Security Onion
Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro (now Zeek), OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
The following summarizes the current architecture and deployment components for Security Onion on the Elastic Stack.
Core Components
Logstash – Parse and format logs.
Elasticsearch – Ingest and index logs.
Kibana – Visualize ingested log data.
Auxiliary Components
Curator – Manage indices through scheduled maintenance.
ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.
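To make the FreqServer idea concrete, here is an added example (my own illustration, not FreqServer's or Security Onion's code) of character-pair frequency scoring: a table of how often each character follows another is trained on a constructed sample of "normal" names, and a candidate string is scored by the average conditional probability of its adjacent character pairs. Random-looking DGA labels contain pairs that never occur in normal names and therefore score near zero. The training words, the query list, the threshold of 5 and the helper names (FreqTable, suspicious_queries) are all assumptions made for this example; a real deployment trains on a large corpus of legitimate hostnames, process names, certificate subjects and the like.

```python
"""Character-pair frequency scoring, in the spirit of FreqServer (added example)."""
import string
from collections import defaultdict

ALPHABET = string.ascii_lowercase + string.digits

# Constructed training sample of normal-looking names (assumption: a real
# table is trained on a large corpus, not a few dozen words).
NORMAL_NAMES = [
    "google", "microsoft", "windows", "update", "service", "explorer",
    "mail", "login", "account", "download", "cloud", "storage", "search",
    "static", "content", "images", "secure", "office", "support", "portal",
    "desktop", "printer", "server", "workstation", "network", "internet",
    "chrome", "firefox", "outlook", "teams", "sharepoint", "amazon", "apple",
]


class FreqTable:
    """Counts how often character b follows character a in trained text."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))  # counts[a][b]
        self.totals = defaultdict(int)                       # totals[a]

    @staticmethod
    def _chars(text):
        # Normalize: lower-case, keep only letters and digits (hyphens, dots dropped)
        return [c for c in text.lower() if c in ALPHABET]

    def train(self, names):
        for name in names:
            chars = self._chars(name)
            for a, b in zip(chars, chars[1:]):
                self.counts[a][b] += 1
                self.totals[a] += 1

    def pair_prob(self, a, b):
        # P(b | a); pairs never seen in training score 0, which is the signal
        if self.totals[a] == 0:
            return 0.0
        return self.counts[a][b] / self.totals[a]

    def score(self, text):
        """Average pair probability scaled to 0..100; higher means more 'normal'."""
        chars = self._chars(text)
        if len(chars) < 2:
            return 0.0
        pairs = list(zip(chars, chars[1:]))
        avg = sum(self.pair_prob(a, b) for a, b in pairs) / len(pairs)
        return round(avg * 100, 2)


def suspicious_queries(queries, table, threshold=5.0):
    """Return (query, score) for DNS names whose leftmost label scores below threshold.

    The leftmost label is scored because that is the part a DGA typically randomizes.
    """
    flagged = []
    for q in queries:
        label = q.split(".")[0]
        s = table.score(label)
        if s < threshold:
            flagged.append((q, s))
    return flagged


def build_table():
    table = FreqTable()
    table.train(NORMAL_NAMES)
    return table


if __name__ == "__main__":
    t = build_table()
    # Constructed queries standing in for Zeek dns.log query values
    sample = [
        "mail.example.com",
        "login-portal.example.com",
        "xkq3z9vwp.example.com",
        "a7f2k9qz3m.example.com",
    ]
    for q in sample:
        print(f"{q:30} score={t.score(q.split('.')[0]):6.2f}")
    print("flagged:", suspicious_queries(sample, t))
```

The threshold is deliberately a parameter: what counts as "random" depends on the corpus the table was trained on, so tune it against known-good data before alerting on it.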
Changelog v2.3.80
FEATURE: Ability to disable Zeek, Suricata #4429
FEATURE: Add docs link to Setup #5459
FEATURE: Add evtx support in Import Node #2206
FEATURE: Consolidate whiptail screens when selecting optional components #5456
FEATURE: Distinguish between Zeek generated syslog and normal syslog in hunt for event fields #5403
FEATURE: Enable index sorting to increase search speed #5287
FEATURE: Expose options for elasticsearch.yml via Salt pillar #1257
FEATURE: Role-based access control (RBAC) #5614
FEATURE: soup -y for automation #5043
FIX: Add new default filebeat module indices to the global pillar. #5526
FIX: all.rules file can become empty on non-airgap deployments if manager does not have access to the internet. #3619
FIX: Curator cron should run less often #5189
FIX: Improve unit test maintainability by refactoring to use Golang assertion library #5604
FIX: Invalid password message should also mention dollar signs are not allowed #5381
FIX: Max files for steno should use a pillar value for easy tuning. #5393
FIX: Remove raid check for official cloud appliances #5449
FIX: Remove watermark settings from global pillar. #5520
FIX: SOC Username case sensitivity #5154
FIX: so-user tool should validate password before adding user to SOC #5606
FIX: Switch to new Curator auth params #5273
UPGRADE: Curator to 5.8.4 #5272
UPGRADE: CyberChef to 9.32.2 #5158
UPGRADE: SOC UI 3rd Party dependencies to latest versions #5603
UPGRADE: Zeek to 4.0.4 #5630