Whitelisting IPs in OSSEC

All of this was prior to the latest versions of Security Onion which now run inside docker instances. I’ve not yet looked to see how this would be replicated there. But I’m leaving this up for historical purposes. Another tool in the arsenal of Security Onion is OSSEC, a “scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS).” OSSEC examines log and alert events and correlates them against pre-built (or custom) rules and sends alerts as configured. When installed on the Security Onion server, OSSEC alerts are logged in the sguil database and managed alongside alerts from the network IDS. ...

Security Onion - Validating EXE/DLL Download Alerts

All of this was prior to the latest versions of Security Onion which now run inside docker instances. I’ve not yet looked to see how this would be replicated there. But I’m leaving this up for historical purposes. As I’ve mentioned before, Security Onion is a fantastic network security-focused Linux distribution which can monitor your network and/or hosts for malicious activity. The Onion can run Snort or Suricata as a network IDS, and it can also run Bro (now Zeek) alongside those traditional IDS engines to add another layer of intelligence. This article will highlight one way in which these two engines can be combined to quickly triage IDS alerts. ...

Bulk Update Security Onion Alerts

All of this was prior to the latest versions of Security Onion which now run inside docker instances. I’ve not yet looked to see how this would be replicated there. But I’m leaving this up for historical purposes. Security Onion is a fantastic open source IDS distribution created by Doug Burks and Security Onion Solutions. Per their own about page: “Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.” ...

Keep Calm and ...

Just a reminder to keep calm even when it feels like every system around you is crashing down to the ground. Keep a level head and calmly review the log data available, only ruling an event out when the evidence backs it up. If you don’t have the necessary logs available, use the incident to gain management approval to invest in the necessary logging infrastructure. It probably doesn’t even have to be expensive: just the cost of some decent hardware and a good networked installation of Security Onion. (A Snort Talos subscription would also help, and they aren’t expensive, either…) ...