Tricks and Tips

This section is a collection of miscellaneous tricks and tips for Security Onion.

• Airgapped Networks
  • Updating
  • Docker
• Analyst VM
  • Ultimate Forensics VM
• Best Practices
• Cloud Client
  • Traffic Flow and NIC offloading functions
  • Daemonlogger vs netsniff-ng
  • References and Thanks
  • Install Packages
  • Security Onion Sensor
  • Generate client certs
  • Cloud client
  • Check traffic
  • Hardening
  • Tuning
• Connecting to Sguild
  • Connecting to Sguild from an Analyst Machine
  • Connect to Sguild Locally (not recommended)
  • Connect Remotely via SSH w/ X11 Forwarding
• Disabling Desktop
• DNS Anomaly Detection
• ICMP Anomaly Detection
  • Usage
  • Presentation
  • Download
• MetaPackages
• Adding a new disk
  • Method 1: LVM (Logical Volume Management)
  • Method 2: Mount a separate drive to /nsm
  • Method 3: Make /nsm a symlink to the new logging location
  • Moving the MySQL Databases
• PCAPs for Testing
  • Links
  • tcpreplay
  • so-replay
  • so-import-pcap
• Removing a Sensor
  • Disable sensor interface
  • Delete sensor configuration
  • Wipe sensor configuration and data
  • Remove sensor reference from master server
  • Remove storage node reference from Master server Elasticsearch _cluster/settings
• Salt
  • OnionSalt
  • Best Practices
  • Salt and OnionSalt are optional packages
  • Firewall Requirements
  • Installation
  • Checking Status
  • Remote Execution
  • Features
  • Using Salt to Install Updates Across Your Entire Deployment
  • Modifying Salt config files
  • Changing Minion ID
  • Salting an Existing Deployment
  • Maximum Event Size
  • Additional Reading
• Sensor Stops Seeing Traffic
  • Wazuh
  • Zeek
• SSH
  • Changing the default ssh listening port
• UTC and Time Zones
  • How do I change the timezone for Ubuntu?