I'd like to utilise some of the free SIEM type products out there to increase the chances that I will detect attacks and compromises of any of the devices on my home network. Most of my home devices run Linux. I'm only interested in solutions that are possible without a large investment of effort (not more than ~5 hours setup time, say, and minimal manual feeding and watering).

I have the usual home network assets I'd like to protect: integrity and availability of compute resources including bandwidth (it would be good to notice I was part of a botnet); confidentiality of online account credentials; availability of stored media, etc.

Some research on this site and Google has suggested that Snort + Snorby might be an option; I also have some experience of using Splunk which is free for up to 500mb of logs per day and can be teamed up with any number of other products (I'm a bit of a Splunk fan, though I haven't used it for security purposes).

Is this viable, or are all SIEM tools designed to be run by full-time security operations professionals? If it is viable, what can I configure Snort+Snorby to detect / what apps or publicly available configs and searches should I use with Splunk?

Which of these two options is most likely to meet my goals of low setup and maintenance effort whilst still actually being useful?

I'm particularly interested in experiences from anyone* who has such a setup, but opinions based on professional experience using these tools are also more than welcome.

*if you have a setup running at home and you're also a secops person doing this for a living, please mention this fact :)

Michael
  • Think this is off topic for too broad and product recommendation. – Lucas Kauffman Jul 10 '13 at 21:15
  • Also, if you like splunk I would suggest trying out greylog. It's the open source copy of splunk. No limits. – k to the z Jul 10 '13 at 21:36
  • @ktothez: graylog has some indexing-issues, but might be ok in small setups; see [link 1](http://edgeofsanity.net/article/2012/06/17/central-logging-with-open-source-software.html) / [link 2](http://devopsangle.com/2012/06/18/build-your-own-splunk-like-central-log-management-tool-with-open-source-software/) – that guy from over there Jul 11 '13 at 08:01

2 Answers

Security Onion sounds like your best bet. It will set up an IDS pretty fast. Have it watch traffic in and out of your network and install OSSEC on your clients at your house and point them to Security Onion. This website has all the information you need on the howto. http://securityonion.blogspot.com/

k to the z
securityonion would be my favourite for that task too, but:

> Is this viable, or are all SIEM tools designed to be ran by full time security operations professionals?

you should have some clue on what kind of attacks are happening and why some alerts are triggering rules. snort/suricata are network-based ids, thus filtering and scanning your traffic, and are able to produce false positives if you do not adjust your ids properly.

there is no install-and-never-care-about-solution.

> If it is viable, what can I configure Snort+Snorby to detect

everything that fits into a network packet :)

you can use it to detect attacks out -> in, but also malicious stuff in -> out. if you use the latest emerging-threats rulesets *) you'll wonder what's crashing onto your internet-facing nic 24/7, trying to break in

> what apps or publicly available configs and searches should I use with Splunk?

snort is a central log-store/index with freeform-searches

> Which of these two options is most likely to meet my goals of low setup and maintenance effort whilst still actually being useful?

you'll have to "learn" every tool you'll use in such a setup, because you have to analyze your events, sort false positives out, and optimize your setup. this tuning is what takes the most time. and you need to tune.

> I'm particularly interested in experiences from anyone* who has such a setup, but opinions based on professional experience using these tools are also more than welcome.

these tools are perfect for such a situation, but the price is: it will eat up some of your time

*) sadly, et has become very anti-virus-centric in recent years, losing some excellence, imho
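The tuning step this answer describes (sort out the false positives, then adjust the IDS) is where most of the home-SIEM time goes, so here is an added example, not code from the question or either answer, of how that review can start: a small Python script that parses Snort/Suricata "fast" alert lines, ranks signatures by volume, and drafts threshold.conf-style `suppress` entries for a human to look at. The alert lines, rule messages and SIDs (local 9000000+ range) are constructed, and the parser assumes IPv4 addresses.

```python
"""Rank Snort/Suricata 'fast' alerts by rule and source to find tuning candidates."""
import re
from collections import Counter

# One alert per line in the classic "fast" output format.
# IPv4 only: an assumption made to keep the pattern short.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (local SIDs, not real Emerging Threats rules).
SAMPLE_ALERTS = """\
07/10-21:15:00.123456  [**] [1:9000001:1] LOCAL POLICY outbound HTTP from NAS (constructed) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.20:51234 -> 203.0.113.10:80
07/10-21:15:02.000001  [**] [1:9000001:1] LOCAL POLICY outbound HTTP from NAS (constructed) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.20:51235 -> 203.0.113.10:80
07/10-21:15:05.500000  [**] [1:9000001:1] LOCAL POLICY outbound HTTP from NAS (constructed) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.20:51236 -> 203.0.113.10:80
07/10-21:16:10.777777  [**] [1:9000002:2] LOCAL SCAN inbound SSH probe (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.168.1.1:22
07/10-21:16:11.000000  [**] [1:9000002:2] LOCAL SCAN inbound SSH probe (constructed) [**] [Priority: 1] {TCP} 198.51.100.8:40001 -> 192.168.1.1:22
this line is not an alert and is skipped
"""


def parse_fast_alerts(text):
    """Return one dict per parseable alert line; anything else is skipped."""
    return [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]


def rank_signatures(alerts):
    """Count alerts per (gid, sid, msg), noisiest rule first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common()


def suppress_candidates(alerts, min_hits=3):
    """Draft 'suppress' lines for sources that fire the same rule >= min_hits times.
    These are for review, not blind application: a home device that legitimately
    trips a policy rule is a tuning case, a repeated inbound probe is a finding."""
    per_src = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for (gid, sid, src), n in per_src.items() if n >= min_hits]


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n in rank_signatures(parsed):
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    print("\n".join(suppress_candidates(parsed)))
```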