Scribd
Upload
114 views17 pages

Security Onion Lab

The document provides instructions for installing and configuring the Security Onion network monitoring system. It describes setting up X11 forwarding, installing Security Onion and its components, importing a packet capture file, and using the included tools like SQUERT, SGUIL and Kibana to analyze network traffic and investigate indicators of compromise.

Uploaded by

monica
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
114 views17 pages

Security Onion Lab

The document provides instructions for installing and configuring the Security Onion network monitoring system. It describes setting up X11 forwarding, installing Security Onion and its components, importing a packet capture file, and using the included tools like SQUERT, SGUIL and Kibana to analyze network traffic and investigate indicators of compromise.

Uploaded by

monica
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Module: Deploy Security Onion

Objective: As part of this hands-on module, you will be installing and configuring Security Onion (Network
Monitoring System).

Prerequisites: Knowledge of Ubuntu, IDS, Packet analysis and security concepts.

Topology

The following will be the topology used for this lab. Note that the IP addresses are examples only. When
working on the lab, use the actual IP addresses as indicated by the instructors. For the purpose of this
guide, the IP address of 192.168.30.X or 2001:db8:100::X will refer to your Virtual Machine (VM).

Lab Notes

Depending on the workshop, you may be:

1. Given a Virtual Machine (VM) that is already configured with Security Onion. Start the lab at Part 3
(which was given by lab instructor)

2. Or asked to connect to a container over the network. Refer to Part 1 Setup X11 Forwarding.

In this guide the interface name is eth0 . Depending on the version of Ubuntu the interface name
may be enp0s3 or something different. Where eth0 is used in this guide replace it with your
interface name.
Container details

Ubuntu 16.04 LTS/LXC


Hostname = groupXX.apnictraining.net
Domain name = apnictraining.net
IPv4 Address = 192.168.30.xx
IPv6 Address = 2001:db8:100::xx
xx = group ID as allocated by the instructor

Lab Exercise - Security Onion setup and configuration

Part 1. Setup X11 Forwarding for client

Windows 10

1. On the Windows machine. Download putty and install

https://ninite.com/putty/
or
https://www.putty.org

2. On the Windows machine. Download Xming and install

https://sourceforge.net/projects/xming/

3. Open Xming and allow firewall rules if prompted.

4. Connect to the container

putty -ssh -X [email protected]

-X = X11 forwarding .xx = group number

5. Confirm X11Forwarding is set to Yes in the /etc/ssh/sshd_config file.

cat /etc/ssh/sshd_config | grep X11

6. Confirm X11 forwarding is working.

firefox https://www.apnic.net
or
chromium-browser https://www.apnic.net
MacOS

1. On the MacOS machine. Download XQuartz and install

https://support.apple.com/en-au/HT201341

2. Connect to the container

ssh -v -X [email protected]

-X = X11 forwarding -v = verbose .xx = group number

3. Confirm X11Forwarding is set to Yes in the /etc/ssh/sshd_config file.

cat /etc/ssh/sshd_config | grep X11

4. Confirm display settings.

echo $DISPLAY

5. If display output is blank. Type the following:

export DISPLAY="localhost:10.0"

6. Confirm X11 forwarding is working.

firefox https://www.apnic.net
or
chromium-browser https://www.apnic.net

Ubuntu

1. Connect to the container

ssh -v -X [email protected]

-X = X11 forwarding -v = verbose .xx = group number

2. Confirm X11Forwarding is set to Yes in the /etc/ssh/sshd_config file.

cat /etc/ssh/sshd_config | grep X11

3. Confirm X11 forwarding is working.


firefox https://www.apnic.net
or
chromium-browser https://www.apnic.net

Part 2. Installation of Security Onion

1. To install Security Onion via a package manager type the following commands:

echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selec


tions
sudo apt-get update
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
sudo apt-get -y install securityonion-all syslog-ng-core

NOTE: This should have already been completed on the container or Virtual Machine (VM).

2. Run setup wizard, type the following:

sudo sosetup

NOTE: Do not complete these steps on the Virtual Machine (VM) as it has already been done. Instead
check the status of the Security Onion by typing sudo sostatus

3. Click on Yes, Continue

4. Click on Yes, configure /etc/network/interfaces

5. Select static and click on Ok

6. The next few screens will ask for details about the network:

IP Address = 192.168.30.XX (XX is group number)


Subnet Mask = 255.255.255.0
Gateway IP = 192.168.30.254 (Confirm with Instructor)
DNS IP = 1.1.1.1 192.168.30.249(Confirm with Instructor)
Domain name = apnictraining.net

7. Click on Yes, make changes!

8. Click on Yes, reboot!

NOTE: May need to ask the instructor to stop and start the container

9. After the reboot, reconnect to the container.


ssh -X [email protected]
or
putty -ssh -X [email protected]

-X = X11 forwarding -v = verbose .xx = group number

10. restart the setup wizard. Type the following:

sudo sosetup

11. Click on Yes, Continue

12. Click on Yes, skip network configuration!

13. Evaluation mode will install all the tools onto the one virtual machine or container. Click on
Evaluation Mode , then click on OK .

