Security Onion (http://securityonion.blogspot.com/) is a Linux distribution for intrusion detection and network security monitoring. Security Onion for Splunk is designed to run on a Security Onion server, providing an alternative method for correlating events and incorporating field extractions and reporting for Sguil, Bro IDS and OSSEC. (For a detailed description of the application with screenshots: http://eyeis.net/2012/04/splunking-the-onion/.)
Splunk for Security Onion provides several dashboards and search interfaces for correlating Sguil, OSSEC and Bro IDS log events.
Required Splunk Apps:
- Sideview Utils - http://splunk-base.splunk.com/apps/36405/sideview-utils
- Splunk for OSSEC - Splunk v4 version - http://splunk-base.splunk.com/apps/22285/splunk-for-ossec-splunk-v4-version
- Geo Location Lookup Script (powered by MAXMIND) - http://splunk-base.splunk.com/apps/22282/geo-location-lookup-script-powered-by-maxmind
- Google Maps - http://splunk-base.splunk.com/apps/22365/google-maps
- Splunk Visualizations - http://splunk-base.splunk.com/apps/22283/splunk-visualizations
A Security Onion server and a Splunk 5.x installation. (Note: when installing Splunk on a Security Onion system, Splunk's default web port (8000) will likely already be in use, so you will need to choose another port for the Splunk web server. Port 81 should be a safe alternative.)
Download from www.splunk.com. Install via terminal command:
sudo dpkg -i splunk-5.*.deb
When install completes, we need to start Splunk for the first time:
sudo /opt/splunk/bin/splunk start
After accepting the agreement, you'll have to pick an alternate port for the Splunk web interface since the default is in use. You'll see the following and when prompted to change, choose yes, then specify port 81:
Checking prerequisites...
	Checking http port [8000]: already bound
ERROR: The http port [8000] is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]: y
Enter a new http port: 81
Setting http to port: 81
	Checking http port [81]: open
	Checking mgmt port [8089]: open
Checking configuration... Done.
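If you would rather know which ports are taken before the installer asks, the following added shell check (not part of the app or of the Splunk installer) lists the TCP ports already in LISTEN state by reading /proc/net/tcp and /proc/net/tcp6 directly, then suggests a web port by trying Splunk's default 8000 and falling back to 81. The candidate list and the use of the /proc files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of Security Onion for Splunk or the Splunk installer:
# find TCP ports already listening on this host and pick a free Splunk web port.
# Reads /proc/net/tcp-style files directly, so it needs neither ss nor netstat.

# listening_ports FILE...
# Prints the decimal local port of every socket in LISTEN state (st == 0A),
# one per line, sorted and de-duplicated across all files given.
listening_ports() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Skip the header line; column 2 is local_address "HEXIP:HEXPORT",
        # column 4 is the socket state.
        awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$f"
    done | while read -r hex; do
        echo $(( 0x$hex ))      # hex port -> decimal
    done | sort -n | uniq
}

# port_in_use PORT FILE...
# Exit status 0 if PORT is listening according to the given files, 1 otherwise.
port_in_use() {
    port=$1; shift
    listening_ports "$@" | grep -qx "$port"
}

# choose_web_port FILE...
# Prints the first free candidate: Splunk's default 8000, then 81 as the
# README suggests. Returns 1 if both are taken.
choose_web_port() {
    for candidate in 8000 81; do
        if ! port_in_use "$candidate" "$@"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Live usage on the Security Onion box (skipped where /proc is unavailable).
if [ -r /proc/net/tcp ]; then
    echo "Listening TCP ports: $(listening_ports /proc/net/tcp /proc/net/tcp6 | tr '\n' ' ')"
    echo "Suggested Splunk web port: $(choose_web_port /proc/net/tcp /proc/net/tcp6)"
fi
```

Run it once before `splunk start`; if it prints 81, answer "y" at the port prompt and enter 81 as shown in the transcript above. If it prints nothing, both 8000 and 81 are taken and you need to pick another unused port.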
Splunk's built-in way to run at boot time is (as root): $SPLUNK_HOME/bin/splunk enable boot-start, with an optional -user foo at the end to run as a particular user. It installs the proper boot scripts for your OS, so you don't need to edit the /etc/rc.* files yourself:
/opt/splunk/bin/splunk enable boot-start
Install Required Splunkbase Apps:
Open Firefox and browse to http://localhost:81 (or if you used an alternate port change accordingly). Change your password, then click App > Find More Apps from the menu in the upper right corner. Find the following apps and install them.
- Install Splunk for OSSEC - Splunk v4 version
- Install Geo Location Lookup Script (powered by MAXMIND)
- Install Google Maps
- Install Splunk Visualizations
- Install Sideview Utils
- Install Security Onion for Splunk
Configure Bro IDS Inputs:
Depending on how much traffic your sensor monitors, you may need to leave some of the Bro inputs disabled to avoid maxing out your license. The following are the sourcetypes configured for each Bro IDS log data input:
- bro_communication - Bro sensor communications
- bro_conn - Connections
- bro_dns - DNS requests
- bro_dpd - Dynamic Protocol Detection
- bro_ftp - FTP activity
- bro_http - HTTP traffic
- bro_irc - IRC activity
- bro_known_certs - Certificates seen
- bro_known_hosts - Hosts seen
- bro_known_services - Services detected
- bro_notice - You definitely want this one enabled
- bro_smtp - SMTP activity
- bro_smtp_entities - SMTP message entities (attachments and MIME parts)
- bro_software - Software versions detected (incl. vulnerable versions)
- bro_ssh - SSH activity
- bro_ssl - SSL activity
- bro_syslog - Syslog activity
- bro_weird - Anomalous events
Using Splunk for Security Onion:
I've standardized the source and destination IP fields in the Bro IDS and Sguil log field extractions so "src_ip" and "dest_ip" are consistent across events.
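As an illustration of how such a normalization is done in Splunk (this is an added example, not the props.conf/transforms.conf shipped with the app), the stanzas below name the tab-separated columns of a Bro 2.x conn.log and then alias the Bro originator/responder addresses to src_ip and dest_ip. The transform name, the stanza layout and the exact column list are assumptions; match the FIELDS list to the #fields header of your own conn.log.

```ini
# Added example, not the configuration shipped with Security Onion for Splunk.
# Shows one way to expose Bro conn.log addresses as src_ip / dest_ip.

## transforms.conf
[bro_conn_fields]
# conn.log is tab-delimited; name the columns in the order Bro writes them.
# Underscores replace the dots in Bro's id.orig_h etc. to keep field names simple.
DELIMS = "\t"
FIELDS = ts, uid, id_orig_h, id_orig_p, id_resp_h, id_resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes

## props.conf
[bro_conn]
# Each conn.log line is one event.
SHOULD_LINEMERGE = false
# Apply the delimiter-based extraction above at search time.
REPORT-bro_conn = bro_conn_fields
# Alias the Bro names to the common names used across Sguil and Bro searches,
# so "src_ip=10.0.0.5" finds conn events as well as Sguil alerts.
FIELDALIAS-bro_conn_src = id_orig_h AS src_ip
FIELDALIAS-bro_conn_dest = id_resp_h AS dest_ip
```

Field aliases are applied after REPORT extractions, so the original Bro field names remain searchable alongside src_ip and dest_ip. Bro's leading "#" header lines will still index as events with empty fields; exclude them with a search filter or a nullQueue transform if they clutter results.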
Log file data inputs are file specific (as opposed to monitoring the entire /nsm/bro/logs/current/ directory) primarily for granular control over what gets splunked. Depending on your licensing you may need to scale back certain logs and this provides an easy way to do so.
The SOstat monitoring scripts are configured to run at various intervals (in seconds). The default settings are very conservative, executing most scripts once a day and status scripts 3 times a day. The default configuration is:
Sourcetype - Script - Interval (seconds)
- sostat_disk - /opt/splunk/etc/apps/securityonion/bin/disk.sh - 86400
- sostat_ifconfig - /opt/splunk/etc/apps/securityonion/bin/ifconfig.sh - 86400
- sostat_nsm_log_archive - /opt/splunk/etc/apps/securityonion/bin/nsm_log_archive.sh - 86400
- sostat_nsm_sensor_ps-status - /opt/splunk/etc/apps/securityonion/bin/nsm_sensor_ps-status.sh - 21600
- sostat_nsm_server_ps-status - /opt/splunk/etc/apps/securityonion/bin/nsm_server_ps-status.sh - 21600
- sostat_nsm_sguil_uncategorized - /opt/splunk/etc/apps/securityonion/bin/nsm_sguil_uncategorized.sh - 86400
- sostat_top - /opt/splunk/etc/apps/securityonion/bin/top.sh - 21600
The default settings can be modified via Splunk Manager > Data Inputs > Scripts. Click on the script name in the "Command" column to increase/decrease the interval. You can also disable/enable scripts.
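The same settings live in inputs.conf, which is where you would edit them if you prefer a file over Splunk Manager. The stanzas below are an added example (not the inputs.conf shipped with the app) showing the per-file Bro monitors described above, with one high-volume log disabled, alongside two of the SOstat scripted inputs with the default intervals from the table. The Bro log file names are assumed to be Bro's usual notice.log, conn.log and dns.log under /nsm/bro/logs/current/; the script paths and sourcetypes are taken from the README.

```ini
# Added example, not the inputs.conf shipped with Security Onion for Splunk.
# Per-file monitors give granular control over what gets indexed.

# Bro IDS logs: one stanza per file, so any log can be switched off
# individually to stay under the license volume.
[monitor:///nsm/bro/logs/current/notice.log]
sourcetype = bro_notice
disabled = 0

[monitor:///nsm/bro/logs/current/dns.log]
sourcetype = bro_dns
disabled = 0

[monitor:///nsm/bro/logs/current/conn.log]
sourcetype = bro_conn
# conn.log is usually the largest Bro log; left disabled on a busy sensor
disabled = 1

# SOstat scripted inputs: interval is in seconds
# (86400 = once a day, 21600 = every 6 hours, i.e. status scripts 3-4 times a day).
[script:///opt/splunk/etc/apps/securityonion/bin/disk.sh]
sourcetype = sostat_disk
interval = 86400
disabled = 0

[script:///opt/splunk/etc/apps/securityonion/bin/nsm_sensor_ps-status.sh]
sourcetype = sostat_nsm_sensor_ps-status
interval = 21600
disabled = 0
```

After editing inputs.conf, restart Splunk (or reload the inputs from Splunk Manager) for the changes to take effect; the enable/disable toggles and intervals you see under Data Inputs > Scripts are the same values as these stanzas.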
Comments or Questions:
For comments, suggestions or questions, feel free to drop me an e-mail: email@example.com
Hope you enjoy the app!