Security Onion Documentation

Welcome to the Security Onion Documentation!

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

For more information about Security Onion not contained in this Documentation, please see our main site:

https://securityonion.net

Table of Contents

• About This Documentation
  • Formats
  • Contributing
  • Naming Convention
• Introduction
  • Core Components
  • Analysis Tools
  • Deployment Scenarios
  • Conclusion
• Use Cases
  • Classroom
  • Pcap Forensics
  • Production Server - Standalone
  • Production Server - Distributed Deployment
  • Analyst VM
  • Sending Logs to Separate SIEM
• Hardware Requirements
  • 32-bit vs 64-bit
  • UEFI Secure Boot
  • UPS
  • Elastic Stack
  • Standalone Deployments
  • Master server with local log storage
  • Master server with storage nodes
  • Storage Node
  • Forward Node (Sensor)
  • Heavy Node (Sensor with ES components)
  • Sensor Hardware Considerations
• Download/Install
  • Hardware
  • UEFI
  • UEFI Secure Boot
  • Language
  • Choose your Installation Guide
• ISO Release Notes
• Quick Evaluation using Security Onion ISO image
• Quick Evaluation on Ubuntu
• Production Deployment
  • Hardware Requirements
  • Download and Verify
  • Install
• After Installation
  • Tuning / Miscellaneous
  • Optional
  • Learn More
• UTC and Time Zones
  • How do I change the timezone for Ubuntu?
  • How do I change the timezone in Squert?
  • Why are the timestamps in Kibana not in UTC?
• Services
  • Server services
  • Sensor services
• VirtualBox Walkthrough
  • Walkthrough
• VMWare Walkthough
  • Overview
  • Installation
  • Soup
  • Setup: Phase 1
  • Setup: Phase 2
  • Post-Installation
  • Things to keep in mind
• Videos
  • Youtube Channel
  • Security Onion Conference 2017
  • Security Onion Conference 2016
  • Angler Exploit Kit Analysis
  • Old Videos for Security Onion 12.04
• Architecture
  • High-Level Architecture Diagram
  • Core Components
  • Auxilliary Components
  • Detailed Data Flow Diagram
  • Deployment Types
  • Node Types
• Cheat Sheet
• Conference
  • Who should attend Security Onion Conference?
  • Social Media
  • Security Onion Conference 2019
  • Security Onion Conference 2018
  • Security Onion Conference 2017
  • Security Onion Conference 2016
  • Security Onion Conference 2015
  • Security Onion Conference 2014

Update/Upgrade

• Updating
  • soup - Security Onion Update
  • Snort/Suricata
  • Bro
  • Wazuh
  • MySQL
  • HWE
  • Initiating an update over SSH
  • Distributed deployments
  • Using salt and soup to Update your entire Deployment
  • Standard Ubuntu package management tools
  • Upgrades
• HWE
  • Security Onion 14.04 ISO images and HWE stacks
  • Install updates first
  • Check HWE Status
  • Upgrade HWE
  • Example
  • More information
• Upgrading from 14.04 to 16.04
  • Disclaimers
  • Warnings
  • Pre-upgrade Notes
  • Preparation
  • Upgrade from Ubuntu 14.04 to Ubuntu 16.04
  • Add back Security Onion packages
  • Clean Up
  • Verify
  • MySQL root password
  • Optional
• MySQL Upgrade Errors
  • Error messages regarding MySQL upgrade process
  • Error message regarding MySQL 5.5
• EOL

Analyst Tools

• Kibana
  • Configuration
  • Pivoting
  • Search Results
  • Search Request Timeout
  • Plugins
• CapME
  • Accessing
  • Logging In
• CyberChef
  • Accessing
• Squert
  • Authentication
  • Prepared Statements
  • Data Types
  • Time Interval
  • Timeplot
  • Toggle Options
  • Alerts
  • Pivoting to Full Packet Capture
  • Pivoting to Kibana
  • Adding your own pivots
• Sguil
  • Authentication
  • Data Types
  • Pivot
  • Agents
  • Management
  • Customize (Sguil client)
  • DNS Lookups
• NetworkMiner
  • Usage
  • More Information
• Wireshark
  • Usage
  • More Information

Network Visibility

• NIDS
  • Usage
  • Performance
  • Analysis
  • Switching from Snort to Suricata
  • Switching from Suricata to Snort
  • NIPS
  • More Information
• Snort
  • Performance
  • Configuration
  • Logging
  • More Information
• Suricata
  • Performance
  • Configuration
  • Logging
  • Stats
  • More Information
• Bro
  • Logs
  • Intel
  • Bro * n
  • Custom Scripts
  • Email
  • Syslog
  • Top for Bro
  • /nsm/bro/spool/tmp
• netsniff-ng
  • Usage
  • Output
  • Analysis
  • Troubleshooting
  • Tuning
  • More Information
  • Reducing Storage

