I've been a fan of Security Onion for a while. Richard Bejtlich's book "Practice of Network Security Monitoring" discusses setting it up and how to incorporate it into an operations center's routine.
Notably, Security Onion and other tools are very difficult to use in cloud environments where you don't control the network! There are ways of getting a sensor access to the relevant traffic, but they require careful architecture. Even when set up properly, encrypted traffic defeats much of the deep packet inspection-based monitoring.
Do you have any other resources to point me toward describing how you would set something like this up in a cloud environment? Are there other tools better suited for cloud environments?
SANS has a slightly dated paper ([1]) about setting up this sort of thing that gives a flavor for how it can work.
I think AWS's VPC Flow Logs are the foundation for better tools (disclaimer, my company develops these tools - [2]). I hope Azure and others follow suit.
I deployed it at home a few years ago - a hardware server on a mirrored switchport. Really easy to set up. And from what I hear, the multi-node setup with manager is easy, too. If you want IDS but don't have a high software budget for Cisco FirePOWER or Palo Alto or $VENDORIPS, this would be a good start.
It will still take a lot of personnel time, though. Tuning alerts is critical.
Could you use this, for instance, to detect an infected Windows host talking to a botnet? Or would that sort of connection info be lost as noise in the presumably large amount of data captured?
You could definitely use Security Onion's tools for that. The full SO distribution is a little bit overkill for that. You could run YAF ([1]) on a box attached to a mirror port to log IP headers and then periodically check it against a tracker.
NetFlow or VPC Flow Logs (in AWS) would work just as well for this also.
I work in a major bank's SecOps. Here we use RSA Security Analytics for aggregating packets and logs from all over the network, firing alerts and doing our analysis.
I would like to know if someone here has used both RSA Security Analytics and Security Onion, and what they think about how they compare against one another. The last time (which was about 2 years ago) RSA Sales people came to our site and showed the capabilities of their product, it seemed to exceed the capabilities of Security Onion, but I am still a junior guy in SecOps and I still have a lot to catch up and learn, so I don't have the sufficient knowledge and expertise to determine how they compare against one another and what the pros and cons of each product are.
Turn this into a small appliance I don't have to manage and take my money. Send me alerts via Slack and ask me to confirm suggested corrective actions.
I see you got downvoted, but the reason someone wants something for free: many powerful expensive appliances exist. But if someone needs to stand something up quickly and effectively for an investigation or frequent analysis, that gets expensive.
I am sure other people with Cisco Sourcefire and competitors will agree here.
Okay. For those downvoters, this... for those of us without the time, skills and money for expensive solutions or free solutions, a reasonably priced appliance would really, really be great. That market is pretty much everyone with an internet connection who conducts business or confidential communications online.
Tons of SMB router vendors include basic IDS features, often under the label "UTM", with some sort of basic rule set aimed against malware.
If you want something better, hands-off doesn't work that well; you have to tune it to your network, because otherwise you'll drown in alerts for mundane things or leave a lot of potential on the table. (E.g. in an insurance office, remote management connections or IRC are probably worth an alert. In a dev shop these might happen all the time. Or not, depending on setup and policies.)
You use it to monitor network activity similar to NIDS products from vendors like Cisco or Enterasys. You'd either set up network taps or mirrored switch ports, and you'd feed the resulting network traffic to one or more Security Onion sensors. The distribution includes a variety of different intrusion detection systems, e.g., Snort, Bro, together with a few different analysis tools, e.g., Barnyard, Sguil. You'd usually tap your network core or distribution layers because they naturally aggregate traffic flowing between security domains (e.g., data center/office, intranet/extranet, public/private) and because it's generally too costly to tap all but the most critical assets at the network access layer (although switches with integrated IDS are becoming a thing).
Security, not infrastructure. You set it up to monitor traffic and it has tools like Snort, Snorby, Suricata, etc. that look for bad things on your network.
Ideally you use a mirror port so that all traffic being routed also gets sent to the SecurityOnion services for automated analysis, reporting, and alerts (depending on how SO is configured).
As andrewstuart2 mentioned, you need it to see all traffic, which doesn't happen if you just connect it to the router. If you have an Ethernet connection your internet traffic goes through, you'll want to put a device in there that sends you a copy of all traffic (one simple and cheap option is a Netgear GS105E switch).
A few years ago many people understood that retroactive monitoring will not give you any security related benefit, as it is always too late when you get an alert.
Some of these interesting products then also put "intrusion prevention" into their product descriptions.
Ok, not to start an OS war, but I run pfSense, which has Snort (and IPS) and pretty much any other security tool you can imagine, and it's based on BSD rather than Linux, which has a history of being more secure.
Generally speaking, most systems are as secure as the intent to make them secure divided by the intent to make them not secure; there's no reason to believe BSD is an exception.
The best part of Security Onion 12.04 for me was the pre-built Snorby instance, which was pure hell to install manually due to all the old Ruby/Rails dependencies that it had.
Security Onion intrigued me a couple years back when I heard about it. I think it was on the Linux Action Show.
I have been using Alien Vault OSSIM (https://www.alienvault.com) for a few years and haven't seen any reason to switch. But this does look like a great project still.