
A First Look at Security Onion

1. Installation

Download the signing key:
wget https://raw.githubusercontent.com/Security-Onion-Solutions/security-onion/master/KEYS

Import the signing key:
gpg --import KEYS

Download the signature file for the ISO:
wget https://github.com/Security-Onion-Solutions/security-onion/raw/master/sigs/securityonion-16.04.6.3.iso.sig

Download the ISO image:
wget https://download.securityonion.net/file/Security-Onion-16/securityonion-16.04.6.3.iso

Verify the downloaded ISO image using the signature file:
gpg --verify securityonion-16.04.6.3.iso.sig securityonion-16.04.6.3.iso
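Added example (not from the original post or the Security Onion project): a POSIX shell wrapper for the verification step above. A zero exit status from gpg --verify only says that some key in your keyring produced a good signature, so the wrapper also parses gpg's machine-readable status output and requires that the VALIDSIG line names the expected signing-key fingerprint. EXPECTED_FPR is a placeholder to be taken from the imported KEYS file, and the SAMPLE_* status lines are constructed, not real gpg output.

```shell
#!/bin/sh
# Placeholder: replace with the fingerprint of the key you imported from KEYS
# (gpg --show-keys KEYS) after comparing it with the project's documentation.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Parse gpg --status-fd output ($1) and succeed only when a GOODSIG is present
# and the VALIDSIG line's primary-key fingerprint (last field) equals $2.
check_gpg_status() {
    st="$1"; want="$2"
    printf '%s\n' "$st" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$st" | awk -v want="$want" '
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run the real verification: status lines go to stdout (fd 1), human-readable
# messages to stderr; a failed gpg run or a wrong signing key both return 1.
verify_iso() {
    sig="$1"; iso="$2"
    st=$(gpg --status-fd 1 --verify "$sig" "$iso" 2>/dev/null) || return 1
    check_gpg_status "$st" "$EXPECTED_FPR"
}

# Constructed sample status output for demonstration only.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1234567890ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2019-01-01 1546300800 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1234567890ABCDEF Example Signer <signer@example.invalid>'

if check_gpg_status "$SAMPLE_GOOD" "ABCDEF0123456789ABCDEF0123456789ABCDEF01"; then
    echo "sample: good signature from the expected key"
fi
# Real use: verify_iso securityonion-16.04.6.3.iso.sig securityonion-16.04.6.3.iso
```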

Once the ISO verifies, you can install it as a VMware image and deploy the system.

Clean apt list repository:
rm -rf /var/lib/apt/lists/*

Update package list:
apt-get update

Install software-properties-common if necessary:
apt-get -y install software-properties-common

Add the Security Onion stable repository:
add-apt-repository -y ppa:securityonion/stable

Update package list:
sudo apt-get update

Install the securityonion-all metapackage:
apt-get -y install securityonion-all syslog-ng-core

Run the Setup wizard (you can replace sosetup with sosetup-minimal if you prefer the minimal configuration):
sudo sosetup

Relevant Link: 

https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
https://securityonion.readthedocs.io/en/latest/quick-iso-image.html
https://securityonion.readthedocs.io/en/latest/installing-on-ubuntu.html 
https://securityonion.readthedocs.io/en/latest/post-installation.html

 

2. Deployment Architecture

0x1:High-Level Architecture Diagram

0x2:Detailed Data Flow Diagram


0x3:Deployment Types

1. Distributed

  • Recommended deployment type
  • Consists of a master server, one or more forward nodes, and one or more storage nodes.

2. Heavy Distributed

  • Recommended only if a standard distributed deployment is not possible.
  • Consists of a master server, and one or more heavy nodes.

3. Standalone

  • Not recommended for monitoring high-throughput links
  • Consists of a single server running master server components, sensor, and Elastic stack components.

 

0x4:Node Types

  • Elasticsearch
  • Logstash
  • Kibana
  • Curator
  • Elastalert
  • Redis (Only if configured to output to a storage node)
  • OSSEC
  • Sguild
  • CapME
  • CyberChef
  • Squert

1. Elasticsearch

2. Logstash

3. Kibana

4. Curator

5. CapME

CapME is a web interface that allows you to:

  • view a pcap transcript rendered with tcpflow
  • view a pcap transcript rendered with Bro (especially helpful for dealing with gzip encoding)
  • download a pcap

6. CyberChef

CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include:
  • simple encoding like XOR or Base64
  • more complex encryption like AES, DES and Blowfish
  • creating binary and hexdumps
  • compression and decompression of data
  • calculating hashes and checksums
  • IPv6 and X.509 parsing
  • changing character encodings
  • and much more.

The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms.

It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer.

 

7. Squert

Relevant Link: 

https://securityonion.readthedocs.io/en/latest/installing-on-ubuntu.html
https://securityonion.readthedocs.io/en/latest/analyst.html
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)&input=VTI4Z2JHOXVaeUJoYm1RZ2RHaGhibXR6SUdadmNpQmhiR3dnZEdobElHWnBjMmd1
https://securityonion.readthedocs.io/en/latest/networkminer.html
https://securityonion.readthedocs.io/en/latest/sguil.html
https://securityonion.readthedocs.io/en/latest/squert.html
https://es-cn-v641g353c000f3ijq.kibana.elasticsearch.aliyuncs.com:5601/app/kibana#/home/tutorial/windowsEventLogs?_g=()
https://es-cn-v641g353c000f3ijq.kibana.elasticsearch.aliyuncs.com:5601/app/ml#/datavisualizer_index_select?_g=(refreshInterval:(pause:!f,value:30000),time:(from:now-15m,to:now))