Does anyone run Security Onion at home?

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,385
I am just curious if anyone is running this, or perhaps some of the components. I've looked into it lately and it's intriguing, but is there any benefit to running NSM at home, or in lieu of a UTM network device? What's your overall impression of it?
 
I installed it but haven't done much with it, I'm interested in working with it some more. At work we have a snort+barnyard+snorby instance and I will test SO to see if it's worth it to replace something that's working.

Be sure to install as 'Standalone' and not 'Server', they're different things
 
"Server" doesn't actually collect data, only collates information from sensors, right?

Do you use any sort of UTM device at work? Do you think it's better, or just another tool in the arsenal?

The Tao Security guy seems to hint that NSM is more useful than IDS/IPS, because they'll always find a way through. Maybe I'm reading it wrong?

Anyway--it seems like it could be a useful tool, but not sure I want to dedicate hardware to it.
 
Yeah, 'Server' just collects the data, 'Sensor' mode passes captures to the 'Server'. 'Standalone' is all-in-one.

At work we have ASAs with threat-detection measures in place and Snort behind it listening on mirrored VLANs. Both have been useful in thwarting potential attacks and even found a botnet or two on some customers of ours.

I do recommend having at least an IDS in place in any size infrastructure though, even a mild machine or virtual machine would do the trick.
 
I was reading somewhere on the Security Onion site about hardware recommendations, and I think it said something like 4GB per interface for collection, plus quite a bit of hard drive space for logs. It indicated it would use a lot of horsepower. However, this seemed to be more of an enterprise-related recommendation, with a lot of constant traffic--which I wouldn't have. Would monitoring two ports on a home network hammer a virtual machine, especially if I want to have routing, etc on the VM?
 
You would want to make sure that the VM can actually listen on an interface; KVM for instance only actually captures broadcasts and traffic destined to their MAC on their virtual interfaces, but other virtualization should be fine (check before you go through the rigmarole of installing everything)

With little traffic, you don't need a beefy machine or VM, but I do recommend a good amount of space to hold data; between logs and databases, it can add up.
 
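Dark Shade's advice to confirm the VM can really sniff before doing the whole install is worth turning into a concrete check. The script below is an added example, not something from this thread or from the Security Onion project: it counts frames seen on an interface whose destination MAC is neither the interface's own nor broadcast/multicast. If that count stays at zero, the hypervisor is only delivering the VM its own traffic and a sensor on that interface would be blind. The interface name, the frame count, the `/sys/class/net` MAC lookup and the assumption that `tcpdump -e -nn` prints the destination MAC as the fourth field are all mine; the sample capture is constructed for the self-test.

```shell
#!/bin/sh
# Added example (not from the original thread or Security Onion): before
# installing a sensor in a VM, confirm the intended sniffing interface sees
# frames that are not addressed to it. Assumptions: Linux with tcpdump,
# and `tcpdump -e -nn` lines carrying the destination MAC in field 4.

# count_foreign <own-mac>: read `tcpdump -e -nn` lines on stdin and count
# frames whose destination MAC is neither ours nor broadcast/multicast.
# An interface that only ever sees its own and broadcast traffic is
# useless as an NSM sensor port.
count_foreign() {
    awk -v mac="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF >= 4 {
            dst = tolower($4); sub(/,$/, "", dst)
            # Group bit (lowest bit of the first octet) set means
            # multicast or broadcast, which every NIC receives anyway.
            if (dst != mac && substr(dst, 2, 1) !~ /[13579bdf]/) n++
        }
        END { print n + 0 }'
}

# Constructed sample of tcpdump -e -nn output for the self-test:
# one frame to our MAC, one broadcast, one multicast, two between other hosts.
SAMPLE_MAC="00:11:22:33:44:55"
SAMPLE_CAPTURE='12:00:00.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.9 > 10.0.0.5: ICMP echo request
12:00:00.000002 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.7 tell 10.0.0.9
12:00:00.000003 aa:bb:cc:dd:ee:01 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 92: 10.0.0.9.5353 > 224.0.0.251.5353: UDP
12:00:00.000004 aa:bb:cc:dd:ee:02 > aa:bb:cc:dd:ee:03, ethertype IPv4 (0x0800), length 74: 10.0.0.2.443 > 10.0.0.3.51000: Flags [S.]
12:00:00.000005 aa:bb:cc:dd:ee:03 > aa:bb:cc:dd:ee:02, ethertype IPv4 (0x0800), length 66: 10.0.0.3.51000 > 10.0.0.2.443: Flags [.]'

# demo_count: run the counter over the constructed sample (expected: 2).
demo_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | count_foreign "$SAMPLE_MAC"
}

# check_iface <iface> [frames]: capture a handful of frames on a live
# interface (tcpdump enables promiscuous mode itself) and report whether
# any were for other hosts. Needs root and tcpdump; hypothetical usage.
check_iface() {
    iface="$1"; frames="${2:-200}"
    mac=$(cat "/sys/class/net/$iface/address") || return 2
    seen=$(tcpdump -i "$iface" -e -nn -c "$frames" 2>/dev/null | count_foreign "$mac")
    if [ "${seen:-0}" -gt 0 ]; then
        echo "$iface: $seen of $frames frames were for other hosts; sniffing works"
        return 0
    fi
    echo "$iface: no third-party frames in $frames; check vswitch promisc or port mirroring" >&2
    return 1
}

case "${1:-}" in
    check) check_iface "$2" "${3:-200}" ;;
    demo)  echo "foreign frames in sample: $(demo_count)" ;;
esac
```

Run it as `sh sniffcheck.sh check eth1` on the VM while something else on the segment is talking; `-c` means tcpdump will wait until it has the requested number of frames, so on a quiet link wrap it in `timeout`. On a KVM virtio interface with no promiscuous mode or mirroring configured on the bridge, the count stays at zero even while the mirrored port carries traffic; a PCI passthrough NIC, as planned above, sidesteps the hypervisor entirely.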
Thanks Dark Shade. Drive space shouldn't be an issue, and if I get this up and running for the sensor ports I'd probably just give it a dual-port NIC on passthrough and a vNIC for management access. Then I shouldn't have to worry about driver interactions.
 