Simple Network Security Monitoring with Security Onion & NetWitness Investigator

If you want a robust, cost effective and easy to use Intrusion Detection System (IDS) and Network Security  Monitoring (NSM) platform, look no further than Doug Burks “Security Onion”.

Security Onion:

“Security Onion is a Linux distro that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.”

What is great about Security Onion is that it takes all the guess work out of setting up an effective IDS and takes the output of intrusion attempts and displays the critical ones in a nice user interface called Sguil.

You can install Security Onion to a new machine, or just run it as a live CD to check it out. Running Security Onion with two network cards installed and matching it to a Dualcomm port mirroring device provides a cheap but powerful monitoring system.

When two network cards are installed with Security Onion, one is configured as a monitoring only sensor and the other is configured to connect to your internal LAN.

Simply connect the Dualcomm port mirroring device inline with whatever traffic you want to monitor. Then connect your sensor line from Security Onion to the mirrored port and you can analyze all your network traffic live.

Another cool feature of Security Onion is that it keeps a copy of all of your network traffic stored in a daily log file.

Now if all the tools that are included in Security Onion are just not enough for you (and trust me there is a ton of them!), you can take the raw daily captures directly from Security Onion and analyze them in Netwitness Investigator.

“NetWitness® Investigator is the award-winning interactive threat analysis application of the NetWitness enterprise network monitoring platform. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data captured and reconstructed by the NetWitness enterprise security platform.”

Simply navigate to the NSM directory on your Security Onion installation, then to the sensor directory, then to the nic used for monitoring, and finally the daily logs directory. Then choose a log file. The files cap out at 128 MB by default and then another file is created with an incremented number in the file name. A sample file name would be “snort.log.1315337092“.

Next copy that file off to a flash drive and import it directly into your Windows system running NetWitness Investigator.

Investigator then parses the information and gives you an amazing view of the packets captured. At the top, the program lists any threats that it detects as warnings. It also breaks the data down into easily navigable headings like Service Type, Source & Destination Country, City and IP address.


You can then drill down from high level topics like Destination Country to recreations of the actual data sent in a few clicks. You can look at the information transferred including scripts, programs, pictures and videos. You can also search the entire data collected for phone numbers, credit cards, hacker terms, date/time or location.

Finally, Investigator supports Google Earth to view packet travel and location data.

Security Onion & Netwitness Investigator, a powerful threat detection combination.

~ by D. Dieterle on September 7, 2011.

2 Responses to “Simple Network Security Monitoring with Security Onion & NetWitness Investigator”

  1. Imagine how good that would be if you had NetWitness running continuously monitoring your live traffic!!!

    • Absolutely!
      I think the Enterprise version of Investigator and Netwitness other programs do this. The free version doesn’t. But if you want NSM on a tight budget, can’t beat Security Onion and Investigator! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: