SECURENEXUS - TO INVESTIGATE

NETWORK PACKETS FOR UNAUTHORIZED

ACCESS USING SECURITY ONION

MINI PROJECT REPORT

Submitted by

AKASH.K (622121111001)

KESHAVAN.T (622121111027)

VINOTH KUMAR.M (622121111063)

In partial fulfillment for the award of the degree of

BACHELOR OF ENGINEERING

IN

CYBER SECURITY

PAAVAI ENGINEERING COLLEGE, NAMAKKAL

(AUTONOMOUS)

wNOVEMBER 2024
 SECURENEXUS - TO INVESTIGATE
NETWORK PACKETS FOR UNAUTHORIZED
ACCESS USING SECURITY ONION

MINI PROJECT REPORT

Submitted by

AKASH.K (622121111001)

KESHAVAN.T (622121111027)

VINOTH KUMAR.M (622121111063)

In partial fulfillment for the award of the degree of

BACHELOR OF ENGINEERING

IN

CYBER SECURITY

PAAVAI ENGINEERING COLLEGE, NAMAKKAL

(AUTONOMOUS)

NOVEMBER 2024

i
 BONAFIDE CERTIFICATE

Certified that this project report “ SECURENEXUS - TO

INVESTIGATE NETWORK PACKETS FOR UNAUTHORIZED ACCESS
USING SECURITY ONION ” is bonafide work of “AKASH.K
(622121111001), KESHAVAN.T (622121111027) and VINOTH KUMAR.M
(622121111063)” who carried out the project work under my supervision.

SIGNATURE SIGNATURE

Dr. P. MUTHUSAMY, M.E.,Ph.D., Mrs.J.VELUMANI

PROFESSOR PROFESSOR

HEAD OF THE DEPARTMENT ASSOCIATE PROFESSOR

DEPARTMENT OF CYBER SECURTIY DEPARTMENT OF CYBER SECURITY
PAAVAI ENGINEERING COLLEGE PAAVAI ENGINEERING COLLEGE,
PACHAL, NAMAKKAL-637018. PACHAL, NAMAKKAL-637018.

Submitted for the Project Viva Voice held on ……………………..

INTERNAL EXAMINER EXTERNAL EXAMINER

ii
 DECLARATION

We, AKASH.K, KESHAVAN.T and VINOTH KUMAR.M here

by declare that the project report titled SECURENEXUS - TO INVESTIGATE
NETWORK PACKETS FOR UNAUTHORIZED ACCESS USING
SECURITY ONION done by us under the guidance of Mrs.VELUMANI
ASSOCIATE PROFESSOR at PAAVAI ENGINEERING COLLEGE,
NAMAKKAL is submitted in partial fulfillment of the requirements for the award
of BACHELOR OF ENGINEERING degree in CYBER SECURITY. Certified
further that, to the best of our knowledge, the work reported here in does not form
part of any other project report or dissertation on the basis of which a degree or
award was conferred on an earlier occasion on this or any other candidate.

1.

2.

DATE : 3.
PLACE: PACHAL SIGNATURE OF THE CANDIDATES

iii
 ACKNOWLEDGEMENTS

A great deal of arduous work and efforts has been spent in implementing this projectwork.
Several special people have guided us and have contributed significantly to this workand so this
becomes obligatory to record our thanks to them.

We express our profound gratitude to our honorable Chairman,

Shri.CA.N.V.NATARAJAN, B.Com.,F.C.A. and also to our Correspondent
Smt.N.MANGAINATARAJAN, M.Sc., for providing all necessary facilities for the successful
completion of this project.

We wish to express our sincere thanks to our respected Director Administration,

Dr.K.K.RAMASAMY, M.E., Ph.D., for all the blessing and help provided during the period of
project work.

We would like to thank our respected Principal Dr.M.PREM KUMAR, M.E., Ph.D.,
for allowing us to do this project and providing requires time to complete the same.

We wish to express our sincere gratitude to Dr.P.MUTHUSAMY, Head Department

of Cyber Security for his extended encourage fulfilling this project.

We express our sincere thanks, Mr.R.LOGANATHAN, as a Project Coordinator for

the useful suggestions; this helped us for completing the project, work in time.

We would like to extend our sincere thanks Mrs.VELUMANI, for giving this
opportunity to do this project and also for her inspiring guidance, generous help and support.

We would like to extend our sincere thanks to all our Department faculty members
and to our parents for their advice and encouragement to do the project work with full interest
and enthusiasm.

iv
 ABSTRACT

This Securenexus –To Investigate Network Packets for Unauthorized

Access Using Security Onion focuses on implementing a PCAP (packet capture)
investigation module using Security Onion to enhance the analysis and response
capabilities of a Security Operations Center (SOC). PCAP investigations allow
for a deep examination of network traffic data to uncover potential security
incidents and reconstruct malicious activities. By leveraging Security Onion’s
powerful analysis tools such as Suricata, Zeek, and Kibana, this project provides
a comprehensive platform for detecting anomalous traffic patterns and
investigating security events in detail. The system supports full packet capture,
enabling analysts to identify threat signatures, analyze payloads, and trace the
actions of threat actors effectively. Although challenges include handling large-
scale data storage and the complexity of data interpretation, this PCAP-focused
approach ensures thorough incident response and forensic analysis, contributing
to improved network defense and threat intelligence in a SOC environment..

