Security Onion ADVANCED Training September 16th 2019


About Security Onion

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, NetworkMiner, Elastic Stack, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

For more about Security Onion, please see:

About the Course

This advanced class is for graduates of the Security Onion Basic Course and existing Security Onion users – administrators, security engineers, SOC analysts, incident responders, and hunters – who want to get more out of their Security Onion deployment.

What do previous students say about the class?

“Great class with knowledgeable instructors.”

“Most useful class commissioned by [my employer].”

“Phil was professional and approachable with any and all questions. This was one of the best courses I’ve been to.”

What do students get?

  • 4 days of classroom instruction from the developers of Security Onion
  • over 300 pages of course material
  • Certificate of Completion

When is the class?

Monday, September 16, 2019 through Thursday, September 19, 2019

8:00 AM – 5:00 PM (Eastern Time) each day

When does registration close?

Registration closes Monday, September 9, at 11:59 PM Eastern.

Where is the class being held?

The class will be held at Traversed (IntelliGenesis Building), 7164 Columbia Gateway Drive, Suite 120, Columbia, MD 21046

What hardware will be required for the class?

***Laptops will be provided by Security Onion Solutions.***

Students can choose to bring their own laptop that meets the following requirements:

  • At least 12-16 GB RAM on the machine, so that a full 8 GB RAM that can be dedicated to one virtual machine (VM). More is better.
  • At least 4 total CPU cores on the machine, so that 2 cores can be dedicated to one VM. More is better.
  • One internal hard drive should have at least 50 GB free disk space. More is better. Solid State Drives are preferred, but not required.
  • Virtualization software must be installed. We recommend VMWare Workstation, Workstation Player, or Fusion. Oracle VirtualBox works also. Please, no ESXi or similar platforms. Each student machine will only run one VM, which students install in class from the Security Onion ISO image. The VM will not interconnect with VMs on other student machines.
  • The hardware and operating system must be capable of running a 64 bit VM. Note: Some 64 bit machines don’t automatically support a 64 bit VM. This should be tested ahead of class. See
  • Students need administrator/root access to the host operating system on the student machine. They should need this only once to add a virtual sniffing NIC to the VM.
  • Must have an adequately sized screen. Note: Tablet computers such as the Microsoft Surface usually do not meet this requirement.
  • Must be able to connect to a wireless network for Internet access.

Which version of Security Onion will we be using?

We’ll be using the latest Security Onion version as of August 26, 2019.

The latest release can be found here:

What do students need to bring to class?

Students need to bring the following:

  • Optionally, students can bring a laptop meeting the requirements described above
  • State-issued ID or Passport
  • Eventbrite ticket for this event

What skills/knowledge should students have before attending this course?

Previous attendance at the 4-day Security Onion Basic Course (or Security Onion 101, 201, and 301 online) is strongly recommended. At a minimum, students should have an intermediate or advanced understanding of:

  • Networks, TCP/IP, and network application protocols such as DNS, HTTP, FTP, etc.
  • Network Security Monitoring (NSM) methodology
  • Replaying PCAP samples
  • Analyzing IDS alerts
  • Linux operating system and command line

What’s the cancellation policy?

Security Onion Solutions reserves the right to cancel this class up to one day after registration closes if the class does not meet a minimum number of students. If class is cancelled, the training ticket cost will be refunded.

What’s the refund policy?

You may log into your Eventbrite account and request a refund up until the last day of ticket sales. Please use the “Request a Refund” button as shown here:

Are there discounts available?

We offer discounts for members of ISSA and Infragard. Contact us for more information.

What topics are covered in this class (subject to change)?

  • Abbreviated Installation and Configuration
  • Advanced Adminsitration, Optimization, and Troubleshooting
    • Tuning
    • Integrations
    • Security Onion in the Enterprise
      • Disabling/Enabling interfaces without running setup
      • Transient data management and configuration backup
    • Advanced Admin
      • Implementing and reverting global and granular BPF
      • Adding more disk space
      • Performance optimization
      • Sending data to an external SIEM
      • Using custom SSL certificates
      • Troubleshooting with sostat
      • Apt-cacher-ng and airgapped sesnors
      • Salt nodegroups
  • Detection in Depth
    • Snort and Suricata
      • Implementing custom rules
      • Implementing custom whitelist rules
    • Bro
      • Using Bro scripts to carve out more than EXEs
      • Automating suspicious file detection using a file analysis framework
      • Tuning existing Bro scripts
      • Implementing new Bro scripts
    • Elastic Stack
      • Adding new data sources in Logstash
      • Enriching data with Logstash
      • Automating with Elastalert
      • Building new Kibana dashboards
    • Additional host visibility and telemetry
      • Writing custom OSSEC rules for Wazuh
      • Sending Sysinternals Autoruns data to Security Onion
      • Configuring and analyzing Sysinternals Sysmon data in Security Onion
      • Sending Winlogbeat and Filebeat data to Security Onion
  • Advanced Analysis
    • Accelerated analysis demo
    • Analyst efficiencies and pivots
      • Squert
      • Kibana
      • Sguil
    • Working with securityonion_db
    • Querying Elasticsearch from the command line
    • Automating domain analysis using open source tools
    • Retrieving PCAP from the command line
    • Analyzing Bro logs at the command line
    • Bro’s SMB Analyzer
    • Analyzing encrypted web server traffic
  • Many hands-on labs and at least one case study per day
  • Wrap-up/Q&A

*This Course is being registered through Eventbrite and Security Onion Solutions

4-Day Course Cost $4398

Register Here


Sep 16 2019 - Sep 19 2019


8:00 am - 6:00 pm


7164 Columbia Gateway Drive, Ste 205 Columbia, MD 21046
Security Onion Solutions


Security Onion Solutions