Bob123 Posted July 21, 2017

Anyone heard of Security Onion Linux? I do a lot of ICS work and am always interested in security since there pretty much is none in the ICS world. I came across a blue team pdf and it talks about Security Onion Linux. I just downloaded it and plan to put it on a machine this evening. Was wondering if anyone else has used it?
digip Posted July 21, 2017

Looks like it's a bundle of IDS solutions - https://securityonion.net/#about I don't work on that side of the network stuff, but when you install this, what sends the info to this for collection? You have to set up whatever the other boxes are to send the info to this machine? I see on the wiki there are several ways to use it in different scenarios, but wouldn't this ideally be something that port mirrors traffic for inspection, or is there something else you install on other devices to send it to this, like an SNMP type server and client?

Edited July 21, 2017 by digip
barry99705 Posted July 21, 2017

I played with it for a little while. I just created a mirror port on my switch. 'Course most folks don't have $300 switches on their home networks. You can also use the Hak5 Throwing Star tap. The box Security Onion is installed on will need three network ports though: two for the tap, and one that's not connected to your network for your monitor computer.
digip Posted July 21, 2017

4 minutes ago, barry99705 said: "I played with it for a little while. I just created a mirror port on my switch. 'Course most folks don't have $300 switches on their home networks. You can also use the Hak5 Throwing Star tap. The box Security Onion is installed on will need three network ports though: two for the tap, and one that's not connected to your network for your monitor computer."

Yeah, that was what I was getting at: how does it see the traffic without having all the things flowing over it, either mirrored or with some kind of client stuff that sends it over?
coyotlgw Posted July 21, 2017

Used it at home for a while. I put an old Ethernet hub inline between the cable modem and the local router/AP, and used Snort and later Suricata to watch traffic. Good toolset if you are just starting with IDS/IPS; dig into the ELSA database to aggregate and correlate feed data. Loved the Snorby implementation for dashboard and alerting.
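The aggregation and correlation coyotlgw describes (grouping sensor alerts by signature and by source, then asking which sources are hitting which hosts) can be tried outside ELSA on the raw Suricata output. Below is an added example, not code from the thread or from the Security Onion project: it assumes the sensor writes alerts in Suricata's one-JSON-object-per-line EVE format with the usual `event_type`, `src_ip`, `dest_ip` and nested `alert` fields, and the sample records, addresses and signature names are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in Suricata EVE JSON line format. Addresses come
# from documentation ranges and the signature text is invented; these are not
# real alerts from the thread or from any sensor.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-07-21T18:02:11.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":51234,"dest_ip":"198.51.100.5","dest_port":502,'
    '"proto":"TCP","alert":{"signature_id":1000001,'
    '"signature":"CONSTRUCTED Modbus write from non-engineering host","severity":1}}',
    # A flow record with no alert block; the parser must ignore it.
    '{"timestamp":"2017-07-21T18:02:12.000000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}',
    '{"timestamp":"2017-07-21T18:02:14.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":51235,"dest_ip":"198.51.100.6","dest_port":502,'
    '"proto":"TCP","alert":{"signature_id":1000001,'
    '"signature":"CONSTRUCTED Modbus write from non-engineering host","severity":1}}',
    '{"timestamp":"2017-07-21T18:03:01.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.44","src_port":40001,"dest_ip":"198.51.100.5","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":1000002,'
    '"signature":"CONSTRUCTED HTTP request to PLC web interface","severity":3}}',
    # A torn line, as you get when reading a file the sensor is still writing.
    'this line is not valid json and should be skipped',
]


def parse_eve_alerts(lines):
    """Return only the alert records, skipping other event types and lines
    that do not parse as JSON (partial writes are normal in a live eve.json)."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Aggregate: how many times each rule fired."""
    return Counter(a["alert"]["signature"] for a in alerts)


def count_by_source(alerts):
    """Aggregate: how many alerts each source address produced."""
    return Counter(a["src_ip"] for a in alerts)


def correlate_sources(alerts, max_severity=2):
    """Correlate: for each source, the sorted list of destinations it triggered
    high-priority alerts against. Suricata severity 1 is the most severe, so
    max_severity=2 keeps priority 1 and 2 alerts and drops informational ones."""
    targets = defaultdict(set)
    for a in alerts:
        if a["alert"]["severity"] <= max_severity:
            targets[a["src_ip"]].add(a["dest_ip"])
    return {src: sorted(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    found = parse_eve_alerts(SAMPLE_EVE_LINES)
    print("alerts parsed:", len(found))
    print("by signature:", dict(count_by_signature(found)))
    print("by source:", dict(count_by_source(found)))
    print("high-priority source -> destinations:", correlate_sources(found))
```

On a real sensor you would feed `open("/nsm/.../eve.json")` (path is installation specific) into `parse_eve_alerts` instead of the constructed list; the output of `correlate_sources` is the kind of pivot (one source touching several PLC addresses on port 502) that is worth a dashboard panel in an ICS network where any write from an unexpected host is interesting.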