Security Onion Primer

If you read my article on Security Onion planning and the mention of Snort/Suricata, Bro, and ELSA left you with questions, or if you haven’t read my Security Onion (SO) planning article but are looking for explanations of the various detection and analysis tools then this is the article for you. This is a Security Onion primer, and not part of the installation and configuration series.

SO has three primary functions that consist of network intrusion detection (Snort, Suricata), host intrusion detection (OSSEC), and analysis tools (Squert, ELSA, Sguil).

  • Sguil (where I spend most of my time) is the console where you view Snort or Suricata and OSSEC alerts, and Bro events. What makes Sguil so powerful is that you can look up IP address in Virus Total, Google, Malware Domain List, Google Safe Browing, Dshield, Central Ops, Domain Tools, and perform DNS and whois lookups of the IP addresses in the alerts. You can also open PCAP’s in Wireshark and Network Miner. Sguil also has the ability to display traffic that was not included in the alert so you can see the before and after of the attack. Going a step further Sguil provides a way for junior analysts to escalate alerts to senior analysts and exchange notes.
  • Squert is the web version of Sguil and provides a high-level overview of what is being fed into Sguil. Squert isn’t meant to replace Sguil, and I almost never use it. The most useful feature is the geo-IP mapping capability which I never use either.
  • ELSA (Enterprise Log Search and Archive) is where I spend roughly a third of my time. According to the creator of ELSA, Martin Holste, “a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy and fast as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.” Anything SO collects can be searched in ELSA to include host logs from OSSEC, and system logs from printers, switches, and any other device that supports the forwarding of system events to a remote server. ELSA also has configurable dashboards where you can group all of the searches that matter most to you.

Here’s ELSA in action:


  • Network-based Intrusion Detection System (NIDS) has two flavors 1) rule-driven and 2) analysis-driven.
    • Rule-driven intrusion detection is performed by Snort or Suricata. You can’t enable Snort and Suricata because they perform the same function; looking at network traffic for indicators of malicious, suspicious, and anomalous traffic based on pre-configured rules.
    • Analysis-driven network intrusion detection is performed by the Bro Network Security Monitor. Bro is developed and maintained by the University of California at Berkeley and supported by the National Science Foundation. Doug has an excellent description of Bro, “Bro monitors network activity and logs any connections, DNS requests, detected network services and software, SSL certificates, and HTTP, FTP, IRC SMTP, SSH, SSL, and Syslog activity that it sees, providing a real depth and visibility into the context of data and events on your network. Additionally, Bro includes analyzers for many common protocols and by default has the capacity to check MD5 sums for HTTP file downloads against Team Cymru’s Malware Hash Registry project. Beyond logging activity and traffic analyzers, the Bro framework provides a very extensible way to analyze network data in real time.”
  • Host Intrusion Detection is performed by OSSEC which is free and open source software that can be installed in Windows, Mac OS X, and Linux. In Doug’s words, “When you add the OSSEC agent to endpoints on your network, you gain invaluable visibility from endpoint to your network’s exit point. OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.” You can change the log level that OSSEC reports. The default level for OSSEC is 5 that is a user-generated error. According to the OSSEC manual “User-generated error – They include missed passwords, denied actions, etc. By itself, they have no security relevance.”   You can download OSSEC here.

Leave a Reply