Simple Network Security Monitoring with Security Onion & NetWitness Investigator
If you want a robust, cost effective and easy to use Intrusion Detection System (IDS) and Network Security Monitoring (NSM) platform, look no further than Doug Burks “Security Onion”.
What is great about Security Onion is that it takes all the guess work out of setting up an effective IDS and takes the output of intrusion attempts and displays the critical ones in a nice user interface called Sguil.
You can install Security Onion to a new machine, or just run it as a live CD to check it out. Running Security Onion with two network cards installed and matching it to a Dualcomm port mirroring device provides a cheap but powerful monitoring system.
When two network cards are installed with Security Onion, one is configured as a monitoring only sensor and the other is configured to connect to your internal LAN.
Simply connect the Dualcomm port mirroring device inline with whatever traffic you want to monitor. Then connect your sensor line from Security Onion to the mirrored port and you can analyze all your network traffic live.
Another cool feature of Security Onion is that it keeps a copy of all of your network traffic stored in a daily log file.
Now if all the tools that are included in Security Onion are just not enough for you (and trust me there is a ton of them!), you can take the raw daily captures directly from Security Onion and analyze them in Netwitness Investigator.
“NetWitness® Investigator is the award-winning interactive threat analysis application of the NetWitness enterprise network monitoring platform. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data captured and reconstructed by the NetWitness enterprise security platform.”
Simply navigate to the NSM directory on your Security Onion installation, then to the sensor directory, then to the nic used for monitoring, and finally the daily logs directory. Then choose a log file. The files cap out at 128 MB by default and then another file is created with an incremented number in the file name. A sample file name would be “snort.log.1315337092“.
Next copy that file off to a flash drive and import it directly into your Windows system running NetWitness Investigator.
Investigator then parses the information and gives you an amazing view of the packets captured. At the top, the program lists any threats that it detects as warnings. It also breaks the data down into easily navigable headings like Service Type, Source & Destination Country, City and IP address.
You can then drill down from high level topics like Destination Country to recreations of the actual data sent in a few clicks. You can look at the information transferred including scripts, programs, pictures and videos. You can also search the entire data collected for phone numbers, credit cards, hacker terms, date/time or location.
Finally, Investigator supports Google Earth to view packet travel and location data.
Security Onion & Netwitness Investigator, a powerful threat detection combination.