Security Onion 2.4.8 queries - Alerts algorithm, Monitoring Interface, Machine Learning with multiple Vendor Malware signature integration #13357
-
If you accidentally connect Security Onion to a normal switch port instead of an actual mirror port, then you will only see broadcast traffic and not all of the mirror traffic that you expect.
Yes, Suricata uses the Emerging Threats ruleset by default to look for suspicious traffic. For more information, please see:
We are considering options for the future. We have no timelines or any other information to share at this time.
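The reply above gives the tell-tale sign of a mis-cabled sensor: on a plain access port you see only broadcast traffic, while a mirror port delivers unicast frames exchanged between other hosts. The following POSIX shell heuristic, added here as an example for question (a) and not part of Security Onion, turns that into a check you can run on a sensor: it classifies frames from `tcpdump -e -nn` by destination MAC and reports whether a majority are third-party unicast. The interface name `bond0`, the sensor MAC, and both tcpdump samples are assumptions constructed for the example, not captures from the original poster's deployment.

```shell
# Added example for this thread, not part of Security Onion.
# Heuristic: a sniffing NIC on an access port only sees broadcast/multicast
# frames (plus anything addressed to its own MAC). Unicast frames between
# two *other* hosts can only arrive over a SPAN/mirror feed, so their share
# of the sample tells the two situations apart.

SENSOR_MAC='00:50:56:aa:bb:cc'   # assumed MAC of the sniffing NIC

# Constructed `tcpdump -e -nn` output, not a real capture.
# Access-port view: ARP broadcasts and mDNS multicast from other hosts only.
ACCESS_PORT_SAMPLE='10:15:32.000001 d4:3d:7e:55:66:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.30, length 46
10:15:33.100000 b8:27:eb:11:22:33 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 10.0.0.20.5353 > 224.0.0.251.5353: 0 PTR (QM)? _http._tcp.local. (38)
10:15:33.100400 b8:27:eb:11:22:33 > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 140: fe80::ba27:ebff:fe11:2233.5353 > ff02::fb.5353: 0 PTR (QM)? _http._tcp.local. (38)
10:15:34.000000 b8:27:eb:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.20, length 46
10:15:35.000000 d4:3d:7e:55:66:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.99 tell 10.0.0.30, length 46'

# Mirror-port view: client <-> gateway (00:1a:2b:3c:4d:5e) unicast plus one ARP.
MIRROR_PORT_SAMPLE='10:20:01.000001 d4:3d:7e:55:66:77 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 74: 10.0.0.30.49152 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
10:20:01.000300 00:1a:2b:3c:4d:5e > d4:3d:7e:55:66:77, ethertype IPv4 (0x0800), length 74: 203.0.113.7.443 > 10.0.0.30.49152: Flags [S.], seq 100, ack 2, win 65535, length 0
10:20:01.000400 d4:3d:7e:55:66:77 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 66: 10.0.0.30.49152 > 203.0.113.7.443: Flags [.], ack 101, win 64240, length 0
10:20:02.000000 b8:27:eb:11:22:33 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 82: 10.0.0.20.54321 > 192.0.2.53.53: 1+ A? example.com. (40)
10:20:02.030000 00:1a:2b:3c:4d:5e > b8:27:eb:11:22:33, ethertype IPv4 (0x0800), length 98: 192.0.2.53.53 > 10.0.0.20.54321: 1 1/0/0 A 203.0.113.10 (56)
10:20:03.000000 d4:3d:7e:55:66:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.99 tell 10.0.0.30, length 46'

# classify_frames SENSOR_MAC < tcpdump_output
# Prints four counts: broadcast multicast unicast_to_sensor unicast_to_others
classify_frames() {
  awk -v self="$1" '
    NF >= 4 && $3 == ">" {
      dst = tolower($4); sub(/,$/, "", dst)
      if (dst == "ff:ff:ff:ff:ff:ff") bc++
      else if (substr(dst, 2, 1) ~ /[13579bdf]/) mc++   # group bit of first octet set
      else if (dst == tolower(self)) us++
      else uo++
    }
    END { printf "%d %d %d %d\n", bc, mc, us, uo }'
}

# mirror_verdict SENSOR_MAC < tcpdump_output
# "mirror" when at least half the frames are unicast between third parties,
# "access" otherwise. The 50% threshold is a judgement call for the example.
mirror_verdict() {
  set -- $(classify_frames "$1")
  total=$(( $1 + $2 + $3 + $4 ))
  if [ "$total" -eq 0 ]; then
    echo 'no-frames'; return 1
  fi
  if [ $(( $4 * 100 / total )) -ge 50 ]; then echo mirror; else echo access; fi
}

# On a sensor (as root): sample N frames from the sniffing interface.
# bond0 is an assumed interface name; substitute your own.
check_live() {
  iface=${1:-bond0}
  mac=$(cat /sys/class/net/"$iface"/address)
  tcpdump -i "$iface" -e -nn -c "${2:-200}" 2>/dev/null | mirror_verdict "$mac"
}

# Demo on the constructed samples (no root or tcpdump needed).
printf '%s\n' "$ACCESS_PORT_SAMPLE" | mirror_verdict "$SENSOR_MAC"
printf '%s\n' "$MIRROR_PORT_SAMPLE" | mirror_verdict "$SENSOR_MAC"
```

This answers only "am I receiving mirrored third-party traffic"; it does not prove the mirror covers every VLAN on the trunk. For that, look for `ethertype 802.1Q` / `vlan <id>` in the same `tcpdump -e -nn` output and compare the set of tags seen against what the gateway actually carries.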
-
Thanks @dougburks, appreciate the advice. Blessed weekend!
-
Version
2.4.80
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
16
RAM
256 GB
Storage for /
11 TB
Storage for /nsm
8 TB
Network Traffic Collection
other (please provide detail below)
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
a) Is there a way I can determine from Security Onion that my monitoring interface is a trunk port that is monitoring my gateway traffic as a mirror port into my network?
b) How does Security Onion determine which alerts to display? What is the traffic workflow: is every packet coming in on the monitoring interface compared against a signature, given a rating, tagged, and then displayed as an alert on the Alerts dashboard?
c) Is there any future plan in the Security Onion roadmap for integrating machine learning and malware signature collaboration with other security platforms,
such that it is highly likely that an alert is genuinely triggered if a signature was triggered by 3 different malware signature databases?
But this is a very awesome product. Still a lot to learn to enhance my understanding of SO capabilities in today's world.
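Question (b) asks whether each packet is compared against a signature and given a rating before it appears as an alert. With Suricata, which the reply above says runs the Emerging Threats ruleset by default, every rule match is emitted as one EVE JSON `alert` event that carries the matching rule's signature text, `gid:sid:rev` identity and `severity` (the rule's priority, where 1 is most severe). The Python below, added here as an example and not Security Onion's or Suricata's code, reads such line-delimited events, discards the non-alert event types that share the same file, and groups alerts by rule the way an alerts view does. The `eve.json` lines, the sids 9000001/9000002 and the rule messages are constructed for the example; Security Onion's own Elastic ingest and enrichment are not reproduced.

```python
"""Added example for this thread; not Security Onion's or Suricata's code.

Each Suricata rule match becomes one EVE JSON 'alert' record. The record
carries the rule's identity (gid, signature_id, rev), its message and
classification, and its severity (rule priority, 1 = most severe). Grouping
alerts by rule shows what the 'rating' and 'tag' in question (b) are: they
come from the rule, not from a per-packet score.
"""
import json

# Constructed eve.json lines, not a real capture. Field layout follows
# Suricata's alert schema; the sids (9000001, 9000002) and messages are made up.
SAMPLE_EVE = r"""
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE Suspicious User-Agent","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE Suspicious User-Agent","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":4444,"dest_ip":"10.0.0.8","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":3,"signature":"EXAMPLE Possible SSH brute force","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP"}
"""


def parse_alerts(eve_text):
    """Yield alert events from line-delimited EVE JSON.

    EVE interleaves many event types (flow, dns, http, ...); only
    event_type == "alert" records are rule matches. Blank lines and
    truncated, non-JSON lines (common at the tail of a live file) are skipped.
    """
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event


def summarize_by_rule(eve_text):
    """Group alerts by rule identity "gid:sid:rev".

    Returns {key: {"signature", "category", "severity", "count", "sources"}}.
    severity is copied from the rule, not computed here: it is identical for
    every match of that rule, which is why two hits on sid 9000001 below
    collapse into one row with count 2.
    """
    rules = {}
    for event in parse_alerts(eve_text):
        a = event["alert"]
        key = f'{a["gid"]}:{a["signature_id"]}:{a["rev"]}'
        entry = rules.setdefault(key, {
            "signature": a["signature"],
            "category": a["category"],
            "severity": a["severity"],
            "count": 0,
            "sources": set(),
        })
        entry["count"] += 1
        entry["sources"].add(event.get("src_ip"))
    return rules


def dashboard_order(rules):
    """Order like an alerts dashboard: most severe (lowest number) first,
    then most frequent first. Returns a list of (key, entry) pairs."""
    return sorted(rules.items(), key=lambda kv: (kv[1]["severity"], -kv[1]["count"]))


if __name__ == "__main__":
    for key, r in dashboard_order(summarize_by_rule(SAMPLE_EVE)):
        print(f'sev {r["severity"]}  x{r["count"]:<3} {key:<14} {r["signature"]}  '
              f'({len(r["sources"])} source IP(s))')
```

The grouping key deliberately includes `rev`: when a ruleset update bumps a rule's revision, old and new matches should be visible as separate rows, since the rule logic changed.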