3 hours 10 minutes
Welcome to Lesson two of intro to Security Onion. I'm your instructor, Carl, and this lesson is all about what security Onion is.
So for the agenda. First we'll talk about what we're going to talk about in this course. We'll start with a discussion on what security Onion actually is, including a short history and the functionality. Next, we'll discuss the tools that are included in security Onion.
Then we'll discuss the architecture, and we'll wrap up by discussing deployment types.
So what is security? Onion?
This excerpt here is taken from the security Onion website
Security. Onion is a free and open source. Lennix distribution for intrusion detection, enterprise security monitoring and log management. It includes elasticsearch logs, Dash Cabana Snort Sarah Kata
Rowe was, ah, Squeal, Squirt, Cyber Chef, Network Minor and many other security tools.
The easy to use setup wizard allows you to build an army of distributed sensors for your enterprise in minutes
to build on that description. From the security Onion website Security Onion is an open source network security monitoring and network forensics tool. It was built with ease of deployments and tool interoperability in mind. It's not just a bunch of tools on a No West. They are configured to work together.
I appreciate this as it makes it much easier to deploy
Auntie, and the interoperability allows for more fluid investigations, and we'll dig into both of these ideas later on in the course.
So when people ask me what security Onion is, I like to compare to Cali, Lennox Kelly Lennox. Of course, being it is Lennox distribution that is largely used for penetration testing.
Well, well. Kelly has used her pen testing security. Onion is used to monitor for attacks from tools like Kelly. They're both similar distributions, but they have very differing ideologies.
The tool itself is the creation of Doug Burkes. He began the project in 2008 with the first open release in 2009. Over time, it gained a following, and Doug continue to build and rebuild the project.
In 2014 he founded Security Onion Solutions, which is the business arm of Security onion.
While the project is free and open source, this comes with a cost of knowing how to maintain a fairly complex piece of software.
Using open source technologies and a corporate environment might be attractive because that it's free,
you'll likely end up paying as much, if not more in time spent learning to deploy and maintain the tool.
Security Onion Solutions offers paid support, training and other service is for corporations that use the tool to help hops at the time sink. That may come from doing everything on your own.
That may be something to check out. If you're looking at security onion for your business,
there are several websites. They're maintained by the Security Onion team, the first to hear our security onion dot net and Security Onion solutions dot com. These give information on the project as a whole and what service's are available through security. Onion Solutions
they have good info for this course, will spend more time on the documentation site and the Google Group.
These have more information on deploying and using security onion and there a good place to look when things are broken.
Security. Onion can be used either as a forensics tool or for continuous monitoring as a network security monitoring tool.
When using it as a forensics tool, you can configure it as a standalone server, frequently as a V M on your desk top that you can replay P caps on two.
If you're ever in triage mode after an incident and someone hands you a pea cap that likely contains evidence of a compromise, it can be hard to know where to start by replaying it onto a standalone instance of security Onion, you can have the pea cap parsed out into network classifications. So think of
D. N s SMTP FTP things like that
and ran through Ah, ideas such a snort. And this will give you a very good starting place for your investigation.
When using it as a network security monitoring tool, you deploy multiple servers across your enterprise and gather the traffic in real time via a network tap.
The traffic is then run through. The same parcel is used in a standalone instance, but the traffic is coming and continuously.
This allows you to see what is coming in and going out of your network. Since all of the traffic is run through an I. D. S, you can then see what types of attacks are being thrown at you.
If you were, if you ever wanna have some fun at home, set up an instance to monitor what is hitting your home network. You may be surprised what's coming in.
Both types of installations will gather all the network traffic and stored in a searchable format. The amount of data stored will obviously depend on how much stored you have on your server and how much traffic you're throwing at it.
For example, a fully saturated, one gigabit per second pipe will require you to store seven and 1/2 gigabytes per minute
and 450 gigabytes per hour, so it's always good to plan accordingly.