Security Onion

Thursday, February 26. 2015

The other day, I came across an interesting-looking security suite called Security Onion. Its author doesn't like the term "distro", since it is Ubuntu with extra packages rather than a custom distribution like Kali. Its main purpose is to provide a quick and easy distributed NSM platform.

NSM, or Network Security Monitor, is like an IDS. It differs by drawing on multiple sources of information and different analysis tools to find the bad packets. In addition, Security Onion is meant to become an IPS, so the rule-sets are never "dumbed down". This means you always see the alert, even if you do nothing about it. A false positive on an IPS is bad, but it may mean you miss something.

In Security Onion there are three deployment types: Standalone, Sensor, or Server. A Standalone installation contains both a server and one or more sensors. After the break, I'll describe the parts in a bit more detail.