Security Onion 1.0 for Splunk

Today I give you version 1.0 of the Security Onion app for Splunk. While previous releases aimed at core functionality and essentially getting the data in with rather minimalistic views, version 1.0 brings a bit of a overhaul to several dashboards and welcomes Splunk Visualizations to the party.

For starters Overview now shows Sguil events by classification. The Overview dashboard is intended to be a quick pulse check of the environment and in this case I think leveraging classifications provides a cleaner heartbeat, so to speak.

Squil events by name has moved to the Monitors dashboard and in further effort to reduce clutter, I’ve excluded OSSEC and misc-activity classified events.

The Mining dashboards are where the major overhauls have occurred. The General Mining dashboard now contains a couple drop down lists to provide greater access with fewer concurrent searches. HTTP and SMTP filename searches have been consolidated as well.

But where things start to get cool is the Interesting URI Values panel:

The drop down list allows you to search Bro HTTP detected URI values for matching regex values. Due to the transitory nature of URI values in attacks, I’ve setup the drop down list to populate via an external lookup from a .csv file. The file is located at

/opt/splunk/etc/apps/securityonion/lookups/mining_uri_values.csv

and contains two fields: value and label, where value is a regex value that will be
searched for in URIs and label is the name you want to appear in the drop down.

The idea is to enable users to perform historical searching against newer active malicious URIs to identify potential victims retroactively or find similar patterns. I’ll likely be posting an updated copy of the file periodically as well, so suggestions for additions are welcome.

HTTP and SMTP Mining also get a lot cleaner in this release, going from a multiple panel view to a drop down list with table view of events and a time chart. HTTP Mining:

and SMTP Mining:

Last but not least, the previous incarnation of SOstat is now broken up into two views: SOstat Security Onion, for service status and Snort/Snorby details, and SOstat *nix, for details about the system (top, ifconfig, NSM log archive listing, etc). I’ve also added (as a proof of concept and because it’s really cool) a Security Onion Data Flow view that leverages the Splunk Visualizations app. I hope to do more with this in the future as I think it has a lot of potential, especially for visualizing replayed events or monitoring a host in real time.

For more details on the Splunk Visualization app and a video demo, check out http://metasplunk.com/projects/particle. It does require an Adobe Flash upgrade on a Security Onion build (achieved easily via Ubuntu Software Center) and can be browser intensive, so be warned.

I hope you enjoy the changes and wish you good luck finding evil!

DC404 Slides

Last Saturday DC404 in Atlanta hosted Doug Burks presenting Security Onion and myself presenting the Security Onion Splunk app. I had a great time meeting Doug and the members of DC404, all of whom impressed on every level. The class and quality of people I continue to encounter in this field on the open source ranges is unmatched.

For the DC404 members who couldn’t make it, I give you slides: DC404 – Splunkin the Onion.

Special thanks to Beth and Taylor for the invite!