Friday, January 22, 2016

Security Onion Screenshot Tour

Below is a quick screenshot tour of the new Security Onion ISO image.

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!

We have online training classes starting next Monday:

Commercial Support
Need commercial support? Please see:

If you have any questions or problems, please use our security-onion mailing list:

ISO Boot Menu

Boot splash

Installer - Welcome

Installer - Preparing

Installer - Installation Type (now with LVM)

Installer - Verify disk changes

Installer - Time Zone

Installer - Keyboard Layout

Installer - hostname, username, and password

Installer - Copying files

Installer - Installation Complete

Installer - ready to reboot

GRUB Boot Menu

Login screen

Installing updates with soup

Setup - Welcome

Setup - Network Interfaces

Setup - Management Interface

Setup - IP Address for Management Interface

Setup - Monitor (sniffing) interfaces

Setup - Verify Choices

Setup - Network Configuration Complete

Reboot and log back in

Run Setup Phase 2

Setup - Welcome

Setup - Skip Network Configuration

Setup - Evaluation Mode or Production Mode

Setup - Monitor (sniffing) interface

Setup - Username

Setup - Password

Setup - Confirm Password

Setup - Confirm Options

Setup - Progress Bar

Setup - Complete

Setup - sostat

Setup - Rules

Setup - links

Setup - commercial support

Verifying services

Replaying pcaps to create traffic

Launching Squert web interface

Logging into Squert

Squert Main Page

Squert - drilling into a NIDS alert

Squert - viewing NIDS alert payload

Squert - viewing full packet capture

Squert - GeoIP Mapping

Squert - Top Signatures

Squert - Top IP Addresses

Squert - Top Countries

Squert - Top Ports

Squert - Sankey Diagram

Logging into Sguil

Sguil - selecting networks (sensors)

Sguil RealTime Events tab

Sguil - pivoting from a NIDS alert to full packet capture

Pivoting from a NIDS alert and sending pcap to Wireshark

Pivoting from a NIDS alert and sending pcap to NetworkMiner

Pivoting from a NIDS alert and decoding gzip-encoded data using Bro

Logging into ELSA

ELSA - Connections - Top SRC IPs

ELSA - Connections - Top DST IPs

ELSA - Connections - Top DST Ports

ELSA - Connections - Top Services

ELSA - Connections - Groupby Protocol

ELSA - Connections - Groupby Responder's Country Code

ELSA - DHCP - Top Assigned IPs

ELSA - DHCP - DHCP Servers

ELSA - DNS - Top Query Type

ELSA - DNS - Top Return Code

ELSA - Top nxdomain

ELSA - Files - MIME Types

ELSA - FTP - Top arg

ELSA - HTTP - Top DST Ports

ELSA - HTTP - Top MIME Types

ELSA - HTTP - Top User Agents

ELSA - HTTP - Top Sites

ELSA - HTTP - Sites hosting EXEs

ELSA - HTTP - Sites hosting CABs

ELSA - HTTP - Sites Hosting JARs

ELSA - HTTP - Sites hosting SWFs

ELSA - HTTP - Sites hosting ZIPs

ELSA - Kerberos - Top Services

ELSA - Notices - Top Notice Types

ELSA - SMTP - Top Subjects

ELSA - Snort/Suricata - Top NIDS Alerts

ELSA - Software - Software Detected by Bro

ELSA - SSL - Top Hostnames
