To The Homelab Show, episode 42: Security Onion. We're going to peel back the layers of Security Onion and tell you why it's an awesome project, but not for the faint of heart. It's also a rabbit hole that you'll spend way too much time obsessing over, because it's amazing, and the more insight you get into how network engineering works, the more you like this product. It really is a lot of fun. It really will tickle the network engineer in you. I hope so. I have not done any video yet; it is on my to-do list to put this on my YouTube channel. But don't worry: if you search for the actual Security Onion organization, the team themselves have a series of YouTube videos and talks on the product, so it's easy enough to go to their website and find all of that.

But before we dive deep into this, let's talk about a sponsor of the show, and that is still Linode. They still want to keep sponsoring the show, and they have thanked us for sharing the knowledge of Linode with all of you. We were actually just talking to them the other day, me and Jay, and they plan to continue the sponsorship. I guess enough of you have signed up that they find it worthwhile. So if you're looking for a place to host some of your applications and some of the fun projects we talk about here, do check out Linode. I mean, we know "The Homelab Show" sounds like it should all be in your lab, but your lab sometimes can't handle things, or doesn't have enough IP addresses, or you don't really want it inside your lab. Maybe you want to set up a honeypot, which, Jay, make a note of that: honeypots sound like a great episode, don't they? They really do. It's so much fun, especially since we were kind of just floating ideas, like forensics after something happens, and just looking at what people are doing or how they're getting in. Security is obviously a topic today, so yeah, that would be a fun topic for sure.
Yeah, I think we'll tackle that one as well. But thank you, Linode, for sponsoring, and for those of you who want to get signed up, there's an offer code down below in the links if you're watching this on YouTube, or you can of course find it on our website for the podcast. But thank you very much, Linode, for sponsoring the show, and let's dive into security again. Yes, let's do that. And let's also address the fact that we're at episode number 42, which is actually the answer to the great question. I just wanted to make sure no one thought I'd forget about that; I had to throw that in there for sure. Yes, you know, I thought about that too. It dawned on me once I typed it. I'm like, oh, it is episode 42, because we don't think about the episode number as much as we think about what the show is going to be about. I'm like, oh, the next one we should do security again. But then, oh, it's 42. We should have made it like a question-and-answers-to-life episode. It would have been a great Q&A, but we didn't have enough questions. Come on, guys, throw some questions at us. All right. Well, as I stated, their questions, that's actually for the forum, not to be answered necessarily right here. But we do love our Q&A episodes, and when there's enough questions in there, we'll be doing one soon. So, with that, let's talk about Security Onion first. What is it? It's an interesting conglomeration of open source tools.
So there's a lot of open source tooling in the space of network investigation, and that's specifically what Security Onion is for. So this would be looked at as an investigative tool, a SIEM tool, to monitor where all of your traffic is going, all the ins and outs, hunting for threats, diving deep in there, as in the tools that are used in securing and are the ones used by security analyst teams, a SOC. A SOC is what you've probably heard these teams referred to as, and what a SOC team does is they're always just watching all the traffic going around and going, is that a good piece of traffic or a bad piece of traffic? How do we analyze it? Or sometimes, when you know there's an endpoint with a problem, they want to know: all right, we know this endpoint is infected with something. Where did it go? How did that get there? What did it reach out and do? Did some data exfiltration happen? So there's a lot of different tools for doing this. Security Onion, and it started all the way back in 2008, is a collection of open source tools beautifully put together into one package with one installer. There is a lot of technology underneath the hood there, and they don't hide or obscure it; they do a great job of gluing it all together to make this work. So it's no small undertaking where they are.

