Doug Burks edited this page Jul 2, 2018 · 23 revisions
Clone this wiki locally

Security Onion consists of over 50 packages in a Launchpad PPA. You can install these packages individually or you can install one or more metapackages (groups of packages) depending on what functionality you need.


  • securityonion-client (about 525MB)
    Sguil client, Wireshark, NetworkMiner, etc.
    sudo apt-get install securityonion-client

  • securityonion-sensor (about 135MB)
    Snort, Suricata, Bro, netsniff-ng, Sguil agents, etc.
    sudo apt-get install securityonion-sensor

  • securityonion-server (about 265MB)
    Sguil server, Squert, CapMe, etc.
    sudo apt-get install securityonion-server

  • securityonion-elastic (about 5MB)
    Scripts and configuration files for the Elastic Stack (Elasticsearch, Logstash, and Kibana) and its associated log pipeline including syslog-ng. This package includes so-elastic-download which downloads the Docker images for the Elastic stack. You'll probably want to install syslog-ng-core explicitly to replace rsyslog.
    sudo apt-get install securityonion-elastic syslog-ng-core

  • securityonion-all (about 930MB)
    all of the above
    sudo apt-get install securityonion-all syslog-ng-core

  • securityonion-iso
    all of the above plus bridge-utils, byobu, foremost, pinguybuilder, securityonion-desktop-gnome, securityonion-onionsalt, securityonion-samples-bro, securityonion-samples-markofu, securityonion-samples-mta, securityonion-samples-shellshock, xfsprogs
    sudo apt-get install securityonion-iso syslog-ng-core