Photo by Stoochi Lam on Unsplash

Centralized monitoring and intrusion detection

Alarm System

Article from ADMIN 80/2024
Security Onion bundles numerous individual Linux tools that help you monitor networks or fend off attacks to create a standardized platform for securing IT environments.

Ensuring the security of a company's IT infrastructure becomes increasingly important as new threats and forms of attack continually emerge. Linux already offers numerous cross-platform tools for detecting anomalies in networks, evaluating logfiles, and other such tasks. However, many of the security tools that make life easier for administrators are scattered across the Internet and not easy to find.

The Security Onion [1] project addressed this shortcoming back in 2008. Originally based on Ubuntu, the security suite, which now runs in Docker environments, bundles professional tools for monitoring the IT infrastructure, including logfile analysis and intrusion detection [2]. The various ways of using the system include cloud images, which are intended for use in the Amazon, Google, and Azure clouds, and a downloadable ISO image that you can install on a dedicated host and deploy in virtual environments such as VirtualBox or VMware.

Strategies

When collecting, aggregating, and analyzing data, Security Onion can take both a host-based and network-based approach. The suite uses three tools for host-based intrusion detection: (1) Wazuh [3] is a fork of the OSSEC [4] intrusion detection system; it monitors hosts and sends data to a server in the event of anomalies. A cross-platform agent is installed on the computers for this purpose. By analyzing the log data, Security Onion detects malware and identifies further vulnerabilities that need to be addressed. (2) Osquery [5] is another host-based tool that queries and logs the system status. (3) Beats [6] uses Winlogbeat to monitor Windows-specific logs and files. Filebeat, on the other hand, is used across all platforms. Both tools transfer their data to the Logstash server integrated into Security Onion. Like other tools in the suite, Beats uses the Elasticsearch search and analysis engine.

Security Onion comes with five tools for network-based monitoring: (1) OpenCanary [7] is a honeypot for intrusion detection; (2) Stenographer [8], developed by Google, focuses on collecting large volumes of data; (3) Strelka [9] scans content and prepares it for detailed analysis; (4) Zeek [10] is dedicated to monitoring and analyzing large volumes of data and can limit the data volume with its own scripting language, which allows you to generate customized logfiles; and (5) Suricata [11] integrates an intrusion detection/intrusion prevention system and uses signatures to find anomalies in network communication.
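The customized, volume-limited logging mentioned for Zeek above, as an added example that is not code from the article or from the Security Onion project: a Zeek script that writes its own reduced log containing only connections that moved more than an assumed 10 MB of payload in either direction. The module name, log path and threshold are assumptions; how the script is loaded (for example from local.zeek) depends on the deployment.

```zeek
# Added example: a reduced connection log. Assumed names: module BigFlows,
# log path "bigflows", threshold min_bytes. Everything else is standard Zeek.
module BigFlows;

export {
    ## Register a new log stream for this script.
    redef enum Log::ID += { LOG };

    ## Only connections that carried at least this many payload bytes
    ## in one direction are written out (assumed value: 10 MB).
    const min_bytes: count = 10000000 &redef;

    ## Columns of the custom log; &log marks fields that are written.
    type Info: record {
        ts:         time   &log;
        uid:        string &log;
        orig_h:     addr   &log;
        resp_h:     addr   &log;
        resp_p:     port   &log;
        service:    string &log &optional;
        orig_bytes: count  &log;
        resp_bytes: count  &log;
    };
}

event zeek_init()
    {
    # Creates bigflows.log next to the regular conn.log.
    Log::create_stream(BigFlows::LOG, [$columns=Info, $path="bigflows"]);
    }

event connection_state_remove(c: connection)
    {
    # c$orig$size / c$resp$size are the payload byte counts Zeek tracks
    # per endpoint; small connections are dropped here to limit volume.
    local ob = c$orig$size;
    local rb = c$resp$size;
    if ( ob < min_bytes && rb < min_bytes )
        return;

    local rec: Info = [$ts=c$start_time, $uid=c$uid,
                       $orig_h=c$id$orig_h, $resp_h=c$id$resp_h,
                       $resp_p=c$id$resp_p,
                       $orig_bytes=ob, $resp_bytes=rb];

    # c$service is a set of protocol names; flatten it to one column.
    local svc = "";
    for ( s in c$service )
        svc = svc == "" ? s : cat(svc, ",", s);
    if ( svc != "" )
        rec$service = svc;

    Log::write(BigFlows::LOG, rec);
    }
```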

Matter of Opinion

Some of the individual tools in Security Onion work with specific web interfaces that are intended to provide their own overview. The security suite, on the other hand, offers a standardized web interface, the Security Onion Console, that not only simplifies data analysis, irrespective of the tools you use, but also supports manual searches for vulnerabilities and anomalies and offers alerting functions. The Security Onion web interface uses standardized tools to display content, primarily relying on Kibana [12] and Grafana [13]. Kibana displays the incoming data on various dashboards, while Grafana analyzes the status of the system components and monitors their performance.

Automated

Security Onion lets you define detection patterns for vulnerabilities and develop solution strategies for eliminating specified problems with the help of a playbook. The playbooks comprise several plays that handle different tasks, so the security suite does the work for you. Security Onion comes with around 600 plays out of the box; you can view the results at any time on the dashboard of the web-based interface.