So let's talk about a little bit of the background on it. It was originally called just Security Onion and then a version number, and this can be a little bit confusing, because you go, oh, version 16.04, because they were following the Ubuntu-style version numbers, because they were just based on Ubuntu. And then they retooled the entire stack, and now it's called Security Onion 2. Now it's not like it was 1.6.04.
I've seen a few people ask me about the confusion in the naming scheme. They went to just calling it Security Onion 2, and then they have a series of sub-version numbers after that. That's because one of the big things they did was they went to an entire container-based system on the back end. So all the different applications that they put together are all done as a series of Docker containers. This made it a lot easier for them to update, and if you look at the back-end engineering, they're using SaltStack. Have you ever used SaltStack, Jay? It's like the only configuration management tool I have yet to use. Okay, unfortunately. It's interesting if you start looking at it, and they did this for scalability. And I've talked to the people and the engineers at Security Onion, and they have Security Onion installs at very large enterprise companies. This is actually on par with some of the tools, and this is coming from someone who actually uses them: one of my friends used to use Security Onion at one company. That's where he learned to be a SIEM engineer (S-I-E-M engineer), to be able to understand things and start diving into networks. From there, he now works for a Fortune 500 company using QRadar, but he says, honestly, there are still things he misses about how the Security Onion system works compared to the way IBM's QRadar works, which is saying something, because they spend two million dollars a year licensing QRadar. So yeah, he knows the software. So you're getting some pretty serious tools here. All right, enough gloating about it. So hopefully that gives you a little bit of background on what it is. Now, what does it include? This is where it gets a little interesting. They have TheHive. I think it's called Strelka, Strelka, I'm not sure, S-T-R-E-L-K-A.
Grafana, Fleet, Playbook, Hunt, and then they also include Wazuh and Suricata. Now they have really solid documentation that lets you dive into the details of each of these. But what all these tools give you together is a couple of different possibilities with Security Onion. You have the ability to first set up a full... well, before we say full tap, let's actually scoot back before I skip over something. What does Security Onion run on? That is probably the thing I should address right away, as I always skip that in my notes here. You really should run this on bare metal. Is it possible to load it in a VM? Yes, for testing purposes. One of the requirements for Security Onion, though, is to be able to really access these network interfaces. I have gotten it to work in a VM. It requires sometimes some Googling and some troubleshooting, but it's best designed to run as an independent piece of hardware that you load the software directly onto. The reason for this, and now we can get into where it sits on your network, is one of the primary use cases you'll have. Now, I'll talk about standalone mode in a moment, but the primary use case, the way it's going to be implemented in the commercial world, is you're going to set up a port mirror. And what a port mirror is, or a port tap depending on how you want to label it and depending on what your switch calls it, is you want to take all the data from your network and mirror it. So it's like tapping and sniffing all the network data, all the ins and outs of your network, and you're doing this by taking it at your WAN side and mirroring all that data out. This is what gives it that visibility to see into your network.
I can't remember if I've done a couple of port tap videos or not; they're not hard to set up. I've talked about it in my live stream, but you can Google how to set those up. Most of your managed switches support it, whether it's UniFi, Cisco, Meraki, Mikrotik; most any company has the ability to mirror that traffic. Then you take that traffic mirror and you just run one network cable over, generally speaking, from that mirrored port. And that's how Security Onion, when you're setting it up (it should have multiple network interfaces), ingests all the data. It's like a fire hose just blasting all the IP data at it, and then it has all the tools to parse and sort that data. But that's only one use case for it. The other use case, where you can also get more intelligence, is when you have tools like Wazuh. Now Wazuh itself is probably an episode if I get around to it. It's a really neat open source management tool that gives you a lot of security insight into any individual host, and that can also be tied, again, to Security Onion. What each of these are doing is creating pivot points of data. So we have the full fire hose stream of all the network traffic, and we know by IP address what host that may have come from, but then we can get even deeper insights with something like Wazuh. So you can set up these telemetries where Wazuh is loaded as an agent on each of the nodes, and I believe Wazuh has full Windows support as well, so you can collect data from more than just your Linux devices and pipe that in as well. The goal of all of this is to create correlation data. The correlation data you're going to be able to get with this is to be able to go in and say, what is the entire history that led up to this incident that I'm investigating? Or just the head-scratchy curiosity of: when I fire up this host, where does it go?
What are all the different servers it reaches out to, and how often does it? This is what Security Onion's real goal is here: to have the tools to both log and... based on how much storage you have. And obviously, if you're doing full mirroring, and if you use 10 gigs of data a day and you want to keep 30 days, well, you're going to need 300 gigs of storage on your system, because that's exactly how that works. As you pull in data, yes, there's some compression and things like that, but for the most part it depends on how much data you would like to keep. And some companies, actually, this is, when you hear me talk about selling large storage servers on my channel, sometimes these are some of the back-end uses that these companies have: just to sort and store all the data for investigative purposes. Because once you have all the data in Security Onion, when you have an incident, the incident may have happened two days ago and you realized it today. You need the ability to walk back two days so you can find the start of the event. That's why this logging is so important. This is also one of the reasons they recommend it on real hardware. Now, good news for you homelab people, if you are going, hey, I have a limited amount of resources.
I can really only run this on some small older device, or maybe just a VirtualBox instance or something, you know, really minimal. It does have the ability to just take pcaps and dissect them for you into the same threat intelligence. So instead of having a port mirror, it does have a full standalone mode where you can just go and grab a pcap file and drop it in there. Now this is a really great feature for people that just kind of want to see how it works, and this is some of the demonstrations I've seen from YouTube videos that they've put out on Security Onion: just how to grab a pcap file, and they walk through what that looks like, and it gives you that same tool. And the good thing is a lot of different tools, such as pfSense, support full pcaps, so you can grab pcap files out of pfSense. And of course, in the broader sense, if you're not familiar with pcaps, it might be another fun show topic, how to gather network intelligence data with pcaps and Wireshark. Pcaps are very common in the network industry to be able to do investigative work. A lot of times, when you're troubleshooting anything, people like to say, let's look at the pcap file of all the traffic. It's basically like a raw collection of all the traffic for some defined period, and the ability to import these standardized pcap files is great. I saw someone asking in the chat, can it run on lesser devices like a Raspberry Pi? Yeah, oh, even better, I've seen Security Onion has entered the chat. So that's really awesome. Wow. Yeah, they are... we didn't even know we were doing this episode until less than 12 hours before it was time to start. Yeah, we were trying to come up with a good security episode, and this one is on there. So we're excited to see the Security Onion team. So, right, so that's awesome. Security Onion is very actively engaged; their founder, like I said, gives many talks, so, definitely excited to see them here.
I like this. This is an important thing: they're not just an open source company doing an open source thing; they're very engaged in the community as well, so awesome. Yeah, very happy to see them here. And I'm sorry if I get anything wrong. I don't claim to be a security expert; I am just trying to spread some enthusiasm for the product. All right. Now, some of the other things you can ingest inside of here are some of the other logs. It's not the same as a logging server, but you can send other network information to it, so it does have other ways to ingest a lot of this intelligence. And this is just great, because the more data you can put towards it is what really helps with your investigations. This is where the challenge really comes in when you're doing any type of threat monitoring: figuring out that data point. It always feels like you're short one more piece of data. I need one more thing that would help me figure out how this got here, what it reached out to. And this is one of the things Security Onion does very well.