14. Create a user account that will be used to log into Kibana, Squert and Sguil.

username: apnic
password: training

NOTE: In a production environment, this should be a different account to what is used to log into
Ubuntu

15. Click on Yes, proceed with the changes! . This will take some time to complete as it
downloads and configures docker.

16. Once installed, check the status of the Security Onion services by typing the following:

sudo sostatus

17. Test you can open Squert in a browser.

chromium-browser https://localhost/squert
or
firefox https://localhost/squert

Part 3. Import Packet Capture File

1. To view the list of sample packet captures that are available:

cd /opt/samples
ls
2. Import the fake_av.pcap file:

sudo so-replay fake_av.pcap

This will import the pcap file as new traffic with the current date and time.

After importing the packet capture file, we will have a look at the alerts that were generated by SNORT, by
utilising a tool called SQUERT.

1. To see a summary of the fake_av.pcap file, type the following:

capinfos fake_av.pcap
Part 4. Investigate an Indicator of Compromise (IoC) using SQUERT

1. To start the investigation, open SQUERT:

firefox https://localhost/squert

or double-click on the SQUERT icon on the desktop.


EVENTS page, shows a list of events that have occured.
SUMMARY page, shows a list of the top signatures and the top source and destinations via IP
address and countries.
VIEWS page, uses a Sankey diagram to show the relationships between IP addresses, source
country and destination country.

2. Click on the SUMMARY page

Looking at the summary, we can see there may be a Command and Control Trojan (CnC) activity
in the packet capture file.
A lot of traffic is originating from an IP address of 172.16.150.20
A lot of traffic is going to an IP address of 58.64.132.141

3. Click on the VIEWS page.

From this Sankey diagram, you can see that the IP address of 172.16.150.20 is indeed mainly
talking to the IP address of 58.64.132.141. But there is also a red line showing a relationship with
an IP address of 66.32.119.38

4. Click on the EVENTS page. Apply a filter for the IP address of 66.32.119.38 to see if any events have
been logged about this activity.

From the output it certainly does look like an Indicator of Compromise (IoC) because a suspicious
file was downloaded from the IP address of 66.32.119.38.

Part 5. Investigate an Indicator of Compromise (IoC) using SGUIL

1. To investigate further open sguil database to view the original logs and filter by the IP address of
66.32.119.38 to get an idea of the time it occurred.

2. To start the investigation, open SGUIL:

sguil.tk

or double-click on the SGUIL icon on the desktop.

Make sure you select the interface ens33 before starting Squil as shown below:
3. Click on Query > Query by IP , and type in the IP address of 66.32.119.38 , then click on
Submit to apply the filter.

Select the Show Packet Data to view the raw data and Show Rule to look at the Snort
rule that triggered the alert.
4. To view more details about the potential malicious file, do a ctrl+right mouse click on the first
PE EXE or DLL event's Alert ID and click on Transcript :

5. From this transcript you can see a document file name and can indeed see that there was an
executable file that has potentially two file extensions ( .EXE and .DOC ) to try and fool the end
user into thinking it is a word document extension.
At this point you can extract the file for further analysis. NOTE: this file could be malicious and should
only be extracted on an isolated system.

6. The file can be extracted by using WireShark or NetworkMiner. To use WireShark do a


ctrl+right mouse click on the first PE EXE or DLL event's Alert ID and click on
WireShark .
7. After opening WireShark, right-mouse click on the first packet, scroll down to follow and click on TCP
stream.

This will piece all the packets together and display the ASCII contents in the packet.

8. To extract the file, change the data type to RAW and click on Save as .
9. Once the file is extracted it is a matter of using your favourite tools to analyse for malware. A quick way
is to generate a hash of the extracted file and upload to tracker sites like Virus Total to see if the hash
has been seen before.
NOTE: This is a public service, do not upload files that may contain company sensitive material.

Part 6. Review an Indicator of Compromise (IoC) using Kibana

Another tool, that comes with Security Onion worth a mention is Kibana. Kibana is an open source tool you
can use to query the Elasticsearch database and display the results visually in a dashboard.

1. To open Kibana:

firefox https://localhost/app/kibana

or double-click on the Kibana icon on the desktop.

The malicious activity that was discovered above occurred around 3:43 GMT time. With this
information, we can now focus on this time.

2. After opening Kibana, click on dashboard, restrict the time and date, and view events related to files.
And you can see that a file was downloaded during that time period.

Conclusion

So in a short amount of time, using Security Onion you were able to analysis a packet capture for an
Indicator of Compromise or malicious activity, extract a suspicious file and determine that the file was
indeed malicious.

With more practice, you should find that Security Onion is a valuable resource when it comes to network
forensics and analysing packet captures, SNORT alerts and other logs.

https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionWalkthrough

You might also like