2.2 Monitoring and Analysis Tools

Now that we've talked a bit about what security onion is and how it's used, let's discuss some of the tools that are built in two Security Union. The first component is the network I. D. S. There are two options that you can choose from Snort or Sarah Kata. They are both signature based I d. S is, and they both have their followers in this course will focus mainly on snort, as that is, where my experience lies. Next is burrow or, as it's been re branded, Zeke Bro is a network analysis framework. It is built with a scripting language that allows you to write rules to analyze and classify your traffic out of the box.

‍

Security comes with a host of Raoh rules that can classify your traffic based on protocol such as SMTP Dion sftp http. Things like that. Typically these lugs would be stored in the prologue format, which can then be parsed with tools like pro cut. But to make the logs interoperable with the elastic stack, they're stored in the Jayson format, which can be parsed with tools like Jake, you. The next tool is a West sec or was ah, this is the host intrusion detection system that is installed on all security onion servers. OS *** acts like a firewall. That manager monitors activity on the OS level and checks for things such as root kits. Since security onion is also used for log monitoring, it can be configured to gather logs from a just distributed a West sect deployment.

‍

This is helpful if you want to monitor other servers in your data center or even your end point in points from a central location. Next, we have nets Sniff N G. This tool gathers your network logs as they come in and stores the mass peak cap files. Now that we know what tools are gathering, get analyzing the network logs will move on to the tools that were used to analyze those logs. The main tool that we use for analysis is Cabana Cabana is a visualization tool that allows you to view the logs from the rest of the elastic stack. Elastic searches the search and analysis engine in the elastic stack that queries the logs being ingested by log stash. Well, now the elastic stack is a fairly complex beast, and it is used in many different tools.

‍

Since it is just a component of security onion, we won't dive too deep and how to manage it. The next two tools will discuss our squeal and squirt squeals stores and visualize is the logs from the I. D. S. The squeal dashboard can be viewed on the OS level of the manager in a standalone instance or from a dedicated analyst. VM and Squirt is a Web application for viewing the save logs but from any host that has been granted access through a west sec both squeal and squirt shou I. D s rules that have triggered the metadata from the package that triggered the alert as well as the payload. Next we have capped me.

‍

Cap me allows you to pivot from cabana to your full pack. It captures most logs in cabana, our bro logs which don't contain all information such as full payload. By being able to pivot from cabana to cap me, you can view exactly what's going on with your traffic, assuming you know how to read it. And it is not encrypted. That brings us to cyber chef. Cyber chef is not built directly into Cabana, and it does not ingesting the logs. What it is, though, is a tool box that will make your life easier. As an analyst, for example, it has a decoder for base 64. A lot of attacks are based. 64 encoded in an effort to hide the attack.

‍

With the decoder, you can see exactly what was sent to you. No, There are also regular expression tools by an Aryan hex decoders, hashing tools and other such things. It's a pretty cool tool level. Come in handy in unexpected ways, I'm sure. Now we've only covered the largest components of security onion. There are other tools, such as Time Lion Network, minor and wire shark that will cut that come included as well. Now these are all powerful tools, but if we cover them, it will likely be in passing. I do encourage you to look into them as much as you can, though, just learn all the things