As part of the training APNIC delivers, we talk about best practices for setting up logs, intrusion detection systems and using automation to keep things up to date. This 'how to' expands on the skills we teach in workshops and discusses some open source tools that can be used for network security monitoring. While there are many FOSS (Free and Open Source Software) tools available, I am focusing on Security Onion because of its included tool set and ease of installation.

Security Onion is an open source Linux distribution for intrusion detection, network monitoring and log management. It includes a host of open source tools, including the Snort IDS and the Squert event viewer used below.

Security Onion ships with some example packet captures (pcap files) in the /opt/samples directory. To find out more about the samples, refer to Security Onion's documentation.

Figure 1 - Directory listing of Security Onion's example packet captures.

There are three ways to import the pcap files into the Security Onion logs:

- tcpreplay: Import one or more of the packet capture files as new traffic and replay them with the current timestamp.
- so-replay: Import all pcap samples in /opt/samples and replay them with the current timestamp.
- so-import-pcap: Import one or more capture files while keeping the timestamps the same as the original packet capture dates and times.

To import the fake_av.pcap file, type the following command in a terminal window:

$ sudo so-replay fake_av.pcap

Figure 2 - Output of the so-replay command.

Because so-replay (like tcpreplay) stamps the traffic with the current time, the resulting alerts will appear in Squert under today's date rather than the date of the original capture. If you need the events to keep the original capture timestamps, use so-import-pcap instead.

Now that we have imported the packet capture file, let's look at the alerts that Snort generated, using Squert, a visualization tool that queries and displays the event data. When Squert first opens you will see a list of all the events. Squert provides additional context for the events through metadata and time series representations, so even without knowing much about the data and events, its visualization tools help identify suspicious sessions or behaviours.
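Before importing a capture, it helps to know what it contains and which time span it covers, because so-import-pcap keeps the original timestamps while so-replay and tcpreplay stamp the traffic with the current time. The following Python script is an added example and is not part of the original article or of Security Onion: it parses the libpcap global header and packet records of a file (both byte orders and both the microsecond and nanosecond variants), reports the packet count, link type and first and last timestamps, and rejects a file whose records run past the end of the data. The embedded sample capture is constructed for the example; the script name `pcap_summary.py` is a placeholder, and you would run it against a real file with `python3 pcap_summary.py /opt/samples/fake_av.pcap`.

```python
"""Summarise a libpcap file before importing it into Security Onion.

so-import-pcap keeps the original packet timestamps, whereas so-replay and
tcpreplay stamp the traffic with the current time. Knowing the capture's
original time span tells you which date range to look under in Squert after
so-import-pcap, and catches a truncated or corrupt file before it is replayed.
"""
import struct
import sys
from datetime import datetime, timezone

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1

# Magic number as read little-endian from the first four bytes
# -> (struct byte-order prefix, timestamp fraction units per second)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}


def _iso(ts):
    return None if ts is None else datetime.fromtimestamp(ts, timezone.utc).isoformat()


def summarize_pcap(data):
    """Parse a pcap byte string; return packet count, link type and time span.

    Raises ValueError on an unknown magic or a record that runs past the end
    of the data, which is exactly the file you do not want to feed to a replay tool.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in _MAGICS:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    endian, frac_per_sec = _MAGICS[magic]
    _, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HEADER_LEN])

    offset, count, truncated = GLOBAL_HEADER_LEN, 0, 0
    first = last = None
    while offset < len(data):
        if offset + RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        if incl_len < orig_len:
            truncated += 1              # packet was cut to snaplen at capture time
        ts = ts_sec + ts_frac / frac_per_sec
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        offset += incl_len
        count += 1

    return {
        "version": "%d.%d" % (major, minor),
        "linktype": linktype,
        "snaplen": snaplen,
        "packets": count,
        "first": _iso(first),
        "last": _iso(last),
        "span_seconds": 0.0 if count == 0 else last - first,
        "truncated_packets": truncated,
    }


def is_well_formed(data):
    """True if summarize_pcap() can walk every record in the file."""
    try:
        summarize_pcap(data)
        return True
    except ValueError:
        return False


def build_pcap(records, endian="<", nanos=False):
    """Write a pcap from (ts_sec, ts_nanos, payload, orig_len) tuples.

    Used here only to construct sample input; real captures live in /opt/samples.
    """
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_nanos, payload, orig_len in records:
        frac = ts_nanos if nanos else ts_nanos // 1000
        out += struct.pack(endian + "IIII", ts_sec, frac, len(payload), orig_len) + payload
    return out


# Constructed sample: three dummy Ethernet frames spread over 10.5 seconds,
# the last one cut short at capture time (orig_len > incl_len).
SAMPLE_RECORDS = [
    (1522000000, 0, b"\x00" * 60, 60),
    (1522000005, 0, b"\x01" * 74, 74),
    (1522000010, 500_000_000, b"\x02" * 96, 1514),
]
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_PCAP
    for key, value in summarize_pcap(data).items():
        print("%-18s %s" % (key, value))
```

The "first" and "last" values are the window to search in Squert after an so-import-pcap; after so-replay or tcpreplay the events carry the import time instead, so the original span only tells you how long the replayed traffic will take to appear.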