In this lecture I will introduce Security Onion to you and explain briefly how we will work with it through our lectures in this course.

So Security Onion is a distribution of Linux intended to support security analysts with a suite of tools for network security monitoring, including intrusion detection, network security monitoring and log management. The Security Onion distribution is based on the Ubuntu Linux OS and contains several useful security tools that deal with the following data types.

Alert data that indicates a possible attack or malicious activity and includes HIDS alerts from OSSEC and NIDS alerts from Snort or Suricata. Asset data from Bro. Full content data such as full packet captures from netsniff-ng, which records all the network traffic packet by packet at specific network locations.

Host data via Beats, OSSEC, Syslog and more. Session data from Bro, which is summary data that is associated with network conversations.

Transaction data that is more than session data but less than full packet captures, since it gives you the details that are associated with the requests and responses. These include HTTP, FTP, DNS, SSL and other logs from Bro.

So first in this course you will create the VM for Security Onion in VirtualBox and configure its settings, and then we will download the ISO image of Security Onion. Then we will install the operating system, run the Security Onion setup to install the tools, update the software and install the Linux Guest Additions for better integration with the host operating system and better performance. And finally we will learn about how to take snapshots of our VM so that we can revert back to them if something goes wrong, or to revisit a previous lecture and practice again with it, and I recommend that you take a snapshot after each lecture while you follow me with your practicing. In fact I have used that while preparing and recording this course.

Then we have to analyze pcap files, which you can find samples of included with Security Onion or download from the Internet, and I will show both ways to you, and how to import or replay those files. We can use either the tcpreplay command, which changes the timestamps of the resulting logs to the date of running the command, or we can use the so-import-pcap script, which will preserve the original timestamps.

And then we will work with security information and event management products that provide centralized log management. So first we will learn about ELSA, which will be end of life soon.

But I found it very useful to learn how to use it, and then we will upgrade to Kibana and learn about it.

And for NSM, or network security monitoring, we will use Sguil so that we can see alerts coming from Snort, for example, categorize those events and pivot into other tools, and we can also use Squert, which acts as the web-based version of Sguil. So in this lecture I have introduced Security Onion to you and explained briefly how we will work with it through our lectures in this course.