Splunking the Onion

Five months brewing, I’m pleased and excited (and mostly ready to spend some time watching playoff hockey) to announce the initial release of Security Onion for Splunk has been submitted to Splunkbase (should appear here once approved). I’ve talked about Security Onion before, but in brief it’s an incredibly powerful compilation of open source network security monitoring tools that is so easy to configure and deploy it probably makes some commercial vendors blush. I started playing with Splunk about 6 months ago and it didn’t take long to realize what a powerful combination it could make with Security Onion.

Splunkbase, Splunk’s repository of community contributed apps, already had some apps relevant to Security Onion, but they were tool specific, like Splunk for OSSEC and Splunk for Snort. I wanted to create a broader canvas, pulling together events from as many layers of the onion as possible. I also wanted a better way to visualize Bro IDS logs for event correlation and mining events for incidents.

I want to emphasize this has been a learning process. The last 5 months have been spent learning Splunk and figuring out how I could improve access to the data from Security Onion tools I have spent the previous year learning. I have a lot to learn on both fronts and hope this app will ultimately reflect that as it matures. While some of the Splunk views have been tested with lots of data, the majority of testing has been done on my home install or with sample packet captures. So if you give it a spin, keep that in mind and please let me know if you run into any issues that need to be addressed for broader deployments.

So without further ado…splunking the onion.


The Overview provides visibility into the current status of your Security Onion (hereafter referred to as SO) deployment. The first panel displays recent Sguil events with total count of events and a sparkline to show the event trend over time, sortable by name or total number of events. The second panel leverages Splunk for OSSEC to show recent OSSEC events, followed by a timechart of Bro IDS notice events in panel three. From these three panels you can get incredible insight into what has been going on in your environment and the fourth panel pulls everything together to give you a timechart of all SO log activity.

Splunk provides some neat drilldown capabilities and I’ve included them on most of the panels throughout the app. Clicking on any result will provide a drilldown menu at the bottom of the panel showing specific event data. In the screenshot below, I’ve drilled down on SSL::Invalid_Server_Cert events from the Bro Notice panel and Bro SSL events in the Activity by Sourcetype panel. Additionally, the time range picker’s associated with each panel allow you to adjust your visibility over time on a panel by panel basis (notice the Sguil Events are displaying the last 4 hours of activity, while OSSEC is displaying the last 7 days).


The Monitors view takes us a step deeper into the SO event data. Six panels give us quick access to Sguil Events by Priority, Bro Weird events, Bro SSL Validation Status Messages, Bro HTTP Status Messages, Bro Dynamic Protocol Detection events and FTP arguments monitored.

As with the Overview, drilldowns are in play. In the screenshot below you can see how easy it is to piece together the bits of an incident for targeting your investigation. In this case, I’d be heading over to the IR Search view and giving a deeper look (which we’ll do momentarily).


The GeoIP view includes a geographical representation of events accompanied by an alphabetical listing of those events by destination country. As you can see from the screenshot, selecting a country from the list on the left will provide a drilldown listing of Bro Connection events to that country.

IR Search

Now let us go take a look at The IR Search allows you to search by source IP, destination IP, source or destination ports and gives a holistic view of activity based on your search parameters.

For starters, we see Bro Notice and Sguil events specific to the IP address being investigated paired with a breakdown of all activity seen from our source IP by sourcetype in a timechart, followed by Bro Weird events, SSL Validation Status Messages and HTTP MIME Types associated with the host.

Continuing down the page, we see HTTP Filenames and FTP Arguments detected by Bro IDS, Bro Dynamic Protocol Detections and a grand finale of all events, line by line, of activity from our suspect IP.

Web Monitor

The Web Monitor view is an attempt at expanding the “reuse” potential of SO collected data, by providing a basic, high level view of HTTP related activity being monitored. Geared less towards investigative analysis, it can be used to supplement existing web filter capabilities, or for home or small office deployments it can provide great awareness of HTTP activity of monitored hosts. Two pie charts show activity by source and geoip, followed by the top source and destination IPs, and domains.


In using Bro IDS, I’ve noticed some events can be direct indicators of activity, while others more indirect leading you towards potential issues or activity that is otherwise suspicious. The Mining view attempts to ease the process of identifying items of interest with six table panels with drilldown capability: Bro Weird Events (anomolous activity), Bro Dynamic Protocol Detection Events, Bro HTTP Status Messages, Bro SSL Validation Status Messages, Bro HTTP Filenames Detected (exe, bat, cmd, pdf, jar, swf, doc, xls, sh) and FTP Arguments detected.

The Bro HTTP Filenames Detected can often be a dead giveaway of suspicious activity, but others can be more subtle. For example, deploying an SO sensor in front of critical web servers gives visibility into HTTP Status Messages, so you can quickly and easily monitor Forbidden or Not Authorized attempts to access web sites. Similarly, Bro SSL Validation Status Messages can help you monitor untrusted or expired certs.


The OSSEC menu leverages the Splunk for OSSEC app, which is a pre-requisite for Security Onion for Splunk. I won’t go into too many details on it. While I leverage Splunk for OSSEC for the data inputs and field extractions to tie into Bro IDS and Sguil, the OSSEC app itself is very well done and provides excellent visibility, via dashboards, reports and searches, all canned and ready to be consumed directly from the SO app menu.


These menu items are designed to link directly to Snorby and Squert. Unfortunately, I’ve not figured out a way to dynamically generate the links based on the SO server hostname, so they point to http://localhost:<port> by default. I’ve included instructions in the README on how to modify those to fit your deployment.

Long term, I do not plan on trying to mature this app to replace the other tools included in SO. They all have unique value and use cases: Sguil is great for analysts; Snorby is great for Snort; Squert provides a good high level view. If anything I hope to improve the integration over time.


SO includes a status monitoring script called “sostat” for verifying the status of agents, collecting disk and performance data, and stats related to Sguil and Snorby. I actually delayed the release of the app until I could get this piece integrated as the importance of monitoring your SO deployment is as significant as the data it’s collecting.

The Server/Service Status panel shows the last two status changes. The first service status listed is the status when SOstat last checked. If there is a second status listed for the same service you can see when it last changed. In the screenshot below you’ll see ossec_agent (sguil) with a status of FAIL on 4/13 @ 9:33. Towards the bottom of the list you’ll see it listed again with a status of OK on 4/11 @ 10:20.

SOstat also monitors Snort packet drop percent, disk status, interfaces, system info (via top), Snorby top 50 events and top events from the previous day, and directory listings for the NSM log archive.

What’s Next?

  • GeoIP – add tracking by event type, name and severity.
  • SOstat – implement Bro status monitoring; trending charts where applicable, like disk utilization.
  • Optimize searches and views for efficiency.
  • Suricata – incorporate and test.
  • Sideview Utils for Splunk – I’m going to start exploring where this add-on can benefit views and the interactivity of the Security Onion app.

If you find any bugs, have suggestions on how to improve the app or have ideas for correlation searches that could help improve the usability, effectiveness and efficiency of detecting and investigating events, please feel free to contact me at brad@eyeis.net or via Twitter: @bradshoop.

3 thoughts on “Splunking the Onion

  1. I would like to remove the red numbers from displaying in the security onion data flow visualizer. I thought I had seen a post somewhere that changed the red numbers to black dots, I would like to have them not display at all as every time they drop I am seeing a slow down on the rest of the screen, please advise.

  2. Thank you, that was the location that I had seen the reference before. Couldn’t find it again. Thank you for the assist.

Leave a Reply