Module 26 Evaluating Alerts Flashcards
What is a security onion?
Open-source suite that provides three core functions: full packet capture and data types, network-based and host-based intrusion detection systems, and alert analyst tools.
What are some of the collecting tools for the Security Onion?
CapME, Snort, Zeek, OSSEC, Wazuh and Suricata - all tools for collecting alert data
What are our analysis tools?
Sguil, Kibana, Wireshark and Zeek
What is Sguil?
High-level console for investigating security alerts from different sources.
What is Kibana?
Interactive dashboard - it allows querying of NSM data and provides visualizations of that data
What is wireshark?
Packet capture application
What is zeek?
Network traffic analyzer that serves as a security monitor. Inspects all traffic on a network segment and enables in-depth analysis of that data.
What types of information does a security alert generate? What are the five tuples of information?
Src IP, SPort, DstIP, DPort, and PR
Sguil is an app that reads the alerts and compiles them into readable info. What are the six fields?
ST, CNT and Sensor. ST is the status of the event, color-coded by four priority levels, with colors ranging from yellow to red.
What is CNT within Sguil?
Count of the number of times the event has been detected for the same source and destination IP.
What is sensor?
This is the agent reporting the event
Within Sguil - what is the alert column?
Alert-ID - the sensor that has reported the problem and the event number
Within Sguil - what is the date/time?
This is the timestamp for the event.
Within Sguil - what is the event message?
This is the identifying text for the event
Alerts in the form of NIDS come from what sources?
Snort, Zeek and Suricata
Alerts in the form of HIDS come from where?
OSSEC and Wazuh
Alerts from DNS, HTTP and TCP come from where?
Zeek and pcaps
Alerts from asset management and monitoring?
PADS
What is the structure of a snort rule?
Two sections, rule header and rule options
Explain the rule header of a snort rule
Contains the action to be taken, source and destination address and port, direction of traffic flow
Explain the rule options field
Includes message to be displayed, alert type, source ID and details such as references for the rule or vuln
Explain the rule location?
Added by Sguil to indicate the location of the rule in the Security Onion file structure
What are the three common sources for snort rules?
GPL, ET and VRT. GPL rules are older rules. ET Snort rules are from Emerging Threats. VRT rules are immediately available rules.
Explain the rule option field - the structure
msg, content, reference, classtype, sid and rev
Rule option field - what is the msg portion?
Text that describes the alert
Rule option field - what is the content portion?
Refers to the content of the packet.
Rule option field - what is the reference portion?
Link to a URL that provides more information on the rule
Rule option field - what is the classtype portion?
Category for the attack
Rule option field - what is the sid portion?
Unique numeric identifier for the rule
Rule option field - what is the rev portion?
revision of the rule
Evaluating alerts - what is a true positive and a false positive?
True positive - an actual incident. False positive - does not indicate a security incident; it is benign activity
If an alert is not generated, we have what?
True negative - no security incident or a false negative - an undetected incident has occurred
Deterministic Analysis and Probabilistic Analysis
Probabilistic - statistical techniques are used to determine the probability that a successful exploit will occur. Deterministic - for an exploit to be successful, all of the information needed to accomplish the exploit is assumed to be known