Given the complexity of this architecture I think I should write a line or two explaining the componentsJ:
- The Sensor – Sniffs the packets, validates them against rules and sends any alerts to the server. For my requirement, this is the machine that runs the Snort IDS.
- The Server – Collects and stores the alerts and provides the necessary infrastructure for viewing/analyzing alerts. In other words, this is the host for any of the GUIs for Snort.
- The Analyst Workstation– This is just about any machine using which an Intrusion Analyst can login to one of those Snort GUIs, view and take further action on the generated alerts.
As I was hunting around the internet to implement this setup using VMware workstation, I came across Security Onion (or SO for short). The description in their site goes:
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Quite impressed by what I had read, I immediately downloaded the Security Onion ISO (~1.4 GB) from Sourceforge. True to their word, setting up the lab turned out to be quite simple and elegant. Yeah, ok, the next best thing since sliced bread…. Barring the initial struggles, I was able to get my lab running in about 2-3 hours.You may refer the steps I followed during the setup from here.
[…] This post follows from the context of "How I setup an IDS Lab" […]
ReplyDelete