Security Onion Components

April 27th, 2019 Posted by Blog, Members Only 0 thoughts on “Security Onion Components”


Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes.

How does Security Onion work?

Security Onion is built on a modified distributed client-server model. In the past, Security Onion relied solely on the use of a “sensor” (the client) and a Security Onion “server” (the server). With the inclusion of the Elastic Stack, the distributed architecture has since changed, and now includes the use of Elastic components and separate nodes for processing and storing Elastic stack data.

This means that a standard distributed deployment is now comprised of the master server, one or more forward nodes (previously called a sensor — runs sensor components), and one or more storage nodes (runs Elastic components). This architecture is ideal; while it may cost more upfront, this architecture provides for greater scalability and performance down the line, as one can simply “snap in” new storage nodes to handle more traffic or log sources.



In the image above we can see the architecture of a Security Onion Instance, this can be deployed in a distributed or standalone way. For our Lab, we will set up and use standalone mode which combines the functions of a master serverforward node, and storage node.


In a standalone mode, the deploy consists of a single server running master server components, sensor, and Elastic stack components.


Technical Aspects of Security Onion:

As a Linux distribution based on Ubuntu, Security Onion contains several tools of security like Suricata, Snort, Bro, CapME, Squert, NetworkMiner, Wireshark, ELSA ( which are now Logstash + Kibana) and some others, all these tools are integrated in the system, the use of these features is quite easy to set up due to the complementation configurated for them is relatively easy to pivot between each one of them.

The principal objective of these tools is the detection of intrusions and monitoring the process of the network by keeping special attention over the security events within the network. Now to understand a little better the functions of each tool, we have to describe a few one of them which are the most used or relevant tools included in Security Onion:


OSSEC is a host intruder detection system, the technical characteristics of this tool are the following:

  • Rootkits Detection
  • Active response and notification in real time
  • System architecture based on a centralized service hosted by a server and several agents installed in the devices that need to be monitored.
  • Files verification system

Bro Security Monitor:

Bro Network monitor is a framework which is used for network monitoring activities, the technical characteristics of Bro monitor can be listed as:

  • Bro monitor includes features that can be used to scan the most common network protocols.
  • The information can be gathered in a database and can be consulted through ELSA or Logstash, which complements the information at the time that alerts need to be analyzed.
  • The tool can be used to monitor the network activity and generates active logs for TCP/UDP connections, network services, and software tools detected that affect the network, DNS requests, SSH petitions, SSL certificates integrity, HTTP activity and FTP shared services.


Snort IDS are based on an Open-Source software, the technical aspects of Snort can be listed as:

Functioning process:

  • Sensors which can capture network packets
  • Features which handled the normalization of the traffic
  • The tool detects threats and attacks and generates alerts for the administrators
  • The results of the threats captured are compared with previous patterns and rules created by the administrators to handle the threats
  • The scanning process can be switched to Suricata
  • The rules included in the detection scheme are updated automatically through a function called pulled-pork


Sguil is a console system which can be used for security analysis, the technical aspects of Sguil can be described as:

  • Sguil posses a graphic interface which allows the access to the security alerts, the data capture, and the session data.
  • Sguil posses integrated tools like  CapMe, Network Miner and Wireshark
  • All the alerts inform the context which has produced the initial error.

Here is a picture demo of the system that shows the event logs:


Squert can be described as a web application which can serve to visualize events and posses the following characteristics:

  • Squert posses an analyst console which complements with Sguil
  • Squert import information about the context of alerts, group of events and creates a timeline to follow each aspect of them
  • It shows the Sguil database but it shows a different perspective of the data.


Elasticsearch is a distributed, RESTful search and an analytic engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected.



Logstash is an open source, server-side data processing pipeline that ingests data from a multitude of sources. It  simultaneously transforms it, and then sends it to your favorite “stash”.



Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers.


As we have seen, Security Onion is built under a set of tools, each with a specific function.  We will see how to install Security Onion and also explore each of the tools described in this lesson.

Try Certified Ethical Hacker for FREE!!!