After getting vague alerts from our DoS protection company, one of the network engineers and I decided we needed to gain more visibility into the network. We want to better understand these events and decide whether or not they are truly incidents. Further, after we get notification of an event, we want to be able to find the traffic and study it. Enter Security Onion. This tool is awesome, as we can run Snort, send the output to Snorby, and capture the packet data as well. We're pretty sure we have a box capable of running Security Onion; it's more a matter of how much data we want to keep. Right now, we have a 1+ terabyte drive doing the heavy lifting. We're just barely making it before the purge job runs.
Our first shot at getting it up and running was fairly successful. Data is flowing, we saw some alerts. Next on the agenda was to start tuning it such that we are not drinking from the fire hose.
And now we've broken Security Onion. We're not sure where yet. Events are coming in. Our sensor NIC has packets traversing it. However, nothing is showing up in Snorby. So, on to more troubleshooting. Fortunately, this Security Onion server is not production-ready. We knew going in that we would have much tuning to do before we could truly rely on its output in a production environment. The next step is to figure out what broke and see what we can get back.