### Download Security Onion Repo and Start Network Setup Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/network-installation.md Clones the Security Onion repository and executes the network setup script. Ensure you are in the correct directory before running. ```bash git clone -b 2.4/main https://github.com/Security-Onion-Solutions/securityonion cd securityonion sudo bash so-setup-network ``` -------------------------------- ### Start Zeek service Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/services.md Starts the Zeek service. This command is an example; substitute 'zeek' with other service names like 'logstash' or 'elasticsearch' as needed. ```bash sudo so-zeek-start ``` -------------------------------- ### Manually Restart Security Onion Setup Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/installation.md If the Security Onion Setup script does not automatically start after logging in, you can manually initiate it using this command. Ensure you are in the correct directory or provide the full path. ```bash sudo SecurityOnion/setup/so-setup iso ``` -------------------------------- ### Install Git, Curl, and Ethtool on Ubuntu/Debian Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/network-installation.md Installs git, curl, and ethtool packages using apt for Ubuntu or Debian systems. ```bash sudo apt -y install git curl ethtool ``` -------------------------------- ### Install Elastic Agent on Windows via MSI with Runtime Flags Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/elastic-agent.md This snippet shows how to install the Elastic Agent on Windows using the MSI installer with custom runtime flags for token and timeout. ```bash msiexec /i so-elastic-agent_windows_amd64_msi TOKEN=$TOKEN TIMEOUT=10m ``` -------------------------------- ### Restart Security Onion Setup Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/cloud-amazon.md After preparing the filesystem, restart the Security Onion network setup process using this command. ```default cd /securityonion sudo ./so-setup-network ``` -------------------------------- ### Salt Master Error Log Example Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/release-notes.md Example log entry from `/opt/so/log/salt/master` showing a rejected authentication attempt due to an outdated protocol version. ```log 2026-02-20 14:37:13,515 [salt.channel.server:147 ][WARNING ][2313166] Rejected authentication attempt using protocol version 2 (minimum required: 3) ``` -------------------------------- ### Example Sync Block File Output Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md This is an example of the output from the syncBlock file, showing that Suricata ruleset sync is blocked and indicating custom configurations like ETPRO. ```text Suricata ruleset sync is blocked until this file is removed. **CRITICAL** Make sure that you have manually added any custom Suricata rulesets via SOC config before removing this file - review the documentation for more details: https://docs.securityonion.net/en/2.4/nids.html#sync-block Custom so-rule-update detected (hash: 207d8918a2d963bb7dcc0f1ebf28d6f7b5778019fedf0cc36d5d0850cbd8a529) ETPRO code found: YOUR_LICENSE_KEY ``` -------------------------------- ### Salt Minion Error Log Example Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/release-notes.md Example log entries from `/opt/so/log/salt/minion` indicating a failed sign-in attempt to the Salt master. ```log 2026-02-20 14:36:43,479 [salt.crypt :884 ][ERROR ][2215] Sign-in attempt failed: bad load 2026-02-20 14:36:43,480 [salt.minion :1155][ERROR ][2215] Error while bringing up minion for multi-master. Is master at soman1 responding? The error message was Unable to sign_in to master: Attempt to authenticate with the salt master failed ``` -------------------------------- ### Install VMware Tools Desktop Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/vmware.md Install the open-vm-tools-desktop package on graphical desktop environments for improved screen resolution and features. This is useful for ISO image or standard Oracle Linux 9 installations. ```bash sudo dnf install open-vm-tools-desktop ``` -------------------------------- ### Install Git on RHEL Derivatives Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/network-installation.md Installs the git package using dnf for Oracle Linux 9 or other RHEL derivatives. ```bash sudo dnf -y install git ``` -------------------------------- ### Prepare Local Disk with Custom Device and Mount Point Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/cloud-google.md If the default NVMe device or mount point is not suitable, specify them as arguments to `so-prepare-fs`. This example uses `/dev/nvme0n1` and mounts at `/nsm/elasticsearch`. ```bash sudo so-prepare-fs /dev/nvme0n1 /nsm/elasticsearch ``` -------------------------------- ### Example Rule Before Threshold