arkime VS securityonion

Arkime: https://arkime.com/ Packet capture and search

Also consider running full PCAP collection with https://arkime.com/ so you can monitor your past network traffic. That has come in handy many times for security and troubleshooting, and doesn't require as much horsepower as you might think.

Anyone using Arkime? https://arkime.com/

dns && ip.src==x.y.z.w Note that this display filter will not display the DNS replies for the requests sent by x.y.z.w if you want those as well then it will be dns && ip.addr==x.y.z.w Although DNS will be displayed in upper case in Wireshark, it has to be in lower case in the display filter, that said, like others said based on your exact needs and the size of your resulting pcap / pcapng file you may want to look at capture filters, finally if you are dealing with multiple gegabytes file(s) you may want to take a look at another tool like Arkime (formerly moloch) https://arkime.com/

Full PCAP's? Look at https://arkime.com/ or network miner. Arkime is probably more what you're looking for. But I love network miner

I used moloch which is now https://arkime.com/. It used to be free and was a great tool for pcaps. Uses elastic underneath.

Arkime is secure, scaleable, indexed packet capture and search tool that can improve your network security by providing greater visibility. This open-source tool stores and indexes network traffic in standard PCAP format. Our thanks for the suggestion goes to Security_Chief_Odo.

I would suggest instead of graylog look into something like this https://arkime.com/

I'm trying to get Security Onion running in my lab on my Proxmox server. I'm having trouble getting my WAN traffic to my SO VM. My WAN comes in on VLAN 100 to my switch and goes to my router (Virtual VyOS on the same physical host). I have a ton of VMs and really don't want to move to OVS if I don't absolutely have to. I found this discussion which included some commands for getting SO working on a Linux bridge, but this didn't work for me. Probably because my environment is different. Does anybody have SO setup this way? If so, how did you do it?

https://securityonionsolutions.com/software/ https://github.com/Security-Onion-Solutions/securityonion

I have been debating in my head whether to keep my current setup (PFsense on an old laptop) or buy a 'proper?' solution, by this I mean specialised hardware. PFsense has had a few issues like randomly dropping out, but it has been fine for around 4 days now. My question is: Should I buy a Mikrotik HEX S and use the laptop for other things, or not buy a Mikrotik and instead buy a Dell Optiplex 3020 from Ebay and run SecurityOnion (https://github.com/Security-Onion-Solutions/securityonion) or pfELK (https://github.com/pfelk/pfelk) on it.

Community support is here. You can also purchase support from the developers on their website.