Install / Update / Upgrade

Why won’t the ISO image boot on my machine?

Please see the TroubleBooting section.

Why does the installer crash when selecting a non-English language?

We only support the English language at this time:

Why can’t I see the Continue button on the Keyboard Layout screen of the installer?

The Keyboard Layout screen may be larger than your screen resolution and so the Continue button may be off the screen to the right( as shown in https://launchpadlibrarian.net/207213663/Screenshot_wilyi386deskmanual_2015-05-22_13%3A05%3A41.png). You can simply slide the window over until you see the Continue button. For more information, please see https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1458039.

How do I install Security Onion updates?

Please see the Upgrade Procedure section.

Why do I get Snort/Suricata/Bro errors after upgrading the kernel and pfring packages?

Please see the Updating section.

What do I need to do if I’m behind a proxy?

Please see the Proxy Configuration section.

Ubuntu is saying that my kernel has reached EOL (End Of Life). Should I update to the newer HWE stack?

Please see the HWE section.

Why does my VMware image rename eth0 to eth1?

Usually this happens when you clone a VM. VMware asks if you moved it or copied it. If you select “copied”, it will change the MAC address to avoid duplication. At the next boot, Ubuntu’s udev will see a new MAC address and create a new network interface (eth1). To fix this:

sudo rm /etc/udev/rules.d/70-persistent-net.rules
sudo reboot

Can I run Security Onion on Raspberry Pi or some other non-x86 box?

No, we only support 64-bit Intel/AMD architectures. Please see the hardware section.

What’s the difference between a server and a sensor?

Definition: A physical or virtual machine running the Security Onion operating system.

Definition: A set of processes that receive data from sensors and allow analysts to see and investigate that data. The set of processes includes sguild, mysql, and optionally the Elastic stack (Elasticsearch, Logstash, Kibana) and Curator. The server is also responsible for ruleset management.
Naming convention: The collection of server processes has a server name separate from the hostname of the box. Security Onion always sets the server name to securityonion.
Configuration files: /etc/nsm/securityonion/
Controlled by: /usr/sbin/nsm_server

server box
Definition: A machine running the server processes. May optionally be running sensor processes.
Example 1: User runs Quick Setup on machine with hostname securityonion and two ethernet interfaces. Setup creates a server and two sensors (securityonion-eth0 and securityonion-eth1).
Example 2: User runs Advanced Setup and chooses Server. Setup creates a server only (no sensor processes).

Definition: A set of processes listening on a network interface. The set of processes currently includes Snort/Suricata, netsniff-ng, and bro (although this is in constant flux as we add new capabilities and find better tools for existing capabilities).
Naming convention: $HOSTNAME-$INTERFACE
Configuration files: /etc/nsm/$HOSTNAME-$INTERFACE/
Example: sensor1-eth0
Controlled by: /usr/sbin/nsm_sensor

sensor box
Definition: A machine having one or more sensors that transmit to a central server. Does not run server processes. Pulls ruleset from server box. (In some contexts, I refer to this a slave pulling rules from the master.)
Example: A machine named sensor1 having sensors sensor1-eth0 and sensor1-eth1.

Users / Passwords

What is the password for root/mysql/Sguil/Squert/Kibana?

Please see the Passwords section.

How do I add a new user account for logging into Sguil/Squert/Kibana?

Please see the Adding Sguil accounts section.

Support / Help

Where do I send questions/problems/suggestions?

security-onion Google Group

I submitted a message to the security-onion Google Group. Why isn’t it showing up?

Please see the Moderation section.

Is commercial support available for Security Onion?

Error messages

Why does rule-update fail with Error 400 when running behind a proxy?

Please see the Proxy#pulledpork section.

Why does rule-update fail with an error like “Error 404 when fetching s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5”?

The Snort Community ruleset has moved to a different URL. You can run the following command to update the Snort Community URL in pulledpork.conf:

sudo sed -i 's\rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g' /etc/nsm/pulledpork/pulledpork.conf

Why does soup fail with an error message like “find: `/usr/lib/python2.7/dist-packages/salt/’: No such file or directory”?

This is a bug in the salt packages that can manifest when skipping salt versions. Resolve with the following:

sudo mkdir -p /usr/lib/python2.7/dist-packages/salt/
sudo apt-get -f install
sudo soup

Why does barnyard2 keep failing with errors like “Returned signature_id is not equal to updated signature_id”?

