Security Onion 2.1 RC2 releases: Linux distro for intrusion detection, enterprise security monitoring, and log management
Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.
High-Level Architecture Diagram
Curator – Manage indices through scheduled maintenance.
ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
FreqServer -Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.
Changelog v2.1 RC2
One new feature in this release is that the installer now includes a new option for a dedicated import node. An import node is a single standalone box that runs just enough components to be able to import a pcap using so-import-pcap. When you run so-import-pcap, it analyzes the pcap using Suricata and Zeek and the resulting logs are picked up by Filebeat and sent to Elasticsearch where they are parsed and indexed. You can then view those logs in Security Onion Console (SOC). All this can be done in a minimal virtual machine with only 4GB RAM! For screenshots of the new import node, see the Screenshot Tour at the bottom of this blog post.
Another new feature that you’ll see in the Screenshot Tour is that our new Hunt interface is better than ever! It now dynamically updates the columns in the bottom data table based on the actual data type that you’re looking at. For example, if you’re looking at DNS logs, Hunt will show columns that are relevant to DNS logs like the DNS query, type, and response code. Additionally, you’ll notice that where field values used to have two magnifying glass icons (one to include the value in the search and the other to exclude the value from the search), there is now a third magnifying glass icon. This new icon starts a new search for just the value itself.