WIXLIB

International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021ISSN 2229-5518The above table show the comparison of SOdeployment methods in terms of scalability,performance, throughput and cost.A. Types of NSM dataNSM tool is software that collects, maintains,processes, and presents NSM data. Networksecurity monitoring data may be classified intothe following [34].1) Session DataSession data is the summary data that isassociated with network conversation. It is basedupon the source and destination IPs, ports, andtransport layer protocol.2) Full Packet CaptureFull packet capture or full content data recordsall network traffic and details exactly what wascommunicated. The data is written to disk,commonly in PCAP format.602B. Tools and ConfigurationSecurity Onion offers a variety of tools that cancapture session data, including Zeek, Argus, andPRADS.Thissectiondescribestheaforementioned tools along with their abilities.a) Network Visibility Tools1) ZeekZeek is a network analysis [9] frameworkwritten in a specialized scripting language.Zeek can produce much more than sessiondata, the SO administrator commonly choosesto implement Zeek because the analyst canconfigure it to produce session data,transaction data, extract content, statisticaldata, metadata, and alert data. The defaultZeek installation provides several NSMfunctions. It provides audit records of everynetwork session that is seen on the wire. Italso provides audit records at the applicationlayer. For example, all HTTP sessions aretracked with the requested URIs, MIME types,and server responses. The Zeek scriptinglanguage provides analyzers for manycommonly used protocols that can be used forsemantic analysis at the application layer.IJSER3) Transaction DataTransaction data lies between session data andfull packet capture. It captures the detailsassociated with requests and responses.4) Alert DataAlert data is produced by intrusion preventionsystems (IPS). Alerts are produced whennetwork traffic matches certainconditions forwhich IPS are configured to respond.5) Statistical DataAlert data can be processed to producestatistical data. e.g.; how many requests persecond does this webserver normally receive?How many DNS requests per second are madefrom inside? How often does a user log into thatsystem?Are there cycles in data patterns based on timeof the day, day of the week, on the day of themonth?6) Meta DataMetadata is used to augment the NSM data. Itis directly collected by Geo-location, reputationscores, and ownerships that are associated withIP addresses.Each type of data provides unique values to theanalyst. Correlation is key to the analysts’ abilityto use all the NSM data types. The analyst uses acorrelation between different NSM data sets torelate events in different data slots.2) StenographerStenographer works as an open-sourcenetworking tool [32]. SO uses Stenographer toassemble full packet capture in the form ofpcap files. The main factor that is influencedby it is an increment in the performance thatreaches by zero-copy mechanisms, on packetreceiving and transmission the kernel does notnecessarily require to copy packets fromkernel space to user space and vice versa. Itwrites full-packet capture in form of pcap fileas given below:(HOSTNAME represents real hostname,INTERFACE represents real sniffing interfaceand YYYY-MM-DD is the year, month, anddate).3) SnortIJSER 2021http://www.ijser.org

