Hey, folks. Welcome to lessen seven of intro to security onion. I'm your instructor, Carl, and in this lesson we will learn how to replay traffic on a standalone server and do some basic analysis of a malicious pea cap file.
But for the agenda, we will replay a pea cap from a fictional organisation called Beguile Soft. Using TCP replay.
We will then perform analysis of the findings in Security Onion Using the VM installed on my local machine as an analyst. GM
The pee kept that we will be using was pulled from malware traffic analysis dot net. It is an example of malware traffic on a fictional network. Beguile Soft
will replay it on our standalone server that I moved to my virtual ization server, but well, actually perform the analysis on the virtual machine that we built on my laptop.
We're doing it this way for two reasons. One and mimics how we'd perform analysis on a standalone server that is on your desk top. With only a few differences,
we'll touch on those differences in the demo
now. The second reason we're doing it this way is that it's good practice to use an analyst VM when connecting toe a security onion deployment in an enterprise has it isolates both your desktop and your security onion deployment.
Now we will be replaying the traffic on our sniffing interface using TCP replay.
The command to replay the traffic is listed here. Now it's pretty straightforward. Pseudo TCP replay Dash I. Then you're sniffing interface name followed by Dash T, which will replay the traffic a top speed and finally, the pea cap, location and name.
Now, something to keep in mind with TCP replay is that it won't preserve the original timestamps from the pea cap.
It will give new time stamps based on the time that you ran the command.
Now there is a script that you can use to preserve time stamps when replaying traffic.
The command to use that script is S O import pea cap.
Another option is to open the peak happened wire shark has that will show the original Timestamps.
All right, let's get started