Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hey, folks. Welcome to lesson seven of Intro to Security Onion. I'm your instructor, Karl, and in this lesson we will learn how to replay traffic on a standalone server and do some basic analysis of a malicious pcap file.
00:13
For the agenda, we will replay a pcap from a fictional organization called Beguile Soft using tcpreplay.
00:21
We will then perform analysis of the findings in Security Onion using the VM installed on my local machine as an analyst VM.
00:30
The pcap that we will be using was pulled from malware-traffic-analysis.net. It is an example of malware traffic on a fictional network, Beguile Soft.
00:41
We'll replay it on our standalone server, which I moved to my virtualization server, but we'll actually perform the analysis on the virtual machine that we built on my laptop.
00:50
We're doing it this way for two reasons. One, it mimics how we'd perform analysis on a standalone server that is on your desktop, with only a few differences;
01:00
we'll touch on those differences in the demo.
01:03
Now, the second reason we're doing it this way is that it's good practice to use an analyst VM when connecting to a Security Onion deployment in an enterprise, as it isolates both your desktop and your Security Onion deployment.
01:15
Now we will be replaying the traffic on our sniffing interface using tcpreplay.
01:22
The command to replay the traffic is listed here. Now, it's pretty straightforward: sudo tcpreplay -i, then your sniffing interface name, followed by -t, which will replay the traffic at top speed, and finally the pcap location and name.
01:38
Now, something to keep in mind with tcpreplay is that it won't preserve the original timestamps from the pcap.
01:45
It will give new timestamps based on the time that you ran the command.
01:49
Now, there is a script that you can use to preserve timestamps when replaying traffic.
01:53
The command to use that script is so-import-pcap.
01:57
Another option is to open the pcap in Wireshark, as that will show the original timestamps.
02:02
All right, let's get started.

Up Next

Security Onion

Security Onion is an open source Network Security Monitoring and log management Linux Distribution. In this course we will learn about the history, components, and architecture of the distro, and we will go over how to install and deploy single and multiple server architectures, as well as how to replay or sniff traffic.

Instructed By

Karl Hansen
Senior SOC Analyst
Instructor