International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021ISSN 2229-5518In SO, the Snort [8] is a NIDS. Snortgenerates ID alerts and works for the sniffingin network traffic. It is commonly compiledwith PF RING to allow handling morenetwork traffic. It is configured viasnort.confas given below:(HOSTNAME represents actual hostname tobe used and INTERFACE represents realsniffing interface).4) SuricataSuricata works as a robust network threatdetector and fast open-source and fast opensource Network [30]. It examines the networktraffic using an extensively powerful rule andhas Lua scripting to help detect complex threats.Suricata is combined with PF RING to allowyou to spin up several workers to handleadditional traffic. It can be configured viaSuricata.yaml as given below:603Send OSSEC logs to an external Syslogcollector.c) Analyst Tools1) SquertSquert works as a web application tool [28]used for query and views IDS alert data stored inthe form oftheSguil database. Squert is agraphical tool that provides a supplementaryframework to events through the use of logicallycollected results, metadata, and time seriesrepresentations. Squert offers access to the datatypes, e.g. NIDS alerts, HIDS alerts, Asset datafrom PRADS, HTTP logs from Zeek. Squert canpivot to CapMe for full packet capture. To dothis, drill into an event and click on the Eventthe alert pane consists of several columns, suchas SC source alerts, DC as destination alerts,PROTO as event alerts and etc.IJSER(HOSTNAME represents your real hostnameand INTERFACE represents your real sniffinginterface).b) Host Visibility Tools1) Syslog-ngSyslog-ng provides the facility to flexiblycollect [34], parse, classify, and correlate logsfrom the infrastructure and supply or route themto log analysis tools. Syslog-ng is used by SO touse it as a primary Syslog collector and senderof logs to ELSA.Syslog-ng's configuration file is positioned at:2) OssecOSSEC monitors all activities of the systemincluding file integrity, log, process, and rootcheck monitoring [5]. SO uses OSSEC as aHIDS. OSSEC also works as monitoring anddefending SO and you can add its agents tomonitor other hosts working on the network.To Configure OSSEC to direct emailnotification(s) is given as2) Enterprise Log Search and Archive(ELSA)It is a three-tier tool for log receiver, archiver,indexer, and web frontend for received Syslog[36]. It controls Syslog-ng's pattern-db parser forefficient log normalization and Sphinx full-textindexing for log searching. It is very fast,scalable. Each sensor has its own Mysqldatabase and sphinx index. When you query theELSA web interface, it queries all ELSAdatabases in parallel and then gives you theaggregate results. ELSA can pivot to CapME toaccess full packet capture. For any log relatingto TCP traffic that has timestamp; source anddestination IPs; source and destination ports. Auser can get Info by providing credentials.CapMe!will retrieve the pcap files and renderthem as an ASCII transcript.3) SguilSguil is used as a network analyst tool [30].The main component in Sguil is its GUI throughwhich real-time events, session data, and rawpackets can be accessed. NSM and event-drivenanalysis are captured through NIDS alert.4) CapMECapME works as a web interface [36]. It helpsin view the pcap transcripts and also helps usersinreducingthesefileswithtcpdump.CapMEallows users to pivot from aIJSER 2021http://www.ijser.org

International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021ISSN 2229-5518NIDS alert in Squert or from any log in ELSAthat has a timestamp, source,and destination IPs;source, and destination ports.5) Kibanacollected from the top five databases (i.e.,Science Direct, Springer, IEEE, JhonWiley,andACM).We wrote the following query to get the result asshown in Fig.1Kibana can perform all advanced data analysis.It also helps in visualize user’s data in the formof a chart, maps, and tables. Different data typeslike HTTP, DNP3 is generated by SO [38].Table 2 shows the comparison between differentanalysis tools according to their working andtype of IDS supported by them. The comparisonshows that most of the IDS are work only forNIDS but the Kibana tool work on both types ofIDs (HIDS & NIDS). These are web-based tools,and are used for the query and viewing ID alertalong with the normalized data form, SGUIL isthe tool which is based on Network securitythrough which real-time events and session datacan be managed easily and Kibana is mainlyfocused on Visual Interfaces through whichdecision making can be easily done betweendifferent given fields.V.604(((“Intrusion Detection System” OR “IDS”) AND“Zeek”) NOT “Sagan” NOT “AIDE” NOT“Samhain” NOT “Suricata” NOT “Snort”)ToolsTypePurposeSquertNIDSUse to query and View IDSalert data for a web-basedapplicationELSANIDSIt is used for efficient weblognormalizationSGUILNIDSIt provides graphical access toreal-time events and sessiondata.CAPMENIDSView a pcap transcriptrendered with tcpflowKibanaNIDS,HIDSInvestigations and decisionmaking is used to acceleratemultiple hyperlinked fields.IJSERANALYSISPERFORMEDONINTRUSION DETECTION TOOLSTable 02 Comparison of different Network analysis ToolsZeek is the most used intrusion detection toolwhich works efficiently in different intrusiondetection mechanism. The least used intrusiondetection tool isSamhain. After Zeek the secondmost used tool is Suricata due to its fast opensource network mechanism, then snort which isfamous for its IDS alert which can easily detectthe intrusion in the network. AIDE has 10% ofusage from different tools and lastly Sagan toolwith 8% of consumption from different sources.V. SIMPLIFIED SECURITYARCHITECTUREONIONFigure 1 Intrusion Detection ToolsThe researchers explore top IDS tools and findthat the above tools shown in Fig.1 are the mostwidely used tools for the IDS,results areSO can be deployed as a simple standalonesystem where one NIC is used for managementand one or more additional NICs are used formonitoring. SO can also scale using a distributedIJSER 2021http://www.ijser.org

