
You guys all set to go back there? Cool. All right, good morning everyone, thanks for coming out. So my name is Nick Lighthorn, this is IDS Configuration for Beginners. A little background: graduated from Penn State in 2010, god, that was a while ago. Founded the Penn State 2600 out there. Since then I worked for Rackspace, which I know is kind of a small corporation here in Austin or San Antonio, worked for ShoreTel, worked for Mitel. I've done more IDS deployments than I can remember in my lifetime. It's a great price pilot. And now, since I've done all those IDS deployments and installations, I work with my co-workers up there; we founded a company called Net Tech Solutions that does IDS deployments, network configuration, that sort of thing.

So my point today is, I'm here to show you that configuring an IDS actually is not that hard. There's a lot of tools out there that are really simple and will get you pretty much all the way there with maybe six commands. All you got to know is how to configure it and how you want it to run. So I'm going to talk through the deployment model, where it's supposed to be in the network in order to get the best use out of it, what it does, how to set it up. We'll do a live configuration here in a couple minutes, and then at the end we'll talk about what the next steps are: how do we get the alerts out, how do we analyze the alerts, what do we do next?

So what is an IDS and why do we need one? If you take a look at this, this is a pretty typical network configuration, right? You've got a firewall, you've got a couple segments off of it: maybe your users on one segment, public-facing servers on another, internal private servers on a different one. And the firewall does a good job of segmenting off the traffic so only things that you want to flow between the segments flow between the segments. So maybe HTTP goes to the public-facing servers and Samba or SMB goes to the private-facing servers and there's file sharing going on, and the firewall is doing a pretty good job of managing that. But how do you know that traffic is good? There could be a lot of malicious things hiding within that traffic: brute force attacks, SSH credential attacks. There can be things that your firewall isn't picking up on. A firewall is a good start, but it doesn't really have all the functionality that you want built into it.

So like I said, a traditional firewall will segment that off. You can tell it, I don't want SSH going over here, I want FTP going over here. I like to think of it as that border guard at a military base, right? Every truck that comes into the base, you've got a manifest, it says only red trucks come in today. Cool, so check, see if the truck is red, and it comes in. It doesn't actually see what's inside the truck, it just checks that the outside of it looks okay. And that's kind of what your firewall does: it checks to make sure, yeah, this really matches what I'm looking for, but it doesn't dive any deeper into it. It's not looking inside to see, is this actually a
malicious act or is this just normal traffic?

So let's take a malware scenario, right? Bob goes home, he gives his laptop to his kids, as you know no lawyer ever does, they're all PCI compliant and perfectly secure. So his kids pull up his laptop, play some dumb games on it and get some malware on the device. Of course this is not a scenario I've ever seen in my life. So the next day Bob brings his laptop in, he plugs it into the corporate network, and that malware that he got on his device last night reaches out, tries to figure out where it is, and, as the malware kill chain goes, it establishes its presence and then moves laterally in the network. So it'll figure out where it is and it'll try to find other resources that it can go attack. It might see, hey, there's an SMB share open here, I'm going to go through this firewall, through this permitted connection, onto this SMB share, encrypt everything on the drive and hold it ransom.

Or maybe you've got a CEO, and I'm sure this never happens, that wants RDP access from the internet without a VPN, which of course is totally secure. So you blast a hole in your firewall, you say okay, RDP, we'll put it even on a different port, we'll put it on something weird that people won't usually look for, and we'll open up traffic, so RDP from anywhere into this one server. Naturally there's things out there that just scan the internet for things like this, open ports that have things behind them, and it will eventually get found. I've worked for companies that have had this exact scenario happen, where they've had a random port open that went to RDP, that got infected by malware that then encrypted all their drives. It's not a pleasant scenario, but it's one that's permitted through the firewall; it's a known protocol going through an open port.

So the firewall is great for being that security guard, for stopping the majority of the attacks, because they're standard stuff. You can't hit an SSH server if the SSH port isn't open to the public. You can harden it to an extent, but once you've got only the ports that you want open, how do you know if the traffic coming in and out of it is actually good traffic? How do you determine that there are no attacks within the traffic that you're expecting?

So we want to capture what's called indicators of compromise. That's maybe some computer on the network accessing a malicious domain, right? There's a list of domains that we have that are known command-and-control servers; we can see if one of our computers is calling out to a known command-and-control server, and that would be a good indicator of compromise. We also want to look for malicious activity: is there, I don't know, some guy in the network who's just trying to log into an SSH server like 300 times a second? That's not normal. So we want to find that traffic and identify it so that we get the indicators, we can look further into it, we can do further investigation. But that indicator, that initial alert, is what we're trying to get, and that's where the IDS comes in.

So an IDS, what it does, is it's the box that sits there and looks at all the traffic that's going past it, and it has a series of rules that it checks the traffic against. So one SSH packet goes by, that's fine; 300 SSH attempts go by, that starts to trip its alert. It has these pre-programmed rules that we can set, we can configure, we can download a rule set. We can grab from Emerging Threats, the ones I'm going to use here today; you can get other rule sets for it. But basically you download the rule set, it sits there, watches the traffic as it goes by, anything that looks malicious it pops an alert. It'll tell you in one of its various ways, it alerts, hey, something weird happened, I think you should look into this.

And there's a difference here between an IDS and an IPS, right? We're going to set up an IPS today, and the difference is detection versus prevention. So an IDS, all it does is watch traffic; if there's a problem, it flags an alert, nothing else happens. It doesn't do anything else, it just tells you there's a problem and it's up to you to go investigate. An IPS will actually sit there and block the traffic. So you'll put it in line, it'll be between the firewall and the rest of your segments, anything that looks weird it'll drop the traffic for you, and we'll get into some differences there.

So, some configuration deployment. So this is
this is typically how you deploy it, right? It's on the inside of your firewall. If you deploy it on the outside of your firewall there's two problems you're going to run into. First is NAT, right, network access control, or network address translation, sorry. When you move from the outside of the firewall to the inside of the firewall, typically the outside of the firewall will have a single IP address for all of your subnets behind it, but your internal subnets will have the private IPs associated with them. So if you put it on the outside, all you're going to see is that one IP address, and so tracking down which device is actually causing the problem is going to be somewhat more challenging. But if you put it on the inside you'll get the private IP address associated with that traffic, so you'll be able to quickly identify, oh, this came from this device in this subnet, or at the very least this is the subnet that it came from if you've got DHCP and a bunch of devices constantly connecting and disconnecting.

The other problem is, if you put it on the outside, it's going to pick up on all the stuff your firewall already blocks. I honestly don't care if there's an SSH brute force attack against a closed SSH port. Doesn't matter to me, it's not something that I care about. It's going to flag an alert that I have to then go investigate and spend resources to figure out if that's a problem. But if I put it on the inside, all that traffic's already blocked, I don't have to worry about it, I'm only getting things that actually matter to my network.

So there's two ways to do this deployment strategy, by the way. The first is a tap; I have a picture of it here. A tap is a physical device that you put on the network cable between your firewall and the rest of your network. What this does is, every packet that comes across, it permits it straight through, doesn't do anything to it, but sends a copy off to the IDS. So think of it as just a big photocopier, right? Everything passing through it, nothing happens, it just gets a copy off to the IDS; there's no actual connection going through it. So if you do a tap, or if you do any of these options really, you have to remember you have to have one plug for the tap and one plug for actual communications to the server, because the tap is not two-way.

Your other option, if it'll load, is a SPAN session. A lot of switches, like Cisco gear, I think Ubiquiti does this as well, give you the option of mirror ports. So if you have one port that's just for the firewall, right, and that's the inside of the firewall, you can mirror everything that's going on that port and output it to a different one. That's great because that means you don't have to buy anything else, the gear is already there, you can easily and quickly deploy it. The problem with the SPAN session is the additional overhead on the device. If you have all this traffic going on, that's additional overhead that the CPU has to process; the ASIC is taking that much more time to handle it, and it can cause some reliability issues. So generally I'd say tap is the way to go. SPAN session, if you're looking for something for a little while, that's fine, but if you're relying on it in production that's probably a bad idea.

So another consideration is throughput, right? When we're talking about 100 megabit ports, for example, Fast Ethernet ports, it's 100 megabits each way. So if I have a 100 megabit port that I'm mirroring, or that I want to capture all the traffic for, keep in mind that I capture traffic to it and I capture traffic from it, so that's not 100 megabits per second, that's 200 megabits per second maximum that I'm getting through that port. Is everyone following? Cool. So when you're doing considerations like this, you have to remember: if I'm mirroring a Fast Ethernet port I need a gigabit port, if I'm mirroring a gigabit port I need a 10 gig port; whatever I'm mirroring, I need more bandwidth than that port has available. So it might be a good idea, if you have just gigabit Ethernet ports, to make the port you're mirroring only as fast as that; you can hard set it to do that and downgrade it, which isn't a great idea, but it'll get you up and running.

And especially for an IPS, when we talk about throughput, one of our considerations is overhead on the device as well. So an IDS, it's offline, it's not real time; I don't care if my IDS is five or so packets behind, it can catch up. If my IPS is behind, I start to get jitter. So especially in VoIP sessions, voice over IP, anything more than 30-ish milliseconds of delay is going to get you jitter on the line, which is bad voice connections, bad quality, it's not going to be good. So when you put an IPS in there and you have the traffic passing directly through the device so that it can drop the traffic like we were talking about, one of the considerations is you usually cut the throughput of the device in half. So if it's a device that's capable of passing a gigabit of traffic per second, now it's only capable of 500 meg, and that's mainly because of the overhead on the CPU, that it just takes that much time to process the packet before it goes out again. So if you're thinking that you're going to put an IPS in, it's going to be gigabit and it's going to be just fine, you just got to remember that CPU overhead that you're adding to the network.

And like I said, on the taps and the SPAN session, reliability is a huge problem, right? So on the SPAN session reliability is an issue with the overhead. On a tap, typically they're designed to fail open, especially optical taps. So if you're doing a fiber connection, right, it's just light passing through, so usually it's just a prism that is taking that light, redirecting it to a tap and siphoning it off. So if that doesn't get power it doesn't care, it's a physical device, it's still going to pass traffic. But if you have, for example, an Ethernet, just a copper Ethernet device, right, that's your tap, if that loses power then your whole network goes out. So you have to consider reliability, failover; all these things come into play when you're designing a good system. So having redundancy, having two links coming into the firewall, having multiple taps so in case one fails the other picks up, are all things you should be thinking about and making sure you have built into your system.

And of course complexity, right? With an IPS you're probably going to have to replace some of your existing infrastructure; we'll talk about this in a second when we get to embedded firewalls. But there usually is additional work you have to do when you're doing an IPS. With an IDS you just drop it in place, you just do a tap, siphon it off, it'll start working, not a whole lot of configuration. Versus an IPS, it requires some tuning, requires some work to put in place on the front end, and will take additional time and resources.

So like I said, this is a typical deployment. You've got your firewall that feeds to the IDS, or the tap rather; the tap is sending a copy to the IDS for processing offline and then everything else is flowing straight through to the servers. So for example if I've got one of my users trying to attack one of my internal servers, right, that traffic goes up through the firewall because it has to go through to a different segment, so it'll go up through the firewall, through the tap, it'll come back through the tap to the server, so I got it twice. So this will capture all your traffic, this will make sure that everything's working properly; this is the right way to do an IDS deployment.

So here's the bigger question, right? If you're trying to look for a solution for your environment, you're trying to look
for a solution for your company or your home or whatever it is, do you build it or do you buy it from a vendor? Off-the-shelf solutions are great, but is it the right one? So there's a couple options here.

The first one is an enhanced firewall. Typically, Sophos is my favorite, just because it's a good cheap device, it actually has good support, it has a pretty well integrated platform, it's got a good dashboard, the rule set's okay. Ubiquiti is another option that has some IPS functionality built into it. Fortinet, Palo Alto, all these firewall companies are really moving towards having built-in IPS functionality inside the firewall, which is great because you deploy one device and you have your firewall, your IDS, your reporting, everything is built into it. It's great, it's expensive, and if you have an existing firewall, like you've got a Cisco ASA sitting on the network right now, you're going to have to replace it. So you have to consider the cost of replacing that device, the cost of the time and effort to get that re-engineered so the rules are correct, to test and develop, and then you have to figure out how you're going to monitor. There's a lot of extra work that goes into it. So it's a great option, it's a plug and play replacement, it's a little expensive and it takes some time, but it's a good option. And the other thing, like I was saying with the IPS, it cuts your throughput, so if you've got a gigabit device now you only got 500 megs. So if you are looking for high speed, low latency, this is probably not a good option.

So let's go with an actual IDS. Alert Logic is a fantastic company, I think they're based out of Houston. I've deployed, again, more of these devices than I can count. Alert Logic is basically, you give them an IP address, they give you a box, you plug it in and you're done. It will auto-configure, it'll have the latest rule sets, it's got a SOC team sitting behind it, a security operations center team that will look at your alerts and actually do all the work for you. They'll tell you, hey, we saw this thing, here's all the traces of it, here's what it actually did. It's great. Massively expensive. So it's a black box, it doesn't give you a lot of monitoring out of it; it has a great dashboard to manage it, but again it's a black box and it's expensive. So it might not be a great option for people trying to do this for the first time. If you're trying to initially deploy an IDS and just get your feet wet and see what the deal is, what's going on, it's a large investment, which brings me to option number three.

So if you build it, it's going to be cheap, it's going to be dirt cheap. Like, you've got a spare server lying around, you're done. All the tools are free and open source, the rule sets you can get for free; I think the one I just did is a 400 per year subscription for the rule set, and that's the only real cost that it has other than space and power in the data center. So the only real cost there is space and power and employee time to implement it. If you've got someone who's done this before it's nice and quick, and hopefully by the end of this talk all you guys will be able to do this as well, and I'll put my notes online for you to crib the commands off of.

What I like about this option, especially for new builds, is it gives you the ability to put all the infrastructure in place. So even if you go to build your own, right, you've still got to put the tap in place, you still have to have the network architecture correct, you still have to have the ability to respond to alerts. You've got like 90 percent of the infrastructure to support an IDS deployment of something like Alert Logic or some other IDS; you just don't have that big fancy shiny IDS, you're doing it all yourself. So if you wanted to swap it out and upgrade to something like Alert Logic or Sophos or something else in the future, you pull it out, put the new one in and you're done, there's no additional work to do. That's why I like this option as a good first step: it's cheap, it's easy to deploy, you understand what's going on in it, and it gives you the ability to operate in the future.

So let's talk about how you actually do an
IDS deployment. We've talked about how it works in the overall architecture, right? You've got a tap that's feeding a server of some sort that does something, and that gets you an alert. What we're going to do right now is start with a pre-configured, not pre-configured but a pre-installed, Fedora 28 server. All I've done is install the packages that I'll show you in a second. From there we're going to edit the config file, and we're going to download some packages for it, and we'll be done.

So, Suricata. Let's talk for a second. There's two competing, not necessarily competing but two, engines that people use: it's either Snort or Suricata. Snort has been around for ages, it's a good reliable engine that will process packets and give you alerts based on a rule set. It's exactly what you want, but it's not multi-threaded, so in order to process large amounts of packets you need to spawn additional systems, or sorry, additional processes for it. Which is where Suricata comes in. Suricata is multi-threaded; Suricata is built for speed and built for efficiency. It is the upgraded, better version of Snort: it takes the same rule sets, it has the same outputs, it has the same formats, does basically the same thing, so much better. It is multi-threaded from the beginning, it'll auto-spawn instances based on what you need and what your hardware will support. So I very much recommend going with Suricata. Also, it's a package you can download for Fedora, so you don't actually have to compile it from source, which is great.

The rules that I use, like I said, Emerging Threats. There's a bunch of rule sets out there that you can download from various people; some charge for it, some don't. Emerging Threats has an open and free rule set you can go download, and we'll show you how to download that today in this version. So if you're just starting out it's a great start. They have, for that 400 a year fee, a version of the Emerging Threats rule set that is updated a little quicker and has a little bit more juice to it. So if you want to put this in production and want to move from concept to reality with it, that would be my recommendation to go do that as well; it's pretty much just as easy to download those rule sets as well.

So step one is install Fedora Server. I'm not going to do that today because that takes a while. Update all your packages: sudo dnf update -y. The -y is always "do yes" for commands, I like that one. Once you've got an updated, running Fedora server, this is it, that's it, that's literally installing Suricata, you're done: sudo dnf install suricata. It's a package, it's pre-configured, the RPM will automatically maintain it for you. You don't have to worry about updating it; whenever you do your updates it'll pull down the latest version if it gets updated. It's great.

Let's talk about configuration. There's two inputs to Suricata and about three outputs we're going to touch on. The first input is called suricata.yaml. It is an 1854 line formatted configuration file, which is a bit of a beast. The good news is that pretty much ninety percent of what you're going to need ever is in the first five to ten percent of that file; you're not going to need to touch anything else on it, and I'll show you in just a second. Most of the defaults are fine. This is pretty much what I do in terms of updates: we're going to disable the stats, disable fast, enable EVE, and disable the other logging.

I will make a note here. The default file assumes that all your RFC 1919 address space, so the 192.168.whatever addresses and the 10.whatever addresses, it assumes that all those are your internal, behind-the-firewall nets and that anything else is public. So it'll naturally assume that all your internal networks are your source and your external networks are the destination. That's a concept that the rules use: if you have someone from the outside attacking you on SSH, it'll say inbound attack from the outside, it'll give you that extra context. A lot of the rules will also work based on whether it's attacking different segments; there's a lot of stuff in the back end, but just to let you know, there is that assumption that your 1919 space is all internal.

So let's go take a look at this, /etc
and it's gonna ask me for this okay so this is what the circada that yama looks like it's it's a text file that's all it is it's not that scary it's not that bad so this first part what you're seeing is literally what i just said it's assuming that all your internal 1919 space is your home nets and anything external is anything else if you have a different setup if you're using public space for your ip addresses in your network for example i know there's a number of companies that do that just for interoperability with different vpns you can set it here and it's quick and easy to do and i'll do all you need to do is just restart
the engine it'll update it with new ip addresses so we're going to skip a lot of this section two here is all about rules so the nice thing about circada is by default it assumes you're using the emergent threats rule set so it'll automatically have in the file i'm going to look for all this all the emerging threats rules i think that he's gone ahead and downloaded it so i'm just gonna include it by default it's not included in the package you still have to download it but it'll assume that they're there so you don't have to and you don't have to add any of the uh rule files in here it just automatically works
if you do your own um rule file if you have some unique rules that you want to do for your own network um if you have some application running on a weird port that you really want to monitor you just don't want anything coming from this one network and you want want to alert when that happens you put in a custom rule this is where you would add that line so all you do is pop a new line dash space and whatever that file name is in the slash etsy slash rules folder it goes on for a bit okay so outputs so we've got we've got a good idea of how it gets its input right it comes
here comes from the tap it watches the traffic it does things and then it tells you how do you want it to tell you what's going on there's different formats different options so uh can i i think we're going to skip ahead so like i said etsy. rules slash rules is where you get that um so we'll skip ahead a little bit to this so there's options for how you get the rule how to get the alerts out so circada.log is the first place all this does is it logs normal messages it's it's the equivalent of like the system log um so it'll tell you when it starts how many threads are starting if there's any errors if it
comes up with any problems whatever's going on will be in this thing so as you can see that's an example of things that will be in there like i didn't have i didn't have the role set up properly so it gave me an alert it's good for debugging fast.log is a great lightweight logging option all it does is it tells you hey something happened here's the source here's the destination here's the ports if applicable here's the rule it matched have fun that's it it's not a lot it's not a lot of information not a lot of detail but it is lightning fast uh and it's very lightweight it doesn't take up a lot of disk space so you'll be able to get it
out pretty quick eve.json is by far my favorite way to log out of circada so if anyone's familiar with json formatted files it is a json formatted file and for those who aren't familiar basically it's a structure that gives you all the information in pre-named fields so for example up top gives you time stamp i got the timestamp field it'll always tell me what the field is i don't have to go guessing what the structure or the schema looks like it's just always there in here what i've set up is it not only gives me alert not only gives me the header of the packet it only gives me the first four kilobytes of the packet
data itself it'll also give me a lot more detail for example if i have um five flows enabled so flows is circuit outputs alerts is hey something weird happens you can also output flows flows aren't just hey i saw some traffic from this place to this place on this port that's all it is so if i want to go back and look at the specific flow and when that happened a lot more information about it circa can tell me and link it in this format there's a lot more things you can do in here a lot more information you can put in but this is my default for what i do um the last version of outputs this is a
little bit more advanced and we're not going to touch on it here is the binary unifi 2 binary um so if you thought fast.log was fast this is even faster basically it's just outputting the raw information straight to a file it's not human readable which is why i don't like it that much it can be picked up by things like barnard 2 is a good program that will spool this and output it to mysql and all that stuff we're not going to talk about that here today just know that that's an option if you need more if you need to dump directly to mysql if you're doing other stuff that's how it works and it's faster than fast.log
okay so let's go back here so the first thing i'm going to do is i'm going to disable fast because it doesn't really give me a lot of information i don't see a lot of usefulness out of it especially when i'm already getting it in u so i'm going to just set that to no eve eve is enabled by default which is great but it doesn't give me everything i need so uh i'm going to turn on um alert so a lot of these things are commented out because it's trying to be as fast as possible it's trying to give you an optimized version so we're going to turn on packet or payloads so this is going to
give you an output of the payload that's in the packet so you can start seeing if it was an sql injection for example you'll be able to see what the sql command or the sql request was uh in the packet payload buffer size uh i like to set it to four kilobytes otherwise it's just gonna be the whole thing that's gonna be huge um you can set it to more you can set it to less you can tune it to what you need the first 4k gives you um the http request and the preamble uh as well as pretty much enough of the actual packet to give you an idea of what's going on payload printable um
this one come back here so payload printable normally it'll give you the payload and base64 encoded uh what that means it's not human readable but it's a more compact size it's a faster way of giving you the payload as well as it it it doesn't do anything weird if you have this running to mysql you won't have any double sql injections because it's still a base64 encoded i like to turn this on because i like to read it also it'll give you both so in the eve.json it'll give you both basic 64 in this version and it'll give you the output in human readable format packet yes turn on the packet uh that way you get the packet header so you'll
see everything about the frame everything that happened on that level and for those who just attended the previous talk in this room about uh how alice talked to bob this is how alice talks about um hd body yes hb body printable yeah so this is the body of the request so also just turn this on and that is pretty much that um i don't do exported four uh i i don't have a lot of applications so exported four is if you have um a server that's responding for another server if you have a load balance or if you have something like that in your network um and it's not actually going to the server it's
passing through to something else it'll be an x4 header on that um this is i know getting into the weeds um not necessarily something you have to turn on if you have this turned off you'll still be able to tell generally where it's coming from and where it's going you might need to do a little bit more digging but exported four just is more information than i think is is really necessary on this um the rest of this i like to comment out so if we turn off http that will stop doing every http session so all i want is alerts right i don't want to see every flow i don't want to see every
http connection i don't want to see every dns connection it'll do it by default which is a huge file and a huge pain in the butt but i don't want to see it so i turn it off so we're going to turn off http we're going to comment that out i don't want to see every dns request because i don't care who's going to what website that's not for me um if you want to see that that's a good way you can actually filter that and dump it to another file format you can get a whole list of like what people are going to have blacklist it's great but not in scope for what we're talking
about today. tls, turn that off. files, it's not going to reconstruct files for us this time, because that again is taking too much time. smtp is mail information, we're going to turn that off. I don't care about ssh, and I don't care about stats. So stats is: every so often Suricata will dump "I've seen this many packets, it's been this long since I've been running, here's what's going on with itself." Great information, do not care. In my opinion it's just dumping information to a file that I can get by logging in and looking at Suricata directly; I don't really need that dumped in. But if you're handling a number of different systems that are
all running Suricata and you want to have central management, it might be a good idea to turn it on. I don't really need it, so I turn it off: totals, threads, deltas. And this is the one that's going to be the chattiest of all. So flow is what I was talking about: it's source and destination, that's all it is. So for every connection, every single one, flow will tell you where it came from and where it's going. That's a lot of data. I did a calculation on this at my current job: we turned it on for three days and it was about 20 million rows of information, just turning on flows. I don't need it,
that's it. So unified2-alert is off, http-log is off, tls-log is off, dns-log is off, pcap-log is off, debug is off. The last one I'm going to update is stats. So like I said, I don't care about stats. If you want a dedicated stats output there is, I think it's stats.log, so you can have it either dump to eve.json or dump to stats.log; you can have it output a couple of different ways. This is a dedicated file just for that. All I see it doing is just tying up space, so it's something I turn off: enabled: no. Stop that. Okay, so other things you can do out of here:
you can send it to a Redis server, you can send it to syslog, you can send it to a whole bunch of places. But really, dumping it to the file is probably going to be the easiest way to pick it up, especially if you don't have a syslog destination set up and you're not really running that. If you just dump it to a file, there are other ways, other agents we can use to take that information out. So that's pretty much it. Everything after this, and there's a nice little warning up there, "advanced configuration", you don't need to touch. We're at the end of what we care about for this file. This is
fine tuning, this is advanced stuff. This is a beginner's class here; we do not pass this point. So at this point what we've done, right, is we've set up our HOME_NET, we've told it what we care about, we've told it that we're going to start running, we've told it that it's going to output to certain formats. Pretty much we're done, that's it. So we save. That worked, right? Yes, that did work. Okay.
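The outputs section as the talk configures it, written out as an added example rather than the speaker's own file. Key names follow the stock suricata.yaml of the 4.x series (the exact set of keys varies by version, so treat the layout as an assumption and diff it against your installed file): the alert record keeps the payload in both base64 and printable form plus the packet and HTTP body, XFF stays off, and the chatty per-session types (http, dns, tls, files, smtp, ssh, stats, flow) are commented out so eve.json carries alerts only.

```yaml
# suricata.yaml, outputs section (added example; compare with your version's defaults)
outputs:
  - fast:                      # one-line-per-alert summary, kept as a quick sanity check
      enabled: yes
      filename: fast.log
      append: yes

  - eve-log:
      enabled: yes
      filetype: regular        # plain file; redis and syslog are the other choices
      filename: eve.json
      types:
        - alert:
            payload: yes             # payload as base64 (compact, safe to store as-is)
            payload-buffer-size: 4kb
            payload-printable: yes   # same payload, non-printable bytes shown as '.'
            packet: yes              # the packet itself, base64, so the headers are there
            http-body: yes
            http-body-printable: yes
            tagged-packets: yes
            xff:
              enabled: no            # only useful behind a load balancer / reverse proxy
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        # Everything below logs every session, not just alerts; left off on purpose.
        # - http:
        #     extended: yes
        # - dns
        # - tls:
        #     extended: yes
        # - files:
        #     force-magic: no
        # - smtp
        # - ssh
        # - stats:
        #     totals: yes
        #     threads: no
        #     deltas: no
        # - flow                 # source/destination for every connection: the noisiest of all

  # Legacy per-protocol outputs; eve.json already covers alerts, so these stay off.
  - unified2-alert:
      enabled: no
  - http-log:
      enabled: no
  - tls-log:
      enabled: no
  - dns-log:
      enabled: no
  - pcap-log:
      enabled: no
  - alert-debug:
      enabled: no
  - stats:                     # the dedicated stats.log; same information, separate file
      enabled: no
      filename: stats.log
      append: yes
```

Before pointing it at an interface, `sudo suricata -T -c /etc/suricata/suricata.yaml` parses the file and reports the line of any YAML indentation mistake without starting capture; once that passes, `sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3` runs it on one interface (the interface name is an assumption; use whatever `ip link` shows on your box).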
So, starting Suricata. So we've got our suricata.yaml done, that's the configuration, it's all set. So first, figure out what you actually want to monitor. So Suricata can monitor one interface, it can monitor multiple interfaces. Multiple interfaces is still kind of in beta, it's not really supported just yet. I can tell you from my experience, I've been running Suricata on multiple interfaces for six months now, I haven't had any problems. All the test data I have run against it, it's picked up, hasn't had any issues. I think it's pretty stable. I would just warn you that if you're doing multiple-interface logging on Suricata, so if you have not just one tap
but multiple taps, where it starts to get messed up is if you have the same traffic coming in on multiple places. So if you have just one tap, for example, let's say you get a device that you just want to deploy, you just want to monitor one tap, but you don't really know which port it's going to be plugged into. You've got some dopey guy in the data center, he doesn't really know what he's doing, he's going to plug the tap into something, you're just not sure which one. Turn on multiple interfaces: he can plug in wherever he needs to, it doesn't really matter, and it'll just start monitoring. So that's usually my recommendation, just set it to monitor
everything, and it'll be fine. It can even monitor the port that it's getting management on, so if you're managing the port and it's monitoring it, it can do that as well. So if, for example, you're deploying it into your network, it could be a little honeypot, because then all the traffic that's going to hit it, it will also monitor. So, things to think about. So all you do is you turn it on with sudo. You can set it to run with a specific user, but it needs admin credentials in order to put out the log file; there's a bug for that. So you start with sudo, you tell it suricata, do it on this interface with -i,
and then okay, and then it'll start running. So let's go ahead and get that going. Let's see, actually, what am I running on?
-i, and I am on enp0s3. Oh, security is so hard these days.
173. Damn it, sorry.
Oh, it's my indentation. Damn it, why is...
It's always something, isn't it?
All right, I'm just going to turn a lot of this off just to start it up.
Okay, so with Suricata running you're going to get some outputs. The outputs are all going to be in /var/log/suricata.
Annoying. Anyway, so you're going to get your outputs, right. Your outputs are going to be eve.json, fast.log and suricata.log; those are the three you get by default. We just turned on eve; it's telling me it's logging eve. All right, that's going to be logging everything to eve, that extensible format that we saw before. So that's assuming that it's going to run. We have a running IDS, right? So that's how you do it, that's the file format, that's how you set it up. You've got a running IDS. Now what do you do? Because you've got this device that's logging into a file, it's logging locally to a file. How do you get that file? How do you get the file off the box? So
you have to get that file off the box into some system where you're centrally locating everything. If you have six campuses that you're trying to get the information out of, how do you get that centralized? How do you analyze the threats and figure out the signal from the noise? How do you do an alert system, and how do you do the incident response based on that? So, getting alerts. There are options out there; these are some of my recommendations. So the ELK stack is great. Sumo Logic is basically the ELK stack as a service, so I would recommend going that direction. I've done that with a couple of installs, it's been fantastic. You get 500 megabytes per day
for free, which is great. There's an agent that runs on the device, so you install an agent, you give it an API key with Sumo Logic, it'll pick up that file, it'll parse it in, and you'll be able to go in and parse that log file to give you different alerts. You can set scheduled alerts so that if there's something that you're looking for, it'll automatically alert you in an email format. There are a lot of things that Sumo Logic does; they're great. It's got a built-in, not Emerging Threats, it's CrowdStrike, it works with CrowdStrike; it automatically does a lot of information based on the IP address that's coming in.
There's a lot of value add to Sumo Logic. Other things: there are a lot of alerts coming in. So if you have your own database, keep in mind it's going to be roughly 7,000 alerts per week per office, is usually what I've seen. So it's a lot. If you have multiple devices it's going to be even more; for data centers it can be even bigger than that. So keep in mind you've got to store all this data, you've got to keep it in a format that you can actually search through, which is why the ELK stack is great, because it just extends. Sumo Logic is even better because you don't have to deal with it.
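As an added example, not code from the talk or from Suricata, here is the first cut at that volume problem in Python: read eve.json line by line, keep only the alert events (which is all that is left once the flow, dns, http and stats types are commented out), count them by signature and by source, pull out the (source, destination, signature) triples that keep repeating, and decode the base64 payload next to its printable twin. The log lines are constructed inline for the example; the field names (event_type, src_ip, dest_ip, alert.signature, alert.signature_id, payload, payload_printable) are those of an eve.json alert record, and the signature names and sids are made up.

```python
"""Triage Suricata eve.json alerts (added example; constructed sample data)."""
import base64
import json
from collections import Counter


def _printable(raw: bytes) -> str:
    """Mimic payload_printable: every non-printable byte is shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def _event(ts, src, dst, dport, event_type="alert", sig=None, sid=None, payload=b""):
    """Build one constructed eve.json record (sample data, not real traffic)."""
    evt = {"timestamp": ts, "event_type": event_type, "src_ip": src,
           "src_port": 51000, "dest_ip": dst, "dest_port": dport, "proto": "TCP"}
    if event_type == "alert":
        evt["alert"] = {"action": "allowed", "gid": 1, "signature_id": sid,
                        "rev": 1, "signature": sig, "severity": 2}
        evt["payload"] = base64.b64encode(payload).decode("ascii")  # base64 form
        evt["payload_printable"] = _printable(payload)              # human form
    return evt


# Made-up signatures and sids for the sample log.
SSH = ("TEST SSH login attempt", 9000001, b"SSH-2.0-libssh\r\n")
HTTP = ("TEST HTTP path traversal", 9000002, b"GET /../../etc/passwd HTTP/1.1\r\n\x00")

# Constructed sample log: four alerts plus a flow and a dns event of the kind
# that would only be written if those eve types were left enabled.
SAMPLE_EVE_LINES = [json.dumps(e) for e in (
    _event("2019-05-01T10:00:00.000000+0000", "203.0.113.7", "192.0.2.10", 22, "alert", *SSH),
    _event("2019-05-01T10:00:01.000000+0000", "203.0.113.7", "192.0.2.10", 22, "flow"),
    _event("2019-05-01T10:00:02.000000+0000", "203.0.113.7", "192.0.2.10", 22, "alert", *SSH),
    _event("2019-05-01T10:00:03.000000+0000", "192.0.2.10", "192.0.2.53", 53, "dns"),
    _event("2019-05-01T10:00:04.000000+0000", "198.51.100.4", "192.0.2.20", 80, "alert", *HTTP),
    _event("2019-05-01T10:00:05.000000+0000", "203.0.113.7", "192.0.2.10", 22, "alert", *SSH),
)]


def parse_alerts(lines):
    """Return only alert events; skip blank lines and anything that is not JSON."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn line from a rotation mid-write, or junk: skip, don't crash
        if evt.get("event_type") == "alert":
            alerts.append(evt)
    return alerts


def decode_payload(evt):
    """Raw bytes from the base64 'payload' field (what payload-printable renders)."""
    return base64.b64decode(evt.get("payload", ""))


def summarize(alerts):
    """Counts by signature and by source: the first pass at signal versus noise."""
    return {
        "by_signature": Counter(a["alert"]["signature"] for a in alerts),
        "by_src": Counter(a["src_ip"] for a in alerts),
    }


def repeat_offenders(alerts, min_hits=3):
    """(src, dest, sid) triples seen at least min_hits times: action these first,
    or tune the rule if they turn out to be noise."""
    hits = Counter((a["src_ip"], a["dest_ip"], a["alert"]["signature_id"]) for a in alerts)
    return sorted(k for k, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE_LINES)
    print(f"{len(found)} alerts out of {len(SAMPLE_EVE_LINES)} events")
    for sig, n in summarize(found)["by_signature"].most_common():
        print(f"{n:5d}  {sig}")
    for src, dst, sid in repeat_offenders(found):
        print(f"repeat: {src} -> {dst} sid {sid}")
    print("decoded payload:", decode_payload(found[2]))
```

Pointing `parse_alerts` at a real file is `parse_alerts(open("/var/log/suricata/eve.json"))`; the two counters are what a SIEM builds for you, and the bad-line handling matters because a rotated or still-being-written eve.json routinely ends in a partial record.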
And then log retention. So you've got all this data. Usually you're deploying IDS for a reason; it should be the basic building block of any security, but usually it's because you want to do compliance of some sort, for HIPAA or PCI or whatever. Some readings of HIPAA say that we have to keep this information for six years. It's a lot of time. So you not only have to now manage that data and analyze the data, you have to store it and log it. So where you put that, how you do it, how you rotate that out to other things: these are things you have to keep in mind, not within the scope of this
discussion here; I'm just giving you the options of here's how you generally get it out. Analysis: so how do you analyze that information, how do you get alerts out of it? You need some sort of system. Like I said, Sumo Logic is great. This is one that my company built, that I designed. You need to coordinate and correlate: this came in to this IP address at this time from this location. How do you do that, how do you make that analysis happen? You have to be the detective, the who, what, where and why of what happened. Your system needs to be able to do that and aggregate and give you results out, so it
can't just be a flat database; there has to be something along with it. You have options out there like Splunk, there are other SIEM tools that'll do some of this. But the consideration: you don't just get the data, you need to be able to understand and analyze the data. And after that you need to be able to do incident response. So once you have an alert, if you get the alert and you jump for joy, then you're like "you got something," and then sit there like "okay, how do I do anything meaningful with this?" That's where incident response comes in. So you need to have a system where every alert must be actioned, right? So this is my recommendation:
if you don't have every alert actioned, you're going to run into a situation where you're going to lapse into complacency. You're just going to be like "oh whatever, that's some weird alert, I don't have to deal with it because I don't need to action it." So you want your system to only output alerts you care about, stuff that you're actually going to do something about, interesting things. So you have to have your system designed to do that, and then from there you need to contain the threat, investigate what happened, eradicate the threat, close the vulnerability, standard incident response stuff. So I'm getting the high sign from the back. My company, I'm going to
shamelessly plug: our design is built basically to do all this stuff, except for incident response in some cases, for small and medium businesses. So we designed a system to do this. We use Suricata, a running version; we use a lot of these tools that we built ourselves. I'm happy to give you a talk about it as well. There are other options out there as well. Like I said, the easy part is deploying the IDS device. The hard part is getting the alerts in, ingesting the data, doing the log retention, understanding what you're doing, getting alerts out, sending it to the right places. That's the hard part. That's what
we did, and we're happy to share our information with you guys, but that's for another time. So if you have any questions, I'm here. Otherwise, you've been great, and thank you so much. [Applause] That was great, thanks guys.