Host Visibility

• Beats
  • Installation
  • Firewall
  • Log files
  • Data
  • Encryption
• Wazuh
  • Description
  • Security Onion Usage
  • Active Response
  • Tuning Rules
  • Adding Agents
  • Maximum Number of Agents
  • Automated Deployment
  • Downloads
• Sysmon
  • Integration
  • Configuration
  • Downloads
  • More Information
• Autoruns
  • Integration
  • Downloads
• Syslog
  • Usage
  • Configuration
  • Forwarding
  • More Information

Elastic Stack

• Elastic Stack
  • Videos
  • Hardware Requirements
• Elasticsearch
  • Configuration
  • Logs
  • Distributed
  • Master
  • Forward Nodes
  • Heavy Nodes
  • Storage Nodes
  • Removing a node from the master
  • Storage
  • Snapshots
• Logstash
  • Configuration
  • Adding New Logs or Modifying Existing Parsing
  • Queue
  • Data Fields
  • Log
  • Errors
• Kibana
  • Configuration
  • Pivoting
  • Search Results
  • Search Request Timeout
  • Plugins
• ElastAlert
  • Configuration
  • More Information
• Curator
  • Actions
• FreqServer
  • Configuration
  • Kibana
  • DNS Frequency Analysis
  • HTTP Frequency Analysis
  • SSL Frequency Analysis
  • X.509 Frequency Analysis
• DomainStats
  • Configuration
  • Kibana
• Docker
  • Images
  • Registry
  • Sneakernet Updates
  • Networking
  • Bridge
  • Containers
  • Download
  • Update
  • Security
  • VMware Tools
• Redis
  • Queue
• Data Fields
  • Fields
  • Template files
• Alert Data Fields
• Bro Fields
  • conn.log
  • dhcp.log
  • dns.log
  • dpd.log
  • files.log
  • ftp.log
  • http.log
  • intel.log
  • irc.log
  • kerberos.log
  • modbus.log
  • mysql.log
  • notice.log
  • pe.log
  • radius.log
  • rdp.log
  • rfb.log
  • signatures.log
  • sip.log
  • smtp.log
  • snmp.log
  • socks.log
  • software.log
  • ssh.log
  • ssl.log
  • syslog.log
  • tunnel.log
  • weird.log
  • x509.log
  • Pivot Fields
• Elastalert Fields
• Beats
  • Installation
  • Firewall
  • Log files
  • Data
  • Encryption
• ELSA to Elastic
  • Warning
  • Exporting Data from ELSA
  • Importing Data to Elastic
  • Upgrade Process
• Re-Indexing

Customizing for your network

• Network Configuration
  • Management interface
  • Sniffing interface(s)
  • Sample /etc/network/interfaces
• Proxy Configuration
  • Docker
  • sudo
  • PulledPork
• Firewall
  • Setup defaults to only allowing port 22 (ssh)
  • Sensors automatically add their own firewall rules to the master server
• Email Configuration
  • so-email
  • Sguil client
  • Overview
  • How do I configure the OS itself to send emails?
  • How do I configure Sguil to send alerts via email?
  • How do I configure Wazuh to send emails?
  • How do I configure Bro to send emails?
  • How do I configure Elastalert to send emails?
  • How can I get an email alert when my sensor stops seeing traffic?
• Changing IP Addresses
  • Update the actual IP address of the management interface
  • Update NSM config files to reflect the new IP address
  • Files to update when changing the IP address
• NTP
  • Modifying
  • IDS Alerts

