Up & Running With Security Onion – PSW #713

There are many options to choose from when setting up The Security Onion. The use cases are vast, including a NIDS (Zeek, Suricata), HIDS (Beats, Wazuh, osquery) and standalone instances for a SOC workstation and static analysis. I really like SO as a platform to collect all kinds of data from the network and from your systems (some even use the word XDR). Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

Up & Running With Security Onion

I am using the open-source version of The Security Onion, on my own hardware and VMs for monitoring the systems in our studio. It’s a mix of Windows, Linux, and Mac. I use this platform for threat hunting and security investigations.

Deployment – First, decide whether or not you are going to run it in the cloud or locally. If you run it locally, decide if you will use VMs, physical hardware, or a combination of the two. Also, decide where to place the sensors and the log collectors and which systems you want to monitor. For me, I have one sensor on a network span port (a physical system) and a VM.

Pay Attention To Requirements – I had to upgrade the storage of my sensor. I’m using a Qotom system and it required a new mSata drive. You will need at least 12GB of RAM, 4 Cores, and 200GB of storage (https://docs.securityonion.net/en/2.3/hardware.html). If you don’t have enough storage SO will not install.

Understand The Modes – Evaluation and Standalone puts everything all on one system, great for testing, but I find this is sorta waste of time. This is a great, free, project for all and you should really just be deploying it. So put your big boy pants on and jump right to a distributed deployment. Distributed deployments have Forwarding Notes, Managers, and Search Nodes. I run one Forwarding node and one Manager + Search Node system. Spend some time with the architecture (https://docs.securityonion.net/en/2.3/architecture.html) first to really understand it as there are a few more options than previous versions.

Installation – You can install SO directly using their ISO image (based on Centos), or directly on Centos or Ubuntu 18.04 (Yes, 18.04). I highly recommend using the SO ISO installer.

Commands – From the command line so-status will give you a breakdown of the running processes. so-allow is a command you will have to run in order to allow your local systems and networks to access the SO processes. Use so-user-add to add new users.

Tools – There are so many things to implement now! I’ll start with the easy ones, like Grafana, which is a nice interface that monitors the health of your SO systems. You also get FleetDM, which allows you to manage osquery. We are installing osquery on all the systems here in the studio to start, very handy to query all of your systems. Kibana is your console for security events. There are even some nice tools built into SO itself, one for alerts and once for hunting.


Josh Marpet

Josh Marpet – Executive Director at RM-ISAO


Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Lee Neely

Lee Neely – Senior Cyber Analyst at Lawrence Livermore National Laboratory


Lee Neely is a senior IT and security professional at Lawrence Livermore National Laboratory (LLNL) with over 25 years of experience. He has been involved in many aspects of IT from system integration and quality testing to system and security architecture since 1986. He has had extensive experience with a wide variety of technology and applications from point implementations to enterprise solutions. Lee has worked with securing information systems since he installed his first firewall in 1989.

Paul Asadoorian

Paul Asadoorian – Founder at Security Weekly


Paul Asadoorian is the founder of Security Weekly, which was acquired by CyberRisk Alliance. Paul spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.

Tyler Robinson

Tyler Robinson – Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element


As the Managing Director of Offensive Security & Research at Trimarc, Tyler leads a team of high-performance security professionals within the offensive security field by simulating sophisticated adversaries and creating scalable offensive security platforms using the latest techniques as seen in the wild. With over 2 decades of experience, Tyler specializes in Red Teaming, APT threat modeling, blackbox network penetration testing, and Physical/Social-Engineering. Tyler has presented at multiple conferences including BSides, DefCon and Blackhat panels, SANS security events and to multiple branches of the military.


  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!