Use Cases

Security Onion is designed for many different use cases! Here are just a few examples.

Pcap Forensics

One of the easiest ways to get started with Security Onion is using it to forensically analyze one or more pcap files. Just install Security Onion and then run so-import-pcap on one or more of the pcap files in /opt/samples/. For example, to import the 2019 pcaps in /opt/samples/mta/:

sudo so-import-pcap /opt/samples/mta/2019*

For more information, please see the so-import-pcap section.

Evaluation

Evaluation Mode is ideal for classroom or small lab environments.

Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, and then choose Evaluation Mode.

For more information, please see the Quick Evaluation section.

Minimal Evaluation

If you have have a classroom or small lab environment with minimal RAM, you might want to try Minimal Evaluation mode using sosetup-minimal. This mode gives you the bare minimum log parsing for IDS alerts and Bro logs in JSON format. It therefore requires less RAM than traditional Evaluation Mode.

Install Security Onion. Run sosetup-minimal and configure network interfaces. Reboot, run sosetup-minimal again, and then choose Evaluation Mode.

For more information, please see the Quick Evaluation section.

Production Server - Standalone

Install Security Onion. Run Setup and configure network interfaces. Reboot, run Setup again, choose Production Mode, choose New Deployment, and enable network sensor services.

For more information, please see the Production Deployment section.

Production Server - Distributed Deployment

Install Security Onion on the master server box. Run Setup and configure network interfaces. Reboot, run Setup again, choose Production Mode, and then choose New Deployment.

Install Security Onion on one or more nodes and then on each one: run Setup, configure network interfaces, reboot, run Setup again, choose Production Mode, and then choose Existing Deployment to join to master.

For more information, please see the Production Deployment section.

Analyst VM

If you’ve built a Production Server as described above, you may want to connect to it using an Analyst VM. Install Security Onion in a VM on your local desktop or laptop. You do NOT need to run Setup in the Analyst VM since this VM won’t be running any services, only applications such as Sguil, Wireshark, NetworkMiner, and a web browser.

For more information, please see the Analyst-VM section.

Sending Logs to Separate SIEM

You can install Security Onion and then configure it to send logs to a separate SIEM.

For more information, please see the Syslog Output section.