Security Onion 2.4: open source distribution for NSM, SIEM and DFIR

Security Onion is a Linux distribution created by Doug Burks in 2008 for Network Security Monitoring, SIEM and DFIR. Version 2.4 was released on 9 October 2023 with Elastic Stack 8. It integrates Suricata, Zeek, Wazuh, TheHive, CyberChef and Kibana.


Origins

Security Onion was started in 2008 by Doug Burks as a Linux distribution dedicated to Network Security Monitoring (NSM). The idea is to bundle into a single installer the reference open source tools for network sensors, forensic analysis and incident response.

The project quickly became a de facto standard in SANS courses and threat hunting exercises. In 2014 Security Onion Solutions, LLC was founded, a US company offering training, pre-configured hardware and commercial support, while keeping the distribution fully open source.

On 9 October 2023 Security Onion 2.4 was released, based on Elastic Stack 8 and with a refactored grid installer.

Included components

Security Onion bundles, into a single distribution, tools that are maintained by separate upstream projects:

  • Suricata — IDS/IPS with Emerging Threats rules
  • Zeek — event-driven Network Security Monitor
  • Stenographer — full packet capture
  • Wazuh — HIDS with distributed agents
  • Elastic Stack — Elasticsearch, Logstash, Kibana
  • TheHive / Cortex — case management and observables
  • CyberChef — data transformations for analysts
  • Playbook — detection engineering with Sigma rules
  • Strelka — file analysis and scanning

Grid architecture

Security Onion 2.4 offers three deployment modes:

  • Evaluation — everything on one node, for testing and labs
  • Standalone — sensor and manager on a single host, for small perimeters
  • Distributed — grid with separated nodes (manager, search, storage, heavy sensor, forward node) for production

The so-setup installer handles orchestration via Salt, with roles assignable to nodes.

Licences

The distribution mixes components with different licences:

  • Suricata, Zeek — BSD / GPLv2
  • Wazuh — GPLv2
  • TheHive, Cortex — AGPLv3
  • Elastic Stack — Elastic License 2.0 + SSPL (not OSI-approved)
  • CyberChef — Apache 2.0
  • SO scripts and tooling — Apache 2.0 and related licences

The use of Elastic components needs review in scenarios that strictly require OSI-approved licences.

Use cases

  • SOCs and threat hunting teams — retrospective search on pcap, Zeek logs and Suricata alerts
  • CERTs and incident response — triage, timeline, observable management
  • Teaching and training — university labs, SANS, CTF exercises
  • Red team / blue team — drills with real telemetry

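The first use case above (retrospective search on Zeek logs and Suricata alerts) is, in practice, a join between two of the component feeds listed earlier: Suricata's EVE JSON alerts and Zeek's conn.log. The following is an added example, not Security Onion's own code, showing that join in plain Python so the mechanics are visible without Elasticsearch. It uses the real field names of both formats (Security Onion ships Zeek logs as JSON), but every record below is constructed, the signature IDs sit in the local-rule range and are not real rule IDs, and the 5-second slack and the reversed-tuple retry are design choices of this example rather than anything the distribution does.

```python
"""Correlate Suricata EVE alerts with Zeek conn.log flows by 5-tuple and time.

Added example (not part of Security Onion). Field names follow the EVE JSON
and Zeek JSON formats; all sample records are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed Suricata eve.json lines (subset of fields). Signature IDs are
# in the local-rule range (>= 1000000) and do not refer to real rules.
EVE_LINES = [
    json.dumps({"timestamp": "2023-10-09T12:00:05.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "203.0.113.7",
                "dest_port": 443, "proto": "TCP",
                "alert": {"signature_id": 9000001, "signature": "CONSTRUCTED outbound to watchlisted host",
                          "severity": 2}}),
    json.dumps({"timestamp": "2023-10-09T12:00:06.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.9", "src_port": 40000, "dest_ip": "10.0.0.1",
                "dest_port": 53, "proto": "UDP"}),
    json.dumps({"timestamp": "2023-10-09T12:30:00.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.8", "src_port": 60000, "dest_ip": "198.51.100.2",
                "dest_port": 22, "proto": "TCP",
                "alert": {"signature_id": 9000002, "signature": "CONSTRUCTED ssh probe", "severity": 3}}),
]

# Constructed Zeek conn.log lines in JSON form. ts is epoch seconds (UTC);
# 1696852800.5 is 2023-10-09T12:00:00.5Z.
ZEEK_CONN_LINES = [
    json.dumps({"ts": 1696852800.5, "uid": "CAbc12Def", "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
                "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp", "duration": 12.3,
                "orig_bytes": 1200, "resp_bytes": 98000, "conn_state": "SF"}),
    json.dumps({"ts": 1696852806.0, "uid": "CXyz34Ghi", "id.orig_h": "10.0.0.9", "id.orig_p": 40000,
                "id.resp_h": "10.0.0.1", "id.resp_p": 53, "proto": "udp", "duration": 0.02,
                "orig_bytes": 60, "resp_bytes": 120, "conn_state": "SF"}),
]


def parse_eve_alerts(lines):
    """Keep only event_type == 'alert' records, with aware UTC timestamps and a 5-tuple key."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http, ... records are not alerts
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append({
            "ts": ts,
            "key": (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"], rec["proto"].lower()),
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "severity": rec["alert"]["severity"],
        })
    return alerts


def parse_zeek_conn(lines):
    """Parse Zeek conn.log JSON into flows with a start/end window and the same 5-tuple key."""
    conns = []
    for line in lines:
        rec = json.loads(line)
        start = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        conns.append({
            "uid": rec["uid"],
            "start": start,
            "end": start + timedelta(seconds=rec.get("duration", 0.0)),
            "key": (rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"], rec["proto"].lower()),
            "orig_bytes": rec.get("orig_bytes", 0),
            "resp_bytes": rec.get("resp_bytes", 0),
            "conn_state": rec.get("conn_state"),
        })
    return conns


def correlate(alerts, conns, slack=timedelta(seconds=5)):
    """Match each alert to Zeek flows with the same 5-tuple whose lifetime covers the alert.

    Suricata reports src/dest of the packet that fired the rule, so a rule matching on
    the response has the tuple reversed relative to Zeek's orig/resp; both orientations
    are tried. Returns (matched, orphaned): matched is a list of (alert, conn) pairs,
    orphaned holds alerts with no flow context (e.g. the flow was missed or rolled over).
    """
    by_key = {}
    for c in conns:
        by_key.setdefault(c["key"], []).append(c)
    matched, orphaned = [], []
    for a in alerts:
        s_ip, s_port, d_ip, d_port, proto = a["key"]
        candidates = by_key.get(a["key"], []) + by_key.get((d_ip, d_port, s_ip, s_port, proto), [])
        hits = [c for c in candidates if c["start"] - slack <= a["ts"] <= c["end"] + slack]
        if hits:
            matched.extend((a, c) for c in hits)
        else:
            orphaned.append(a)
    return matched, orphaned


def enrich(matched):
    """Flatten matched pairs into the fields an analyst pivots on (rule, Zeek uid, volumes)."""
    return [{"sid": a["sid"], "signature": a["signature"], "severity": a["severity"],
             "uid": c["uid"], "conn_state": c["conn_state"],
             "bytes_out": c["orig_bytes"], "bytes_in": c["resp_bytes"]} for a, c in matched]


if __name__ == "__main__":
    matched, orphaned = correlate(parse_eve_alerts(EVE_LINES), parse_zeek_conn(ZEEK_CONN_LINES))
    for row in enrich(matched):
        print(row)
    for a in orphaned:
        print("no flow context for sid", a["sid"], a["signature"])
```

The Zeek uid is the pivot that matters: once an alert is tied to a uid, the same identifier appears in Zeek's protocol logs and can be used to pull the matching pcap from the full packet capture, which is the retrospective workflow the use case describes. Alerts left in the orphaned list are worth a second look on their own, since a detection with no corresponding flow usually means a capture gap rather than a benign event.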
In the Italian context

Security Onion is widespread in universities, research centres, regional CERTs and internal SOCs of mid-to-large organisations. It is often the reference environment for training L1/L2 analysts and for practical exercises on detection and incident response, thanks to the amount of data produced on a single lab host.


References: Security Onion 2.4 (9 October 2023). Created by Doug Burks in 2008. Company: Security Onion Solutions, LLC (USA). Components: Suricata, Zeek, Stenographer, Wazuh, Elastic Stack, TheHive, Cortex, CyberChef, Strelka. Mixed licences: BSD, GPL, Apache, Elastic License. Website: https://securityonionsolutions.com
