Security Onion Review | LAS 331

Security Onion Review | LAS 331

Security Onion can turn you into a network super warrior, with its easy to setup IDS, Network Syslog, and more. We’ll show you how to take advantage of some of the best tools in open source, from beginner to expert!

Plus a great new game for Linux, Uselessd looks needed but is stirring up drama, why Gnome 3.14 will be the best Gnome yet & more!

Thanks to:




HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Security Onion


Brought to you by: System76

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Based on Ubuntu 12.04:
+ FAQ – security-onion – Frequently Asked Questions – Security Onion is a Linux distro for IDS, NSM, and log management. – Google Project Hosting

We have no immediate plans to move to Ubuntu 14.04. Ubuntu 12.04 should be fully supported until April 2017:

Core Components

Security Onion seamlessly weaves together three core functions: full packet capture, network-based and host-based intrusion detection intrusion detection systems (NIDS and HIDS, respectively), and powerful analysis tools.

Full-packet capture is accomplished via netsniff-ng (, “the packet sniffing beast”. netsniff-ng captures all the traffic your Security Onion sensors see and stores as much of it as your storage solution will hold (Security Onion has a built-in mechanism to purge old data before your disks fill to capacity). Full packet capture is like a video camera for your network, but better because not only can it tell us who came and went, but also exactly where they went and what they brought or took with them (exploit payloads, phishing emails, file exfiltration). It’s a crime scene recorder that can tell us a lot about the victim and the white chalk outline of a compromised host on the ground. T

Deployment Scenarios

Security Onion is built on a distributed client-server model. A Security Onion “sensor” is the client and a Security Onion “server” is, well, the server. The server and sensor components can be run on a single physical machine or virtual machine, or multiple sensors can be distributed throughout an infrastructure and configured to report back to a designated server. An analyst connects to the server from a client workstation (typically a Security Onion virtual machine installation) to execute queries and retrieve data.

The following are the three Security Onion deployment scenarios:

  • Standalone: A standalone installation consists of a single physical or virtual machine running both the server and sensor components and related processes. A standalone installation can have multiple network interfaces monitoring different network segments. A standalone installation is the easiest and most convenient method to monitor a network or networks that are accessible from a single location.

  • Server-sensor: A server-sensor installation consists of a single machine running the server component with one or more separate machines running the sensor component and reporting back to the server. The sensors run all of the sniffing processes and store the associated packet captures, IDS alerts, and databases for Sguil; Snorby and ELSA. The analyst connects to the server from a separate client machine and all queries sent to the server are distributed to the appropriate sensor(s), with the requested information being directed back to the client. This model reduces network traffic by keeping the bulk of the collected data on the sensors until requested by the analyst’s client. All traffic between the server and sensors and client and server are protected with SSH encrypted tunnels.

  • Hybrid: A hybrid installation consists of a standalone installation that also has one or more separate sensors reporting back to the server component of the standalone machine.

The Security Onion setup script allows you to easily configure the best installation scenario to suit your needs.

Install is as simple as installing Ubuntu:

Once Setup an easy to use GUI configures the basics:

Security Onion’s Great Tools:

Sguil – Open Source Network Security Monitoring

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

Snorby – All About Simplicity

Snorby brings your existing and new network securits
monitoring data to life with a suite of beautiful, relevant, and, most importantly, actionable metrics. Share data like sensor activity comparisons or your most active signatures directly with your constituents with daily, weekly, monthly, and ad-hoc PDF reports.

the squertproject

Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

enterprise-log-search-and-archive – Enterprise log search and archive (ELSA) is an industrial-strength solution for centralized log management.

ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.

Further Study:

Doug Burks – YouTube


Runs Linux

The Connected Wheelchair Project, Runs Linux

Desktop App Pick

Angry IP Scanner

Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.

It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.

It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.

