Monday, March 30, 2020

Security Onion ISO image now available featuring Zeek 3.0.3, Suricata 4.1.7, Elastic 6.8.7, CyberChef 9.18.2, and more!

Our Security Onion ISO image is now available!

Security Onion boot menu

Major Changes Since Last ISO Image
Zeek 3.0.3
Suricata 4.1.7
Elastic 6.8.7
CyberChef 9.18.2

Thanks to Bryant Treacle for testing this ISO image!

Package Updates
This release also includes the following updated packages:
securityonion-setup - 20120912-0ubuntu0securityonion327
securityonion-web-page - 20141015-0ubuntu0securityonion106
pinguybuilder - 20180514-1ubuntu1securityonion22
securityonion-iso - 20151016-1ubuntu1securityonion35

These packages resolve the following issues:

sosetup-minimal: remove old check for securityonion_ssh.conf #1731

sosetup: new production deployments should default to LOGSTASH_MINIMAL #1732

sosetup-minimal: improve service check #1738

sosetup: set LOGSTASH_MINIMAL if running sosetup-minimal #1739

cheat sheet: convert to two pages #1717

Docs: add new cloud documentation #1733

CyberChef 9.18.2 #1730

securityonion-iso: latest chromium-browser packages #1721

pinguybuilder: increment version to #1736

Production Mode Now Defaults to LOGSTASH_MINIMAL For New Deployments
Please note that the new version of Setup now defaults to LOGSTASH_MINIMAL for new Production Mode deployments.  LOGSTASH_MINIMAL means that Logstash transports unparsed logs to Elasticsearch where they are parsed using ingest node parsing, which results in better performance.  Here are a few examples:

  • If you choose Production Mode and New to create a master server, then Setup will set LOGSTASH_MINIMAL in /etc/nsm/securityonion.conf on your master server.
  • If you then add a storage node to that master server, it will inherit the LOGSTASH_MINIMAL setting from the master server.
  • If you have an existing deployment without LOGSTASH_MINIMAL (traditional Logstash parsing), then if you add new nodes they will continue using traditional Logstash parsing.
  • Evaluation Mode is unchanged and will continue to use traditional Logstash parsing.
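The following shell check, added here and not part of Security Onion's own tooling, reads a node's /etc/nsm/securityonion.conf and reports whether that node will use ingest node parsing (LOGSTASH_MINIMAL) or traditional Logstash parsing, which is useful when auditing a mixed deployment of old and new nodes. It assumes the setting is stored as a shell-style assignment such as LOGSTASH_MINIMAL="yes"; the sample config files are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: report which Logstash parsing
# mode a node's /etc/nsm/securityonion.conf selects.
# Assumption: the setting is a shell-style assignment such as
# LOGSTASH_MINIMAL="yes"; an absent, commented-out, or non-"yes" value means
# traditional Logstash parsing.

logstash_mode() {
    conf="${1:-/etc/nsm/securityonion.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # The last uncommented assignment wins, as it would when the file is sourced.
    val=$(grep -E '^[[:space:]]*LOGSTASH_MINIMAL=' "$conf" | tail -n 1 \
          | cut -d= -f2- | tr -d "\"' " | tr '[:upper:]' '[:lower:]')
    case "$val" in
        yes|true|1) echo minimal ;;
        *)          echo traditional ;;
    esac
}

# Constructed sample configs so the check runs stand-alone; the temp dir is
# removed when the script exits.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '# constructed sample: new master\nLOGSTASH_MINIMAL="yes"\n' > "$tmp/master.conf"
printf '# constructed sample: legacy node\n# LOGSTASH_MINIMAL="yes"\n' > "$tmp/legacy.conf"
echo "master: $(logstash_mode "$tmp/master.conf")"   # master: minimal
echo "legacy: $(logstash_mode "$tmp/legacy.conf")"   # legacy: traditional
```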

Issues Resolved
For a list of all issues resolved in this release, please see:

Release Notes
For more information about this release, please see:

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:

Existing Deployments
If you have existing 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:

If you have existing installations of Security Onion 14.04, you can upgrade from 14.04 to 16.04:

You can find our documentation here:

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:

Need support?  Please see:

Security Onion Solutions is the only official authorized training provider for Security Onion:

We now offer hardware appliances!  For more information, please see:

Screenshot Tour
ISO boot menu

Once the Live Desktop appears, double-click the Install icon and follow the prompts

Once you've completed the installer and rebooted, login using the username and password you created in the installer

After logging in, you are prompted to run Setup

Welcome to Setup

Configure network interfaces
If your hostname is securityonion, Setup gives you the opportunity to rename it

Configure your network interfaces, reboot, then log back in

Launch Setup again and skip network configuration to go to service configuration

Production Mode now defaults to LOGSTASH_MINIMAL for better performance

If you choose New to create a master server, Setup will add LOGSTASH_MINIMAL to /etc/nsm/securityonion.conf

Create username

Create Password

Confirm Password

In most cases, we recommend choosing Best Practices

Choose your NIDS ruleset

Choose your NIDS engine

Choose to enable or disable network services

Set PF_RING min_num_slots

Verify sniffing interface

Choose to store logs locally or add storage nodes

Allocate storage for Elasticsearch

Confirm all options

Setup complete

Desktop no longer prompts to run Setup and includes icons for analyst applications
The README shortcut includes links to the cheat sheet and online and offline documentation

CyberChef 9.18.2

Single Sign On (SSO) for Squert, CapMe, and Kibana

Analyze IDS alerts using Squert
Retrieve full packet capture with CapMe

Kibana Overview Dashboard


Zeek Notices


HIDS Alerts from OSSEC/Wazuh

NIDS Alerts from Snort or Suricata

Zeek Connections

Zeek Total Bytes



Zeek DNP3

Zeek DNS

Zeek Files

Zeek FTP


Zeek Intel
Zeek IRC

Zeek Kerberos

Zeek Modbus

Zeek MySQL


Zeek PE


Zeek RDP

Zeek RFB

Zeek SIP

Zeek SMB



Zeek Software

Zeek SSH

Zeek SSL

Zeek Tunnels

Zeek Weird

Zeek X.509

OSSEC/Wazuh Logs