v
 TABLE OF CONTENTS

CHAPTER NO TITLE PAGE

NO
ABSTRACT v

LIST OF FIGURES vii

LIST OF ABBREVIATIONS ix

1 INTRODUCTION 1

1.1 Introduction 1
1.2 objective 2
2 LITERATURE REVIEW 3

2.1 Existing survey 3

3 SYSTEM ANALYSIS 7

3.1 Existing system 7

3.1.1 Drawbacks 7

3.2 Proposed system 8

3.2.1 Advantage 11

4 SOFTWARE SPECIFICATION 12

4.1 Hardware requirements 12

4.2 Software requirements 12

5 PROJECT DESCRIPTION 13

5.1 Problem definition 13

5.2 Overview of the project 13

vi
6 MODULE DESCRIPTION 15

6.1 Modules used 15

6.2 Module description 15

6.2.1 Network Traffic module 15

6.2.2 Intrusion Detection module 16
6.2.3 Threat Intelligence Integration module 16

6.2.4 Log Management and Storage module 17

6.2.5 Visualization and Dashboard module 17
6.2.6 PCAP Analysis module 18

7 SYSTEM DESIGN 20

7.1 System architecture 20

7.2 System diagram 21

8 RESULT 24

8.1 Datasets 24

8.2 Result 24

9 CONCLUSION AND FUTURE ENHANCEMENT 25

9.1 Conclusion 25

9.2 Future enhancement 25

APPENDIX-I(SCREENSHORTS) 27

REFERENCE 30

vii
 LIST OF FIGURES
FIGURE NO. TITLE PAGE NO.

3.1 The propose of watermarking and blockchain 9

7.1 System diagram 21
7.2 Work flow process 22
7.3 Blockchain technology explained 23
1 Code execution platform 35
2 Running the code in the open server 35
3 Front page of the project 36
4 Result with hash value 36

viii
 LIST OF ABBREVIATIONS

DRM Digital Rights Management

DAOS Decentralized Autonomous Organization
LSB Least Significant Bit
DWT Discrete Wavelet Transform
AR Augmented Reality
VR Virtual Reality
DMM Decentralized Marketplace Module

ix
 CHAPTER 1

INTRODUCTION
1.1 INTRODUCTION

In the evolving landscape of cybersecurity, effective monitoring and analysis of network traffic
are crucial for detecting and responding to potential threats. This project, titled Securenexus – To
Investigate Network Packets for Unauthorized Access Using Security Onion, is designed to
bolster network security by leveraging Security Onion for comprehensive PCAP (packet capture)
investigations. Security Onion is an open-source platform that integrates powerful tools like
Suricata, Zeek, and Kibana to enable real-time monitoring, threat detection, and forensic
analysis. The primary goal of this project is to utilize PCAP analysis to identify and investigate
unauthorized access and suspicious activities within network traffic. By capturing and examining
packet-level data, the system allows for in-depth exploration of security events, facilitating the
detection of anomalies, tracing of malicious actors, and reconstruction of attack scenarios. This
approach empowers SOC analysts with detailed insights into the nature and scope of potential
incidents, enabling effective incident response and proactive defense measures. While the use of
PCAP investigation provides a robust method for threat analysis, challenges such as large-scale
data management and the complexity of interpreting captured data must be addressed. Despite
these obstacles, integrating Security Onion for PCAP investigations enhances the capabilities of
a SOC, promoting a higher level of network security and resilience against cyber threats.

1
 1.2 OBJECTIVE

The primary objective of the Securenexus – To Investigate Network Packets for Unauthorized
Access Using Security Onion project is to enhance the threat detection and investigation
capabilities within a Security Operations Center (SOC). By employing Security Onion, this
project aims to establish a comprehensive platform for real-time monitoring and analysis of
network traffic. The system will focus on capturing packet-level data (PCAP) to identify
unauthorized access attempts, detect anomalies, and correlate security events effectively using
tools like Suricata and Zeek.

A significant goal of the project is to utilize PCAP investigations for detailed forensic analysis,
enabling SOC analysts to trace attack vectors, reconstruct incidents, and gain a thorough
understanding of security breaches. The project will support the examination of payloads, packet
headers, and metadata to uncover the tactics and techniques employed by malicious actors. By
integrating Security Onion’s capabilities, this project aims to equip analysts with actionable
insights to enhance incident response and improve the overall cybersecurity posture.

Despite the potential challenges of managing large-scale data and interpreting complex traffic
information, this project will explore solutions to optimize data handling and streamline analysis
processes. The ultimate objective is to empower network security analysts with the tools needed for
efficient and accurate packet analysis, reducing response times and improving the effectiveness of
threat mitigation efforts. Through this project, the SOC will gain enhanced visibility and control over
Network s trategies

2
 CHAPTER 2

LITERATURE REVIEW
2.1 EXISTING SURVEY
1. Kawadia, V., & Kumar, P. R. (2005). Experimental Investigations into TCP Performance
over Wireless Multihop Networks. In SIGCOMM'05 Workshops, August 22–26, Philadelphia,
PA, USA, ACM, 29-34.