International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021ISSN 2229-5518deployment where one system acts as the masterserver and the monitoring duties are spreadacross multiple sensor systems [40].When it comes to NSM tools, for every function,there are numerous options. For example, SOprovides a choice between Snort and Suricata forthe NIDS rule-based functionalities, which is acore component of SO. To understand thedifferent types of tools and different types ofdata that a network security analyst will workwith, SO provide a cohesive set of these tools asshown in Figure 2.The diagram serves to introduce the complexityof and interactions between the NSM tools inSO. The tools in the bottom row are largelydedicated to the collection and production of rawNSM data. The tools in the middle row areassociatedwiththeoptimizationandmaintenance of the data, for example, Zeek,OSSEC,and Syslog-ng all produce flat files withone log entry per line. The ELSA system takesthis raw data and organizes it into a relationalMYSQL database using high-performanceSphinx indexing. The tools that are listed in thetop row are responsible for the presentation ofthe data to the analyst. There are many linkagesbetween the data sets and the tools. For example,the ELSA can display Zeek connection events,providing session data. From any Zeekconnection log, ELSA can pivot to the CapME.The tool can extract the PCAP content that isassociated with that connection from the Sguildatabase display and decode it to the analyst.CapME! Pivot to Wireshark for an even moredetailed analysis of the associate PCAP data.While one might describeSguil and Squert asSnort alert managers, both offer much moreincluding the presentation of PCAP data,incorporation of metadata such as geo-location,and the ability to pivot other NSM tools.605Figure 2: Simplified Security Onion ArchitectureVI.DISCUSSION AND CONCLUSIONIn this paper, we have discussed twofundamentally different intrusion methods –Host IDS and NIDS and of SO tools handlingthese Host and Network attacks.Different typesof data havealso been discussed which arehelpful in security monitoring (NSM) andsecurity analyst use these data types to generatealerts in a network-based environment. SOprovides the tools including Zeek, Argus, andPRADS that capture session data. Similarly,HIDS/NIDS sensors deliver Alert data, PRADS,and zeek are responsible for Asset data, andOSSEC for Host data. SO also gives toolsincluding web applications such as Squert toquery data kept placed in the Sguil database.Another analyst tools of SO are ELSA andSguil. The main part is an instinctive GUI thatoffers access to raw packet captures, real-timeevents, and session data, and. Many tools areoffered such as NetworkMiner, CapME, orXplico to disseminate data for further analysis.SO provides secure remote access andmanagement methods to capture the malicioustraffic that can be investigated further inresearch problems. It is a Linux based platform,therefore, lower in implementation cost than theother alternatives. In a summarized way the wecan say that, SO is an extremely influentialNetwork Security Management platform whichis rapidly developing new tools and authorizingsecurity analysts to configure full monitoringand reporting capability in network intrusiondetection environment and giving a goodplatform for education and the researchdevelopment community.IJSERREFERENCES[1]S. Sharma, R. K. Gupta, al Journal of Security and ItsApplications Vol. 9, No. 5 (2015), 07.IJSER 2021http://www.ijser.org

