Merge pull request #62 from codeharborhub/dev-1

Complited Cyber Security Docs

Author: ajay-dhangar

.github/workflows/lighthouse-report.yml

@@ -40,13 +40,15 @@ jobs:
         with:
           urls: |
             http://localhost:3000/tutorial/
-            http://localhost:3000/tutorial/category/html
-            http://localhost:3000/tutorial/html/intro-html
-            http://localhost:3000/tutorial/category/css
+            http://localhost:3000/tutorial/category/html/
             http://localhost:3000/tutorial/css/introduction/what-is-css
-            http://localhost:3000/tutorial/category/javascript
-            http://localhost:3000/tutorial/category/react
+            http://localhost:3000/tutorial/javascript/introduction-to-javascript/what-is-js
+            http://localhost:3000/tutorial/git/introduction
+            http://localhost:3000/tutorial/category/getting-started-with-github
+            http://localhost:3000/tutorial/github/introduction-to-github
             http://localhost:3000/tutorial/react/react-intro
+            http://localhost:3000/tutorial/cybersecurity
+            http://localhost:3000/tutorial/tags
           configPath: ./.github/workflows/lighthouserc.json
           uploadArtifacts: true
           temporaryPublicStorage: true

docs/cybersecurity/cybersecurity-tools/monitoring-and-defense/security-onion.mdx

@@ -1,3 +1,186 @@
-import ComingSoon from '@site/src/components/ComingSoon';
+---
+title: "Security Onion"
+description: "Learn about Security Onion — an open-source Linux distribution for intrusion detection, network monitoring, and log management. Explore its architecture, components, and setup for modern SOC environments."
+---
 
