hack3rs.ca network-security
/learning/tools/security-onion :: tool-guide-5

defender@hack3rs:~/learning/tools$ open security-onion

Security Onion

Blue team platform

Security Onion bundles network telemetry, IDS alerting, log collection, host visibility, and analyst case workflows into one integrated blue-team platform — making it an efficient way to learn how SOC components fit together in a lab.

how-to-learn-this-tool-like-a-defender

Work through the stages in order. Each one builds on the previous. Skipping straight to 'run a command' without knowing what the output means is how analysts end up misreading evidence under pressure.

  • $Name the specific question this tool answers — and one question it cannot answer alone.
  • $Run the simplest command in a lab against a host you control; read every field in the output before moving on.
  • $Identify which output fields are direct evidence and which are inferences the tool made on your behalf.
  • $Pull a second source — a log, a PCAP, a SIEM event — that either confirms or contradicts what the tool reported.
  • $Write down the exact command you ran, what you expected, what you got, and what you are doing next.

preflight-checklist-before-using-tool

  • $Confirm in writing: who authorized this, what hosts are in scope, and what the maximum acceptable impact is.
  • $State the question you are trying to answer — not 'run the tool' but 'confirm whether port 443 is open on 10.10.20.15'.
  • $Name the second source you will use if the tool output is ambiguous (log, PCAP, CMDB, another tool).
  • $Record the start time, the host or interface you ran it on, and the exact command — enough for another analyst to reproduce it.
  • $Know what normal output looks like for this host before you run anything in anger.

how-experts-read-output

  • $Field recognition: identify the two or three fields that directly answer your question and ignore the rest for now.
  • $Scope check: confirm the output covers the host, interface, and time window you intended — not a cached or adjacent result.
  • $Evidence type: is this a direct observation (packet captured, port open) or an inference the tool made (service guessed from banner)?
  • $Correlation: name the one other source — a log line, a PCAP stream, a CMDB entry — that would confirm or contradict this.
  • $Decision: close the question, escalate with evidence, refine the scope, or collect another source — pick one and do it.

official-links

open docs Official Security Onion documentation about Platform overview and architecture concepts release notes Version and update notes

ethical-use-and-defense-scope

Deploy Security Onion only in environments where you are authorized to collect and analyze security telemetry. Because it centralizes network packets, host logs, and alert data in one place, governance over who can access what is essential — not optional.

Be explicit about which data sources are ingested and who can query them. This is a security operations platform, not a general monitoring tool. Access should be role-based and limited to defensive responsibilities.

When using Security Onion for training, prefer lab data or synthetic traffic. If you mirror production traffic for testing purposes, apply the same privacy, access, and retention controls you would apply to any production telemetry system.

tool-history-origin-and-purpose

  • $When created: Started as a free/open project in 2008 (with the platform growing significantly across later releases).
  • $Why it was created: Blue teams often struggled to assemble, tune, and operate many separate tools for network visibility, host visibility, alerts, and case workflows. Security Onion was created to reduce that integration burden.

Doug Burks created Security Onion to make enterprise-grade defensive monitoring more accessible by integrating multiple security tools into a usable platform for defenders.

why-defenders-still-use-it

People use Security Onion because it provides a practical blue-team platform that combines visibility, detection, search, and case management into one operational environment. It helps teams move faster from telemetry to investigation.

How the tool evolved
  • +Began as a free/open project and later matured into a broader platform used by many security teams.
  • +Integrated core network and host telemetry tools into a more coherent analyst workflow.
  • +Became a common training and lab platform because it helps learners see how tools fit together.

when-this-tool-is-a-good-fit

  • +SOC lab training that shows how sensors, alerts, log queries, and case management fit together.
  • +Pilot blue-team monitoring deployments where standing up integrated visibility quickly matters.
  • +Alert triage and investigation workflows backed by network and host data in a single interface.
  • +Detection tuning: test a rule change, see the alert impact, and validate with correlated log data.

when-to-use-another-tool-or-source

  • !When you need host process/user context, pair with endpoint or OS logs.
  • !When you need ownership and business impact, pair with CMDB/ticketing/asset context.
  • !When the tool output is ambiguous, validate using a second evidence source before concluding.
  • !When production risk is high, test in a lab first and use change coordination.

1. What Security Onion Provides

Security Onion packages network telemetry, IDS detections, log management, host visibility, case management, and platform tooling into one deployable system. Instead of assembling each component separately and wiring them together, a lab or small team can stand up integrated blue-team visibility in an afternoon.

