Setting up a properly installed and well-tuned IDS/IPS system can be time consuming. If you have ever tried to set up a fully-functional Snort system, you are familiar with the time it requires. If you want to get an IPv6-capable IDS system up and going quickly then you should look at Security Onion. Once you get it working there are also some low-cost alternatives to capture the packets and observe them.



Security Onion    is a Linux distribution for intrusion detection and network security monitoring. Security Onion for Splunk is designed to run on a Security Onion server, providing an alternative method for correlating events and incorporating field extractions and reporting for Sguil, Bro IDS and OSSEC.




Security Onion is a non-commercial Linux distribution based on Xubuntu 12.04 that aims to simplify the installation of numerous widely used security tools, especially those focused on intrusion detection and Network Security Monitoring (NSM) and log management. It’s contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, Vortex IDS, nmap, metasploit, scapy, hping, netcat, tcpreplay and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!



Security Onion seamlessly weaves together three core functions: full packet capture, network-based and host-based intrusion detection intrusion detection systems (NIDS and HIDS, respectively), and powerful analysis tools, and provide log and alert data for detected events and activity. Security Onion provides multiple IDS options


It is open source and free. Developed by Doug Burks.


It includes:

Sguil : Sguil (pronounced sgweel or squeal) is a collection of Free software components for Network Security Monitoring (NSM) and event driven analysis of IDS alerts.


Snorby : Snorby is a new and modern Snort IDS front-end.


Squert : Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets.


ELSA : Enterprise log search and archive (ELSA) is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.




Before I dive directly into my tutorial here, please be aware that Irongeek has posted a great video tutorial here.
In order to install Security Onion, first download the iso image which can be found at:

Latesr version is  securityonion-12.04.3-20130904.iso



Either burn the ISO image to a disk and boot your machine from that disk or utilize the ISO directly for installation in a virtual instance. In either case, boot your machine from the ISO.



Once at the Grub Menu select “Install – Start the Installer Directly” this will launch a typical Ubuntu installation which really does not need much explanation.










It should be easy as its installation process is equal to a normal Ubuntu installation.
Once the Linux installation has finished, reboot and login via the username and password you setup during the Linux installation. Next open a terminal and input the command #sudo apt-get update; sudo apt-get dist-upgrade.

Now we have Security Onion installed and updated, well not quite. Until now all we did was install Xubuntu and all the tools that came with it so, as we see an icon called “Setup”, and that’s what matter is for us now. This “Setup” icon will configure our installation. So let’s click on “Setup” to start the configuration process.




he first step is choosing if we want to configure the interfaces right now or later, as this step will automatically optimize our network interfaces let’s configure them now so choose “Yes, configure /etc/network/interfaces!” and static after, because we don’t want this machine to change ip address.






Enter the IP address, subnet mask, gateway and the DNS server.










Give a local domain name for the machine. You can give it whatever name you would like to.

Now we just configured our network interfaces, so click on “Yes, make changes and reboot!” to reboot the system and make the changes. The setup is not complete yet, so we will need to click on the “Setup” icon again after the reboot but for now its reboot time.

Now we face a decision to do a “Quick Setup” or an “Advanced Setup”, as we can see from the image the “Advanced Setup” let us have more control about the configurations that we want such as:



Gives you more control over the details of your system;
Allows you to build a distributed sensor network;
You choose Sguil server, Seguil sensor, or both;
You choose which IDS engine to use (Snort or Suricata);
You choose which IDS ruleset(s) to use (Emerging Threats, Snort VRT, or both);
You choose which network interfaces should be monitored by the IDS Engine and Bro;
You choose how many processes to run for Snort/Suricata/Bro.


Choose “Standalone” because we are using only one machine to be the server and the sensor.







Now we have to choose the IDS Engine that we would like to use and in this installation we will use “Suricata”.




Now it asks us which IDS ruleset we would like to use. The rulesets are the rules for which the IDS will obey and find out if there are problems in the network. We are going to use “Emerging Threats GPL” because we don’t have any oinkcode. The oinkcode is a code given by snort that will allow us to have different access to updates or more rules. Next we must insert a username and password to log in into our system and enabling ELSA (centralized syslog framework).

















Finally say “Yes, proceed with the changes!” to finalize the setup configuration of our Security Onion. Sit back and wait while the system makes the changes.




Once you get your Security Onion system working then you can start to use it to gain more understanding about IPv4 and IPv6 protocol security and help defend your organization from security threats.