Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:03
All right, let's get going. So here we just finished up getting our distributed environment installed and configured, and we have so-master, so-forward and so-storage. And I just ran so-status on each one of these to make sure that all of our
00:23
services were running properly. As you can see, everything looks okay
00:30
just on the first screen there. So
00:33
let's take a look in
00:36
Security Onion and see what our traffic looks like. So let's just head on over to Kibana,
00:45
And the traffic that we're getting in here is coming from a network tap that I set up
00:52
between,
00:54
ah, a Raspberry Pi that I have and my router.
00:58
So anything that
01:00
comes from the Raspberry Pi to the network is coming into Security Onion.
01:07
Right. So I finished setting this up at 20 to 10. So we've been seeing traffic since then,
01:15
and as we mentioned before, our landing page is an overview of all of the traffic that is coming into Security Onion
01:23
from both our HIDS, host intrusion detection system, our NIDS, network intrusion detection system, and from Bro.
01:33
So
01:34
of all of our log types, by far the most common is OSSEC, and that is very likely because we did a decent amount of configuration in the past hour.
01:47
Just with what my time frame is set to right now,
01:49
we have our devices that we set up, our so-master, forward and storage,
01:57
then log types, percentages.
02:00
Ah, getting into some Bro information.
02:04
Uh, doesn't look like we have any NIDS alerts right now, which I don't think is too surprising since everything is inside the home network.
02:15
Okay, no Bro notices.
02:16
So let's
02:17
take a look and see exactly what we're doing.
02:23
So right now I am remoted, RDP'd, into my
02:30
Raspberry Pi.
02:31
I have a browser opened up in here
02:36
and
02:38
went to one of my old favorite web comics, Sam and Fuzzy.
02:43
And if you'll notice here,
02:45
they do not use HTTPS, which in this case is excellent
02:50
because
02:53
that allows us to see what's going on.
02:54
And I also have Fromages open,
02:59
which is, ah, a cheese website.
03:05
You can shop for cheese if we want, I guess.
03:08
Now this one is HTTPS, so we'll be able to see what that looks like as well.
03:15
Let's do a little bit of browsing. Let's refresh Sam and Fuzzy for good measure.
03:24
Let's come down here to connections and see what kind of Bro logs we have.
03:35
All right. So a decent amount of DNS, SSL, HTTP and DHCP.
03:44
First of all, let's just take a look at our HTTP dashboard under Bro Hunting.
03:53
All right. 11 logs there.
03:57
Everything in the United States over port 80. That's to be expected.
04:01
So the source IP is .0.33, which is the IP address of my Raspberry Pi,
04:10
and these are all of the IP addresses that it reached out to over port 80.
04:15
The sites are samandfuzzy dot com,
04:19
t-w-i-n-g dot com. Okay. And then 172.217, a whole one.
04:29
URI,
04:31
HTTP referer.
04:33
Good.
04:36
Then we have our user agent string here.
04:44
So based on this, it's Mozilla. So most likely Firefox,
04:48
armv7l.
04:51
Looks like
04:53
Raspbian. So
04:55
just looking at the user agent string, it suggests that we're using Firefox in
05:00
oh. Nope. It's Chromium. Huh.
05:03
Guess I was mistaken. It happens sometimes,
05:08
more often than I'd like to admit. OK? Raspberry Pi, Raspbian, Chromium. That
05:14
definitely makes sense. Just that right there. Okay,
05:17
Come down here. We can look and see
05:21
everything that's going on.
05:27
Nothing too exciting. Just for funsies,
05:30
let's take a look at CapMe.
05:36
I should be able to pivot over to Wireshark if we really wanted to see what was going on with Sam and Fuzzy, but
05:43
I don't think we care that much right now.
05:50
Let's see what we can see with SSL.
06:02
Okay, so we have
06:05
the target countries. We have United States, France and Canada.
06:12
If I recall, Fromages is
06:15
a French website,
06:16
fromage, French for cheese.
06:20
Okay, so
06:24