Now, I want to touch a little bit on scalability too. One of the neat things about Security Onion is they built a system that can stand alone and be this one box. But if you're familiar with how enterprise environments work, that really isn't a practical use case, because you couldn't build a single box big enough for a very large enterprise. Security Onion expands out and scales out quite a bit, I would say essentially horizontally, where you can have a series of sensors that you build to collect all this data back to some of the architectural design. It goes all the way from this simple standalone device that can manage just some pcap files and a small environment, like "I want to do some testing." Then it can be a standalone box that does the investigation, maybe if you had a small business network. Then it can go on to be the much larger enterprise product with a series of nodes, and there's just pretty amazing possibilities
you can do with these. And I did some consulting and, like I said, talked with them before; I got to see them talk about what it looks like for a larger, more enterprise, many-node environment setup. So this is one of those things where, if you take the time to really learn this, the knowledge you'll gain from Security Onion, and then the pivot you can do to using this in larger environments if this is your career path, thinking about getting into being a security analyst, this is really helpful. So it's really helpful if you're ever doing any type of malware dissection. You can maybe have Security Onion just as part of a tap on a small segment of your network, and if you want to test out some malware or understand deeper what type of network connections and what type of traffic goes through, it does give you those abilities to pick and slice those things apart. Have you ever worked with any SIEM or SOC tools, Jay? A little bit. Yeah, I haven't gotten too much into security on my end, but it is something that I expect to get more into not too much longer. Yeah.