-<ComingSoon />
+**Security Onion** is a free and open-source **Linux distribution** for **intrusion detection**, **network security monitoring (NSM)**, and **log management**. It’s widely used in **Security Operations Centers (SOCs)**, **cybersecurity training labs**, and **enterprise monitoring setups**.
+
+Developed and maintained by **Doug Burks** and the Security Onion team, it provides an integrated suite of tools like **Snort**, **Suricata**, **Zeek**, **Wazuh**, and **Elasticsearch** — all preconfigured for rapid deployment.
+
+## Why Security Onion?
+
+Security Onion simplifies complex security infrastructure into a **single, cohesive platform**.
+
+```mermaid
+flowchart TD
+  A[Network Traffic] --> B[Packet Capture]
+  B --> C[Intrusion Detection - Snort/Suricata]
+  B --> D[Protocol Analysis - Zeek]
+  B --> E[Log Collection - Wazuh/OSSEC]
+  C --> F[Elastic Stack Visualization]
+  D --> F
+  E --> F[Security Onion Console]
+```
+
+**In simple terms:**
+
+Security Onion collects, inspects, and visualizes network data — helping analysts **detect**, **investigate**, and **respond** to security threats efficiently.
+
+
+## Core Components
+
+| Component               | Description                                                            |
+| ----------------------- | ---------------------------------------------------------------------- |
+| **Snort / Suricata**    | Network Intrusion Detection Systems (IDS/IPS)                          |
+| **Zeek (formerly Bro)** | Network analysis framework for protocol and behavior-based detection   |
+| **Wazuh / OSSEC**       | Host-based intrusion detection (HIDS) and log analysis                 |
+| **Elastic Stack (ELK)** | Elasticsearch, Logstash, and Kibana — for storing and visualizing logs |
+| **TheHive + Cortex**    | Incident response and case management                                  |
+| **CyberChef**           | Data decoding, conversion, and analysis tool                           |
+
+## Architecture Overview
+
+```mermaid
+graph LR
+  subgraph "Data Layer"
+    A[Network Traffic]
+    B[Host Logs]
+  end
+
+  subgraph "Collection Layer"
+    C1[Snort / Suricata]
+    C2[Zeek]
+    C3[Wazuh Agents]
+  end
+
+  subgraph "Analysis Layer"
+    D1[Logstash]
+    D2[Elasticsearch]
+    D3[TheHive]
+  end
+
+  subgraph "Visualization Layer"
+    E1[Kibana Dashboards]
+    E2[Security Onion Console]
+  end
+
+  A --> C1
+  A --> C2
+  B --> C3
+  C1 --> D1
+  C2 --> D1
+  C3 --> D1
+  D1 --> D2
+  D2 --> D3
+  D2 --> E1
+  D3 --> E2
+```
+
+This architecture allows real-time traffic inspection, data correlation, and security event visualization from a **single pane of glass**.
+
+## Installation Modes
+
+Security Onion supports three main deployment modes:
+
+| Mode            | Use Case                                                |
+| --------------- | ------------------------------------------------------- |
+| **Standalone**  | Ideal for labs and small networks                       |
+| **Distributed** | For enterprise-scale environments with multiple sensors |
+| **Eval Mode**   | Quick evaluation using a single VM (best for beginners) |
+
+```bash
+sudo so-setup
+```
+
+You can select the desired mode during setup and configure sensors, managers, and storage accordingly.
+
+## Workflow: From Detection to Response
+
+```mermaid
+sequenceDiagram
+  participant Net as Network Traffic
+  participant IDS as IDS/IPS (Snort/Suricata)
+  participant Zeek as Zeek
+  participant Log as Logstash
+  participant ES as Elasticsearch
+  participant Kib as Kibana
+  participant Hive as TheHive
+
+  Net->>IDS: Detect anomalies
+  Net->>Zeek: Analyze protocol behavior
+  IDS->>Log: Send alerts/logs
+  Zeek->>Log: Send connection metadata
+  Log->>ES: Store structured data
+  ES->>Kib: Visualize dashboards
+  Kib->>Hive: Escalate incidents
+```
+
+This flow demonstrates how Security Onion provides **end-to-end visibility**, from detection → analysis → investigation → response.
+
+## Log Correlation Formula
+
+To understand correlation mathematically, think of Security Onion’s detection engine as:
+
+$$
+A(t) = \sum_{i=1}^{n} (E_i \times W_i)
+$$
+
+Where:
+
+* $ A(t) $: Alert strength at time *t*
+* $ E_i $: Event score (based on severity, frequency, or signature match)
+* $ W_i $: Weight of event importance
+
+Higher $ A(t) $ indicates higher confidence of a real incident — enabling analysts to **prioritize critical alerts** efficiently.
+
+## Real-World Use Cases
+
+| Scenario              | Description                                                 |
+| --------------------- | ----------------------------------------------------------- |
+| **SOC Operations**    | Centralized log management and real-time threat monitoring  |
+| **Threat Hunting**    | Searching for Indicators of Compromise (IOCs) and anomalies |
+| **Incident Response** | Using TheHive to manage and document security incidents     |
+| **Training Labs**     | Perfect for blue team exercises and cyber range setups      |
+
+## Key Tools Inside Security Onion
+
+* **so-status** — Check system and service health
+* **so-allow** — Manage firewall rules and IP access
+* **so-import-pcap** — Import and analyze captured network traffic
+* **so-query** — Query Elasticsearch directly from the terminal
+* **so-dashboard** — Manage and monitor dashboard views
+
+```bash
+sudo so-import-pcap /path/to/traffic.pcap
+```
+
+This command imports and indexes network captures into the Elastic Stack for retrospective analysis.
+
+## Integration with SIEM and EDR
+
+Security Onion can send data to external systems like:
+
+* **Splunk**
+* **Microsoft Sentinel**
+* **Wazuh EDR**
+* **Graylog**
+* **ArcSight**
+
+```mermaid
+flowchart LR
+  SO[Security Onion] --> Splunk
+  SO --> Sentinel
+  SO --> Wazuh
+  SO --> Graylog
+  SO --> ArcSight
+```
+
+This allows hybrid monitoring and advanced analytics across diverse environments.
+
+## Key Takeaways
+
+* Security Onion is an **all-in-one platform** for IDS, NSM, and log management.
+* Combines **Snort/Suricata**, **Zeek**, **Elastic Stack**, **Wazuh**, and **TheHive**.
+* Perfect for **SOC environments**, **blue team training**, and **incident response**.
+* Supports **distributed deployments** for scalability.
+* Offers **real-time dashboards** and **correlation across multiple data sources**.

docs/cybersecurity/cybersecurity-tools/monitoring-and-defense/snort-ids.mdx

@@ -1,3 +1,173 @@
-import ComingSoon from '@site/src/components/ComingSoon';
+---
+title: "Snort IDS (Intrusion Detection System)"
+description: "Learn how Snort works as one of the most powerful open-source Intrusion Detection and Prevention Systems (IDS/IPS). Understand its architecture, rule-based detection, deployment modes, and real-world use cases."
+sidebar_label: "Snort IDS"
+---
 
