Security Onion- IDS, NSM, and log management

What if you want an IDS system that monitors malicious activities and provides you with logs (Network Security Monitoring) and graphs to help protect your network?  And what if you want an easy setup that provides you with information that will help you – something with a GUI interface?   Security Onion can provide you with the defacto IDS system – Snort, Squert and a ton of other tools to help you.  While there are options, Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).

The setup below shows a test system using VMWare with 2 processors and 2 Gb of RAM if you want to try it out.   While the bare minimum is suggested to be 3 Gb, a production environment should have 8- 128 Gb of RAM, a ton of hard drive space for logs and two network cards.  One network card for management and one to sniff.

Security Onion’s ISO can be downloaded from SourceForge.   While there is a ton of how-tos on the internet about Security Onion, there is a great deal of information on there blog located here.

Here’s a simple setup I did at home to try out Security Onion.  Using VMware’s Player (non-commercial use).  If you plan on trying Security Onion or deploying it in a production environment, you should use the commercial version or have a system that supports the minimum requirements.

menuinstallliveLive Runninginstalling rullinstalling driveinstalling drive erase  Installing files after time keyboard finished

 

Once you restart, you’ll need to run setup again to enter an email address for squert and setup a password. Once this is done, you can open the shortcuts on the desktop or use your host computer to login. Once this is complete, login to Snorby’s url.

While snort is running, Snorby will present a dashboard.  You may be surprised to see no threats once you login.  You can expedite this process by running NMap (Zenmap against the virtual machine) if you want to see threats.

What is Snorby? “ Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.”  more information.
2 snorby

Once you run NMap, click on More Options in the right corner and update the Cache

2a cache update

Give Security Onion just a few seconds and refresh the screen.  You’ll see the events logged.  This will visually show you not only how  many threats were ‘ seen’ on the network but will categorize and graph them.

3 snorby 3 severity

Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.
 4 nmap to test

Logging in to Squert allows you to see threats along with maps and information from threats.

5 squert

Squert map

ELSA – allows you to query and look for information.

6 Elsa

What does NMap show when Security Onion is scanned?

7 is it logging

 

 

 

Introduction to Security Onion

Security Onion Blog

 

Cannot reset winsock, isatap yellow exclamation, no wireless or internet

Have a wireless card that doesn’t see the wireless?  Does checking the Device Manager show a yellow exclamation mark on the isatap or Teredo Tunneling Pseudo Interface?

Mickey and I tried everything on someone’s computer and we couldn’t delete the wireless or other networking adapters above that had a problem.   The error, it turns out can be from multiple areas.   We found someone on the internet who doesn’t want any credit.  So to that ‘person’  we say thanks and we owe you.

Always backup your computer before performing advanced commands.

Steps

  1. Load the latest driver for the wireless or Ethernet card.
  2. Reboot if necessary
  3. Go to the properties of the nic card with a problem.  Uncheck IPv6 protocol.   You can check this later after the repair. Close the properties Windows
  4. Go to the Device Manager
  5. Double click on the isatap with a yellow exclamation, click update driver, browse my computer, select next (the driver will be highlighted) and follow through to the finish.
  6. Right Click and remove the Teredo Tunneling Pseudo Interface if it is there.
  7. Open a command prompt as an administrator
  8. Type netsh int ipv4 reset c:\resetlog.txt – hit the enter key    - Do not reboot  -
    Did you have an error that looks like this?  If so, you must modify your registry (see error list below)
    If not, continue to step 9
    Error
  9. Type netsh reset winsock catalog  - reboot

 

Error list  - Resetting the winsock and TCP/IP stack

If you type the following and receive an error -

netsh int ipv4 reset
netsh reset winsock catalog

Remove any antivirus solution you may have.  Often these will prevent the winsock from being modified.  Use removal tools as necessary.

Next find the following key by opening the registry editor (regedit at the run line)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\26

You may see more than one “26″ key – if so, look for all of the 26 values under the keys and perform the following action on each

Right click on the “26″ key, choose “Permissions”, add a checkmark on “Full control” for the everyone group.

Close the registry editor.

