Skip to content

Complited Cyber Security Docs #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 27, 2025
Merged

Complited Cyber Security Docs #62

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions .github/workflows/lighthouse-report.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,13 +40,15 @@ jobs:
with:
urls: |
http://localhost:3000/tutorial/
http://localhost:3000/tutorial/category/html
http://localhost:3000/tutorial/html/intro-html
http://localhost:3000/tutorial/category/css
http://localhost:3000/tutorial/category/html/
http://localhost:3000/tutorial/css/introduction/what-is-css
http://localhost:3000/tutorial/category/javascript
http://localhost:3000/tutorial/category/react
http://localhost:3000/tutorial/javascript/introduction-to-javascript/what-is-js
http://localhost:3000/tutorial/git/introduction
http://localhost:3000/tutorial/category/getting-started-with-github
http://localhost:3000/tutorial/github/introduction-to-github
http://localhost:3000/tutorial/react/react-intro
http://localhost:3000/tutorial/cybersecurity
http://localhost:3000/tutorial/tags
configPath: ./.github/workflows/lighthouserc.json
uploadArtifacts: true
temporaryPublicStorage: true
Expand Down
187 changes: 185 additions & 2 deletions docs/cybersecurity/cybersecurity-tools/monitoring-and-defense/security-onion.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,186 @@
import ComingSoon from '@site/src/components/ComingSoon';
---
title: "Security Onion"
description: "Learn about Security Onion — an open-source Linux distribution for intrusion detection, network monitoring, and log management. Explore its architecture, components, and setup for modern SOC environments."
---

<ComingSoon />
**Security Onion** is a free and open-source **Linux distribution** for **intrusion detection**, **network security monitoring (NSM)**, and **log management**. It’s widely used in **Security Operations Centers (SOCs)**, **cybersecurity training labs**, and **enterprise monitoring setups**.

Developed and maintained by **Doug Burks** and the Security Onion team, it provides an integrated suite of tools like **Snort**, **Suricata**, **Zeek**, **Wazuh**, and **Elasticsearch** — all preconfigured for rapid deployment.

## Why Security Onion?

Security Onion simplifies complex security infrastructure into a **single, cohesive platform**.

```mermaid
flowchart TD
A[Network Traffic] --> B[Packet Capture]
B --> C[Intrusion Detection - Snort/Suricata]
B --> D[Protocol Analysis - Zeek]
B --> E[Log Collection - Wazuh/OSSEC]
C --> F[Elastic Stack Visualization]
D --> F
E --> F[Security Onion Console]
```

**In simple terms:**

Security Onion collects, inspects, and visualizes network data — helping analysts **detect**, **investigate**, and **respond** to security threats efficiently.


## Core Components

| Component | Description |
| ----------------------- | ---------------------------------------------------------------------- |
| **Snort / Suricata** | Network Intrusion Detection Systems (IDS/IPS) |
| **Zeek (formerly Bro)** | Network analysis framework for protocol and behavior-based detection |
| **Wazuh / OSSEC** | Host-based intrusion detection (HIDS) and log analysis |
| **Elastic Stack (ELK)** | Elasticsearch, Logstash, and Kibana — for storing and visualizing logs |
| **TheHive + Cortex** | Incident response and case management |
| **CyberChef** | Data decoding, conversion, and analysis tool |

## Architecture Overview

```mermaid
graph LR
subgraph "Data Layer"
A[Network Traffic]
B[Host Logs]
end

subgraph "Collection Layer"
C1[Snort / Suricata]
C2[Zeek]
C3[Wazuh Agents]
end

subgraph "Analysis Layer"
D1[Logstash]
D2[Elasticsearch]
D3[TheHive]
end

subgraph "Visualization Layer"
E1[Kibana Dashboards]
E2[Security Onion Console]
end

A --> C1
A --> C2
B --> C3
C1 --> D1
C2 --> D1
C3 --> D1
D1 --> D2
D2 --> D3
D2 --> E1
D3 --> E2
```

This architecture allows real-time traffic inspection, data correlation, and security event visualization from a **single pane of glass**.

## Installation Modes

Security Onion supports three main deployment modes:

| Mode | Use Case |
| --------------- | ------------------------------------------------------- |
| **Standalone** | Ideal for labs and small networks |
| **Distributed** | For enterprise-scale environments with multiple sensors |
| **Eval Mode** | Quick evaluation using a single VM (best for beginners) |

```bash
sudo so-setup
```

You can select the desired mode during setup and configure sensors, managers, and storage accordingly.

## Workflow: From Detection to Response

```mermaid
sequenceDiagram
participant Net as Network Traffic
participant IDS as IDS/IPS (Snort/Suricata)
participant Zeek as Zeek
participant Log as Logstash
participant ES as Elasticsearch
participant Kib as Kibana
participant Hive as TheHive

Net->>IDS: Detect anomalies
Net->>Zeek: Analyze protocol behavior
IDS->>Log: Send alerts/logs
Zeek->>Log: Send connection metadata
Log->>ES: Store structured data
ES->>Kib: Visualize dashboards
Kib->>Hive: Escalate incidents
```

This flow demonstrates how Security Onion provides **end-to-end visibility**, from detection → analysis → investigation → response.

## Log Correlation Formula

To understand correlation mathematically, think of Security Onion’s detection engine as:

$$
A(t) = \sum_{i=1}^{n} (E_i \times W_i)
$$

Where:

* $ A(t) $: Alert strength at time *t*
* $ E_i $: Event score (based on severity, frequency, or signature match)
* $ W_i $: Weight of event importance

Higher $ A(t) $ indicates higher confidence of a real incident — enabling analysts to **prioritize critical alerts** efficiently.

## Real-World Use Cases

| Scenario | Description |
| --------------------- | ----------------------------------------------------------- |
| **SOC Operations** | Centralized log management and real-time threat monitoring |
| **Threat Hunting** | Searching for Indicators of Compromise (IOCs) and anomalies |
| **Incident Response** | Using TheHive to manage and document security incidents |
| **Training Labs** | Perfect for blue team exercises and cyber range setups |

## Key Tools Inside Security Onion

* **so-status** — Check system and service health
* **so-allow** — Manage firewall rules and IP access
* **so-import-pcap** — Import and analyze captured network traffic
* **so-query** — Query Elasticsearch directly from the terminal
* **so-dashboard** — Manage and monitor dashboard views

```bash
sudo so-import-pcap /path/to/traffic.pcap
```

This command imports and indexes network captures into the Elastic Stack for retrospective analysis.

## Integration with SIEM and EDR

Security Onion can send data to external systems like:

* **Splunk**
* **Microsoft Sentinel**
* **Wazuh EDR**
* **Graylog**
* **ArcSight**

```mermaid
flowchart LR
SO[Security Onion] --> Splunk
SO --> Sentinel
SO --> Wazuh
SO --> Graylog
SO --> ArcSight
```

This allows hybrid monitoring and advanced analytics across diverse environments.

## Key Takeaways

* Security Onion is an **all-in-one platform** for IDS, NSM, and log management.
* Combines **Snort/Suricata**, **Zeek**, **Elastic Stack**, **Wazuh**, and **TheHive**.
* Perfect for **SOC environments**, **blue team training**, and **incident response**.
* Supports **distributed deployments** for scalability.
* Offers **real-time dashboards** and **correlation across multiple data sources**.
174 changes: 172 additions & 2 deletions docs/cybersecurity/cybersecurity-tools/monitoring-and-defense/snort-ids.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,173 @@
import ComingSoon from '@site/src/components/ComingSoon';
---
title: "Snort IDS (Intrusion Detection System)"
description: "Learn how Snort works as one of the most powerful open-source Intrusion Detection and Prevention Systems (IDS/IPS). Understand its architecture, rule-based detection, deployment modes, and real-world use cases."
sidebar_label: "Snort IDS"
---

<ComingSoon />
**Snort** is an **open-source Intrusion Detection and Prevention System (IDS/IPS)** developed by **Cisco**. It’s one of the most widely used network security tools for detecting and preventing malicious network traffic in real time.

## What is Snort?

Snort acts as a **network traffic analyzer** that monitors packets flowing through the network and compares them against predefined **rules** or **signatures**.