Wasteland 2 on Steam

The Wasteland series impressive and innovative lineage has been preserved at its very core, but modernized for the fans of today with Wasteland 2. Immerse yourself in turn-based tactical combat that will test the very limits of your strategy skills as you fight to survive a desolate world where brute strength alone isn’t enough to save…

4K Stogram | Export, Download and Backup your Instagram photos

4K Stogram is an Instagram Downloader for PC, Mac and Linux. The program allows you to download and backup Instagram photos and videos, even from private accounts. Just enter Instagram user name or photo link and press ‘Follow user’ button. Open up wide new vistas of imagery all from your desktop.

Weekly Spotlight

Jupiter Broadcasting Jacket

Sport your favorite Linux Action Show logo on a comfy new jacket just in time for Fall (or Spring if you are from down under). This is a limited run jacket for just 8 days so buy it now, especially if you want it in time to wear to Ohio Linux Fest!

— NEWS —

Red Hat Buys FeedHenry For $82M To Add Mobile App Development To Its Platform

Some big news today for Red Hat, the open source company that provides a platform for application development and other platform as a service solutions: It is buying FeedHenry, an Ireland-based provider of a platform for mobile app developers, specifically for enterprises to build apps. In a statement on the acquisition, Red Hat says it will be paying €63.5 million ($82 million) in cash for FeedHenry. The deal is expected to close in Q3 (as a point of reference Red Hat is reporting Q2 fiscal 2015 figures today; Red Hat says it will be updating its guidance as a result of the acquisition).

Uselessd: A Stripped Down Version Of Systemd

Uselessd in its early stages of development is systemd reduced to being a basic init daemon process with “the superfluous stuff cut out”. Among the items removed are removing of journald, libudev, udevd, and superfluous unit types.

uselessd :: information system

Stopped Clock — Making of GNOME 3.14

The release of GNOME 3.14 is slowly approaching, so I stole some time from actual design work and created this little promo to show what goes into a release that probably isn’t immediately obvious (and a large portion of it doesn’t even make it in).

3.14 On Its Way

Often with new releases we focus on the big new features — obvious bits of new UI that do cool stuff. One of the interesting things about this release, though, is that many of the most significant changes are also the most subtle. There’s a lot of polish in 3.14, and it makes a big different to the overall user experience.

Ubuntu MATE will become an official flavor

Martin Wimpress updated the current development status of Ubuntu MATE in the distro’s blog today. In addition to the regular update, he has confirmed that the MATE variant is going to be recognized as an official Ubuntu flavor. Rejoice, MATE lovers!

The MATE desktop environment is a continuation of the GNOME 2 desktop environment for those who don’t like the bells and whistles of GNOME 3 but loved the simplicity and productivity GNOME 2.

The MATE team requested the Ubuntu Technical Board for an official flavor status recently and the board is supportive of the proposal.

You Can Now Run Android Apps on Chrome for Windows, Mac and Linux – OMG! Chrome!

It requires installing a custom version of the Android Runtime extension, called ARChon. This supports both desktop Chrome and Chrome OS, and also allows for an unlimited number of Android APKs packaged by the chromeos-apk tool.

Netflix Works with Ubuntu to Bring Native Playback to All (Updated) – OMG! Ubuntu!

Since this article was published Canonical has confirmed that a version bump to the current nss library is planned to be pushed out with the next ‘security update’. This could arrive on Ubuntu 14.04 LTS within the next two weeks.

This news has pleased Netflix’s Paul Adolph who, in response, says he will _’make a case to lift the user-agent filtering which will make Netflix HTML5 play in Chrome turnkey with no hacks required’ _as soon as the updated package lands.


Do you know of a great pfSense alternative?
  • A Linux alternative to pfSense
  • Something with a competitive UI to pfsense
  • With packages if possible, like squid, smokeping, etc.
  • Does not use iptables.
  • Big bonus if it does use nftables


Hang in our chat room: #jupiterbroadcasting


Find us on Google+

Find us on Twitter

Follow the network on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

Question? Comments? Contact us here!