Change Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md Shows the original Suricata rule configuration before modifying the threshold seconds. ```text alert http any any -> any any (msg:"Test"; threshold:type limit,track by_src,count 1,seconds 60; sid:1001;) ``` -------------------------------- ### List All Docker Images Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/docker.md Use this command to view all Docker images available on your system after installation. ```bash sudo docker images ``` -------------------------------- ### Example Sigma Detection with Custom Notifications Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/notifications.md This example demonstrates how to tag a Sigma detection to use custom alerters and parameters for notifications. It specifies 'SysAdminAlerters' and 'SysAdminParams' for high severity events and ensures notifications are sent. ```yaml title: Security Onion - Grid Node Login Failure (SSH) (copy) id: 0c880a39-f2cc-4e80-af26-eb08e2fe4b0a status: experimental description: Detects when a user fails to login to a grid node via SSH. Review associated logs for username and source IP. author: Security Onion Solutions date: 2024/08/27 logsource: product: linux service: auth detection: selection: event.outcome: failure process.name: sshd tags|contains: so-grid-node filter: system.auth.ssh.method: '*' condition: selection and not filter tags: - so.alerters.SysAdminAlerters - so.params.SysAdminParams - so.notification falsepositives: - none level: high license: Elastic-2.0 ``` -------------------------------- ### Example Rule Before Modification Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md Illustrates the original format of a Suricata rule before applying a modify override for excluding an IP range. ```text alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Example"; sid:1001;) ``` -------------------------------- ### so-status Quiet Mode Example Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/so-status.md Demonstrates how to use so-status in quiet mode (-q) for automation. The exit code is captured and printed to verify the system's status. ```bash sudo so-status -q echo $? ``` -------------------------------- ### Example Rule Before Content Match Modification Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md Displays the original Suricata rule content prior to changing a specific string match. ```text alert tls any any -> any any (msg:"SSL Cert"; content:"67:98:30:81:90"; sid:1001;) ``` -------------------------------- ### Configure Endgame Host During Setup Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/endgame.md Set the ENDGAMEHOST variable to the IP address of your Endgame SMP to enable data ingestion. This command also opens the necessary firewall ports. ```bash sudo ENDGAMEHOST=192.168.1.100 ./so-setup-network ``` -------------------------------- ### Custom Sigma Repository Configuration Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/sigma.md Configuration example for pulling Sigma rules from a custom Git repository. This can be accessed via HTTPS or the local filesystem. ```default file:///nsm/rules/detect-sigma/repos/my-custom-rep ``` -------------------------------- ### Enable Specific Sigma Rules by Filters Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/sigma.md This example enables all critical and high severity rules from the 'securityonion-resources' ruleset. Rules are enabled if they match all specified filters. ```yaml # Enable all critical and high rules from the "securityonion-resources" ruleset - ruleset: ["securityonion-resources"] level: ["critical", "high"] product: ["*"] category: ["*"] service: ["*"] ``` -------------------------------- ### Display so-user Help Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/so-user.md Run 'so-user' with no options to view all available operations. ```bash sudo so-user ``` -------------------------------- ### Prepare and Run Elastic Agent on macOS Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/elastic-agent.md This snippet demonstrates the necessary steps to prepare an Elastic Agent binary for macOS: removing the quarantine attribute, making it executable, and running it with sudo. ```bash xattr -d com.apple.quarantine ./so-elastic-agent_darwin_amd64 chmod +x ./so-elastic-agent_darwin_amd64 sudo ./so-elastic-agent_darwin_amd64 ``` -------------------------------- ### Salt Master Log Error Example Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/salt.md This is an example of an error that may appear in the salt-master log. It can be ignored as it does not indicate a problem with the minions. ```log [ERROR ][24983] Event iteration failed with exception: 'list' object has no attribute 'items' ``` -------------------------------- ### Connect to Elasticsearch and Initialize Search Context Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/jupyter.md Establish a connection