Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:02
all right. Now that we've covered the monitoring and analysis tools, let's take a look at how they interact with each other and with a discussion on the architecture.
00:12
For that, we will jump over to the Security Onion documentation site as their graphics are much nicer than anything that I could put together.
00:21
So this is the girl that will get you to their documentation site.
00:25
I haven't already pulled up, so we won't have to worry about anything loading.
00:31
So says security. Onion don't read the docks dot io
00:36
etcetera. So
00:39
this is a very high level architecture diagram of security onion starting at the top. Here we have our analyst machine interacting with various things on the Internet and various processes. We have python team slack things like that and interacting with the
00:58
security onion interface Here were directly hitting Cabana. Just the query and visual ization engine
01:06
tens.
01:07
Cabana is sitting on top of the elastic search which ingests and indexes are logs. And based on this data, we can have several scripts running how it can have domain stats which give
01:21
statistics on domain. So the D. N s traffic. We have
01:26
frequency server, which is looking for anomalous uh,
01:34
de ns queries so big, randomly generated domains, things like that.
01:38
Then
01:40
we have a last alert which can alert based on any of these are alert to any of these Service is up here that we have curator which is helping us to manage our indices
01:51
and then
01:53
log Stashes where our data is parsed and logged.
01:57
But
01:57
it's in the name log stash, and then everything that is sending data in tow log Stashes down here. So we have snort, sir Kata o s sec, bro and Sis Log.
02:10
And then underneath os sac. We have sis mon and auto runs,
02:15
so just at a very high level. This is how everything in security on you it works. If you have a distributed architecture, this is more or less how it works.
02:23
Um, Cabana will
02:28
be sitting up at the top and it'll query anything at the manager or
02:31
it'll go down to, ah, storage note and query,
02:36
and on ah analyst machine
02:38
or, ah, standalone server.
02:43
Everything will be going on in the same server. So
02:46
little works out there
02:47
to come down here. We have ah, much more detailed diagram.
02:54
I already have a pulled up here
03:05
just to look through really quick.
03:07
You have our analyst machine here, like we did on the high level architecture diagram. And on here it is a bit more granular. Exactly what we're hitting. So squeal
03:17
is hitting. The Squeal Service browser is hitting the web proxy on the
03:24
management server, which is hitting squirt to cap me. Uh, we follow this over, it should take us to Cabana,
03:37
and then we have course have RS S H clients where we can ss agents. The manager and
03:42
I do admit administrative tasks to,
03:46
um,
03:46
choir the data directly. Things like that.
03:50
So if we want to look at our
03:54
child's node that is actually sniffing the traffic, this would be in an enterprise deployment.
04:01
We have sniffing traffic right here. It's coming down hitting PF ring, which is splitting the traffic between snorts terra cotta and bro.
04:11
And then we
04:13
half the traffic oingo were 10 net sniff n G, which is
04:17
from doing a full packet capture and storing all the logs as P caps actually think they're as snort then the snort format. They should be think
04:29
we have all of our alerts being written. Two disc ear.
04:33
Then we have our transport layer here. Soapy cap agent Barnyard says Log envy. If we are using a forward, knowed everything will be sent through sis log N G to log stash on the manager.
04:47
If we are using a heavy note architecture, then it'll send it to lug stash on the
04:55
sensor. Note itself on the heavy note itself,
04:58
so we'll talk a bit about this later on. But the heavy note has all service is running,
05:04
while ah Ford Note does not have the elasticsearch components running.
05:11
It forwards the
05:14
Excuse me,
05:15
it forwards the
05:18
ah, like the bro logs, the snort logs things like that to the manager, where it stores it in the local log stash. And then
05:29
from there it can be stored either on the manager or on a storage node.
05:34
So after the data is stored on here,
05:39
it can be sent over to squeal,
05:43
so the idea slugs will be sent over to squeal, and it's stored on the security onion database.
05:51
Any of the scripts that we discussed earlier would be running here in our doctor containers.
06:00
So
06:01
this review that we're giving right now isn't meant to be comprehensive by any means. I I'd recommend coming in here
06:11
taking a look through
06:15
the flow diagrams and really gained familiarity. What? What exactly what exactly is going on in your network
06:23
on your build?
06:26
If you're ever trying to figure out what
06:30
has broken
06:30
our how things fit together, then knowing how everything is put together in the first place is
06:38
pretty important.
06:40
So
06:41
I
06:42
That's one thing that I very much appreciated about the security onion projects, the people that security onion solutions is they have very good documentation for this project.
06:53
Um,
06:54
I I I found things in here that I didn't even know I needed to worry about, so
07:00
I'd recommend coming in here and reading through this and see what you can learn.

Up Next

Security Onion

Security Onion is an open source Network Security Monitoring and log management Linux Distribution. In this course we will learn about the history, components, and architecture of the distro, and we will go over how to install and deploy single and multiple server architectures, as well as how to replay or sniff traffic.

Instructed By

Instructor Profile Image
Karl Hansen
Senior SOC Analyst
Instructor