In their paper, Kawadia and Kumar (2005) explore the performance of the TCP protocol in static
wireless multihop networks through a series of real-world experiments. They used laptops with
IEEE 802.11b wireless cards and copper tape to create controlled topologies. Their findings
highlight the importance of factors like congestion window clamping and disabling RTS-CTS
handshakes, showing significant improvements in delay, jitter, and throughput. They conclude
with recommendations for TCP parameters and modifications to enhance performance in such
networks, including maintaining small buffer sizes and adaptive retry limits at the MAC layer.

2. Babu, R. (2022). Network Traffic Analysis and Anomaly Detection: A Comparative Case
Study. Master’s thesis, Halmstad University, Master’s Programme in Network Forensics.

In Rona Babu's (2022) master’s thesis titled "Network Traffic Analysis and Anomaly Detection:
A Comparative Case Study," the author investigates network traffic analysis (NTA) and anomaly
detection using two prominent tools: Splunk and Security Onion. The study aims to evaluate the
efficiency, usability, and key differences between these tools in terms of network traffic
monitoring and intrusion detection. Security Onion, an open-source platform, and Splunk, a paid
SIEM tool, were compared through a case study involving packet analysis from network traffic
data.

3. Heikkinen, R. (2018). Information Security Case Study with Security Onion at Kajaani
UAS Datacentre Laboratory. Bachelor’s thesis, Kajaani University of Applied Sciences.

In Raimo Heikkinen's (2018) thesis titled "Information Security Case Study with Security Onion
at Kajaani UAS Datacentre Laboratory," the author examines the deployment and efficacy of
Security Onion as an intrusion detection system (IDS) within the university's data center
environment. The study aims to bolster the data center’s security through practical
implementation, focusing on network traffic monitoring and full packet capture for forensic.
3
4. Dr. Amit Sharma (2018) ,PCAP ANALYSIS OF CLOUD NETWORK USING
ADVANCE MACHINE LEARNING.

The investigation of learning in antagonistic situations is a developing control at the point

between Advance Machine learning and PC security. The enthusiasm for learning-based
strategies for security-and framework plan applications originates from the high level of intricacy
of marvels fundamental the security and dependability of PC frameworks. As it turns out to be
progressively trouble some to achieve the craved properties exclusively utilizing statically
planned components.

5. Ross Heenan and Naghmeh Moradpoor (2016) Introduction to Security Onion.

In his article Security Onion is a Network Security Manager (NSM) platform that provides
multiple Intrusion Detection Systems (IDS) including Host IDS (HIDS) and Network IDS
(NIDS). Many types of data can be acquired using Security Onion for analysis. This includes
data related to: Host, Network, Session, Asset, Alert and Protocols.

6. Resmi AM (2017) Intrusion Detection System Techniques and Tools Ph D. Research

Scholar, Dept of Computer Science, NGM college, (Autonomous).

An intrusion detection system (IDS) examines network traffic for any suspicious and irregular
activity and alerts the system or network administrator [1]. In some cases the IDS it may also
counter to anomalous or malicious traffic by taking action such as blocking or isolating the user
or source IP address from accessing the network The goal of Intrusion detection systems is to
identify attacks with a high detection rate and a low false alarm rate Host-based intrusion
detection system are designed to monitor, detect, and respond to user system activity and attacks.

4
7. Bezborodov Sergey(1016) , Intrusion Detection System and Intrusion Prevention System
with Snort provided by Security Onion. Bachelor’s Thesis Information Technology.

In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution
with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion
environment and check what features it provides for processing with Snort. During the work I
needed to figure out the pros and cons of using Security Onion with Snort as a security system
for network. I compared it with alternatives and briefly describe it.

8. Jansen, Kayla, "Testing the Security Onion" (2018). Culminating Projects in

Information Assurance. 70.

Security professionals utilize different types of systems, tools, and software in an attempt to
secure an organization from external threats. There are many challenges that professionals face,
when attempting to choose and execute a system into their framework. Because of these
challenges, professionals may decide to go with a free open source system, such as the Security
Onion. However, there is little information or results that show the effectiveness of the system.
Several articles indicate ways of configuring the system or examining certain components within
it.

9. Bezborodov Sergey (2016). Intrusion Detection Systems and Intrusion Prevention

System with Snort provided by Security Onion.