One of the other things about this is the threat intelligence feeds in there. Now, they're using the ET Open free feeds that are available. You can add more feeds in there, because the other component is not just what you can track internally, but you have to have some comparative analysis externally. One of the features this has built in when you're setting up Security Onion is the ability to pull in what they refer to as ET Open rules, and these are like your Suricata rules, which, by the way, it also has Suricata in the back end on there. This gives you some of the other analysis, because there's always the ability to try to look at a piece of traffic and define that pattern into something, and what tools like Suricata allow you to do is look at that and go, ah, I recognize this traffic; this is what it looks like when someone's doing, I don't know, Log4j.
There's a popular one I know we can talk about, and then you can start analyzing the attacks. This is another place where Security Onion can sit: monitoring that traffic that might be heading there. Now, by the way, this is all monitoring. This is not active engagement, actively stopping it. This is all, when you do something like a port tap, ingestion of data for analysis. This is in-depth ingestion of data to understand what's going on. It is not the point to actively engage and stop that thing from happening. It's to let you know that it happened. And this is really important, because of the example... and there was actually a great discussion over in Reddit just the other day. Well, I don't know about great; people get angry on Reddit sometimes, but it was definitely a discussion. And what happened is someone had their system that they did not patch. They were doing a hosted Ubiquiti system and they didn't patch it in time, because they just set it up in a cloud and you go, oh, that's right, that means me when it said you should patch things that use Log4j. Well, if you're a security analyst, one of the things, and this is what happened with my friend who works at the large company, and this is where these SIEM tools become very handy: the question is, were you breached? Do we know? Well, we can replay the traffic once we've added more analysis, like we know what an attack at Log4j looks like. We can look at the parsing data that Security Onion had in there, and then we can determine, for the period between the vulnerability being known or out in the wild and being abused and the time you patched it, this is where you can go back investigatively and reverse that and go through there. This is where Security Onion and these SIEM-type tools are extremely helpful for your knowledge. So this is one of the big use cases that you have for using this: being able to answer that question, was I breached?
There are some weird anomalies, especially when you go to places like GreyNoise. An easy example: greynoise.io is a website, a service, that has listed IPs that are known to be doing bad things. You can also use AlienVault, and if you have some of those IPs and you go, hey, I know this IP was a Cobalt Strike server or something bad, then you can go back and reverse and hunt for that inside of your Security Onion system. Now, a few other tools that are in there. This is not something I've dove much into; I just want to mention it's on there. It's thehive-project.org. So Security Onion has all the tools that are built in for all this analysis, but there's of course a little bit more you might need for some of your investigative searches. Now, when you're working in a home lab and on your own, it's a good practice to add notes on why something happened. Security Onion doesn't just give you a bunch of data; it lets you create an investigation and then add the notes to it. So they've included a few different tools that allow you to have a scalable, open source, free security incident response platform, and that's what TheHive (thehive-project.org) is. This is one of the tools that's included in there. This allows you... and Security Onion is a multi-user system, so you can create multiple users, and for a larger environment that's normal. You usually have a security team, and you can start making notes on the anomalies that you find, and that's actually built in as well.

For people who like pretty graphs, and we're not going to show them here because this is the podcast, but don't worry, they've got plenty of screenshots on Security Onion for this. One of the really cool things is they do have Grafana. And actually, Jay and I, neither one of us are experts in Grafana, so we might have a guest come on the podcast that is more of an expert. We've reached out to a couple of people and we're working on scheduling.
But yes, we know the homelab world loves their pretty graphs, and they're sometimes pretty cool, especially if you can get a good pew-pew map of the world and see where all the IPs are and go, why is that IP in Russia pinging me? That's always interesting. Grafana is integrated in there, and Grafana will produce some really nice charts. Now this can be helpful when you're just trying to see what this surge in traffic is when you do a pivot, and it's fully integrated in there. They also use Elastic; that's all part of the platform that's in there for the investigations. Now the next couple of things to talk about... let me jump over to... it's the cookbook I'm looking for; remember the cookbook they have in there. I didn't forget to put it in my notes. They have the Elastic search, Hunt, and console on there, but they also have some of the reverse engineering... what is that? Man, sorry, someone say it. Technical difficulties. It fell out of my head and it was on a different memory. I know, we'll just move on. It's the tool, I think it's called CyberChef. CyberChef lets you take different files and reverse them and break them down. That's also something else that's integrated in there. So, all right, sorry about my little... That happens; it happens to me a lot. I think we have more memory issues than our computers do. Yep, especially as we get older, it gets a little worse over time.

So something that I'm noticing as I look at this, because I've never used it before, so I'm quiet because I'm learning today along with everyone else, because this is really cool, and I'm learning while Tom talks about this: there's a lot of questions in the chat room about, okay, what can I install this on? Like Rick asks:
Can I put this on a Raspberry Pi? Raspberry Pi is very popular in home lab because, well, we could put something on it and it's this low-power dedicated box. It's not supported, but when I look at the minimum specs, and I kind of hate the term minimum specs, because it almost implies that as long as I have these specs, everything's okay in the world. What that means is, basically, you can get it off the ground, and if you just go crazy with all the features, then of course there's going to be a problem. But the minimum specs are four gigs of RAM, two CPU cores, and 200 gigs of storage, and 200 gigs of storage is also recommended as well. That's if you're just doing, like, importing pcaps. But if you're going to be doing more than that, then they recommend 12 gigs of RAM and four CPU cores, also 200 gigs of storage. But of course, if you go crazy, that's not going to be enough. But that's kind of where your starting point is. So if you go to LabGopher or something like that, you could find something there to run it on, if that's what you'd like to do. Yes.

