What is Security Onion ?

What is Security Onion ?​

Security Onion is a free and open source alternative to expensive enterprise security solutions!

Security Onion can be described as a Network Security Monitoring (NSM) platform that “provides context, intelligence and situational awareness of your network.”
  • It is an open source intrusion detection system (IDS)
  • plus, Enterprise Security monitoring
  • Plus, Log management solution
  • all-in-one package.
With its witty slogan, "Peel back the layers of security in your enterprise," it offers full packet capture, both network-based and host-based intrusion detection systems (NIDS and HIDS, respectively), but also includes powerful indexing, search, visualization and analysis tools to make sense of those mountains of data.

It is a Linux distro that is based on Ubuntu and contains a wide spectrum of security tools. It is so named because these tools are built as layers to provide defensive technologies in the form of a variety of analytical tools. When you install Security Onion, you are effectively building a defensive threat-hunting platform.

These layers can be packaged into three broad areas:

Layer 1. Full Packet Capture

It offers the tools like netsniff-ng, which is used to capture a record of the network traffic as picked up by the Security Onion sensors.

Layer 2. Network-Based and Host-Based Intrusion Detection Systems (NIDS and HIDS)

HIDS: The host agent in the HIDS offering of Security Onion is Wazuh; the agent of which is installed to endpoints on a network. Wazuh performs a number of activities including log analysis, file integrity checking, rootkit detection and real-time alerts.

It also has OSSEC to perform HIDS. OSSEC is a host intruder detection system, the technical characteristics of this tool are : Rootkits Detection, Active response and notification in real time, System architecture based on a centralized service hosted by a server and several agents installed in the devices that need to be monitored, Files verification system.

NIDS method 1: Rules-driven, using Snort or Suricata. They work by identifying fingerprints that are matched to known anomalies and malicious traffic

NIDS method 2: Analysis-driven. Uses Zeek (Previously known as Bro) as a file analysis framework to monitor and analyze events. The output logs cover various aspects of a network including SSL certificates, DNS requests, syslog activity and more. Bro also checks common protocols such as MD5 for file downloads and checks them against a malware registry, the Team Cymru Malware Hash Registry. This registry checks a computed MD5 or SHA-1 hash of a specific file against a registry of known malware signatures

Layer 3. Analysis Tools

The data captured using the NIDS and HIDS tools can be analyzed by many analysis tools:

Sguil: This is a console that provides visibility of the captured data. The GUI pulls together the data from Snort, Suricata and Wazuh. It provides important context for an alert to give you more details that you can use to analyze it. It also has collaboration features, so you can work with team members on problems

Squert: An add-on Web interface for Squil. It adds extensions to Squil visualizations, including time series representations and logical grouping of data. It also integrates with Capme

Full ELK Stack: From the folks at Elastic. This set of tools pulls the logs and event data together (including syslog events) into a single pane

Capme: Allows you to view PCAP transcripts and download full PCAP files

Well, There are many more tools in Security Onion. For example:

NetworkMiner: Network Forensic Analysis Tool (NFAT). Useful for detecting things like openports. It can also be used to parse PCAP files for off-line analysis
Wireshark: Network protocol analyzer
And so on…

Security Onion is much more of an enterprise analysis tool. It gives you an inside view of what is going on across your network. A security professional who understands how to interpret event analysis could gain benefit from Security Onion. If you use the Security Onion outputs with your enterprise SIEM system, you would have a useful view of network security events. Recently it has got a new Alert Interface too.

Is Security Onion For You?

By the admission of the developers of Security Onion, it is not a universal panacea for security. Administrators need to work with the system to get the most out of it; professionals working in security will need the experience and knowledge to fully analyze alerts and take action based on this information.

Q1. Does Security Onion do exactly what you want it to do?
Probably not.

Q2. Will you have to tweak it to fit your enterprise?
Probably yes.

Q3. Will you need skilled security people to run it?
Definitely yes.

Security Onion is looking more and more polished with every year that passes, and it may be worth considering if you've got a deep enough security bench to customize, deploy and maintain Security Onion for your enterprise.

Guys, what do you think of think about Security Onion?

Kindly leave me your thoughts in the comment section.