In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution
with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion
environment and check what features it provides for processing with Snort. During the work I
needed to figure out the pros and cons of using Security Onion with Snort as a security system
for network. I compared it with alternatives and briefly describe it . As result I installed Security
Onion, work with the environment, configured different features, created and modified rules and
so on. I think this thesis will be helpful for people who want to use IDS/IPS for their network, it
should help them to choose IDS/IPS vendor, make Security Onion and Snort installation, make
comparison with another one and just get familiar with the network security tools. Also, this
thesis can be a part of big research of network security tools,

10. F . K a t u l i ć , D . S u m i n a , I . E r c e g , S . G r o š . (2022). Enhancing

Modbus/TCP-Based Industrial Automation and Control Systems Cybersecurit yUsing a
Misuse-Based Intrusion Detection System
5
The Modbus over TCP (Modbus/TCP) is a very popular protocol in industrial automation and
control systems (IACS), but at the same time it is completely unprotected in terms of
cybersecurity. This allows adversaries to manipulate controlled processes by forging or
modifying process values in the Modbus protocol data unit (PDU), potentially causing damage to
IACSs. In this paper, we propose the use of a misusebased intrusion detection system (IDS) to
detect out-of-bound process values and in that way make it difficult for an adversary to
manipulate process values. To test the feasibility of this approach, a cyber-physical system was
created, simulating an IACS water treatment plant. The implemented rule-based alarms and
warnings were based on the industrial process and an adversary threat model, focusing on the
process values of the IACS. This approach shows a promise as an additional safety mechanism to
standard IACS cybersecurity solutions. This paper gives an analysis of potential IACS
cybersecurity enhancements based on the generation of rules for process values for the plant-
specific misuse-based intrusion detection system (IDS). In contrast to previous studies in which
the IDS was implemented at the IT level, this paper proposes an additional implementation of the
IDS.

6
 CHAPTER 3

SYSTEM ANALYSIS
3.1 EXISTING SYSTEM

Current approaches to network security and packet analysis in many organizations rely on
separate tools for intrusion detection, traffic monitoring, and log analysis. While these systems
can provide basic security insights, they often lack full integration, resulting in fragmented data
sources and limited cross-referencing capabilities. Traditional Intrusion Detection Systems (IDS)
might detect known threats but often do not offer the in-depth packet capture and inspection
necessary for comprehensive incident analysis. This can make it difficult for security teams to
accurately identify and trace complex attacks or reconstruct incidents for thorough investigation.
Existing systems typically focus on network metadata and higher-level logs, which, while useful
for basic detection, do not provide the detail required for deep forensic investigations. The
absence of full-packet capture (PCAP) capabilities restricts analysts from examining the entire
payload of network packets. This limitation reduces their ability to uncover hidden threats,
analyze the exact behavior of attackers, and determine the full impact of a breach. Furthermore,
tools that do support packet capture often come with high resource demands and are challenging
to scale, making them less practical for large or high-traffic networks..

3.1.1 DRAWBACKS

1. High Resource Consumption: Full packet capture (PCAP) and analysis require significant
processing power, memory, and storage, especially in high-traffic networks. This can lead to
performance issues and increased infrastructure costs.

2. Data Volume Management: PCAP analysis generates large volumes of data that can be
difficult to store and manage efficiently. Handling and archiving this data for long-term use can
add complexity and resource requirements.

3. Complexity in Data Interpretation: Analyzing raw packet data can be challenging and time-
consuming. Security analysts may need specialized skills to parse and interpret the vast amount
of detailed information generated by PCAP captures.. The complexity increases as analysts need
to differentiate between normal network activity and potential threats, often requiring advanced
knowledge of network protocols, attack patterns, and the tools used to process the data.
7
 4. Slower Incident Response: The sheer volume of data generated by PCAP captures can lead to
slower incident response times, especially when analysts must sift through large amounts of
traffic data to identify threats.

5. Integration Challenges: Integrating Security Onion with existing security infrastructure can
be complex, requiring extensive configuration and potentially creating compatibility issues with
other security tools.

6. False Positives and Alert Overload: If Security Onion is not properly tuned, the system may
generate false positives or excessive alerts, overwhelming analysts and hindering effective threat
detection and response.

PROPOSED SYSTEM

The proposed system was implemented in two stages:

• Setup and Configuration of Security Onion

• PCAP Analysis and Investigation

Setup and Configuration of Security Onion :

1. Installation and Component Setup: The first step involved installing Security Onion on
a dedicated machine or virtual environment. After installation, components such as
Suricata (for intrusion detection), Zeek (for network monitoring), and the Elastic Stack
(Elasticsearch, Logstash, Kibana) were configured. These tools were set up to collect,
store, and analyze network traffic data, ensuring that Security Onion was ready to handle
large-scale security monitoring and PCAP captures.
2. Network Traffic Capture and Sensor Deployment: The next phase involved deploying
network sensors across the network to capture live traffic. Configuration was done to ensure
that all network traffic was properly monitored, and PCAP data was recorded. Rules were
applied for detecting known threats and anomalies, while Security Onion's web interface was
configured for easy management of the captured data. This stage ensured that the system could
continuously monitor network traffic for potential security incidents Network traffic filters
were also configured to capture specific protocols of interest, enabling more focused analysis
and ensuring that only relevant data was collected for efficient threat detection and
investigation.
8
Figure 3.1 illustrates the proposed system of Security onion .

