Security Onion is a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes TheHive, Playbook and Sigma, Fleet and osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, Zeek, Wazuh, and many other security tools. Security Onion has been downloaded over 1 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Security Onion started in 2008 and was originally based on the Ubuntu Linux distribution. Throughout the years, the Security Onion version tracked the version of Ubuntu it was based on. For example, the last major version of Security Onion was based on Ubuntu 16.04 and so it was called Security Onion 16.04. Security Onion is now container based and thus no longer limited to just Ubuntu. To signify this change, Security Onion now has its own versioning scheme and this new platform is Security Onion 2.
Here are some high level system differences between Security Onion 2 and the older legacy versions:
- Move from Ubuntu packages to containers
- Support both CentOS 7 and Ubuntu 18.04
- Change pcap collection tool from netsniff-ng to Google Stenographer
- Upgrade to Elastic Stack 7.x and support the Elastic Common Schema (ECS)
- Remove unsigned kernel module PF_RING and completely replace with AF_PACKET
- Suricata completely replaces Snort. (We may elect to add Snort back after Snort 3.0 is officially released.)
- Sguil, Squert, and capME are removed
- Storage Nodes are now known as Search Nodes
- Incorporate new tech: TheHive, Strelka, support for Sigma rules, Grafana/influx (independent health monitoring/alerting), Fleet (osquery management), Playbook (detection playbook tool), Onion Hunt (hunting tool), Security Onion Console (PCAP collection tool)
For more information about Security Onion not contained in this Documentation, please see our community site at https://securityonion.net.
Security Onion Solutions, LLC¶
Doug Burks started Security Onion as a free and open source project in 2008 and then founded Security Onion Solutions, LLC in 2014.
Security Onion Solutions, LLC is the only official provider of hardware appliances, training, and professional services for Security Onion.
For more information about these products and services, please see our company site at https://securityonionsolutions.com.
We’ve started updating this documentation for Security Onion 2. However, please note that this is a work in progress. Many pages have not been updated yet and thus may have incorrect or missing information.
This documentation is published online at https://securityonion.net/docs/2.3. If you are viewing an offline version of this documentation but have Internet access, you might want to switch to the online version at https://securityonion.net/docs/2.3 to see the latest version.
This documentation is also available in PDF format at https://readthedocs.org/projects/securityonion/downloads/pdf/2.3/.
We welcome your contributions to our documentation! We will review any suggestions and apply them if appropriate.
If you are accessing the online version of the documentation and notice that a particular page has incorrect information, you can submit corrections by clicking the
Edit on GitHub button in the upper right corner of each page.
To submit a new page, you can submit a pull request (PR) to the 2.3 branch of the
securityonion-docs repo at https://github.com/Security-Onion-Solutions/securityonion-docs.
Pages are written in RST format and you can find several RST guides on the Internet including https://thomas-cokelaer.info/tutorials/sphinx/rest_syntax.html.
Our goal is to allow you to easily guess and type the URL of the documentation you want to go to.
To achieve this goal, new documentation pages should use the following naming convention:
- all lowercase
- ideally, the name of the page should be one simple word (for example:
- try to avoid symbols if possible
- if symbols are required, use hyphens (NOT underscores)