Install snorby for mac

This guide is aimed at people who want to get started quickly with Security Onion (SO) and obtain the following basic functionality:
  1. An understanding of what network and server setup is required.
  2. A basic understanding of how to tune Snort and remove false positives.
  3. Regular reports and specific signature alerts emailed to you.
  4. Splunk installed as an additional platform to mine the data.
  5. Knowing how to clean SO data and do some basic maintenance.

This guide is NOT aimed at the advanced Security Onion user. The amount of information and documentation available from the official SO wiki is very impressive and comprehensive. This guide has therefore been written mainly to extract and present some key information on installing and running SO in a different light, maybe in a more layman's way. It also combines information from many different sources, hoping to save time for readers who face hurdles similar to those the author faced when setting up SO the first time. There is also a very active support forum where Doug Burks himself seems to spend a lot of his time answering questions very quickly and always being very helpful.

Please note that this guide was written with a home network in mind, with only one instance of SO running within a VM and therefore not using any sensor nodes. Some of the information is still relevant to a commercial environment, but the basic SO and network configuration sections would be different.

Installing SO is fairly straightforward, and there are many guides out there on how to configure it. However, getting value out of it takes some time and effort, especially if your network/security/Linux skills are a bit rusty. We have been using SO for some time and have found it extremely useful in detecting and understanding risks related to the surrounding network activity. It has helped us detect malware, misconfigured applications, adware/monitoring activity, vulnerable clients/servers, etc. Obviously, at the core of it there is Snort or Suricata, but what SO provides is a nicely bundled framework to quickly and easily deploy those technologies and visualize their results in a meaningful way.

How meaningful and useful SO can be depends on three factors:
  1. Network visibility: you need to be able to see all traffic from the network(s) you want to monitor. A sensor can only alert on packets that actually reach its monitoring interface, so in practice this means a mirrored (SPAN) port or a network tap feeding the VM.
  2. Tuned environment: unless you can remove most of the false positives, the alerts you get are meaningless.
  3. Alert and reporting automation: you want SO to alert and inform you when required and/or on a regular basis.

In order to achieve the above, this guide will cover the following topics:
  1. Install and configure a basic SO instance.
  2. Get automated daily and weekly Snorby report emails.
  3. Get "live" automated emails sent for specific alerts.
  4. Install Splunk as a complementary means to inspect/search the data.
  5. How to clean SO data if you want to start afresh whilst keeping your settings.

All the information discussed below is available in some shape or form in the Security Onion wiki and via a few Google searches.