The architecture of security onion is designed to be deployed in different ways, its components master server, forward nodes and storage nodes, can be deployed in a distributed manner or in standalone mode. for this course, we will use the standalone mode that combines all the components in a box.

Advanced configuration Process:

Once the network configuration is finished we now start the configuration of Elastic capabilities which are the detection and monitoring tools included in Security Onion.

In the picture above we can see the different tools that are going to be installed in Onion, we press in “Yes, Continue”, After that, the Wizard setup  will request if we want to configure the network interfaces again, we click “skip the network configuration” to avoid this process:

After we skip the network configuration, the setup will show a warning  saying, the minimum requirements that are necessary for the correct performance of all the tools that are going to be installed.

We click in Continue and security onion will ask us on which mode we want to use a platform to start the services, we select evaluation mode which is recommended for the first try of the software, as we have already commented.  The evaluation mode allows you to deploy in standalone mode. The production mode is for advanced and distributed configurations, where we can separate the master, forward and storage node into several hosts.

Security Onion can run either Snort or Suricata as its Network Intrusion Detection System (NIDS). When you run Setup and choose Evaluation Mode, it will automatically default to Snort. If you choose Production Mode, you will be asked to choose whether you want to run Snort or Suricata:

After this, we must select which interface will be monitored

Once we select the interfaces that will be monitored, we have to create the first username for the system, this process can be seen in the picture below:

We select a password for our new user:

After we complete this process, Security Onion will display the list of the changes that are going to be executed over the system, we click in continue and accept the changes.

After this, the process will be complete, Security Onion will display some more windows that provide information about technical aspect related to the installation.

Post-Configuration Information:

• 
• 
• 
• 
• 

Now the Network Intrusion Detection System (NIDS) starts a monitoring network traffic task looking for specific activity and generating alerts. The next step is to recreate some traffic using the .pcap files available in /opt/samples/bro directory.

Introduction

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes.

How does Security Onion work?

Security Onion is built on a modified distributed client-server model. In the past, Security Onion relied solely on the use of a “sensor” (the client) and a Security Onion “server” (the server). With the inclusion of the Elastic Stack, the distributed architecture has since changed, and now includes the use of Elastic components and separate nodes for processing and storing Elastic stack data.

This means that a standard distributed deployment is now comprised of the master server, one or more forward nodes (previously called a sensor — runs sensor components), and one or more storage nodes (runs Elastic components). This architecture is ideal; while it may cost more upfront, this architecture provides for greater scalability and performance down the line, as one can simply “snap in” new storage nodes to handle more traffic or log sources.

Reference https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture

Reference https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture

In the image above we can see the architecture of a Security Onion Instance, this can be deployed in a distributed or standalone way. For our Lab, we will set up and use standalone mode which combines the functions of a master server, forward node, and storage node.

Reference https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture

In a standalone mode, the deploy consists of a single server running master server components, sensor, and Elastic stack components.

 

Technical Aspects of Security Onion:

As a Linux distribution based on Ubuntu, Security Onion contains several tools of security like Suricata, Snort, Bro, CapME, Squert, NetworkMiner, Wireshark, ELSA ( which are now Logstash + Kibana) and some others, all these tools are integrated in the system, the use of these features is quite easy to set up due to the complementation configurated for them is relatively easy to pivot between each one of them.

The principal objective of these tools is the detection of intrusions and monitoring the process of the network by keeping special attention over the security events within the network. Now to understand a little better the functions of each tool, we have to describe a few one of them which are the most used or relevant tools included in Security Onion:

OSSEC/HIDS:

OSSEC is a host intruder detection system, the technical characteristics of this tool are the following:

• Rootkits Detection
• Active response and notification in real time
• System architecture based on a centralized service hosted by a server and several agents installed in the devices that need to be monitored.
• Files verification system

Bro Security Monitor:

Bro Network monitor is a framework which is used for network monitoring activities, the technical characteristics of Bro monitor can be listed as:

• Bro monitor includes features that can be used to scan the most common network protocols.
• The information can be gathered in a database and can be consulted through ELSA or Logstash, which complements the information at the time that alerts need to be analyzed.
• The tool can be used to monitor the network activity and generates active logs for TCP/UDP connections, network services, and software tools detected that affect the network, DNS requests, SSH petitions, SSL certificates integrity, HTTP activity and FTP shared services.

SNORT/NIDS:

Snort IDS are based on an Open-Source software, the technical aspects of Snort can be listed as:

Functioning process:

• Sensors which can capture network packets
• Features which handled the normalization of the traffic
• The tool detects threats and attacks and generates alerts for the administrators
• The results of the threats captured are compared with previous patterns and rules created by the administrators to handle the threats
• The scanning process can be switched to Suricata
• The rules included in the detection scheme are updated automatically through a function called pulled-pork

Sguil:

Sguil is a console system which can be used for security analysis, the technical aspects of Sguil can be described as:

• Sguil posses a graphic interface which allows the access to the security alerts, the data capture, and the session data.
• Sguil posses integrated tools like  CapMe, Network Miner and Wireshark
• All the alerts inform the context which has produced the initial error.

Here is a picture demo of the system that shows the event logs:

Squert:

Squert can be described as a web application which can serve to visualize events and posses the following characteristics:

• Squert posses an analyst console which complements with Sguil
• Squert import information about the context of alerts, group of events and creates a timeline to follow each aspect of them
• It shows the Sguil database but it shows a different perspective of the data.

