2011 was a busy year for the Security Onion project and its owner Doug Burks. I just did a quick count of the releases on SourceForge and came up with a total of 32 for 2011! A number of these were bug fixes or application upgrades, but there were quite a few new apps added as well. One of these was Snorby which arrived just in time for Christmas.
I've been using Sguil for quite some time to monitor my Snort boxes, but Snorby is fairly new to me. So I did an update of Security Onion and started checking it out. My first impression was how easy it was to see what was happening over time, at least in volume of events. You are taken to the dashboard after logging in and are immediately presented with counts of your high, medium, and low severity events. Underneath each of those counts are bar charts displaying the frequency of those events over the last 24 hours. In the screenshot below, you can see that there were 3 peaks for high severity issues and get a feel for when they occurred. Beneath that is a line chart of the events for the same period of time.
Why does that stand out to me? Well, one of the things we learn in incident response is to watch for things outside the norm in the environment. What looks normal and what stands out as an outlier? While this information is limited to just event counts and their severity, I can still see how things are trending over time. And with just a few clicks, I can see that for the last 24 hours, today, yesterday, the week, month, quarter or year. So how do my IDS events look right now when compared to the volume of last week or a month ago? Am I trending up or down? Anyhow, I thought this was very cool.
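To make that "outside the norm" idea concrete, here is an added example (my own code, not part of Snorby or Security Onion) that bins Snort fast-format alerts per hour by severity and flags the hours that stand out from the 24-hour baseline. It assumes Snorby's priority-to-severity mapping (1/2/3 as high/medium/low) and uses constructed sample alerts.

```python
import re
import statistics
from collections import Counter, defaultdict

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, ..., [Priority: N]
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+\[\*\*\]\s+"
    r"\[\d+:\d+:\d+\]\s+.*?\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]")
# Snorby shows Snort priority 1/2/3 as high/medium/low (assumed mapping)
SEVERITY = {"1": "high", "2": "medium", "3": "low"}

def hourly_counts(lines):
    """Map each severity to a Counter of alerts per 'MM/DD HH:00' bucket."""
    counts = defaultdict(Counter)
    for line in lines:
        m = FAST_RE.match(line)
        if m:  # skip anything that is not a fast-format alert
            bucket = f"{m['mon']}/{m['day']} {m['hour']}:00"
            counts[SEVERITY.get(m["prio"], "low")][bucket] += 1
    return counts

def peak_hours(counter, hours, z=2.0):
    """Buckets whose count exceeds mean + z*stdev; empty hours count as zero."""
    series = [counter.get(h, 0) for h in hours]
    mean, sd = statistics.mean(series), statistics.pstdev(series)
    # a flat series (sd == 0) has no outliers, so never flag every bucket
    return [h for h, c in zip(hours, series) if sd > 0 and c > mean + z * sd]

def sample_alerts():
    """Constructed 01/05 alerts: 1 high per hour, bursts at 03/09/17, 1 low per hour."""
    per_hour = {h: 1 for h in range(24)}
    per_hour.update({3: 8, 9: 9, 17: 8})
    lines = []
    for h, n in per_hour.items():
        for i in range(n):
            lines.append(f"01/05-{h:02d}:{i:02d}:00.000000  [**] [1:1000001:1] "
                         f"EXAMPLE admin login burst [**] [Classification: Attempted "
                         f"Administrator Privilege Gain] [Priority: 1] {{TCP}} "
                         f"192.0.2.10:{40000 + i} -> 192.0.2.20:22")
        lines.append(f"01/05-{h:02d}:30:00.000000  [**] [1:1000002:1] EXAMPLE dns noise "
                     f"[**] [Classification: Not Suspicious Traffic] [Priority: 3] "
                     f"{{UDP}} 192.0.2.10:53 -> 192.0.2.20:53")
    return lines

def dashboard(lines, day="01/05"):
    """Severity totals plus the outlier hours per severity, like the Snorby dashboard."""
    hours = [f"{day} {h:02d}:00" for h in range(24)]
    counts = hourly_counts(lines)
    return {"totals": {s: sum(c.values()) for s, c in counts.items()},
            "peaks": {s: peak_hours(c, hours) for s, c in counts.items()}}
```

Run `dashboard(sample_alerts())` to see the three high-severity peaks picked out while the steady low-severity trickle is not flagged; point `hourly_counts` at a real `alert` file to do the same over your own sensor's last day.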
From there I started looking at individual events. Snorby allows us to look at the event, the payload of the offending traffic, examine the rule that fired the alert, add notes to the alert and perform classification on what was attempted. All in all, Snorby provides good information and is easy to work with. And this is just one of the applications in Security Onion. I've used Snort and Sguil for a long time and they're a major part of Security Onion as well. And there is still a long list of other network security monitoring applications to work with. The really cool thing about Security Onion is how easy it is to set up and deploy. Install the OS on a system, launch the setup application and in a few minutes you are looking at traffic and doing analysis. Updates are easy to apply to both the OS and our NSM applications. The ease of installation and maintenance is a major plus, particularly as Doug keeps rolling out new enhancements at the rate he has been.
All this for the price of a little time and either a virtual machine or some hardware. So take a quick look and give the Security Onion a test drive. Security Onion is also up for the 2011 Toolsmith Tool of the year, so if you like it, consider giving it a vote.
Kudos to Doug Burks for his work on Security Onion and to Dustin Webber for his work on Snorby.