Show 95 – Security Onion with Doug Burks -or- Why IDS Rules and IPS Drools

Ethan Banks and Michele Chubirka (aka Mrs. Y aka the Network Security Princess) have a relaxed chinwag with Doug Burks, Deputy Chief Security Officer at Mandiant, community instructor for SANS, and the man behind Security Onion. What is Security Onion? To quote Doug’s website…

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It’s based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools, all wrapped up with an easy-to-use Setup wizard.

What We Discuss

  • What was the driver that brought about the creation of Security Onion?
  • What security functions does Security Onion include?
  • Why is there such an emphasis on intrusion detection as opposed to intrusion prevention with this distro?
  • How is an IPS like a firewall?
  • Why does it make sense for an enterprise to have an IDS in addition to an IPS?
  • Why does full packet capture matter in an IDS system?
  • What packages are included in the Security Onion distro?
  • How can Security Onion be used as a forensic analysis tool?
  • Why should a company that’s already invested in commercial IDS/IPS bother with Security Onion?
  • What role does Security Onion play in host-based intrusion detection (HIDS)?
  • How would you size server hardware & storage for a successful Security Onion deployment?
  • When will Security Onion be available in a 64-bit flavor?
  • What’s the profile of the typical shop that’s deployed Security Onion?
  • Can Security Onion monitor traffic on multiple interfaces simultaneously?
  • What’s the difference between a Security Onion “sensor” and “server”?
  • How much data does a Security Onion sensor send back to a server, and what’s the impact on WAN utilization?
  • Will there be wireless functionality built into Security Onion in the future?
  • Does Mandiant give Doug much time to work on Security Onion?
  • Can Security Onion be deployed as a virtual machine?


  • Security Onion
  • Doug Burks on Twitter
  • TaoSecurity – Richard Bejtlich’s blog on digital security
  • Snort – open source network intrusion prevention and detection system
  • OISF – home of Suricata. The Open Information Security Foundation (OISF) is a non-profit foundation organized to build a next generation IDS/IPS engine.
  • OSSEC – open source host-based intrusion detection system
  • Argus – a small, fast, and easily expandable network IDS designed with small to moderate sized networks in mind
  • Bro – powerful network analysis framework that is much different from the typical IDS
  • NetworkMiner – a Network Forensic Analysis Tool (NFAT) for Windows
  • PF_RING – a new type of network socket that dramatically improves packet capture speed
  • Kismet – an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system
  • TCP/IP Weapons School 3.0 – TWS3 as taught by Richard Bejtlich. Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth?
  • ELSA – enterprise log, search and archive. A centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search.


Ethan Banks
Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
  • JR

    Thought this was an excellent episode and I’ll definitely be checking out Security Onion!

  • Brandon Mangold

    Great show and good discussion. Hopefully we continue to see the development of this product and community support for it. In an enterprise our size this wouldn’t be a viable production solution, but I am certainly going to put this in my lab on a VM and start to work with it. As you said in the show, one of the biggest issues with both IPS and IDS is context, not knowing enough about a traffic flow and any associated sessions to fully identify problems.

  • NetworkSpy

    Just when I thought this place couldn’t kick ass any more… Absolutely awesome show. Great job as always Ethan and Michele.