Did you know Security Onion includes our own custom web interfaces for Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Administration?

Yesterday, we talked about how Security Onion is built BY defenders FOR defenders:

https://blog.securityonion.net/2024/09/did-you-know-security-onion-is-built-by.html

As defenders, we built the platform that we've always wanted! This includes our own custom web interfaces for Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Administration. These interfaces are streamlined and integrated to make you more effective and efficient as a defender!

Alerts:

Dashboards:

Hunt:

Cases:

Detections:

PCAP:

Grid Health:

Configuration:

Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) with FTP EXFIL PCAP from 2024-09-17

Thanks to Brad Duncan for sharing this pcap from 2024-09-17 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.

We did a quick analysis of this pcap on the NEW Security Onion 2.4.100:

https://blog.securityonion.net/2024/08/security-onion-24100-now-available.html

If you'd like to follow along, you can do the following:

• install Security Onion 2.4.100 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using the SOC Grid interface:
  https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner
• optionally enable the DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net

Screenshots

First, we start with the overview of all alerts and logs:

Next, we look at just the NIDS alerts generated by Suricata:

Let's drill into the Snake keylogger alert:

This looks interesting so let's pivot to PCAP:

We can switch to ASCII transcript to make it more readable:

Now let's review the protocol metadata provided by Zeek:

We start with the Software dashboard where we see an interesting browser user agent string:

Next, let's review the X.509 dashboard:

and the associated SSL/TLS dashboard:

Next, we'll look at the DNS dashboard:

Looking at the HTTP dashboard, we see the interesting browser user agent we saw earlier on the Software dashboard:

Looking at the Files dashboard, we can see files being transferred by both HTTP and FTP:

Let's review the FTP dashboard. Here we see a couple of files being transferred:

At the bottom of the FTP dashboard, we can see the 2 FTP STOR transactions where files are being exfiltrated:

If we pivot to PCAP, we can see the FTP CONTROL channel:

To see the FTP DATA channel, we can switch to the Connections dashboard:

Pivoting to PCAP, we see one of the exfil files contains the user's browser cookies:

And the second exfil file contains the user's saved passwords:

Did you know Security Onion is built BY defenders FOR defenders?

In 2008, Doug Burks started the Security Onion project to help his fellow defenders. He is former Deputy CSO of Mandiant, former CISO of Morris Communications, and has been doing detection and response since the early 2000s for Department of Defense, Department of Energy, and several private companies in various industries. In 2010, he became SANS GSE #24:

https://blog.securityonion.net/2010/10/congratulations-to-latest-sans-gses.html

https://www.giac.org/certified-professional/Doug-Burks/117421

Today, our engineering team has several collective decades of defensive experience and we use that experience to build the platform that we always wanted as defenders. In addition, our instructors use their experience as defenders when teaching our classes and our support team uses their experience as defenders when supporting our customers.

From all our defenders to all of you defenders out there, thanks for what you do and happy hunting!

10% Discount for Security Onion Pro for a Limited Time Only!

We recently celebrated the 10th birthday of Security Onion Solutions by announcing Security Onion Pro!

https://blog.securityonion.net/2024/07/celebrating-10-years-of-security-onion.html

As we continue to celebrate our 10th birthday, we'd like to offer you a special gift! 

Here's a 10% discount code for new purchases of Security Onion Pro:

SOPRO-20240923

Please note:

• This discount is for new purchases of Security Onion Pro only.
• This discount is only valid through November 15, 2024.
• This discount is not valid with any other discount or offer.

For more information about how you can take your game to the next level with Security Onion Pro, please see https://securityonion.com/pro.

For more details and to reach out to our Sales team, please go to https://securityonion.com/pro, click the Purchase Pro button, and make sure you mention the discount code above!

Did you know Security Onion scales from small virtual machines all the way up to large enterprise deployments of hundreds of nodes and thousands of endpoint agents?

A minimal Security Onion installation is an IMPORT installation and can be used to import PCAP or EVTX files in a minimal VM with as little as 4GB RAM:

On the opposite end of the architecture spectrum, a distributed deployment consists of:

•  a manager node
• one or more forward nodes running Suricata and Zeek to analyze network traffic and generate NIDS alerts and protocol metadata logs
• one or more search nodes running Elasticsearch to store and search logs
• optional receiver nodes for load balancing and pipeline redundancy
• optional Intrusion Detection Honeypot (IDH) nodes for deception

This is a scalable model and can support hundreds of nodes and thousands of endpoints running the Elastic Agent.

For more information, please see the Architecture section of our documentation:

https://docs.securityonion.net/en/2.4/architecture.html

Did you know Security Onion works on both Internet-connected and airgap networks?

Did you know Security Onion works on both Internet-connected and airgap networks? Our ISO image includes everything you need to run without Internet access. Make sure that you choose the Airgap option during Setup:

If your network has Internet access but has overly restrictive proxies, firewalls, or other network devices that might prevent Security Onion from connecting to certain Internet sites, then you may want to consider the Airgap option as everything will install from the ISO image itself.

For more information, please see the Airgap section of our documentation:

https://docs.securityonion.net/en/2.4/airgap.html

Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) INFECTION, SMTP EXFIL pcap from 2024-09-16

Thanks to Brad Duncan for sharing this pcap from 2024-09-16 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.

We did a quick analysis of this pcap on the NEW Security Onion 2.4.100:

https://blog.securityonion.net/2024/08/security-onion-24100-now-available.html

If you'd like to follow along, you can do the following:

• install Security Onion 2.4.100 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using the SOC Grid interface:
  https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner
• optionally enable the DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net

Screenshots

First, we start with the overview of all alerts and logs:

Next, let's look at just the Alerts:

Let's drill into the Snake alert:

Now let's pivot to PCAP to see that entire TCP stream:

We can switch to ASCII transcript to make it a little more readable:

Now let's review the protocol metadata:

We'll start with X.509 certificates:

Next, we look at the related SSL/TLS connections:

Here are the DNS lookups:

Next, we can look at all of the connections:

Here are the HTTP transactions related to the Snake alert we saw in the beginning:

Finally, let's review SMTP transactions:

Pivoting to PCAP, we can see usernames and passwords being exfiltrated via SMTP:

In the second PCAP, we can see session cookies being exfiltrated via SMTP:

Did you know that Security Onion performs comprehensive analysis on both IT and OT (ICS/SCADA) networks?

Security Onion started back in 2008 primarily focused on traditional IT networks. However, in 2022, we added support for LOTS of different ICS protocols:

https://blog.securityonion.net/2022/12/security-onion-23190-now-available.html

Here's a screenshot showing the list of ICS dashboards included in our current version:

Did you know that Security Onion provides both network AND host visibility?

Security Onion started in 2008 as a Network Security Monitoring (NSM) platform. Over the years, more and more of our network traffic has become encrypted. That's a good thing for privacy but it makes our jobs as defenders a little more difficult. To fill in those blind spots, we've spent the last several years making sure that Security Onion is equally as powerful on the host side as it is on the network side. Here's a diagram showing an overview of Security Onion consuming not just network traffic from your taps or span ports but also logs from your endpoints:

The following screenshot shows a comprehensive Security Onion deployment that does both network monitoring and host monitoring as well:

Security Onion includes a complete set of dashboards for each of those different kinds of endpoint data:

The Elastic Agent Overview dashboard gives you an overview of the comprehensive telemetry that is provided by the Elastic Agent when installed on your servers, desktops, and laptops:

You can read more about our endpoint capabilities in the Host Visibility section of our documentation:

https://docs.securityonion.net/en/2.4/host.html