FAQ¶
Install / Update / Upgrade¶
Why won’t the ISO image boot on my machine?¶
Please see the TroubleBooting section.
What’s the recommended procedure for installing Security Onion?¶
Please see the Installation section.
What languages are supported?¶
We only support the English language at this time.
What connectivity does Security Onion need to stay up to date?¶
- Ubuntu PPAs (Ubuntu Updates)
- repo.securityonion.net (CentOS Updates)
- raw.githubusercontent.com (Security Onion public key)
- sigs.securityonion.net (Signature files for Security Onion containers)
- ghcr.io (Container downloads)
- rules.emergingthreatspro.com (ET IDS rules)
- www.snort.org (Paid snort ruleset)
- github.com (Strelka and Sigma rules updates)
- notary.kolide.co (osquery agent update)
- download.docker.com (Docker packages - Ubuntu only)
- repo.saltstack.com (Salt packages - Ubuntu only)
- packages.wazuh.com (Wazuh packages - Ubuntu only)
What do I need to do if I’m behind a proxy?¶
Please see the Proxy Configuration section.
Can I run Security Onion on Raspberry Pi or some other non-x86 box?¶
No, we only support 64-bit Intel/AMD architectures. Please see the Hardware Requirements section.
Support / Help¶
Where do I send questions/problems/suggestions?¶
Please see the Community Support section.
Is commercial support available for Security Onion?¶
IDS engines¶
Security Onion internals¶
Where can I read more about the tools contained within Security Onion?¶
Please see the Tools section.
What’s the directory structure of /nsm?¶
Please see the Directory Structure section.
Why does Security Onion use UTC?¶
Please see the UTC and Time Zones section.
Why are the timestamps in Kibana not in UTC?¶
Please see the UTC and Time Zones section.
Why is my disk filling up?¶
Security Onion records full packet capture to disk via Stenographer.
Tuning¶
How do I configure email for alerting and reporting?¶
Please see the Email Configuration section.
What do I need to modify in order to have the log files stored on a different mount point?¶
Please see the Adding a new disk section.
Miscellaneous¶
Where can I find interesting pcaps to replay?¶
Please see the PCAPs for Testing section.
Why is Security Onion connecting to an IP address on the Internet over port 123?¶
Please see the NTP section.
Should I backup my Security Onion box?¶
Network Security Monitoring as a whole is considered “best effort”. It is not a “mission critical” resource like a file server or web server. Since we’re dealing with “big data” (potentially terabytes of full packet capture), backups would be prohibitively expensive. Most organizations don’t do any backups and instead just rebuild boxes when necessary.
How can I add and test local rules?¶
Please see the Adding Local Rules section.
Can I connect Security Onion to Active Directory or LDAP?¶
We understand the appeal of integrating with directory services like Active Directory and LDAP, but we typically recommend against joining any security infrastructure (including Security Onion) to directory services. The reason is that when you get an adversary inside your network, one of their first goals is going to be gaining access to that directory. If they get access to the directory, then they get access to everything connected to the directory. For that reason, we recommend that all security infrastructure (including Security Onion) be totally separate from directory services.