Tuning

• Managing Alerts
  • Testing to make sure the IDS is working
  • Identifying overly active signatures
  • From Squert
  • From Sguil
  • From the Command Line
  • Listing the top twenty signatures
  • Identifying rule categories
  • Recovering from too many alerts
  • So what’s next?
  • Disable the sid
  • Disable the category
  • modifysid.conf
  • Rewrite the signature
  • Threshold
  • Suppressions
  • Autocategorize events
  • Why is pulledpork ignoring disabled rules in downloaded.rules
  • Sguil Days To Keep
• Managing Rules
  • Options
• Adding Local Rules
  • IPS Policy
  • Steps
  • MISP
• Disabling Processes
  • Sguil Agent
  • Disabling Wazuh
• BPF
  • Configuration
• PF_RING
  • Tuning
  • Snort/Suricata
  • Bro
  • Slots
  • Updating
• AF-PACKET
  • Tuning
  • Suricata
  • Bro
• MySQL Tuning
  • mysqltuner
  • /etc/mysql/my.cnf vs /etc/mysql/conf.d/
  • Restart MySQL
  • Variables
  • MySQL slow to start on boot
  • table_definition_cache
• Adding a new disk
  • Method 1: LVM (Logical Volume Management)
  • Method 2: Mount a separate drive to /nsm
  • Method 3: Make /nsm a symlink to the new logging location
  • Moving the MySQL Databases
  • Synopsis:
  • Procedure:
• High Performance Tuning
  • Ubuntu Server
  • Best Practices
  • Disable GUI
  • Disable Unnecessary Services
  • CPU Affinity/Pinning
  • RSS
  • Disk/Memory
  • Other
• Trimming PCAPs
  • Trimming

Tricks and Tips

• Airgapped Networks
  • Updating
  • Docker
• Analyst VM
  • Screen Resolution
  • Ultimate Forensics VM
• Automating Setup
  • Starting from scratch
  • Using sosetup -w
• Best Practices
• Cloud Client
  • Traffic Flow and NIC offloading functions
  • Daemonlogger vs netsniff-ng
  • References and Thanks
  • Security Onion Sensor
  • Generate client certs
  • Cloud client
  • Check traffic
  • Hardening
  • Tuning
• Connecting to Sguild
  • Connecting to Sguild from an Analyst Machine
  • Connect to Sguild Locally (not recommended)
  • Connect Remotely via SSH w/ X11 Forwarding
• Disabling Desktop
• DNS Anomaly Detection
• ICMP Anomaly Detection
  • Usage
  • Presentation
  • Download
• Metapackages
• PCAPs for Testing
  • Links
  • tcpreplay
  • so-replay
  • so-import-pcap
• Removing a Sensor
  • Disable sensor interface
  • Delete sensor configuration
  • Wipe sensor configuration and data
  • Remove sensor reference from master server
  • Remove storage node reference from Master server Elasticsearch _cluster/settings
• Salt
  • What is OnionSalt?
  • Best Practices
  • Salt and OnionSalt are optional packages
  • Firewall Requirements
  • Installation
  • Checking Status
  • Remote Execution
  • Features
  • Using Salt to Install Updates Across Your Entire Deployment
  • Modifying Salt config files
  • Changing Minion ID
  • Salting an Existing Deployment
  • Configure the Master Server first
  • Now configure salt-minion on a Sensor
  • Now return to the Master and accept the new minion
  • Maximum Event Size
  • Additional Reading
• Sensor Stops Seeing Traffic
  • Wazuh
  • Bro
• SSH
  • Changing the default ssh listening port

Integrations

• AlienVault-OTX
  • Warning
  • Installation
• Critcal Stack Intel Client
  • Install and Configure
  • Profit
• Etherpad
• FIR
  • Warning
  • Installation
• GRR
  • Warning
  • Installation
  • Firewall Rules
  • Management
• MISP
  • Warning
  • Installation
• NtopNG
• RITA
  • Warning
  • Installation
  • Usage
  • Configuration
• Strelka
  • Warning
  • Installation
• Integrating with other systems
  • Support
  • How do I send Bro and OSSEC logs to an external syslog collector?
  • How do I send IDS alerts to an external system?

Help

• Support
  • Commercial Support
  • Free Support
• Help
• FAQ
  • Install / Update / Upgrade
  • Users / Passwords
  • Support / Help
  • Error messages
  • IDS engines
  • Security Onion internals
  • Tuning
  • sostat output
  • Miscellaneous
• Passwords
  • OS root account
  • Sguil
  • Squert
  • Kibana
  • MySQL
• Mailing Lists
  • Check Documentation First
  • Moderation
  • Etiquette
  • Questions/Problems
  • Security-Onion mailing list
• Help Wanted
  • Marketing Team
  • Support Team
  • Testing/QA Team
  • Documentation Team
  • Core Development
  • Thanks
• Secure Boot
• Security
• Booting Issues

Other

• Directory Structure
  • /nsm Directory Structure
  • /nsm
  • /nsm/bro
  • /nsm/elasticsearch
  • /nsm/sensor_data
  • /nsm/server_data
• Tools

Utilities

• jq
  • Usage
  • More Information
• so-allow
  • so-allow-view
• so-import-pcap
  • Usage
  • Example
  • Warning