Security Onion Documentation Release 2.3
Sep 24, 2021

Table of Contents

1 About .... 1
  1.1 Security Onion .... 1
  1.2 Security Onion Solutions, LLC .... 2
  1.3 Documentation .... 2
2 Introduction .... 5
  2.1 Network Security Monitoring .... 7
  2.2 Enterprise Security Monitoring .... 7
  2.3 Analysis Tools .... 8
  2.4 Deployment Scenarios .... 12
  2.5 Conclusion .... 12
3 License .... 13
4 First Time Users .... 15
5 Getting Started .... 39
  5.1 Architecture .... 40
  5.2 Hardware Requirements .... 48
  5.3 Partitioning .... 53
  5.4 Download .... 55
  5.5 VMware .... 55
  5.6 VirtualBox .... 57
  5.7 Booting Issues .... 58
  5.8 Installation .... 58
  5.9 AWS Cloud AMI .... 60
  5.10 Azure Cloud Image .... 66
  5.11 Configuration .... 70
  5.12 Machine Learning .... 71
  5.13 After Installation .... 73
6 Security Onion Console (SOC) .... 75
  6.1 Alerts .... 79
  6.2 Hunt .... 86
  6.3 PCAP .... 94
  6.4 Grid .... 98
  6.5 Downloads .... 98
  6.6 Administration .... 99
  6.7 Kibana .... 99
  6.8 Grafana .... 103
  6.9 CyberChef .... 105
  6.10 Playbook .... 109
  6.11 Fleet .... 114
  6.12 TheHive .... 115
  6.13 ATT&CK Navigator .... 117
7 Analyst VM .... 119
  7.1 NetworkMiner .... 120
  7.2 Wireshark .... 123
8 Network Visibility .... 129
  8.1 AF-PACKET .... 130
  8.2 Stenographer .... 131
  8.3 Suricata .... 133
  8.4 Zeek .... 136
  8.5 Strelka .... 144
9 Host Visibility .... 149
  9.1 osquery .... 149
  9.2 Beats .... 151
  9.3 Wazuh .... 153
  9.4 Syslog .... 156
  9.5 Sysmon .... 156
  9.6 Autoruns .... 158
10 Logs .... 159
  10.1 Ingest .... 159
  10.2 Filebeat .... 161
  10.3 Logstash .... 177
  10.4 Redis .... 182
  10.5 Elasticsearch .... 183
  10.6 ElastAlert .... 190
  10.7 Curator .... 193
  10.8 Data Fields .... 195
  10.9 Alert Data Fields .... 195
  10.10 Elastalert Fields .... 196
  10.11 Zeek Fields .... 197
  10.12 Community ID .... 197
  10.13 Re-Indexing .... 198
11 Updating .... 199
  11.1 soup .... 199
  11.2 Airgap .... 202
  11.3 End Of Life .... 203
12 Accounts .... 205
  12.1 Passwords .... 205
  12.2 Adding Accounts .... 206
  12.3 Listing Accounts .... 207
  12.4 Disabling Accounts .... 208
  12.5 Role-Based Access Control (RBAC) .... 209
13 Services .... 215
14 Customizing for Your Environment .... 217
  14.1 Cortex .... 217
  14.2 Proxy Configuration .... 218
  14.3 Firewall .... 219
  14.4 Email Configuration .... 224
  14.5 NTP .... 225
  14.6 SSH .... 226
  14.7 Changing IP Addresses .... 227
  14.8 Changing Web Access URL .... 227
15 Tuning .... 229
  15.1 Salt .... 229
  15.2 Homenet .... 231
  15.3 BPF .... 232
  15.4 Managing Rules .... 234
  15.5 Adding Local Rules .... 236
  15.6 Managing Alerts .... 237
  15.7 High Performance Tuning .... 245
16 Tricks and Tips .... 247
  16.1 Backups .... 247
  16.2 Docker .... 248
  16.3 DNS Anomaly Detection .... 250
  16.4 ICMP Anomaly Detection .... 251
  16.5 Adding a new disk .... 251
  16.6 PCAPs for Testing .... 252
  16.7 Removing a Node .... 253
  16.8 Syslog Output .... 254
  16.9 UTC and Time Zones .... 255
17 Utilities .... 257
  17.1 jq .... 257
  17.2 so-allow .... 257
  17.3 so-elastic-auth .... 258
  17.4 so-elasticsearch-query .... 259
  17.5 so-import-pcap .... 260
  17.6 so-import-evtx .... 261
  17.7 so-monitor-add .... 261
  17.8 so-test .... 261
  17.9 so-zeek-logs .... 263
18 Help .... 265
  18.1 FAQ .... 265
  18.2 Directory Structure .... 269
  18.3 Tools .... 270
  18.4 Support .... 271
  18.5 Community Support .... 271
  18.6 Help Wanted .... 272
19 Security .... 275
  19.1 Vulnerability Disclosure .... 275
  19.2 Product and Supply Chain Integrity .... 275
20 Appendix .... 277
21 Release Notes .... 281
  21.1 2.3.80 Changes .... 281
  21.2 2.3.70 Hotfix [WAZUH] .... 282
  21.3 2.3.70 Hotfix [GRAFANA_DASH_ALLOW] .... 282
  21.4 2.3.70 Hotfix [CURATOR] .... 282
  21.5 2.3.70 Changes .... 282
  21.6 2.3.61 Hotfix [STENO, MSEARCH] .... 283
  21.7 2.3.61 Changes .... 283
  21.8 2.3.60 Hotfix [ECSFIX, HEAVYNODE, FBPIPELINE, CURATORAUTH] Changes .... 283
  21.9 2.3.60 Changes .... 284
  21.10 2.3.52 Changes .... 285
  21.11 2.3.51 Changes .... 285
  21.12 2.3.50 Changes .... 285
  21.13 2.3.50 Known Issues .... 287
  21.14 2.3.40 Changes .... 287
  21.15 2.3.40 Known Issues .... 288
  21.16 2.3.30 Changes .... 288
  21.17 2.3.30 Known Issues .... 290
  21.18 2.3.21 Changes .... 290
  21.19 2.3.10 Changes .... 292
  21.20 2.3.10 Known Issues .... 294
  21.21 2.3.2 Changes .... 294
  21.22 2.3.1 Changes .... 294
  21.23 2.3.1 Known Issues .... 294
  21.24 2.3.0 Changes ....

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    307 Page
