
Alerts alone are not enough. We need to take an IDS alert and we need to surround it with all this contextual data. What we really need is something called network security monitoring, which is a methodology that originated in the Air Force, and it said: we need to take all of these data types, we need to take IDS alerts and full packet capture and session data and transaction logs, and give all of those to the analyst, and allow the analyst to pivot between those data types mercilessly, just like the attackers are pivoting through our networks mercilessly. We as defenders need to take all this data and pivot from one data type to another to be able to fully defend our network.

So how do we get NSM? Well, the open source de facto reference implementation is Sguil. Sguil has been around now for over 10 years, written by Bamm Visscher, a good friend of Richard's, and Sguil is awesome. It's very powerful; it gives you all of this data, all of this visibility. But what's the problem with Sguil? Has anybody ever tried to manually install and configure Sguil? David, you don't count. A couple of guys down there. How did it go? It was rough. How long did it take you? Did you succeed? Your time was infinite? I was told there's Security Onion, use that. Oh, okay. So with Sguil you go to the how-to, which Mr. David Bianco, who's here today, he runs this awesome wiki that has this how-to. There's this long instruction list: do this, do this, compile this, configure this, edit these configuration files. And that's fine for rock stars like David and Richard who can do that kind of stuff, but not everybody is tall enough to ride that ride; not everybody has that kind of time to put all that stuff together.

So this is what it looks like. Here on the left-hand side you see your Snort alert data, your IDS alerts; we have passive asset data; we have session data; we have full packet capture. We have agents that take that data and they send it into sguild, which then writes it into a database, and then the analysts connect to sguild. So it's very powerful, but it's very cumbersome to put all the jigsaw pieces together to form this wonderful puzzle called NSM.

So I was looking around and I was like, there should be BackTrack for blue team, right? There should just be an ISO image that I could just download and have all this stuff and just be able to click Next, Next, Finish and have it done. So I said okay, well, if it's not out there I guess it's my responsibility to build it and maintain it. So I started in 2008, 2009, released the very first version based on Ubuntu. It included Snort and it included Sguil, so you could download the ISO, you could
click Next, Next, Finish and you would have NSM running. So I put it on SourceForge and nothing really happened; nobody really cared. So I tried again. The next year, 2010, Ubuntu released Ubuntu 10.04, their next long-term support release. I said okay, it's time to rebuild, it's time to do a new version. So I took what I had and I added Suricata. Suricata is an open source competitor to Snort for intrusion detection system alert data. And I added OSSEC for host-based IDS data. So a great example of why OSSEC: you've got a web server; chances are that web server is doing HTTPS, traffic is encrypted, your network-based IDS is now blind to that encrypted traffic. So if an attacker does a SQL injection attack against your HTTPS web server, you are blind to it. But if you have OSSEC, a host-based intrusion detection system, running on your web server watching your Apache log files, it's going to detect that SQL injection attack even though it occurred over encrypted traffic, right? More visibility.

If you remember from the previous slide about Sguil, the Sguil client is written in Tcl/Tk. It's kind of old, it's not a web-based interface. So I added a web-based interface called Squert, written by a guy named Paul Halliday. So I put that version out there and a couple of folks used it. 2011, that's when folks really started picking it up. Richard started tweeting about it, and when Richard, who has 20,000 followers on Twitter, tweets something, people pay attention. So folks started playing with Security Onion, and what's more than that, folks actually started deploying it. And this is kind of weird, because I had originally built Security Onion just for like a training environment, just for students in a classroom environment. I wasn't intending for folks to actually deploy it in production, because I was just putting out an ISO image every couple of months. So if you deploy this in production, you've got to deploy the ISO image and then six months later you've got to wipe that box, reinstall a new ISO image. That doesn't work so well for production deployment.

So I said okay, well, I guess I have to have some kind of in-place upgrade method. So I wrote this little shell script so that folks could deploy their in-place updates, and via that method I was able to deploy some additional functionality. So I deployed Bro. Bro is this amazing piece of software that gives you all of this amazing visibility and intelligence about what's going on in your network, and we'll talk a lot more about Bro later. Added NetworkMiner; it's a great graphical interface for analyzing pcaps. Added Snorby, which is an awesome Web 2.0, Ajax, Ruby on Rails web interface for looking at your IDS
alerts. So added lots of cool stuff in 2011. Then in 2012 Ubuntu released Ubuntu 12.04, the next long-term support release, so it was time to rebuild. So I called this project BDR, the Big Distro Rebuild, right? This consumed a lot of my time and a lot of Scott Runnels'. He's kind of my right-hand man on the Security Onion project; he and I spent many, many hours working on the Big Distro Rebuild. Why did it take so long? Well, the first thing we did is we took every single piece of software and we packaged it. We built true Ubuntu packages hosted in an Ubuntu Launchpad PPA, so that instead of using my cheesy little shell script to do your updates you could use the standard Ubuntu tools built right into the distro to get your updates. So the packaging of the software, that was a big job.

In addition to that, while we're building from scratch, we might as well fix some architectural issues so that we can stand up to higher amounts of traffic. Well, one thing that we did is, originally for full packet capture we were using Snort, and we switched to daemonlogger, but even between both of those, they can't handle really high traffic loads, right? If you're on a small network they'd be fine, but big networks, not so much. So we replaced daemonlogger with netsniff-ng, the packet sniffing beast. So this thing uses zero-copy for high-speed full packet capture, and it's awesome.

Then right below that you see this diagram of PF_RING. Who's familiar with PF_RING? A couple of folks. So the idea of PF_RING is: you've got Snort listening to your network traffic. Who can tell me one of the biggest problems with Snort? Single-threaded, very good. Why is that a problem? Processors, okay. So you hit a certain amount of traffic, your single-threaded Snort process hits 100% CPU, and then what happens? You're dropping packets, very good. So what PF_RING allows you to do: PF_RING is a kernel module with a user-space library that allows you to take any libpcap software, compile it against the PF_RING libraries, and it acts as a software-based, flow-based load balancer, right? So you take a gigabit worth of traffic and you cut it up into four chunks and you spin up one Snort instance for each of those chunks, right? So now instead of having one Snort instance trying to handle a gigabit and dropping packets doing so, you now have four Snort instances each handling 250 megabits, and they can handle that without dropping packets. That's awesome. So we added that.

And then we added ELSA. You're going to hear a lot about ELSA today. ELSA is amazing. ELSA's like a free version of Splunk, kinda, without the exorbitant licensing fees. It's totally free and open source. It's not gonna cost
you millions of dollars; it's gonna cost you a grand total of zero dollars. And it gives you a nice web-based interface for hunting through your logs, whether that be your Snort logs, your Bro logs, your OSSEC logs, your OSSEC alerts, your standard syslog, what have you. They're all going to be in ELSA; you're going to be able to search through them, slice and dice them at will.

I like big onions and I cannot lie. So another thing that we did is we said okay, we need to be able to build big sensors, lots of RAM, lots of CPUs. Well, in order to handle large amounts of RAM we really need to go 64-bit, right? The original version of Security Onion was just 32-bit, so we need to go 64-bit. By building all of our software into packages and hosting it with Ubuntu's Launchpad service, they build 32-bit and 64-bit automatically for us, so that's great, that's awesome. So we release an ISO image and it's 64-bit by default. We want folks to use the 64-bit for higher performance, to handle large amounts of RAM. Now if you want to, you don't have to use our ISO image, right? You can start with your preferred flavor of Ubuntu 12.04, and that could be standard Ubuntu, Kubuntu, Xubuntu, or even Ubuntu Server, right? If you don't want to run a GUI at all, just run Ubuntu Server and add our PPA, install our packages, run our setup wizard, and you're up and running, right?

As I mentioned before, we have Snort, Suricata and Bro running on PF_RING; we have netsniff-ng using zero-copy for high-speed full packet capture. ELSA, the way it's architected, actually acts as a distributed database, because by default in our deployment each sensor runs its own copy of MySQL and Sphinx. You've got one central ELSA web interface that queries all of those in parallel, right? So you're no longer just limited to one single central database that gets big and bloated and slow; ELSA grows as your deployment grows. Here's a picture of how that works. So you start off with your master server, and that's going to run your ELSA web interface. Then you're going to start deploying your sensors; they're going to be running Bro and Snort and Suricata, they're going to be running ELSA log nodes, and so this ELSA web interface is going to query all those guys automagically.

Here's an architectural diagram of kind of the way ELSA works and how it's able to handle large amounts of logs. This is a diagram that Martin Holste put together; Martin is the author of ELSA and he's here today, he's going to be talking about ELSA, so you're going to hear lots of this stuff. So events come into syslog-ng, and then it goes to elsa.pl; it then loads into MySQL, and then Sphinx acts as an indexing overlay to the MySQL database. That gives us our fast retrieval speed. So Sphinx indexes and then consolidates those indexes. And then here's how it looks from a user perspective. So you as the analyst, you log into the web interface and you issue a query: hey ELSA, tell me everything you know about this IP address or this domain name. So you issue the query, the web interface goes and talks to all your Sphinx indexes, it says hey, do you know anything about this? So Sphinx returns back a list of document IDs; the web interface goes and retrieves those document IDs from MySQL and returns it to you as the user, and
this all happens in milliseconds. It's amazing.

All right, so we talked about 2012; spent all this time rebuilding the distro, doing all this Big Onion stuff, right? On December 31st, 2012, released that version. And 2013, here's what we've done. So as time goes on, Snort releases new versions, Suricata releases new versions, there are new versions of PF_RING, so we have to maintain those packages. So we've updated just about every single piece of software in the distro this year; that includes everything you see there. We have our own software that we've developed for the project itself, a lot of scripts, a lot of things that glue all the pieces and parts together. Yes, we are imperfect; yes, we have bugs. So we've fixed lots of bugs in our own stuff. We've added more knobs for tuning. So in our setup wizard, which you'll see in just a minute, we have a lot more questions now where you can control which processes are running. You can enable and disable processes; you can adjust your pcap file size for when you're doing full packet capture. We used to default to a 90 percent disk threshold, so when you hit 90% disk usage, that's when we would start purging out old log files. That's now adjustable, because folks, when they would deploy on older servers with smaller drives, they'd end up filling their drive up too quickly. So we allow you to adjust that, and a lot of other little knobs that you can tune things with.

Another big thing that we added: the vast majority of HTTP traffic today is gzip-encoded, right? So when I take and I pivot to my full packet capture and I look at an HTTP stream, a lot of times I'll see the server respond with gzip encoding, and it's just this binary data that I can't read, and that doesn't help me as an analyst, right? So my good friend Scott Runnels, he wrote this Bro script that automatically decodes that gzip encoding. So that gives me more visibility into what's happening. So we added that, and it's pretty amazing; I use it every single day.

So some metrics about the project. The old, old version of Security Onion based on Ubuntu 10.04: we had 37,000 downloads of that from SourceForge. We released the new 12.04 ISO image on December 31st, 2012; so far we've had 34,000 downloads of it. In June I released a 12.04.1 ISO image; we've had over seven thousand downloads of it. A .2 ISO image came out in July; we've had over five thousand downloads of it. And finally, because we also have BitTorrent available, we have no numbers for how many folks download via BitTorrent. Also, if you choose to install your own version of Ubuntu and add our PPA, we have no counters for that. So suffice it to say, we've got a lot of users all over the world running big deployments of Security Onion.

So that brings us to today. Today I'm very happy to announce a brand new ISO image, 12.04.3. Brand new, the new hotness, right? So we have many changes since the last ISO image that we just put out. One big change is we added this new script called soup, Security Onion Update. It makes your life a little bit easier when it comes to updating a sensor, so that you don't have to worry about PF_RING and MySQL updates, which could kind of cause some problems sometimes. So we just went ahead and fixed that. We added new versions of PF_RING, Snort,
NetworkMiner, and the Security Onion Bro scripts. So all the latest and greatest, all the new hotness that's out today.

One of the big new things that we just added that's included in the ISO image is Salt. Anybody familiar with Salt? A couple of folks; David is, obviously. So let me ask this question: how many folks are familiar with Puppet? A few more folks. Salt is kind of like Puppet, okay? It's a means of doing configuration management and remote execution for your entire deployment, right? So it's one thing if you're just running a small standalone sensor; that's no big deal, right, you can manage that. But as soon as you start running like 10 sensors, 20 sensors, 50 sensors, are you logging into each one of those and updating it manually? Are you, you know, logging into each sensor and updating your configuration files manually? No, that would take forever, right? So we need a way to be able to push configuration and push updates to all of our sensors at one time. Salt allows us to do that.

So with our ISO image, and what you'll see in the demo in just a few minutes, your master server becomes a Salt master. So the setup is just going to ask you, do you want to enable Salt? You say yes, and it makes your box a Salt master automatically. Now when you build your sensor, it's going to ask you, do you want to enable Salt? When you say yes, it enables the Salt minion and it configures it to talk to your Salt master, and it sets up the authentication and all that stuff automagically. So all you have to do is say yes, I want to enable Salt. And then what can you do? Well, out of the box you can, from your master server, you can say salt '*', meaning all Salt instances, cmd.run and any command you can think of, and then that Salt master is going to tell every single Salt minion to run that particular command on every single box instantaneously. You can also do things like, when you update your rule set up here on the master, your minions are going to be watching that rule set, and if it changes (they're checking every 15 minutes) they'll automatically pull that rule set and automatically restart your processes for you. And then finally, another thing that you get out of the box is user management, right? So you go to your master and you say okay, on my sensors I want a doug user, I want a richard user, I want a david user, and I'm going to put my SSH public key on the master, and it's going to push out those accounts and those keys to all boxes. Automagic just happens. It's awesome. So that way you can manage your deployment versus having to manage individual boxes.

All right, so just a quick review of some of the data types that we've talked about, some of the data types that you're going to see in the demo. So again, we start off with alert data. So we have network-based IDS alerts coming from either Snort or Suricata. We have host-based IDS alerts coming from OSSEC. We have syslog data, so any of your infrastructure in your environment that speaks syslog, you can just send it to ELSA and it'll just accept it, because it's just syslog. We have asset data coming from Bro and PRADS. We have session data coming from Argus, Bro and PRADS. Then we have transaction data. So Bro is creating all of these insanely detailed transaction logs like HTTP, FTP, DNS. So how many folks today have a log of every single DNS request in your environment? Not too many folks. How many folks would like to have that? That should be everybody, okay. We can do that; you can do that today. Full content data from netsniff-ng. And all this just happens out of the box.

All right, so would you guys like to see a live demo? Are you sure? Okay, well, you made me do it. All right, so let's see. So here's our Security Onion virtual machine. This is using the brand new 12.04.3 ISO image, just released today,
so if it crashes and burns I'll just call it beta software. So what I've done so far is I've run through the standard Ubuntu installer to install it to my virtual machine. I've rebooted into that installation, I've run through the first phase of our setup wizard, and what that does is you tell setup which interface is which. So you have a management interface and then you have a sniffing interface. So I've done that and I've rebooted. Now I'm going to run through the second phase of setup. Let me just make sure. Okay, all right, so here's our lovely setup wizard: Welcome to Security Onion Setup, would you like to continue? Well, yes, I would. All right, so setup detects that I've already configured my network interfaces, so it says do you want to skip that part or do you need to reconfigure? We'll just skip it because we've already done it and it's fine.

Now the next question is, do you want to run Quick Setup or Advanced Setup? Now for those of you who have never used Security Onion before, if you're going to try it today, we recommend that you run Quick Setup the first time that you try it. It's going to ask you the minimum number of questions, it's going to choose some smart defaults for you, it's going to turn everything on, so that you just get up and running as quickly as possible. What I'm going to show you today is Advanced Setup, because this is what you're going to use if you're going to do a true enterprise production deployment. Advanced Setup is going to allow you to specify: this box is my master, these boxes are my sensors, they're going to report back to the master. It allows you more control, more knobs for tuning. So that's what we're going to do, Advanced Setup.

All right, so what kind of box is this going to be? Is it going to be a server, or is it going to be a sensor, or you could do both and just be a standalone box? And that's what we're going to do, so we're going to do a standalone box. What would you like your Sguil username to be? What's your email address? What do you want to set your password to? Confirm your password. Which IDS engine would you like to use? You can use either Snort or Suricata, it's up to you. We'll choose Snort. Which rule set would you like to use? So by default we give you Emerging Threats GPL. It's totally free; you don't have to sign up, you don't have to create an account, you don't have to pay any money, it just works. So that's what we'll use. But if you want to go with Emerging Threats Pro and pay money to them, you can do that; if you want to pay money to Snort for their subscriber rule set, you can do that.
Which network interface should be monitored on this machine? eth0 is my management interface and eth1 is my sniffing interface, so we're going to choose eth1. All right, so here's where we get into enabling and disabling processes. So it's going to ask you, for each of the processes in our stack, do you want to enable or disable? So do you want to enable the IDS engine? Yes, I do; this will give us our IDS alerts. So now the next question, this goes back to the PF_RING stuff we were talking about before: because this virtual machine has two CPU cores, I can choose up to two Snort instances to run, and setup is going to configure all that automatically. In this case I'm just going to choose one. Next question is, would you like to enable Bro? Bro is amazing; yes, you do want to enable Bro. And again, with PF_RING, we could choose up to the number of CPU cores that we have; for this demo we're just going to choose one. http_agent: so when Bro is sniffing your traffic and it's writing all your HTTP transactions into http.log, we have a process called http_agent which can take those HTTP logs and send them into the Sguil database, so that you can view them in your Sguil console. So do you want to enable that? Yes, I do. Would you like to enable Argus? For this demo we don't really need that, so we'll turn that off. Would you like to enable PRADS? PRADS gives you session data and asset data, so we will enable that. Would you like to enable full packet capture? Yes, I do; yes, you do want full packet capture. How big do you want your pcap files to be? So when it's recording full packet capture, by default we're going to grow that pcap file to 150 megabytes and then roll to a new file. We'll just accept the default there. At what percent of disk usage would you like to begin purging old logs? So our default is 90; as soon as you hit 90% disk usage, it's going to start purging out those old pcaps and those old log files. Would you like to enable Salt? Yes. Just be aware, though, that currently this is a brand new integration that we have; it is still considered experimental. We are going to enable it today just so you can see it. Would you like to enable ELSA? Yes, yes.

Okay, so now we come to our confirmation screen. So setup has collected all the information it needs and it's confirming all of our selections: are you sure this is what you want to do? Yes, please. All right, so right now setup, behind the scenes, is going and putting together all the pieces in that jigsaw puzzle. It's doing all the hard work for you, configuring all the stuff, starting all the processes. So right now it's initializing the Snorby database. As soon as setup finishes I'm going to show you four interfaces, and the first one I'm going to show you is Snorby. I mentioned before, Snorby is Web 2.0, it's Ajax, it's Ruby on Rails, it's got all the hipster buzzwords, right? It's written by a cool guy named Dustin Webber, and it's really awesome; it's really a beautiful web interface, folks really love it. It's one of those things, when I show Snorby to folks they just kind of start drooling, you know, they get really excited about defense just because Snorby is so cool looking. And then we're going to move on to
Squert, which is another web-based interface. Is there a question? Yeah, I just had a couple. As far as packet capture, does it do all packets, or can you set it to do selective packet capture? Because if you're talking about, you know, a gig of interface, you're going to get an awful lot of packet data, right? So the question was, are you recording all packets or can you selectively change what you're recording? So you can use BPF, Berkeley Packet Filters, to say I want to ignore all this traffic from my backup server, I want to ignore this traffic over here, I want to ignore traffic on this port, it's just doing encrypted traffic. So you can configure that.

All right, so the setup wizard is now complete, right? We didn't have to spend hours and days and weeks compiling all this software, configuring all this software, testing it and getting it to work. We're done, right? We clicked a few buttons and we're up and running. So setup is now complete, we click OK. Just some closing information so you know where to go from there, and if you have questions or problems you go to our site, check out our frequently asked questions, yada yada. So we're done.

So let's go to our terminal window. So the first thing I want to show you is this new Salt integration. So remember I said that with Salt, from your master server you can control your entire deployment. So what we can do is we can do something like this: salt '*', meaning all the Salt minions in our entire deployment, test.ping, and that's just going to ensure that all of our minions are up. So if we had 10 sensors you'd see them all listed there; you'd see sensor1, sensor2, and they'd all respond with True. So, well, that's not really that powerful other than just making sure they're there, but what if we do this: cmd.run 'service nsm status'?

All right, so obviously this is just one box, but if we had 10 sensors you'd see the status of every single one of those sensors, all of their output: sensor1, sensor2, sensor3. But you can tell here that our setup process did complete successfully, because we've got nice pretty green OKs. Everything is up and running, everything works, it's great. All right, so we've got all of these processes listening to our network interface, but they're not actually doing anything right now because I don't have any traffic, right? I'm not connected to a network. Lucky for you guys, I happen to bring some traffic. Okay, so we're going to use our old friend tcpreplay, and we're just going to do a small sample. I just want to make sure that Bro is doing what it's supposed to be doing.
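The investigation walked through later in the demo pivots from a Snorby IDS alert to CapMe for the full TCP stream and then to Squert for PRADS asset data. What follows is an added example, not code from the talk or from the Security Onion project: it performs the same kind of pivot against Bro's http.log and conn.log (the transaction and session data types the talk lists), answering the two questions an IDS alert alone cannot: did the download actually succeed, and who did the workstation talk to afterwards. The log contents, IP addresses, hostname, URI and uid values are constructed for illustration, and the field sets are abbreviated from the real Bro logs. The "new peers after the download" heuristic is this example's own, not something the talk describes.

```python
"""Pivot from an IDS alert through Bro transaction and session data.

Added example; the sample logs below are constructed, not real captures.
Bro writes tab-separated logs whose column names come from the '#fields'
header line; other '#' lines (separator, types, open/close) are metadata.
"""

# Constructed http.log: the workstation fetches a .doc.exe (HTTP 200) and a
# favicon that the server does not have (HTTP 404). Field set is abbreviated.
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\tresp_mime_types
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\tset[string]
1377100000.123456\tCXWv6p3arKYeMETxOg\t192.168.1.50\t49152\t203.0.113.10\t80\tGET\tfiles.example.net\t/hr/termination.doc.exe\t200\tapplication/x-dosexec
1377100005.654321\tC4J4Th3PJpwUYZZ6gc\t192.168.1.50\t49153\t203.0.113.10\t80\tGET\tfiles.example.net\t/favicon.ico\t404\t-
"""

# Constructed conn.log: the same two HTTP sessions (matching uids), a later
# TLS session from the workstation to a new host, and unrelated DNS traffic.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1377100000.123456\tCXWv6p3arKYeMETxOg\t192.168.1.50\t49152\t203.0.113.10\t80\ttcp\thttp\t0.41\t312\t65536\tSF
1377100005.654321\tC4J4Th3PJpwUYZZ6gc\t192.168.1.50\t49153\t203.0.113.10\t80\ttcp\thttp\t0.02\t280\t512\tSF
1377100030.000001\tCmES5u32sYpV7JYN\t192.168.1.50\t49154\t198.51.100.77\t443\ttcp\tssl\t120.0\t4096\t16384\tS1
1377100031.000001\tCmkgFx2BBmdgGOgHee\t192.168.1.51\t51000\t10.0.0.5\t53\tudp\tdns\t0.01\t60\t120\tSF
"""


def parse_bro_log(text):
    """Parse a Bro TSV log into a list of dicts keyed by the '#fields' names.

    Unset values stay as the literal '-' string, as Bro writes them.
    Raises ValueError on a data row without a preceding header or with a
    column count that does not match the header.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #open, #close, ...
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def investigate(http_log_text, conn_log_text, workstation, uri):
    """Pivot alert -> http.log -> conn.log for one (source IP, URI) pair.

    Returns a summary with:
      download_succeeded  True only if the response was 200 with an
                          executable MIME type (transaction data)
      download_uid        Bro uid linking the transaction to its session
      resp_bytes          bytes the server actually sent (session data)
      followup_peers      hosts the workstation contacted after the download
                          that it had not talked to over HTTP (heuristic for
                          candidate follow-on / C2 traffic, example's own)
    """
    http = parse_bro_log(http_log_text)
    conn = parse_bro_log(conn_log_text)
    conn_by_uid = {c["uid"]: c for c in conn}

    # Pivot 1: the alert's source IP and URI identify the transaction.
    txn = next((h for h in http
                if h["id.orig_h"] == workstation and h["uri"] == uri), None)
    if txn is None:
        return {"download_succeeded": False, "download_uid": None,
                "resp_bytes": 0, "followup_peers": []}

    succeeded = (txn["status_code"] == "200"
                 and "x-dosexec" in txn["resp_mime_types"])
    session = conn_by_uid.get(txn["uid"], {})
    resp_bytes = int(session.get("resp_bytes", "0") or 0)

    # Pivot 2: from the transaction's timestamp into session data.
    t0 = float(txn["ts"])
    known = {h["id.resp_h"] for h in http if h["id.orig_h"] == workstation}
    peers = sorted({c["id.resp_h"] for c in conn
                    if c["id.orig_h"] == workstation
                    and float(c["ts"]) > t0
                    and c["id.resp_h"] not in known})
    return {"download_succeeded": succeeded, "download_uid": txn["uid"],
            "resp_bytes": resp_bytes, "followup_peers": peers}


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(HTTP_LOG, CONN_LOG, "192.168.1.50",
                                 "/hr/termination.doc.exe"), indent=2))
```

The uid column is what makes the pivot cheap: Bro stamps the same uid on the conn.log row and every protocol-log row for that connection, so once the alert has been matched to an http.log transaction, the session record (bytes, duration, state) is a dictionary lookup rather than a five-tuple search. The favicon request in the sample shows why the status code matters: the same workstation issued that request too, but nothing was delivered.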
All right, so you can see there, this is the Bro conn.log. This is connection records, this is session data: this IP address talked to this IP address. And I just wanted to verify that Bro is up and running and that it did identify our hostname and interface. Everything looks good. All right, so the next thing we want to do is create some more traffic, some more interesting traffic. So we'll do this one and we'll do this one. Yes? While you run this, could you explain the difference between what you're doing and what people want? Yes, so what Richard's referring to is the fact that we're using tcpreplay to take some pcaps and replay them to an interface. So this is great for doing a demo like this, because I'm just shoving some traffic to an interface just so I can generate some alerts and some logs. But you have to be careful if you're relying on tcpreplay from a forensic standpoint, because what tcpreplay is doing is, it's not looking at the timestamps that are in those pcap files; it's just taking the data and shoving it into the interface as quickly as possible. So in a minute when we go and look at these interfaces and we look at the timestamps that are on those logs, those aren't the true original timestamps, okay? So if you're working an investigation and somebody sends you a pcap and you want to do forensics and you use tcpreplay, don't rely on those timestamps that you get out of the end of that, because those aren't the true original timestamps. Is that what you were referring to? Yes, but there are tools that are included here; like, you can run Bro against the trace, you can run NetworkMiner, but it's just a different operational model, right? So you could do, if you do want to get the original timestamps, you can do bro -r and the name of the pcap file, you can do snort -r and the name of the pcap file, and you can read them like that. But in order to be able to show our entire stack and do this demo today, we're using tcpreplay; we don't really care about the timestamps for this demo.

All right, so we've created some traffic, so now we're going to start looking at some interfaces. So I said I'm going to show you four different interfaces. I'm going to start with Snorby, so I double-click my Snorby icon
and I proceed anyway, even though that Doug Burks guy is trying to own me with false certificates. All right, so here's my nice beautiful Snorby interface. I'm gonna log in using the username, the email address and password that I specified in setup. Now we've got this nice dashboard; we need to force a cache update, this will take just a minute. So we've got all these IDS alerts that are sitting there in the Snorby database and we just have to refresh. So there on the screen you see we've got 368 high severity alerts, 46 medium severity alerts, 72 low severity alerts. We can click on each of these and we can just drill into just the high severity alerts if we want to. We can go down here and we can look at this; we can look at severities, we can look at protocols and signatures, and we've got nice pretty colorful charts for the management types, right? So that's all fun and good, but we're analysts, right? We want to see the packets, we want to see the alerts. So let's go to Events.

So here are our IDS alerts. So keep in mind that Snorby is really limited to just IDS alerts, so everything that you'll see here, we'll see like ET, this is Emerging Threats, this is our Emerging Threats rule set, and GPL, these are standard GPL rules. So we could find something in here and we could drill into it and start working an investigation. So let's pick this one. So this is Emerging Threats policy, suspicious .doc.exe in an HTTP URL. So somebody tell me why I would care about that particular alert. Social engineering, okay, explain. Standard phishing fare: you give it an extension so it gets an icon, people think it's a .doc file or whatever, they open it, it's actually an executable, and now they're owned without having to use an exploit. Yeah, so maybe they receive an email that says hey, I found this confidential document from HR that talks about the fact that you're getting fired next week, click this link to retrieve the Word document. So the user says oh, I'm getting fired, I better read this Word document, right? But our users are better than that. Oh, clearly, yes, obviously, sure.

So here's our IDS alert, here's our standard IDS alert type data, right? So up here you see like the source IP, the destination IP, source port, destination port; down here you've got the payload. So the thing to remember about an IDS alert is that it's just a snapshot in time, right? So here's an analogy: you've got a house, you want physical security for your house, you get a security system, they come and install it, and then you realize it's just a motion-activated camera that takes a snapshot. So you don't know if the bad guy knocked on your door and walked away, or if he broke down the door and stole your 3D TV, right? So look at this, and let me click on ASCII so we can just concentrate on this. So let me show you one other thing: we can look at the rule. So here's the IDS rule that generated the alert. So the IDS rule is just looking for content .doc.exe, okay? So let's start asking some questions. So based on the IDS rule that generated this alert, with this payload, was this a false positive or a true positive? True positive, very good. This is a true
positive because all i was looking for was dot dot dot x and it's right there it's a true positive did the user actually download this file based on what you see here you made the request it made the request we don't know that it came back it could have been a 404 on the server right so just based on the ideas alert alone we don't know if this succeeded we don't know if the user downloaded the file that's when our other data types come in handy so let's take this ids alert and let's pivot to another data type so we can go to packet capture options custom fetch packet so we're pivoting to another web
interface called CapMe, and this is going to our full packet capture store and retrieving the entire TCP stream from disk, right? So let me scroll down so you can see this. Up here at the top you see what we saw before in Snorby: you see the GET request from the workstation, right? And then you see the server's response. What can you tell me based on the server's response? The server had the file. The server sent the file to the workstation. Okay, we answered a question; that's good. All right, so let's continue scrolling through here. So what is this?
Say that louder. "It's an HTTP method for setting up communication through a proxy." An HTTP method for setting up end-to-end communication through a proxy. Well said, sir, you must know what you're talking about. All right, so we see that in the executable that the workstation downloaded. What else can we see? Hmm, what is this? "C&C IP." An IP address. Interesting. All right, well, let's copy that IP address. Let's go back to Snorby. So in Snorby you can search, so let's say if the source address is this or if the destination address is this, search. We get nothing. Okay, so I chose this example for a reason, because remember I said Snorby is limited to IDS alerts and that's it.
If you're just relying on IDS alerts, you're not going to solve this investigation, okay? So let's move on to our next interface, which is going to give us a little bit more data. Let's peel another layer. See what I did there? You guys catch on fast; I can't get anything by you. "You keep peeling and you're not gonna have any onion left." Oh, just wait, I got lots of onion. All right, so I go to Squert and I say IP is this, and then I go Update. Oh wait, um, there we go. All right, so Squert has some other data types. So in this case what we're seeing here is a PADS New Asset.
So this is asset data coming from a tool called PRADS. So PRADS saw, hey, there was a communication with this IP address, and we saw an HTTPS client. Well, that's interesting. So we did have communication. So the workstation requested the executable, we saw that it downloaded it, we saw an IP address in the executable, and now we're seeing traffic to that IP address; we're pulling the string, right? So that's pretty cool. So what about this? Um, what if I, here's my workstation IP, what if I ask Squert, hey, Squert, what do you know about this IP address? So we have some URLs, we have some other alerts, we have, oh, we have a RAT, we have Gh0st RAT command and
control. Well, that's interesting. So you know what, let's go into Sguil, let's peel another layer of the onion, right? Because Sguil is going to give us a little bit more information, more access to more data. All right, so let's sort by port, and hey, here's our IP address and here's port 21. Well, that's interesting. So our suspicious workstation IP address connected to an FTP server. Well, let's check that out. So in Sguil you can pivot on anything that you see in here to full packet capture very quickly and very easily. Bam, just like that, right? So this window pops up with a nice ASCII transcript, so now we see the FTP conversation that took place.
So what do we see? We see the workstation logs into the FTP server with user jack, password two. Awesome. Yeah, I like this attack. Uh, and then what do we see here?
That would be an upload. Interesting. What do we see here? Another upload. Okay, that's interesting; maybe I need to check those out. So let's pivot. Let's take the destination IP address and ask Sguil, hey, show me all of the session data for that particular IP address. And so what do we see here? Well, we see the port 21 control channel conversation that we just looked at. What else do we see there? Data channel. Interesting. What might we see in the FTP data channel? Let me look at the other one first. So what do we see here?
Somebody was trying to run gsecdump. What is gsecdump used for? Dumping password hashes. What do we actually see in the output here? Do we see password hashes? We see the options for the gsecdump command. Let me offer a theory here: might this be a sloppy attacker who actually mistyped his command? Could be. I love seeing sloppy attackers; it's awesome. They're human just like we are. It's fine, it's cool. All right, well, let's look at the other one, okay? Because that data doesn't scare me. It doesn't scare me that they ran gsecdump and didn't get anything because they screwed up. But let's look at the other one. What do we see there? A RAR file. Wow, how do you know that?
I have eyes. You have eyes; you can see the fact that the file begins with "Rar". Wow, can you do that again? Thank you. Go blue team. All right, so we have a RAR file. Well, that's interesting. Maybe I better look at that, you think? All right, so here's what we can do. We can say, instead of just looking at the transcript, I want to send that pcap into Wireshark. So has anybody ever played with this little tool called Wireshark? Anybody? All right, so, oh, that was the wrong one.
Watch it, watch it, I will kick you out of my talk. We'll revoke your BSides Augusta privileges as well. All right, so there's our RAR file; sloppy defender wins. All right, so what I meant to do there was Follow TCP Stream and Save As, and save this as out.rar, close this, and close Wireshark. So guess what, we just extracted a file from a pcap. So now if we go to Accessories, File Manager, and we go to File System and we go to tmp and we go down to out.rar, it prompts for a password. An encrypted RAR, that's crazy. So we're dealing with a sloppy attacker, so maybe he was sloppy in picking a password. How about that? So q-w-e-r-t-y.
Bingo. All right, so we open up this folder. Hey, there's the data that was just stolen from your network. We answered that question: the attacker got in, they got the data out, there it is right there. All right, so the other thing that I want to show you about Wireshark, or excuse me, Sguil, is, so let's pick an EXE so we can pivot this into Wireshark. So if you see a user download a suspicious EXE like we saw before, of course with Wireshark you can go File, Export Objects, HTTP, and it will carve that executable right out of the HTTP traffic. You can save that to disk and start doing forensics on it. The other option is, instead of sending it to Wireshark, you can
send it to NetworkMiner. NetworkMiner automatically extracts the files; all you have to do is right-click on the folder, and there's your executable. Pretty cool, right? All right, so that's what I wanted to show you in Sguil. Next and finally I want to show you ELSA. So ELSA has this web-based interface where you throw all your logs, and we log in using our standard username and password. And so I'm going to show you a few different log types that we have available and how you can use those for hunting, because what we've done so far is kind of alert-based, reactive detection processes. But you heard Richard talk this morning in his keynote speech about
hunting and how we need to be proactively hunting in our environment. So in ELSA we can say, hey, ELSA, show me all of the connections on my network, so show me the bro_conn log. Now, ELSA, take and group that by source IP. So this is all of the top talkers on my network in just a couple of clicks. Go back to this original tab, group by destination IP: here are all the top destinations on my network. Go back here, group by destination port: here are the top ports on my network, right? You expect to see like 80, 53, 443, then you start looking for anomalous port numbers, right? Start pulling the string on those. Let's
look at another log type. Let's go to, remember I asked before how many folks have access to all of the DNS requests on your network? Check this out: show me all the bro_dns logs, Submit, now group by hostname. Check that out: that's a list of all the DNS requests on our network. You see some other stuff in there like WORKGROUP and MSBROWSE; it turns out Bro also does this other cool thing where if it sees a Windows NetBIOS name request it'll actually log that to the DNS log as well. If we just want to see true DNS requests, we can filter on port 53. So there's our DNS report, so you can
start looking through that for anomalous DNS requests and start drilling on those. Now let's look at HTTP logs and do the same thing. ELSA, show me all the HTTP transactions on my network and, oh by the way, group by site. Okay, so this is cool: look at all the sites on your network that your users visit. Oh, we have Apple, we have Apple, we have Apple, we've got some fanboys. What's that? What is this thing right here? Well, that's clearly legitimate, right? Maybe I need to drill into that and check it out. All right, so here's all the requests to split me.com.cn. So now if I see an HTTP request that interests me, maybe I want to drill into
that. So I click Info, Plugin, getPcap, put in my username and password, wait a few seconds; it's going to go to my full packet capture store, retrieve the entire stream, and show me exactly what happened. All right, so if I scroll down here I see a request from the workstation, I see a response from the server, I see a request from the workstation, I see a response from the server. What is all this stuff down here? Encrypted? Encoded. Gzip encoded. Remember I mentioned before that the vast majority of HTTP traffic is gzip encoded because providers want to save on their bandwidth, so they encode it using gzip to compress it before they send it.
So I can't read this, I can't see what happened. But guess what, I can solve that problem for you. I just go back, I render the transcript with Bro; Bro is going to automatically decode that gzip encoding. So now when I scroll down here, what do I see in the server's response? JavaScript. Very good, David has looked at this once or twice. All right, so again, more visibility equals more wins for you defenders. All right, so that's ELSA. So I showed you all this cool stuff, and oh by the way, ELSA does have dashboards; that's pretty cool. And let's see. So now that I have preached to you the gospel of Security Onion and you're ready to download it,
just go to security.blogspot.com. You'll see my latest post from 5:30 this morning where I released the brand new 12.04.3 ISO image. You can download it from there, from SourceForge, or via torrent, what have you. You can get help on our frequently asked questions, on our mailing list, you can hop on our IRC channel, follow us on Twitter at @securityonion. I'm teaching a class in Memphis next month; if you're interested in log management I'm teaching that. I'm going to be teaching another eight-hour Security Onion class right here in Augusta, Georgia, probably in the next month or so. So if you need training, we got it. Is there a question back here for me? Yeah, just curiously, um,
instead of using ELSA, I mean, I realize it's not, great call, but if you have an enterprise SIEM deployed, can you send the logs off to the enterprise SIEM so I can get like the Bro logs and so on? So the question is, if you already have an enterprise SIEM deployment and you don't want to use ELSA for whatever reason, yes, you can configure all of your log data to be shipped off to some external syslog collector. That's no problem; we have a lot of users that do that. Okay, so sure, no problem. All right, now one more thing.
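The ELSA hunts walked through above (show me bro_conn and group by destination port, show me bro_dns and group by hostname, then filter to port 53 to drop the NetBIOS names Bro writes into the DNS log) as an added Python example; this is not code from the talk, from Security Onion or from ELSA, and the Bro log rows, addresses and the parse_bro_log/stack/rare helper names are constructed for the illustration.

```python
from collections import Counter

# Constructed Bro conn.log and dns.log excerpts in Bro's tab-separated format:
# a "#fields" header naming the columns, data rows, and an optional "#close".
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1379160001.0\tC1\t192.168.2.5\t50001\t192.168.2.1\t53\tudp\tdns",
    "1379160002.0\tC2\t192.168.2.5\t50002\t198.51.100.10\t80\ttcp\thttp",
    "1379160003.0\tC3\t192.168.2.7\t50003\t198.51.100.10\t80\ttcp\thttp",
    "1379160004.0\tC4\t192.168.2.7\t50004\t198.51.100.20\t443\ttcp\tssl",
    "1379160005.0\tC5\t192.168.2.5\t50005\t203.0.113.9\t6667\ttcp\t-",
    "#close\t2013-09-14-12-00-00",
])
DNS_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery",
    "1379160001.0\tC1\t192.168.2.5\t50001\t192.168.2.1\t53\tudp\twww.example.com",
    "1379160006.0\tC6\t192.168.2.7\t137\t192.168.2.255\t137\tudp\tWORKGROUP",
    "1379160007.0\tC7\t192.168.2.7\t50007\t192.168.2.1\t53\tudp\twww.example.com",
    "1379160008.0\tC8\t192.168.2.5\t50008\t192.168.2.1\t53\tudp\tupdates.example.net",
])

def parse_bro_log(text):
    """Turn a Bro TSV log into dicts keyed by the column names in its #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines carry no events
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def stack(records, field, where=None):
    """ELSA-style 'group by': count the distinct values of one field, most common first."""
    counts = Counter(r[field] for r in records if where is None or where(r))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def rare(records, field, max_count=1, where=None):
    """The bottom of the stack: values seen at most max_count times, worth pulling on."""
    return [value for value, n in stack(records, field, where) if n <= max_count]

if __name__ == "__main__":
    conn, dns = parse_bro_log(CONN_LOG), parse_bro_log(DNS_LOG)
    print("top ports:", stack(conn, "id.resp_p"))
    print("rare ports:", rare(conn, "id.resp_p"))
    # NetBIOS name requests land in dns.log too; filter to port 53 for true DNS
    print("dns queries:", stack(dns, "query", where=lambda r: r["id.resp_p"] == "53"))
```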