Security Onion Review | LAS 331
https://original.jupiterbroadcasting.net/67182/security-onion-review-las-331/
Sun, 21 Sep 2014 15:22:27 +0000

The post Security Onion Review | LAS 331 first appeared on Jupiter Broadcasting.


Security Onion can turn you into a network super warrior, with its easy to setup IDS, Network Syslog, and more. We’ll show you how to take advantage of some of the best tools in open source, from beginner to expert!

Plus a great new game for Linux, Uselessd looks needed but is stirring up drama, why Gnome 3.14 will be the best Gnome yet & more!

— Show Notes: —

Security Onion

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Based on Ubuntu 12.04 (from the Security Onion FAQ on Google Project Hosting):

We have no immediate plans to move to Ubuntu 14.04. Ubuntu 12.04 should be fully supported until April 2017: https://wiki.ubuntu.com/Releases

Core Components

Security Onion seamlessly weaves together three core functions: full packet capture, network-based and host-based intrusion detection systems (NIDS and HIDS, respectively), and powerful analysis tools.


Full-packet capture is accomplished via netsniff-ng (https://netsniff-ng.org/), “the packet sniffing beast”. netsniff-ng captures all the traffic your Security Onion sensors see and stores as much of it as your storage solution will hold (Security Onion has a built-in mechanism to purge old data before your disks fill to capacity). Full packet capture is like a video camera for your network, but better, because not only can it tell us who came and went, but also exactly where they went and what they brought or took with them (exploit payloads, phishing emails, file exfiltration). It’s a crime scene recorder that can tell us a lot about the victim and the white chalk outline of a compromised host on the ground.

Deployment Scenarios

Security Onion is built on a distributed client-server model. A Security Onion “sensor” is the client and a Security Onion “server” is, well, the server. The server and sensor components can be run on a single physical machine or virtual machine, or multiple sensors can be distributed throughout an infrastructure and configured to report back to a designated server. An analyst connects to the server from a client workstation (typically a Security Onion virtual machine installation) to execute queries and retrieve data.

The following are the three Security Onion deployment scenarios:

  • Standalone: A standalone installation consists of a single physical or virtual machine running both the server and sensor components and related processes. A standalone installation can have multiple network interfaces monitoring different network segments. A standalone installation is the easiest and most convenient method to monitor a network or networks that are accessible from a single location.

  • Server-sensor: A server-sensor installation consists of a single machine running the server component with one or more separate machines running the sensor component and reporting back to the server. The sensors run all of the sniffing processes and store the associated packet captures, IDS alerts, and databases for Sguil, Snorby and ELSA. The analyst connects to the server from a separate client machine, and all queries sent to the server are distributed to the appropriate sensor(s), with the requested information being directed back to the client. This model reduces network traffic by keeping the bulk of the collected data on the sensors until requested by the analyst’s client. All traffic between server and sensors, and between client and server, is protected with SSH encrypted tunnels.

  • Hybrid: A hybrid installation consists of a standalone installation that also has one or more separate sensors reporting back to the server component of the standalone machine.

The Security Onion setup script allows you to easily configure the best installation scenario to suit your needs.

Installation is as simple as installing Ubuntu.

Once installed, an easy-to-use Setup GUI configures the basics.

Security Onion’s Great Tools:

Sguil – Open Source Network Security Monitoring

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

Snorby – All About Simplicity

Snorby brings your existing and new network security monitoring data to life with a suite of beautiful, relevant, and, most importantly, actionable metrics. Share data like sensor activity comparisons or your most active signatures directly with your constituents with daily, weekly, monthly, and ad-hoc PDF reports.

Squert – the Squert project

Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

ELSA – Enterprise Log Search and Archive, an industrial-strength solution for centralized log management

ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.

Further Study:

Doug Burks – YouTube


— PICKS —

Runs Linux

The Connected Wheelchair Project, Runs Linux

Desktop App Pick

Angry IP Scanner

Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports and has many other features.

It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.

It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.

Wasteland 2 on Steam

The Wasteland series impressive and innovative lineage has been preserved at its very core, but modernized for the fans of today with Wasteland 2. Immerse yourself in turn-based tactical combat that will test the very limits of your strategy skills as you fight to survive a desolate world where brute strength alone isn’t enough to save…

4K Stogram | Export, Download and Backup your Instagram photos

4K Stogram is an Instagram Downloader for PC, Mac and Linux. The program allows you to download and backup Instagram photos and videos, even from private accounts. Just enter Instagram user name or photo link and press ‘Follow user’ button. Open up wide new vistas of imagery all from your desktop.

Weekly Spotlight

Jupiter Broadcasting Jacket

Sport your favorite Linux Action Show logo on a comfy new jacket just in time for Fall (or Spring if you are from down under). This is a limited run jacket for just 8 days so buy it now, especially if you want it in time to wear to Ohio Linux Fest!


— NEWS —

Red Hat Buys FeedHenry For $82M To Add Mobile App Development To Its Platform

Some big news today for Red Hat, the open source company that provides a platform for application development and other platform as a service solutions: It is buying FeedHenry, an Ireland-based provider of a platform for mobile app developers, specifically for enterprises to build apps. In a statement on the acquisition, Red Hat says it will be paying €63.5 million ($82 million) in cash for FeedHenry. The deal is expected to close in Q3 (as a point of reference Red Hat is reporting Q2 fiscal 2015 figures today; Red Hat says it will be updating its guidance as a result of the acquisition).

Uselessd: A Stripped Down Version Of Systemd

Uselessd, in its early stages of development, is systemd reduced to a basic init daemon process with “the superfluous stuff cut out”. Among the items removed are journald, libudev, udevd, and superfluous unit types.

uselessd :: information system

Stopped Clock — Making of GNOME 3.14

The release of GNOME 3.14 is slowly approaching, so I stole some time from actual design work and created this little promo to show what goes into a release that probably isn’t immediately obvious (and a large portion of it doesn’t even make it in).

3.14 On Its Way

Often with new releases we focus on the big new features — obvious bits of new UI that do cool stuff. One of the interesting things about this release, though, is that many of the most significant changes are also the most subtle. There’s a lot of polish in 3.14, and it makes a big difference to the overall user experience.

Ubuntu MATE will become an official flavor

Martin Wimpress updated the current development status of Ubuntu MATE in the distro’s blog today. In addition to the regular update, he has confirmed that the MATE variant is going to be recognized as an official Ubuntu flavor. Rejoice, MATE lovers!

The MATE desktop environment is a continuation of the GNOME 2 desktop environment for those who don’t like the bells and whistles of GNOME 3 but loved the simplicity and productivity of GNOME 2.

The MATE team requested the Ubuntu Technical Board for an official flavor status recently and the board is supportive of the proposal.

You Can Now Run Android Apps on Chrome for Windows, Mac and Linux – OMG! Chrome!

It requires installing a custom version of the Android Runtime extension, called ARChon. This supports both desktop Chrome and Chrome OS, and also allows for an unlimited number of Android APKs packaged by the chromeos-apk tool.

Netflix Works with Ubuntu to Bring Native Playback to All (Updated) – OMG! Ubuntu!

Since this article was published Canonical has confirmed that a version bump to the current nss library is planned to be pushed out with the next ‘security update’. This could arrive on Ubuntu 14.04 LTS within the next two weeks.

This news has pleased Netflix’s Paul Adolph who, in response, says he will ‘make a case to lift the user-agent filtering which will make Netflix HTML5 play in Chrome turnkey with no hacks required’ as soon as the updated package lands.


— FEEDBACK —

Do you know of a great pfSense alternative?
  • A Linux alternative to pfSense
  • Something with a competitive UI to pfSense
  • With packages if possible, like squid, smokeping, etc.
  • Does not use iptables.
  • Big bonus if it does use nftables

A Simple Mistake | TechSNAP 4
https://original.jupiterbroadcasting.net/7966/a-simple-mistake-techsnap-4/
Sun, 08 May 2011 22:23:52 +0000

What common thread is at the core of the Sony PSN and SOE attacks, and the recent Amazon EC2 outages? What simple mistakes snowballed into full meltdowns?

The post A Simple Mistake | TechSNAP 4 first appeared on Jupiter Broadcasting.


The guys focus on the recent major network compromises and outages, like Sony’s PSN and SOE attacks and the recent Amazon EC2 outages, and what was at the core of their failure. What do these very separate events have in common?

Find out what simple mistakes snowballed into full-on network meltdowns. Plus the EU’s nutty plans to convince websites to prompt every user to sign a EULA for their cookies!


Show Notes:

Topic: SOE Breached as well, 24 million records stolen

https://www.soe.com/securityupdate/
https://www.joystiq.com/2011/05/02/sony-hit-with-second-attack-loses-12-700-credit-card-nu/
https://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

  • Old database from 2007 compromised, 12,700 credit cards with expiry dates and 10,700 direct debit accounts
    • Old data was not destroyed, why?
    • Was this data not encrypted, as Sony claims the PSN credit card database was?
    • most of these cards are likely expired, but some banks use extended expiration dates
    • direct debit accounts are likely more at risk, although harder to exploit
  • Sony says that PSN and SOE are isolated systems, but it seems the attacks are related
  • Data was stolen as part of the original compromise on April 16-17th (earlier than previously reported), not a separate compromise
  • If the data is separate, how were both databases compromised?
  • If the data is not isolated, why were SOE customers not notified weeks ago when the breach was discovered? More attempted cover-up by Sony.
  • SOE passwords are hashed (no specifics on algorithm or if they were salted)
  • Data includes: name, address, e-mail, birthdate, gender, phone number, username, and hashed password
  • Unconfirmed rumours that the credit card lists have been offered for sale, or to Sony
  • Sony offering customers from Massachusetts a free identity theft protection service, as required by state law in the event of such a breach
  • It later came to light in congressional hearings in the US (which Sony declined to attend) that Sony was using outdated, known vulnerable software, and that this fact had been reported to them by security researchers months before these attacks
  • Sony says that it has added automated monitoring and encryption to its systems in the wake of the recent attacks.

Topic: Wikileaks may have forced the US Government’s Hand

https://www.guardian.co.uk/world/2011/may/03/osama-bin-laden-abbottabad-hideout
https://www.documentcloud.org/documents/87933-interrogation-file-of-abu-faraj-al-libi.html#document/p5/a17091

  • US knew that someone was hiding in the compound since at least last summer
  • US was unsure who was in the compound; they believed it was UBL but were unsure, and were unwilling to risk disclosing the depth of their penetration of the opposition’s security
  • Classic intelligence paradox: what use is having the information if you cannot use it, but using it will expose your sources and methods?
  • The WikiLeaks release of Guantanamo documents exposed the US’s penetration of UBL’s courier network
  • US likely decided to move immediately to avoid squandering the opportunity

Topic: Stupid EU law of the week

https://www.bbc.co.uk/news/technology-12668552
https://translate.google.com/translate?sl=sv&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.idg.se%2F2.1085%2F1.382570%2Fexpertpanelen-ny-lag-om-hanteringen-av-cookies

  • Basically will result in users being met with mini-EULA asking you to opt in to cookies in order to enter every site on the internet
  • Law has a specific provision to allow cookies to be used to track the contents of your shopping cart
  • Cookies are an important part of web applications. HTTP is stateless, and cookies are the easiest and most convenient way to maintain state
  • Controls for cookies are best left to the browser, which decides and enforces policies on cookies
  • There already exists the ‘same-domain’ policy in all browsers, cookies can only be read by the site that set them
  • There exists a better alternative already supported by Google and Mozilla, the DNT (Do Not Track) opt-out system asks advertisers to not use or not collect behavioural data. Google’s system works slightly differently but accomplishes the same goal.
  • This is yet another example of governments passing laws without considering the technical implications of their implementation. Governments seem to purposefully avoid consulting actual experts and instead hire consultants that will agree with their position.

Topic: Image authentication system cracked

https://blog.crackpassword.com/2011/04/nikon-image-authentication-system-compromised/

https://www.nikonusa.com/Nikon-Products/Product/Imaging-Software/25738/Image-Authentication-Software.html#tab-ProductDetail.ProductTabs.Overview

https://www.elcomsoft.com/canon.html

  • Digital SLR camera technology that signs photos with a private key when they are taken to allow their originality to be verified.
  • The image and the meta data are both hashed with SHA-1 (this is possibly insufficient, SHA-256 or better should be used for cryptographic security and future proofing)
  • The two hash values are then encrypted separately using a 1024-bit RSA key (again, insufficient key size, even SSL requires 2048 bit keys now) and stored in the EXIF data
  • The verification software then validates the signature and compares the hashes
  • Very similar system with a similar flaw found in the Canon Original Data Security system. Neither Canon nor Nikon has responded or indicated they will address the issues
  • ElcomSoft managed to extract the private key and sign forged images that then passed verification
  • It seems all Nikon cameras use the SAME key, not separate keys per camera, so once the key is exposed, the entire system is compromised, not just the single camera
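As an added illustration (not Nikon’s, Canon’s or ElcomSoft’s code), the Go program below implements the structure the bullets describe, hashing the image and its metadata separately, signing each digest with RSA and storing the result in a stand-in for the EXIF block, but with the stronger choices the notes call for (SHA-256, a 2048-bit key) and one key pair per camera body, so that a verifier keyed by serial number rejects a tag whose signatures were made by a different camera. The serial numbers, image bytes and metadata are constructed.

```go
// Added example (not Nikon's or ElcomSoft's code): the scheme the post describes,
// hash image and metadata, sign both digests with RSA and store the result in
// EXIF, but with SHA-256, 2048-bit keys and one key pair per camera body.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Tag stands in for the EXIF fields carrying the serial and both signatures.
type Tag struct {
	Serial          string
	ImgSig, MetaSig []byte // PKCS#1 v1.5 signatures over SHA-256(image) and SHA-256(meta)
}

// Camera is one body with its own private key rather than a fleet-wide one.
type Camera struct {
	Serial string
	Key    *rsa.PrivateKey
}

// NewCamera provisions a fresh 2048-bit key pair for one body (constructed serial).
func NewCamera(serial string) (*Camera, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Camera{Serial: serial, Key: k}, err
}

// Sign hashes image and metadata separately and signs each digest.
func (c *Camera) Sign(image, meta []byte) (Tag, error) {
	ih, mh := sha256.Sum256(image), sha256.Sum256(meta)
	is, err := rsa.SignPKCS1v15(rand.Reader, c.Key, crypto.SHA256, ih[:])
	if err != nil {
		return Tag{}, err
	}
	ms, err := rsa.SignPKCS1v15(rand.Reader, c.Key, crypto.SHA256, mh[:])
	if err != nil {
		return Tag{}, err
	}
	return Tag{Serial: c.Serial, ImgSig: is, MetaSig: ms}, nil
}

// Verify recomputes both digests and checks them with the public key registered
// for the tag's serial: a tag signed by camera A but relabelled as camera B fails.
func Verify(registry map[string]*rsa.PublicKey, image, meta []byte, t Tag) bool {
	pub, ok := registry[t.Serial]
	if !ok {
		return false
	}
	ih, mh := sha256.Sum256(image), sha256.Sum256(meta)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, ih[:], t.ImgSig) == nil &&
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, mh[:], t.MetaSig) == nil
}

func main() {
	a, _ := NewCamera("A-001")
	reg := map[string]*rsa.PublicKey{a.Serial: &a.Key.PublicKey}
	img, meta := []byte("constructed image bytes"), []byte("serial=A-001;taken=2011-04-01")
	tag, _ := a.Sign(img, meta)
	fmt.Println("genuine verifies:", Verify(reg, img, meta, tag))
	tag.Serial = "B-002" // same signatures, other body claimed: no matching key
	fmt.Println("relabelled verifies:", Verify(reg, img, meta, tag))
}
```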

Topic: Amazon Post Mortem, some data loss

https://www.businessinsider.com/amazon-lost-data-2011-4
https://aws.amazon.com/message/65648/

  • Original failure was caused by network operator error
  • Failure caused some data loss, a small portion but still significant
    • Online cloud services such as Chartbeat lost data
  • Replica system had no rate limiting, so when a large number of EBS volumes failed, the creation of replicas to replace them overloaded the centralized management system (the only shared part of the EBS infrastructure)
  • All Availability zones ran out of capacity, new replicas of data could not be created
  • EBS nodes that needed to create replicas, as well as EC2 and RDS nodes backed by them, became ‘stuck’ waiting for capacity to store replicas. Affected about 13% of all nodes in the availability zone.
  • Create Volume API calls have a long timeout, which caused thread starvation as the requests continued to back up on the shared centralized management system (EBS Control Plane)
  • The overload of the control plane caused all EBS nodes in US-EAST to experience latency and higher error rates
  • To combat this, Amazon disabled all ‘Create Volume’ API calls to restore service to the unaffected Availability zones
  • EBS control plane again became overwhelmed with other API calls caused by the degradation of the affected availability zone; all communications between the broken EBS volumes and the control plane were disabled to restore service to other customers
  • Lessons going forward:
    • Rate limiting on all API calls
    • Limit any one availability zone from dominating the control plane
    • Move some operations into separate control planes in each availability zone
    • Increase stand-by capacity to better accommodate growth and failure scenarios
    • Increase automation in network configuration to prevent human error
    • Additional intelligence to prevent and detect ‘re-mirroring storms’
    • Increase back off timers more aggressively in a failure scenario
    • Focus on re-establishing connections with existing replicas instead of making new ones
    • Educate customers about using multiple-AZ (Availability Zone) setups to reduce the impact of partial failures of the cloud
    • Improve communications and Service Health Monitoring tools
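The ‘rate limiting’ and ‘limit any one availability zone’ lessons can be seen in a small model. This Go program is an added example, not Amazon’s code, and its zone names, request counts and capacity figures are constructed: one zone floods the shared control plane with re-mirror requests at tick 0 while another sends steady traffic, and the worst queueing delay each zone sees is compared with and without a per-zone cap on the plane’s capacity.

```go
// Added example, not Amazon's code: a tick-based model of a shared EBS control
// plane fed by a re-mirroring storm from one degraded zone while another zone
// sends normal traffic, run with and without a per-zone share of the capacity.
package main

import "fmt"

// Request is one control-plane call (for example Create Volume) from a zone.
type Request struct {
	Zone    string
	Arrived int // tick at which the call was issued
}

// Plane is the centralized management system: Capacity calls complete per tick;
// PerZoneCap limits what any single zone may consume per tick (0 = no limit).
type Plane struct {
	Capacity   int
	PerZoneCap int
}

// Run feeds arrivals into a FIFO backlog for the given number of ticks and
// returns the worst queueing delay (in ticks) each zone experienced.
func (p Plane) Run(ticks int, arrivals func(tick int) []Request) map[string]int {
	maxWait := map[string]int{}
	var backlog []Request
	for tick := 0; tick < ticks; tick++ {
		backlog = append(backlog, arrivals(tick)...)
		served, perZone := 0, map[string]int{}
		var kept []Request
		for _, r := range backlog {
			if served < p.Capacity && (p.PerZoneCap == 0 || perZone[r.Zone] < p.PerZoneCap) {
				served++
				perZone[r.Zone]++
				if w := tick - r.Arrived; w >= maxWait[r.Zone] {
					maxWait[r.Zone] = w
				}
			} else {
				kept = append(kept, r) // stays queued, holding its slot in FIFO order
			}
		}
		backlog = kept
	}
	return maxWait
}

// StormArrivals is the constructed scenario: 5000 re-mirror requests from the
// degraded zone at tick 0 (no back-off), plus 10 ordinary calls per tick from a
// healthy zone that shares the same control plane.
func StormArrivals(tick int) []Request {
	var out []Request
	if tick == 0 {
		for i := 0; i < 5000; i++ {
			out = append(out, Request{Zone: "us-east-1a", Arrived: 0})
		}
	}
	for i := 0; i < 10; i++ {
		out = append(out, Request{Zone: "us-east-1b", Arrived: tick})
	}
	return out
}

func main() {
	unlimited := Plane{Capacity: 100}.Run(100, StormArrivals)
	shared := Plane{Capacity: 100, PerZoneCap: 80}.Run(100, StormArrivals)
	fmt.Println("no per-zone limit, worst wait:", unlimited) // healthy zone waits 50 ticks
	fmt.Println("80/100 per-zone cap, worst wait:", shared)  // healthy zone waits 0 ticks
}
```

Without the cap the healthy zone's first calls sit behind the whole storm (50 ticks at 100 calls per tick); with the cap the degraded zone's backlog drains more slowly (62 ticks instead of 49) but the healthy zone is never delayed, which is the trade the post-mortem lessons describe.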
