Anyone heard of Security Onion Linux?


Bob123


I do a lot of ICS work and am always interested in security since there pretty much is none in the ICS world.  I came across a blue team pdf and it talks about Security Onion Linux.  I just downloaded it and plan to put it on a machine this evening.  Was wondering if anyone else has used it?


Looks like it's a bundle of IDS solutions - https://securityonion.net/#about

I don't work on that side of the network stuff, but when you install this, what sends the info to this for collection? You have to set up whatever the other boxes are to send the info to this machine? I see on the wiki there are several ways to use it in different scenarios, but wouldn't this ideally be something that port mirrors traffic for inspection, or is there something else you install on other devices to send it to this, like an SNMP type server and client?

Edited by digip

I played with it for a little while. I just created a mirror port on my switch. Course most folks don't have $300 switches on their home networks. You can also use the Hak5 Throwing Star tap. The box Security Onion is installed on will need three network ports though. Two for the tap, and one that's not connected to your network for your monitor computer.


4 minutes ago, barry99705 said:

I played with it for a little while. I just created a mirror port on my switch. Course most folks don't have $300 switches on their home networks. You can also use the Hak5 Throwing Star tap. The box Security Onion is installed on will need three network ports though. Two for the tap, and one that's not connected to your network for your monitor computer.

Yeah, that was what I was getting at: how does it see the traffic without having all the things flowing over it, either mirrored or with some kind of client stuff that sends it over?


Used it at home for a while. I put an old ethernet hub inline between the cable modem and the local router/AP, used Snort and later Suricata to watch traffic. Good toolset if you are just starting with IDS/IPS; dig into the ELSA database to aggregate and correlate feed data.

Loved the Snorby implementation for dashboard and alerting

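Added example, not from any poster in this thread and not Security Onion's own tooling: a small standalone Python script that does the kind of aggregate-and-correlate pass the last post describes doing in ELSA, run directly over Suricata's eve.json alert output. It assumes the standard Suricata EVE JSON layout (one JSON object per line, `event_type`, `src_ip`, `dest_ip`, and an `alert` object carrying `signature_id` and `signature`). The log lines below are constructed for the example; the IPs, timestamps, and the LOCAL rule names and sids are made up, and the sid values sit in the local-rule range rather than matching any real ruleset.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines in Suricata EVE JSON format. Made up for this
# example: the hosts, timestamps and LOCAL rule names/sids are not from a real sensor.
# One non-alert event (flow) and one corrupt line are included to show they are skipped.
SAMPLE_EVE = r"""
{"timestamp":"2016-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.168.1.10","dest_port":502,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL Modbus function code scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2016-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"192.168.1.11","dest_port":502,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL Modbus function code scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2016-03-01T10:00:09.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"192.168.1.10","dest_port":502,"proto":"TCP"}
{"timestamp":"2016-03-01T10:00:15.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51003,"dest_ip":"192.168.1.10","dest_port":20000,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"LOCAL DNP3 unsolicited response","category":"Potentially Bad Traffic","severity":2}}
this line is not JSON and should be skipped
{"timestamp":"2016-03-01T10:01:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"192.168.1.10","dest_port":502,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL Modbus function code scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2016-03-01T10:02:30.000000+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":40500,"dest_ip":"192.168.1.20","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000003,"rev":1,"signature":"LOCAL SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
"""


def parse_eve(text):
    """Return the alert records from EVE JSON text (one JSON object per line).
    Non-alert event types (flow, dns, http, ...) and unparseable lines are skipped
    so a truncated or corrupt line does not abort the whole run."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Hits per rule: {signature_id: count}."""
    return Counter(a["alert"]["signature_id"] for a in alerts)


def count_by_source(alerts):
    """Hits per offending source address: {src_ip: count}."""
    return Counter(a["src_ip"] for a in alerts)


def correlate_sources(alerts, min_signatures=2):
    """Correlation step: sources that fired at least `min_signatures` distinct rules,
    which a single per-rule count would not surface. Returns
    {src_ip: (sorted sids, sorted dest_ips)}."""
    sigs = defaultdict(set)
    dests = defaultdict(set)
    for a in alerts:
        sigs[a["src_ip"]].add(a["alert"]["signature_id"])
        dests[a["src_ip"]].add(a["dest_ip"])
    return {
        src: (sorted(sids), sorted(dests[src]))
        for src, sids in sigs.items()
        if len(sids) >= min_signatures
    }


def report(text, min_signatures=2):
    """Aggregate and correlate in one pass over an eve.json body."""
    alerts = parse_eve(text)
    return {
        "alerts": len(alerts),
        "by_signature": dict(count_by_signature(alerts)),
        "by_source": dict(count_by_source(alerts)),
        "multi_signature_sources": correlate_sources(alerts, min_signatures),
    }


if __name__ == "__main__":
    import pprint
    # To run against a real sensor, read the eve.json file into `text` instead.
    pprint.pprint(report(SAMPLE_EVE))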
