Security Onion

Thursday, August 7, 2025

Registration Now Open for Augusta Cyber Week 2025!

Registration is now open for Augusta Cyber Week in beautiful Augusta GA from October 20, 2025 through October 25, 2025! This includes:

4-day Security Onion training
Security Onion Conference (SOCAugusta)
BSidesAugusta

These are separate events, but if you sign up for the 4-day training class, then you get a FREE non-transferable ticket to both Security Onion Conference and BSidesAugusta!

Even if you can't make the training class, you won't want to miss Security Onion Conference!

4-day Security Onion training:
https://bsidesaugusta.org/training/#so

Security Onion Conference:
https://securityonion.com/conference

BSidesAugusta:
https://bsidesaugusta.org/

Hope to see you there!

Thursday, July 17, 2025

Quick Malware Analysis: KOI LOADER/KOI STEALER INFECTION pcap from 2025-07-08

Thanks to Brad Duncan for sharing this pcap from 2025-07-08 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.

We did a quick analysis of this pcap using Security Onion 2.4.160:

https://blog.securityonion.net/2025/06/security-onion-24160-now-available.html

If you'd like to follow along, you can do the following:

install Security Onion 2.4.160 in a VM:
https://docs.securityonion.net/en/2.4/first-time-users.html
import the pcap using the SOC Grid interface:
https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner
optionally enable the DNS lookups feature:
https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups
if you are a Security Onion Pro customer, set up our MCP server:
https://docs.securityonion.net/en/2.4/mcp.html

The screenshots at the bottom of this post show some of the interesting alerts and their associated AI Summaries and Guided Analysis. At the end, we use the new MCP server (available to Security Onion Pro customers) to ask a few questions and get some nicely formatted reports back.

Keep in mind that this is not some contrived demo, we simply downloaded a recent malware PCAP from Brad Duncan's site and imported it into Security Onion. Also keep in mind that this was just a PCAP and so there was no endpoint data. Had there been endpoint data, the results would have been even more in-depth.

Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net

Screenshots

Let's start with an overview of all logs generated by Security Onion:

Now let's look at just the alerts:

We can switch the view to Ungroup to see a little more detail:

Next, let's drill into the first alert ("ET MALWARE Win32/Koi Stealer CnC Checkin (GET)"), review the AI Summary on the right, and then start going through its Guided Analysis questions:

Now let's drill into the second alert ("ET ATTACK_RESPONSE Koi Loader/Stealer CnC Config Inbound"), review the AI Summary on the right, and then start going through its Guided Analysis questions:

Now let's drill into the third alert ("ET INFO Windows Powershell User-Agent Usage"), review the AI Summary on the right, and then start going through its Guided Analysis questions:

If you're a Security Onion Pro customer, then you can set up our MCP Server (https://docs.securityonion.net/en/2.4/mcp.html) and then start asking questions and getting nicely formatted reports. For example, we can ask to investigate all alerts for July 8:

Finally, we can ask to investigate all HTTP traffic for July 8:

Tuesday, July 8, 2025

Quick Malware Analysis: NETSUPPORT RAT pcap from 2025-06-18

Thanks to Brad Duncan for sharing this pcap from 2025-06-18 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.

We did a quick analysis of this pcap using Security Onion 2.4.160:

https://blog.securityonion.net/2025/06/security-onion-24160-now-available.html

If you'd like to follow along, you can do the following:

install Security Onion 2.4.160 in a VM:
https://docs.securityonion.net/en/2.4/first-time-users.html
import the pcap using the SOC Grid interface:
https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner
optionally enable the DNS lookups feature:
https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, their associated AI Summaries, and the new Guided Analysis feature. Keep in mind that this is not some contrived demo, we simply downloaded a recent malware PCAP from Brad Duncan's site and imported it into Security Onion. Also keep in mind that this was just a PCAP and so there was no endpoint data. Had there been endpoint data, the Guided Analysis results would have been even more in-depth.

Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Screenshots

Let's start with an overview of all alerts:

Now let's drill into the first alert, review its AI Summary on the right, and then drill into the Guided Analysis questions:

Now let's drill into the next alert, review its AI Summary on the right, and then drill into the Guided Analysis questions:

Monday, July 7, 2025

Thanks to our Customers and Community for 11 Years!

We recently celebrated 16 years of the Security Onion project and today we celebrate 11 years of Security Onion Solutions as a company! Thanks to our customers and community for your support throughout the years! We've come a long way, but the best is yet to come!

Monday, June 30, 2025

Quick Malware Analysis: Lumma Stealer pcap from 2025-06-26

Thanks to Brad Duncan for sharing this pcap from 2025-06-26 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.

We did a quick analysis of this pcap using Security Onion 2.4.160:

https://blog.securityonion.net/2025/06/security-onion-24160-now-available.html

If you'd like to follow along, you can do the following:

install Security Onion 2.4.160 in a VM:
https://docs.securityonion.net/en/2.4/first-time-users.html
import the pcap using the SOC Grid interface:
https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner
optionally enable the DNS lookups feature:
https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, their associated AI Summaries, and the new Guided Analysis feature. Keep in mind that this is not some contrived demo, we simply downloaded the latest Lumma malware PCAP from Brad Duncan's site and imported it into Security Onion. Also keep in mind that this was just a PCAP and so there was no endpoint data. Had there been endpoint data, the Guided Analysis results would have been even more in-depth.