Security Onion
Author: c | 2025-04-24
GitHub - Security-Onion-Solutions/security-onion: Security Onion
Security Onion, Aug 2014

My purpose for installing this was to:
- learn more about security stuff
- steal the packet captures (pcap) provided so I can replay them using tcpreplay for Snort testing, as it's not so sexy to just test using ICMP ping data or local rules that match anything (see: ...)

The following is from: ...

Note: the above refers to installing SO 12.04 on a VirtualBox VM, but the newer installation guides for Xubuntu 14.04 64-bit no longer refer to VirtualBox -- see: (1) ..., (2) "Download our Security Onion ISO image and Quickly Evaluate", (3) the Post Installation page.

______________________________________________________________________________________

Security Onion is configured to run on version 12.04 of any Ubuntu-based Linux server or desktop distribution, such as Ubuntu, Lubuntu, Xubuntu and Kubuntu. Your choice of base operating system depends on personal preference, your hardware and how you intend to interact with Security Onion; if you're experienced with the flavors of Ubuntu you have probably already made this decision.

We're going to walk through setting up the Security Onion Live Xubuntu 12.04 distribution in a virtual machine (VM) and installing Security Onion using the Quick Setup option. Having Security Onion installed in a VM gives you an isolated environment which can act as a "client" for interacting with a remote Security Onion server. In an Ubuntu Server deployment, where access to the server is limited to SSH and the command line, the client VM lets us set up remote servers and sensors graphically. It is also recommended that analysts run Security Onion in a virtual machine for client access, so that all the tools needed to manage and monitor a deployment are available in an isolated environment.

You'll need a computer with at least 4 GB of RAM (ideally 8 GB) for best results. We'll use VirtualBox, a free desktop virtualization tool, but the process is very similar for VMware or others. You can download a copy of VirtualBox for Windows, Mac OS X or Linux from the VirtualBox site, and the Security Onion 12.04 Live distribution from the Security Onion download page. Once downloaded, install VirtualBox, then launch it and click the "New" button.

To install the VirtualBox Guest Additions, type "cd /media/VBOX", then hit the Tab key to autofill the folder name and Enter to change to that directory. Then type: sudo ./VBoxLinuxAdditions.run

You'll again be prompted for your password, since this is the first time we run sudo after a reboot. The installation launches and, after a couple of minutes, returns you to the command prompt when it's complete. In the upper right-hand corner of your Xubuntu desktop, click your username, then "Shut down" to shut down the system.

______________________________________________________________________________________

Before we install Security Onion, this is an excellent time to take a snapshot of your virtual machine. While the system is shut down, select your virtual machine in VirtualBox Manager and you'll notice two icons at the top right: Details and Snapshots. Click "Snapshots", then click the camera icon and give your snapshot a name and description. Make it descriptive, perhaps "New Build SO Client", with a description noting that the system was patched and updated, that the VirtualBox Guest Additions are installed, and the date. Once we have a snapshot, we can make changes to the system and later revert to the state we preserved. For a Security Onion client this is useful: we can set up Security Onion as a standalone server for testing, then revert to the snapshot and reinstall Security Onion with only the client tools. Boot the system again once the snapshot is complete and we'll install Security Onion.

______________________________________________________________________________________

At this point, without running the Security Onion setup script, you have a fully functioning Security Onion client workstation with which to access a Security Onion server. Next we're going to install Security Onion using the Quick Setup to familiarize ourselves with the setup and get started learning the tools. Once we're done experimenting we can revert our VM to the snapshot we just took and be back to a clean, client-only Security Onion state.

* note: snort and other stuff is not installed at this point!

______________________________________________________________________________________

When you're logged in again, double-click the "Setup"
For troubleshooting, a useful script that reports the performance and health of your Security Onion hosts is "sostat". Run it periodically on any deployment with: sudo sostat | less

Its output covers all aspects of Security Onion: the nsm_server_ps-status / nsm_sensor_ps-status results, network interface status, disk usage, network sockets, IDS rule update status, CPU usage, log archive size, IDS engine packet drops, pf_ring statistics, Sguil uncategorized events and summaries, the top 50 URLs for the previous day, and Snorby events and summaries. It provides powerful visibility into the health of Security Onion and should be adopted as part of your monitoring routine.

______________________________________________________________________________________

If everything looks OK, we can quickly test Sguil and the Snort/Suricata detections. Double-click the Sguil icon on the desktop and enter your Sguil username and password (created during the Security Onion Setup). You'll be prompted to choose which network(s) to monitor: the monitored network interface(s) and/or OSSEC events. Choose "Select All", then "Start SGUIL", and the Sguil client will load. You might already have some events showing up, but just to confirm, type: curl in a terminal window and you should see an event appear in Sguil for "GPL ATTACK_RESPONSE id check returned root." (The rule matches the string uid=0(root) in the HTTP response body, which is what the test page returns, so this confirms that the sensor sees and inspects the traffic, not that anything was compromised.)

Security Onion includes a number of useful links on the desktop in addition to the Security Onion application menu, which provides access to man pages for the tools included in Security Onion. The "README" icon on the desktop is a good starting point; it opens in a web browser with local links to Squert, Snorby, ELSA and Xplico, and external links to additional useful Security Onion information. Sguil, Squert and ELSA all share the same username/password, while Snorby uses e-mail addresses for usernames.
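To make the sostat section concrete, here is an added example of three of the checks it performs (disk usage, interface drop counters, expected daemons). This is illustrative code written for this page, not Security Onion's own sostat script; the sniffing interface name eth1, the daemon names and the 90% threshold in the usage block are assumptions, and the test input is constructed df output.

```sh
#!/bin/sh
# Added example: a few health checks in the spirit of sostat's disk, process
# and packet-drop sections. Not Security Onion's own code; the interface,
# daemon names and thresholds used in the usage block are assumptions.

# disk_over_threshold LIMIT
#   Reads `df -P` output on stdin and prints every mount point whose use%
#   is at or above LIMIT. A full /nsm means capture and logging stop silently.
disk_over_threshold() {
  awk -v limit="$1" 'NR > 1 {
      pct = $5; sub(/%/, "", pct)
      if (pct + 0 >= limit + 0) print $6
  }'
}

# iface_drops IFACE
#   Sums the kernel rx/tx drop counters for IFACE from sysfs.
#   Prints -1 if the interface does not exist (typo, or passthrough failed).
iface_drops() {
  stats="/sys/class/net/$1/statistics"
  if [ ! -d "$stats" ]; then
    echo -1
    return 0
  fi
  rx=$(cat "$stats/rx_dropped")
  tx=$(cat "$stats/tx_dropped")
  echo $((rx + tx))
}

# missing_processes NAME...
#   Prints each NAME for which no running process has that command name.
#   Walks /proc directly so it also works on hosts without procps/pgrep.
missing_processes() {
  for want in "$@"; do
    found=0
    for comm in /proc/[0-9]*/comm; do
      [ -r "$comm" ] || continue
      if [ "$(cat "$comm" 2>/dev/null)" = "$want" ]; then
        found=1
        break
      fi
    done
    [ "$found" -eq 1 ] || echo "$want"
  done
}

# Stand-alone usage: live df, the assumed sniffing interface eth1, and the
# daemons a 12.04-era sensor is assumed to run. Save as sostat_lite.sh.
if [ "${0##*/}" = "sostat_lite.sh" ]; then
  echo "== filesystems at or above 90% =="
  df -P | disk_over_threshold 90
  echo "== rx+tx drops on eth1 =="
  iface_drops eth1
  echo "== expected daemons not running =="
  missing_processes snort suricata bro netsniff-ng
fi
```

Each function prints only the items that need attention, so an empty section is a healthy one; a non-zero drop counter that keeps growing between runs is the number to watch when sostat reports IDS engine packet drops.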
______________________________________________________________________________________

Here's a brief description of the primary tools available in Security Onion for security monitoring:

- Sguil - THE analyst console for security monitoring. There isn't a more powerful and capable solution available for event analysis, correlation and review.
- Squert - A web interface to query and view Sguil event data, designed to supplement Sguil by providing additional context around events.
- Snorby -
This article is the first of a series; below we explain general information about Security Onion and then perform a practical installation.

Presentation of the open source platform for network and host monitoring

What is Security Onion?

Security Onion, by Security Onion Solutions, LLC, is a free and open source platform for network, host and enterprise security monitoring and log management (collection and subsequent analysis). With its bundled tool collections, Security Onion offers a highly scalable solution for demanding incident response and forensics use cases, but also for simple experimentation in the home lab. It suits companies of different sizes as well as home networkers, security enthusiasts and home labbers; for the latter, it's a wonderful way to get deeper into the world of intrusion detection and network monitoring.

Security Onion can be used both proactively and reactively: proactively, for example, by discovering vulnerable services or expiring SSL certificates in observed traffic (note that it ships no vulnerability scanner, unlike OSSIM, which includes OpenVAS), and reactively by responding to security incidents and conducting the subsequent forensic investigation.

The basic functions can be divided into three core functions:
- Full packet capture
- Network and endpoint detection (rule-based)
- Analysis and correlation of the acquired data sets

These core functions are implemented using the following program packages, among others:
- Suricata (IDS/IPS, rule-based detection with fingerprints and identifiers)
- Zeek (powerful network analysis framework, formerly Bro)
- Wazuh (HIDS/EDR: log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting)
- Elastic Stack (visualization and search, Elasticsearch queries)
- TheHive (reporting and escalation; incident response platform, including MISP)
- Strelka (real-time file analysis for IR)
- Support for Sigma rules (rule conversion for other platforms such as Splunk, LogRhythm, ESQ)
- Grafana/InfluxDB (graphical interface for independent system monitoring/alerting)
- Fleet (osquery management)
- Playbook (individual detection rule sets; detection strategy)
- OnionHunt (correlation tool)
- SO-Console (web-based access to the individual components)
- Syslog and Beats (optional integration)

Data types which Security Onion or its components can process and generate: [Figure: data types collected by Security Onion]

Security Onion in general

Since version 2.0 Security Onion is based on CentOS 7, but it can also be installed manually via the CLI on Ubuntu 18.04 and CentOS 7. Installation and management of the individual package collections is done with Docker containers. Since many different use cases are supported, scaling is also possible on a large scale: from dedicated and distributed installations with separate sensors and independent search nodes to installations in air-gapped environments, many scenarios are possible. Security Onion is also available in the AWS Marketplace, and deployments in Azure are possible too.

For a virtualized installation, at least one network interface must be assigned to the VM via PCI passthrough. Please note that Intel VT-d (AMD-Vi on AMD platforms) must be available on the hardware side and enabled in the firmware (check the motherboard chipset and CPU specifications).

Security Onion has used Suricata as its IDS since 2.x; unfortunately deployment is only possible in IDS mode (passive detection on a copy of the traffic, not inline IPS).

Scenario of a setup

A simplified topology for standalone mode operation would look like this: [Figure: standalone topology]

In this example the data link is duplicated 1:1 by a TAP device, which feeds the copied stream to the sensor (Security Onion). This allows observation of network traffic between network segments or between endpoints within a segment. Usually these techniques are set up to monitor network transitions, for example between two network devices such as routers or switches. Depending on the required performance, you have to decide between classic TAPs and switches with port mirroring.

Scenario with a TAP

The following scenario can be achieved with a $40 managed switch (Netgear GS308E or MikroTik RouterBOARD RB2011 models). The setup is much easier, but note that it is not recommended for large networks due to performance issues. For enterprise networks
Network Security Monitoring (NSM) is, put simply, monitoring your network for security-related events. It might be proactive, when used to identify vulnerabilities or expiring SSL certificates, or it might be reactive, as in incident response and network forensics. Whether you're tracking an adversary or trying to keep malware at bay, NSM provides context, intelligence and situational awareness of your network. There are some commercial solutions that get close to what Security Onion provides, but very few contain the vast capabilities of Security Onion in one package.

Many assume NSM is a solution they can buy to fill a gap: purchase and deploy solution XYZ and the problem is solved. The belief that you can buy an NSM denies the fact that the most important word in the NSM acronym is "M" for Monitoring. Data can be collected and analyzed, but not all malicious activity looks malicious at first glance. While automation and correlation can enhance intelligence and assist in sorting through false positives and malicious indicators, there is no replacement for human intelligence and awareness. I don't want to disillusion you: Security Onion isn't a silver bullet that you can set up, walk away from and feel safe. Nothing is, and if that's what you're looking for you'll never find it. Security Onion will provide visibility into your network traffic and context around alerts and anomalous events, but it requires a commitment from you, the administrator or analyst, to review alerts, monitor the network activity and, most importantly, have a willingness, passion and desire to learn.

Core Components

Security Onion seamlessly weaves together three core functions:
- full packet capture;
- network-based and host-based intrusion detection systems (NIDS and HIDS, respectively);
- and powerful analysis tools.

Full packet capture is accomplished via netsniff-ng, "the packet sniffing beast". netsniff-ng captures all the traffic your Security Onion sensors see and stores as much of it as your storage solution will hold (Security Onion has a built-in mechanism to purge old data before your disks fill to capacity). Full packet capture is like a video camera for your network, but better: not only can it tell us who came and went, but also exactly where they went and what they brought or took with them (exploit payloads, phishing emails, file exfiltration). It's a crime scene recorder that can tell us a lot about the victim and the white chalk outline of a compromised host on the ground. There is certainly valuable evidence to be found on the victim's body, but evidence at the host can be destroyed or manipulated; the camera doesn't lie, is
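The purge mechanism mentioned above is worth seeing in code, because the failure mode is quiet: once the capture volume is full, netsniff-ng has nowhere to write and the "video camera" simply stops recording. Here is an added example of an oldest-first purge that keeps a capture directory under a size budget. It is illustrative code written for this page, not Security Onion's own purge logic; a flat directory of *.pcap files, the path /nsm/pcap and the 500 GB budget in the usage block are assumptions, and the test input is constructed.

```sh
#!/bin/sh
# Added example: oldest-first purge of a full-packet-capture directory, the
# kind of housekeeping a sensor must do before the disk fills. Not Security
# Onion's own code; the flat *.pcap layout and the paths are assumptions.

# dir_kbytes DIR
#   Disk usage of DIR in 1K blocks (du -k is POSIX, so this is portable).
dir_kbytes() {
  du -sk "$1" | awk '{ print $1 }'
}

# purge_pcaps DIR LIMIT_KB
#   Deletes the oldest *.pcap files in DIR, one at a time, until the
#   directory uses at most LIMIT_KB. Non-pcap files (indexes, notes) are
#   never touched, and the loop stops when no pcap is left to delete.
#   Prints each removed file so the purge itself leaves an audit trail.
purge_pcaps() {
  dir="$1"
  limit="$2"
  while [ "$(dir_kbytes "$dir")" -gt "$limit" ]; do
    # ls -t sorts newest first; -r reverses it, so head gives the oldest.
    # Capture file names contain no whitespace, which keeps this safe.
    oldest=$(ls -tr "$dir"/*.pcap 2>/dev/null | head -n 1)
    [ -n "$oldest" ] || break
    rm -f "$oldest"
    echo "$oldest"
  done
}

# Stand-alone usage (assumed path and a 500 GB budget). Save as purge_pcaps.sh
# and run it from cron; deleting by age alone would not bound disk usage.
if [ "${0##*/}" = "purge_pcaps.sh" ]; then
  purge_pcaps /nsm/pcap 500000000
fi
```

The budget is expressed in disk usage rather than file age on purpose: a sensor on a busy link fills the same space in hours that a quiet one fills in weeks, so a size bound is the only one that actually protects the capture from stopping. Run it with a margin below the volume size, since the file currently being written keeps growing between runs.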