And CyberChef is the name of the thing I was looking for: data decoding made easy. So CyberChef is really slick. It's all done like a web application. It allows you, basically like a Swiss Army knife, to take apart different XOR, Base64, or even more complicated like AES, DES, Blowfish, and create binary and hex dumps. One of the things you're going to find is, as you do some of these investigations, here's a file, but it was Base64-encoded. And there's a lot of different obfuscation techniques to try to get around different tools and antiviruses, and each one of these sometimes comes with its unique challenges.
I'm sure... I remember one of the examples that the folks over at Huntress used. They were actually doing a red team/blue team exercise. There's an entirely weird way they obfuscated IP addresses, because Windows will accept IP addresses in a couple of different notations, and some security tools apparently it can evade. I think they've been fixed since then. But this is where, why can you Base64-encode something and then actually have it work? Jay and I were talking about WordPress doing this, where when someone hacks your WordPress, you'll find a bunch of stuff where they Base64-encoded blobs to try to get past normal detection. So that's where CyberChef comes in, to start reversing all of that, so you can go, what exactly is this thing that I found on there? Because out of a pcap you can extract what payloads or files may have come out of it, but then the layer of obfuscation is deeper, so you use something like CyberChef to pull it out.

Now, someone asked a really good question here of why not... you know, what is the difference between analyzing with Security Onion compared to active filtering, a block to a threat? And this is where things are a little bit grayer, and this is the challenge. There are teams of people working at the security SOC locations who have to go through and figure out whether or not something's a false positive. So it tripped the security system, and we actually do investigations. And I'll use the example, like we use SentinelOne for this: we'll do an investigation because something tripped one of our security things that may have stopped the user from doing something. Now we have to make a determination. Was that a real QuickBooks update? Was that a fake QuickBooks update that it decided to stop?
So the tools sometimes just have false positives, and that's one of the reasons you want to have those things and those tools on there. But in order to back those tools up and validate their findings, this is where tools like Security Onion help you investigate. Also, sometimes things get through, and an easy example, or probably a famous example I should say, if you dive deep into it, and I've got a couple of videos on this, is the SolarWinds Orion hack. That was a really interesting one, because it obviously got by all the different next-gen firewalls. Pretty much the tool set that was used by the threat actors, that was done for espionage around SolarWinds Orion, was able to bypass all these different firewalls at pretty much every major Fortune 1000 company. And at one point, I think they said SolarWinds Orion was installed in 400 of the 500 Fortune 500 companies. So yeah, it's that popular of a product, and they said it was also used by the Department of Defense in all branches of the military. So somehow this system sat for six months. When you dive deep into the Mandiant investigation into it, you realize all these next-gen firewalls had no way of understanding this. But let's go backwards to how Mandiant was able to find it, because even though the espionage tool was removed, they had a year's worth of logs.
They could go backwards through them. So if you're using a tool and you've got it set up like Security Onion, and you've created a year's worth of logs, if I told you today, two months ago... we know the IP addresses and we know the payloads, and this is the information that we can now make public. You could then go back and reverse through your network and go, well, my next-gen firewall never flagged anything back then, but of course nobody's did, so now we have these IP addresses. Let's start reversing through all of our logs for X number of months and see if we were a victim. That's actually how companies that had good security and SIEM tools were able to determine whether or not they were victims. Companies like Mandiant and Microsoft and Google and some of these very large companies have the storage and have put forth the resources to having this. And some of you are probably going, I can't get approval for holding more than even two weeks' worth of logs. Yeah, that is a smaller business problem for sure. Yeah. I think Jay's seen that a couple of times, when you talk about... what is it, one of your previous employers? Maybe some of the things about how much more resources need to be put into logging. I'm not here to throw anyone in... No, but it's a good point though, because commonly, when you work in the industry, there's a pretty decent idea of the right way to do things. But obviously there's some debate depending on the administrator. Yeah, I mean, there's all kinds of examples that I can give about doing it the right way and doing it the wrong way. We could probably make an entire episode out of it, but I think that might be better for your other channel, if you wanted to cover that. So yeah, there's a lot in there.