-<ComingSoon />
+**Snort** is an **open-source Intrusion Detection and Prevention System (IDS/IPS)** developed by **Cisco**. It’s one of the most widely used network security tools for detecting and preventing malicious network traffic in real time.
+
+## What is Snort?
+
+Snort acts as a **network traffic analyzer** that monitors packets flowing through the network and compares them against predefined **rules** or **signatures**.
+
+It can operate in multiple modes:
+
+| Mode | Description |
+|------|--------------|
+| **Sniffer Mode** | Reads network packets and displays them on the console. |
+| **Packet Logger Mode** | Logs packets to disk for later analysis. |
+| **Network Intrusion Detection (NIDS) Mode** | Analyzes network traffic and alerts for suspicious activity. |
+| **Intrusion Prevention (IPS) Mode** | Detects and blocks malicious packets in real time. |
+
+
+## Snort Architecture
+
+```mermaid
+graph TD
+  A[Packet Capture - Libpcap] --> B[Preprocessors]
+  B --> C[Detection Engine]
+  C --> D[Logging & Alerting]
+  D --> E[Output Plugins]
+  
+  subgraph "Snort IDS Pipeline"
+  A
+  B
+  C
+  D
+  E
+  end
+```
+
+**Explanation:**
+
+* **Packet Capture:** Uses `libpcap` to capture live network packets.
+* **Preprocessors:** Normalize and prepare packets for detection (e.g., decode protocols, detect anomalies).
+* **Detection Engine:** Matches traffic against Snort rules and triggers alerts.
+* **Logging & Alerting:** Records alerts or logs for review.
+* **Output Plugins:** Export data to databases, dashboards, or SIEM tools.
+
+## Snort Rule Syntax
+
+Snort rules are written in a simple yet powerful format:
+
+```bash
+alert tcp any any -> 192.168.1.0/24 80 (msg:"Possible web exploit"; content:"/bin/sh"; sid:1000001; rev:1;)
+```
+
+### Rule Breakdown
+
+| Part                          | Meaning                                 |
+| ----------------------------- | --------------------------------------- |
+| `alert`                       | Action to take (alert, log, pass, drop) |
+| `tcp`                         | Protocol type                           |
+| `any any`                     | Source IP and port                      |
+| `->`                          | Traffic direction                       |
+| `192.168.1.0/24 80`           | Destination IP range and port           |
+| `msg:"Possible web exploit";` | Description shown in alert              |
+| `content:"/bin/sh";`          | Signature or string to match            |
+| `sid:1000001;`                | Unique Snort rule ID                    |
+| `rev:1;`                      | Rule version                            |
+
+
+## How Snort Detects Intrusions
+
+Snort’s detection process follows a **rule-based mathematical model**:
+
+$$
+A(t) = f(P, R, C)
+$$
+
+Where:
+
+* $A(t)$ = Alert at time *t*
+* $ P $ = Packet data captured
+* $ R $ = Rule set applied
+* $ C $ = Context (state/session information)
+
+The function $( f ) $ determines whether a packet matches a rule condition, producing an alert if true.
+
+## Example: Detecting a Port Scan
+
+```bash
+alert tcp any any -> any 22 (flags:S; msg:"Possible SSH Port Scan"; sid:2000001;)
+```
+
+This rule triggers an alert whenever a **TCP SYN packet** targets port **22 (SSH)** — a common behavior during a scan.
+
+## Snort in Action (Workflow)
+
+```mermaid
+sequenceDiagram
+  participant Net as Network Traffic
+  participant Cap as Packet Capture
+  participant Pre as Preprocessor
+  participant Det as Detection Engine
+  participant Log as Alert System
+
+  Net->>Cap: Capture packets (libpcap)
+  Cap->>Pre: Normalize data
+  Pre->>Det: Match with rules
+  Det->>Log: Generate alert/log
+```
+
+## Integration & Automation
+
+Snort integrates with various tools for **alert management** and **data visualization**:
+
+* **Snorby** – Web interface for Snort alerts
+* **BASE** – Basic Analysis and Security Engine
+* **Splunk / ELK Stack** – For SIEM and visualization
+* **Security Onion** – Linux distro with Snort preconfigured
+
+```mermaid
+flowchart LR
+  Snort --> BASE
+  Snort --> Snorby
+  Snort --> Splunk
+  Snort --> ELK[ELK Stack]
+  ELK --> SOC[Security Operations Center]
+```
+
+## Formula: Rule Matching Probability
+
+Snort’s detection efficiency can be approximated as:
+
+$$
+P_{match} = \frac{M_r}{T_p}
+$$
+
+Where:
+
+* $P_{match} $ = Probability of rule match
+* $ M_r $ = Matched rules count
+* $ T_p $ = Total packets processed
+
+A higher $ P_{match} $ indicates frequent matches, possibly signaling an attack or misconfigured rule.
+
+## Deployment Options
+
+| Environment            | Recommended Mode            |
+| ---------------------- | --------------------------- |
+| **Home / Lab**         | IDS (alert-only)            |
+| **Enterprise Network** | IPS (preventive blocking)   |
+| **Cloud / VM**         | Inline bridge mode          |
+| **SOC Environment**    | Combined Snort + SIEM setup |
+
+## Example: Inline IPS Mode Setup (Linux)
+
+```bash
+sudo snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf -A console
+```
+
+* `-Q`: Enables inline mode
+* `--daq afpacket`: Uses AFPacket for inline packet capture
+* `-i eth0:eth1`: Bridge between two interfaces
+* `-A console`: Prints alerts to the console
+
+## Key Takeaways
+
+* **Snort** is a rule-based **IDS/IPS** used for packet-level network security.
+* It uses **libpcap** for packet capture and **custom rules** for detection.
+* Supports **multiple operation modes** (sniffer, logger, IDS, IPS).
+* Easily integrates with **SIEMs** like Splunk and ELK for advanced monitoring.
+* **Continuous rule updates** and **proper tuning** are critical for accuracy.