Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
All right. So the first thing I'm going to show you is how to check on your system services with sostat.
00:07
Right here I have a PuTTY session open. This allows me to SSH into the
00:13
virtual machine that we have set up.
00:16
We'll do sudo sostat | less.
00:20
If we don't pipe it to less, then everything will just fly by and we'd probably miss something.
00:29
All right, so we look through here. Its top part is our service status. We can check on the Sguil server. We can check on our Elastic stack, and what
00:39
of the underlying
00:42
services are running.
00:43
We have our interface status here.
00:47
If we look, we have some internal stuff. We have our
00:53
management interface here. That's our management IP address.
00:57
Here we have our sniffing
01:00
interface that's running in promiscuous mode, meaning that it gathers all traffic coming in instead of
01:06
passing on things that aren't meant for
01:07
us.
01:10
We have more interface information.
01:12
We can either scroll through with our arrows or hit the space bar to
01:17
bounce farther down.
01:19
We have our disk usage. Right now nothing is too heavily used. But
01:26
if this were a production deployment or if we were throwing a lot more data at it, then
01:33
this should fill up,
01:36
or some of these percentages should be higher.
01:41
Then our network sockets.
01:42
Yeah,
01:46
then we're getting into our IDS rules.
01:49
You can see we have our nice ASCII art of the flying pig,
01:53
and information about our Snort rules.
01:57
Right here we have our rule stats,
02:00
so enabled rules 20,255,
02:05
then disabled rules 7,359, making over 27,000 rules total.
02:16
Go a little bit farther down. We have our CPU usage
02:21
for the last 1, 5, and 15 minutes.
02:23
Uh huh.
02:24
I only have one CPU applied right now. I should probably boost that up next time I reboot,
02:30
and then our load averages. Any time any of these numbers are higher than our processing units, then
02:38
we either need to tune or give it more CPUs.
02:42
Since this is just one, we should probably give it more CPUs.
02:46
Start space-barring through these,
02:50
we get into our packet monitoring information.
02:54
So if
02:57
you're on a fairly busy network and your server has quite a few cores on it,
03:02
then,
03:04
looking through here, you'll be able to see all of our Bro and Snort instances and the percentage of dropped packets.
03:12
Right now, since we only have the one interface and we are not gathering anything, we don't have any dropped.
03:19
Apparently, we have one that we gathered.
03:23
So right now everything looks
03:24
about how it should be.
03:27
Space-bar down a little bit,
03:30
and it shows
03:31
what our data retention is in our log archive. Right now it's one day because
03:38
we've only really had this up for one day.
03:43
We have,
03:45
this shows our uncategorized events.
03:47
When we're working in Sguil, we want to put
03:51
autocat rules in to categorize our events for us.
03:57
We
03:58
don't have anything set up right now, and all these 400 events are probably just OSSEC alerts.
04:06
Then
04:09
top events for yesterday and all time.
04:12
Again, we don't have any data coming in right now, so
04:15
nothing too exciting there. Scrub by all that.
04:23
Then we have more granular details about our elastic stack.
04:28
So everything's running.
04:30
It looks like our cluster status is currently yellow, so that could be something to take a look at. Typically you want this to be green. If it's
04:40
red, then
04:41
something is more than likely broken. But
04:45
scroll through here.
04:47
All right.
04:48
So that is everything that is in sostat. If you ever run into an issue that you can't resolve,
04:57
then sostat can definitely help.
05:00
And if you do sostat-redacted,
05:03
that will
05:05
run the same command, except it'll
05:08
remove any sensitive data. And that's something that you can share on the Security Onion forums, and
05:14
the people there can take a look and
05:16
see if they can offer you some help.
05:19
That is
05:23
a high-level overview of sostat.

Up Next

Security Onion

Security Onion is an open source Network Security Monitoring and log management Linux Distribution. In this course we will learn about the history, components, and architecture of the distro, and we will go over how to install and deploy single and multiple server architectures, as well as how to replay or sniff traffic.

Instructed By

Karl Hansen
Senior SOC Analyst
Instructor