Security Onion 설치

 

Security Onion 설치

Security Onion Video Playlist 정리

 

* 참고용 동영상 - 라이브이미지 제작자가 설명하는 자료인데, 짧게 IDS 이벤트 및 패킷 분석 방법 등을 볼 수 있음.

 

출처: <https://code.google.com/p/security-onion/wiki/Videos>

 

1. Install
2. Advanced setup

Eth0 - management

Eth1 - monitor

 

Standalone

Snort

GPL

Eth1

Enable ids engine

Enable bro

Enable http

Dis aruis

Ena prad

Full packet capture

Enable salt

Enable elsa

Sudo salt '*' test.ping

Sudo salt '*' cmd.run 'service nsm status'

 

3. Update

Sudo soup

 

4. 해상도 변경

Xrandr

Xrandr -s 1024x768

 

5. Tcp replay(Pcap 파일 replay)

sudo tcpreplay -ieth1 -M10 /opt/samples/markofu/honeynet_suspicious-time.pcap

more /nsm/bro/logs/current/conn.log

sudo tcpreplay -ieth1 -M10 /opt/samples/markofu/outbound.pcap

sudo tcpreplay -ieth1 -M10 /opt/samples/markofu/jackcr-challenge.pcap

sudo tcpreplay -ieth1 -M10 /opt/samples/markofu/netforensics_evidence0*

 

6. Snorby

Event > Packet capture option > custom > fetch packe>> capME - capture 된 패킷에서 의심되는 IP를추출함.

Search > src IP or dst ip 로 의심가는 IP를 검색

7. Squert

Filter > 의심되는 IP를 검색 'IP 221.54.197.32'

Filter > 의심되는 IP를 검색 'Ip 172.16.150.20'

Sudo vi /var/www/squert/.inc/config.php --> sguil 설정에 사용자, 암호 입력

Queue 에서 'TX' 클릭

8. Sguil

21번 포트로 정렬 더블클릭 패킷덤프 나옴

우클릭 Quick query>query sancp table>query dstIP

CNX ID 우클릭> wireshark > follow tcp stream > Save as > ..out.rar

트래픽재생을 통해서 파일 추출

Asdf

Sguil에서 Exe 찾은 뒤 wireshark > file > export > object > http

Sguil 에서 exe 이벤트 찾은 뒤 network miner > files > open

 

9. Elsa

Add term > BRO_!!!!

 

10. OSSEC and ELSA

Server 추가 설치

 

Dis salt