Southern Fried Onion

Coverage of the 2016 Security Onion conference by Trinity

It’s 105°F outside the conference hall in Augusta, Georgia, where the annual “Security Onion” conference is being held. Perhaps they should name it “Southern Fried Onion”, I think, as I make my way inside to the cool, air-conditioned auditorium at Augusta State University. The opening speech is given by Doug Burks, welcoming the delegates and speakers, after which the talks begin.

Eric Conrad starts the ball rolling with a fascinating talk on how modern exploits use ICMP and DNS to contact CnC IPs, and why you should develop whitelists for ICMP traffic rather than just blocking the whole protocol. He has posted details of the code required on his blog. Robert Lee gives a talk about using Security Onion in industrial applications - not relevant to us, but very interesting, especially the story about the Norwegian wind farm that was hacked so that the processors in the wind turbine control units could be used to mine bitcoins for the hackers!
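To make the whitelisting idea concrete, here is an added example (my own code, not Eric Conrad’s and not part of Security Onion) that triages raw IPv4/ICMP frames by direction, ICMP type and echo payload size instead of dropping ICMP wholesale. The 10/8 internal range, the single whitelisted ping source, the 64-byte payload ceiling and the sample frames are all assumptions constructed for the example; the addresses are documentation ranges, not captures from the talk.

```python
"""Triage ICMP against a whitelist instead of blocking the protocol outright.

Added example (not from the talk or from Security Onion): raw IPv4/ICMP frames
are parsed by hand, then judged by direction, ICMP type and echo payload size.
"""
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11

# Assumed policy for a hypothetical 10/8 network; tune these to your own environment.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Error messages that ordinary traffic legitimately produces, in either direction
ERROR_TYPES = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}
# Only these internal hosts (e.g. a monitoring box) may originate echo requests outward
OUTBOUND_PING_SOURCES = [ipaddress.ip_network("10.0.0.5/32")]
# Largest echo payload a stock ping tool sends (Linux 56, Windows 32); bigger smells like tunnelling
MAX_PING_PAYLOAD = 64


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_frame(src: str, dst: str, icmp_type: int, payload: bytes, code: int = 0) -> bytes:
    """Build a minimal IPv4+ICMP packet (used here only to construct sample traffic)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, icmp_type, icmp_code, payload), or None if not IPv4 ICMP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 2)[0]
    if frame[9] != 1 or len(frame) < ihl + 8:  # protocol 1 = ICMP; ICMP header is 8 bytes
        return None
    src = ipaddress.ip_address(frame[12:16])
    dst = ipaddress.ip_address(frame[16:20])
    return src, dst, frame[ihl], frame[ihl + 1], frame[ihl + 8:total_len]


def classify(frame: bytes):
    """Return ('allow' | 'alert' | 'ignore', reason) for one frame."""
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return "ignore", "not IPv4/ICMP"
    src, dst, icmp_type, icmp_code, payload = parsed
    outbound = src in INTERNAL and dst not in INTERNAL
    inbound = dst in INTERNAL and src not in INTERNAL
    where = f"{src} -> {dst}"
    if not (outbound or inbound):
        return "ignore", f"{where}: does not cross the monitored boundary"
    # Oversized echo payloads are flagged whoever sent them: the whitelist grants
    # the right to ping, not the right to carry arbitrary data.
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and len(payload) > MAX_PING_PAYLOAD:
        return "alert", f"{where}: echo payload of {len(payload)} bytes, possible ICMP tunnel"
    if icmp_type in ERROR_TYPES:
        return "allow", f"{where}: ICMP error type {icmp_type}/{icmp_code}"
    # Unsolicited replies would need stateful request/reply matching to catch;
    # this stateless check only accepts the type.
    if inbound and icmp_type == ICMP_ECHO_REPLY:
        return "allow", f"{where}: echo reply to an internal host"
    if outbound and icmp_type == ICMP_ECHO_REQUEST and any(src in n for n in OUTBOUND_PING_SOURCES):
        return "allow", f"{where}: echo request from whitelisted source"
    return "alert", f"{where}: ICMP type {icmp_type}/{icmp_code} not whitelisted in this direction"


# Constructed sample traffic (documentation address ranges; not captures from the talk)
SAMPLE_FRAMES = [
    build_icmp_frame("10.0.0.5", "198.51.100.1", ICMP_ECHO_REQUEST, bytes(range(56))),  # monitoring host pings out
    build_icmp_frame("198.51.100.1", "10.0.0.5", ICMP_ECHO_REPLY, bytes(range(56))),    # and gets its reply
    build_icmp_frame("198.51.100.1", "10.0.0.42", ICMP_TIME_EXCEEDED, bytes(28)),        # traceroute-style error
    build_icmp_frame("10.0.0.42", "203.0.113.7", ICMP_ECHO_REQUEST, bytes(range(32))),  # workstation pings out
    build_icmp_frame("10.0.0.5", "203.0.113.7", ICMP_ECHO_REQUEST, b"GET /beacon\r\n" * 30),  # data in echo
    build_icmp_frame("10.0.0.42", "10.0.0.5", ICMP_ECHO_REQUEST, bytes(range(56))),      # internal only
]


def triage(frames):
    """Classify every frame; returns a list of (verdict, reason) in input order."""
    return [classify(f) for f in frames]


if __name__ == "__main__":
    for verdict, reason in triage(SAMPLE_FRAMES):
        print(f"{verdict:6} {reason}")
```

The point of the structure is that the whitelist answers two separate questions: who is allowed to originate echo requests across the boundary, and what a legitimate echo payload looks like. In a real deployment the same two checks would sit in a Bro/Zeek script or a Snort/Suricata rule fed by the sensor, and the payload-size threshold would be set from a baseline of the ping tools actually in use.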

Josh Bower is next up on the platform; he has written some code modules for Bro that allow autorun software commands on Windows systems to be picked up and displayed in Security Onion - really useful stuff, exposing a new Bro module called “autorun”. This module is scheduled for release in the near future. Chris Sanders, a mathematician and physicist, presented an in-depth talk about statistical analysis of log files, which led us into lunch – a traditional BBQ for 100 people!

The creator of ELSA, Martin Holste, had the pleasure of the first slot after lunch and kept the room wide awake explaining the imminent release of ELSA 2.0, which has some significant changes, such as no longer using Sphinx. This will be a major change to the ELSA platform, and the full details of the new package can be found on the product website. Chris McCubbin presented a talk about machine learning, followed by Brad Duncan, an ex-military guy who now uses Security Onion to analyse malware; he explained both his methods and the precautions required to implement them successfully, including using tcpreplay, why VPNs are essential for this type of work, and why PCAPs must be sanitised prior to publication.

Nathan Crews and Tanner Payne closed the presentations: they have written a web front end for Security Onion that ports the functionality of many of the tools to the browser – interesting stuff.

A massive thank you to both Doug Burks and Phil Plantamura for organising the conference and getting members of the community together for what was a fascinating day and a great opportunity to socialise with some of the leading lights in the open source security community.

See you next year!