Security Operations Center

April 8, 2010

At work, a coworker and I have been setting up a mini security operations center. I call it a mini because it is really just a Snort and Nagios installation. We started with a basic Snort installation and added Base and Barnyard. Base is not very fun to look at, so we added Snoge, which is a way to output the originating location of network attacks to Google Earth. As you can see from the picture, the Snoge / Google Earth combination is much more enjoyable to look at. Another coworker then added Nagios to monitor uptime of our web servers. It was a fun project and introduced me to Snort and how much fun it can be. I am continuing to work on tuning the installation of Snort to reduce false positives.

[Images: Google Earth view from Snoge; SOC screenshots 1 and 2]

UPDATE: I have been asked to post the documentation that I followed. Here are the links:

http://www.rootninja.com/snort-ids-basic-analysis-security-engine-base-fedora/

http://www.snort.org/docs/setup-guides/

I believe the setup guides have how-tos for most Linux distributions in PDF format.

For Snoge, I used the documentation on the website. Installing the Perl modules was new to me and I was able to do that by using cpan. If you have specific questions on the installation please leave a comment.

One Response to “Security Operations Center”

  1. Hi,

    I’m interested in your documentation if available (especially if it’s on Debian, is it?) and how do you maintain the IDS rules, Snoge, and Snort too... from what: repository? sources?

    Can I see your installation doc, or could you give me some details if possible?

    Thanks in advance!
