Network Security Monitoring (NSM)
is the collection, detection and analysis of network security data.
Most NSM effort is dedicated to detection (Detect) so that the organization can respond (Respond) more effectively.
An example of an NSM platform is Security Onion.
Security Onion is a Linux distribution specialized in network security monitoring and intrusion detection. It simplifies the whole monitoring setup with an Ubuntu-based distro that you can start using in just a few steps.
It comes with many valuable security tools to monitor your network in real time or to perform analysis on pcap files and/or system logs.
Here are tools you will find on Security Onion:
- Reassembler
- tcpdump
- OSSEC (host-based IDS)
- hunt
- Squert
- Xplico
- tshark
- Bro
- dsniff
- ELSA
- tcpxtract
- ngrep
- Snort (IDS/IPS)
- sslsniff
- Snorby
- tcpstat
- Wireshark
- Suricata
- mergecap
- sguil
- tcpslice
- ssldump
- barnyard2
- driftnet
- p0f
- tcpreplay
- NetworkMiner
- u2boat
- netsniff-ng
- Sniffit
- scapy
- Argus
- u2spewfoo
- tcpick
- chaosreader
- Daemonlogger
- netsed
- labrea
- hping
Snort is a Network Intrusion Detection System (NIDS). It sniffs network traffic, matches it against a set of signature rules and generates IDS alerts.
Suricata is a free and open-source, mature, fast and robust network threat detection engine. It inspects network traffic using a powerful and extensive rule and signature language (largely compatible with Snort's), and has Lua scripting support for detecting complex threats.
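To make the "rules and signature language" concrete, here is an added example (not Snort's or Suricata's own code) of how a signature IDS evaluates rules: it parses a few rules written in Snort/Suricata syntax (header: action, protocol, source and destination address and port; options: msg, content, sid) and runs them over constructed packets. The rules, sids (in the local 1000000+ range) and packets are all made up for this illustration, and the matcher supports only a small subset of the real option language.

```python
"""Signature matching in the style of Snort/Suricata rules (added illustration, not Snort's code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rules in Snort/Suricata syntax. The sids are hypothetical local-range
# values and do not come from any published ruleset.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"Example web shell probe"; content:"/cmd.php?"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 22 (msg:"Example SSH client banner"; content:"SSH-2.0"; sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"Example DNS to any resolver"; sid:1000003; rev:1;)',
    'alert tcp 10.0.0.0/8 1024: -> any 443 (msg:"Example outbound TLS from inside"; sid:1000004; rev:1;)',
]

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: Optional[bytes]
    sid: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Parse the rule header and the options used here (msg, content, sid).
    Toy limitations: no |hex| content escapes, no ';' inside quoted strings,
    no nocase/offset/depth/pcre modifiers, no bidirectional '<>' operator."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key] = val.strip().strip('"')
    content = opts.get("content")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), content.encode() if content is not None else None,
                int(opts["sid"]))


def _addr_ok(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    # a bare address becomes a /32 network, so this covers both "192.0.2.10" and "10.0.0.0/8"
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_ok(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    if ":" in pattern:                      # Snort range syntax: "1024:", ":1023", "80:90"
        lo, _, hi = pattern.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(pattern) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)):
        return False
    if not (_addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    # content: substring search over the payload, the core of signature-based detection
    return rule.content is None or rule.content in pkt.payload


def run_ids(packets: List[Packet], rules: List[str] = SAMPLE_RULES) -> List[Tuple[int, str, str, str]]:
    """Return (sid, msg, src, dst) for every alert rule that fires on each packet."""
    parsed = [parse_rule(r) for r in rules]
    return [(r.sid, r.msg, p.src, p.dst) for p in packets for r in parsed
            if r.action == "alert" and rule_matches(r, p)]


# Constructed sample traffic: the third packet carries the web-shell string but goes to
# port 8080, so the port constraint in the rule header keeps it from alerting.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 51234, "192.0.2.10", 80, b"GET /uploads/cmd.php?c=id HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 51235, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 51236, "192.0.2.10", 8080, b"GET /uploads/cmd.php?c=id HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.7", 40000, "192.0.2.20", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet("udp", "10.0.0.7", 53000, "192.0.2.53", 53, b"\x12\x34\x01\x00\x00\x01"),
    Packet("tcp", "10.0.0.5", 51300, "198.51.100.4", 443, b"\x16\x03\x01\x00\xc8"),
]

if __name__ == "__main__":
    for sid, msg, src, dst in run_ids(SAMPLE_PACKETS):
        print(f"[{sid}] {msg}: {src} -> {dst}")
```

Running it alerts on four of the six packets; the point to notice is that the header (protocol, addresses, ports) is evaluated before the payload content, which is also how the real engines avoid running expensive content matches on traffic a rule does not apply to.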
Bro (renamed Zeek in 2018) is a powerful network analysis framework that is quite different from the typical IDS. While it focuses on network security monitoring, Bro also provides a comprehensive platform for more general network traffic analysis.
Bro monitors your network traffic and writes what it sees into protocol-specific logs (conn.log, dns.log, http.log and so on) rather than alerts.
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing. Its performance gain comes from zero-copy mechanisms: on packet reception and transmission the kernel does not need to copy packets between kernel space and user space.
OSSEC is a host-based IDS that watches it all, actively monitoring all aspects of system activity with file integrity monitoring, log monitoring, rootcheck and process monitoring.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
Autoruns: this utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system boot or login, and when you start various built-in Windows applications such as Internet Explorer, Explorer and media players.
syslog-ng allows you to flexibly collect, parse, classify, and correlate logs from across your infrastructure and store or route them to log analysis tools.
In the layered diagram of these tools, the bottom row is dedicated to the collection and production of raw NSM data.
The middle row is associated with the optimization and maintenance of that data. For example, Bro, OSSEC and syslog-ng all produce flat files with one log entry per line; the ELSA system takes this raw data and organizes it into a relational MySQL database, using high-performance Sphinx indexing.
The tools in the top row are responsible for presenting the data to the analyst.
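The "flat file, one entry per line" format that Bro writes and that the middle-row tools must parse is worth seeing. Below is an added example (not Zeek's or ELSA's code) that parses a Bro/Zeek conn.log, including the `#fields` and `#types` header lines that make the file self-describing, into typed records, and then runs one simple check over them: hosts whose TCP connection attempts to many distinct ports were never answered (conn_state S0), a rough port-scan indicator. The conn.log content, hosts and addresses are constructed for this example.

```python
"""Parse Bro/Zeek tab-separated logs into typed records and run a simple scan check.
Added illustration: not Zeek's own code, and the conn.log below is constructed."""
from collections import defaultdict
from typing import Any, Dict, List

# Constructed conn.log in Zeek's ASCII format. Real files are tab-separated; the header
# lines (#separator, #fields, #types, ...) are part of the format, not decoration.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2020-01-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    "1577836800.123456\tCAbc1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t0.512\t120\t540\tSF",
    "1577836801.000000\tCAbc2\t10.0.0.5\t51235\t192.0.2.53\t53\tudp\tdns\t0.020\t60\t120\tSF",
    "1577836802.000000\tCAbc3\t10.0.0.9\t40001\t192.0.2.10\t21\ttcp\t-\t-\t-\t-\tS0",
    "1577836802.100000\tCAbc4\t10.0.0.9\t40002\t192.0.2.10\t23\ttcp\t-\t-\t-\t-\tS0",
    "1577836802.200000\tCAbc5\t10.0.0.9\t40003\t192.0.2.10\t445\ttcp\t-\t-\t-\t-\tS0",
    "1577836802.300000\tCAbc6\t10.0.0.9\t40004\t192.0.2.10\t3389\ttcp\t-\t-\t-\t-\tS0",
    "#close\t2020-01-01-00-00-10",
])


def _convert(value: str, ztype: str, unset: str, empty: str) -> Any:
    """Apply the #types line: '-' means unset (None here), '(empty)' means an empty value."""
    if value == unset:
        return None
    if value == empty:
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, enum stay text; vector/set types are not handled in this toy


def parse_zeek_log(text: str) -> List[Dict[str, Any]]:
    """Return one dict per data line, keyed by the names in the #fields header."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    types: List[str] = []
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # the value is written as an escape sequence, e.g. "\x09" for a tab
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#empty_field"):
            empty = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#types"):
            types = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #set_separator, #path, #open, #close
        else:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            records.append({f: _convert(v, t, unset, empty)
                            for f, v, t in zip(fields, values, types)})
    return records


def scan_candidates(records: List[Dict[str, Any]], min_ports: int = 3) -> Dict[str, List[int]]:
    """Hosts that sent TCP SYNs to at least min_ports distinct ports without ever getting
    a reply (Zeek conn_state S0). Crude, but it is the kind of check the raw logs enable."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] == "S0":
            ports[r["id.orig_h"]].add(r["id.resp_p"])
    return {h: sorted(p) for h, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_CONN_LOG)
    print(f"{len(recs)} connections parsed")
    print("scan candidates:", scan_candidates(recs))
```

The header-driven parsing is the important part: because `#fields` and `#types` travel with the file, a collector can ingest a log whose columns it has never seen before, which is exactly what makes the flat files convenient to load into a database such as ELSA's.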
Newer versions of Security Onion also ship with the ELK stack, which replaced ELSA.
But what is ELK? To answer that, we first need to answer another question: what is a SIEM?
Security Information and Event Management (SIEM)
SIEM systems are data correlation tools that capture data from multiple sources and provide data analysis and reports to management on system, application and network activity and possible security events.
These tools can be used to detect compliance violations, identify known attacks and provide reporting. As shown in the exhibit, a SIEM system gathers data from multiple sources, then correlates and analyzes that data to develop reports for management on the wider picture of security across the organization's systems.
Most modern SIEMs also integrate with other information systems to gather additional contextual information to feed the correlation engine.
Cisco ISE (an identity management system) and Cisco Stealthwatch (a flow collector) are examples of such systems; both can integrate with most SIEMs.
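What "correlation" and "contextual information" mean in practice is easiest to see in code. The following is an added example (not the code of any SIEM product) of one correlation rule: it parses sshd log lines forwarded from two hosts, looks for a burst of failed logins from one source IP against several hosts inside a time window, escalates if a successful login from the same IP follows, and enriches the alert from two context feeds of the kind L65 and L66 describe: an asset inventory with criticality, and an IP-to-user identity mapping as Cisco ISE would provide. The log lines, hosts, addresses and both context tables are constructed for this example.

```python
"""SIEM-style correlation across sources with context enrichment.
Added illustration; the log lines, hosts and context tables are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sshd lines from two hosts, as syslog-ng or OSSEC would forward them.
SAMPLE_AUTH_LINES = [
    "Jan  5 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 50001 ssh2",
    "Jan  5 10:00:03 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2",
    "Jan  5 10:00:05 db01 sshd[2203]: Failed password for root from 203.0.113.7 port 50003 ssh2",
    "Jan  5 10:00:08 db01 sshd[2203]: Failed password for root from 203.0.113.7 port 50004 ssh2",
    "Jan  5 10:00:20 db01 sshd[2207]: Accepted password for backup from 203.0.113.7 port 50005 ssh2",
    "Jan  5 10:01:00 web01 sshd[1300]: Accepted password for alice from 10.0.0.5 port 40000 ssh2",
    "Jan  5 10:02:00 web01 sshd[1301]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "Jan  5 10:02:01 web01 cron[900]: (root) CMD (/usr/bin/backup.sh)",  # unrelated line, ignored
]

# Hypothetical context feeds: an asset inventory (CMDB) and an identity source of the
# kind Cisco ISE provides (IP -> user/device). Both are made up for this example.
ASSETS = {"web01": {"criticality": "medium", "zone": "dmz"},
          "db01": {"criticality": "high", "zone": "internal"}}
IDENTITY = {"10.0.0.5": {"user": "alice", "device": "alice-laptop"}}
CRIT_ORDER = ["low", "medium", "high"]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$")


def parse_auth_line(line: str) -> Optional[Dict]:
    """Normalize one sshd syslog line into an event dict; None for anything else."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%b %d %H:%M:%S")
    return e


def correlate(lines: List[str], window_s: int = 60, min_failures: int = 3, min_hosts: int = 2) -> List[Dict]:
    """Rule: at least min_failures failed logins from one IP against at least min_hosts
    hosts within window_s seconds; escalated if a successful login from that IP follows
    within window_s of the last failure. Returns one enriched alert per offending IP."""
    events = sorted((e for e in map(parse_auth_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for anchor in failures:  # slide the window, anchored on each failure in turn
            burst = [f for f in failures if 0 <= (f["ts"] - anchor["ts"]).total_seconds() <= window_s]
            hosts = {f["host"] for f in burst}
            if len(burst) < min_failures or len(hosts) < min_hosts:
                continue
            last_fail = burst[-1]["ts"]
            success = next((e for e in evs if e["result"] == "Accepted"
                            and 0 <= (e["ts"] - last_fail).total_seconds() <= window_s), None)
            # context enrichment: worst asset criticality among targets, identity of the source
            worst = max((ASSETS.get(h, {}).get("criticality", "low") for h in hosts),
                        key=CRIT_ORDER.index)
            severity = "critical" if success and worst == "high" else "high" if success else "medium"
            alerts.append({
                "rule": "ssh_bruteforce_multi_host",
                "src_ip": ip,
                "hosts": sorted(hosts),
                "failures": len(burst),
                "followed_by_success": success is not None,
                "compromised_account": success["user"] if success else None,
                "max_asset_criticality": worst,
                "identity": IDENTITY.get(ip),  # None when the identity source does not know the IP
                "severity": severity,
            })
            break  # one alert per source IP
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUTH_LINES):
        print(alert)
```

On the sample data only 203.0.113.7 trips the rule: four failures against two hosts in seven seconds, followed by an accepted login for `backup` on the high-criticality host, so the alert is rated critical. The single failure from 10.0.0.5, which the identity feed ties to a known user and device, stays below the threshold; that is the kind of noise the context feeds are meant to suppress.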
Examples of SIEM software: Splunk, IBM QRadar, LogRhythm, HP ArcSight and ELK. ELK is open source; strictly speaking it is a log collection, search and visualization stack rather than a complete SIEM, but it is commonly used as the basis for one.
“ELK” is the acronym for three open source projects: Elasticsearch, Logstash and Kibana.
Logstash is a receiver for log data from virtually any source.
It can filter, process, correlate and generally enrich any log data it encounters: it is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” such as Elasticsearch.
Elasticsearch is the storage engine and is one of the best solutions in its field currently available (it is an open source, distributed, RESTful, JSON-based search and analytics engine).
Kibana is the visualization portion of the equation, and it is hands down one of the best visualization systems the open source community has yet produced (it lets users visualize the data in Elasticsearch with charts and graphs).
Logstash, as part of the ELK stack, uses input plugins to collect logs, and it can also accept input from more purpose-built solutions such as OSSEC or Snort.
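The input, filter and output stages described above are easier to grasp when spelled out. The following is an added example, written in Python rather than Logstash's own configuration language and not Logstash's code, that mimics a typical pipeline: a grok-like regex splits the syslog header into fields, a date step produces `@timestamp`, a kv step pulls `key=value` pairs out of kernel audit messages, a mutate step fixes types, and the output stage renders the documents as an Elasticsearch `_bulk` body with one index per day. The sample lines, the assumed year for the year-less syslog timestamps and the `logs-syslog-` index prefix are constructed for this example.

```python
"""A Logstash-style pipeline (input -> filter -> output) written out in Python.
Added illustration, not Logstash's code; sample lines and index naming are constructed."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List

# Input stage: constructed syslog lines as a shipper (syslog-ng, Beats) would deliver them.
SAMPLE_SYSLOG = [
    "Jan  5 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 50001 ssh2",
    "Jan  5 10:00:02 web01 cron[900]: (root) CMD (/usr/bin/backup.sh)",
    'Jan  5 10:00:03 db01 kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"',
    "not a syslog line at all",
]

# grok {} equivalent: named regex groups become event fields.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<syslog_message>.*)$")
# kv {} equivalent: key=value and key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def filter_grok(event: Dict) -> Dict:
    m = SYSLOG_HEADER.match(event["message"])
    if not m:
        event.setdefault("tags", []).append("_grokparsefailure")  # Logstash's own convention
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event


def filter_date(event: Dict, year: int = 2020) -> Dict:
    """date {} equivalent. BSD syslog stamps carry no year, so one is assumed (hypothetical)."""
    if "timestamp" in event:
        ts = datetime.strptime(" ".join(event["timestamp"].split()), "%b %d %H:%M:%S")
        event["@timestamp"] = ts.replace(year=year, tzinfo=timezone.utc).isoformat()
    return event


def filter_kv(event: Dict) -> Dict:
    """kv {} equivalent, applied only to kernel audit lines (a Logstash 'if' conditional)."""
    if event.get("program") == "kernel" and event["syslog_message"].startswith("audit:"):
        event["audit"] = {k: q or b for k, q, b in KV_RE.findall(event["syslog_message"])}
    return event


def filter_mutate(event: Dict) -> Dict:
    """mutate {} equivalent: convert types and drop the scratch field."""
    if "pid" in event:
        event["pid"] = int(event["pid"])
    event.pop("timestamp", None)
    return event


FILTERS = [filter_grok, filter_date, filter_kv, filter_mutate]


def run_pipeline(lines: List[str]) -> List[Dict]:
    """Filter stage: every event passes through the filters in order."""
    docs = []
    for line in lines:
        event = {"message": line, "type": "syslog"}  # Logstash keeps the raw line in "message"
        for f in FILTERS:
            event = f(event)
        docs.append(event)
    return docs


def to_bulk(docs: List[Dict], index_prefix: str = "logs-syslog") -> str:
    """Output stage: an Elasticsearch _bulk body (NDJSON: action line, then document line),
    with one index per day in the spirit of the classic logstash-%{+YYYY.MM.dd} naming."""
    lines = []
    for d in docs:
        day = d["@timestamp"][:10] if "@timestamp" in d else "unparsed"
        lines.append(json.dumps({"index": {"_index": f"{index_prefix}-{day}"}}))
        lines.append(json.dumps(d, sort_keys=True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_bulk(run_pipeline(SAMPLE_SYSLOG)))
```

Two details carry over to real deployments: a line the grok stage cannot parse is not dropped but tagged `_grokparsefailure` and indexed anyway, so parsing gaps stay visible in Kibana, and the unparsed documents land in their own index because they have no `@timestamp` to route on.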
The Elastic Stack is the next evolution of ELK: the same three components plus Beats.
To make ELK collect data from different servers and services we need agents installed on those servers; these agents are called Beats.
Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to Logstash or directly to Elasticsearch.
In older deployments this forwarding role was played by a Logstash instance on the source server itself, which is why the servers running such Logstash agents are called shippers.