Security Onion + (ELSA or Snorby) + CapMe = Awesome

Happy New Year everyone, and with some new open source software, what a year it will be.

Monday Doug Burks released Security Onion 12.04. Please read Doug's post to learn how great this new 64 bit release is. I wanted to highlight a few features of the new release which takes Network Security Monitoring with open source tools to a new level for security analysts.

12.04 ships with Martin Holste's Enterprise Log and Search Archive (ELSA) working out of the box. Thanks to close integration with the latest version of Bro, analysts have Web-based, indexed access to Bro logs.

If that weren't enough, 12.04 also ships with a late addition -- Paul Halliday's CapMe. What this means is that you can now access full TCP transcripts from any alert in Dustin Webber's Snorby or Martin's ELSA.

You might not appreciate that right away, but it's a step in the right direction. Thus far, Bamm Visscher's Sguil has been the de facto open source NSM reference tool, allowing analysts to easily pivot from alert or session data to full pcap data. Now, with ELSA + CapMe, analysts can pivot from any log entry of TCP traffic with timestamps, IP addresses, protocols, and ports to a Web-based rendering of a transcript.

This is key: this transcript was not saved because of the log or alert. It was saved simply because the traffic was seen on the wire and netsniff-ng recorded it. This is one way to better handle threats who know how to evade signature-based systems.

This new workflow/feature is what I chose to depict in the screen shot at left. The upper window shows ELSA with a query for a BRO_HTTP log for www.testmyids.com. I then invoke CapMe and generate the transcript in the window at bottom. You can do the same from alert data in Snorby.

This is only the first step in giving analysts more data via open source software. Great work Security Onion team!

Comments

Erik H said…
An alternative to CapMe (or tcpflow or Wireshark's Follow TCP stream for that matter) is to use CapLoader's Transcript feature. I believe CapLoader will be faster than the others when dealing with large captures.
Anonymous said…
I know this is an old thread but I am spinning in circles creating a project plan for an Enterprise Security solution and could use some help. What is the actual tool that will be capturing and storing the pcaps? Is CapMe simply a plugin to integrate the pcap accessibility to ELSA or Bro?
Please ask here:

https://groups.google.com/forum/#!forum/security-onion

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics