Bootstrap your Network Security Monitoring with Security Onion

  • Published 12 Sep 2024

COMMENTS • 33

  • @rot169  3 years ago  +7

    This is the first in a new series where I’ll be putting a greater focus on blue/defensive topics. Don’t worry, I’ll still be creating the ‘classic’ Attack Detect Defend style videos too! Please let me know in the comments what you think of this new style, and if you have good ideas for future topics!

  • @theburtmacklin9615  3 years ago  +5

    I’m very much a fan of this direction you’re taking your channel. Maybe next we could see augmenting the SIEM with log forwarding / Sysmon?

    • @rot169  3 years ago  +1

      Host logs, sysmon, etc... Oh yes, that's very much where I'm heading with this :-) Thank you for your support!

  • @rogue3123  8 months ago  +2

    Excellent video, great explanation

  • @GOTHAM21  6 months ago  +1

    Yes, more detail on virtual monitoring, please.

  • @arsalananwar8265  1 year ago  +1

    This will help a lot of folks! Great explanation, keep making more and more videos.

  • @haize198  3 years ago  +1

    Awesome, looking forward to this series

    • @rot169  3 years ago  +1

      That's great to hear - I hope I don't disappoint! 😂

    • @haize198  3 years ago  +1

      @rot169 Trust me, your videos are sooo cool and helpful.

  • @danieleperera6788  3 years ago  +1

    Thanks a lot for good quality Infosec videos!

    • @rot169  3 years ago  +1

      My pleasure - I'm glad you like them!

  • @slothking3756  1 year ago

    You earned my follow. Very decisive and informative. Thank you.

  • @sumanthdodda8304  3 years ago  +1

    I love your content very much!!
    Thanks Andy.
    Love from India ;p

    • @rot169  3 years ago

      Thank you for the kind words and support!! :-)

  • @aktharhussain1606  2 years ago

    Excellent, looking for more step-by-step videos.

  • @anthonymansour3059  3 years ago

    Awesome content! Maybe when you are done with this series, you can make a short video on security automation using SOAR technology and how such incidents and alerts are handled automatically...

    • @rot169  3 years ago  +1

      That sounds like a great idea! It'll probably be a while before I get to it, but it'll fit in perfectly to this 'blue'-focused series - thanks for the suggestion! :-)

  • @SonNguyen-uf2wp  3 years ago

    Thanks a lot, now I'm a big fan of your channel.

  • @wendy_113  11 months ago

    I appreciate your help so much.

  • @DayNja1423  1 year ago

    When will you be making more videos like this?

  • @YoussefMrabetYMF68  2 years ago

    Hi Andy, really awesome content!!! Is it possible to implement Security Onion in VMware Fusion with min. specs? I need help with this.. Thank you for your awesome channel content!!!!

  • @INSAN3JAK3  2 years ago

    Hello!
    Thanks a lot mate for your very informative tutorial 🙏 very helpful!
    I wanted to ask if I can use a screenshot of your Security Onion Architecture Overview at 1:12 for my Bachelor thesis, of course referencing/acknowledging accordingly?
    (You can also let me know how I shall acknowledge/reference you.)
    And regarding ideas for additional content, could you maybe do an Architecture Overview for the host-based tools as well, as you did for the network-based tools?
    Would be super great and helpful!
    Greetings!
    PS: subbed of course 🙏

    • @rot169  2 years ago  +1

      Thanks for checking! :-) Yes, feel free to use that screengrab with a reference to the video URL and "Attack Detect Defend".
      And thanks for the idea around host-based tools... I'll add it to my 'TODO' list! :-)
      Good luck with the thesis - sounds like an awesome project!

    • @INSAN3JAK3  2 years ago

      @rot169
      Thanks a lot man!
      Yeah, so in my thesis I am setting up a virtual Windows test environment, including a standalone Security Onion node, and running Red Canary Atomic tests against one Windows machine and checking, for each test, what Security Onion detects.
      Greetings!

  • @opeyemibalogun6486  3 years ago

    Very informative! Can you please tell me how to enable SO to capture live traffic? I have it configured on a standalone VM with 2 LAN interfaces added; the only time I was able to get traffic is when I used the command "sudo so-test". Can I capture live traffic? If yes, kindly help.

    • @rot169  3 years ago

      SecOnion should just do this automatically, based on the network interfaces you configured for monitoring during the setup process. You can also run 'so-monitor-add' to add a network interface to be monitored at a later date. I hope this helps!

    • @opeyemibalogun6486  3 years ago

      @rot169 Hi, do I need to run any command to enable the sniffing interface to be active?

    • @rot169  2 years ago

      No; if you configured your monitor interfaces as part of the install, or you use 'so-monitor-add' later, then SecOnion should just do everything else. Can you see traffic if you run 'tcpdump' on your monitor interface? If not, maybe your issue is with the VM network config? What hypervisor are you using, and what mode are the interfaces in?
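
The troubleshooting steps in the exchange above (is the monitor interface actually up and sniffing, and does tcpdump see anything on it?) can be turned into a small check script. The script below is an added example, not code from the video or from the Security Onion project. It assumes a Linux sensor with iproute2 `ip`, `tcpdump` and coreutils `timeout`, and it assumes that a monitor interface Zeek/Suricata have attached to shows the `PROMISC` flag in `ip link` output (an interface without that flag is not being sniffed). The `ip -o link` sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the video or the Security Onion project):
# sanity-check a Security Onion monitor ("sniffing") interface.
# Assumes Linux iproute2 `ip`, tcpdump and coreutils `timeout`.

# iface_state LINE
#   LINE is one line of `ip -o link show dev IFACE` output.
#   Prints "ok", "down" or "no-promisc" and returns 0 only for "ok".
#   Assumption: an interface the sensor is sniffing carries the PROMISC flag.
iface_state() {
    _line=$1
    # pull the comma-separated flag list out of the <...> brackets
    _flags=$(printf '%s\n' "$_line" | sed -n 's/^[0-9]*: *[^:]*: *<\([^>]*\)>.*/\1/p')
    case ",$_flags," in
        *,UP,*) ;;
        *) echo "down"; return 1 ;;
    esac
    case ",$_flags," in
        *,PROMISC,*) echo "ok"; return 0 ;;
        *) echo "no-promisc"; return 1 ;;
    esac
}

# check_monitor_iface IFACE
#   Live check (needs root): report the link state, then count the packets
#   tcpdump sees in a 5 second window. Zero packets on an UP+PROMISC interface
#   points at the hypervisor side (port group / promiscuous-mode policy, wrong
#   adapter mode), not at Security Onion itself.
check_monitor_iface() {
    _dev=$1
    _state=$(iface_state "$(ip -o link show dev "$_dev")") || {
        echo "$_dev: $_state (fix the link state before looking further)"
        return 1
    }
    _pkts=$(timeout 5 tcpdump -nn -i "$_dev" -c 20 2>/dev/null | wc -l)
    echo "$_dev: $_state, $_pkts packets seen in 5s"
    [ "$_pkts" -gt 0 ]
}

# Constructed sample lines (not from a real host) so the parser can be
# exercised offline; they mimic `ip -o link show dev eth1` output.
SAMPLE_OK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_DOWN='3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_NOPROMISC='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Usage: sh check_monitor.sh eth1   (live check of a real monitor interface)
#        sh check_monitor.sh        (offline demo on the constructed samples)
if [ -n "${1:-}" ]; then
    check_monitor_iface "$1"
else
    for _s in "$SAMPLE_OK" "$SAMPLE_DOWN" "$SAMPLE_NOPROMISC"; do
        iface_state "$_s" || true
    done
fi
```

Run it with the monitor interface name as the only argument on the sensor; "down" means the VM never brought the adapter up, "no-promisc" means nothing has attached to it for sniffing (re-check the interface was selected at install time or added with `so-monitor-add`), and "ok" with zero packets means the traffic is not reaching the VM at all.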