A couple of the little things I want to talk about on there now.
Let me jump over to... one of the ways it has in there, and this is one more tool, and I mentioned it briefly, but I want to make sure this is clear: the Filebeat system. Filebeat helps you keep it simple by offering a lightweight way to forward and centralize logs. So because they're building this off of Filebeat and Elastic, this is what offers you even more integration with this to be able to forward and ingest more data. That's why I said earlier, not just your firewalls, but all of your network equipment, or any of the endpoints through Wazuh. This is all a series of tools that let you build and have all these queries for any of those functions on there, to be able to do any of the things like the investigative tools that are on there. Now, once you have all this set up... it can be... I was reading through the documentation. It's a lot to get this whole thing going. I do recommend, for getting it going though, they have really solid documentation. I have gone through it, and I was reading through it again; it's even better than the last time, when I was playing with this a few months ago. This is one thing that's important to me, and this is a change for some... well, it's just really helpful when you have an open source project that's been around since 2008. It becomes this mature, and also has the accompanying documentation for it. One thing though, before you even start, I do really recommend, I mean, run head first into it and get stuck if you want, but take the time to RTFM before you set any of these things up. And by the way, they do link back out to things like Elastic and CyberChef, because they've integrated some of these tools, but each one of these tools has its own separate documentation. They've just included them in there and made the connections, but they still run somewhat as independent tools within there. So that's a little word to the wise there.
So when you're going into this, it's not for the faint of heart. I definitely just want to make sure that part's clear. Now, go ahead.

I was just going to also say, too, that sometimes that excites us in homelab, because if something is a long-term project, especially in Michigan, I mean, we're not going outside in the winter. Come on, what else are we going to do? I mean, if a project is bigger, there's a subset of our audience that's like, "Well, that's great. That means I have something to do other than just work all day. I actually have another project I can work on that's going to give me some learning and some things over the course of time." I actually like it when someone says it's a little bit to get into, or it's going to take a little while. That sounds good to me.

Yeah, that's a lot about it there. They also have a complete set, and if it wasn't a podcast I'd be showing them all on the screen here, a complete set of how the data flows through the system, how you have the management network versus the sniffing networks, and how each of these packets gets broken down. This is really nice, so you kind of understand where it sits and where it stacks into your network, so what it gains visibility into. Now, one other thing I'm going to say is really nice about Security Onion, and I was running it, for example, doing full pcap logging at my house for a little while as a side project, but I also put it on auto update. One of those minor things that annoys me about things like, let's just say, Elastic, is it seems to break occasionally with updates. This is where the Security Onion team has actually done a really good job on handling all the updates. That's one of the reasons I took the time to reload it from scratch before I did this video, and almost didn't have time to finish the load.
I will warn you, it is a pretty big download, and even with a reasonably fast machine it took a little bit to load on there. It does rely heavily on good I/O performance and a reasonably fast machine. That's one of the reasons it kind of rules out things like, what'd you call it, running it on like a Raspberry Pi or a low-power device. I mean, you can get it working in standalone, but once you pack this many tools together... I think the ISO download is close to eight gigs, to give you an idea of just how much is packed into the install. It's bigger than probably a lot of distributions. And it's not a desktop environment; this is all web interface here.

Yeah, you know, that's the thing about Raspberry Pi, because if we're not careful, it's like, yeah, it's a big download, big install, and then of course, "Well, I have a 128 gig SD card, I don't care," or "I have a one terabyte SD card, I'm fine." But again, Raspberry Pi is not supported, but even if it was, I think people have to keep in mind that Raspberry Pi is awesome, and I will totally float it, like brag about it, but anything that is I/O heavy is going to be a potential problem on the Raspberry Pi, and this is very I/O heavy. And also keep in mind that unless you are going to have two dongles that are Ethernet jacks on your Pi, assuming you could get it to work, then you have not only I/O contention, but now you have like two external, or actually at least one external, Ethernet if you want to actually do capture. It's just going to be a rabbit hole you probably don't want to go into to try to make that work.
So yeah, and it's not supported anyway. But yeah, I just want to clear that up before someone's like, "Well, I have a one terabyte SD card, watch me try to make this work."