I just updated Snort and it’s now saying ‘ERROR: The dynamic detection library “/usr/local/lib/snort_dynamicrules/chat.so” version 1.0 compiled with dynamic engine library version 2.1 isn’t compatible with the current dynamic engine library “/usr/lib/snort_dynamicengine/libsf_engine.so” version 2.4.’

Run the following:

sudo rule-update

For more information, please see:


I get periodic MySQL crashes and/or error code 24 “out of resources” when searching in Sguil. How do I fix that?

Modern versions of Setup should set MySQL’s open-files-limit to 90000 to avoid this problem.

Barnyard2 is failing with an error like “ERROR: sguil: Expected Confirm 13324 and got: Failed to insert 13324: mysqlexec/db server: Duplicate entry ‘9-13324’ for key ‘PRIMARY’”. How do I fix this?

Sometimes, just restarting Barnyard will clear this up:

sudo so-barnyard-restart

Other times, restarting Sguild and then restarting Barnyard will clear it up:

sudo so-sguild-restart
sudo so-sensor-restart --only-barnyard2

If that doesn’t work, then try also restarting mysql:

sudo service mysql restart
sudo so-sguild-restart
sudo so-sensor-restart --only-barnyard2

If that still doesn’t fix it, you may have to perform MySQL surgery on the database securityonion_db as described in the Sguil FAQ: http://nsmwiki.org/Sguil_FAQ#Barnyard_dies_at_startup.2C_with_.22Duplicate_Entry.22_error

Why does Snort segfault every day at 7:01 AM?

7:01 AM is the time of the daily PulledPork rules update. If you’re running Snort with the Snort Subscriber (Talos) ruleset, this includes updating the SO rules. There is a known issue when running Snort with the Snort Subscriber (Talos) ruleset and updating the SO rules: https://groups.google.com/d/topic/pulledpork-users/1bQDkh3AhNs/discussion

After updating the rules, Snort is restarted, and the segfault occurs in the OLD instance of Snort (not the NEW instance). Therefore, the segfault is merely a nuisance log entry and can safely be ignored.

Why does the pcap_agent log show “Error: can’t read logFile: no such variable”?

This usually means that there is an unexpected file in the dailylogs directory. Run the following:

ls /nsm/sensor_data/*/dailylogs/

You should see a bunch of date stamped directories and you may see some extraneous files. Remove any extraneous files and restart pcap_agent:

sudo so-pcap-agent-restart

Why does Chromium display a black screen and/or crash?

This is a known issue with certain versions of VMware. You can either:

  • go into the VM configuration and disable 3D in the video adapter OR
  • upgrade the VM hardware level (may require upgrading to a new version of VMware)

Why does Bro log Failed to open GeoIP database and Fell back to GeoIP Country database?

The GeoIP CITY database is not free and thus we cannot include it in the distro. Bro fails to find it and falls back to the GeoIP COUNTRY database (which is free). As long as you are seeing some country codes in your conn.log, then everything should be fine. If you really need the CITY database, see this thread for some options: https://groups.google.com/d/topic/security-onion-testing/gtc-8ZTuCi4/discussion

Why does soup tell me I need a Secure Boot key?

Please see the Secure Boot section. | | | back to top | |

IDS engines

I’m currently running Snort. How do I switch to Suricata?

Please see the NIDS#switching-from-snort-to-suricata section.

I’m currently running Suricata. How do I switch to Snort?

Please see the NIDS#switching-from-suricata-to-snort section.

Can Security Onion run in IPS mode?

Please see the NIDS#NIPS section.

back to top

Security Onion internals

Where can I read more about the tools contained within Security Onion?

Please see the Tools section.

What’s the directory structure of /nsm?

Please see the /nsm Directory Structure section.

Why does Security Onion use UTC?

Please see the UTC and Time Zones section.

Why are the timestamps in Kibana not in UTC?

Please see the UTC and Time Zones section.

Why is my disk filling up?

Sguil uses netsniff-ng to record full packet captures to disk. These pcaps are stored in nsm/sensor_data/$HOSTNAME-$INTERFACE/dailylogs/. /etc/cron.d/sensor-clean is a cronjob that runs every minute that should delete old pcaps when the disk reaches your defined disk usage threshold (90% by default). It’s important to properly size your disk storage so that you avoid filling the disk to 100% between purges.

I just rebooted and it looks like the services aren’t starting automatically.

Older versions of Security Onion waited 60 seconds after boot to ensure network interfaces are fully initialized before starting services. Starting in 16.04, services should start automatically as soon as network interfaces are initialized.

