Security Onion as NDR only

[facyber]

Hello community, I was wondering if anyone use SO only for monitoring network traffic? I would like to know what kind of setup (probably standalone) would be needed to have SO and then Zeek/Suricata alerts/logs from end devices only (PC/laptops), sending to SO.

Would it be possible to use SO as NDR only, without TAP/port mirroring?

Cheers!

[UMHB-InfoSec]

Question, if you're using NDR to mean Network Detection and Response ... if you're not ingesting network traffic there will not be anything to detect and respond to. Right?

On re-reading this comment I just wanted to say, this is a legit question. I'm not trying to be rude. My apologies if that did not come across correctly.

[facyber]

No worry. I am only interested in network traffic that happens on end devices let's say someone is running nap scan toward a PC. I presume Suricata for example, would detect that something suspicious and generate alerts that could be sent to SO. Or I misunderstood how it works actually (it's been a while since I played with SO sorry).

[UMHB-InfoSec]

Ah, that makes sense.

I don't think Suricata would be much assistance in the example you mention because AFAIK there is not a host-based agent for Suricata. So the only way Suricata, or a tool like it, can get input is to sniff it off the network or be fed the info via a pcap.

To my knowledge, most of the tools in SO are geared towards the network. Notable exceptions are Wazuh, OSQuery, and FleetDM. Recent development in SO seems to be moving away from tools like Wazuh and FleetDM and focusing more on the networking side of the house.

I don't think that is a bad thing either. Being all things to all people will always be impossible and only insure none of your users will ever be happy.

I solved this issue by standing up a dedicated Wazuh instance, which was not as difficult as I thought it would be. The down side to this is that you now have one interface for your host based info and a different interface for NSM. But, in my opinion, that is a price worth paying.

From your original question it sounds like a solution like Wazuh is what you are looking for.

[facyber]

Well Watch was good for me when I worked with SO but it is an EDR which I don't need, I only need network traffic monitored, bit I see that Wazuh supports some integration with Suricata so might worth of trying. I also of course need nice web UI for managing alerts, and that is why SO came on my mind. Thanks for the info!

[dougburks]

To my knowledge, most of the tools in SO are geared towards the network. Notable exceptions are Wazuh, OSQuery, and FleetDM. Recent development in SO seems to be moving away from tools like Wazuh and FleetDM and focusing more on the networking side of the house.

@UMHB-InfoSec Security Onion is committed to providing both network visibility and endpoint visibility allowing security teams to get the best of both worlds in a single platform. In Security Onion 2.4, we're moving to Elastic Agent which has more endpoint features and better integration than we've had before.

From https://blog.securityonion.net/2023/02/security-onion-in-2022-and-2023.html:
As mentioned above, our primary endpoint agent will be Elastic Agent. Since Elastic Agent has osquery built in, it will be taking the place of the current osquery agent. Security Onion 2.4 will also use the Elastic Agent to send alerts and metadata from the sensors to the back end, replacing the current Filebeat agent. Users will be able to manage all of their Elastic Agents using Elastic Fleet in Kibana. Since Elastic Agent covers most of the Wazuh use cases used in Security Onion, Wazuh is being removed as well. This single agent architecture will save resources, streamline administrative processes, and ease the upgrade process in Security Onion.

[UMHB-InfoSec]

Thanks Doug. My apologies if I misrepresented the SO project. The SO team continues to do great work.

@facyber Listen to Doug, ignore me. If anyone needs me, I'll be the guy in the corner trying to excavate my foot from my mouth.