It can operate in multiple modes:

| Mode | Description |
|------|--------------|
| **Sniffer Mode** | Reads network packets and displays them on the console. |
| **Packet Logger Mode** | Logs packets to disk for later analysis. |
| **Network Intrusion Detection (NIDS) Mode** | Analyzes network traffic and alerts for suspicious activity. |
| **Intrusion Prevention (IPS) Mode** | Detects and blocks malicious packets in real time. |


## Snort Architecture

```mermaid
graph TD
A[Packet Capture - Libpcap] --> B[Preprocessors]
B --> C[Detection Engine]
C --> D[Logging & Alerting]
D --> E[Output Plugins]

subgraph "Snort IDS Pipeline"
A
B
C
D
E
end
```

**Explanation:**

* **Packet Capture:** Uses `libpcap` to capture live network packets.
* **Preprocessors:** Normalize and prepare packets for detection (e.g., decode protocols, detect anomalies).
* **Detection Engine:** Matches traffic against Snort rules and triggers alerts.
* **Logging & Alerting:** Records alerts or logs for review.
* **Output Plugins:** Export data to databases, dashboards, or SIEM tools.

## Snort Rule Syntax

Snort rules are written in a simple yet powerful format:

```bash
alert tcp any any -> 192.168.1.0/24 80 (msg:"Possible web exploit"; content:"/bin/sh"; sid:1000001; rev:1;)
```

### Rule Breakdown

| Part | Meaning |
| ----------------------------- | --------------------------------------- |
| `alert` | Action to take (alert, log, pass, drop) |
| `tcp` | Protocol type |
| `any any` | Source IP and port |
| `->` | Traffic direction |
| `192.168.1.0/24 80` | Destination IP range and port |
| `msg:"Possible web exploit";` | Description shown in alert |
| `content:"/bin/sh";` | Signature or string to match |
| `sid:1000001;` | Unique Snort rule ID |
| `rev:1;` | Rule version |


## How Snort Detects Intrusions

Snort’s detection process follows a **rule-based mathematical model**:

$$
A(t) = f(P, R, C)
$$

Where:

* $A(t)$ = Alert at time *t*
* $ P $ = Packet data captured
* $ R $ = Rule set applied
* $ C $ = Context (state/session information)

The function $( f ) $ determines whether a packet matches a rule condition, producing an alert if true.

## Example: Detecting a Port Scan

```bash
alert tcp any any -> any 22 (flags:S; msg:"Possible SSH Port Scan"; sid:2000001;)
```

This rule triggers an alert whenever a **TCP SYN packet** targets port **22 (SSH)** — a common behavior during a scan.

## Snort in Action (Workflow)

```mermaid
sequenceDiagram
participant Net as Network Traffic
participant Cap as Packet Capture
participant Pre as Preprocessor
participant Det as Detection Engine
participant Log as Alert System

Net->>Cap: Capture packets (libpcap)
Cap->>Pre: Normalize data
Pre->>Det: Match with rules
Det->>Log: Generate alert/log
```

## Integration & Automation

Snort integrates with various tools for **alert management** and **data visualization**:

* **Snorby** – Web interface for Snort alerts
* **BASE** – Basic Analysis and Security Engine
* **Splunk / ELK Stack** – For SIEM and visualization
* **Security Onion** – Linux distro with Snort preconfigured

```mermaid
flowchart LR
Snort --> BASE
Snort --> Snorby
Snort --> Splunk
Snort --> ELK[ELK Stack]
ELK --> SOC[Security Operations Center]
```

## Formula: Rule Matching Probability

Snort’s detection efficiency can be approximated as:

$$
P_{match} = \frac{M_r}{T_p}
$$

Where:

* $P_{match} $ = Probability of rule match
* $ M_r $ = Matched rules count
* $ T_p $ = Total packets processed

A higher $ P_{match} $ indicates frequent matches, possibly signaling an attack or misconfigured rule.

## Deployment Options

| Environment | Recommended Mode |
| ---------------------- | --------------------------- |
| **Home / Lab** | IDS (alert-only) |
| **Enterprise Network** | IPS (preventive blocking) |
| **Cloud / VM** | Inline bridge mode |
| **SOC Environment** | Combined Snort + SIEM setup |

## Example: Inline IPS Mode Setup (Linux)

```bash
sudo snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf -A console
```

* `-Q`: Enables inline mode
* `--daq afpacket`: Uses AFPacket for inline packet capture
* `-i eth0:eth1`: Bridge between two interfaces
* `-A console`: Prints alerts to the console

## Key Takeaways

* **Snort** is a rule-based **IDS/IPS** used for packet-level network security.
* It uses **libpcap** for packet capture and **custom rules** for detection.
* Supports **multiple operation modes** (sniffer, logger, IDS, IPS).
* Easily integrates with **SIEMs** like Splunk and ELK for advanced monitoring.
* **Continuous rule updates** and **proper tuning** are critical for accuracy.
Loading
Loading