Elasticsearch

Elasticsearch is a distributed, RESTful search and an analytic engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected.

reference https://github.com/Security-Onion-Solutions/security-onion/wiki/Elasticsearch

Logstash

Logstash is an open source, server-side data processing pipeline that ingests data from a multitude of sources. It  simultaneously transforms it, and then sends it to your favorite “stash”.

reference https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash

Kibana

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers.

reference https://github.com/Security-Onion-Solutions/security-onion/wiki/Kibana

As we have seen, Security Onion is built under a set of tools, each with a specific function.  We will see how to install Security Onion and also explore each of the tools described in this lesson.

Try Certified Ethical Hacker for FREE!!!– https://infosecaddicts.com/course/certified-ethical-hacker-v10/

You’ll often find yourself looking for things. Here are some useful tips for just that. There are some commands that have proven useful for finding things in Linux.

find is a popular command line tool that searches for files in the directory hierarchy. The command searches the current directory and recursively searches subdirectories for the supplied criteria.

The -name argument allows you to find specific patterns of information. Of note, find is case sensitive so use -iname to avoid missing what you are looking for.

find . -name file

locate is a very fast way of searching for files on disk rather than searching for file paths on the system. By default, locate does not check if files still exist in the respective database. To update the database that locate searches, update with the updatedb command. Locate a file on the Strategic Security Ubuntu VM. Using locate without any options will bring up results that contain the keyword.

Let’s locate the file r00kies. This file will need to be created for this example using the touch command. Use the touch command to create 3 different files with r00kies in the name. Make sure to update the database after these files are created using sudo updatedb.

This shows us 3 files, but we only wanted the r00kies files. Let’s use the -b option to search exactly what we want. The backslash disables the implicit replacement of “r00kies” by “*mydata*” so you end up with only what we are looking for.

locate -b ‘\r00kies’

whereis searches for binary files, source files, and man pages. This is useful when determining a file is executed from. To only show the executable only, use the -b option.

whereis firefox

whereis -b firefox

which command helps in returning the absolute path of the executable that is called. This makes creating shortcuts a bit easier. By default which only shows the first matching executable. To display all results use the -a option. Only the current user’s PATH variable are searched.

which firefox

Reference(s):

http://www.thegeekstuff.com/2009/03/15-practical-linux-find-command-examples/

http://www.howtogeek.com/112674/how-to-find-files-and-folders-in-linux-using-the-command-line/

If you are interested in learning more, we invite you to review this course.

Try Certified Ethical Hacker for FREE!!!

Linset is a tool of Spanish origin for that reason we have some screenshot in Spanish.

If you are one of the people who like to test the security of wireless networks, Wifislax is the Linux distribution that will help you a lot. In this blog, we will show you one of the tools that are integrated.

The first thing we have to do is to download Wifislax.

Download links:

LINK1 FTP OFICIAL: http://www.downloadwireless.net/isos/wifislax64-1.0-final.iso

LINK2 MEDIAFIRE: http://www.mediafire.com/file/25rsmyz449g2csc/wifislax64-1.0-final.iso

LINK3 MEGA:  https://mega.nz/#!jsglSLxb!bZgdN7yeWvL2-xzPv7-15FOHf8FHnH6lWvCNogy2hTQ

DRIVER NVIDIA: http://www.mediafire.com/file/zoaebscconl6xrv/Driver_NVIDIA-367.57_wifislax64-x86_64-8sw.xzm

DRIVER AMD: http://www.mediafire.com/file/l422ezur7z2b61o/Driver_AMD-15.12_wifislax64-x86_64-8sw.xzm

After the download, you can install them as a virtual machine or in a pen driver, At the moment of initiating Wifislax we will have the following option, we select Run whit smp kernel, and enter

Select wifislax with KDE Desktop and enter.

Let’s hope that Wifislax does not show its desktop environment

If you have wifislax installed as a virtual machine, you must connect a wifi antenna and it can be a USB and you have to configure VirtualBox or VmWare to recognize your Wifi Usb card.

Now we click on linset as shown in the following image.

At this moment we have our tool ready to use.

The first thing that is asked is what adapter do we want to use? But in this case, we only have one option, so we press the 1 key and enter.

Then it asks us if we want all the channels or a specific channel. Take option one to analyze all the channels.

As you can see we are already scanning the WiFi networks that our antenna can capture.

For this case we will take the network called INFOSECADDICTS.

We close the scanning window to get the other options

we choose option 1

We select option 1 to perform a massive de-authentication of the AP

we have captured the handshake

we choose option 1 which corresponds to a neutral interface.

we select the English language

Now we just have to wait for the user to connect so that linset will ask for the password.

below we have the screenshot of the experience of a normal user connected to the network.

We have cloned the AP automatically as shown in the following image.

As soon as a user connects, we can see which sites he is consulting.

Now you are forcing him to write the password again.

Bingo, we have captured the password. we can already use metasploit or any other tools to compromise the connected devices in the network.

Resources:

https://www.wifislax.com/

Try Certified Ethical Hacker for FREE!!!– https://infosecaddicts.com/course/certified-ethical-hacker-v10/