For learners, the bundled approach has a specific advantage: you see how sensors, alerts, log searches, and case workflows interact in one place. That context accelerates understanding of how SOC operations actually work — not as isolated tools but as a connected data and workflow pipeline.

For operational teams, the platform offers a starting point that is faster than building from scratch, with enough flexibility to tune, swap data sources, and grow as the program matures.

2. Architecture and Deployment Mindset

Security Onion scales from a small single-node lab instance to a distributed deployment across multiple sensors. Before you install it, decide on your use case: training lab, pilot monitoring segment, or production deployment. Each has different resource, retention, and change-control requirements.

Understand where data enters the platform — network SPAN ports, agent-based host logs, syslog feeds — and where it lands for analyst queries. When pipelines fail or sensors go silent, that architecture knowledge is what lets you diagnose quickly rather than reboot and hope.

Sensor placement and data quality still matter more than interface features. A clean UI is not useful if the traffic mirror drops packets, the host logs never arrive, or there is no consistent hostname to pivot on across data types.

3. Blue Team Workflows Inside the Platform

Define the analyst workflow before you start using the platform in a real environment. Alert review, network log pivot, host context lookup, case note, disposition, escalation — if every analyst improvises a different sequence, you cannot compare investigations or measure analyst performance over time.

Security Onion supports both reactive and proactive work. Reactive: triage an alert, look at associated network and host logs, decide on containment. Proactive: hunt for a behavior in historical logs, look for gaps in alert coverage, tune noisy detections.

For training, practice tracing one event all the way through: from alert to network log, to host activity, to analyst note and decision. That end-to-end trace is the core skill the platform is designed to teach.

4. Operational Maintenance and Data Hygiene

Integrated platforms fail quietly. Sensors stop sending data, parsers break, storage fills up, and analysts keep querying while unknowingly looking at incomplete information. Monitor ingestion health, sensor status, and storage usage as routine operational work, not as incident response.

Retention planning determines what you can investigate later. Security Onion can centralize a large volume of telemetry, and storage constraints will force prioritization. Make those choices deliberately based on investigative value and compliance requirements — not after a disk alert fires.

Document platform changes. When a new data source is added or a detection rule changes, that record explains sudden shifts in alert volume or query results. It also makes onboarding a new analyst much smoother than “ask whoever set this up.”

5. Training With Security Onion

Security Onion is one of the best platforms for blue-team labs because it makes component relationships visible. Build small scenarios — an Nmap scan, a suspicious DNS query, a simulated web attack — and trace them through sensors, alerts, and the search interface. See what each layer shows and what it misses.

Use repeatable datasets so you can compare your results across sessions. Learning the platform and learning analytical thinking are separate skills — repeatable exercises let you improve both without one obscuring the other.

Treat lab time as operational training. Ask why a particular query is useful, what evidence it produces, and how it would change a response decision. Clicking through the UI is not the point — building defensible conclusions is.

6. Security Onion in a Mature Defense Program

Security Onion centralizes visibility, but it does not create process or ownership. A mature program still needs: someone who owns sensor health, someone who manages detection rules, someone who owns investigation workflows, and someone who runs post-incident reviews and updates playbooks. The platform supports those people — it does not replace them.

Role clarity is what separates a working SOC from a dashboard that generates unreviewed alerts. Define ownership before incidents require it.

The most important skill, whether in a home lab or a production environment, is producing defensible conclusions from integrated telemetry — not counting alerts or maximizing dashboard coverage.

7. Responsible and Ethical Use in Organizations

Security Onion can aggregate large amounts of sensitive telemetry. Set clear policies for who can query what data, how long it is retained, how incidents are handled, and how analyst queries are logged. Analysts should access only data relevant to active security operations work.

Avoid collecting data “just in case” without a retention decision and data classification behind it. Defensive monitoring requires balancing operational visibility with user privacy and legal requirements — those constraints are not obstacles, they are the boundary between a security program and a surveillance system.

Document analyst workflows so activity is explainable and auditable. When a data subject or regulator asks what was done with their data during an investigation, the answer should come from written process, not memory.

scenario-teaching-playbooks

Work through each scenario step by step. The goal is to practice making decisions with the tool — not just executing commands — so the workflow becomes automatic before you need it under pressure.