9
PCAP Analysis and Investigation

In the PCAP analysis and investigation phase, the primary focus was on utilizing the packet capture
data collected by Security Onion to investigate potential security incidents. The PCAP files, containing
detailed network traffic data, were examined using the integrated tools within Security Onion, such as
Suricata for intrusion detection, Zeek for network monitoring, and Kibana for data visualization. Once
the network traffic was captured, Suricata’s IDS capabilities were used to analyze the traffic for known
threat signatures and suspicious activities. Alerts and logs generated by Suricata helped to identify any
anomalous behavior or unauthorized access attempts in the network. These alerts were then cross-
referenced with the full PCAP data to investigate further. Zeek, another key tool, was utilized to provide
deeper network insights by parsing network traffic into structured logs. This allowed analysts to gain a
more comprehensive view of the network’s behavior, identifying patterns and correlating events that
may indicate a potential attack. PCAP data was further analyzed to track the flow of malicious traffic
and determine the attack's origin, methods, and impact. Kibana was used to visualize and filter the
captured data, allowing for easier identification of trends and anomalies. It helped security analysts
trace specific packets, reconstruct attack scenarios, and assess the full scope of the incident. By
analyzing the packet-level data, the system was able to reconstruct attack patterns, providing insights
into the vulnerabilities exploited and improving the response to future threats. This detailed forensic
investigation enhanced the overall security posture of the network. The PCAP analysis and investigation
phase involved examining captured network traffic using Security Onion's tools to identify, analyze,
and trace potential security incidents, providing detailed insights for effective incident response.

10
 3.2.1 ADVANTAGE:

1. Comprehensive Threat Detection: Security Onion integrates tools like Suricata and Zeek,
providing real-time detection of network-based threats, enhancing the ability to identify a wide
range of potential security risks including malware, intrusions, and unauthorized access.

2. Deep Packet Inspection: The use of PCAP for detailed packet-level analysis offers a deeper
understanding of network traffic, enabling the detection of hidden threats, such as data exfiltration
or command-and-control traffic, that are often missed by traditional systems..

3. Centralized Security Management: Security Onion consolidates security monitoring, intrusion

detection, and traffic analysis into a single platform, simplifying the management process and
improving operational efficiency by eliminating the need for multiple separate tools..

4. Real-Time Forensic Investigation: The ability to capture and store network packets enables
immediate forensic analysis, helping security teams trace the full scope and nature of a security
incident, uncovering attack methods, and providing actionable intelligence.

5. Improved Incident Response: With granular visibility into network activity, analysts can track
attack paths, reconstruct incidents, and respond more quickly to security breaches, minimizing
damage and enhancing the overall effectiveness of incident response.

6. Scalability and Flexibility: Security Onion provides excellent scalability, making it suitable for
networks of any size, from small businesses to large enterprises. Its flexible configuration allows
customization to meet diverse security requirements, ensuring it can be adapted to different
infrastructures and evolve with changing network environments and emerging security threats.

11
 CHAPTER 4

SOFTWARE SPECIFICATION
4.1 HARDWARE REQUIREMENTS

❖ Processor : Intel / AMD

❖ RAM : 4 to 8 GB
❖ Hard disk : 512 GB
❖ Other : keyboard and mouse

4.2 SOFTWARE REQUIREMENTS

❖ Operating system : Windows 10 (or) 11

❖ Security Onion : on virtual install

12
 CHAPTER 5

PROJECT DESCRIPTION
5.1 PROBLEM DEFINITION

This project, Security Onion + PCAP Investigation, addresses these challenges by

providing an integrated solution for deep packet inspection and real-time network monitoring.
By capturing and analyzing network packets in detail through Security Onion, we aim to uncover
hidden threats, identify unauthorized access attempts, and enable thorough forensic
investigations. This approach enhances threat detection, reduces false positives, and improves
incident response by providing a clearer understanding of the attack's scope and tactics. The lack
of real-time packet-level analysis is a critical gap, as malicious actors can disguise their attacks
within legitimate-looking traffic, making it difficult to detect threats. Furthermore, network
traffic can become overwhelming, with massive volumes of data making it hard for security
analysts to isolate and investigate suspicious packets effectively. Without detailed forensic tools
to trace and analyze each packet, identifying the origin, path, and purpose of malicious traffic
becomes a daunting task. detecting unauthorized access and security breaches remains a
significant challenge.

5.2 OVERVIEW OF THE PROJECT

The Security Onion + PCAP Investigation project aims to enhance network security by integrating
Security Onion, an open-source intrusion detection and network monitoring platform, with packet
capture (PCAP) analysis for in-depth traffic investigation. Security Onion provides a comprehensive
suite of tools for monitoring network traffic, detecting intrusions, and managing security events. By
capturing raw network packets in real-time, the system enables detailed analysis of network activities,
uncovering hidden threats and unauthorized access attempts that may otherwise go undetected. The
project involves deploying Security Onion in a network environment to monitor and capture all
incoming and outgoing network traffic. The captured packets are stored and analyzed using Security
Onion’s integrated tools like Suricata (IDS), Zeek (network monitoring), and the Elastic Stack (for data
storage and visualization). The primary focus of the project is to enable real-time identification of
suspicious activities, such as malicious payloads, unauthorized access, and attempts to exploit network
vulnerabilities.

