
Peeling the onion — Security Onion OS

March 25, 2019 by Susan Morrow

In a world where security threats feel out of control, security professionals need help to do their job. Security tools are an important part of their armory, and there is plenty of choice, including open-source enterprise toolkits. The question is whether you build your own setup or turn to a packaged solution that gives you what you need to tackle cyberthreats.

Security Onion is a Linux distro based on Ubuntu that contains a wide spectrum of security tools. It is so named because those tools are layered, each adding a defensive or analytical capability on top of the one below it. When you install Security Onion, you are effectively building a defensive network monitoring and threat-hunting platform.


Security Onion is described by its developers as a Network Security Monitoring (NSM) platform that “provides context, intelligence and situational awareness of your network.”

Although Security Onion is free and open-source, there is a company associated with it, Security Onion Solutions, which offers related services, training and products.

What is Security Onion?

Security Onion bundles a variety of security tools covering:

  • Intrusion detection
  • Enterprise security monitoring
  • Log management

These layers can be grouped into three broad areas:

Full packet capture

Security Onion uses netsniff-ng to record to disk all of the traffic seen on its sensor interfaces, so that any alert can later be examined against the full packets that triggered it rather than just a summary.

Network-Based and Host-Based Intrusion Detection Systems (NIDS and HIDS)

  • NIDS method 1: Rules-driven, using Snort or Suricata. These engines match traffic against rule signatures that describe known malicious patterns (specific byte sequences, protocol fields, known bad hosts) and raise an alert on a match. They catch only what a rule already describes, so they depend on keeping rulesets current
  • NIDS method 2: Analysis-driven, using Bro (now called Zeek), a network analysis framework that parses the protocols it sees and writes structured logs of what happened. The logs cover many aspects of a network, including SSL certificates, DNS requests, syslog activity and more. Bro can also extract files carried over common protocols such as HTTP, FTP and SMTP, compute an MD5 or SHA-1 hash of each file and check that hash against the Team Cymru Malware Hash Registry, a registry of hashes of known malware samples
  • HIDS: Security Onion's host-based IDS is Wazuh, whose agent is installed on the endpoints you want to monitor. Wazuh performs log analysis, file integrity checking, rootkit detection and real-time alerting, and reports its findings to the Wazuh manager running on the Security Onion server
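
To make the hash check concrete, here is an added Python example (not Zeek's or Security Onion's own code) of what the analysis-driven path does with a downloaded file: hash the reassembled file body, build the DNS name used to query the Team Cymru Malware Hash Registry (<hash>.malware.hash.cymru.com), and interpret the TXT answer, which carries a last-seen timestamp and a detection percentage. The file content and the DNS answer are constructed so the example runs offline, and the verdict threshold is an assumption of this example rather than an MHR or Zeek setting.

```python
"""Hash-based file check in the style of Bro/Zeek's Team Cymru Malware Hash
Registry (MHR) lookup.  Added example; not Security Onion or Zeek code."""
import hashlib
from typing import Optional, Dict

# Hypothetical file body, constructed for the example (looks like a PE stub).
SAMPLE_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."

MHR_ZONE = "malware.hash.cymru.com"


def file_hashes(data: bytes) -> Dict[str, str]:
    """Return the MD5 and SHA-1 hex digests of a file body, as a NIDS that
    has reassembled a download would compute them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def mhr_query_name(hexdigest: str) -> str:
    """Build the DNS name used to query the MHR: <hash>.malware.hash.cymru.com.
    The registry accepts MD5 (32 hex chars) and SHA-1 (40 hex chars) digests."""
    h = hexdigest.lower()
    if len(h) not in (32, 40) or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a hex MD5 (32) or SHA-1 (40) digest")
    return f"{h}.{MHR_ZONE}"


def parse_mhr_txt(txt: Optional[str]) -> Optional[Dict[str, int]]:
    """Parse an MHR TXT answer of the form '<last_seen_unix_time> <detection_pct>'.
    No answer (NXDOMAIN) means the hash is not known to the registry."""
    if txt is None:
        return None
    parts = txt.strip().strip('"').split()
    if len(parts) != 2:
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    return {"last_seen": int(parts[0]), "detection_pct": int(parts[1])}


def classify(answer: Optional[Dict[str, int]], threshold: int = 5) -> str:
    """Turn a parsed answer into an analyst-facing verdict.  The threshold is
    an assumption for this example, not an MHR or Zeek setting."""
    if answer is None:
        return "unknown"
    return "malicious" if answer["detection_pct"] >= threshold else "low-confidence"


if __name__ == "__main__":
    hashes = file_hashes(SAMPLE_FILE)
    print("query name:", mhr_query_name(hashes["md5"]))
    # Offline: a constructed TXT answer stands in for the real DNS reply.
    print("verdict:", classify(parse_mhr_txt('"1221154281 53"')))
    print("verdict for unknown hash:", classify(parse_mhr_txt(None)))
```

In a live deployment the query name is resolved with an ordinary DNS TXT lookup; the point to keep in mind is that an "unknown" verdict says only that the registry has not seen the hash, not that the file is clean.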

Analysis tools

The data captured by the NIDS and HIDS tools can be analyzed with four analysis tools:

  • Sguil: An analyst console that provides visibility of the captured data. It pulls together alerts from Snort or Suricata and Wazuh and gives each alert context, such as the rule that fired and the packet data behind it, so you can decide whether it matters. It also has collaboration features, so you can work with team members on an investigation
  • Squert: A web interface for the Sguil database. It adds visualizations, including time-series views and logical grouping of events, and integrates with CapMe
  • Kibana: From the folks at Elastic. This tool pulls the logs and event data (including syslog events) together into a single pane
  • CapMe: Allows you to view PCAP transcripts of a session and download the full PCAP file for it


When would you use Security Onion?

The Security Onion project identifies a number of deployment scenarios it is suited to. These include:

  • As a learning tool: Installed in Evaluation Mode, a simplified setup in which the wizard walks you through configuring the network interfaces, so you can try the tools on a single machine before designing a production deployment
  • PCAP forensics: PCAP (packet capture) files are recordings of the packets seen on a network interface, each with a timestamp and length. Security Onion can import them for after-the-fact analysis of traffic and of the network's characteristics
  • As a production server: Either standalone (all roles on one box) or distributed (a master server with separate sensor nodes)
  • Analyst VM: As a virtual machine set up as an analyst workstation, so that digital forensics and packet analysis are done away from the production sensors
  • To populate a SIEM: As a source of events for an external SIEM system.
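
The PCAP forensics point is easier to see with the file format in hand. This added Python example (not Security Onion's code, which relies on netsniff-ng and tcpdump-compatible tools) writes a tiny classic-format pcap file in memory from constructed Ethernet/IPv4 frames, parses it back into timestamped records with addresses, protocol and ports, and counts conversations. The addresses, timestamps and payloads are constructed for the example; the parser handles only the Ethernet link type and IPv4, and stops with an error on a truncated record, which is what you see when a sensor was stopped mid-write.

```python
"""Minimal libpcap (classic pcap) writer and parser.  Added example, not
Security Onion code: it shows that a PCAP holds timestamped packet records,
not files.  Builds a small capture in memory so it runs offline."""
import socket
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4       # magic as read little-endian from an LE file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # what an LE read of a big-endian file yields
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def build_ipv4_packet(src: str, dst: str, proto: int,
                      sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with a TCP (6) or UDP (17) header.
    Checksums are left zero: enough for parsing, not for sending."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    if proto == 6:    # ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:  # ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are constructed here")
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + payload


def build_pcap(packets: List[Tuple[int, int, bytes]]) -> bytes:
    """Write a little-endian pcap: global header, then one record per
    (ts_sec, ts_usec, frame) with incl_len == orig_len (no snapping)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes) -> List[Dict]:
    """Walk the records and decode each Ethernet/IPv4 frame into src, dst,
    proto and (for TCP/UDP) ports, alongside the record timestamp and lengths."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _, _, _, _, _snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example parser handles only the Ethernet link type")
    pos, records = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        if len(frame) < incl_len:   # sensor stopped mid-write, or a corrupt file
            raise ValueError("truncated record at offset %d" % (pos - 16))
        pos += incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len, "orig_len": orig_len}
        if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
            ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes
            proto = frame[23]                      # IP header byte 9: protocol
            rec.update({"src": socket.inet_ntoa(frame[26:30]),
                        "dst": socket.inet_ntoa(frame[30:34]),
                        "proto": proto})
            l4 = frame[14 + ihl:]
            if proto in (6, 17) and len(l4) >= 4:
                rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        records.append(rec)
    return records


def conversations(records: List[Dict]) -> Dict[Tuple, int]:
    """Count packets per (src, dst, proto, dport): the first pivot an analyst
    makes when triaging a capture."""
    counts: Dict[Tuple, int] = {}
    for r in records:
        if "src" in r:
            key = (r["src"], r["dst"], r["proto"], r.get("dport"))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed capture: two DNS queries and one HTTP request (TEST-NET address).
SAMPLE_PCAP = build_pcap([
    (1553500000, 0,      build_ipv4_packet("10.0.0.5", "10.0.0.1", 17, 53123, 53, b"dns-query-1")),
    (1553500000, 250000, build_ipv4_packet("10.0.0.5", "10.0.0.1", 17, 53124, 53, b"dns-query-2")),
    (1553500001, 0,      build_ipv4_packet("10.0.0.5", "192.0.2.10", 6, 40000, 80, b"GET / HTTP/1.1\r\n")),
])

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    for r in recs:
        print(r)
    print(conversations(recs))
```

Point parse_pcap at the bytes of a real capture from a sensor and the same loop applies; for pcapng files, or link types other than Ethernet, you need tcpdump, Wireshark or a full library rather than this parser.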

Kali Linux — A brief comparison with Security Onion

Where Security Onion's tools are defensive and analytical, Kali Linux takes the offensive approach: penetration testing and security research. Kali is a Debian-based Linux distribution built specifically for penetration testing and security auditing, with more than 600 tools packaged into the build.

Some Pros and Cons

  • Security Onion pros: It has an active community, and the project updates it regularly
  • Kali Linux pros: It has wireless device support and multi-language support
  • Security Onion cons: It has a steep learning curve. Administrators need to learn how to use the individual tools well to get the full benefit, and it currently supports only English
  • Kali Linux cons: Users need a solid understanding of penetration testing techniques and a deep understanding of the Linux OS

Security Onion is much more an enterprise monitoring and analysis platform. It gives you an inside view of what is going on across your network, and a security professional who knows how to interpret event data will get real benefit from it. If you feed Security Onion's outputs into your enterprise SIEM, you get a useful, correlated view of network security events.

If you work as a penetration tester or ethical hacker, Kali Linux is a much better choice than Security Onion. Kali offers tools for vulnerability scanning, exploitation, wireless attacks and web application testing, and includes various forensic tools.

Is Security Onion for you?

By the admission of its own developers, Security Onion is not a universal panacea for security. Administrators need to work with the system to get the most out of it, and the security professionals using it need the experience and knowledge to analyze alerts properly and act on what they find. Kali Linux, however, is a different kettle of fish: it is a hacking box of tricks for carrying out penetration testing across a network.

Further still, a number of security professionals prefer to “roll their own” toolset, mixing and matching the security tools that work for them. One starting point for that approach is the Network Security Toolkit (NST), a Fedora-based live distribution that bundles many of the most widely used open-source network security tools.

Which distro you choose as a security professional depends on the tasks you focus on. As a penetration tester or ethical hacker, Kali Linux is your weapon of choice. If you work in an enterprise and need to monitor and analyze a variety of network traffic and events, Security Onion offers some very useful tools.


Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.