Security Onion

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

Core Components
Logstash – Parse and format logs.
Elasticsearch – Ingest and index logs.
Kibana – Visualize ingested log data.

Auxiliary Components
Curator – Manage indices through scheduled maintenance.
ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

Changelog v2.3.80
FEATURE: Ability to disable Zeek, Suricata #4429
FEATURE: Add docs link to Setup #5459
FEATURE: Add evtx support in Import Node #2206
FEATURE: Consolidate whiptail screens when selecting optional components #5456
FEATURE: Distinguish between Zeek generated syslog and normal syslog in hunt for event fields #5403
FEATURE: Enable index sorting to increase search speed #5287
FEATURE: Expose options for elasticsearch.yml via Salt pillar #1257
FEATURE: Role-based access control (RBAC) #5614
FEATURE: soup -y for automation #5043
FIX: Add new default filebeat module indices to the global pillar. #5526
FIX: all.rules file can become empty on non-airgap deployments if manager does not have access to the internet. #3619
FIX: Curator cron should run less often #5189
FIX: Improve unit test maintainability by refactoring to use Golang assertion library #5604
FIX: Invalid password message should also mention dollar signs are not allowed #5381
FIX: Max files for steno should use a pillar value for easy tuning. #5393
FIX: Remove raid check for official cloud appliances #5449
FIX: Remove watermark settings from global pillar. #5520
FIX: SOC Username case sensitivity #5154
FIX: so-user tool should validate password before adding user to SOC #5606
FIX: Switch to new Curator auth params #5273
UPGRADE: Curator to 5.8.4 #5272
UPGRADE: CyberChef to 9.32.2 #5158
UPGRADE: SOC UI 3rd Party dependencies to latest versions #5603
UPGRADE: Zeek to 4.0.4 #5630
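The FreqServer entry above says what the component does (flag DGA domains and other random-looking names) but not how. The block below is an added illustration, written for this page and not FreqServer's or Security Onion's own code, of the character-pair frequency idea the tool's name refers to (that it works this way is my assumption from the name, not something the post states): it trains a bigram model on a small constructed list of benign labels, scores a candidate by the mean smoothed log-probability of its adjacent character pairs, and flags labels that score below a threshold. The corpus, the -3.5 threshold, the minimum label length, and all function and class names are assumptions chosen for the example; a real deployment would train on a large sample of its own known-good hostnames and tune the threshold against observed false positives.

```python
"""Character-bigram frequency scoring for random-looking names (added example)."""
import math
from collections import Counter

# Alphabet for DNS labels (lower-case letters, digits, hyphen); anything else is dropped.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"

# Constructed training corpus of benign-looking labels (assumption, not real telemetry).
BENIGN_LABELS = [
    "google", "microsoft", "amazon", "facebook", "wikipedia", "twitter",
    "youtube", "linkedin", "github", "cloudflare", "apple", "netflix",
    "securityonion", "elasticsearch", "logstash", "kibana", "suricata",
    "zeek", "update", "mail", "login", "account", "service", "windows",
    "office", "download", "static", "images", "content", "support", "example",
]


def normalize(label: str) -> str:
    """Lower-case the label and keep only characters in ALPHABET."""
    return "".join(c for c in label.lower() if c in ALPHABET)


class BigramFrequencyModel:
    """Scores a string by how typical its adjacent character pairs are."""

    def __init__(self, labels, alpha: float = 0.5):
        self.alpha = alpha            # additive smoothing so unseen pairs stay finite
        self.pair_counts = Counter()  # (a, b) -> how often b followed a in training
        self.lead_counts = Counter()  # a -> how often a was the first char of a pair
        for label in labels:
            self.add(label)

    def add(self, label: str) -> None:
        label = normalize(label)
        for a, b in zip(label, label[1:]):
            self.pair_counts[(a, b)] += 1
            self.lead_counts[a] += 1

    def log_prob_pair(self, a: str, b: str) -> float:
        """Smoothed log P(b | a); a pair never seen in training gets a small probability."""
        num = self.pair_counts[(a, b)] + self.alpha
        den = self.lead_counts[a] + self.alpha * len(ALPHABET)
        return math.log(num / den)

    def score(self, label: str):
        """Mean per-pair log-probability; higher means more 'normal'. None if under 2 chars."""
        label = normalize(label)
        if len(label) < 2:
            return None
        pairs = list(zip(label, label[1:]))
        return sum(self.log_prob_pair(a, b) for a, b in pairs) / len(pairs)

    def is_random(self, label: str, threshold: float = -3.5) -> bool:
        """Flag labels whose mean log-probability falls below the (assumed) threshold."""
        s = self.score(label)
        return s is not None and s < threshold


MODEL = BigramFrequencyModel(BENIGN_LABELS)


def suspicious_labels(fqdn: str, model: BigramFrequencyModel = MODEL, min_len: int = 6):
    """Return the labels of fqdn that look random; short labels (www, TLDs) are skipped."""
    return [lab for lab in fqdn.split(".") if len(lab) >= min_len and model.is_random(lab)]


if __name__ == "__main__":
    # Constructed sample query names, as a DNS log might carry them.
    for q in ["www.google.com", "update.microsoft.com",
              "xq7zkvpw9j.example.net", "a1b2c3d4e5f6.info"]:
        scores = [round(MODEL.score(lab), 2) for lab in q.split(".") if len(lab) > 1]
        print(f"{q:28} per-label scores={scores} flagged={suspicious_labels(q)}")
```

Because every pair of a truly random string is unseen, its score sits near log(alpha / (lead_count + alpha * len(ALPHABET))), while dictionary-like labels score noticeably higher; the gap is what the threshold exploits. The same scorer applies unchanged to file names, process names or certificate subjects, which is why a single frequency service can back all the use cases the entry lists.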