Install / Update / Upgrade¶
What’s the recommended procedure for installing Security Onion?¶
Please see the Installation Procedure section.
Why does the installer crash when selecting a non-English language?¶
Why do I get
Snort/Suricata/Zeek errors after upgrading the
Please see the Updating section.
Ubuntu is saying that my kernel has reached EOL (End Of Life). Should I update to the newer HWE stack?¶
Please see the HWE section.
Why does my VMware image rename
Usually this happens when you clone a VM. VMware asks if you moved it or copied it. If you select “copied”, it will change the MAC address to avoid duplication. At the next boot, Ubuntu’s udev will see a new MAC address and create a new network interface (eth1). To fix this:
sudo rm /etc/udev/rules.d/70-persistent-net.rules sudo reboot
Can I run Security Onion on Raspberry Pi or some other non-x86 box?¶
No, we only support 64-bit Intel/AMD architectures. Please see the hardware section.
What’s the difference between a
server and a
Users / Passwords¶
Support / Help¶
I submitted a message to the security-onion Google Group. Why isn’t it showing up?¶
Please see the Moderation section.
Why does rule-update fail with Error 400 when running behind a proxy?¶
Please see the Proxy#pulledpork section.
Why does rule-update fail with an error like “Error 404 when fetching s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5”?¶
The Snort Community ruleset has moved to a different URL. You can run the following command to update the Snort Community URL in
sudo sed -i 's\rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g' /etc/nsm/pulledpork/pulledpork.conf
soup fail with an error message like “find: `/usr/lib/python2.7/dist-packages/salt/’: No such file or directory”?¶
This is a bug in the salt packages that can manifest when skipping salt versions. Resolve with the following:
sudo mkdir -p /usr/lib/python2.7/dist-packages/salt/ sudo apt-get -f install sudo soup
Why does barnyard2 keep failing with errors like “Returned signature_id is not equal to updated signature_id”?¶
I just updated Snort and it’s now saying ‘ERROR: The dynamic detection library “/usr/local/lib/snort_dynamicrules/chat.so” version 1.0 compiled with dynamic engine library version 2.1 isn’t compatible with the current dynamic engine library “/usr/lib/snort_dynamicengine/libsf_engine.so” version 2.4.’¶
Run the following:
For more information, please see:
I get periodic MySQL crashes and/or error code 24 “out of resources” when searching in Sguil. How do I fix that?¶
Modern versions of Setup should set MySQL’s
open-files-limit to 90000 to avoid this problem.
Barnyard2 is failing with an error like “ERROR: sguil: Expected Confirm 13324 and got: Failed to insert 13324: mysqlexec/db server: Duplicate entry ‘9-13324’ for key ‘PRIMARY’”. How do I fix this?¶
Sometimes, just restarting Barnyard will clear this up:
Other times, restarting Sguild and then restarting Barnyard will clear it up:
sudo so-sguild-restart sudo so-sensor-restart --only-barnyard2
If that doesn’t work, then try also restarting mysql:
sudo service mysql restart sudo so-sguild-restart sudo so-sensor-restart --only-barnyard2
If that still doesn’t fix it, you may have to perform MySQL surgery on the database
securityonion_db as described in the Sguil FAQ:
Why does Snort segfault every day at 7:01 AM?¶
7:01 AM is the time of the daily PulledPork rules update. If you’re running Snort with the Snort Subscriber (Talos) ruleset, this includes updating the SO rules. There is a known issue when running Snort with the Snort Subscriber (Talos) ruleset and updating the SO rules: https://groups.google.com/d/topic/pulledpork-users/1bQDkh3AhNs/discussion
After updating the rules, Snort is restarted, and the segfault occurs in the OLD instance of Snort (not the NEW instance). Therefore, the segfault is merely a nuisance log entry and can safely be ignored.
Why does the pcap_agent log show “Error: can’t read logFile: no such variable”?¶
This usually means that there is an unexpected file in the dailylogs directory. Run the following:
You should see a bunch of date stamped directories and you may see some extraneous files. Remove any extraneous files and restart pcap_agent:
Why does Chromium display a black screen and/or crash?¶
This is a known issue with certain versions of VMware. You can either:
- go into the VM configuration and disable 3D in the video adapter OR
- upgrade the VM hardware level (may require upgrading to a new version of VMware)
Why does Zeek log
Failed to open GeoIP database and
Fell back to GeoIP Country database?¶
The GeoIP CITY database is
not free and thus we cannot include it in the distro. Zeek fails to find it and falls back to the GeoIP COUNTRY database (which is free). As long as you are seeing some country codes in your conn.log, then everything should be fine. If you really need the CITY database, see this thread for some options: https://groups.google.com/d/topic/security-onion-testing/gtc-8ZTuCi4/discussion
I’m currently running
Snort. How do I switch to
Please see the NIDS#switching-from-snort-to-suricata section.