13
 CHAPTER 6

MODULE DESCRIPTION
6.1 MODULES USED

The project will involve six modules to implement the digital rights management (DRM) system
effectively. Here are the main modules:
❖ Network Traffic Capture Module
❖ Intrusion Detection Module
❖ Threat Intelligence Integration Module
❖ Log Management and Storage Module
❖ Visualization and Dashboard Module
❖ PCAP Analysis Module
6.2 MODULE DESCRIPTION

6.2.1 NETWORK TRAFFIC CAPTURE MODULE

In the Security Onion and PCAP investigation project, the Network Traffic Capture Module
involves setting up and configuring Security Onion on a server or virtual machine with network
interfaces set in promiscuous mode for traffic monitoring. Tools like Suricata and Zeek provide real-
time analysis and detailed traffic parsing. Traffic capture is conducted either live or on a schedule, with
the use of filters for refining the data. Captured data is stored following data retention policies and
managed through log rotation to ensure efficiency. The ELK Stack integrated with Security Onion aids
in visualizing data and creating dashboards for monitoring. Analysts use the Security Onion Console
(SOC) for alert triaging, and tools like Wireshark for in-depth PCAP analysis, enabling packet
inspection to identify potential threats. Post-capture, PCAPs are indexed, managed, and correlated with
logs for comprehensive investigation, forming a robust approach to network traffic analysis and
incident detection. This thorough process ensures that captured network traffic is efficiently managed,
analyzed, and correlated with alerts to enhance the overall security posture and incident response
capabilities.

14
6.2.2 INTRUSION DETECTION MODULE

The Intrusion Detection Module in your Security Onion and PCAP Investigation project is
essential for identifying potential threats within network traffic. This module leverages the power
of Suricata and Zeek as its primary components. Suricata serves as an advanced intrusion
detection system (IDS) that monitors network traffic in real-time, analyzing packets and
generating alerts when suspicious patterns or known threat signatures are identified. It provides
robust detection capabilities through rule-based analysis, enabling quick identification of potential
security breaches. Zeek, on the other hand, adds depth by parsing network traffic into detailed
logs, offering rich contextual information about each communication event. This module
continuously examines incoming and outgoing network traffic and generates alerts for anomalies
or security incidents. Analysts can access and review these alerts through the Security Onion
Console (SOC), correlating them with PCAP data to perform a comprehensive investigation. By
connecting these alerts to network session logs and packet data, analysts gain insights into the
nature and scope of potential intrusions, such as malware infections or unauthorized data access.
The Intrusion Detection Module thus enhances the organization’s ability to detect, respond to,
and mitigate security threats effectively.

6.2.3 THREAT INTELLIGENCE INTEGRATION MODULE

The Threat Intelligence Integration Module in your Security Onion and PCAP Investigation
project enhances the effectiveness of intrusion detection by integrating external threat
intelligence feeds into the network monitoring and analysis process. This module allows Security
Onion to consume and utilize threat intelligence from various external sources, such as open-
source intelligence (OSINT), commercial threat feeds, and government or industry-specific
sources. By incorporating these threat intelligence feeds, the system can correlate network traffic
with known Indicators of Compromise (IOCs), such as malicious IP addresses, domain names,
and file hashes. The integration of threat intelligence helps to improve the detection of advanced
persistent threats (APTs), zero-day vulnerabilities, and other sophisticated attack techniques.
Alerts generated by Suricata and Zeek are enhanced with contextual information from threat
intelligence sources, allowing analysts to quickly assess whether detected activity is tied to
known threat actors or campaigns. The Threat Intelligence Integration Module also facilitates
more proactive defense by continuously updating the network defense with the latest threat data,
enabling rapid response to emerging threats and reducing the time to detection. The Threat
15
 Intelligence Integration Module in the Security Onion and PCAP Investigation project further
strengthens the security posture by automating the enrichment of network traffic data with
external threat intelligence.

6.2.4 LOG MANAGEMENT AND STORAGE MODULE

The Log Management And Storage Module in your Security Onion and PCAP
Investigation project is crucial for organizing, storing, and managing large volumes of network
traffic and security-related logs. This module ensures that logs from tools like Suricata, Zeek,
and PCAP captures are efficiently collected, indexed, and stored for easy retrieval and analysis.
Security Onion leverages Elasticsearch to store logs in a scalable and searchable format,
allowing analysts to quickly query and analyze the data for potential threats or incidents. Data
retention policies are implemented to manage the lifespan of stored logs, ensuring that critical
data is retained for compliance and investigative purposes while old or unnecessary data is
archived or deleted. Additionally, Logstash is used to process and transform log data, enhancing
its quality and usability. The Kibana dashboard provides a user-friendly interface for visualizing
logs, creating alerts, and performing in-depth log analysis. This module helps streamline incident
response by ensuring that logs are securely stored, accessible, and ready for forensic
investigation whenever necessary, facilitating faster detection and resolution of security
incidents. The Log Management And Storage Module in the Security Onion and PCAP
Investigation project plays a pivotal role in the long-term management and analysis of network
traffic data and security alerts.

