SecurityOnion

Updated April 3, 2025

Security Onion is a Linux distribution for security monitoring, incident detection, and network traffic analysis. It integrates a number of tools into a single comprehensive platform for monitoring, analyzing, and responding to network security events.

Security Onion features

  • Network Security Monitoring (NSM): Security Onion uses Snort, Suricata, and Zeek (formerly known as Bro) for real-time traffic analysis, full packet capture, and intrusion detection.

  • Log management: Elasticsearch, Logstash, and Kibana (ELK) provide centralized log management, analysis, and visualization. Your security analysts can use these to quickly locate, analyze, and correlate logs from different sources.

  • Incident response: You can choose from a number of utilities and processes for incident detection and response, including legal expertise, malware analysis, and threat detection tools.

  • Visualization and reporting: Security Onion offers customizable Kibana dashboards and visualizations for network traffic monitoring, security event analysis, and reporting.

  • Scalability: You can deploy Security Onion in different network architectures — from small single-component installations to large distributed deployments — which makes it suitable for organizations of all sizes.

  • Open-source code: Security Onion is open-source software, so users can customize and extend it to meet their specific security requirements.

Deployment instructions

Warning

After you create the VM, product configuration starts automatically to give you a complete and secure product. This process takes 40 to 50 minutes depending on the VM specification.

  1. Create an SSH key pair for connecting to the virtual machine.

  2. Create a network to deploy the SecurityOnion VM in.

  3. Create two subnets in the same availability zone, in the network the SecurityOnion VM will be deployed in.

  4. Create a security group in the network the SecurityOnion VM will be deployed in and configure the following rules:

    Traffic direction   Port range   Protocol   Source   CIDR blocks / Security group
    Incoming            22           TCP        CIDR     0.0.0.0/0
    Incoming            443          TCP        CIDR     0.0.0.0/0
    Outgoing            -            Any        CIDR     0.0.0.0/0

    Security groups are used in Yandex Cloud services to control network access to the object they apply to. If you assign a security group without rules to the network interface of a VM, the VM will not be able to send or receive traffic.

  5. Create a VM from a public image:

    • On the Marketplace tab, under Boot disk image, in the Product search field, enter SecurityOnion and select the SecurityOnion public image.

    • Under Network settings:

      • Select the first subnet in the Subnet field; in the Security groups field, select the security group you created previously.
      • Click Add network interface.
      • Select the second subnet in the Subnet field; in the Security groups field, select the security group you created previously.
    • Under Access:

      • Enter the username in the Login field.
      • Paste the contents of the public SSH key file in the SSH key field.

    Save the VM's public IP address and username.

  6. Connect to the VM over SSH using the username and public IP address you saved earlier.

  7. Switch to the root user:

    sudo su
  8. (Optional) To monitor the installation process, view the system log (the original relative path ../../var/log/messages resolves to this file from the default home directory):

    cat /var/log/messages

    or check the status of the Security Onion services:

    so-status

    Note

    You can also use the serial port to monitor the installation process.

  9. Get the administrator password from the so-admin-password file:

    cat /root/so-admin-password
  10. Copy the password. You will need it to access the web interface.

  11. In the browser, go to https://<VM_public_IP_address>/.

  12. Log in with the following credentials:

    • Username: soadmin@so.local
    • Password: <password_from_the_so-admin-password_file>

    Change the password after the first login if needed.
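The same network, subnet, security group, and VM setup described in steps 2 to 5 can be scripted with the yc CLI instead of the console. The script below is an added example, not part of the marketplace page and not OpenNix's code. It assumes yc is installed and authenticated for the target folder, that jq is available, and that the flag syntax matches the yc CLI release the author is familiar with; the resource names (so-net, so-subnet-a, so-subnet-b, so-sg, so-vm), subnet ranges, and VM size are constructed placeholders. Only the image_id comes from this page. By default the script prints the commands it would run; set APPLY=1 to execute them. ADMIN_CIDR defaults to the page's 0.0.0.0/0 so that the result matches the table in step 4, but a practitioner would normally narrow it to the address range the analysts connect from.

```shell
#!/bin/sh
# Added example (not from the marketplace page or from OpenNix): steps 2 to 5 via the yc CLI.
# Assumptions: yc and jq are installed, yc is authenticated for the target folder, and the
# flag syntax below matches the yc CLI; names, ranges and VM size are constructed placeholders.
set -eu

IMAGE_ID="fd86fvepc7jtigdst8j0"                        # image_id listed on the product page
ZONE="${ZONE:-ru-central1-a}"                          # both subnets and the VM share one zone
ADMIN_CIDR="${ADMIN_CIDR:-0.0.0.0/0}"                  # page default; narrow to your admin range
SSH_PUBKEY="${SSH_PUBKEY:-${HOME:-/root}/.ssh/id_ed25519.pub}"
APPLY="${APPLY:-0}"                                    # 0 = print commands only, 1 = execute them

# Print a command, and execute it only when APPLY=1 (dry run by default).
run() {
  printf '%s ' "$@"
  printf '\n'
  if [ "$APPLY" = "1" ]; then
    "$@"
  fi
}

deploy() {
  # Step 2: the network the VM lives in.
  run yc vpc network create --name so-net

  # Step 3: two subnets in the same zone and network.
  run yc vpc subnet create --name so-subnet-a --zone "$ZONE" --network-name so-net --range 10.10.1.0/24
  run yc vpc subnet create --name so-subnet-b --zone "$ZONE" --network-name so-net --range 10.10.2.0/24

  # Step 4: 22/tcp and 443/tcp inbound from ADMIN_CIDR, everything outbound.
  run yc vpc security-group create --name so-sg --network-name so-net \
    --rule "direction=ingress,port=22,protocol=tcp,v4-cidrs=[$ADMIN_CIDR]" \
    --rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[$ADMIN_CIDR]" \
    --rule "direction=egress,from-port=0,to-port=65535,protocol=any,v4-cidrs=[0.0.0.0/0]"
  if [ "$APPLY" = "1" ]; then
    SG_ID=$(yc vpc security-group get --name so-sg --format json | jq -r .id)
  else
    SG_ID="<so-sg-id>"                                 # placeholder shown in dry-run output
  fi

  # Step 5: the VM from the public image, two interfaces in the security group,
  # a public address on the first one only, and the SSH public key for login.
  run yc compute instance create --name so-vm --zone "$ZONE" \
    --platform standard-v3 --cores 8 --memory 32 \
    --create-boot-disk "image-id=$IMAGE_ID,size=200" \
    --network-interface "subnet-name=so-subnet-a,nat-ip-version=ipv4,security-group-ids=$SG_ID" \
    --network-interface "subnet-name=so-subnet-b,security-group-ids=$SG_ID" \
    --ssh-key "$SSH_PUBKEY"

  # The public IP you would otherwise copy from the console (step 5) for the SSH step (step 6).
  if [ "$APPLY" = "1" ]; then
    yc compute instance get --name so-vm --format json \
      | jq -r '.network_interfaces[0].primary_v4_address.one_to_one_nat.address'
  fi
}

deploy
```

Run it once without APPLY to review the commands, then with `APPLY=1 ADMIN_CIDR=203.0.113.0/24 ./deploy-so.sh` (a constructed example range) to create the resources. With the yc CLI, `--ssh-key` provisions the login user `yc-user`, so step 6 becomes `ssh yc-user@<VM_public_IP_address>`; steps 7 to 12 on the page apply unchanged.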

Billing type
Hourly (Pay as you go)
Type
Virtual Machine
Category
Network infrastructure
Security
Publisher
OpenNix Cloud security
Use cases
  • Network intrusion detection (NIDS): SecurityOnion includes a number of NIDS tools, such as Suricata and Snort, for real-time traffic analysis to detect and report suspicious activities like intrusion, malware infection, and suspicious networking behavior.

  • Network security monitoring (NSM): SecurityOnion's comprehensive NSM capabilities come from capturing, indexing, and analyzing network traffic. This allows security analysts to detect security incidents, investigate security events, and conduct forensic analysis.

  • Log analysis: SecurityOnion aggregates and analyzes logs from different sources, such as network devices, operating systems, applications, and security tools. This helps you detect security incidents, monitor user activity, and spot anomalies.

  • Incident response: SecurityOnion facilitates incident response actions by providing network traffic, logging, and system activity visibility. Security teams can thus quickly detect, minimize, and address security incidents, such as data leaks, malware infection, and unauthorized access.

  • Threat detection: SecurityOnion supports proactive threat hunting, allowing your security analysts to search for indicators of compromise (IOCs), suspicious patterns, and abnormal network behavior. This helps you uncover hidden threats and improve your overall security posture.

  • Forensic analysis: SecurityOnion has tools and features for forensic analysis of network traffic, logs, and system artifacts. This helps you recover from security incidents, find the root causes of security violations, and gather evidence for legal proceedings.

  • Malware analysis: You can use SecurityOnion to analyze and disassemble malware samples in a controlled environment. This will help you to understand malware behavior, discover its capabilities, and develop countermeasures for protection against future infections.

  • Vulnerability assessment: SecurityOnion can be integrated with vulnerability scanning tools to identify vulnerabilities in your network infrastructure, systems, and applications. This will help you to prioritize your corrective actions and reduce the attack surface.

  • Compliance monitoring: SecurityOnion helps organizations comply with regulatory requirements through continuous monitoring, logging, and reporting. This helps you demonstrate compliance with regulations and security frameworks such as PCI DSS, HIPAA, and GDPR.

Technical support

OpenNix
OpenNix provides support to SecurityOnion users in Yandex Cloud. You can contact their support team by email at support@opennix.ru. Support is available on business days from 9 a.m. to 6 p.m., GMT+3.

Yandex Cloud
Yandex Cloud does not provide technical support for this product. If you have any issues, please refer to the vendor’s information resources.

Product IDs
image_id: fd86fvepc7jtigdst8j0
family_id: opennix-securityonion

Product composition
Software        Version
Oracle Linux    9.3
SecurityOnion   2.4.60

Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service and the terms and conditions of the following software: EULA