1. SOC lab training that shows how sensors, alerts, log queries, and case management fit together.

Suggested starting block: Initial Setup And Status Checks

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

2. Pilot blue-team monitoring deployments where standing up integrated visibility quickly matters.

Suggested starting block: Operational Health And Diagnostics

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

3. Alert triage and investigation workflows backed by network and host data in a single interface.

Suggested starting block: Lab Workflow Notes

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

4. Detection tuning: test a rule change, see the alert impact, and validate with correlated log data.

Suggested starting block: Initial Setup And Status Checks

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

cli-workflows

Lab-safe commands for authorized environments. Run each one, read the output, and note what field or value tells you something useful before moving to the next.

cli-walkthroughs-with-expected-output

One command per block, with sample output. Study the output before you run the command yourself — you should recognize what you are looking at when it appears on your screen.

Initial Setup And Status Checks

Beginner
Command
sudo so-setup
Example Output
Security Onion Setup
Version: 2.4

Select your installation type:
  1) Standalone
  2) Manager
  3) Sensor
  4) Search Node
  5) Eval (Lab)

# For lab use, choose Eval/Standalone

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Operational Health And Diagnostics

Intermediate
Command
sudo so-checkin
Example Output
Checking in with Security Onion manager...
Last checkin: 2026-03-17 09:55:00
Node status: healthy
Pending updates: 0
Rule updates applied: yes

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Lab Workflow Notes

Advanced
Command
mkdir -p ~/security-onion-labs
Example Output
# no output — directory created successfully

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

command-anatomy-and-expert-usage

Each card explains what the command is for, what can go wrong, and what the output means. Syntax is easy to look up; knowing which command to reach for — and what to ignore in the output — is the skill worth building.

Initial Setup And Status Checks

Beginner
Command
sudo so-setup
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: so-setup
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Platform setup, status, or health checks for Security Onion.

$ risk: Medium-High: may affect services/platform state depending on command and environment.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes 
Security Onion Setup
Version: 2.4

Select your installation type:
  1) Standalone
  2) Manager
  3) Sensor
  4) Search Node
  5) Eval (Lab)

# For lab use, choose Eval/Standalone

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Initial Setup And Status Checks

Beginner
Command
sudo so-status
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: so-status
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Platform setup, status, or health checks for Security Onion.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes 
Security Onion Status
manager: running
search: running
sensor: healthy

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Initial Setup And Status Checks

Beginner
Command
sudo so-test
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: so-test
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Platform setup, status, or health checks for Security Onion.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes 
Running Security Onion self-tests...
[PASS] Manager connectivity
[PASS] Elasticsearch health: green
[PASS] Logstash pipeline
[PASS] Kibana reachable
[PASS] Zeek capturing on eth0
[PASS] Suricata alert pipeline
All tests passed.

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Operational Health And Diagnostics

Intermediate
Command
sudo so-checkin
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: so-checkin
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Platform setup, status, or health checks for Security Onion.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes 
Checking in with Security Onion manager...
Last checkin: 2026-03-17 09:55:00
Node status: healthy
Pending updates: 0
Rule updates applied: yes

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Operational Health And Diagnostics

Intermediate
Command
sudo so-allow
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: so-allow
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Platform setup, status, or health checks for Security Onion.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes 
so-allow - Security Onion firewall rules

Options:
  analyst   Allow analyst access
  manager   Allow manager nodes
  logstash  Allow Logstash beats input
  reverse   Allow reverse proxy

Usage: so-allow <role> <ip-or-cidr>

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Operational Health And Diagnostics

Intermediate
Command
sudo docker ps | head
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: docker ps | head
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Platform setup, status, or health checks for Security Onion.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes 
CONTAINER ID   IMAGE                         COMMAND                  STATUS          NAMES
a1b2c3d4e5f6   securityonionsolutions/so-zeek  "/opt/zeek/bin/zeek"   Up 2 hours      so-zeek
b2c3d4e5f6a1   securityonionsolutions/so-suricata "/bin/suricata"       Up 2 hours      so-suricata
c3d4e5f6a1b2   securityonionsolutions/so-elastic "bin/elasticsearch"   Up 2 hours      so-elasticsearch

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Operational Health And Diagnostics

Intermediate
Command
sudo journalctl -xe --no-pager | tail -100
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: journalctl -xe --no-pager | tail
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes 
Mar 17 10:00:00 so-manager systemd[1]: Starting Security Onion manager services...
Mar 17 10:00:01 so-manager so-zeek[1234]: Zeek deployed successfully
Mar 17 10:00:02 so-manager so-suricata[1235]: Suricata IDS engine started
Mar 17 10:00:03 so-manager so-elastic[1236]: Elasticsearch cluster health: green

