
Security Onion IDS (Intrusion Detection System) NSM (Network Security Monitoring) with Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico and more.


Since I began my series on detecting Nmap in Wireshark I’ve become somewhat obsessed with looking at detection and security software that can identify port scans and more.

In the book Nmap Network Scanning, the following is written under the section “Detect Nmap Scans”:

Special purpose port scan detectors are a more effective approach to detecting Nmap activity. Two common examples are PortSentry and Scanlogd.

[....]

…these port scan detection tools work pretty well. Yet the type of administrator who cares enough to keep tabs on port scans will also want to know about more serious attacks such as exploit attempts and installed backdoors. For this reason, intrusion detection systems that alert on a wide range of suspicious behaviour are more popular than these special-purpose tools.

Many vendors now sell intrusion detection systems, but Nmap users gravitate to an open-source lightweight IDS named Snort. It ranked as the third most popular security tool among a survey of 3,243 Nmap users (it’s currently rated as 5th most popular). Like Nmap, Snort is improved by a global community of developers. It supports more than two thousand rules for detecting all sorts of suspicious activity, including port scans.

As a result of reading this I have experimented with both PortSentry and Scanlogd without much success. I then tried Snort and had limited success; I found it difficult, as it is controlled entirely through the command line.

As I was busy moaning about this lack of success on Twitter I received the following Tweet:

And so began a lengthy process of investigating Security Onion:

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It’s based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Basically, Security Onion is a suite of IDS and NSM software (which includes Snort) that comes pre-configured with browser-based front ends, so instead of working through command-line tools you can analyse the sensor output in a GUI.

I tried downloading the XUbuntu bundle for use in a VM, but it just didn’t work for me, so I tried a dual boot, which also failed. So yesterday I borrowed a PC from a friend, loaded Ubuntu 12.04 32-bit and installed Security Onion following the instructions from here.

Once the simple setup was complete and I loaded localhost in the browser, I was greeted with a Security Onion page with:

*Local Server*
Links to quickly access your local Squert, Snorby, ELSA, and Xplico instances:

* Squert: View NIDS/HIDS alerts and HTTP logs
* Snorby: View and annotate IDS alerts
* ELSA: Search logs (IDS, Bro, and syslog)
* Xplico: Carve PCAP files

All of the above are linked, so I simply click through and log in to any one of them to view the output.

That’s as far as I’ve got so far; next I will begin testing with Nmap scans to see what can be detected.
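Before running scans against the sensor it helps to know what the port-scan detectors in this stack actually look for. The following is an added example, not code from this post, from Security Onion, Snort, scanlogd or PortSentry: it implements the classic heuristic all of them share (one source touching many distinct destination ports in a short window, most of them never completing a handshake). The record layout loosely mirrors the Bro conn.log columns, but the log lines, the thresholds and the connection-state values are constructed for the example and are not captured from a real sensor.

```python
"""Minimal port-scan detector over flow records (constructed example).

This is NOT Security Onion's, Snort's or scanlogd's code. It implements the
heuristic those tools share: one source hitting many distinct destination
ports within a short window, most of them failing the handshake, is a scan.
Columns loosely follow Bro's conn.log (ts, id.orig_h, id.resp_h, id.resp_p,
proto, conn_state); every record below is constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical thresholds: alert when one source reaches PORT_THRESHOLD
# distinct (host, port) targets within any WINDOW_SECONDS sliding window.
PORT_THRESHOLD = 10
WINDOW_SECONDS = 5.0

# Assumed "handshake never completed" states (S0: SYN with no reply,
# REJ: SYN answered with RST). Treated as scan evidence by the detector.
FAILED_STATES = {"S0", "REJ"}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    state: str


def parse_conn_log(text):
    """Parse tab-separated lines 'ts src dst dport proto conn_state', skipping '#' headers."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, state = line.split("\t")
        flows.append(Flow(float(ts), src, dst, int(dport), proto, state))
    return sorted(flows, key=lambda f: f.ts)


def detect_scans(flows, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: summary} for every source whose distinct-target count
    inside a sliding time window reaches the threshold. The summary keeps
    the largest window seen for that source."""
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport), failed?)
    alerts = {}
    for f in flows:
        q = recent[f.src]
        q.append((f.ts, (f.dst, f.dport), f.state in FAILED_STATES))
        while q and f.ts - q[0][0] > window:      # expire old entries
            q.popleft()
        targets = {t for _, t, _ in q}
        if len(targets) >= threshold and len(targets) > alerts.get(f.src, {}).get("distinct_ports", 0):
            failed = sum(1 for _, _, bad in q if bad)
            alerts[f.src] = {
                "distinct_ports": len(targets),
                "failed_ratio": round(failed / len(q), 2),
                "first_ts": q[0][0],
                "last_ts": f.ts,
            }
    return alerts


def constructed_log():
    """Three sources: a fast scanner, a normal web client, and a slow scanner."""
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tconn_state"]
    scanned = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3306, 3389, 8080]
    open_ports = {22, 80, 443}
    # 10.0.0.5: 15 ports in 1.5 s; closed ports answered with RST (REJ),
    # open ones torn down by the scanner (RSTO).
    for i, p in enumerate(scanned):
        state = "RSTO" if p in open_ports else "REJ"
        lines.append(f"{1000.0 + 0.1 * i:.1f}\t10.0.0.5\t192.168.1.10\t{p}\ttcp\t{state}")
    # 10.0.0.7: ordinary client, two ports, completed connections (SF).
    for i, p in enumerate([80, 443, 443, 80]):
        lines.append(f"{1000.5 + i:.1f}\t10.0.0.7\t192.168.1.10\t{p}\ttcp\tSF")
    # 10.0.0.9: same probes, one every 10 s (the nmap --scan-delay / -T0 case).
    for i, p in enumerate(scanned[:12]):
        lines.append(f"{1000.0 + 10.0 * i:.1f}\t10.0.0.9\t192.168.1.10\t{p}\ttcp\tREJ")
    return "\n".join(lines)


def run_example(window=WINDOW_SECONDS):
    return detect_scans(parse_conn_log(constructed_log()), window=window)


if __name__ == "__main__":
    for src, info in run_example().items():
        print(src, info)
```

With the default 5-second window only 10.0.0.5 is reported (15 distinct ports, 80% of its probes rejected); the slow scanner 10.0.0.9 never has more than one probe inside any window, which is exactly why a sensor tuned for fast scans misses `--scan-delay` scans. Widening the window to 200 seconds catches it too, at the cost of more state per source and more false positives from busy legitimate clients, the trade-off behind sfportscan's sense_level settings.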

