8.1 Sniffing Traffic
Video Transcription
00:00
Hey, folks, welcome to lesson eight of Intro to Security Onion. I'm your instructor, Carl, and in this lesson we will learn about sniffing traffic in a distributed environment, and we will also see what the sniffed traffic looks like in Security Onion.
00:16
All right, for the agenda.
00:18
First, we will talk briefly about network sniffing theory,
00:21
how Security Onion is set up to sniff traffic, and a bit about taps.
00:26
This discussion will be followed up with a short demo showing what the sniffed traffic looks like in the Security Onion dashboards.
00:35
So the first thing we'll touch on is sniffing traffic. Sniffing, or tapping, traffic is basically just grabbing a copy of the traffic as it goes by and sending it somewhere else. You can think of it as digital eavesdropping, except in our case it isn't to learn the latest gossip;
00:52
hopefully we're grabbing the traffic to look for signs of compromise, signs of corporate policy violations, and other such things.
01:00
Now, to sniff network traffic, we use a network tap. Taps are designed to make two copies of the traffic that goes through them.
01:07
One copy is for the person on the other side of the conversation
01:11
and the other copy is intended for another system.
01:15
Now, in our case, that system is Security Onion.
01:19
Since the tap is just copying the traffic, they're typically not detectable on your network. That is depending on the tap.
01:26
For example, the tap that I have pictured here is the one that I'm using in this demonstration.
01:32
It is a small, inexpensive tap that does not require a power source.
01:37
Because it doesn't require a power source, among other factors, it cannot handle gigabit networks and will force your networks to work at a lower speed,
01:46
typically 100BASE-TX.
01:49
This signal degradation could be indicative of a tap being put in place,
01:53
but it would also likely be a challenge to track this down.
01:59
Now, for the purposes of this demo, this tap works great. If you wanted to tap a much larger network,
02:06
then I'd look at something much beefier than this little guy.
02:09
To gather the network traffic from a network tap into Security Onion, some changes need to be made to the Security Onion network interfaces.
02:19
Now, since networking in Linux seems to require some sort of black magic, I'll say that it's lucky that the configuration scripts take care of the sniffing interface configuration for us.
02:30
Now, at a high level, the script will edit /etc/network/interfaces and set up your sniffing interfaces to run without an IP, in promiscuous mode, with noarp.
02:40
Now, this basically means that the interface will not deny traffic that was not intended for that interface.
02:46
Thus it's gathering all logs that come into it for our enjoyment in Security Onion.
02:54
All right. Now, this is a quick view of the configuration of the network interfaces on our forward node in the distributed deployment that we created in lesson four.
03:05
As you can see, enp0s3 is our management interface. You can tell that because it is assigned an IP address and it is not running in promiscuous or noarp mode.
03:19
Looking at enp0s9 and enp0s10, you can tell that those are our sniffing interfaces because they do not have IP addresses, and they are indeed running in promiscuous mode.
03:32
Now that we have a high-level overview of what it means to sniff traffic in Security Onion, let's dive into our demo.