Security Onion: A First Look
1. Installation
Download the signing key: wget https://raw.githubusercontent.com/Security-Onion-Solutions/security-onion/master/KEYS
Import the signing key: gpg --import KEYS
Download the signature file for the ISO: wget https://github.com/Security-Onion-Solutions/security-onion/raw/master/sigs/securityonion-16.04.6.3.iso.sig
Download the ISO image: wget https://download.securityonion.net/file/Security-Onion-16/securityonion-16.04.6.3.iso
Verify the downloaded ISO image using the signature file: gpg --verify securityonion-16.04.6.3.iso.sig securityonion-16.04.6.3.iso
Once the ISO has passed verification, you can install it as a VMware image and deploy the system.
Clean apt list repository: rm -rf /var/lib/apt/lists/*
Update package list: apt-get update
Install software-properties-common if necessary: apt-get -y install software-properties-common
Add the Security Onion stable repository: add-apt-repository -y ppa:securityonion/stable
Update package list: sudo apt-get update
Install the securityonion-all metapackage: apt-get -y install securityonion-all syslog-ng-core
Run the Setup wizard (you can replace sosetup with sosetup-minimal if you prefer the minimal configuration): sudo sosetup
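The verification step above deserves a closer look: gpg --verify exits 0 and prints "Good signature" for any key in your keyring, so after importing KEYS you also want to confirm that the signature was made by the fingerprint you expected, not just by some key. The following added example (my own script, not part of the Security Onion documentation) wraps gpg's machine-readable status output in a verify_signed_file function that pins the signer's fingerprint, and includes a self-contained demo that generates a throwaway key, signs a constructed file, and shows that both a tampered image and a signature from an unexpected key are rejected. For the real ISO, the EXPECTED_FPR argument is a placeholder that must come from a trusted source such as the project's documentation; it is not given here.

```shell
#!/bin/sh
# Added example, not from the Security Onion docs.
#
# verify_signed_file SIG FILE EXPECTED_FPR
#   Returns 0 only when gpg reports a VALIDSIG line carrying EXPECTED_FPR
#   (40-hex-digit fingerprint); returns 1 for a bad signature, an unknown
#   key, or a valid signature from a different key.
verify_signed_file() {
    sig=$1; file=$2; expected_fpr=$3
    # --status-fd 1 sends "[GNUPG:] ..." status lines to stdout so they can be
    # matched reliably; the human-readable messages on stderr are discarded.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    # VALIDSIG is only emitted for a cryptographically good signature; we also
    # require the fingerprint field to match the one we were told to trust.
    case "$status" in
        *"[GNUPG:] VALIDSIG $expected_fpr "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Self-contained demo using a throwaway keyring and a constructed "image".
# Prints: good=0 tampered=1 wrongkey=1
run_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Throwaway signing key (hypothetical identity, never used for anything real).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign 0 >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')

    iso="$GNUPGHOME/image.iso"; sig="$iso.sig"
    printf 'constructed iso contents\n' > "$iso"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign -o "$sig" "$iso" 2>/dev/null

    # 1. Untampered file, expected key: accepted.
    if verify_signed_file "$sig" "$iso" "$fpr"; then good=0; else good=1; fi
    # 2. Same good signature, but we expected a different key: rejected even
    #    though gpg itself would print "Good signature".
    if verify_signed_file "$sig" "$iso" 0000000000000000000000000000000000000000; then wrongkey=0; else wrongkey=1; fi
    # 3. Append one byte to the image: signature no longer matches.
    printf 'x' >> "$iso"
    if verify_signed_file "$sig" "$iso" "$fpr"; then tampered=0; else tampered=1; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    echo "good=$good tampered=$tampered wrongkey=$wrongkey"
}

# Real-world use, once EXPECTED_FPR has been obtained from a trusted source:
#   verify_signed_file securityonion-16.04.6.3.iso.sig securityonion-16.04.6.3.iso "$EXPECTED_FPR"
```

The case pattern matches on the VALIDSIG status line rather than on the localized "Good signature" text, which is what makes the check robust in scripts; the trailing space after the fingerprint in the pattern prevents a shorter expected value from matching a prefix of a longer one.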
Relevant Link:
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
https://securityonion.readthedocs.io/en/latest/quick-iso-image.html
https://securityonion.readthedocs.io/en/latest/installing-on-ubuntu.html
https://securityonion.readthedocs.io/en/latest/post-installation.html
2. Deployment Architecture
0x1:High-Level Architecture Diagram
0x2:Detailed Data Flow Diagram
0x3:Deployment Types
1. Distributed
- Recommended deployment type
- Consists of a master server, one or more forward nodes, and one or more storage nodes.
2. Heavy Distributed
- Recommended only if a standard distributed deployment is not possible.
- Consists of a master server, and one or more heavy nodes.
3. Standalone
- Not recommended for monitoring high-throughput links
- Consists of a single server running master server components, sensor, and Elastic stack components.
0x4:Node Types
- Elasticsearch
- Logstash
- Kibana
- Curator
- Elastalert
- Redis (Only if configured to output to a storage node)
- OSSEC
- Sguild
- CapME
- CyberChef
- Squert
1. Elasticsearch
2. Logstash
3. Kibana
4. Curator
5. CapME
CapME is a web interface that allows you to:
- view a pcap transcript rendered with tcpflow
- view a pcap transcript rendered with Bro (especially helpful for dealing with gzip encoding)
- download a pcap
6. CyberChef
CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like:
- XOR
- Base64
- more complex encryption like AES, DES and Blowfish
- creating binary and hexdumps
- compression and decompression of data
- calculating hashes and checksums
- IPv6 and X.509 parsing
- changing character encodings
- and much more.
The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms.
It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer.
7. Squert
Relevant Link:
https://securityonion.readthedocs.io/en/latest/installing-on-ubuntu.html
https://securityonion.readthedocs.io/en/latest/analyst.html
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)&input=VTI4Z2JHOXVaeUJoYm1RZ2RHaGhibXR6SUdadmNpQmhiR3dnZEdobElHWnBjMmd1
https://securityonion.readthedocs.io/en/latest/networkminer.html
https://securityonion.readthedocs.io/en/latest/sguil.html
https://securityonion.readthedocs.io/en/latest/squert.html
https://es-cn-v641g353c000f3ijq.kibana.elasticsearch.aliyuncs.com:5601/app/kibana#/home/tutorial/windowsEventLogs?_g=()
https://es-cn-v641g353c000f3ijq.kibana.elasticsearch.aliyuncs.com:5601/app/ml#/datavisualizer_index_select?_g=(refreshInterval:(pause:!f,value:30000),time:(from:now-15m,to:now))