Show 95 – Security Onion with Doug Burks -or- Why IDS Rules and IPS Drools

Ethan Banks and Michele Chubirka (aka Mrs. Y aka the Network Security Princess) have a relaxed chinwag with Doug Burks, Deputy Chief Security Officer at Mandiant, community instructor for SANS, and the man behind Security Onion. What is Security Onion? To quote Doug’s website…

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It’s based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools, all wrapped up with an easy-to-use Setup wizard.

What We Discuss

  • What was the driver that brought about the creation of Security Onion?
  • What security functions does Security Onion include?
  • Why is there such an emphasis on intrusion detection as opposed to intrusion prevention with this distro?
  • How is an IPS like a firewall?
  • Why does it make sense for an enterprise to have an IDS in addition to an IPS?
  • Why does full packet capture matter in an IDS system?
  • What packages are included in the Security Onion distro?
  • How can Security Onion be used as a forensic analysis tool?
  • Why should a company that’s already invested in commercial IDS/IPS bother with Security Onion?
  • What role does Security Onion play in host-based intrusion detection (HIDS)?
  • How would you size server hardware & storage for a successful Security Onion deployment?
  • When will Security Onion be available in a 64-bit flavor?
  • What’s the profile of the typical shop that’s deployed Security Onion?
  • Can Security Onion monitor traffic on multiple interfaces simultaneously?
  • What’s the difference between a Security Onion “sensor” and “server”?
  • How much data does a Security Onion sensor send back to a server, and what’s the impact on WAN utilization?
  • Will there be wireless functionality built into Security Onion in the future?
  • Does Mandiant give Doug much time to work on Security Onion?
  • Can Security Onion be deployed as a virtual machine?


  • Security Onion
  • Doug Burks on Twitter
  • TaoSecurity – Richard Bejtlich’s blog on digital security
  • Snort – open source network intrusion prevention and detection system
  • OISF – home of Suricata. The Open Information Security Foundation (OISF) is a non-profit foundation organized to build a next generation IDS/IPS engine.
  • OSSEC – open source host-based intrusion detection system
  • Argus – a small, fast, and easily expandable network IDS designed with small to moderate sized networks in mind
  • Bro – powerful network analysis framework that is much different from the typical IDS
  • NetworkMiner – a Network Forensic Analysis Tool (NFAT) for Windows
  • PF_RING – a new type of network socket that dramatically improves packet capture speed
  • Kismet – an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system
  • TCP/IP Weapons School 3.0 – TWS3 as taught by Richard Bejtlich. Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth?
  • ELSA – enterprise log, search and archive. A centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search.
