
Security Onion 2.4 Setup Guide: NSM Platform for Enterprise Network Detection

Introduction to Security Onion

Security Onion is a free and open Network Security Monitoring (NSM) platform that bundles best-of-breed open-source tools into a unified detection and investigation environment. For blue teams without budget for expensive commercial NDR solutions, Security Onion provides enterprise-grade capabilities at zero licensing cost.

The platform integrates Suricata (IDS/IPS), Zeek (network analysis), Elastic Stack (log storage and visualization), and various forensics and investigation tools through a single management interface. At PostEx, we deployed Security Onion to provide visibility into network traffic that our host-based Wazuh agents could not capture.

Architecture Options

  • Standalone - All components on one server. Good for labs and small organizations up to ~5Gbps.
  • Distributed - Manager node plus sensor nodes for large environments and high throughput.
  • Eval Mode - Minimal install for testing and lab environments.

Hardware Requirements (Production)

# Minimum for 1Gbps network monitoring
CPU: 8 cores (16 recommended)
RAM: 16GB minimum (32GB recommended)
Storage: 1TB+ for log retention (SSD for hot storage)
Network: 2 NICs (management + monitoring/span port)
OS: Ubuntu 22.04 LTS or CentOS Stream 9

Installation

# Download Security Onion ISO
wget https://github.com/Security-Onion-Solutions/securityonion/releases/download/2.4.60/securityonion-2.4.60.iso

# After OS install, run setup wizard:
sudo so-setup
# Select: Standalone (or Eval for lab)
# Configure management NIC
# Configure monitoring interface (connected to SPAN port)
# Set admin credentials

Suricata IDS Configuration

# /etc/suricata/suricata.yaml key settings
af-packet:
  - interface: eth1  # Your monitoring interface
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

# Rule sources (so-rule manages these)
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules

# Threat Intel integration
threat-intel:
  - type: url
    url: https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz

Writing Custom Suricata Rules

# Suricata rules that span several lines need a trailing backslash on every line but the last.

# Detect Mimikatz via LSASS network connection
alert tcp any any -> $HOME_NET 445 ( \
  msg:"ET POLICY Possible Mimikatz SMB Activity"; \
  flow:established,to_server; \
  content:"|60 48 81 ec|"; \
  threshold:type limit, track by_src, seconds 60, count 1; \
  classtype:credential-theft; \
  sid:9000001; \
  rev:1; \
)

# Detect DNS tunneling - high query volume (alerts once a source reaches 100 queries in 60 s)
alert dns any any -> any 53 ( \
  msg:"HUNTING DNS Tunneling - High Query Rate"; \
  threshold:type threshold, track by_src, count 100, seconds 60; \
  classtype:policy-violation; \
  sid:9000010; \
  rev:1; \
)

Zeek Network Analysis

Zeek provides rich protocol-level analysis that Suricata cannot match. Key Zeek logs for SOC operations:

  • conn.log - All network connections with duration, bytes, state
  • dns.log - DNS queries and responses for C2 and tunneling detection
  • http.log - HTTP transactions for web threat detection
  • ssl.log - TLS metadata including JA3 fingerprints for encrypted C2 detection
  • x509.log - Certificate details for suspicious certificate detection

# Kibana query for JA3 fingerprint hunting
# Known bad JA3: 51c64c77e60f3980eea90869b68c58a8 (Cobalt Strike)
event.dataset:zeek.ssl AND ssl.ja3:51c64c77e60f3980eea90869b68c58a8
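As an added example (not part of this guide or of Security Onion itself), the script below runs the two hunts described above over raw Zeek JSON logs: the per-source DNS query-rate threshold that the Suricata rule uses (100 queries in 60 seconds) against dns.log, and the JA3 watchlist match against ssl.log. The log lines are constructed for the example; the JA3 hash is the one quoted above and its label is assumed from the guide.

```python
import json
from collections import defaultdict, deque

# JA3 hash taken from the guide above; the label is assumed. Extend with your own intel.
JA3_WATCHLIST = {"51c64c77e60f3980eea90869b68c58a8": "Cobalt Strike (per guide)"}


def dns_rate_alerts(lines, count=100, seconds=60):
    """Flag sources issuing `count` DNS queries inside any `seconds` window, mirroring
    'threshold:type threshold, track by_src, count 100, seconds 60'. Expects raw Zeek
    JSON dns.log lines in time order (ts = epoch seconds). Returns {src: first_alert_ts}."""
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = json.loads(line)
        src, ts = rec["id.orig_h"], float(rec["ts"])
        win = windows[src]
        win.append(ts)
        while ts - win[0] >= seconds:  # evict queries that fell out of the sliding window
            win.popleft()
        if len(win) >= count and src not in alerts:
            alerts[src] = ts
    return alerts


def ja3_hits(lines, watchlist=JA3_WATCHLIST):
    """Return (orig_h, resp_h, server_name, label) for ssl.log rows whose JA3 is watchlisted."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        label = watchlist.get(rec.get("ja3"))
        if label:
            hits.append((rec["id.orig_h"], rec["id.resp_h"], rec.get("server_name"), label))
    return hits


def sample_dns_log():
    """Constructed dns.log: 10.1.2.3 sends 120 long-label queries in 30 s; 10.1.2.9 sends 5 in 5 min."""
    base = 1700000000.0
    recs = [{"ts": base + i * 0.25, "id.orig_h": "10.1.2.3", "id.resp_h": "10.1.0.53",
             "query": f"{i:032x}.t.example"} for i in range(120)]
    recs += [{"ts": base + i * 60.0, "id.orig_h": "10.1.2.9", "id.resp_h": "10.1.0.53",
              "query": "www.example.com"} for i in range(5)]
    return [json.dumps(r) for r in sorted(recs, key=lambda r: r["ts"])]


def sample_ssl_log():
    """Constructed ssl.log: one session with the watchlisted JA3, one with a dummy benign JA3."""
    return [json.dumps({"ts": 1700000100.0, "id.orig_h": "10.1.2.3", "id.resp_h": "203.0.113.10",
                        "server_name": "cdn.example", "ja3": "51c64c77e60f3980eea90869b68c58a8"}),
            json.dumps({"ts": 1700000101.0, "id.orig_h": "10.1.2.9", "id.resp_h": "198.51.100.7",
                        "server_name": "www.example.com", "ja3": "0" * 32})]
```

Point `dns_rate_alerts` and `ja3_hits` at the JSON logs under Zeek's log directory on a sensor to run the same hunts over real traffic.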

SOC Dashboards in Security Onion

[Screenshot: Security Onion Analyst dashboard showing alert timeline, connection map, and Suricata category breakdown]

Security Onion ships with pre-built dashboards for: Alerts overview, Network connections, DNS analysis, HTTP analysis, TLS/SSL analysis, and File extraction. We customized the alerts dashboard to highlight MITRE ATT&CK tactic distribution and top alerting hosts.