Use Cases

Security Onion is designed for many different use cases. When you run Setup, it will ask you whether you want Evaluation Mode or Production Mode, and each mode presents different options that apply to different use cases. Here are just a few examples.

Classroom

Evaluation Mode is ideal for classroom or small lab environments.

Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, and then choose Evaluation Mode.

For more information, please see the Quick Evaluation section.

Pcap Forensics

Need to review a pcap with its original timestamps preserved? Install Security Onion in Evaluation Mode as described above and then run so-import-pcap against the pcap file. The packets are processed using the timestamps recorded in the capture rather than the time of import, so look for the resulting alerts and logs in the capture's original time range, not at the time you ran the import.
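Before importing, it helps to know what time range a capture actually covers, since that is where the imported events will appear. The script below is an added example for this page, not Security Onion's code and not how so-import-pcap itself works: it checks that a file is in classic libpcap format (so-import-pcap does not take pcapng or corrupt input any better than anything else), walks the packet records, and reports the packet count and the first and last packet timestamps in UTC. The two-packet capture it builds when run without arguments is constructed inline for demonstration.

```python
"""Summarise a pcap's own time range before importing it (added example)."""
import struct
import sys
from datetime import datetime, timezone

# libpcap global-header magic as read little-endian from the first 4 bytes,
# mapped to (struct byte-order prefix, timestamp fraction units per second).
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanoseconds
}


def pcap_time_range(data):
    """Walk the packet records of a classic libpcap file and return a summary."""
    if len(data) < 24:
        raise ValueError("shorter than a libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not classic libpcap (pcapng or corrupt): magic 0x%08x" % magic)
    endian, units = PCAP_MAGICS[magic]
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes).
    _, vmaj, vmin, _zone, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off, count, first, last, truncated = 24, 0, None, None, False
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (16 bytes), then incl_len bytes.
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            truncated = True  # the record claims more bytes than the file holds
            break
        off += 16 + incl_len
        ts = ts_sec + ts_frac / units
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        count += 1
    if off != len(data):
        truncated = True  # trailing bytes that do not form a complete record
    return {"version": (vmaj, vmin), "linktype": linktype, "snaplen": snaplen,
            "packets": count, "first": first, "last": last, "truncated": truncated}


def describe(summary):
    """One-line human-readable form of pcap_time_range()'s result, times in UTC."""
    def utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    if summary["packets"] == 0:
        return "no complete packets" + (" (file truncated)" if summary["truncated"] else "")
    return "%d packets, %s to %s%s" % (
        summary["packets"], utc(summary["first"]), utc(summary["last"]),
        " (file truncated)" if summary["truncated"] else "")


def build_sample_pcap(endian="<", nanoseconds=False):
    """Constructed two-packet capture: 2017-07-14 02:40:00 UTC and 60.5 s later."""
    magic = 0xA1B23C4D if nanoseconds else 0xA1B2C3D4
    units = 1_000_000_000 if nanoseconds else 1_000_000
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    payload = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00"  # constructed 14-byte Ethernet header
    for sec, frac in ((1_500_000_000, 0), (1_500_000_060, units // 2)):
        out += struct.pack(endian + "IIII", sec, frac, len(payload), len(payload)) + payload
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pcap()
    print(describe(pcap_time_range(data)))
```

Run it with the path of the capture you intend to import; a truncated file is reported rather than silently giving a shorter range, and a pcapng file is rejected with an error so you can convert it first. The import itself is still done with so-import-pcap as described above.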

Production Server - Standalone

Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, choose Production Mode, choose New Deployment, and enable network sensor services.

For more information, please see the Production Deployment section.

Production Server - Distributed Deployment

Install Security Onion on the master server box. Run Setup and configure network interfaces. Reboot, run Setup again, choose Production Mode, and then choose New Deployment.

Install Security Onion on one or more sensor nodes and then, on each one: run Setup, configure network interfaces, reboot, run Setup again, choose Production Mode, and then choose Existing Deployment to join the node to the master server.

For more information, please see the Production Deployment section.

Analyst VM

If you’ve built a Production Server as described above, you may want to connect to it using an Analyst VM. Install Security Onion in a VM on your local desktop or laptop. You do NOT need to run Setup in the Analyst VM since this VM won’t be running any services, only applications such as Sguil, Wireshark, NetworkMiner, and a web browser.

For more information, please see the Analyst-VM section.

Sending Logs to Separate SIEM

You can install Security Onion and then configure it to send logs to a separate SIEM.

For more information, please see the Syslog Output section.