to the Elasticsearch instance using provided credentials and configure a search context for a specific index pattern. Certificate verification is disabled for simplicity in this example. ```python es = Elasticsearch(['https://192.168.6.100:9200'], ca_certs=False,verify_certs=False, http_auth=('jupyter','password')) searchContext = Search(using=es, index='*:so-*', doc_type='doc') ``` -------------------------------- ### Update Security Onion 2.3 Installation Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/appendix.md Ensure your Security Onion 2.3 installation is fully updated before proceeding with the migration. This command uses the 'soup' utility. ```bash sudo soup ``` -------------------------------- ### Suricata Flowbit Setter Rule Example Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md Example of a Suricata rule that sets a flowbit named 'malware.detected'. This is used to mark a network flow for subsequent rules. ```suricata flowbits:set,malware.detected ``` -------------------------------- ### Configure ET PRO Ruleset Source (Directory) Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md Example configuration for a new ruleset source pointing to a local directory containing the ET PRO ruleset archive. Recommended settings for 'Read Only' and 'Delete Unreferenced' are included. ```yaml - Ruleset Name: ETPRO-Airgap Source Type: directory Source Path: /nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz Read Only: "true" Delete Unreferenced: "true" Ruleset License: Commercial Enabled: "true" ``` -------------------------------- ### Example of a Disabled Flowbit Setter Rule Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md This example shows a disabled rule (SID 2012236) that sets a flowbit. It is auto-enabled because other rules depend on this flowbit, but it will not generate alerts. ```text # AUTO-ENABLED (flowbit: et.x0proto, required by 2 rule(s)): This disabled rule runs with noalert alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"x0Proto Init"; ... noalert; sid:2012236; ...) ``` -------------------------------- ### Prepare Ephemeral Storage with so-prepare-fs Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/cloud-amazon.md Use this command to prepare ephemeral storage for Security Onion, typically mounting it at /nsm/elasticsearch. Specify device and mount point if defaults are not suitable. ```default sudo so-prepare-fs ``` ```default sudo so-prepare-fs /dev/nvme3n0 /nsm/elasticsearch ``` -------------------------------- ### Suricata Flowbit Getter Rule Example Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md Example of a Suricata rule that checks if the 'malware.detected' flowbit is set. This rule will only alert if a previous rule on the same flow has set this flowbit. ```suricata flowbits:isset,malware.detected ``` -------------------------------- ### Running so-test Command Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/so-test.md This snippet shows the output of the so-test command when executed. It details the process of enabling replay functionality, pulling the so-tcpreplay Docker image, starting the container, and replaying pcap data. It also includes statistics on packet transmission, flow information, and network device performance. ```text so-test Replay functionality not enabled; attempting to enable now (may require Internet access)... Pulling so-tcpreplay image ========================================================================= Starting tcpreplay... This could take a while if another Salt job is running. Run this command with --force to stop all Salt jobs before proceeding. ========================================================================= local: ---------- ID: so-tcpreplay Function: docker_container.running Result: True Comment: Created container 'so-tcpreplay' Started: 15:55:48.390107 Duration: 1460.452 ms Changes: ---------- container_id: ---------- added: f035103cd8bf43134b56d4b19d77a0ae9e7c09fcb54ef6da67cf89bef5fc4019 state: ---------- new: running old: None Summary for local ------------ Succeeded: 1 (changed=1) Failed: 0 ------------ Total states run: 1 Total run time: 1.460 s Replaying PCAP(s) at 10 Mbps on interface bond0... Actual: 111557 packets (12981286 bytes) sent in 10.38 seconds Rated: 1249997.6 Bps, 9.99 Mbps, 10742.07 pps Flows: 4102 flows, 394.99 fps, 2074477 flow packets, 45106 non-flow Statistics for network device: bond0 Successful packets: 55304 Failed packets: 444 Truncated packets: 0 Retried packets (ENOBUFS): 0 Retried packets (EAGAIN): 0 Replay completed. Warnings shown above are typically expected. ``` -------------------------------- ### Install Python Libraries for Elasticsearch Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/jupyter.md Install the required Python libraries for interacting with Elasticsearch and pandas for data manipulation. These commands can be run on the Jupyter host