This post is a tutorial on using Security Onion tools such as Sguil and Wireshark to investigate network alerts and determine whether they are true positives or false positives.

Here’s a detailed breakdown of the key points covered:

  • The video focuses on analyzing security alerts in a network using Sguil, Security Onion's alert console, to identify whether they are genuine threats or false positives.
  • The instructor explains how network engineers and security analysts often deal with various alerts from different systems such as IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems).

What is Security Onion

Security Onion is a powerful open-source platform designed for network security monitoring, intrusion detection, and threat analysis. It integrates various security tools to help analysts detect, investigate, and respond to potential threats within an organization’s network. This article provides a step-by-step guide on using Security Onion to detect and analyze malware activity in a network environment.

Security Onion is built to collect, store, and analyze network traffic and system logs to identify suspicious activities. It provides tools such as:

  • Snort: a signature-based intrusion detection system (IDS) that raises an alert when network traffic matches a rule.
  • NetworkMiner: a network forensic tool that parses captured traffic and carves out the files transferred in it.
  • Sguil: the alert console used to query alerts, view the rule that fired, and pivot to the related packet data and logs.

Interface and Network Topology:

  • The interface displayed includes sections for alerts, rules that trigger those alerts, packet data, DNS information, and system messages.
  • The network topology consists of two devices:
    • A DMZ server with the IP address 172.16.1.10.
    • A Windows PC client with the IP address 10.1.6.1.
  • The DMZ server is treated as external to the client network, while the Windows PC is internal.

Step-by-Step Malware Detection

1. Monitoring Network Activity

The first step in detecting malware using Security Onion is monitoring alerts as they arrive. Analysts use the Sguil console to review alerts and pivot to the underlying logs and packets, looking for unusual activity such as file downloads from external hosts.

2. Identifying Suspicious Files

A critical detection method involves identifying files downloaded from external sources. In the video example, a Java file was detected being downloaded by an internal machine (10.10.6.11).

3. Checking for Vulnerabilities

Snort does not scan a host for vulnerabilities, but its rules can flag traffic that reveals outdated software. Java clients identify their version in the HTTP User-Agent header (for example Java/1.7.0_25), so a policy rule matching an end-of-life version fires when the client makes a request. In this case, the alert showed that the internal machine was running an outdated Java version, leaving it susceptible to known Java exploits.

4. Extracting Files with Network Miner

NetworkMiner helps retrieve and analyze transmitted files to assess their legitimacy. Security analysts can check whether a file is unusual or suspicious based on:

  • File name structure (e.g., unrecognizable or gibberish names may indicate malware).
  • Unusual network behavior associated with the file download.

5. Uploading Files to VirusTotal

To confirm whether a file is malicious, analysts check it against VirusTotal, an online multi-engine malware scanning service. Looking up the file's SHA-256 hash first is preferable to uploading the file itself, since uploaded samples are shared with other VirusTotal users and may contain internal data. In the video example, the Java file was flagged as a Java Trojan by multiple security engines, including AVG, BitDefender, and F-Secure.
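The five steps above, written out as one triage script. This is an added example, not code from the video, from Security Onion, or from the page's author. It assumes log rows constructed in the tab-separated shape of a subset of Zeek's http.log columns (the log format Security Onion stores), IP addresses that follow the scenario in the text, placeholder bytes standing in for the extracted .jar, and a constructed dict shaped like the last_analysis_results field of a VirusTotal v3 file report. Nothing in it touches the network.

```python
"""Added example: file-download triage (steps 1-5) over constructed inputs.
Not code from the video or from Security Onion; all data below is made up."""
import hashlib
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the internal range
DOWNLOAD_MIMES = {"application/java-archive", "application/x-msdownload",
                  "application/octet-stream", "application/zip"}
JAVA_UA = re.compile(r"^Java/(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

# Constructed http.log-style rows: ts, id.orig_h, id.resp_h, host, uri, user_agent, resp_mime_types
HTTP_LOG = [
    "1700000000.100\t10.10.6.11\t172.16.1.10\tdmz.example.test\t/index.html\t"
    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)\ttext/html",
    "1700000004.250\t10.10.6.11\t172.16.1.10\tdmz.example.test\t/dl/qzkx8s.jar\t"
    "Java/1.7.0_25\tapplication/java-archive",
    "1700000009.000\t10.10.6.11\t10.10.6.5\tfileshare.corp\t/tools/putty.exe\t"
    "Mozilla/5.0 (Windows NT 6.1)\tapplication/x-msdownload",
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_http_log(lines):
    fields = ("ts", "orig_h", "resp_h", "host", "uri", "user_agent", "mime")
    return [dict(zip(fields, line.split("\t"))) for line in lines]

def find_external_downloads(records):
    """Step 2: files an internal client pulled from a server outside the internal range."""
    return [r for r in records
            if is_internal(r["orig_h"]) and not is_internal(r["resp_h"])
            and r["mime"] in DOWNLOAD_MIMES]

def outdated_java(user_agent, min_version=(1, 8)):
    """Step 3: Java clients name their version in the User-Agent header.
    Returns None for non-Java clients, True if older than min_version
    (default 1.8; Oracle ended public Java 7 updates in 2015)."""
    m = JAVA_UA.match(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))) < min_version

def sha256_hex(data):
    """Steps 4-5: hash the carved file so it can be looked up before any upload."""
    return hashlib.sha256(data).hexdigest()

def vt_verdict(analysis_results, min_engines=3):
    """Step 5: summarise a last_analysis_results object.
    Returns (verdict, hit_count, sorted names of engines that flagged the file)."""
    hits = sorted(engine for engine, r in analysis_results.items()
                  if r.get("category") in ("malicious", "suspicious"))
    if not hits:
        verdict = "clean"
    elif len(hits) >= min_engines:
        verdict = "malicious"
    else:
        verdict = "low-confidence"   # a handful of engines: possible FP or a fresh sample
    return verdict, len(hits), hits

# Constructed stand-ins for the carved .jar and for the VirusTotal report on it.
SAMPLE_JAR = b"PK\x03\x04" + b"\x00" * 60   # placeholder bytes, not a real archive
VT_RESULTS = {
    "AVG":         {"category": "malicious",  "result": "Java:Trojan-gen"},
    "BitDefender": {"category": "malicious",  "result": "Trojan.Java.Generic"},
    "F-Secure":    {"category": "malicious",  "result": "Trojan.Java.Generic"},
    "EngineX":     {"category": "undetected", "result": None},
    "EngineY":     {"category": "undetected", "result": None},
}

def triage(http_lines, file_bytes, analysis_results):
    """Run steps 1-5 over the inputs and return a report dict for the analyst."""
    downloads = find_external_downloads(parse_http_log(http_lines))
    report = {"downloads": [(d["orig_h"], d["resp_h"], d["uri"]) for d in downloads],
              "outdated_java_client": any(outdated_java(d["user_agent"]) for d in downloads),
              "sha256": sha256_hex(file_bytes)}
    report["verdict"], report["engine_hits"], report["engines"] = vt_verdict(analysis_results)
    return report

if __name__ == "__main__":
    for key, value in triage(HTTP_LOG, SAMPLE_JAR, VT_RESULTS).items():
        print(f"{key}: {value}")
```

The verdict threshold is deliberately a parameter: three or more independent engines naming the same family (as in the video) is a confident detection, while one or two hits is the "few engines" situation described later on this page and warrants a second look rather than an immediate escalation.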

Analyzing an RDP (Remote Desktop Protocol) Alert:

  • The first alert analyzed shows communication between the DMZ server and the internal Windows PC over RDP (Port 3389).
  • The video explains how to right-click and view correlated events to investigate if the alert is part of a potential Denial of Service (DoS) attack.
  • By inspecting the packet data in Wireshark, the instructor finds that the DMZ server sent the initial SYN and so initiated the connection. This is unusual because new connections from outside to internal clients are typically blocked by firewalls unless explicitly allowed.

Suspicious Network Behavior:

  • The instructor notes that this unexpected connection may indicate that the internal client is being used as a proxy or has been compromised.
  • The investigation continues by analyzing the packet data further to identify any malicious behavior or signs of exploitation.

File Analysis:

  • A file downloaded by the internal client is analyzed using VirusTotal to check if it is malicious.
  • VirusTotal flags the file as suspicious, but only by a few antivirus engines, suggesting that it could be a false positive or an obfuscated malware file.

Nmap Scan Detection:

  • The tutorial identifies a network scan using Nmap from the DMZ server targeting the internal Windows PC.
  • The scan seeks to detect open services and operating system details, which could be a precursor to exploitation.
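Both of the questions raised above, who initiated the RDP session and whether the DMZ host is scanning the client, can be answered from Zeek conn.log records, which Security Onion keeps alongside the Snort alerts. The script below is an added example, not code from the video or from Security Onion. It assumes conn.log-style rows constructed with a subset of Zeek's columns, the IP addresses of the page's topology (DMZ server 172.16.1.10, internal PC 10.1.6.1), and made-up thresholds for what counts as a scan.

```python
"""Added example: direction and port-scan checks over constructed conn.log rows.
Not code from the video or from Security Onion; all rows below are made up."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]                  # assumption
WATCHED_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5985: "WinRM"}    # assumption
SCAN_PORTS, SCAN_WINDOW = 10, 5.0   # assumption: >=10 distinct ports from one source in 5 s
# Zeek conn_state values that mean the TCP handshake completed
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed conn.log-style rows: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state, history
CONN_LOG = [
    "1700001000.00\t172.16.1.10\t51234\t10.1.6.1\t3389\ttcp\tSF\tShADadFf",   # DMZ -> PC, RDP
    "1700001005.00\t10.1.6.1\t49812\t172.16.1.10\t443\ttcp\tSF\tShADadFf",    # PC -> DMZ, HTTPS
] + [
    # a burst of SYNs to closed ports, answered with RST: what Nmap against closed ports looks like
    f"1700002000.{i:02d}\t172.16.1.10\t{40000 + i}\t10.1.6.1\t{port}\ttcp\tREJ\tSr"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
] + ["1700002000.13\t172.16.1.10\t40013\t10.1.6.1\t3389\ttcp\tSF\tShADadFf"]  # the one open port

def parse_conn_log(lines):
    fields = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "conn_state", "history")
    out = []
    for line in lines:
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        out.append(rec)
    return out

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def inbound_to_internal(conns):
    """Zeek's id.orig_h is the side that sent the SYN, so this answers the RDP
    alert's question directly: did the DMZ host open the session to the client?"""
    hits = []
    for c in conns:
        if (c["proto"] == "tcp" and c["conn_state"] in ESTABLISHED
                and not is_internal(c["orig_h"]) and is_internal(c["resp_h"])
                and c["resp_p"] in WATCHED_PORTS):
            hits.append({"ts": c["ts"], "orig_h": c["orig_h"], "resp_h": c["resp_h"],
                         "resp_p": c["resp_p"], "service": WATCHED_PORTS[c["resp_p"]]})
    return hits

def detect_port_scans(conns, min_ports=SCAN_PORTS, window=SCAN_WINDOW):
    """Flag a source that touches many distinct ports on one host within a short
    window; the REJ count shows how many probes hit closed ports."""
    by_pair = defaultdict(list)
    for c in conns:
        if c["proto"] == "tcp":
            by_pair[(c["orig_h"], c["resp_h"])].append(c)
    alerts = []
    for (src, dst), rows in by_pair.items():
        rows.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rows):
            in_window = [r for r in rows[i:] if r["ts"] - start["ts"] <= window]
            ports = {r["resp_p"] for r in in_window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "rejected": sum(r["conn_state"] == "REJ" for r in in_window),
                               "first_ts": start["ts"], "last_ts": in_window[-1]["ts"]})
                break   # one alert per source/destination pair
    return alerts

if __name__ == "__main__":
    conns = parse_conn_log(CONN_LOG)
    for h in inbound_to_internal(conns):
        print(f"inbound {h['service']} from {h['orig_h']} to {h['resp_h']} at {h['ts']}")
    for a in detect_port_scans(conns):
        print(f"scan: {a['src']} -> {a['dst']}, {a['distinct_ports']} ports, {a['rejected']} rejected")
```

Run against the constructed rows, the first function reports two DMZ-initiated RDP sessions and the second reports one scan of 13 ports, 12 of them rejected. The same logic is what the Sguil "correlated events" view and the Wireshark handshake inspection establish by hand; a firewall policy that blocks new inbound sessions from the DMZ to the client subnet would have stopped both behaviours.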

Exploit Investigation:

  • Another alert shows a potential Internet Explorer vulnerability being exploited.
  • The instructor explains a typical scenario where an attacker sends a malicious URL through phishing or social engineering, and the victim unknowingly clicks it, leading to exploitation.
  • By reviewing the full transaction between the DMZ server and the Windows PC in Wireshark, it is revealed that the client visited a malicious webpage, resulting in a successful exploitation.

Incident Escalation:

  • The instructor advises escalating such incidents to tier-two analysts for further investigation and initiating incident response.
  • This includes isolating the compromised machine, conducting forensic analysis, and remediating it by removing the malware or reimaging the system.

Upon detecting a malicious file, security analysts follow the incident response process:

  1. Log Collection – Gathering logs and scan reports related to the incident.
  2. Incident Escalation – If the malware is confirmed, the event is escalated to Tier 2 security analysts for deeper investigation.
  3. Containment & Remediation – The infected system is isolated, and security patches or mitigation steps are applied to prevent further compromise.

Conclusion

Security Onion is an essential platform for network security monitoring and malware detection. By combining Snort alerts, NetworkMiner file extraction, and VirusTotal lookups, analysts can detect and contain threats before they spread. Understanding how to use these tools together supports a proactive defense and strengthens an organization's security posture.

Summary

🔍 Introduction to Security Onion – Security Onion is a network security monitoring platform used to detect and investigate malware activity in a network.

🖥 Using Sguil for Security Alerts – The Sguil console displays Snort alerts in Security Onion and lets the analyst pivot to the rule and packet data behind each one.

📡 Identifying Suspicious Activity – The example scenario shows an internal IP (10.10.6.11) downloading a suspicious Java file.

Vulnerable Java Version Detection – A Snort rule alerts that the client is running an outdated Java version, indicating the system is vulnerable.

🛠 Using NetworkMiner for Analysis – Parses captured network traffic and extracts the transmitted files for inspection.

🔬 Investigating Malicious Files – Uploading the Java file to VirusTotal shows that multiple antivirus engines (AVG, BitDefender, F-Secure) detect it as a Java Trojan.

🔄 Incident Response Process – The detected malware is escalated for further investigation by Tier 2 security analysts.

🛡 Security Operations Center Workflow – Tier 1 analysts gather logs and scan results before escalation for deeper analysis and incident containment.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.