3 hours 10 minutes
All right, let's get going. So here we just finished getting our distributed environment installed and configured, and we have so-master, so-forward and so-storage. I just ran so-status on each one of these to make sure that all of our services are running properly. As you can see, everything looks okay on the first screen there.

So let's take a look in Security Onion and see what our traffic looks like. Let's just head on over to Kibana. The traffic that we're getting in here is coming from a network tap that I set up between a Raspberry Pi that I have and my router. So anything that comes from the Raspberry Pi to the network is coming into Security Onion.

Right. So I finished setting this up at 20 to 10, so we've been seeing traffic since then. As we mentioned before, our landing page is an overview of all of the traffic that is coming into Security Onion from both our HIDS, host intrusion detection system, our NIDS, network intrusion detection system, and from Bro.

Of all of our log types, by far the most common is OSSEC, and that is very likely because we did a decent amount of configuration in the past hour. That's just what my time frame is set to right now. We have our devices that we set up, our so-master, forward and storage, then log types, percentages. Getting into some Bro information. Doesn't look like we have any NIDS alerts right now, which I don't think is too surprising since everything is inside the home network. Okay, no Bro notices. Let's take a look and see exactly what we're doing.
So right now I am RDP'ing into my Pi. I have a browser opened up in here. I went to one of my old favorite web comics, Sam and Fuzzy. And if you'll notice here, they do not use HTTPS, which in this case is excellent; that allows us to see what's going on. I also have Fromages open, which is a cheese website. We can shop for cheese if we want, I guess. Now this one is HTTPS, so we'll be able to see what that looks like as well. Let's do a little bit of browsing. Let's refresh Sam and Fuzzy for good measure.

Let's come down here to connections and see what kind of Bro logs we have. All right, so a decent amount of DNS, SSL, HTTP and DHCP. First of all, let's just take a look at our HTTP dashboard under Bro Hunting. All right, 11 logs there. Everything in the United States over port 80; that's to be expected. So the source IP is .0.33, which is the IP address of my Raspberry Pi, and these are all of the IP addresses that it reached out to over port 80. The sites are samandfuzzy.com, twing.com, okay, and then the 172.217 address. URI. Then we have our user agent string here. So based on this, it's Mozilla, so most likely Firefox, Raspbian. So just looking at the user agent string, it suggests that we're using Firefox in... Nope, it's Chromium. Guess I was mistaken. It happens sometimes, more often than I'd like to admit. Okay, Raspbian, Chromium, that definitely makes sense. Just that right there. Okay.

Come down here and we can look and see everything that's going on. Nothing too exciting. Just for funsies, let's take a look at CapMe. I should be able to pivot over to Wireshark if we really wanted to see what was going on with Sam and Fuzzy, but I don't think we care that much right now. Let's see what we can see with SSL.
Okay, so we have the target countries: we have United States, France and Canada. If I recall, Fromages is a French website; fromage is French for cheese. The top one on here is fromages.com, then next we have connect.facebook.net, Shopify, Chimp Statistic, Amazon Pay. These are likely apps that they have running on Fromages in between. Come back here. I might be able to find some widgets or something. All right, we have Facebook there. If we dig into the source code of the site, I'm sure we could find out more information as to what everything is.

If you'll notice, I am using my RDP client to connect. So let's see what we can see in here, Bro Hunting, RDP. Okay, so we have two connections from the 192.168 address ending in .56, which is this laptop that I'm using, and it's going to .0.33. Okay. And my host name is Walnut. Port 3389, that's not surprising.
Let's do a quick test. Okay, let's try it. Apparently right click is not working for me. SSHing into this Pi. Let's see if that is in here. That was establishing an SSH session. See how long it takes the logs to get in here. Looks like they're not in there quite yet. It will frequently take more than a couple of seconds for your logs to show up in here. That's still nothing.

All right, let's take a quick look at DNS. So DNS is a good place to look for weird traffic, for anomalous traffic. Let's see if we have anything interesting going on in here. Okay, so we have Google APIs, some .io domain, no idea what that is, shopify.com, Amazon Pay, CloudFront. Some interesting things going on in here. Nothing that looks too concerning. One thing that you'll typically want to look for, if you're looking for evil on your network, is randomly generated domains. So if you just see a random string of characters dot net, dot io, dot whatever, that's potentially something bad.
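As an added example that is not part of the video, here is a small Python check for the "random string of characters" pattern just described: it reads Zeek/Bro-style dns.log lines (a constructed sample is embedded) and flags query names whose registered label is long, high-entropy and either digit-heavy or vowel-poor. The length and entropy thresholds are assumptions to tune against your own network's baseline.

```python
import math
from collections import Counter

# Constructed sample in Zeek/Bro dns.log column order; only the 10th field (query)
# is used here. The random-looking names are made up for the demo.
SAMPLE_DNS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery
1579300001.0\tC1\t192.168.0.33\t51000\t192.168.0.1\t53\tudp\t1\t0.01\tsamandfuzzy.com
1579300002.0\tC2\t192.168.0.33\t51001\t192.168.0.1\t53\tudp\t2\t0.01\tapis.google.com
1579300003.0\tC3\t192.168.0.33\t51002\t192.168.0.1\t53\tudp\t3\t0.01\tq7xk2vlp9zrt4mwd.net
1579300004.0\tC4\t192.168.0.33\t51003\t192.168.0.1\t53\tudp\t4\t0.01\timages-na.ssl-images-amazon.com
1579300005.0\tC5\t192.168.0.33\t51004\t192.168.0.1\t53\tudp\t5\t0.01\tzj3hq8vbx5tykm1n.io
"""

VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits per character; a 16-character label with no repeats scores 4.0."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_label(qname):
    """Label just left of the TLD: 'q7xk2vlp9zrt4mwd' for 'q7xk2vlp9zrt4mwd.net'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_random(qname, min_len=10, min_entropy=3.5):
    """Heuristic (thresholds are assumptions, tune to your baseline): a long,
    high-entropy label that is digit-heavy or vowel-poor reads as machine-generated."""
    label = registered_label(qname).lower()
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return digit_ratio >= 0.2 or vowel_ratio <= 0.2

def flag_random_queries(log_text):
    """Walk dns.log lines, skipping Zeek '#' header lines, and return flagged names."""
    flagged = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) > 9 and looks_random(fields[9]) and fields[9] not in flagged:
            flagged.append(fields[9])
    return flagged

if __name__ == "__main__":
    for name in flag_random_queries(SAMPLE_DNS_LOG):
        print("random-looking query:", name)
```

Real dns.log files carry more columns than the sample, but the query stays in the same position, so the same field index applies.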
Take one more quick look at SSH and see if our connection has shown up yet. All right, I'm not entirely sure why we're not showing up there, but that is a quick overview of what sniffing traffic will look like in Security Onion. The traffic will just be continuously coming in, and every time that you log in you'll see different numbers in here and different things to look at. This is a fairly simple network in that we're just sniffing traffic from one server, or one Raspberry Pi, and we're seeing all of this, and there's always more interesting things than you expect.

And since we're here, let's take a quick look at our host intrusion detection system, OSSEC. So by far this is the largest, chattiest log source right now. We have everything from when we configured our system: file added to the system, session open, session opened, system audit events, integrity checksum changed. As I'm sure you can imagine, if you do an enterprise deployment of OSSEC on all of your endpoints and you are gathering all of that information into Security Onion, you can find some pretty interesting things that are happening on your endpoints. That's a little bit beyond the scope of this course, but it's definitely something that you could look into if you're looking to do an enterprise deployment of Security Onion.

We'll check one more time for SSH, and if nothing's there then we'll wrap up this demonstration. Nothing's there. Guess we'll call it good. Thanks for watching.