University of Maryland Intrusion Detection Analytical Research Project
Added on 2022/10/12
AI Summary
This analytical research project focuses on intrusion detection technologies, specifically exploring Security Onion, a Network Intrusion Detection System (NIDS) tool. The paper delves into the functionalities, configuration, and usage of Security Onion, including its interfaces, data types, and tools such as Sguil and ELSA. It examines the tool's applicability in various scenarios and discusses its limitations. The research also addresses the importance of intrusion detection in securing networks, especially with the rise of web applications and critical online services. The project investigates research questions related to the tool's suitability for fulfilling NIST requirements, its optimality as a security solution, and its impact on improving organizational security. Furthermore, the project covers the configuration of Security Onion, including the management of logs and rules files, and its logging and monitoring capabilities. The paper concludes by providing an overview of the tool's use in network management, emphasizing its open-source nature and cost-effectiveness.
Running head: ANALYTICAL RESEARCH PROJECT BASED ON INTRUSION DETECTION TECHNOLOGY
Analytical Research Project based on Intrusion detection and/or prevention technology
Name of the Student
Name of the University
Author note
Executive Summary
This paper discusses the intrusion detection technologies and tools that companies and organizations use to detect intrusions within their networks. It focuses on Security Onion, a tool used across industries to monitor activity on their networks, and examines the strategies it implements, its functional applications and its limitations. The paper concludes with an overview of how the tool is used for network management.
Table of Contents
1. Introduction
2. Research Question
3. Background
4. Literature Review
4.1 Usage of Security Onion
4.2 Configuration of Security Onion
4.3 Logging and Monitoring
5. Usage Methods
5.1 Types of Data
5.2 Tools and Interfaces
6. Functional Applicability
7. Limitations of Security Onion
8. Conclusion
References
1. Introduction
With the rising number of web applications, there is a strong need for a high level of security within the networking environment. Such security gives users assurance about the critical functions they rely on, which include healthcare facilities, online banking services, remote management and various other cloud services (Bezborodov, 2016). In order to protect the data and privacy of users, the entire network, together with its applications, systems and internal data, needs to be protected at every stage from intrusion through to exploitation.
An Intrusion Detection System (IDS) is a tool that raises alerts and monitors all of the traffic present within a network. These tools implement anomaly-based, signature-based and machine learning methods to improve the process of detecting intrusions within the network (Hermanowski, 2015). The main kinds of IDS are the Network-based IDS (NIDS), which monitors the entire network, and the Host-based IDS (HIDS), which monitors the activity of a single host.
This paper provides an overview of Security Onion, a NIDS tool, and discusses its functionalities and abilities. It also covers its configuration, interfaces, data types and system management (Park & Ahn, 2017), and concludes by justifying the usefulness of the tool and its impact on the network in which it is deployed.
2. Research Question
2.1 Would the chosen intrusion detection tool and its deployment configuration fulfil the requirements set by NIST?
2.2 Why has Security Onion been chosen for deployment and configuration, and can it be considered an optimal solution?
2.3 Would the chosen security solution help in improving assurance and security within organizations after its deployment?
3. Background
Security Onion is an intrusion detection oriented platform built on Ubuntu. The tool can be deployed as a master server with multiple sensors, as a hybrid deployment, or as a standalone system, which makes it highly adaptable (Sakai et al., 2017). The data captured in the log files is stored in a Sguil database, which provides a user interface for performing analysis, preparing reports and managing the data.
Security Onion provides full packet capture using PF_RING, a high-speed packet capture framework that exposes its own type of network socket. The IDS tool is thus capable of operating at network speeds of 10 Gbit while performing many other functions (Devadas, van Dijk, Fletcher, Ren, Shi & Wichs, 2016). The toolkit also performs deep network analysis and provides zero-copy capture of traffic at full speed. Security Onion also makes use of the Passive Real-time Asset Detection System (PRADS) to detect the assets present within a network (Genge & Enăchescu, 2016). It also
makes use of the Audit Record Generation and Utilization System (ARGUS) and the HTTP Agent to audit and acquire records of the data transferred or communicated within a network. These components also improve the monitoring performance of the system as a whole.
The facilities supported by Security Onion include overall system management, which includes the SOSTAT module. This module reports system statistics and supports analysis, while the configuration and management of the servers and sensors that are part of the network are maintained (Heenan & Moradpoor, 2016). The IDS also uses SALT, a maintenance and management tool that allows tasks such as checking the status of services and configuring the sensors. Security Onion also provides a wide range of monitoring capability for the benefit of the analyst, which allows secure systems to gain more control over a network.
Thus, the primary aim of Security Onion is to support a centralised system for Network Security Monitoring by incorporating multiple detection methods, high-speed capture and analysis of the acquired data (Khan et al., 2014). The IDS is open source and is therefore cost-effective compared with the various alternatives. The interfaces and tools used by Security Onion support analysis of alert data, session data, network data and more (Trapero et al., 2017). Each of these functionalities further improves the capacity for monitoring a network.
However, certain considerations need to be assessed before deployment of the tool. These include the budget for the implementation process (Kim et al., 2017). Other considerations
include the capture speed, data storage and staff training (Sakai et al., 2016). Another important aspect is to permit separate ports for monitoring and for management, which allows traffic to be captured at full speed within a network.
4. Literature Review
4.1 Usage of Security Onion
Security Onion is used by different companies and organizations in order to detect any intrusion that might attack the network of the organization during data transmission or any other form of communication. The IDS tool includes traffic capture files, among them captures of honeypot, malware and botnet traffic.
4.2 Configuration of Security Onion
Security Onion can also be used to explore the detection and prevention mechanisms for different attacks on web-based applications. Different labs have tested the detection of several classes of vulnerability against a known vulnerable web-based application (Sergey, 2016). The vulnerabilities tested include Cross-Site Scripting (XSS), Operating System (OS) command injection and SQL injection.
The most important areas in the configuration process are the management of the log and rule files. The primary locations for the configuration files are “/etc/nsm” and “/opt/bro”. The internal system of Security Onion can be considered effective once the rules have been implemented (Park & Ahn, 2017). The most important files
present within Security Onion are “blacklist.rules”, “downloaded.rules”, “whitelist.rules” and “local.rules”. The log files include the DNS, DHCP, SNMP and SSL logs under “/nsm/bro/current”, which allow analysis of the captured traffic. The configuration can also be performed with the help of the provided interfaces such as Sguil, Snorby, ELSA and Squert.
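As an added example (not code from the paper or from the Security Onion project), the following Python checks the rule files named above, local.rules against downloaded.rules, for the mistakes that commonly make a rule set ineffective: rules that do not parse, lack a sid, reuse a sid, shadow a sid from the downloaded set, or use a sid below the range reserved for local rules. Both rule files and all sid values are constructed placeholders.

```python
import re

# Snort/Suricata convention: sids from 1,000,000 upwards are reserved for
# locally written rules, everything below belongs to vendor/community sets.
LOCAL_SID_MIN = 1_000_000

# Constructed local.rules; the sid values are placeholders for this example.
LOCAL_RULES = """\
# local.rules: constructed sample for this example (sid values are placeholders)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"LOCAL outbound telnet"; flow:to_server; sid:1000001; rev:1;)
# reuses the sid of the rule above
alert udp any any -> $HOME_NET 161 (msg:"LOCAL SNMP to internal host"; sid:1000001; rev:2;)
# sid below the range reserved for local rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"LOCAL RDP from outside"; sid:999999; rev:1;)
# sid that also appears in downloaded.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC client traffic"; sid:2990001; rev:1;)
# rule without a sid
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB from outside"; rev:1;)
# disabled rule: skipped, not checked
# alert tcp any any -> any any (msg:"LOCAL disabled"; sid:1000099; rev:1;)
# header is missing the destination port
alert tcp any any -> any (msg:"LOCAL broken header"; sid:1000100; rev:1;)
"""

# Constructed downloaded.rules with placeholder sids (not a real rule feed).
DOWNLOADED_RULES = """\
# downloaded.rules: constructed sample
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DOWNLOADED placeholder FTP rule"; sid:2990001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"DOWNLOADED placeholder SMTP rule"; sid:2990002; rev:1;)
"""

# Rule header: action proto src sport direction dst dport ( options )
_RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$")
_SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
_MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def parse_rules(text, filename):
    """Return (rules, errors); blank and '#'-commented (disabled) lines are skipped."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            errors.append({"file": filename, "line": lineno, "sid": None,
                           "problem": "unparseable rule"})
            continue
        opts = m.group("options")
        sid = _SID_RE.search(opts)
        msg = _MSG_RE.search(opts)
        rules.append({"file": filename, "line": lineno, "action": m.group("action"),
                      "proto": m.group("proto"),
                      "sid": int(sid.group(1)) if sid else None,
                      "msg": msg.group(1) if msg else ""})
    return rules, errors


def _finding(rule, problem):
    return {"file": rule["file"], "line": rule["line"], "sid": rule["sid"], "problem": problem}


def check_rules(local_text, downloaded_text):
    """Cross-check local.rules against downloaded.rules and return findings sorted by file and line."""
    local, findings = parse_rules(local_text, "local.rules")
    downloaded, dl_errors = parse_rules(downloaded_text, "downloaded.rules")
    findings.extend(dl_errors)
    downloaded_sids = {r["sid"] for r in downloaded if r["sid"] is not None}
    seen = {}  # sid -> first line in local.rules that used it
    for r in local:
        if r["sid"] is None:
            findings.append(_finding(r, "rule has no sid"))
            continue
        if r["sid"] in seen:
            findings.append(_finding(r, "sid already used on line %d of local.rules" % seen[r["sid"]]))
        seen.setdefault(r["sid"], r["line"])
        if r["sid"] in downloaded_sids:
            findings.append(_finding(r, "sid collides with a rule in downloaded.rules"))
        if r["sid"] < LOCAL_SID_MIN:
            findings.append(_finding(r, "sid below the local range (>= %d)" % LOCAL_SID_MIN))
    findings.sort(key=lambda f: (f["file"], f["line"]))
    return findings


if __name__ == "__main__":
    for f in check_rules(LOCAL_RULES, DOWNLOADED_RULES):
        print("%s:%d sid=%s %s" % (f["file"], f["line"], f["sid"], f["problem"]))
```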
4.3 Logging and Monitoring
Security Onion can be used to perform effective logging and monitoring of exploitation attempts within the network. The analysis and rule sets provided by Security Onion suggest an alerting, logging and monitoring framework that ensures requirements are properly met (Salahuddin et al., 2018). These requirements also need to comply with service levels, security and legislation. Based on the discussion of the authors, Security Onion can be considered a viable solution for organizations and individuals that do not have a large budget (Caliskan et al., 2017). It thus highlights the considerable power and benefit provided to security analysts performing analysis over the entire traffic of the network.
5. Usage Methods
Security Onion can be deployed and used in different configurations. The IDS tool can be deployed as a standalone system, in which the Sensor and Server components are built in on one machine (Chong et al., 2016). It can also be deployed as a master server with multiple distributed sensors across the network being monitored, or in a hybrid form.
The setup wizard supports two options during the Security Onion setup procedure: Quick and Advanced. The advanced mode is mostly used when a complex deployment is set up, such as a master server with multiple sensors. The advanced installation also provides a choice of IDS engine, configuration of the interfaces and rule sets, and a choice of which tools to enable or disable.
5.1 Types of Data
The full packet capture provided by Security Onion allows the different kinds of data that are needed to be acquired. Alert data is generated by the HIDS and NIDS sensors (Rehman et al., 2016), and PRADS and Bro are further sources of alert data. Session data is derived from the PRADS, Argus and Bro logs, and transaction data is derived from the processing of protocol-specific data.
5.2 Tools and Interfaces
Sguil is an analysis tool with a backend powered by an SQL database and a GUI frontend for analysing the data stored within it. Sguil also provides access to events, generated alerts and packet data, which can be viewed in ASCII or hex (Hurd & McCarty, 2017). The data can also be exported for further analysis in tools such as NetworkMiner, Wireshark or Xplico. Sguil can also generate a transcript for an alert by reassembling the packet stream, which supports a high level of analysis. The database can be managed from the command line with commands such as sguil-db-purge.
ELSA, on the other hand, provides a user interface for analysing and filtering the traffic within the network. Filtering can be performed by IP address, port, connection, service, duration and various other fields. It also provides access to session, transaction and alert data, which can be searched using queries over the Bro logs. ELSA can also generate statistical data giving an overview of the performance of the network being monitored.
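As an added example (not code from the paper, from ELSA or from the Security Onion project), the following Python parses a Bro conn.log in the tab-separated layout written under /nsm/bro/current, applies the host, port, service and duration filters the text attributes to ELSA, and summarises the sessions in the way the statistics section of the text describes. The log contents are constructed (RFC 5737 documentation addresses), and the half-open connection check at the end is an addition showing how the session data feeds a simple detection.

```python
from collections import Counter, defaultdict

# Constructed sample in the conn.log layout found under /nsm/bro/current.
# Columns follow the '#fields' line; '-' marks an unset field (no service
# identified, or no duration for a connection that never completed).
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ["#separator \\x09"],
    ["#unset_field", "-"],
    ["#path", "conn"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "enum",
     "string", "interval", "count", "count", "string"],
    ["1551693600.000000", "CX1aaa", "192.0.2.10", "51234", "198.51.100.5", "80",
     "tcp", "http", "0.512", "320", "1450", "SF"],
    ["1551693601.250000", "CX2bbb", "192.0.2.10", "51235", "198.51.100.5", "443",
     "tcp", "ssl", "12.75", "2048", "8192", "SF"],
    ["1551693602.000000", "CX3ccc", "192.0.2.11", "40001", "198.51.100.53", "53",
     "udp", "dns", "0.012", "64", "128", "SF"],
    ["1551693603.500000", "CX4ddd", "203.0.113.7", "33333", "192.0.2.10", "22",
     "tcp", "-", "-", "-", "-", "S0"],
    ["1551693604.000000", "CX5eee", "203.0.113.7", "33334", "192.0.2.10", "3389",
     "tcp", "-", "-", "-", "-", "REJ"],
    ["1551693605.000000", "CX6fff", "203.0.113.7", "33335", "192.0.2.10", "445",
     "tcp", "-", "-", "-", "-", "S0"],
    ["#close", "2019-03-04-10-05-00"],
])

# Bro column types that carry numbers; every other type stays a string.
_NUMERIC = {"time": float, "interval": float, "port": int, "count": int}

# conn_state values for attempts that never became an established session
# (S0: SYN with no reply, REJ: rejected, the rest: reset or closed during setup).
FAILED_STATES = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR"}


def parse_conn_log(text):
    """Return one dict per record, keyed by the '#fields' names and typed by '#types'."""
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#types":
                types = rest.split("\t")
            continue  # #separator, #path, #open and #close carry no records
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("record has %d columns, header declares %d"
                             % (len(values), len(fields)))
        if len(types) != len(fields):
            types = ["string"] * len(fields)  # untyped file: keep strings
        rec = {}
        for name, typ, raw in zip(fields, types, values):
            rec[name] = None if raw == "-" else _NUMERIC.get(typ, str)(raw)
        records.append(rec)
    return records


def filter_sessions(records, host=None, port=None, service=None, min_duration=None):
    """ELSA-style session filter; host and port match either end of the connection."""
    out = []
    for r in records:
        if host and host not in (r["id.orig_h"], r["id.resp_h"]):
            continue
        if port is not None and port not in (r["id.orig_p"], r["id.resp_p"]):
            continue
        if service and r["service"] != service:
            continue
        if min_duration is not None and (r["duration"] is None or r["duration"] < min_duration):
            continue
        out.append(r)
    return out


def session_summary(records, scan_threshold=3):
    """Per-service counts, bytes per direction, and originators whose connection
    attempts to at least scan_threshold distinct ports never established."""
    per_service = Counter()
    orig_bytes = resp_bytes = 0
    failed_ports = defaultdict(set)
    for r in records:
        per_service[r["service"] or "unknown"] += 1
        orig_bytes += r["orig_bytes"] or 0
        resp_bytes += r["resp_bytes"] or 0
        if r["conn_state"] in FAILED_STATES:
            failed_ports[r["id.orig_h"]].add(r["id.resp_p"])
    suspects = sorted(h for h, ports in failed_ports.items() if len(ports) >= scan_threshold)
    return {"per_service": dict(per_service), "orig_bytes": orig_bytes,
            "resp_bytes": resp_bytes, "possible_scanners": suspects}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for r in filter_sessions(recs, host="192.0.2.10", min_duration=1.0):
        print(r["uid"], r["service"], r["duration"])
    print(session_summary(recs))
```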
Snorby is a user interface within Security Onion that is primarily written in Ruby. Its front end provides access to the captured data and to the alerts logged by the Suricata or Snort IDS. It also provides the ability to analyse, filter and report on the logged data. Squert is also a front-end GUI that grants access to, and analysis of, the data stored within the Sguil database. Events can be accessed and the packet data viewed or exported to various other tools.
6. Functional Applicability
The core functionality of Security Onion is based on the following aspects:
1. Full Packet Capture – This functionality performs network sniffing to capture all of the network traffic visible to Security Onion. It then stores the data for as long as the available storage permits. It thus acts as a real-time camera
monitoring the network. It also provides evidence of any malicious activity or threat occurring within the network.
2. Host-based and network-based IDS – These analyse activity on the network or on host systems, and produce alert and log data for detected events and activity (Ghafghazi et al., 2016). Security Onion therefore offers a range of IDS options: analysis-driven IDS, HIDS and rule-based IDS.
3. Tools for analysis – Security Onion comprises tools such as ELSA, Squert and Sguil that assist administrators in performing analysis (Imran, Aljawarneh & Sakib, 2016). The tool can also be prepared for live deployment in several ways: server-sensor, regular standalone and hybrid monitoring.
7. Limitations of Security Onion
The limitations of Security Onion identified after analysing the monitoring capacity of this intrusion detection tool are:
1. There is no GUI for rule manipulation.
2. When a large number of packets must be processed, processing power is reduced, which causes problems at peak times.
3. The tool cannot detect a signature that is split across multiple TCP packets. This occurs when the packets are configured in inline mode.
4. The analysis of Security Onion indicates that it only works over wireless networks.
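To make the full packet capture function above concrete, the following is an added example (not code from Security Onion or from this paper): a small Python reader for the classic libpcap file format that groups captured packets by connection, which is the pivot an analyst makes from a Sguil or ELSA alert (IP address, port, time) back to the packet data that serves as evidence. The capture it reads is constructed inside the script; the MAC addresses, IP addresses, ports and payloads are sample values, and checksums are left at zero because nothing here validates them.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # native-order magic of the classic libpcap format
LINKTYPE_ETHERNET = 1

def build_frame(src_ip, dst_ip, sport, dport, payload, proto=6):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed sample; checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:   # TCP: 20-byte header, PSH|ACK flags
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP: 8-byte header carrying its own length
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload

def build_pcap(frames):
    """Serialise frames into a little-endian pcap file image (constructed, not a real capture)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (timestamp, frame) per record; the magic number reveals the writer's byte order."""
    if len(data) < 24:
        raise ValueError("not a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    network = struct.unpack(endian + "I", data[20:24])[0]
    if network != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                         # truncated record: stop rather than misparse
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame

def decode_frame(frame):
    """Return (proto, src, sport, dst, dport, payload) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4
        return ("tcp", src, sport, dst, dport, l4[hdr_len:])
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("udp", src, sport, dst, dport, l4[8:])
    return None

def index_flows(data):
    """Group payloads by bidirectional flow so an alert's (IP, port) pair leads straight to its packets."""
    flows = {}
    for ts, frame in parse_pcap(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        proto, src, sport, dst, dport, payload = decoded
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)   # same key for both directions
        flows.setdefault(key, []).append((ts, src, sport, payload))
    return flows

def sample_capture():
    """Constructed three-packet capture: one HTTP request/response pair and one DNS query."""
    return build_pcap([
        build_frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_frame("10.0.0.5", "10.0.0.53", 5353, 53, b"\x12\x34\x01\x00", proto=17),
    ])

if __name__ == "__main__":
    for key, packets in index_flows(sample_capture()).items():
        print(key, [(src, sport, len(p)) for _, src, sport, p in packets])
```

The flow key is order-independent, so both directions of the HTTP exchange land in one bucket; that is what lets an analyst retrieve the request and the response together from a single alert. The reader stops on a truncated record instead of guessing, which is the right behaviour for capture files cut off by disk limits.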
5. The functionality of Security Onion is limited to medium- and low-level administration. It also does not fully comply with the purpose of detecting every kind of wireless attack.
6. Community support and documentation practice are lacking in comparison with other systems.
8. Conclusion
This paper focused on the studies performed by different authors about the use of Security Onion as an intrusion detection tool. It provided a brief overview of the tool and discussed the functional applicability and the limitations present within the system. The features offered by Security Onion support the conclusion that this tool supports internal processes by giving a brief of the system and its internal functioning. Its full packet capture capability also provides powerful analysis, network monitoring, and management of intrusions affecting the network settings. The tool also allows centralized management of alerts and logs. Thus, from the discussion, it can be concluded that Security Onion is an open-source, Linux-based tool that presents various opportunities. It is scalable, configurable and adaptable to meet the expectations of companies and organizations for preventing a vast range of intrusions.
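Limitation 3 above describes a detection signature that a per-packet matcher misses because the matching bytes are spread over two TCP segments. The following added Python example (not Security Onion's code, and not taken from any of the cited works) reproduces that failure mode on a constructed two-segment request and shows the stream reassembly step that restores the match, including the handling of a retransmitted segment and of a gap in the stream. The content string and the sequence numbers are sample values chosen for illustration.

```python
# Constructed content signature, in the spirit of a Snort/Suricata "content:" option
# (assumption for illustration, not a rule shipped with Security Onion).
SIGNATURE = b"/etc/passwd"

def match_per_packet(segments):
    """Naive matcher: inspects each TCP segment payload in isolation.
    Returns the indexes of segments that contain the whole signature."""
    return [i for i, (_seq, payload) in enumerate(segments) if SIGNATURE in payload]

def reassemble(segments):
    """Rebuild the byte stream from (seq, payload) segments: sort by sequence number,
    trim retransmitted overlap, and refuse to continue across a gap."""
    data = b""
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        chunk = payload[expected - seq:]     # drop bytes already seen (retransmission)
        data += chunk
        expected += len(chunk)
    return data

def stream_has_gap(segments):
    """True when the segments cannot be reassembled into a contiguous stream."""
    try:
        reassemble(segments)
    except ValueError:
        return True
    return False

def match_stream(segments):
    """Match the signature against the reassembled stream; returns the byte offset or -1."""
    return reassemble(segments).find(SIGNATURE)

def sample_segments():
    """Constructed request whose signature bytes straddle two segments, delivered out of order."""
    request = b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
    cut = request.index(b"/etc") + 4          # split between "/etc" and "/passwd"
    first = (1000, request[:cut])
    second = (1000 + cut, request[cut:])
    return [second, first]

def sample_with_retransmit():
    """Same stream with the first segment retransmitted (overlap must not duplicate bytes)."""
    second, first = sample_segments()
    return [second, first, first]

if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(sample_segments()))   # nothing found
    print("stream offset:  ", match_stream(sample_segments()))        # signature found
```

The per-packet matcher returns no hit because neither segment holds the complete signature, while the reassembled stream locates it; a stream-aware IDS only gains this by buffering segments per connection, which is exactly the extra memory and processing cost that limitation 2 points at under peak load.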
References
Bezborodov, S. (2016). Intrusion Detection Systems and Intrusion Prevention System with Snort
provided by Security Onion.
Caliskan, E., Tatar, U., Bahsi, H., Ottis, R., & Vaarandi, R. (2017). Capability Detection and
Evaluation Metrics for Cyber Security lab Exercises. In ICMLG 2017 5th International
Conference on Management Leadership and Governance (p. 407). Academic
Conferences and Publishing Limited.
Chong, S., Guttman, J., Datta, A., Myers, A., Pierce, B., Schaumont, P., ... & Zeldovich, N.
(2016). Report on the NSF workshop on formal methods for security. arXiv preprint
arXiv:1608.00678.
Devadas, S., van Dijk, M., Fletcher, C. W., Ren, L., Shi, E., & Wichs, D. (2016, January). Onion
ORAM: A constant bandwidth blowup oblivious RAM. In Theory of Cryptography
Conference (pp. 145-174). Springer, Berlin, Heidelberg.
Genge, B., & Enăchescu, C. (2016). ShoVAT: Shodan‐based vulnerability assessment tool for
Internet‐facing services. Security and communication networks, 9(15), 2696-2714.
Ghafghazi, H., El Mougy, A., Mouftah, H. T., & Adams, C. (2016). Security and Privacy in
LTE-based Public Safety Network. In Wireless Public Safety Networks 2 (pp. 317-364).
Elsevier.
Heenan, R., & Moradpoor, N. (2016, May). Introduction to Security Onion. In PGCS 2016: the
first post graduate cyber security symposium. The Cyber Academy, Edinburgh Napier
University. 10th May.
Hermanowski, D. (2015, June). Open source security information management system
supporting IT security audit. In 2015 IEEE 2nd International Conference on Cybernetics
(CYBCONF) (pp. 336-341). IEEE.
Hurd, C. M., & McCarty, M. V. (2017). A survey of security tools for the industrial control
system environment (No. INL/EXT-17-42229). Idaho National Lab. (INL), Idaho Falls, ID
(United States).
Imran, A., Aljawarneh, S., & Sakib, K. (2016). Web Data Amalgamation for Security
Engineering: Digital Forensic Investigation of Open Source Cloud. J. UCS, 22(4), 494-
520.
Khan, Z., Pervez, Z., & Ghafoor, A. (2014, December). Towards cloud based smart cities data
security and privacy management. In 2014 IEEE/ACM 7th International Conference on
Utility and Cloud Computing (pp. 806-811). IEEE.
Kim, S., Han, J., Ha, J., Kim, T., & Han, D. (2017). Enhancing security and privacy of Tor's
ecosystem by using trusted execution environments. In 14th USENIX Symposium on
Networked Systems Design and Implementation (NSDI 17) (pp. 145-161).
Park, W., & Ahn, S. (2017). Performance comparison and detection analysis in snort and suricata
environment. Wireless Personal Communications, 94(2), 241-252.
Rehman, S. U., Khan, I. U., Moiz, M., & Hasan, S. (2016). Security and privacy issues in
IoT. International journal of communication networks and information security, 8(3),
147.
Sakai, K., Sun, M. T., Ku, W. S., Wu, J., & Alanazi, F. S. (2016, June). An analysis of onion-
based anonymous routing for delay tolerant networks. In 2016 IEEE 36th International
Conference on Distributed Computing Systems (ICDCS) (pp. 609-618). IEEE.
Sakai, K., Sun, M. T., Ku, W. S., Wu, J., & Alanazi, F. S. (2017). Performance and security
analyses of onion-based anonymous routing for delay tolerant networks. IEEE
Transactions on Mobile Computing, 16(12), 3473-3487.
Salahuddin, M. A., Al-Fuqaha, A., Guizani, M., Shuaib, K., & Sallabi, F. (2018). Softwarization
of internet of things infrastructure for secure and smart healthcare. arXiv preprint
arXiv:1805.11011.
Sergey, B. (2016). Intrusion Detection System and Intrusion Prevention System with Snort
provided by Security Onion. Information Technology, University of Applied Sciences.
Trapero, R., Modic, J., Stopar, M., Taha, A., & Suri, N. (2017). A novel approach to manage
cloud security SLA incidents. Future Generation Computer Systems, 72, 193-205.