Absolutely. A few final notes on this to wrap it up, because the other stuff I want to dive into is more visual and maybe I'll do a video on it. But I do highly recommend checking out Security Onion's videos. There's stuff they put on YouTube, a few talks they've given on the product. There's a lot you can find out about them. They're like the best kept secret, because they are more popular than I think people realize out in the market. It's not just some cobbled-together tool. It's an entire group of security professionals that make up the team, and it is a little bit of their business model, just an FYI: here's all the tools for free; oh, by the way, we do sell consulting to help you stand this up, because it is a complicated project. So, you know, shout out to them. I actually really love an open source project that has a business model around it. That's actually something that, to me, is really important. That's what allows further future development. They offer professional services around it. So that's absolutely, if someone happens to work in an enterprise environment and needs to reach out to or have support for a product.
This is a product that does come with that support. I've talked about this, like with XCP-ng and some of the other tools we use here. Absolutely, if you need help standing up an environment, that's kind of the way their business model works, which of course goes back into the product, and I love that they have put the time and dedication into it.

Among the things that are of note is that they do have a backup on there, which is actually kind of cool, because that was an aggravation when I played with some different products out there. You spend a lot of time configuring them, and especially when you're doing something on bare metal, not having a way to back up those customizations easily. VMs are easy: I'll just snapshot the VM and export them and put them into my VM process, and me and Jay certainly dove into that quite a bit, talking about like the Proxmox Backup Server or the way you can back up any of the virtualization stacks. But when you've got bare metal, it's a little bit tricky, and when you have bare metal that's holding this much data, well, now you've got some other challenges. So they do have some configuration backup and management backup, and the ability to migrate the system. So as your network changes, they have a series of scripts, because you'll run a series of scripts to get it configured. They also allow the rerunning of all those scripts to make modifications to your network, maybe different segments or different adds. And everything, you know, could be really, really locked down with all the configuration tools. So hopefully I covered it pretty well, Jay. I gave you an idea what it is now, because Jay has not used this, so that's what I'm asking him.

And you know, I love these kinds of episodes because I come away with homework.
It's like I live or die by what I call rainy day projects. When the weather's crappy and I can't get outside, I have a list of things I want to check into, build or deploy that would be fun. So it's another thing to add to the list. So if I have one of those slower days, just set up Security Onion, and that would be a fun project. Absolutely, I can't wait to check it out.

Yeah, like I said, if you're going to get into the cybersecurity side, I think it's really important to be on the SIEM and SOC side too, to have an understanding of how these threats get in there. So whether your job is a security analyst, as in you're analyzing what happened at an endpoint, what happened at a workstation, pretty much the way modern things get there... I mean, with some exception; I know there was a recent hack with a bunch of USB sticks floating around again, that happens. But the majority of the attacks are going to come across the internet, which means they passed through a firewall, and hopefully that firewall had some port mirror set up and has some investigative tools like Security Onion tied there collecting all the data, so you can actually do these investigations. And of course, what better place to start than your home network, because boy, with all the devices you have reaching out, the amount of data... I remember when I was testing it at home, I was just blown away with the number of connections, the volumes of them. You're like, there's so much going on here, and it's just a few of the kids being home and playing some games online. Watching my son's computer and everywhere it connects to, you're like, there's a lot of connections. It's got all these games open and everything else, to let you peer into how all that traffic's going. It's definitely really cool.

Yeah, and speaking of cool, like talking about Security Onion and how you can just find out the lateral movement and what's going on, and packet capturing and security analysis, just makes me want to, like, if I get a hacker, right, just blast some techno music, have some flashing lights, and just see, "Oh, I'm after the hacker, let me get the hacker."

Yeah, it's gonna re-enact a 90s movie or something like that as you go through the process.

But in all seriousness though, it sounds like a really nice tool.

Yeah, it's a set, more than, you know, the basics. We've talked about Graylog on this channel. Graylog is great for all of your logging needs, not just IP-based logging needs, but different devices you have on a network and ingesting all those logs. But this is a step further when you go, "I need to slice and dice all the network traffic. I need to know, with these rule-based, the ET Open rules, does Suricata look at this and perceive this as a threat? Or does it perceive it as a threat now if I try to replay this pcap, because I have some data from before, but the rules came out today about something that was going on last week. Was I affected by that thing last week?" These are the types of tools that you need in order to understand, to answer that question: was I a victim of this particular attack? Did someone poke at my network for this information? This is absolutely the key you need in order to do this, and it's unfortunately more than once that I've been in and helped out as an assistant (I'm not a lead for investigations and security), but I've been there when this happened. I've got to watch the teams work, and they run around asking for logs, and more times than not, and my friends that are red team, they know that logs don't exist, and my friends that are the cleanup teams are also saying the same thing, like, yeah, the logging is always kind of sparse at a lot of companies. And I'm like, at least start diving into and looking at something like Security Onion. It's open source, it's free. It's something you can get started with in learning.
So I'll stop ranting about that.

