7MS #268: IDS on a Budget - Part 3
Been having a blast working with the beta branch of the Sweet Security project and it anxious to try the latest fixes of the beta branch. Give it a look!
I also spent a lot of time the last few nights playing with Security Onion and love it. After zipping through the install wizard and hitting reboot a few times you're pretty much good to go. A few recommendations I'd make after those initial reboots though:
-
Run the
soup
command to update Security Onion with all the latest packages -
Use
ufw
to adjust the internal firewall to allow management from ports other than SSH (which is already preconfigured) -
On a side note, I think you might have to have your vnic in VMWare set to promiscuous mode in order to allow proper network sniffing.
-
Do a
wget http://testmyids.com
to ensure Security Onion alerts are coming in the squil dashboard security alerts are pouring in.
Also, check out this article for some handy tips on threat hunting with Bro.
Next up on my "test this out list" is to setup DNS tunneling to a Digital Ocean droplet I setup, and see if the onion picks up on that, or if I can at least get warned somehow about a high amount of DNS traffic.