Why do apt-get and the Update Manager show tcl8.5 as held back?

Please see the tcl section. | | | back to top | |


What do I need to tune if I’m monitoring VLAN tagged traffic?

Please see the VLAN Traffic section.

How do I configure email for alerting and reporting?

Please see the Email section.

How do I configure a BPF for Snort/Suricata/Bro/netsniff-ng/prads?

Please see the BPF section.

How do I filter traffic?

Please see the BPF section.

How do I exclude traffic?

Please see the BPF section.

What are the default firewall settings and how do I change them?

Please see the Firewall section.

What do I need to modify in order to have the log files stored on a different mount point?

Please see the Adding a New Disk for /nsm section.

How do I disable the graphical Network Manager and configuring networking from the command line?

Please see the Network Configuration section.

How do I enable/disable processes?

Please see the Disabling Processes section.

I disabled some Sguil agents but they still appear in Sguil’s Agent Status tab.

Please see the Disabling Processes section.

What can I do to decrease the size of my securityonion_db (sguild) MySQL database?

You can lower the DAYSTOKEEP setting in /etc/nsm/securityonion.conf.
Also see UNCAT_MAX:

How do I change the fonts in the Sguil client?

Please see the Sguil#customize-sguil-client section.

Can I be alerted when an interface stops receiving traffic?

Please see the Interface stops receiving traffic section.

How do I boot Security Onion to text mode (CLI instead of GUI)?

Please see the Disabling Desktop section.

I’m running Security Onion in a VM and the screensaver is using lots of CPU. How do I change/disable the screensaver?

  1. Click Applications.
  2. Click Settings.
  3. Click Screensaver.
  4. Screensaver Preferences window appears. Click the Mode dropdown and select "Disable Screen Saver" or "Blank Screen Only".
  5. Close the Screensaver Preferences window.

sostat output

What does it mean if sostat show a high number of Sguil Uncategorized Events?

Sguild has to load uncategorized events into memory when it starts and it won’t accept connections until that’s complete. You can either:

  • wait for sguild to start up (may take a LONG time), then log into Sguil, and F8 LOTS of events OR

  • stop sguild

    sudo so-sguild-stop
    and manually categorize events using mysql
    lower your DAYSTOKEEP setting in /etc/nsm/securityonion.conf and run
    sudo sguil-db-purge

    To keep Uncategorized Events from getting too high, you should log into Sguil/Squert on a daily/weekly basis and categorize events.


Where can I find the version information for Security Onion?

If the machine was built with the Security Onion 16.04 ISO image, version information can be found in /etc/PinguyBuilder.conf.

Where can I find interesting pcaps to replay?

Please see the Pcaps section.

Why is Security Onion connecting to an IP address on the Internet over port 123?

Please see the NTP section.

Should I backup my Security Onion box?

Network Security Monitoring as a whole is considered “best effort”. It is not a “mission critical” resource like a file server or web server. Since we’re dealing with “big data” (potentially terabytes of full packet capture), backups would be prohibitively expensive. Most organizations don’t do any backups and instead just rebuild boxes when necessary.

How can I add and test local rules?

Please see the Adding local rules and testing them with scapy section.

Where can I get the source code?

You can download the full source code for any of our packages like this:

apt-get source PACKAGE-NAME

where PACKAGE-NAME is usually something like securityonion-snort. Here’s a list of all of our packages: | https://launchpad.net/~securityonion/+archive/stable

How can I remote control my Security Onion box?

A few options:
“ssh -X” - any program started in the SSH session will be displayed on your local desktop (requires a local X server)
xrdp - sudo apt-get install xrdp - requires an rdp client

Why isn’t Squert showing GeoIP data properly?

If the Squert map is not showing the country for IPs, try running the following:

sudo /usr/bin/php -e /var/www/so/squert/.inc/ip2c.php 0'/

Why do I get segfaults when booting on VMware ESX?

This is a known issue with Ubuntu 10.04 and ESXi 4.1 and is unrelated to Security Onion. Please see:

How do I run ntopng on Security Onion?

Please see the Deploying NtopNG section.

How do I open rar files?

We’re not allowed to redistribute the unrar plugin, so you’ll need to install it manually:

sudo apt-get update
sudo apt-get install unrar

How do I perform “X” in Ubuntu?

Security Onion is based on Ubuntu, but we don’t provide community support for the Ubuntu OS itself. If you have questions about Ubuntu, you should check the Ubuntu website, forums, and Google.

back to top