Security Onion - IDS, NSM, and log management

What if you want an IDS that monitors for malicious activity and provides you with logs (Network Security Monitoring) and graphs to help protect your network?  And what if you want an easy setup that presents that information through a GUI?  Security Onion gives you the de facto IDS, Snort, along with Squert and a ton of other tools to help you.  While there are options, Security Onion offers the choice of Snort or Suricata as the IDS engine.

The setup below shows a test system using VMware with 2 processors and 2 GB of RAM if you want to try it out.  While the suggested bare minimum is 3 GB, a production environment should have 8 to 128 GB of RAM, a ton of hard drive space for logs and two network cards: one for management and one to sniff.

Security Onion’s ISO can be downloaded from SourceForge.  While there are a ton of how-tos on the internet about Security Onion, there is a great deal of information on their blog.

Here’s a simple setup I did at home to try out Security Onion, using VMware Player (non-commercial use).  If you plan on trying Security Onion seriously or deploying it in a production environment, you should use the commercial version or have a system that meets the minimum requirements.

(Installation screenshots: boot menu, Install, live session running, installing, drive selection and erase, installing files, time zone, keyboard layout, finished.)


Once you restart, you’ll need to run Setup again to enter an email address for Squert and set up a password.  Once this is done, you can open the shortcuts on the desktop or use your host computer to log in.  Then log in to Snorby’s URL.

While Snort is running, Snorby will present a dashboard.  You may be surprised to see no threats once you log in.  You can expedite this by running Nmap (or Zenmap) against the virtual machine if you want to see threats.

What is Snorby?  “Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.”

Once you run Nmap, click on More Options in the right corner and update the cache.


Give Security Onion just a few seconds and refresh the screen.  You’ll see the events logged.  This will visually show you not only how many threats were ‘seen’ on the network but will also categorize and graph them.


Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.

Logging in to Squert allows you to see threats along with maps and additional information about each threat.


Squert map

ELSA allows you to query and search the collected logs for information.


What does Nmap show when Security Onion is scanned?





Introduction to Security Onion

Security Onion Blog


Microsoft confirms it’s dropping Windows 8.1 support

From Infoworld: Microsoft confirms it’s dropping Windows 8.1 support.


Here’s how this works: if you have Windows 8.1, you must update to Windows 8.1 Update (yes, someone named it Windows 8.1 Update).  This will ensure you continue to get security updates going forward.

Keep updating until you see the power symbol and the search icon on your Metro screen!  And then keep updating... don’t miss any updates, so you are covered for future updates.

See our troubleshooting information on getting updates if you have problems.



More tips on update issues:

If the installation fails, try the following:

  • Run CMD as administrator.
  • Type the following: dism /online /remove-package /packagename:Package_for_KB2919355~31bf3856ad364e35~amd64~~
  • After this finishes, type: dism /online /cleanup-image /startcomponentcleanup
  • Retry the upgrade.
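As an added example (not part of the original post), the same check and cleanup in PowerShell: it looks for KB2919355 with Get-HotFix and, if a failed install left the package staged, resolves the package's full name from DISM before removing it. The package-name prefix comes from the steps above; the script layout and messages are my own assumptions.

```powershell
# Added example, not from the original post: check for the Windows 8.1 Update
# (KB2919355) and, if an earlier attempt left a stale package behind, run the same
# DISM cleanup the steps above describe. Run from an elevated PowerShell prompt.
$kb = 'KB2919355'

$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "$kb is installed (InstalledOn: $($hotfix.InstalledOn)); later security updates will apply normally."
    return
}

# The post's package name is only a prefix; read the full identity (including the
# version suffix) from DISM so the exact name is used in the removal.
$pkgLine = dism.exe /online /get-packages |
    Select-String -Pattern 'Package_for_KB2919355~31bf3856ad364e35~amd64~~' |
    Select-Object -First 1
if ($pkgLine) {
    # DISM prints "Package Identity : <name>"; keep only the part after the colon.
    $fullName = ($pkgLine.Line -split ':\s*', 2)[1].Trim()
    "Stale package found: $fullName. Removing it and cleaning the component store."
    dism.exe /online /remove-package /packagename:$fullName
    dism.exe /online /cleanup-image /startcomponentcleanup
} else {
    "No staged $kb package found; nothing to remove."
}
"Now retry the Windows 8.1 Update install through Windows Update."
```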


Error 0x80071a91?  Try this update.


An unnecessary path to tech: A Bachelor’s degree


An excellent article on education and technical careers from Computerworld.  TCAT Shelbyville’s CIT program has a 98% retention and 92%+ placement.  Is a degree worth the money?  Yes, after you start your technical career.  Your education in technology cannot end once you start your career.  Are certifications worth their weight?  Absolutely, if you have the hands-on skills to back them up.  The three together, academia, certifications and hands-on, are the fastest way to a career in IT.

The dangers of using outdated software

Outdated software contains security flaws which cybercriminals can use as avenues to infiltrate the corporate network.

Microsoft Surface Pro-ready for manufacturing, business and industry

The Microsoft Surface Pro has proven to be versatile in the workplace.  Mr. Arnold, our Industrial Maintenance instructor, uses the Microsoft Surface Pro to connect to nearly a hundred PLCs, motors, robots and other industrial components.

So why is this tablet perfect for business and industries?


External DVD Attached through USB port


USB EasyLINK to transfer files from one computer to another


The window below shows the USB EasyLINK software (loaded on the USB device).



Many industrial components require a floppy disk drive (above and below).


What if you need to expand your USB with a USB hub or two?



IT personnel can attach a Wireless Spectrum Analyzer or multiple wireless cards for site surveys or other wireless needs.




Four Wi-Fi NIC cards shown above.


Multitasking (above)


Joining a domain (above)



Connect an external drive, card reader or multiple USB drives at the same time.

Use all of your Windows-based software... now why was the Surface a bad idea?  It’s not.

CryptoLocker and CryptoLocker 2 are still alive – take steps to protect your computer

CryptoLocker and CryptoLocker 2 are still alive.  You can help prevent infections and encryption (losing your data) by downloading Foolish IT’s CryptoPrevent, available for home and commercial use.

Get the prevention software from here.


US businesses suffered 666,000 internal security breaches

Over 666,000 internal security breaches took place in US businesses in the last 12 months, an average of 2,560 per working day, new research has revealed. The findings, revealed by IS Decisions, also found that despite this regular occurrence, only 17.5% of IT managers consider insider threats to be in their top three security priorities.


800M exposed records make 2013 record year for data breaches

While the number of data loss incidents in 2012 was almost a third higher than that for 2013, the number of records exposed in 2013 breaches reached a record 823 million.


What makes TCAT Shelbyville’s IT program different?



Exams include Windows 70-680/70-687 and Windows Server 2012 70-411/70-640.  The MTA (Microsoft Technical Associate) is associated with other certifications in the same curriculum.

The Information Technology program at TCAT Shelbyville offers one of the best programs in the nation for IT professionals.  The resources and curriculum, covering all major operating systems (Linux, Apple and Windows), are delivered by certified, industry-leading experts.  With this curriculum and the round-robin method of teaching, junior students work with senior students and instructors.  A major advantage students have is resources that are available 24/7/365.

Students spend 30 hours each week in lecture, labs and real-world hands-on work for approximately 15 months.  Winning national awards and recognition, the program offers one of the best learning environments in the industry and continues with a placement rate of over 90% and a retention rate of 96%.


Students can earn up to 10 certifications along with multiple diplomas and certificates.

For more information, visit the CIT program at

Note: The Tennessee College of Applied Technology – Shelbyville is an accredited institution.

Using Zend OPcache in PHP 5.5.6 on IIS

Years ago we began to use WinCache in order to double the speed of our IIS server.  While WinCache 1.3.5 improves the speed of IIS, Zend OPcache is now bundled with PHP, allowing a further increase in speed on your PHP-based web server.

In order to speed up your IIS server with Zend OPcache, make sure you have the latest version of PHP.  Modify php.ini and add the OPcache settings to the file.

After you put them into php.ini, save the file and stop and start IIS.
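As an added example rather than the post's own screenshot, a PowerShell script that appends a typical OPcache section to php.ini, backs the file up first, restarts IIS and confirms the module loaded. The php.ini and DLL paths and the cache sizes are assumptions for a Windows PHP 5.5 build; adjust them to your install.

```powershell
# Added example, not the post's own config: enable Zend OPcache in php.ini on IIS
# and restart IIS. Paths and cache sizes are assumptions; adjust to your PHP install.
$phpDir     = 'C:\Program Files (x86)\PHP\v5.5'          # assumed PHP install folder
$phpIni     = Join-Path $phpDir 'php.ini'
$opcacheDll = Join-Path $phpDir 'ext\php_opcache.dll'    # assumed DLL path

# Directives as they would be added to php.ini (values are typical starting points).
$opcacheBlock = @"

; --- Zend OPcache (added) ---
zend_extension="$opcacheDll"
opcache.enable=1
opcache.enable_cli=0
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
"@

if (-not (Test-Path $opcacheDll)) { throw "OPcache DLL not found at $opcacheDll" }

# Keep a dated backup before touching the live configuration.
Copy-Item $phpIni "$phpIni.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

# Only append once; a second zend_extension line for the same DLL would be an error.
if (-not (Select-String -Path $phpIni -Pattern 'php_opcache\.dll' -Quiet)) {
    Add-Content -Path $phpIni -Value $opcacheBlock
    "OPcache directives appended to $phpIni"
} else {
    "OPcache already referenced in $phpIni; nothing appended"
}

# Stop and start IIS so FastCGI reloads php.ini, then confirm the module is loaded.
iisreset.exe /restart
& (Join-Path $phpDir 'php.exe') -m | Select-String -Pattern 'Zend OPcache'
```

With opcache.revalidate_freq=60, an edited PHP file may keep being served from the cache for up to 60 seconds; opcache.enable_cli=0 keeps the cache out of command-line runs.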


There are some excellent GUI interfaces that you can save as a .php file (for example whatever.php) by copying their code.



Our personal favorite is the Opcache Control Panel (below).






Where to find more GUI interfaces:


More information from

Achieving 100000 hits in Moodle Performance

In order to stress test our Moodle installation on IIS 7.5 with PHP 5.5.6, we used the following:

Installed Moodle, PHP, WinCache and MySQL with the Microsoft web installer.  This produced the production machine.

  • Added wincache.dll to the ext folder (downloaded the new WinCache 1.3.5 from SourceForge).


  • Added the following to php.ini:
    The session save handler section keeps session data in memory and saves sessions to the sessions folder under the moodledata folder.
    The PHP_Wincache section loads wincache.dll and sets an optimal amount of cache for performance.


  • Downloaded PHP 5.5.6 and registered the new PHP with the IIS 7.5 PHP Manager.


  • Added the WinCache store to Moodle.
    This is a plugin to enable MUC access to the WinCache PHP extension available on Windows platforms.  It caches application stores and enhances performance.

Configuration after installing the WinCache store

Site Administration – Plugins – Caching Configuration

Wincache Store

Moodle Session Handling

Site Administration – Server – Session handling – Disable database for session information.


Testing the cache store performance on 100,000 unique requests per operation (see the results after the moodledata move below)



FX-6100 3.3 GHz CPU (six core)
Two Western Digital 2 TB hard disks
8 GB of DDR3 RAM
Windows Server 2008 R2 (Processor Scheduling set to Background; Virtual Memory set to System Managed on the second hard disk)


Note: Since this write-up, we have moved the moodledata folder to a third hard disk and cloned the Windows hard disk to a solid state drive.

The Tennessee College of Applied Technology – Shelbyville (Tennessee Technology Center at Shelbyville at the time) won Computerworld’s Laureate and TechTarget’s SearchCIO-Midmarket 2012 Customer Experience/Integration awards for its LMS system (supplemental to classroom work and hands-on).

Stats from Moodle



After the data was moved to a new drive



Results of the data move (before and after)