Use Cases
Security Onion is designed for many different use cases! When you run Setup, it will ask you if you want Evaluation Mode or Production Mode. Each of these modes presents different options that may be applicable to different use cases. Here are just a few examples.
Classroom
Evaluation Mode is ideal for classroom or small lab environments.
Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, and then choose Evaluation Mode.
Pcap Forensics
Need to review a pcap with original timestamps preserved? Install Security Onion in Evaluation Mode as described above and then run so-import-pcap.
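What so-import-pcap preserves are the per-packet timestamps stored in the capture file itself, so events in Security Onion line up with when the traffic was actually seen rather than when the file was imported. The following added example (not Security Onion's own code, and not part of this page) is a small libpcap reader that shows where those timestamps live; it parses the global header, handles both byte orders and the microsecond and nanosecond magic variants, walks the packet records, and reports the capture window. The sample capture is constructed in code so the script runs offline.

```python
"""Minimal libpcap (.pcap) reader: extracts the original packet timestamps.

Added illustration only; not part of Security Onion or so-import-pcap.
"""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # timestamps with microsecond fraction
PCAP_MAGIC_NSEC = 0xA1B23C4D  # timestamps with nanosecond fraction
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def parse_pcap(data: bytes) -> dict:
    """Parse a libpcap byte string.

    Returns {"linktype": int, "nanosecond": bool,
             "packets": [(timestamp_utc_seconds, incl_len, orig_len), ...]}.
    Raises ValueError on a bad magic number or a truncated file.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")

    # The magic number tells us both the byte order and the timestamp precision.
    (magic_le,) = struct.unpack("<I", data[:4])
    (magic_be,) = struct.unpack(">I", data[:4])
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file (bad magic number)")
    nanosecond = magic == PCAP_MAGIC_NSEC
    frac_divisor = 1e9 if nanosecond else 1e6

    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])

    packets = []
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated packet record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        # This is the value a replay tool must keep to preserve "original timestamps".
        packets.append((ts_sec + ts_frac / frac_divisor, incl_len, orig_len))
        off += incl_len

    return {"linktype": linktype, "nanosecond": nanosecond, "packets": packets}


def capture_window(data: bytes) -> tuple:
    """Return (first, last) packet timestamps as ISO-8601 UTC strings."""
    packets = parse_pcap(data)["packets"]
    if not packets:
        raise ValueError("capture contains no packets")
    fmt = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return fmt(packets[0][0]), fmt(packets[-1][0])


def build_sample_pcap() -> bytes:
    """Constructed sample: two Ethernet frames captured at 2020-01-01 00:00:00 UTC."""
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    frames = [
        (1577836800, 0, b"\x00" * 14),        # 2020-01-01T00:00:00.0 UTC
        (1577836801, 500000, b"\x11" * 20),   # 1.5 seconds later
    ]
    body = b"".join(
        struct.pack("<IIII", sec, frac, len(p), len(p)) + p for sec, frac, p in frames)
    return global_header + body


if __name__ == "__main__":
    sample = build_sample_pcap()
    info = parse_pcap(sample)
    print("linktype:", info["linktype"], "packets:", len(info["packets"]))
    print("capture window:", capture_window(sample))
```

Run it before importing an unfamiliar capture: if the window printed here is years off from what you expect, the problem is the file's own timestamps, not the import. Point `parse_pcap` at `open(path, "rb").read()` for a real file; pcapng files use a different layout and will fail the magic check by design.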
Production Server - Standalone
Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, choose Production Mode, choose New Deployment, and enable network sensor services.
Production Server - Distributed Deployment
Master server: Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, choose Production Mode, and then choose New Deployment.
Sensor(s): Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, choose Production Mode, and then choose Existing Deployment to join to the master.
Analyst VM
If you’ve built a Production Server as described above, you may want to connect to it using an Analyst VM. Install Security Onion in a VM on your local desktop or laptop. You do NOT need to run Setup in the Analyst VM since this VM won’t be running any services, only applications such as Sguil, Wireshark, NetworkMiner, and a web browser.
Sending Logs to Separate SIEM
You can install Security Onion and then configure it to forward its logs to a separate SIEM.