I’m currently running
Suricata. How do I switch to
Please see the NIDS#switching-from-suricata-to-snort section.
Security Onion internals¶
Where can I read more about the tools contained within Security Onion?¶
Please see the Tools section.
Why is my disk filling up?¶
Sguil uses netsniff-ng to record full packet captures to disk. These pcaps are stored in
/etc/cron.d/sensor-clean is a cronjob that runs every minute that should delete old pcaps when the disk reaches your defined disk usage threshold (90% by default). It’s important to properly size your disk storage so that you avoid filling the disk to 100% between purges.
I just rebooted and it looks like the services aren’t starting automatically.¶
Older versions of Security Onion waited 60 seconds after boot to ensure network interfaces are fully initialized before starting services. Starting in 16.04, services should start automatically as soon as network interfaces are initialized.
What do I need to modify in order to have the log files stored on a different mount point?¶
Please see the Adding a New Disk for /nsm section.
How do I disable the graphical
Network Manager and configuring networking from the command line?¶
Please see the Network Configuration section.
I disabled some Sguil agents but they still appear in Sguil’s
Agent Status tab.¶
Please see the Disabling Processes section.
What can I do to decrease the size of my
securityonion_db (sguild) MySQL database?¶
How do I change the fonts in the Sguil client?¶
Please see the Sguil#customize-sguil-client section.
Can I be alerted when an interface stops receiving traffic?¶
Please see the Interface stops receiving traffic section.
How do I boot Security Onion to text mode (CLI instead of GUI)?¶
Please see the Disabling Desktop section.
I’m running Security Onion in a VM and the screensaver is using lots of CPU. How do I change/disable the screensaver?¶
- Click Applications.
- Click Settings.
- Click Screensaver.
- Screensaver Preferences window appears. Click the Mode dropdown and select "Disable Screen Saver" or "Blank Screen Only".
- Close the Screensaver Preferences window.
What does it mean if
sostat show a high number of
Sguil Uncategorized Events?¶
Sguild has to load uncategorized events into memory when it starts and it won’t accept connections until that’s complete. You can either:
wait for sguild to start up (may take a LONG time), then log into Sguil, and
F8LOTS of events OR
sudo so-sguild-stopand manually categorize events using
Uncategorized Eventsfrom getting too high, you should log into Sguil/Squert on a daily/weekly basis and categorize events.
Where can I find the version information for Security Onion?¶
If the machine was built with the Security Onion 16.04 ISO image, version information can be found in
Why is Security Onion connecting to an IP address on the Internet over port 123?¶
Please see the NTP section.
Should I backup my Security Onion box?¶
Network Security Monitoring as a whole is considered “best effort”. It is not a “mission critical” resource like a file server or web server. Since we’re dealing with “big data” (potentially terabytes of full packet capture), backups would be prohibitively expensive. Most organizations don’t do any backups and instead just rebuild boxes when necessary.
How can I add and test local rules?¶
Please see the Adding local rules and testing them with scapy section.
Where can I get the source code?¶
You can download the full source code for any of our packages like this:
apt-get source PACKAGE-NAME
PACKAGE-NAME is usually something like
securityonion-snort. Here’s a list of all of our packages:
How can I remote control my Security Onion box?¶
Why isn’t Squert showing GeoIP data properly?¶
If the Squert map is not showing the country for IPs, try running the following:
sudo /usr/bin/php -e /var/www/so/squert/.inc/ip2c.php 0'/
Why do I get segfaults when booting on VMware ESX?¶
How do I open rar files?¶
We’re not allowed to redistribute the unrar plugin, so you’ll need to install it manually:
sudo apt-get update sudo apt-get install unrar
How do I perform “X” in Ubuntu?¶
Security Onion is based on Ubuntu, but we don’t provide community support for the Ubuntu OS itself. If you have questions about Ubuntu, you should check the Ubuntu website, forums, and Google.
Can I connect Security Onion to Active Directory?¶
We understand the appeal of Active Directory integration, but we typically recommend against joining any security infrastructure (including Security Onion) to Active Directory. The reason is that when you get an adversary inside your network, one of their first goals is going to be gaining access to Active Directory. If they get access to Active Directory, then they get access to everything connected to Active Directory. For that reason, we recommend that all security infrastructure (including Security Onion) be totally separate from Active Directory.