2.3 Security Onion Architecture

Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:02
All right. Now that we've covered the monitoring and analysis tools, let's take a look at how they interact with each other, with a discussion on the architecture.
00:12
For that, we will jump over to the Security Onion documentation site as their graphics are much nicer than anything that I could put together.
00:21
So this is the URL that will get you to their documentation site.
00:25
I have it already pulled up, so we won't have to worry about anything loading.
00:31
So it says securityonion.readthedocs.io
00:36
et cetera. So
00:39
this is a very high-level architecture diagram of Security Onion. Starting at the top, here we have our analyst machine interacting with various things on the Internet and various processes. We have Python, team, Slack, things like that, and interacting with the
00:58
Security Onion interface. Here we're directly hitting Kibana, just the query and visualization engine
01:06
tens.
01:07
Kibana is sitting on top of Elasticsearch, which ingests and indexes our logs. And based on this data, we can have several scripts running. So we can have Domain Stats, which gives
01:21
statistics on domains, so the DNS traffic. We have
01:26
Freq Server, which is looking for anomalous
01:34
DNS queries, so big, randomly generated domains, things like that.
01:38
Then
01:40
we have ElastAlert, which can alert based on any of these, or alert to any of these services up here. Then we have Curator, which is helping us to manage our indices,
01:51
and then
01:53
Logstash is where our data is parsed and logged.
01:57
But
01:57
it's in the name, Logstash. And then everything that is sending data into Logstash is down here. So we have Snort, Suricata, OSSEC, Bro and syslog.
02:10
And then underneath OSSEC we have Sysmon and Autoruns,
02:15
so just at a very high level, this is how everything in Security Onion works. If you have a distributed architecture, this is more or less how it works.
02:23
Kibana will
02:28
be sitting up at the top and it'll query anything at the manager, or
02:31
it'll go down to a storage node and query,
02:36
and on an analyst machine
02:38
or a standalone server,
02:43
everything will be going on in the same server. So
02:46
it all works out there.
02:47
If we come down here, we have a much more detailed diagram.
02:54
I already have it pulled up here
03:05
just to look through really quick.
03:07
We have our analyst machine here, like we did on the high-level architecture diagram. And on here it is a bit more granular, exactly what we're hitting. So Sguil
03:17
is hitting the Sguil service. The browser is hitting the web proxy on the
03:24
management server, which is hitting Squert, CapMe. If we follow this over, it should take us to Kibana,
03:37
and then we of course have our SSH clients, where we can SSH into the manager and
03:42
do administrative tasks,
03:46
um,
03:46
query the data directly, things like that.
03:50
So if we want to look at our
03:54
sensor node that is actually sniffing the traffic. This would be in an enterprise deployment.
04:01
We have sniffed traffic right here. It's coming down, hitting PF_RING, which is splitting the traffic between Snort, Suricata and Bro.
04:11
And then we
04:13
have the traffic going over to netsniff-ng, which is
04:17
doing a full packet capture and storing all the logs as pcaps. Actually, I think they're in the Snort format, they should be, I think.
04:29
We have all of our alerts being written to disk here.
04:33
Then we have our transport layer here. So pcap_agent, Barnyard, syslog-ng. If we are using a forward node, everything will be sent through syslog-ng to Logstash on the manager.
04:47
If we are using a heavy node architecture, then it'll send it to Logstash on the
04:55
sensor node itself, on the heavy node itself,
04:58
so we'll talk a bit about this later on. But the heavy node has all services running,
05:04
while a forward node does not have the Elasticsearch components running.
05:11
It forwards the
05:14
Excuse me,
05:15
it forwards the
05:18
the Bro logs, the Snort logs, things like that, to the manager, where it stores it in the local Logstash. And then
05:29
from there it can be stored either on the manager or on a storage node.
05:34
So after the data is stored on here,
05:39
it can be sent over to Sguil,
05:43
so the IDS logs will be sent over to Sguil, and it's stored in the Security Onion database.
05:51
Any of the scripts that we discussed earlier would be running here in our Docker containers.
06:00
So
06:01
This review that we're giving right now isn't meant to be comprehensive by any means. I'd recommend coming in here,
06:11
taking a look through
06:15
the flow diagrams, and really gain familiarity with what exactly is going on in your network,
06:23
on your build.
06:26
If you're ever trying to figure out what
06:30
has broken
06:30
or how things fit together, then knowing how everything is put together in the first place is
06:38
pretty important.
06:40
So
06:41
I
06:42
That's one thing that I very much appreciated about the Security Onion project, the people at Security Onion Solutions: they have very good documentation for this project.
06:53
Um,
06:54
I found things in here that I didn't even know I needed to worry about, so
07:00
I'd recommend coming in here and reading through this and see what you can learn.