top one on here is fromages dot com. Then next we have connect dot facebook dot net, Shopify, Shopify,
06:31
chimpstatic, Amazon Pay.
06:33
These are likely apps that they have running on
06:38
Fromages, in between.
06:40
Come back here.
06:43
I might be able to find some
06:46
widgets or something.
06:56
All right. We have Facebook there,
06:59
Instagram, Twitter.
07:04
If we dig into the
07:08
source code of the site, I'm sure we could find out more information as to what everything is.
07:17
If you'll notice, I am using
07:19
my RDP client to connect.
07:24
So let's see what we can see in here,
07:28
Bro Hunting, RDP.
07:36
Okay, so we have two connections
07:40
from 9 to 160.56, which is this laptop that I'm using,
07:46
and it's going to 0.33. Okay.
07:49
And my hostname is Walnut.
07:54
Port 3389. That's not surprising.
07:57
Yeah,
07:59
let's do a quick test.
08:11
Okay, let's try it.
08:13
Apparently, right-click is not working for me.
08:30
Plugging into this Pi.
08:39
Let's see if
08:41
that is in here.
08:43
That was establishing an SSH session.
08:48
See how long it takes the logs to get in here.
08:50
Looks like they're not in there quite yet.
09:05
It will frequently take more than a couple seconds for your logs to show up in here.
09:16
That's still nothing.
09:20
All right, let's take a quick look at DNS.
09:26
So DNS is a good place to look for weird traffic, for anomalous traffic.
09:33
Let's see if we have anything interesting going on in here.
09:41
Okay, so we have
09:45
Google APIs,
09:46
ex toad dot io, no idea what that is. Shocked by dot com,
09:54
Amazon Pay, CloudFront.
09:56
So
09:58
some interesting things going on in here.
10:01
Nothing that looks too concerning
10:05
One thing that you'll typically want to look for, if you're looking for evil on your network, is randomly generated domains.
10:13
So if you just see a random string of characters,
10:16
dot net, dot io, dot whatever,
10:22
then that's
10:22
potentially something bad.
10:31
Take one more quick look at SSH and see if
10:35
our connection has showed up yet.
10:43
All right, I'm not entirely sure why we're not showing up there, but
10:48
so just
10:50
that is a quick overview of
10:54
what
10:54
sniffing traffic will look like in
10:58
Security Onion. The traffic will just be continuously coming in. And every time that you log in, you'll see different numbers in here and different things to look at.
11:11
Um, this is, ah, a fairly simple network in that we're just sniffing traffic from one server, or one Raspberry Pi,
11:20
and
11:22
we're seeing all of this,
11:26
and there's always more interesting things than you expect.
11:33
And since we're here, let's take a quick look at our host intrusion detection system. So
11:39
Wazuh, ah, or OSSEC.
11:45
So by far this is the
11:46
largest, chattiest
11:50
log source. Right now
11:52
we have everything from when we configured our system. So file added to the system, session opened, session opened,
12:05
system audit events, integrity checksum changed.
12:09
So
12:09
as I'm sure you can imagine, if you do an enterprise deployment of OSSEC on all of your endpoints and you are gathering all of that information into Security Onion, you can find some pretty interesting things that are happening on your endpoints. That's a little bit beyond the scope of our,
12:30
you know, of
12:31
this course, but it's definitely something that you could look into if you're looking to do, ah, an enterprise deployment of Security Onion.
12:43
We'll check one more time for SSH, and if nothing's there, then we'll call it a wrap on this demonstration.
12:52
Ah, nothing's there. Guess we'll call it good. Thanks for watching.

Up Next

Security Onion

Security Onion is an open source Network Security Monitoring and log management Linux Distribution. In this course we will learn about the history, components, and architecture of the distro, and we will go over how to install and deploy single and multiple server architectures, as well as how to replay or sniff traffic.

Instructed By

Karl Hansen
Senior SOC Analyst
Instructor