6.2.5 VISUALIZATION AND DASHBOARD MODULE

The Visualization And Dashboard Module in your Security Onion and PCAP Investigation project
provides an intuitive interface for analyzing and visualizing network traffic data and security alerts.
This module leverages Kibana, an open-source data visualization platform, to create interactive
dashboards that allow security analysts to monitor and interpret large volumes of data from Suricata,
Zeek, and PCAP captures in real-time. The ability to visualize network traffic patterns, detected
intrusions, and other relevant security metrics enables analysts to quickly spot trends, identify
anomalies, and respond to potential threats more effectively. With customizable dashboards, users can
create visualizations based on specific search criteria, such as IP addresses, protocol types, ports, or
alert severity. These visualizations can include time-series graphs, pie charts, tables, and heat maps,
which provide valuable insights into network behavior and potential security incidents.
16
6.2.6 PCAP ANALYSIS MODULE

The PCAP Analysis Module in your Security Onion and PCAP Investigation project is
essential for inspecting and analyzing network traffic captured in PCAP (Packet Capture) files.
This module uses tools such as Wireshark, tcpdump, and Zeek to parse, filter, and analyze
packet-level data for signs of suspicious activity or security incidents. The PCAP Analysis
Module enables security analysts to perform detailed investigations of captured network traffic,
looking for anomalies, unusual patterns, or specific indicators of compromise (IOCs), such as
malicious IP addresses, unusual communication protocols, or unauthorized data flows. Once the
network traffic is captured in PCAP files, these can be imported into Security Onion’s analysis
tools for deeper inspection. Wireshark, a popular packet analysis tool, allows for in-depth
examination of individual packets, enabling analysts to view the contents of communication
sessions and protocols, which can reveal hidden threats such as malware communication, data
exfiltration attempts, or unauthorized access. Additionally, Zeek can parse PCAP files to
generate detailed logs, offering insights into higher-level network behavior and context. By
correlating these logs with alerts from other modules (such as Suricata or Zeek), analysts can
enhance their understanding of the incident and develop a more comprehensive response. The
PCAP Analysis Module not only helps in identifying malicious activities but also plays a vital
role in post-event forensics, helping to trace the origins, tactics, and progression of an attack.
This module is critical for providing a clear and actionable view of network traffic, enabling
effective detection, response, and prevention of security incidents. The PCAP Analysis Module
in the Security Onion and PCAP Investigation project further enhances threat detection by
allowing analysts to perform granular analysis of network traffic captured in PCAP files.

17
 CHAPTER 7

SYSTEM DESIGN
7.1 SYSTEM ARCHITECTURE

The System Architecture for the Security Onion + PCAP Investigation project is designed
to provide an efficient, scalable, and secure platform for network traffic analysis and threat
detection. The architecture is built around VirtualBox, where Security Onion is installed on a
virtual machine (VM). This setup ensures an isolated environment, allowing the Security Onion
tools to function without affecting the host operating system. Once installed, Security Onion is
accessible through a localhost web interface, which serves as the primary control point for
configuration, monitoring, and data analysis. Additionally, SSH access is provided for advanced
users who prefer direct terminal interaction, enabling manual configurations and system
maintenance. Vulnerable PCAP files, containing network traffic data, are uploaded into Security
Onion for analysis. These files are processed by tools like Suricata and Zeek, which generate
detailed logs and alerts for potential security incidents. The captured network traffic is analyzed
in-depth through the PCAP Analysis Module, where packet-level investigations are conducted to
identify malicious activity or abnormal behavior. Logs generated from this analysis are stored in
Elasticsearch and visualized through Kibana for real-time monitoring and investigation. The
Visualization And Dashboard Module provides intuitive dashboards to view traffic patterns,
detect threats, and correlate network data, facilitating quicker identification and response to
security incidents. This architecture enables efficient and thorough investigation of network
security events while maintaining a flexible and isolated testing environment.,

18
Figure: 7.1 [System Diagram]

19
Figure:7.2[ pcap analyzed process]

20
Figure:7.3[Pcap Analysis Explained]

21
 CHAPTER 8

RESULT AND DISCUSSION

8.1 DATASETS

the Security Onion + PCAP investigation project, it is essential to provide a

comprehensive overview of the datasets analyzed and the findings derived from those analyses.
The project typically involves using publicly available PCAP files sourced from well-known
repositories like Malware-Traffic-Analysis.net, Wireshark, or custom network captures. The
datasets may include a range of traffic types, such as normal user behavior, malicious activity
like Distributed Denial-of-Service (DDoS) attacks, ransomware communications, and phishing
attempts. For instance, one dataset might represent simulated attacks from sources like the
CICIDS 2017, which provides labeled traffic data to highlight intrusion patterns, while another
might include real-world malicious traffic samples from Contagio . Each dataset is characterized
by its volume, number of packets, duration, and types of protocols observed . The analysis of
these PCAPs using Security Onion often reveals key findings, including incident patterns such as
repeated brute force attempts, port scans, and potential data exfiltration attempts.

