Security Onion: Creating a Virtual Lab Environment—macOS, 2022

I created this tutorial in mid-2022. I am adding this note in July 2026. So much of the content is four years old and has accuracy and currency issues, particularly when it describes older versions of Security Onion and OPNsense. For example, the version of Security Onion used is 2.3; Security Onion is now on version 3, and 2.3 is considered end-of-life.

Perhaps more importantly, I created this on an older Apple computer with an Intel processor with x86-64 architecture. x86-64 architecture is much more favorable for creating this type of environment. Security Onion is designed to run on x86-64. I am not even sure if I would be able to repeat these steps on a current Apple computer, which now use Apple Silicon processors with an ARM64/aarch64 architecture. It would be a lot of work to even get some of these virtual machines to run on that type of computer, and the performance and behavior could vary.

I am leaving this series up for now as it is still a useful conceptual approach on how you set up the networks, create the virtual machines, and install the software.

  1. Overview
  2. Prerequisites

This series of how-to articles describes how to set up your own virtual lab for information security research using virtual machines (VMs). I am using VMware Fusion Pro, which is a Type 2 hypervisor used for desktop virtualization on host operating systems running macOS.

The centerpiece of the lab is a virtual machine (VM) running Security Onion, which is a leading open-source network intrusion detection system (NIDS) and network security monitor (NSM). Security Onion uses containers to give users a wide variety of tools that allow for network monitoring and alerting, threat hunting, and more. It utilizes well-known, widely used open-source applications, including:

  • Zeek (formerly known as Bro) analyzes traffic on the network, collects metadata about that traffic and logs all of it, making it a powerful tool for network detection and forensics.
  • Suricata is a signature-based network intrusion detection system originally developed by the Open Information Security Foundation.
  • The ELK stack, for Elasticsearch, Logstash, and Kibana. The ELK stack serves as a security information and event management (SIEM) platform, receiving Security Onion’s log events from Logstash (as well as Filebeat). Elasticsearch is the search and analytics engine. Kibana is a user-interface and visualization tool.

Security Onion is set up on a private network with a network interface card (NIC) that works in promiscuous mode to “sniff” all the traffic traversing the network. In practice this can be done by connecting Security Onion to a SPAN or TAP port. Since I am creating my environment virtually on a MacBook Pro laptop, I will need to create some network infrastructure that will allow me to sniff traffic with Security Onion.

The basic components of my virtual lab will be:

  • A virtual machine running OPNsense, an open-source firewall and networking platform. I will use the OPNsense VM as a virtual router to create a local area network (LAN) that the other lab virtual machines will connect to. OPNsense provides the LAN so that these virtual machines can talk to each other, and it can also connect them to the wide area network (WAN), or public internet, for things like updates. Using OPNsense also gives me the ability to connect Security Onion to the LAN and sniff traffic.
  • A virtual machine running Security Onion. This tutorial will go over how to set up a Security Onion deployment that monitors the virtual lab and some basics on what Security Onion does and how to use it.
  • A Kali Linux virtual machine. I’m going to use Kali to manage the OPNsense router. But the primary use of Kali Linux is for penetration testing and other security research, so I will also be using Kali to reconnoiter and attack other virtual machines on the network, generating traffic that Security Onion should identify as malicious.
  • Target virtual machines. I will start with Metasploitable 3 VMs running both Ubuntu and Windows Server 2008. I may also use Metasploitable 2. These are virtual machines that intentionally include many security vulnerabilities that can be exploited with tools in Kali such as Metasploit.

Overview

The first set of how-to articles on this site will make up a tutorial on everything I needed to do to create a Security Onion-monitored virtual lab on a MacBook Pro. Just that part itself is a considerable amount of work… and it doesn’t always work for me. I think the articles provide good lessons on a variety of skills needed to administer virtual machines, manage a network, and more. Here’s what the first articles will cover:

  1. Prepare OPNsense and Security Onion Installation Media: Some instructions on downloading and validating OPNsense and Security Onion and preparing them for installation in VMware Fusion Pro.

    • Note: Installation instructions for other VMs, like Kali or Metasploitable, are out of scope for this tutorial, but I hope to come back and cover them later.
  2. Create VMware Private Virtual Networks for the Security Onion Environment: Create private virtual networks within VMware Fusion Pro.
  3. Create the OPNsense Virtual Machine: Create a virtual machine where you will install and configure OPNsense.
  4. Configure the OPNsense Virtual Machine: Set up OPNsense and use it to create the routing capabilities you need for your private virtual networks.
  5. Create the Security Onion Virtual Machine: Create a virtual machine where you will install and configure Security Onion.
  6. Configure the Security Onion Virtual Machine: Walk through Security Onion’s installation wizard.
  7. Using Security Onion and the Security Onion Console: Get to know Security Onion and some of its features through its web management interface and by using the command line.

Prerequisites

This tutorial requires you to have some familiarity with and knowledge of desktop virtualization and the Linux command line. I created the virtual lab for this tutorial using:

  • Host Computer: A 2016 MacBook Pro running macOS 12.4. This is a very powerful laptop, but it’s probably not enough to do this right. In 2022 Security Onion had a minimum RAM requirement of 12GB; my whole laptop only has 16GB, so a virtual lab running Security Onion and the other VMs (OPNsense, Kali, Metasploitable) will be slow if your host machine running the VMs does not have the processor power and RAM. (In 2026 the RAM requirement is 24GB.)
  • Virtualization Platform: VMware Fusion Pro. I’ve played around with VirtualBox, which is free, and Parallels, which I have paid for. I’ve had lots of problems with both. That could be my fault. But the $199 I paid for VMware Fusion Pro was definitely worth it. VMs I create on Fusion Pro on a Mac or on Workstation Pro on a PC work so much faster and more reliably for me.

    I started using VMware Fusion Pro for Mac in 2020, and have also used more professional-grade VMware virtualization products in the workplace. VMware generally set the standard for virtualization. Since its acquisition by Broadcom peoples’ opinions have been changing about the VMware products, although both Workstation Pro and Fusion Pro are now free. I’m not sure what I think; the situation is certainly evolving.

  • Command-line Interface: I use ITerm2 with Zsh for the terminal on my MacBook Pro host machine.
  • Web Browser: You will also need a web browser, both on the host operating system and in at least one of the VMs connected to the lab. I typically use Firefox.

I use angle brackets (< and >) to enclose placeholder text for filenames, paths, URLs, software versions, or anything where the value may be different for you than it is for me.


Table of contents


Back to top

Last built: Friday, July 17, 2026 at 14:34 UTC
This site uses Just the Docs, a documentation theme for Jekyll.