IDS News (7 Posts)

IDS used as a Network Forensic Tool

Note: This is the second post of a two-part series on how to use an IDS in a different way.

Intrusion Detection Systems are traditionally seen as defensive tools. They can however be used for purposes other than those they were designed for, as highlighted in the previous post, where we discussed how an IDS could be used as an offensive tool.
Pre-configured/packaged IDS environments such as SELKS or Security Onion are popular, and they provide various software packages and graphical user interfaces to navigate through large volumes of data by parsing/categorising/filtering it automatically.

More importantly, such systems are starting to provide mo...

IDS used as an Offensive Security Tool

Note: This is the first post of a two-part series on how to use an IDS in a different way.

Intrusion Detection Systems such as Snort and Suricata are traditionally seen as defensive tools, and in essence they are. They can alert on security issues occurring on your network such as botnet activity, network-based attacks, host/server activity and vulnerabilities.

That last point is important.

It is important because that same information, used for defence activities, could also be used by an attacker as part of attack reconnaissance: for example, identifying a list of hosts that run outdated SSH/SSL servers, a vulnerable Flash client or other vulnerable software/services, or HTTP logs highlighting users' web activities, clear-text passwords, etc.
When looking at an IDS that way, it becomes a passi...

SELKS 2.0 vs. Security Onion

I have recently been testing SELKS v2.0, an open source Network Security Monitor (NSM) based on the ELK stack: Elasticsearch (search and analytics engine), Logstash (log normalisation) and Kibana (visualisation). The NSM core engine is provided by the first "S", which stands for Suricata (network IDS), and the last "S", which stands for Scirius (management GUI for Suricata).
SELKS is provided as a live Linux distribution based on Debian 8 (Jessie), which can also be installed to disk.

SELKS v2.0 is a great improvement over SELKS v1.0, so much so that I now consider it a serious contender to Security Onion (SO) at...

One more update to the Security Onion Guide

We have once more updated our Security Onion Installation Guide with a few tweaks regarding setting up Bro emails and SSH.
There is also a new PDF version, using an updated template, available from the download section.


Updated Security Onion Guide

Last week, the Security Onion repository moved from Google Code to GitHub. We have now updated our Security Onion Installation Guide with the new links.
Basically, this means replacing the base part of each link from the old reference

If you are looking for "issues", not only do you need to replace the base reference as mentioned above, but you also need to remove the "detail?id=" at the end of the URL.
For example: (does not work)

How to setup Security Onion on a home network with Splunk, email alerts and some basic tuning

Entry last updated on the 11th of May 2015
A PDF version is also available to download here

Security Onion (SO) is a great open source project created by Doug Burks.
It is a Linux distribution based on Ubuntu, bundled and configured with all the tools you need to get a powerful, and free, Network Security Monitoring (NSM) system. It can be used to monitor your network traffic for suspicious activity and malware.

This guide is aimed at people who want to get started quickly with SO and the following basic functionalities:
  • Getting an understanding of what network and server setup is required
  • Going through a basic SO installation
  • Getting a basic understanding of how to tune Snort and remove false positives
  • Getting regular reports and speci
  • ...

Security Onion and seeing through HTTPS

Security Onion is an open source Linux distribution that makes deploying an IDS/NSM a very easy task indeed, and I highly recommend you try it at home, especially since you can do everything in a VM…

The video below gives a great summary of what this is all about (it is an hour long, but like any good movie you won't see the time fly ;)

If you have ever been through a Snorby installation yourself, you will appreciate this distribution even more, as everything is done for you. The installation process only asks a couple of questions, and you should be ready to monitor your network and analyse data through full packet capture within 15 minutes!

The latest beta is even better, and lets you use your own Ubuntu-flavoured distribution if you prefer not to use the d...