Now for a full reset – Open a command prompt as an admistrator -
netsh int ip reset 

 

  • ipconfig /flushdns
  • nbtstat -R
  • nbtstat -RR
  • netsh int ipv4 reset
  • netsh winsock reset catalog
This will rebuild the tcp/ip protocol stack (fully)

Reboot.

Hopefully you have a connection.   Make sure you reload your antivirus software.

 

Microsoft confirms it’s dropping Windows 8.1 support

From Infoworld -

Microsoft confirms it’s dropping Windows 8.1 support.

 

Here’s how this works – If you have Windows 8.1, You must update to Windows 8.1 Update (Yes, someone named it Windows 8.1 Update).   This will insure you get future security updates in the near future.

Keep updating until you see the power symbol and the search icon in your Metro screen!  And then keep updating …don’t miss any updates so you are covered on future updates.

See our troubleshooting information on getting updates if you have problems.

update

 

More Tips on updating issues-

If the installation fails, try the following-

Run CMD as administrator
Type the following: dism /online /remove-package /packagename:Package_for_KB2919355~31bf3856ad364e35~amd64~~6.3.1.14
After this finishes, type: dism /online /cleanup-image /startcomponentcleanup
Retry the upgrade again.

 

Error 0x80071a91?  Try this update. http://support.microsoft.com/kb/2939087/en-us

 

An unnecessary path to tech: A Bachelor’s degree

An unnecessary path to tech: A Bachelor’s degree.

An excellent article on education and technical careers from Computerworld.  TCAT Shelbyville”s CIT program has a 98% retention and 92%+ placement.   Is a degree worth the money?  Yes, after you start your technical career.  Your education in technology cannot end once you start your career.    Are certifications worth their weight?  Absolutely.  If you know the hands-on.   The three, academia, certifications and hands-on is the fastest way to a career in IT.

ReFS – Data Protection – Windows 8.1 and Server 2012

NTFS.  You’ve worked with it for years.  Microsoft’s NTFS is not being replaced by ReFS.   ReFS is available for Windows 8.1 and Server 2012.  What if you have extra drives and need the data protection?  ReFS may be for you. (or Storage Spaces ~See upcoming article)

ReFS is the Resilient File System that makes disk more reliable and works like this.

  • Uses checksums to detect if your data is changed
  • Able to detect and recover from corruption
  • Data is written to a new part of the disk if the above is the case
  • Recovers without limiting availability of the disk
  • Integrity data streams can also be enabled
  • File system metadata is protected
  • No chkdsk
  • Handles 1 Yottabyte ( 1 quadrillion GBs?)

While the boot volume should still be in NTFS, this file system is ideal for servers and workstations that need extra data protection.  The other drives can ideally be made ReFS.

More information from Microsoft

Windows Storage Spaces and ReFS – Is it time to ditch raid for good? via Betanews

 

 

Dell DDA – Upgrading from Windows 8 to 8.1

Having a problem uninstalling the Dell Data Access Software and upgrading to 8.1?  Here’s some tips -

 

  • Dell’s recommendation for upgrading from Windows 8 to Windows 8.1  Link
  • If the software does not uninstall properly, run Microsoft’s fix-it to uninstall the program (Link)  you may also run a registry cleaner that can clear the software from your registry.

 

Our Solution – This may not fit your needs.  Always backup your data.

  • Uninstall the Dell Data Access software  (We had 15 pcs that had remains left after the uninstall
  • Reboot
  • Make sure the software is not listed in the Programs and Features list
  • Navigate to C:\program files and C:\program files (x86)
  • Remove the files under the subfolder ‘Dell’  that are related to the Dell Data Access software
  • If you cannot, open the task manager and click on the details tab.
  • Find the process TDMService.exe, right click and end the process tree
  • Immediately delete the .exes in the above subfolder – you may have to end the process (the process may restart)
  • Delete the files manually (Only the protection files and folders)
  • Run the microsoft fix-it above and/or a registry cleaner
  • Reboot
  • Install Windows 8.1

It seems this is a problem that has many fixes – The above is our fix that worked for us…

 

Other tips that may help once Windows 8.1 upgrading starts -

Remove 3rd party software

Disable the anti-virus software

Run cleaners and defrag