explaingit

security-onion-solutions/securityonion

4,605 · Shell · Audience · ops, devops · Complexity · 4/5 · Setup · hard

TLDR

Security Onion is a free, open-source network security monitoring platform that bundles intrusion detection, packet capture, log searching, and alert management under one Linux installation for security teams.

Mindmap

mindmap
  root((securityonion))
    Detection Tools
      Suricata IDS
      Zeek network monitor
      osquery host queries
    Data Layer
      Elasticsearch storage
      Log ingestion
    Web Interfaces
      Alert dashboards
      Case management
      CyberChef analysis
    Audience
      Security teams
      Linux admins

Things people build with this

USE CASE 1

Set up a dedicated server to monitor your organization's network traffic for intrusions and suspicious behavior.

USE CASE 2

Search and correlate security logs using the built-in Elasticsearch interface and dashboards.

USE CASE 3

Manage and document security incidents end-to-end using the included case management interface.

USE CASE 4

Query the state of connected computers using osquery to check for indicators of compromise.

Tech stack

Shell · Elasticsearch · Suricata · Zeek · osquery

Getting it running

Difficulty · hard · Time to first run · 1 day+

Requires a dedicated Linux server. This branch (2.3) reached end-of-life in April 2024; new installs should use the 2.4 branch.

In plain English

Security Onion is a free, open-source platform designed for organizations that want to monitor their networks and computers for signs of malicious activity. It brings together a collection of well-known security tools under one installation, including systems for detecting intrusions, capturing and inspecting network traffic, storing and searching logs, and managing alerts when something suspicious is found.

The platform includes its own web-based interfaces for things like reviewing alerts, building dashboards, searching through recorded activity, and managing security cases when an incident needs to be investigated and documented. Alongside those custom interfaces it bundles third-party tools such as Suricata and Zeek for network monitoring, Elasticsearch for storing and searching large volumes of log data, and osquery for querying the state of individual computers as if they were a database. CyberChef is also included as a utility for decoding and analyzing data in various formats.

This particular repository holds version 2.3 of Security Onion. That version reached its end-of-life date in April 2024, meaning it no longer receives updates or support from the maintainers. The README notes that new installations should use the 2.4 branch of the same repository, and existing 2.3 installations have migration documentation available. The README for this branch is minimal and consists mainly of links to external documentation for hardware requirements, download instructions, installation steps, and a FAQ.

Security Onion is aimed at security teams, system administrators, and anyone responsible for watching over a network for threats. Setting it up requires a dedicated machine or server, and the platform is best suited to people comfortable with Linux-based systems and network security concepts.

Copy-paste prompts

Prompt 1
How do I migrate an existing Security Onion 2.3 installation to version 2.4?
Prompt 2
What are the hardware requirements for setting up Security Onion on a new dedicated server?
Prompt 3
How do I configure Suricata rules in Security Onion to detect a specific type of network threat?
Prompt 4
How do I search through Zeek network connection logs in Security Onion's web interface?
Prompt 5
How do I create a security case and link alerts to it in Security Onion's case management tool?