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Lab Workflow Notes

Advanced
Command
mkdir -p ~/security-onion-labs
Command Anatomy
  • $Base command: mkdir
  • $Primary arguments/options: -p ~/security-onion-labs
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes 
# no output — directory created successfully

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Lab Workflow Notes

Advanced
Command
printf "Scenario
Data sources
Expected detections
Actual findings
" > ~/security-onion-labs/session-01.txt
Command Anatomy
  • $Base command: printf
  • $Primary arguments/options: "Scenario Data sources Expected detections
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Lab Workflow Notes

Advanced
Command
nano ~/security-onion-labs/session-01.txt
Command Anatomy
  • $Base command: nano
  • $Primary arguments/options: ~/security-onion-labs/session-01.txt
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes 
# nano opens the file in an interactive terminal editor
# Edit the content, then save with Ctrl+O and exit with Ctrl+X

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Initial Setup And Status Checks

sudo so-setup
sudo so-status
sudo so-test

Operational Health And Diagnostics

sudo so-checkin
sudo so-allow
sudo docker ps | head
sudo journalctl -xe --no-pager | tail -100

Lab Workflow Notes

mkdir -p ~/security-onion-labs
printf "Scenario
Data sources
Expected detections
Actual findings
" > ~/security-onion-labs/session-01.txt
nano ~/security-onion-labs/session-01.txt

defensive-use-cases

  • $SOC lab training that shows how sensors, alerts, log queries, and case management fit together.
  • $Pilot blue-team monitoring deployments where standing up integrated visibility quickly matters.
  • $Alert triage and investigation workflows backed by network and host data in a single interface.
  • $Detection tuning: test a rule change, see the alert impact, and validate with correlated log data.

common-mistakes

  • $Deploying the platform without assigning ownership for sensors, rules, and investigations.
  • $Centralizing large volumes of telemetry without a storage and retention plan.
  • $Using the dashboard as the workflow instead of building documented triage and response steps.
  • $Ignoring sensor health and ingestion failures until an incident exposes the missing data.

expert-habits-for-free-self-study

Free teaching resource. The loop that makes analysts better: ask a precise question, collect evidence, read it carefully, validate against a second source, document what you found, and repeat with a harder question.

  • $Pick the least disruptive command that can still answer the question — then run that one first.
  • $Before you look at output, write one sentence stating what you expect to see.
  • $Mark each output field as 'observed' or 'inferred by tool' before acting on it.
  • $Save the exact command with flags and target — not a paraphrase — so another analyst can run the same thing.
  • $During a quiet period, capture what normal output looks like from key hosts; store those samples where you can find them during an incident.
  • $When you escalate, include the command output, the timestamp, and one sentence on why it matters — not just 'looks suspicious'.

knowledge-check

  • ?What question is this tool best suited to answer first?
  • ?What permissions or scope approvals are needed before using it?
  • ?Which second evidence source should you pair with it for higher confidence?
  • ?What does normal output look like for your environment?

teaching-answer-guide

Show teaching hints
  • #Start from the tool’s role and the scenario you are investigating.
  • #Never rely on one tool alone for high-confidence incident decisions.
  • #Document normal output patterns during calm periods so anomalies are easier to spot.
  • #Prefer lab validation for new commands, rules, or scans before production use.

practice-plan

# Deploy a lab instance, ingest network traffic from a SPAN or replay, and confirm data arrives in the search interface.
# Generate a small scenario — a port scan, a suspicious DNS query — and trace it from sensor through alert to case note.
# Write a one-page runbook for platform health checks: sensor status, ingestion rate, storage usage.
# Define retention periods and access roles before the lab is used for anything sensitive.

related-learning-modules

Study the core concepts and workflows behind this tool so your usage stays evidence-driven and repeatable.

open /learning/network-security-monitoring-zeek-suricata Network Security Monitoring with Zeek and Suricata open /learning/incident-response-playbooks-framework-functions Incident Response Playbooks Aligned to Recognized Cybersecurity Framework Functions

related-threat-workflows

See where this tool fits into threat-specific detection, triage, and remediation workflows.

open /threats/ransomware-and-data-extortion-operations Ransomware and data extortion operations open /threats/ddos-and-service-exhaustion-attacks DDoS and service exhaustion attacks

related-tools-in-this-path

Continue within the same guided track. These tools are commonly studied next in the path(s) this page belongs to.

<- previous tool Suricata -> next tool OpenVAS / Greenbone CE