or within a Docker container. ```bash pip3 install elasticsearch pip3 install elasticsearch_dsl pip3 install pandas ``` -------------------------------- ### Custom Report OQL and Template Example Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/reports.md This snippet shows an example of OQL queries and markdown templating for a custom report in Security Onion Pro. It defines query parameters and a basic report structure, including error handling and date formatting. ```go-template {{- /* query.myDocEvents.Oql = metadata.type: _doc | groupby event.module, event.dataset | sortby @timestamp desc */ -}} {{- /* query.myDocEvents.MetricLimit = 10 */ -}} {{- /* query.myDocEvents.EventLimit = 100 */ -}} Security Onion Custom Report ============================ {{ if .Error }} **NOTE: This report encountered a problem extracting the relevant data and may not be complete.** **Error:** {{.Error}} {{ end }} Records must have been created or updated during the following time frame in order to be reflected in this report. **Report Start Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .BeginDate}} **Report End Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .EndDate}} ## Sample Doc Events **Total Events:** {{ formatNumber "%d" "en" .Results.myDocEvents.TotalEvents}} ``` -------------------------------- ### Download and Execute tmNIDS Utility Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/suricata.md This command downloads the tmNIDS utility, makes it executable, and runs it to test Suricata alerting capabilities. ```bash curl -sSL https://raw.githubusercontent.com/0xtf/testmynids.org/master/tmNIDS -o /tmp/tmNIDS && chmod +x /tmp/tmNIDS && /tmp/tmNIDS ``` -------------------------------- ### Uninstall and Reinstall Elastic Agent Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/elastic-agent.md Use these commands to remove the existing Elastic Agent and then install it again on a Security Onion grid member. ```bash sudo elastic-agent uninstall sudo salt-call state.apply elasticfleet.install_agent_grid ``` -------------------------------- ### Unmount and Export NSM Volume Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/appendix.md Unmount the /nsm filesystem, deactivate the volume group, and export it. This prepares the disk for the new installation. ```bash sudo umount /nsm sudo vgchange -an /dev/mapper/nsm sudo vgexport /dev/mapper/nsm ``` -------------------------------- ### Download ET PRO Ruleset Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/nids.md Use this command to download the ET PRO ruleset archive on a system with internet access. Replace YOUR_LICENSE_KEY with your actual ET PRO license key. ```bash # Replace YOUR_LICENSE_KEY with your actual ET PRO license key curl -o etpro.rules.tar.gz \ "https://rules.emergingthreatspro.com/YOUR_LICENSE_KEY/suricata-7.0.3/etpro.rules.tar.gz" ``` -------------------------------- ### Execute Command with Root Privileges Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/passwords.md Prefix commands requiring administrative access with 'sudo'. For example, running 'so-status' requires sudo. ```default sudo so-status ``` -------------------------------- ### Prepare Local Disk for Search Data Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/cloud-google.md Use this command to prepare a local NVMe disk for storing search data on distributed search nodes or evaluation nodes. It defaults to using `/dev/nvme1n1` and mounting at `/nsm/elasticsearch`. ```bash sudo so-prepare-fs ``` -------------------------------- ### Copy NSM Data to Temporary Location Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/appendix.md Before re-partitioning, copy all contents from the /nsm directory to a temporary location. This preserves your data during the OS installation. ```bash sudo cp -av /nsm/* /home/user/ ``` -------------------------------- ### Restart Zeek service Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/services.md Restarts the Zeek service. This command is an example; substitute 'zeek' with other service names like 'logstash' or 'elasticsearch' as needed. ```bash sudo so-zeek-restart ``` -------------------------------- ### Create Custom Role from Scratch Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/rbac.md Define a new custom role by specifying existing roles or permissions and the new role name. Use this method when building a role with a unique set of permissions. ```text case-admin:eastcoast-analyst event-admin:eastcoast-analyst node-monitor:eastcoast-analyst user-monitor:eastcoast-analyst job-user:eastcoast-analyst ``` -------------------------------- ### Stop Zeek service Source: https://github.com/security-onion-solutions/securityonion-docs/blob/2.4/services.md Stops the Zeek service. This command is an example; substitute 'zeek' with other service names like 'logstash' or 'elasticsearch' as needed. ```bash sudo so-zeek-stop ```