I now have a few moments to discuss Security Onion, and why it works well for many small and mid-sized organizations. Security Onion is a Linux distro for IDS, NSM, and log management. The whole thing can be run on a single system, or on separated systems, based on the needs, network and security architecture, and budget. From an IDS sensor standpoint it contains:

1. Snort, Suricata – Focused on network-based signature detection, or what I call "the barn door is open, and the horse is gone" detection. This is because someone needs to be compromised, and take the time to send out signatures (or purchase them), before you can use them. Great if the attack is against everyone, or a small community of people that will share this information, but not so good if you are the target.

2. Bro – Network-based packet and protocol classifier, which, when configured, performs:
   a. Internal intelligence analysis
   b. Full session, bidirectional net flow analysis
   c. File extraction
   d. Network reconnaissance
   e. Behavior and statistical analysis on the flow
   f. And much more

3. OSSEC – A comprehensive host-based intrusion detection system with fine-grained application/server-specific policies across multiple platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX.

To catch the traffic, you have:

1. Sguil: The Analyst Console for Network Security Monitoring

2. Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

3. Snorby is a Ruby on Rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The basic fundamental concepts behind Snorby are *simplicity*, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.

4. ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web.

Packet capture and analysis:

1. Xplico is a network forensics analysis tool (NFAT), which is software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng).

2. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

The only thing you are missing is a SIEM, for which I recommend the ELK stack. This includes:

1. elasticsearch - for distributed restful search and analytics
2. logstash - manage events and logs - elasticsearch works seamlessly with logstash to collect, parse, index, and search logs
3. kibana - visualize logs and time-stamped data - elasticsearch works seamlessly with kibana to let you see and interact with your data

All of the above items are Open Source, and have free and paid training and support, if needed. One can save millions of dollars and get the newest capabilities. Contact me off list if you have questions. Disclosure: I do not sell these products, but I use them.

Joe Klein
"Inveniam viam aut faciam"

On Fri, Feb 13, 2015 at 12:40 PM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
----
Andy Ringsmuth
andy@newslink.com
News Link – Manager Technology & Facilities
2201 Winthrop Rd., Lincoln, NE 68502-4158
(402) 475-6397
(402) 304-0083 cellular
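The reply above describes two kinds of sensor output that end up in the ELK stack: Snort/Suricata signature alerts and Bro's bidirectional flow records (conn.log). As an added example that is not part of this thread and not code from Security Onion, Snort, Bro or Logstash, the Python script below does the normalization step Logstash performs on a Security Onion box: it parses Snort-style "fast" alert lines and a Bro conn.log excerpt into JSON documents ready for indexing, then summarizes alerts by priority and bytes per internal host. All sample lines, IP addresses, rule sids (in the local-rule range) and connection uids are constructed for the example.

```python
"""Normalize Security Onion sensor output into Elasticsearch-style JSON.
Added example with constructed sample data; not Security Onion's own code."""
import json
import re
from collections import Counter

# Snort/Suricata "fast" alert format, one alert per line. Constructed samples;
# sids 1000001+ are the conventional range for locally written rules.
FAST_LOG = """\
02/13-12:40:01.123456  [**] [1:1000001:1] LOCAL EXAMPLE outbound root prompt seen [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
02/13-12:41:15.000001  [**] [1:1000002:1] LOCAL EXAMPLE inbound probe to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:44011 -> 192.168.1.20:1433
02/13-12:42:00.500000  [**] [1:1000003:1] LOCAL EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
"""

# Bro conn.log is tab-separated with a "#fields" header naming the columns
# and "-" for unset values. Constructed excerpt (uids are placeholders).
_CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
                "duration orig_bytes resp_bytes conn_state").split()
BRO_CONN = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(_CONN_FIELDS),
    "\t".join(["1423831201.123456", "Cuid0001", "192.168.1.10", "51234", "10.0.0.5", "80",
               "tcp", "http", "0.5", "350", "1200", "SF"]),
    "\t".join(["1423831275.000001", "Cuid0002", "203.0.113.7", "44011", "192.168.1.20", "1433",
               "tcp", "-", "-", "0", "0", "S0"]),
    "\t".join(["1423831320.500000", "Cuid0003", "192.168.1.10", "52000", "198.51.100.9", "443",
               "tcp", "ssl", "12.0", "5000", "80000", "SF"]),
])

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alert(line):
    """Turn one fast-format alert line into a flat document, or None if it
    does not match (a SIEM pipeline should count such lines, not drop them silently)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "type": "alert", "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "signature": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"],
        "src_ip": d["src"], "src_port": int(d["sport"]) if d["sport"] else None,  # ICMP has no ports
        "dst_ip": d["dst"], "dst_port": int(d["dport"]) if d["dport"] else None,
    }


def parse_bro_log(text):
    """Parse a Bro/Zeek TSV log using its own #fields header as the schema.
    Adds total_bytes so both directions of the flow are visible in one number."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        vals = line.split("\t")
        rec = {f: (None if v in ("-", "(empty)") else v) for f, v in zip(fields, vals)}
        rec["type"] = "conn"
        rec["total_bytes"] = int(rec.get("orig_bytes") or 0) + int(rec.get("resp_bytes") or 0)
        records.append(rec)
    return records


def alerts_by_priority(alerts):
    """Count alerts per Snort priority (1 = most severe)."""
    return dict(Counter(a["priority"] for a in alerts if a))


def top_talkers(conns, n=3):
    """Originating hosts ranked by total bytes in both directions."""
    totals = Counter()
    for c in conns:
        totals[c["id.orig_h"]] += c["total_bytes"]
    return totals.most_common(n)


if __name__ == "__main__":
    alerts = [parse_fast_alert(l) for l in FAST_LOG.splitlines()]
    conns = parse_bro_log(BRO_CONN)
    for doc in alerts + conns:  # what Logstash would hand to Elasticsearch
        print(json.dumps(doc))
    print("alerts by priority:", alerts_by_priority(alerts))
    print("top talkers:", top_talkers(conns))
```

The conn.log parser reads the column names from the file's own `#fields` header rather than hard-coding them, which is what keeps it working when a sensor's Bro configuration adds or reorders columns; the alert parser returns `None` on a non-matching line so a pipeline can count parse failures instead of losing events unnoticed.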