Friday, October 16, 2020

Security Onion 2 Has Reached General Availability (GA)!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:

After 4 Technology Preview releases, 4 Alpha releases, and 3 Beta releases, we dropped the Hybrid Hunter code name and announced 2.0 (RC1), 2.1 (RC2), and 2.2 (RC3). This has been our most ambitious project to date, taking over 34 months and resulting in a whopping 5,034 git commits. Today, we are proud to announce that Security Onion 2.3 has reached General Availability (GA)! 

Changes from Security Onion 16.04

Here are some of the major differences of the new Security Onion 2.3 compared to Security Onion 16.04:

  • Features a new web interface called Security Onion Console (SOC) that includes native alert management, threat hunting, and pcap retrieval
  • Adds TheHive, Strelka, support for Sigma rules, Grafana/InfluxDB (independent health monitoring/alerting), Fleet (osquery management), and Playbook (detection playbook tool).
  • Moves from Ubuntu packages to containers
  • Supports both CentOS 7 and Ubuntu 18.04
  • Changes pcap collection tool from netsniff-ng to Google Stenographer
  • Upgrade to Elastic Stack 7.x and support the Elastic Common Schema (ECS)
  • Completely replaces unsigned kernel module PF_RING with AF_PACKET
  • Suricata completely replaces Snort. (We may elect to add Snort back after Snort 3.0 is officially released.)
  • Removes Sguil, Squert, capME, and PHP
  • Storage Nodes are now known as Search Nodes
  • The first node in a distributed deployment is now called a Manager

Changes from Security Onion 2.2 RC3

If you tried out Security Onion 2.2 RC3, you will notice some changes in this release.

This release features a brand new web interface for alerts. This includes NIDS alerts from Suricata, HIDS alerts from Wazuh, Playbook alerts, and YARA matches from Strelka. This interface is specifically designed to help you triage alerts as quickly as possible. Slice and dice your alerts with multiple views and then pivot to full packet capture or our Hunt interface to investigate IP addresses or other items of interest. Once you've made a determination about an alert, you can either acknowledge it or escalate it to TheHive to create a case.

Next, we've continued to iterate on Hunt, improving its default queries and default pivot actions. Hunt now supports more customization as well.

Finally, we've continued to improve support for airgap deployments. Airgap deployments now include a local copy of the documentation. Also, airgap deployments now support updates using the latest ISO image.


We've started migrating our documentation to 2.3:

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then.

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

Existing Installations

If you have an existing 2.x (RC1, RC2, or RC3) installation, please see the in-place upgrade notes here:

New Installations

If you want to do a new installation, please review the 2.3 documentation and then you can find instructions here:

Questions or Problems

If you have questions or problems, please see our new community support forum:

Known Issues

Changes from Previous Releases


Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

ISO Boot Menu

ISO Installer

ISO Install Complete

Welcome to Setup

Choose the Setup type
Set hostname

Select management NIC

Configure management NIC

Configure networking

Configure networking

Configure networking

Configure networking

Configure networking

Configure HOME_NET

Create user account

Set password

Confirm password

Choose how you want to access the web interface

Optionally run so-allow

Specify IP address or range to allow through firewall

Confirm options

Setup complete

Optionally enable Analyst Workstation with so-analyst-install

Enter username to login to GNOME

Enter password to login to GNOME

GNOME Desktop

Analyst Workstation includes Chromium, NetworkMiner, and Wireshark

Login to Security Onion Console (SOC)

SOC Overview page

Use so-import-pcap to import one or more pcap files

Use the hyperlink provided by so-import-pcap to review all alerts and logs

New Alerts interface

Use the Quick Action Bar to pivot to the PCAP page for full packet capture

PCAP Overview

PCAP transcript

Download the pcap and open in NetworkMiner for file extraction

All this in a minimal VM with only 4GB RAM!

No comments:

Search This Blog

Featured Post

Sneak Peek: New Detections Feature coming in Security Onion 2.4.70!

Our latest video is a sneak peek at a NEW feature coming to our FREE and OPEN Security Onion platform in the upcoming 2.4.70 release! This n...

Popular Posts

Blog Archive