SECURITY ONION TOOLS LAB
VIRTUAL MACHINES AND TOOLS NEEDED FOR LAB:
Security Onion 14.04
Username: soadmin
Password: password
LAB
Lab Goal: Become familiar with various tools comprising Security Onion
Objective: Replay a packet capture onto the monitoring interface
a) Login to the Security Onion 14.04 VM and launch a terminal window
b) Replay outbound.pcap onto the monitoring interface
soadmin@so-sa:~$ sudo tcpreplay -i eth1 -M10 /opt/samples/markofu/outbound.pcap
[sudo] password for soadmin:
sending out eth1
processing file: /opt/samples/markofu/outbound.pcap
Actual: 1812 packets (1152828 bytes) sent in 1.35 seconds.
Rated: 853946.7 bps, 6.52 Mbps, 1342.22 pps
Statistics for network device: eth1
Attempted packets: 181
Successful packets: 1812
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
The rest of this lab is dependent upon this step executing
successfully. If for any reason you have experienced issues on this
step then please reach out to an instructor for assistance!
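Because everything after this step depends on the replay having gone out cleanly, it is worth checking the tcpreplay summary mechanically rather than by eye. The following Python helper is an added example for this lab, not part of the original handout or of Security Onion: it runs the same tcpreplay command as step b) (interface, pcap path and rate are the lab's values, passed as parameters) and parses the counters into a dict, then reports success only when every attempted packet was sent and none failed. The SAMPLE_OUTPUT string is a constructed copy of a clean run used for a self-test; it is not output captured from the lab VM.

```python
import re
import subprocess

# Regexes for the counters tcpreplay prints at the end of a replay
# (same layout as the summary shown in step b) of the lab).
_COUNTERS = {
    "actual_packets": re.compile(r"^Actual:\s+(\d+) packets", re.M),
    "attempted": re.compile(r"^Attempted packets:\s+(\d+)", re.M),
    "successful": re.compile(r"^Successful packets:\s+(\d+)", re.M),
    "failed": re.compile(r"^Failed packets:\s+(\d+)", re.M),
}


def parse_tcpreplay_stats(output):
    """Extract the packet counters from tcpreplay's summary text into a dict of ints."""
    stats = {}
    for name, pattern in _COUNTERS.items():
        match = pattern.search(output)
        if match is None:
            raise ValueError("tcpreplay output is missing the '%s' counter" % name)
        stats[name] = int(match.group(1))
    return stats


def replay_succeeded(stats):
    """True only when every attempted packet went out, none failed, and something was sent."""
    return (
        stats["failed"] == 0
        and stats["attempted"] == stats["successful"]
        and stats["successful"] == stats["actual_packets"]
        and stats["successful"] > 0
    )


def replay_pcap(iface, pcap, mbps=10):
    """Run tcpreplay (raw sockets need root, hence sudo) and return the parsed counters."""
    cmd = ["sudo", "tcpreplay", "-i", iface, "-M", str(mbps), pcap]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    # tcpreplay's summary goes to stdout; include stderr so nothing is lost.
    return parse_tcpreplay_stats(proc.stdout + proc.stderr)


# Constructed sample of a clean run (not captured from the lab VM), used for a self-test.
SAMPLE_OUTPUT = """sending out eth1
processing file: /opt/samples/markofu/outbound.pcap
Actual: 1812 packets (1152828 bytes) sent in 1.35 seconds.
Rated: 853946.7 bps, 6.52 Mbps, 1342.22 pps
Statistics for network device: eth1
Attempted packets: 1812
Successful packets: 1812
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
"""

if __name__ == "__main__":
    stats = replay_pcap("eth1", "/opt/samples/markofu/outbound.pcap")
    verdict = "OK" if replay_succeeded(stats) else "REPLAY INCOMPLETE - ask an instructor"
    print(stats, verdict)
```

Run it on the Security Onion VM as soadmin; it will prompt for the sudo password exactly as the manual command does. A non-zero "Failed packets" or a mismatch between attempted and successful counts usually means the monitoring interface was not up, which is the case to catch before moving on to the OSSEC steps.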
Objective: Create a new OSSEC agent and retrieve its key
7021 Columbia Gateway Dr. Suite 250, Columbia, MD 21046
www.chirontech.com | 410.672.1522 | @ChironTech
Any unauthorized use or disclosure of this material is strictly prohibited. © Chiron Technology Services
c) In an existing or new terminal window, run the manage_agents command
soadmin@so-sa:~$ sudo /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q:
d) Press A to add an agent, then complete the prompts as shown
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: Win7
* The IP Address of the new agent: 192.168.12.53
* An ID for the new agent[001]:
Agent information:
ID: 001
Name: Win7
IP Address: 192.168.12.53
Confirm adding it?(y/n): y
Agent added.
e) Press E to extract the key for the agent
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: Win7, IP: 192.168.12.53
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAyIG15YWdlbnQgMTAuMjAuMzAuNDAgZjQ2YTFhNzNkNjcyNTgxNjgxMDFhMjExYTcwMDdl
ZjM1NDlhOTFhNTQwMTI0Njc4OWQyOTAyNzA3ODIzOWU3Mw==
** Press ENTER to return to the main menu.
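The string that manage_agents prints is not an opaque token: it is the agent's client.keys line ("id name ip hexkey") encoded in base64, so whoever holds it can register as that agent and should treat it like a credential. The following Python helper is an added example for this lab, not part of the original handout or of OSSEC: it decodes an exported key (tolerating the line wrap from a copy-paste), validates each field, rebuilds the client.keys line, and checks that the key belongs to the agent you just created. Decoding the key printed in step e) yields ID 002, name myagent, IP 10.20.30.40, not the Win7 agent added in step d), so that value is a sample rather than a key generated during this lab; the matches_agent check catches exactly that kind of mix-up.

```python
import base64
import binascii
import ipaddress
import re


def parse_ossec_agent_key(exported):
    """Decode a key exported by manage_agents into its fields.

    The export is base64 of the agent's client.keys line: "<id> <name> <ip> <hexkey>".
    Whitespace and newlines introduced by copy-paste are stripped before decoding.
    """
    compact = "".join(exported.split())
    try:
        raw = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a valid base64 agent key: %s" % exc)
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError("expected 4 fields (id name ip key), got %d" % len(parts))
    agent_id, name, ip, key = parts
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError("agent id must be numeric: %r" % agent_id)
    if ip != "any":
        # OSSEC accepts a single address or a CIDR range; ip_network raises ValueError otherwise.
        ipaddress.ip_network(ip, strict=False)
    if not re.fullmatch(r"[0-9a-f]{64}", key):
        raise ValueError("shared key must be 64 hex chars, got %d" % len(key))
    return {"id": agent_id, "name": name, "ip": ip, "key": key}


def matches_agent(record, name, ip):
    """Check that a decoded key belongs to the agent you expect (name and IP as entered)."""
    return record["name"] == name and record["ip"] == ip


def client_keys_line(record):
    """The line that ends up in /var/ossec/etc/client.keys on both server and agent."""
    return "%(id)s %(name)s %(ip)s %(key)s" % record


# Key as printed in step e) of the lab, split across two lines exactly as copied.
LAB_KEY = (
    "MDAyIG15YWdlbnQgMTAuMjAuMzAuNDAgZjQ2YTFhNzNkNjcyNTgxNjgxMDFhMjExYTcwMDdl\n"
    "ZjM1NDlhOTFhNTQwMTI0Njc4OWQyOTAyNzA3ODIzOWU3Mw=="
)

if __name__ == "__main__":
    rec = parse_ossec_agent_key(LAB_KEY)
    print(client_keys_line(rec))
    print("belongs to Win7 / 192.168.12.53?", matches_agent(rec, "Win7", "192.168.12.53"))
```

Because the decoded line contains the shared key in the clear, paste it into the agent only over a channel you trust (console, or an encrypted session) and do not leave it in shell history or chat logs.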