I'm sorting through a few IDS issues, but I've finally had enough downtime to build a Security Onion instance, and I'm looking forward to learning more about Snort/Suricata, Bro, and Kibana on it.
I'd initially tried running it on a Udoo x86 SoC device that I'd Kickstarted, but it was woefully underpowered for everything I needed to run, so I decided to start over.
Specs
Gigabyte Brix
I'm a big fan of small form factor PCs for labs because of their size and noise profile. They're lower powered, which is why they're quieter, and that's fine for a home lab.
- 16 GB (2 x 8 GB) of Hynix DDR3L SODIMM
- 250 GB Samsung 860 Evo SSD
- USB 3.0 Gigabit Ethernet adapter for packet capture
- Netgear GS110TP 8-port gigabit switch providing the SPAN (mirror) port
The only issue I'm having is that Secure Boot causes Snort/Suricata to fail because the PF_RING kernel module isn't signed (more info). I will eventually need to disable it in the BIOS/UEFI menu.
Findings/next steps
1. I need to learn to use Docker more.
2. Pipe Security Onion / Bro / Snort alerts to my Splunk instance.
3. IoT is really crap at managing SSL certs. A lot of devices like Canary and Rokus phone home to a location that does not have a correctly signed SSL/TLS cert. Just a subset below:
- CN=digdug.data.roku.com,O=Roku\, Inc.,L=Los Gatos,ST=California,C=US SSL certificate validation failed with (self signed certificate in certificate chain)
- CN=scribe.logs.roku.com,O=Roku\, Inc.,L=Los Gatos,ST=California,C=US SSL certificate validation failed with (unable to get local issuer certificate)
- CN=*.canaryis.com,OU=Server,O=Canary Connect\, Inc.,L=New York,ST=New York,C=US SSL certificate validation failed with (self signed certificate in certificate chain)
- CN=wdcp.microsoft.com,OU=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US SSL certificate validation failed with (unable to get local issuer certificate)
- CN=configsvc.cs.roku.com,O=Roku Inc.,L=Los Gatos,ST=California,C=US SSL certificate validation failed with (self signed certificate in certificate chain)
- CN=*.delivery.mp.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US SSL certificate validation failed with (unable to get local issuer certificate)
- CN=fe2.update.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US SSL certificate validation failed with (unable to get local issuer certificate)
4. I really need to write up a post on the lab.
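The cert failures listed under item 3 look like Bro's SSL::Invalid_Server_Cert notices: the server certificate's subject DN followed by "SSL certificate validation failed with (reason)", where the reason is OpenSSL's verify result. The two reasons that appear mean different things, and that matters before blaming a vendor: "self signed certificate in certificate chain" means the chain ends at a root the sensor's CA bundle does not contain (a vendor running its own private PKI for device telemetry looks exactly like this), while "unable to get local issuer certificate" means an issuer in the chain could not be found, either because the server did not send its intermediate or because the sensor's bundle lacks the root. Checking the sensor's CA bundle and the chain the server actually serves separates "vendor uses a private CA" from "sensor is missing a public one". The script below is an added example, not code from the post or from Security Onion: it parses notice lines in that format (the subject DN has RFC 4514-style `\,` escapes that a naive split on commas gets wrong) and groups the failing CNs by vendor domain and reason. The seven sample lines are the ones from the post; the regex, the two-label domain grouping heuristic and the reason descriptions are my assumptions.

```python
"""Group Bro-style "SSL certificate validation failed" notices by vendor and reason.

Added example for this post; the notice format, regex and grouping heuristic
are assumptions, not Security Onion's own code.
"""
import re
from collections import defaultdict

# Sample input: the seven notices from the post (a constructed list,
# not a notice.log export).
SAMPLE_NOTICES = [
    r"CN=digdug.data.roku.com,O=Roku\, Inc.,L=Los Gatos,ST=California,C=US SSL certificate validation failed with (self signed certificate in certificate chain)",
    r"CN=scribe.logs.roku.com,O=Roku\, Inc.,L=Los Gatos,ST=California,C=US SSL certificate validation failed with (unable to get local issuer certificate)",
    r"CN=*.canaryis.com,OU=Server,O=Canary Connect\, Inc.,L=New York,ST=New York,C=US SSL certificate validation failed with (self signed certificate in certificate chain)",
    r"CN=wdcp.microsoft.com,OU=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US SSL certificate validation failed with (unable to get local issuer certificate)",
    r"CN=configsvc.cs.roku.com,O=Roku Inc.,L=Los Gatos,ST=California,C=US SSL certificate validation failed with (self signed certificate in certificate chain)",
    r"CN=*.delivery.mp.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US SSL certificate validation failed with (unable to get local issuer certificate)",
    r"CN=fe2.update.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US SSL certificate validation failed with (unable to get local issuer certificate)",
]

# Assumed line shape: "<subject DN> SSL certificate validation failed with (<reason>)"
NOTICE_RE = re.compile(
    r"^(?P<subject>.+?) SSL certificate validation failed with \((?P<reason>[^)]+)\)$"
)

# What each OpenSSL verify result says about the chain (my wording).
REASON_MEANING = {
    "self signed certificate in certificate chain":
        "chain ends at a root the sensor does not trust (often a vendor-private CA)",
    "unable to get local issuer certificate":
        "an issuer is missing: not served by the host or not in the sensor's CA bundle",
}


def split_dn(dn):
    """Split a DN on unescaped commas, turning '\\,' back into ','.

    Returns {attribute: value}; a repeated attribute keeps its last value.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, keep it literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    out = {}
    for part in parts:
        key, _, value = part.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_notice(line):
    """Return (subject dict, reason) for one notice line, or None if it does not match."""
    m = NOTICE_RE.match(line.strip())
    if not m:
        return None
    return split_dn(m.group("subject")), m.group("reason")


def registered_domain(cn):
    """Crude vendor grouping: last two labels of the CN, wildcard stripped."""
    labels = cn.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def summarize(lines):
    """Return {vendor domain: {reason: [cn, ...]}} for all lines that parse."""
    summary = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parsed = parse_notice(line)
        if parsed is None:
            continue  # skip anything that is not an Invalid_Server_Cert message
        subject, reason = parsed
        cn = subject.get("CN", "<no CN>")
        summary[registered_domain(cn)][reason].append(cn)
    return {domain: dict(reasons) for domain, reasons in summary.items()}


if __name__ == "__main__":
    for domain, reasons in sorted(summarize(SAMPLE_NOTICES).items()):
        for reason, cns in reasons.items():
            print(f"{domain}: {len(cns)} x '{reason}'")
            print(f"    => {REASON_MEANING.get(reason, 'unrecognised verify result')}")
            for cn in cns:
                print(f"    {cn}")
```

Run against the post's list this separates the two Roku buckets (two CNs under a root the sensor does not have, one missing an issuer) from the three Microsoft endpoints, which all fail only on a missing local issuer; that second group is the one to re-check after adding the relevant CA to the sensor's bundle before filing it under "IoT can't do certs".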