9.2 RESULT

The implementation of the project using Security Onion for PCAP investigation
demonstrated its effectiveness in detecting, analyzing, and responding to network security
threats. By setting up Security Onion and utilizing tools such as Kibana, Squert, and the Elastic
Stack, the system successfully captured and analyzed network traffic, highlighting events such as
suspicious packet transfers, unusual communication, and intrusion attempts. The IDS/IPS
features were able to detect anomalies like port scans and potential malware activity.
Additionally, tools like Wireshark and Zeek facilitated deep packet inspection and allowed
detailed examination of data to identify specific threats. This project underscored both the
strengths and challenges of using Security Onion, showcasing its comprehensive and powerful
toolset while noting the need for user familiarity to leverage its full capabilities. Overall, the
project enhanced the understanding of network defense mechanisms and highlighted the
importance of timely analysis and response in maintaining cybersecurity . .

22
 CHAPTER 9

CONCLUSION AND FUTURE ENHANCEMENT

10.1 CONCLUSION

The Security Onion + PCAP investigation project successfully demonstrated the power
and effectiveness of using a comprehensive, open-source security platform for detecting,
analyzing, and responding to network security threats. By deploying Security Onion and utilizing
its suite of integrated tools such as Kibana, Zeek, and Wireshark, the project showcased how
network traffic can be captured, analyzed, and visualized to identify security issues like
suspicious communication patterns, port scans, and potential malware activity. The project also
highlighted the importance of deep packet inspection through PCAP analysis, which allowed for
detailed examination of network packets and identification of specific threats . While Security
Onion proved to be a robust toolset for network monitoring and investigation, the project also
emphasized the need for users to develop a strong understanding of the platform's capabilities to
effectively configure and interpret its outputs. The complexity of setting up and utilizing the
various tools within Security Onion requires time and expertise, but once mastered, the platform
can provide comprehensive insights into network behavior and potential security risks. Overall,
this project underscored the critical role of continuous network monitoring, timely analysis, and
response in safeguarding against cybersecurity threats.

10.2 FUTURE ENHANCEMENT

The Security Onion + PCAP investigation project could focus on improving automation,
scalability, and advanced analytics to increase the efficiency of network security monitoring.
Integrating machine learning models for anomaly detection would help automatically identify
emerging threats, reducing reliance on manual rule creation. Additionally, enhancing
visualization capabilities with advanced techniques like 3D traffic flow analysis and real-time
heat maps could make data interpretation faster and more intuitive for analysts. Implementing
automated threat response mechanisms, such as triggering firewall rules or isolating
compromised devices, would streamline incident response and minimize potential damage. To
accommodate larger environments, improving the scalability of Security Onion by optimizing
node deployments and data aggregation processes would enable it to handle higher volumes of
traffic. Integrating external threat intelligence feeds could provide real-time updates on known
23
threats, further enhancing detection accuracy. Expanding Security Onion’s capabilities for hybrid
and cloud-native environments would ensure it can monitor traffic across diverse infrastructures.
Lastly, improving the user interface and offering better documentation and tutorials would make
the platform more accessible to security professionals of all skill levels, broadening its use in
diverse cybersecurity operations. These enhancements would help Security Onion evolve into an
even more powerful and adaptable tool for real-time threat detection and network defense.
Additionally, incorporating advanced reporting features with customizable dashboards would
allow for more efficient tracking of security metrics and easier communication of findings to
stakeholder

24
APENDIX-I

RESULT SCREENSHOT

25
26
27
REFERENCES

[1] Kawadia, V., & Kumar, P. R. (2005). Experimental Investigations into TCP Performance
over Wireless Multihop Networks. In SIGCOMM'05 Workshops, August 22–26, Philadelphia,
PA, USA, ACM, 29-3.

[2] Babu, R. (2022). Network Traffic Analysis and Anomaly Detection: A Comparative Case
Study. Master’s thesis, Halmstad University, Master’s Programme in Network Forensics.

[3] Heikkinen, R. (2018). Information Security Case Study with Security Onion at Kajaani UAS
Datacentre Laboratory. Bachelor’s thesis, Kajaani University of Applied Science.

[4] Dr. Amit Sharma (2018), PCAP ANALYSIS OF CLOUD NETWORK USING ADVANCE
MACHINE LEARNING.

[5] Ross Heenan and Naghmeh Moradpoor (2016) Introduction to Security Onion., 5(2), 210-
230.

[6] Resmi AM (2017) Intrusion Detection System Techniques and Tools Ph D. Research
Scholar, Dept of Computer Science, NGM college, (Autonomous).

[7] Bezborodov Sergey(1016) , Intrusion Detection System and Intrusion Prevention System
with Snort provided by Security Onion. Bachelor’s Thesis Information Technology.

[8] Jansen, Kayla, "Testing the Security Onion" (2018). Culminating Projects in Information
Assurance. 70.

[9] Bezborodov Sergey (2016). Intrusion Detection Systems and Intrusion Prevention System
with Snort provided by Security Onion.

[10] F. Katulić, D. Sumina, I. Erceg, S. Groš. (2022). Enhancing Modbus/TCP-Based Industrial

Automation and Control Systems Cybersecurit yUsing a Misuse-Based Intrusion Detection
System.

28
29
30
31
32
33