International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021ISSN 2229-5518[2][3][4][5][6][7][8][9][10][11]N. Das, T. Sarkar,” Survey on Host andNetwork Based Intrusion DetectionSystem,” Int. J. Advanced Networkingand Applications, Volume: 6 Issue: 2Pages: 2266-2269 (2014) ISSN : 09750290.Sultana, N., Chilamkurti, N.K., Peng,W., &Alhadad, R. (2019). Survey onSDN based network intrusion detectionsystemusingmachinelearningapproaches. Peer-to-PeerNetworkingand Applications, 12, 493-501.Heenan, Ross &Moradpoor, Naghmeh.IntroductiontoSecurityOnion.Conference: PGCS: The First PostGraduate Cyber Security Symposium –The Cyber Academy, Edinburgh NapierUniversity, At Edinburgh NapierUniversity, Scotland, Volume: 1, May2016.TripwireAvailable:http://www.tripwire.com. Last accessed29thJanuary 2020.OSSEC.Available:http://www.ossec.net. Last accessed 1stFebruary 2020.Samhain Available: http://www.lasamhna.de/samhain. Last accessed 20thJanuary 2020.Snort. Available: http://www.snort.org.Last accessed 24th January 2020.Zeek Available: https://www.zeek.org.Last accessed 29th January 2020.S. Lessmann, R. Stahlbock, and S. F.Crone, “Genetic Algorithms for SupportVector Machine Model Selection,”International Joint Conference on NeuralNetworks, Sheraton Vancouver WallCentre Hotel, Vancouver, BC, Canada,July 16-21, 2006.M. S. Mhatre, F. Siddiqui, M. Dongre,P. Thakur, “A Review paper onArtificial Neural Network: A PredictionTechnique,” International Journal ofScientific & Engineering Research,Volume 8, Issue 3, March-2017, ISSN[12][13][14][15]6062229-5518.S. Mohammadi, A. Namadchian, “ANew Deep Learning Approach forAnomaly Base IDS using MemeticClassifier,” International journal ofcomputers communications & controlissn 1841-9836, 12(5), 677-688, October2017.T.S. Cheng, Y.D. Lin, Y.C. Lai, P.C.Lin, "Evasion Techniques: stems", IEEECommun. Surveys Tutorials, vol. 14, no.4, pp. 1011-1020, curityOnionSolutions/security-onion.Lastaccessed 1st January 2020.Security Onion blog. sed 1st January 2020.Gonzales, Ronald; Watkins, Alan;Simpson, Chris. “Using Security OnionforHands-OnCybersecurity”Proceedings of the 2015 hWestConference.Carey, M. J., Oyeniyi, T. U.S. PatentNo. 10,395,040. Washington, DC: U.S.Patent and Trademark Office. 2019.Deuble, Ashley; Shinberg, David.“Using and Configuring Security Onionto detect and prevent Web ApplicationAttacks.” SANS Institute InfoSecReading Room. p1-35. 2012.IJSER[16][17][18][19][20][21]Roger Meyer, “Detecting Attacks onWeb Applications from Log Files.” Aspart of the Information Security ReadingRoom, SANS Institute 2008.Gupta, Sunil; Luene, DrKees. Loggingand Monitoring to Detect NetworkIntrusions and Compliance Violations inthe Environment. SANS InstituteInfoSec Reading Room. p1-44. 2012Hjelmvik, Erik. “Hands on networkforensics. Swedish Armed Forces CERTIJSER 2021http://www.ijser.org

International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021ISSN 32]FIRST, Berlin., p1-93. 2015.Coleman Kane, ”Network SecurityMonitoring,” Cyber Defense Overview,September 24, 2014.S. Anwar et al., "From intrusiondetection to an intrusion responsesystem: Fundamentals requirements andfuture directions", MDPI Algorithms,vol. 10, no. 2, pp. 1-24, Mar. 2017.A. A. Sayar, S. N. Pawar, V. Mane, AReview of Intrusion Detection System inComputer Network, vol. 3, no. 2, pp.700-703, 2014.Techniques in Network manyam., “A Review ofAnomalyDetectionJournalofInnovative Research in Computer andCommunication Engineering (An ISO3297: 2007 Certified Organization) Vol.2, Issue 11, November Lastaccessed 27th February 2020.XplicoAvailable:http://www.xplico.org.Last accessed 30th December 2019.607December 2017. netsniff-ng Available:http://netsniff-ng.org. Last accessed 12thMarch netresec.com/?page NetworkMine r. Lastaccessed 29th January 2020.Book, Richard Bejtlich, “The Practice ofNetworkSecurityMonitoring:Understanding Incident Detection andResponse,” Paperback, 376 pages,Published August 2nd 2013 by NoStarch Press, ISBN 1593275099(ISBN13: .Last accessed 12th January ed 25th March onSolutions/securityonion/wiki/ELSA.Last accessed25th December2019.Proffitt T. How Can You Build andLeverage SNORT IDS Metrics toReduce Risk. The SANS (SysAdmin,Audit, Networking, and Security)Institute, Boston, MA. .net/.Lastaccessed 1st January /.Lastaccessed 10th February ads/. Lastaccessed 15th January 2020.Suricata Available: https://suricataids.org. Last accessed 29th November2019.PF RINGAvailable:http://www.ntop.org. Last accessed 29th[36][37][38][39]Perez, Steven. "Practical SIEM tools forSCADA environment." (2018).[40]Mikail, A., &Pranggono, B. (2019).SecuringInfrastructure-as-a-ServicePublic Clouds Using Security Onion.Applied System Innovation. 2019.IJSER 2021http://www.ijser.org

responsible for monitoring a particular host or system [2] and avoids intruders to compromise system security policies. HIDS collects data of network events, file systems, and system calls to check whether any inconvenient action has been encountered or not. Detection in intrusion is examined by file system integrity and memory usage [4].