After reading some more sans security documents I was pointed toward Security Onion as my go-to for IDS\/IPS. I had been using snorby TKL by smooth-sec (Bailey.st), but it wasn’t doing a great job and the documentation was lacking. Security onion is more of a resource hog but offers quite a few awesome tools. Here is my basic setup to get Security Onion working properly:<\/p>\n
Download ISO, burn, Install on a server (Dell PE1850, 2x 2.8GHz Xeon, 16GB RAM, Mirror 300GB SCSI)<\/p>\n
Added Root User – I still dislike all this “sudo this” and “sudo that” Update Operating system Update Onion Turn off sensor for Eth1 (assuming Eth0 is mirror port and Eth1 is LAN) Reboot Remove SIDs\/Block Addresses (*OLD*) 1:1411-1:1419,1:OTHERRULES,1:ETC<\/p><\/blockquote>\n Remove SIDs\/Block Addresses (*NEW*) 1:1411-1:1419,1:OTHERRULES,1:ETC<\/p><\/blockquote>\n Blocking IPs will stop snort from worrying about certain hosts – by default ALL hosts are worried Add the following template:<\/p>\n #Nothing from src host to dst port After reading some more sans security documents I was pointed toward Security Onion as my go-to for IDS\/IPS. I had been using snorby TKL by smooth-sec (Bailey.st), but it wasn’t doing a great job and the documentation was lacking. Security onion is more of a resource hog but offers quite a few awesome tools. Here … Continue reading Security Onion<\/span>
\nsudo passwd root<\/code><\/p>\n
\napt-get update<\/code>
\napt-get upgrade<\/code><\/p>\n
\nsudo -i \"curl -L http:\/\/sourceforge.net\/projects\/security-onion\/files\/security-onion-upgrade.sh > ~\/security-onion-upgrade.sh && bash ~\/security-onion-upgrade.sh\"<\/code><\/p>\n
\nnsm_sensor_ps-stop --sensor-name=YOURSERVERNAME-eth1<\/code>
\nnano \/etc\/nsm\/sensortab<\/code>
\nComment out the Interface to disable<\/p>\n
\nreboot<\/code><\/p>\n
\nBlock SIDs will stop snort from even reporting the issue – by default ALL rules are enabled
\nnano \/etc\/pulledpork\/disablesid.conf<\/code><\/p>\n\/usr\/local\/bin\/pulledpork_update.sh<\/code>
\nnsm_sensor_ps-stop<\/code>
\nnsm_sensor_ps-start<\/code><\/p>\n
\nBlock SIDs will stop snort from even reporting the issue – by default ALL rules are enabled
\nnano \/etc\/nsm\/pulledpork\/disablesid.conf<\/code><\/p>\n\/usr\/bin\/rule-update<\/code>
\nnsm_sensor_ps-stop<\/code>
\nnsm_sensor_ps-start<\/code><\/p>\n
\nnano \/etc\/nsm\/YOURSERVERNAME-eth1\/bpf.conf<\/code><\/p>\n
\n!(src host xxx.xxx.xxx.xxx && dst port 161) &&
\n#Nothing from src host to dst host and dst port
\n!(src host xxx.xxx.xxx.xxx && dst host xxx.xxx.xxx.xxx && dst port 80) &&
\n#Nothing to or from:
\n!(host xxx.xxx.xxx.xxx) &&
\n#Last entry has no final &&
\n!(host xxx.xxx.xxx.xxx)<\/p><\/blockquote>\nnsm_sensor_ps-restart<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"