That's the point though. I mean, the art of homelab is similar to the art of the enterprise infrastructure side of things, because you see a problem, there's an open source solution for it, and then overall your deployment in your infrastructure is a collection of tools that are made by completely separate entities. They're not related at all, but they work well together. So you can have one that's doing analysis of your network, you have a log server, you have some things that prevent intrusions, things that look at, if intrusions happen, why did they happen, and a collection of all these things that are seemingly unrelated just work well together, and that gives you your complete build. That's kind of what a lot of us that do homelab like, that complete picture that we've built and we've created as, like, an art form.

And I see some discussion about security concerns about when you're ingesting data. Security is very well structured when you go through this setup. It's going to have you set up the management interface, and it's going to have you set up the SPAN or TAP interface where you're ingesting all the data, which is not ever supposed to be where you're managing the system. What this allows it to do is essentially, data flows this way in through this particular sniffing interface, but there's no way to do any management.
It's not doing any of that. It's just grabbing data, pulling it in. And then, depending on how you want to do this, you could even go as far as set up the management interface, and the only time you go in and do investigations, you keep an air gap and plug it in when you do the investigation. This would stop anyone from having anything. This essentially makes it an immutable log server at that point, where it only ingests data and is only managed... Even when you set up the management interface, by default it asks you the question on setup: what IPs can manage this? Now, you can specify a subnet if you want, but they say what IPs, and you probably want to input, like, your IP address, that way not anyone can even get to it. I mean, the management interface still has a username and password; it's protected by SSL. But they take all the steps to try to lock this down, because this is definitely one of those things where, when a red team gets in, they want to disable logging; when a threat actor gets in, they want to disable logging. It's not easy for them in there in the environment. When you have a logging server, if they know it exists, they really want to turn it off, and in the case of Security Onion, when it's doing passive recon, it's not even going to alert them that it exists. So it gives you a better chance, a better statistic, of, even if you didn't stop them, because obviously they're in the network, it gives you that analysis. Because frequently threat actors are sitting in your network for a long time before doing something, because actually the way the marketplace works in the cybersecurity field right now is there are what they call IABs, or initial access brokers. The people who break into systems and establish a beachhead, establish a backdoor to your system, aren't always the ones deploying it. They actually grab that and then sell it. That's why they're called initial access brokers. They actually broker connections to people based on the value they find in it.
I'm like, "Oh, look what I got. I got a beachhead in XYZ company. What's that worth?" And they go on the dark web and auction you off. If you have the analysis tools, you are able then to root them out of your network. You're like, "Hey, I found them," and of course with those analysis tools: they established a beachhead, but they just popped a web shell here through something. They didn't actually do anything. There's no traffic; there's just the web shell. There's a few kilobits to spawn it; it contacted the command and control server, but it didn't respond. So we're bad that we were breached, but it wasn't that bad. We didn't suffer a deeper breach. They didn't pivot through the network. These are what these tools hopefully help clear up there. This is getting a little off topic, but I guess on topic for what we're talking about: why this tool is so important, or why these types of tracking tools are so important.

Yep. All right, anything else, Jay? I think we've covered it all.

I think we have. I mean, there's always something else. There's never going to be an episode where we cover 100% of anything, because that's always impossible. But I think you covered what we need to know.

Yeah, so thanks. Head over, and obviously just go over to Security Onion's website, which is securityonionsolutions.com. You can download it for free there. No registration needed, don't worry, because I know that comes up sometimes: do they make you register? Do they make you do any of that? They offer training and certifications if you're interested in diving deeper into it from a professional standpoint, but on the Homelab Show we like to offer something that you can absolutely start on your own and just get started with it. So head over there, download it.
They also have specs on the hardware and everything else, and suggestions on that. Like I said, take the time, RTFM. You'll be better for it, because there's a lot, but they have an entire step-by-step getting started with it. So, all right, thank you guys for watching and see you next time. Thank you.