Wednesday, July 30, 2014

Only 1 week until Security Onion training in Sacramento CA!

We still have a few seats left for the 2-day Security Onion class in Sacramento CA (only 1 week away!).  Here's a discount code good for $200 off!
1weekleft48314

For more details and to register, please see:
https://securityonion20140807.eventbrite.com/

Monday, July 28, 2014

New securityonion-web-page package resolves two issues

I've built a new version of securityonion-web-page that resolves two issues.  The updated package version is as follows:
securityonion-web-page - 20120722-0ubuntu0securityonion23

This new package has been tested by the following (thanks!):
Eddy Simons

Issues Resolved

Issue 562: securityonion-web-page: break OSSEC alerts out into separate ELSA queries
https://code.google.com/p/security-onion/issues/detail?id=562

Issue 563: securityonion-web-page: add link for training/support
https://code.google.com/p/security-onion/issues/detail?id=563

Screenshots
Host Logs: File Changes - OSSEC File Integrity Checksum Alerts
Host Logs: OSSEC Status - OSSEC Server/Agent status messages

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support/Training
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Friday, July 25, 2014

New securityonion-rule-update package resolves an issue

I've built a new version of rule-update that resolves an issue.  The updated package version is as follows:
securityonion-rule-update - 20120726-0ubuntu0securityonion22

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 560: rule-update: run PulledPork with -T option if ENGINE=suricata
https://code.google.com/p/security-onion/issues/detail?id=560

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support/Training
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-setup package resolves two issues

I've built a new version of Setup that resolves two issues.  The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion113

This new package has been tested by the following (thanks!):
David Zawdie
Eddy Simons

Issues Resolved

Issue 564: sosetup: avoid breaking ELSA syslog-ng.conf
https://code.google.com/p/security-onion/issues/detail?id=564

Issue 565: sosetup: run PulledPork with -T option if ENGINE=suricata
https://code.google.com/p/security-onion/issues/detail?id=565

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support/Training
Need commercial support/training?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, July 23, 2014

$200 discount for Security Onion class in Sacramento CA

We still have a few seats left for the 2-day Security Onion class in Sacramento CA (only 2 weeks away!).  Here's a discount code good for $200 off!
2weeksleft5602

For more details and to register, please see:
https://securityonion20140807.eventbrite.com/

Tuesday, July 22, 2014

New securityonion-setup package resolves eight issues

I've built a new version of Setup that resolves eight issues.  The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion110

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 522: sosetup should handle more than 10 interfaces correctly
https://code.google.com/p/security-onion/issues/detail?id=522

Issue 525: sosetup: configure all available sniffing interfaces and prompt for which interfaces to enable
https://code.google.com/p/security-onion/issues/detail?id=525

Issue 527: sosetup: when choosing sensor-only and entering server name, do not allow the hostname or IP address of the sensor itself
https://code.google.com/p/security-onion/issues/detail?id=527

Issue 543: sosetup: if no Internet access, notify user that we're setting LOCAL_NIDS_RULE_TUNING=yes
https://code.google.com/p/security-onion/issues/detail?id=543

Issue 539: sosetup: support more network card naming stuff
https://code.google.com/p/security-onion/issues/detail?id=539

Issue 538: sosetup: add references to sostat, sostat-redacted and sostat-quick
https://code.google.com/p/security-onion/issues/detail?id=538

Issue 545: sosetup: add comments to /etc/nsm/securityonion.conf
https://code.google.com/p/security-onion/issues/detail?id=545

Issue 546: sosetup: change true/false options to yes/no
https://code.google.com/p/security-onion/issues/detail?id=546

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support/Training
Need commercial support/training?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Tuesday, July 15, 2014

Wednesday, July 9, 2014

Registration for the Security Onion Conference is now open

Registration for the 2014 Security Onion Conference is now open!
http://securityonionconference2014.eventbrite.com

If you register before July 31, you can use the following early bird discount code:
earlybird1447

If you have any questions about the conference, please use the Contact link at the bottom of the Eventbrite page.

Tuesday, July 8, 2014

New securityonion-pulledpork and securityonion-rule-update packages

I've updated our securityonion-pulledpork package to PulledPork 0.7.0.  I also applied a patch from Will Metcalf to allow PulledPork to request ET rules using the proper Suricata version number.  Additionally, the new version of PulledPork required a slight change to rule-update.

The updated package versions are as follows:
securityonion-pulledpork - 0.7.0-0ubuntu0securityonion5
securityonion-rule-update - 20120726-0ubuntu0securityonion21

These new packages have been tested by the following (thanks!):
David Zawdie
Heine Lysemose
Mike Pilkington
Travis Schack

Issues Resolved

Issue 390: PulledPork 0.7.0
https://code.google.com/p/security-onion/issues/detail?id=390

Issue 425: PulledPork should request ET rules using proper Suricata version
https://code.google.com/p/security-onion/issues/detail?id=425

Issue 552: rule-update: run PulledPork with -P option to process tarball
https://code.google.com/p/security-onion/issues/detail?id=552

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support/Training
Need commercial support/training?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, July 7, 2014

Introducing Security Onion Solutions, LLC

I started Security Onion in 2008 to provide a quick and easy way for folks to get up and running with intrusion detection and network security monitoring.  Over the years, it has grown to be a comprehensive platform for not only IDS and NSM, but also log management. Today, Security Onion has over 100,000 downloads and is being used by organizations around the world to help monitor and defend their networks. To help those organizations, I've started Security Onion Solutions, LLC to provide commercial support and training.

Q&A


Will Security Onion continue to be developed and supported?

Yes, Security Onion will continue to be developed and supported!  We're simply adding commercial support and training options.

I'm interested in commercial support and/or training.  How do I contact you?

Go to Security Onion Solutions and use the contact form.


Monday, June 23, 2014

New securityonion-rule-update package resolves two issues

We recently released new barnyard2 and rule-update packages:
http://blog.securityonion.net/2014/06/new-barnyard2-nsm-rule-update-and.html 

Some folks have reported a few issues since updating to these new packages, so we're releasing a new version of rule-update which should help with these issues.

The first issue is that rule-update takes longer now.  Per the barnyard2 developers, all entries in the sig_reference table must be deleted when upgrading to this new version of barnyard2.  rule-update then uses barnyard2 to re-populate this table.  Depending on the size of your Snorby database, this may take a while.  The new version of rule-update (released today) will only do a full delete of the sig_reference table once, so subsequent runs of rule-update should be much faster.

The second issue is that users running the Snort engine with the VRT ruleset are experiencing barnyard2 failing with errors like "Returned signature_id is not equal to updated signature_id".  This is due to some wrong entries in the database left by the previous version of barnyard2.  One of the barnyard2 developers wrote a MySQL script to fix these entries and I've packaged it into a shell script called so-snorby-fix-sigs and included it in today's rule-update package.  If you're running the Snort engine with the VRT ruleset, please run so-snorby-fix-sigs and follow the directions (including shutting down all barnyard2 instances).

The updated package version is as follows:
securityonion-rule-update - 20120726-0ubuntu0securityonion20

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 556: rule-update: add so-snorby-fix-sigs script
https://code.google.com/p/security-onion/issues/detail?id=556

Issue 557: rule-update: only delete sig_reference table once
https://code.google.com/p/security-onion/issues/detail?id=557

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, June 19, 2014

New securityonion-web-page package adds an ELSA query

I've updated our securityonion-web-page package to add a new ELSA query under the HTTP category labeled "Sites Hosting CABs".

The updated package version is as follows:
securityonion-web-page - 20120722-0ubuntu0securityonion22

This new package has been tested by the following (thanks!):
David Zawdie
Heine Lysemose

Issues Resolved

Issue 549: securityonion-web-page: add ELSA query for Sites Hosting CABs
https://code.google.com/p/security-onion/issues/detail?id=549

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, June 18, 2014

New NSM package resolves an issue

The recently released NSM scripts had a typo:

Thanks to Andrea De Pasquale for the notification!  

I've updated the NSM package to fix the typo.  The updated package version is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion77

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 555: NSM: replace "2>1" with "2>&1"
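To show why that one missing character matters, here is an added example (not code from the NSM package itself) that runs a command under both redirections into a scratch directory. With "2>1" the shell redirects stderr into a regular file named "1" in the current directory, so error output never reaches the log and a stray file appears; with "2>&1" stderr is duplicated onto stdout. The directory argument and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the securityonion-nsmnow-admin-scripts package.
# Demonstrates the difference between "2>1" (bug fixed in Issue 555) and "2>&1".

# Constructed command that writes one line to stdout and one line to stderr.
noisy_command() {
    echo "out"
    echo "err" >&2
}

# Buggy form: "2>1" sends stderr to a FILE called "1" in the working
# directory. combined.log gets only stdout and the error text is lost
# to anyone reading the log.
redirect_buggy() {
    dir="$1"
    ( cd "$dir" && noisy_command > combined.log 2>1 )
}

# Correct form: "2>&1" duplicates stderr onto the already-redirected stdout,
# so both lines land in combined.log and no extra file is created.
redirect_fixed() {
    dir="$1"
    ( cd "$dir" && noisy_command > combined.log 2>&1 )
}

# Returns the number of lines captured in <dir>/combined.log.
captured_lines() {
    wc -l < "$1/combined.log" | tr -d ' '
}

# Returns 0 if the stray file "1" exists in <dir>, 1 otherwise.
stray_file_present() {
    [ -f "$1/1" ]
}
```

When auditing shell scripts, grepping for `2>1` (and `2>/dev/null` without a matching stdout redirect) is a quick way to find places where errors are silently dropped.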

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:

Feedback
If you have any questions or problems, please use our security-onion mailing list:

Training
Want to learn more about Security Onion?  Check out our 2-day training class:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list:

We also need help testing new packages:

Thanks!

Monday, June 16, 2014

New Barnyard2, NSM, rule-update, and securityonion-server packages

You may have noticed previously that when barnyard2 started up, it would consume a large amount of CPU (on both the sensor and the server) for a while (more than a minute in some cases) while it updated Snorby's reference table.  Multiply this by several barnyard instances per interface and several interfaces per physical sensor and you now have multiple instances fighting each other for scarce CPU resources.

To alleviate this, the barnyard2 folks introduced a new option called disable_signature_reference_table that allows you to disable the reference table update on all sensors, leaving just one barnyard2 instance on the server itself to update Snorby's reference table, avoiding the duplication of effort.  I packaged the latest version of barnyard2 (version 2.1.13 Build 333) which contains this option and also updated the NSM scripts to add the new option to all barnyard2.conf files on all sensors. rule-update has been modified such that right after the master downloads new rules from the Internet, it will use barnyard2 to update Snorby's reference table.  Finally, since we're now forcing the server to use barnyard2 to update Snorby's reference table, I updated the securityonion-server metapackage to require securityonion-barnyard2 as a dependency.
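As an added illustration of the NSM-script side of this change (this is not the project's own code), the following function adds the new barnyard2 directive to a set of barnyard2.conf files only if an active copy of it is not already present, so it is safe to run on every package upgrade. The directive syntax "config disable_signature_reference_table" is assumed from the option name in the post, and the directory argument is a hypothetical parameter so the function can be exercised against scratch files rather than a live sensor.

```shell
#!/bin/sh
# Added example, not the securityonion-nsmnow-admin-scripts code.
# Idempotently append a barnyard2 config directive to each barnyard2*.conf
# in a directory (on a sensor this would be the sensor's /etc/nsm directory;
# here it is a parameter so the function can be tested on constructed files).

# Assumed directive syntax for the option named in the post.
BY2_DIRECTIVE="config disable_signature_reference_table"

# Counts active (uncommented) copies of the directive in one file.
count_active_directives() {
    grep -c "^[[:space:]]*${BY2_DIRECTIVE}[[:space:]]*$" "$1" || true
}

# Appends the directive to one file unless an active copy already exists.
# Commented-out copies are ignored, so a file with "# config ..." still
# gets the live directive added.
ensure_by2_directive() {
    conf="$1"
    if [ "$(count_active_directives "$conf")" != "0" ]; then
        return 0
    fi
    printf '\n# Reference table is updated by the server instance only\n%s\n' \
        "$BY2_DIRECTIVE" >> "$conf"
}

# Applies ensure_by2_directive to every barnyard2*.conf under <dir>.
add_directive_to_all() {
    dir="$1"
    for conf in "$dir"/barnyard2*.conf; do
        [ -f "$conf" ] || continue
        ensure_by2_directive "$conf"
    done
}
```

Running add_directive_to_all twice leaves each file with exactly one active directive, which is the property you want from anything a package postinst or preinst script executes unconditionally.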

The updated package versions are as follows:
securityonion-barnyard2 - 20140531-0ubuntu0securityonion1
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion76
securityonion-rule-update - 20120726-0ubuntu0securityonion15
securityonion-server - 20120722-0ubuntu0securityonion11

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie
Kevin Branch

Issues Resolved
Issue 294: Barnyard2-1.13
https://code.google.com/p/security-onion/issues/detail?id=294

Issue 550: securityonion-server: add barnyard2 as a dependency
https://code.google.com/p/security-onion/issues/detail?id=550

Issue 411: NSM: have only one copy of barnyard2 that updates signature reference table
https://code.google.com/p/security-onion/issues/detail?id=411

Issue 551: rule-update: have server use barnyard2 to update Snorby reference table
https://code.google.com/p/security-onion/issues/detail?id=551

Issue 399: rule-update should allow LOCAL_NIDS_RULE_TUNING to be yes or true
https://code.google.com/p/security-onion/issues/detail?id=399

Issue 544: rule-update: notify user if LOCAL_NIDS_RULE_TUNING=true
https://code.google.com/p/security-onion/issues/detail?id=544

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to get the most out of your Security Onion deployment?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, June 12, 2014

New securityonion-sguil-db-purge package resolves two issues

I've updated our securityonion-sguil-db-purge package to resolve two issues.

The updated package version is as follows:
securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion9

This new package has been tested by the following (thanks!):
Eddy Simons

Issues Resolved

Issue 406: sguil-db-purge needs to purge history table as well
https://code.google.com/p/security-onion/issues/detail?id=406 

Issue 428: sguil-db-purge should check for existence of tables
https://code.google.com/p/security-onion/issues/detail?id=428 

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Tuesday, June 10, 2014

Save the Date: Security Onion Conference

I recently asked the community if there was interest in a Security Onion Conference:
http://blog.securityonion.net/2014/05/security-onion-conference.html

The response was overwhelmingly positive!

The Security Onion Conference will be held in Augusta GA on Friday September 12 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

I'll publish more details about the Security Onion Conference as they are finalized.

UPDATE 2014/07/11

Registration is now open:
http://blog.securityonion.net/2014/07/registration-for-security-onion.html

CFP is now closed!  Thanks to all who responded!

June 10 - CFP Open
July 10 - CFP Closed
July 31 - Speakers selected and notified

Friday, June 6, 2014

New securityonion-sostat package resolves an issue

sostat-quick now checks for privileges.

The updated package version is as follows:
securityonion-sostat - 20120722-0ubuntu0securityonion26

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 537: sostat-quick: check for root
https://code.google.com/p/security-onion/issues/detail?id=537

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn what all that sostat output means?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, June 4, 2014

2-day Security Onion class in Sacramento CA

Do you want to...

... learn more about Security Onion?

... get the most out of your Security Onion deployment?

... catch more bad guys and catch them faster?

In addition to the recently announced 2-day Security Onion class in Raleigh NC, we're now also offering the 2-day Security Onion class in Sacramento CA!

If you sign up before June 25, you can use the following promo code for $100 off!
earlybird56219

If you are a student or work for a non-profit and need an additional discount, please contact me using the "Contact Doug Burks" link at the bottom of the Eventbrite page.

For full details and to register, please see:
https://securityonion20140807.eventbrite.com

What do previous students say about the class?
"I highly, HIGHLY recommend attending this class.  I attended the class in Houston and it was excellent.
Doug is very knowledgeable and has an informal style of instruction that keeps the class interesting and encourages interaction with the students, and is not simply a 16 hour lecture.
I also met many interesting people and made some new contacts. All in all, if this class comes anywhere near me again ... I'll be going if I have to host a bake sale to get there." 
-- Jake Sallee 

Tuesday, June 3, 2014

New Salt and OnionSalt packages

Mike Reeves has updated his OnionSalt scripts to be compatible with the latest Salt packages.  I've packaged these scripts and copied the latest Salt packages to our stable repo.

The updated package versions are as follows:
securityonion-onionsalt - 20130817-0ubuntu0securityonion11
salt-master - 2014.1.4-2precise2
salt-minion - 2014.1.4-2precise2

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie

Please see the updated OnionSalt page on our Wiki:
https://code.google.com/p/security-onion/wiki/Salt

Issues Resolved
Issue 540: Update Salt packages/scripts
https://code.google.com/p/security-onion/issues/detail?id=540

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to get the most out of your Security Onion deployment?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, June 2, 2014

New Setup package changes the way in which we disable some services

We have a new Setup package that changes the way in which we disable services like network-manager, salt-master, and salt-minion.  Previously, we were disabling these services by renaming their init script.  For example, we would disable salt-master as follows:
mv /etc/init/salt-master.conf /etc/init/salt-master.DISABLED

We're getting ready to update to the latest salt packages which don't handle that method of disabling gracefully.  So we're going to move to a more graceful method of disabling these services which is to create an override file as follows:
echo "manual" > /etc/init/salt-master.override

When the new Setup package installs, it has a preinst script that should check /etc/init/ and see if network-manager, salt-master, and/or salt-minion were disabled via the old method.  If so, it will then migrate them to the new style of disabling.  /usr/bin/sosetup and /usr/bin/sosetup-network have also been updated such that new runs of Setup will result in the new method of disabling.
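The migration the preinst script performs can be written as a small shell function; the one below is an added example, not the Setup package's own preinst, and takes the init directory as a hypothetical parameter so it can be run against a scratch directory instead of the real /etc/init. It restores the renamed job file, writes the "manual" override, and handles the edge case where the package has already reinstalled a fresh .conf while the old .DISABLED copy is still lying around.

```shell
#!/bin/sh
# Added example, not the securityonion-setup preinst script.
# Migrate Upstart jobs disabled by the old rename method
# (foo.conf -> foo.DISABLED) to the override method (foo.override = "manual").

# Migrates one service. Returns 0 if a migration happened, 1 if there was
# nothing to migrate. The second argument defaults to /etc/init.
migrate_disabled_service() {
    svc="$1"
    init_dir="${2:-/etc/init}"
    disabled="$init_dir/$svc.DISABLED"
    conf="$init_dir/$svc.conf"
    override="$init_dir/$svc.override"

    # Nothing to do unless the old-style marker exists.
    [ -f "$disabled" ] || return 1

    if [ -f "$conf" ]; then
        # The package manager already put a fresh job file back; keep that
        # one (it is the one the package owns) and drop the stale copy.
        rm -f "$disabled"
    else
        # Hand the job file back to the package so future upgrades are clean.
        mv "$disabled" "$conf"
    fi

    # Tell Upstart not to start the job automatically.
    echo "manual" > "$override"
    return 0
}

# Migrates the three services the post names.
migrate_all_disabled_services() {
    init_dir="${1:-/etc/init}"
    for svc in network-manager salt-master salt-minion; do
        migrate_disabled_service "$svc" "$init_dir" || true
    done
}

# Reports (exit status) whether a service is disabled by the override method.
is_disabled_via_override() {
    init_dir="${2:-/etc/init}"
    [ -f "$init_dir/$1.override" ] && grep -qx manual "$init_dir/$1.override"
}
```

Run migrate_all_disabled_services as root to act on /etc/init, or pass a directory to rehearse the migration first; is_disabled_via_override is the check to run afterwards (and before the Salt package upgrade) to confirm no job file is still renamed.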

The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion105

This new package has been tested by the following (thanks!):
David Vasil
Eddy Simons

Issues Resolved

Issue 542: Setup: when disabling salt, avoid modifying salt package files
https://code.google.com/p/security-onion/issues/detail?id=542

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Do you want to learn more about Security Onion?
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, May 28, 2014

2-day Security Onion class in Raleigh NC

Do you want to...

... learn more about Security Onion?

... get the most out of your Security Onion deployment?

... catch more bad guys and catch them faster?

If so, then sign up for the new and expanded 2-day Security Onion class in Raleigh NC!

If you sign up before June 11, you can use the following promo code for $100 off!
earlybird5621

If you are a student or work for a non-profit and need an additional discount, please contact me using the "Contact Doug Burks" link at the bottom of the Eventbrite page.

For full details and to register, please see:
https://securityonion20140718.eventbrite.com

What do previous students say about the class?
"I highly, HIGHLY recommend attending this class.  I attended the class in Houston and it was excellent.
Doug is very knowledgeable and has an informal style of instruction that keeps the class interesting and encourages interaction with the students, and is not simply a 16 hour lecture.
I also met many interesting people and made some new contacts. All in all, if this class comes anywhere near me again ... I'll be going if I have to host a bake sale to get there."
-- Jake Sallee 

Friday, May 16, 2014

Security Onion Conference?

I'd like to see if there's interest in a Security Onion Conference, so I've put together a short survey to gather your feedback.  It should only take you 2-3 minutes, so please complete it today:
https://www.surveymonkey.com/s/H7BYLVZ

Thanks in advance for your feedback!

Friday, May 2, 2014

New securityonion-sostat package resolves an issue

Andrew Colfelt fixed a bug in sostat-redacted and I've updated our securityonion-sostat package with his patch.  Thanks Andrew!

The updated package version is as follows:
securityonion-sostat - 20120722-0ubuntu0securityonion25

This new package has been tested by the following (thanks!):
David Zawdie
Eddy Simons

Issues Resolved

Issue 533: sostat-redacted: fix ssh_port redact
https://code.google.com/p/security-onion/issues/detail?id=533

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Tuesday, April 29, 2014

New securityonion-sostat package resolves six issues

I've updated our securityonion-sostat package to resolve six issues.

The updated package version is as follows:
securityonion-sostat - 20120722-0ubuntu0securityonion24

This new package has been tested by the following (thanks!):
David Zawdie
JP Bourget

Issues Resolved
Issue 483: sostat-redacted should redact usernames
https://code.google.com/p/security-onion/issues/detail?id=483

Issue 509: sostat-quick
https://code.google.com/p/security-onion/issues/detail?id=509

Issue 510: sostat: change "ELSA Date Range" to "ELSA Index Date Range"
https://code.google.com/p/security-onion/issues/detail?id=510

Issue 515: sostat: avoid displaying "ELSA Log Node SSH Tunnels:" if there are no SSH tunnels
https://code.google.com/p/security-onion/issues/detail?id=515

Issue 517: sostat: only display "Top 50 URLs for yesterday" if http_agent is enabled
https://code.google.com/p/security-onion/issues/detail?id=517

Issue 531: sostat: improve checking of autossh tunnels
https://code.google.com/p/security-onion/issues/detail?id=531

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Only two days left to sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!


Monday, April 28, 2014

New securityonion-nsmnow-admin-scripts package

I've updated our securityonion-nsmnow-admin-scripts package to resolve two issues.

The updated package version is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion75

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved
Issue 529: nsm: check for null dns domain before updating ossec_agent.conf
https://code.google.com/p/security-onion/issues/detail?id=529

Issue 530: nsm: change sshd_config ClientAliveInterval to 30
https://code.google.com/p/security-onion/issues/detail?id=530

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Only a few days left to sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, April 23, 2014

Only 1 week left to register for Security Onion class in Houston TX!

Want to learn more about Security Onion?  Sign up for the new and expanded 2-day class in Houston TX!

The registration deadline is April 30, so there is only 1 week left to register!

Here's a discount code good for $100 off:
lastminute52949

For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Tuesday, April 22, 2014

New securityonion-setup package

I've updated our securityonion-setup package to resolve an issue.

The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion103

This new package has been tested by the following (thanks!):
David Vasil
David Zawdie

Issues Resolved
Issue 524: Setup should test connection to master server using ssh instead of nc
https://code.google.com/p/security-onion/issues/detail?id=524

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Only a few days left to sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, April 21, 2014

New securityonion-onionsalt package

I've updated our securityonion-onionsalt package to improve NIDS and HIDS updates.  Please see the updated OnionSalt page on our Wiki:
https://code.google.com/p/security-onion/wiki/Salt

The updated package version is as follows:
securityonion-onionsalt - 20130817-0ubuntu0securityonion10

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved
Issue 519: onionsalt: improve ids/bro/ossec updates
https://code.google.com/p/security-onion/issues/detail?id=519

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Only a few days left to sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, April 16, 2014

Only 2 weeks left to register for Security Onion class in Houston TX!

Want to learn more about Security Onion?  Sign up for the new and expanded 2-day class in Houston TX!

The registration deadline is April 30, so there are only 2 weeks left to register!

Here's a discount code good for $100 off:
lastminute52949

For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Tuesday, April 15, 2014

New securityonion-nsmnow-admin-scripts package resolves several issues

I've updated our securityonion-nsmnow-admin-scripts package to resolve several issues.  The updated package version is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion72

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie
inuk-x

Issues Resolved

Issue 501: /etc/init/securityonion.conf needs to check that variables were only declared once
https://code.google.com/p/security-onion/issues/detail?id=501

Issue 516: Update sysctl settings
https://code.google.com/p/security-onion/issues/detail?id=516

Issue 518: NSM scripts: run "broctl install" when (re)starting Bro
https://code.google.com/p/security-onion/issues/detail?id=518

Issue 520: Configure /etc/ssh/sshd_config with ClientAliveInterval 60 and ClientAliveCountMax 3
https://code.google.com/p/security-onion/issues/detail?id=520

Issue 521: Replace test.com domain in /etc/nsm/ossec/ossec_agent.conf
https://code.google.com/p/security-onion/issues/detail?id=521

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, April 2, 2014

Tuesday, April 1, 2014

New securityonion-web-page package adds a BRO_FTP query and some BRO_INTEL queries

I've updated our securityonion-web-page package to add a BRO_FTP query and also some BRO_INTEL queries for our recently added BRO_INTEL parsers:
http://blog.securityonion.net/2014/03/new-securityonion-elsa-extras-and.html

The updated package version is as follows:
securityonion-web-page - 20120722-0ubuntu0securityonion21

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 506: securityonion-web-page: add FTP command query
https://code.google.com/p/security-onion/issues/detail?id=506

Issue 507: securityonion-web-page: add queries for BRO_INTEL
https://code.google.com/p/security-onion/issues/detail?id=507

Screenshots
FTP: Top Commands - group all FTP logs by FTP command

Drilling into FTP STOR command to look for data exfil

Intel: Top SRC IPs - group all Intel logs by source IP address

Intel: Top DST IPs - group all Intel logs by destination IP address

Intel: Top DST Ports - group all Intel logs by destination port

Intel: Top Indicators - group all Intel logs by indicator

Intel: Top Indicator Types - group all Intel logs by indicator type

Intel: Top Sources - group all Intel logs by source

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, March 31, 2014

New securityonion-setup package

I've updated our Setup package to resolve a few issues.

The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion101

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 485: sosetup-network: mention MTU and other custom config can be manually added to /etc/network/interfaces
https://code.google.com/p/security-onion/issues/detail?id=485

Issue 499: sosetup-network: fix backup path in /etc/network/interfaces
https://code.google.com/p/security-onion/issues/detail?id=499

Issue 511: sosetup-network: management interface selection should be a radiolist
https://code.google.com/p/security-onion/issues/detail?id=511

Issue 489: sosetup: capture rmmod output
https://code.google.com/p/security-onion/issues/detail?id=489

Issue 479: sosetup: should verify that it can resolve server hostname before trying to connect
https://code.google.com/p/security-onion/issues/detail?id=479

Issue 496: sosetup: VRT policy screen should be a radiolist
https://code.google.com/p/security-onion/issues/detail?id=496

Issue 514: sosetup: fix df /nsm check
https://code.google.com/p/security-onion/issues/detail?id=514

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, March 20, 2014

New securityonion-elsa-extras and securityonion-elsa-node-perl packages

Scott Runnels has updated two of our ELSA packages to resolve a couple of issues.  Thanks, Scott!

The updated packages are as follows:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion41
securityonion-elsa-node-perl - 20130819-0ubuntu0securityonion3

These new packages have been tested by the following (thanks!):
David Zawdie
Matt Gregory
JP Bourget

Issues Resolved
Issue 502: securityonion-elsa-node-perl: add libtext-csv-perl as a dependency
https://code.google.com/p/security-onion/issues/detail?id=502

Issue 503: securityonion-elsa-extras: parsers for BRO_INTEL feed
https://code.google.com/p/security-onion/issues/detail?id=503

Screenshots

Show all entries in Bro's intel.log grouped by indicator

Drilling into an indicator

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, March 12, 2014

New securityonion-sostat package

Jon Schipp submitted some patches for soup (thanks Jon!) and I updated sostat to resolve a few issues.  The new package is securityonion-sostat - 20120722-0ubuntu0securityonion21 and it has been tested by Matt Gregory and David Zawdie (thanks!).

Issues Resolved
Issue 481: soup: Add skip interactive option
https://code.google.com/p/security-onion/issues/detail?id=481

Issue 494: sostat should display ELSA v_indexes
https://code.google.com/p/security-onion/issues/detail?id=494

Issue 497: sostat should ignore "Cannot set NIC flags!" in netsniff-ng.log
https://code.google.com/p/security-onion/issues/detail?id=497

Issue 508: sostat should include full process output but exclude usernames
https://code.google.com/p/security-onion/issues/detail?id=508

Screenshots
sostat now includes ELSA Index Date Range

soup now has options

sostat now includes expanded process output but excludes usernames

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Tuesday, March 11, 2014

New securityonion-rule-update package

I've updated our securityonion-rule-update package to resolve an issue.  The new package is securityonion-rule-update - 20120726-0ubuntu0securityonion12 and it has been tested by David Zawdie (thanks!).

Issues Resolved
Issue 505: rule-update: check to see if barnyard and IDS engine are enabled
https://code.google.com/p/security-onion/issues/detail?id=505

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, March 10, 2014

New securityonion-web-page package updates OSSEC and DNS Queries

I've updated our securityonion-web-page package to resolve a few issues.  The new package is securityonion-web-page - 20120722-0ubuntu0securityonion19 and it has been tested by Matt Gregory (thanks!).

Issues Resolved
Issue 495: securityonion-web-page: OSSEC logs query should exclude MARK
https://code.google.com/p/security-onion/issues/detail?id=495

Issue 498: securityonion-web-page: add DNS IXFR query
https://code.google.com/p/security-onion/issues/detail?id=498

Release Notes
Previously, we added a "DNS - Zone Transfers" query that would look for full zone transfers (AXFR):
http://blog.securityonion.net/2014/02/new-securityonion-web-page-package-adds_19.html

This new package updates that query to also look for incremental zone transfers (IXFR) and group the results by the source IP address:
class=BRO_DNS proto="tcp" "axfr" OR "ixfr" groupby:srcip

The "Host Logs - All OSSEC Logs" query should now exclude any OSSEC --MARK-- logs as follows:
class=none program="ossec_archive" "2014" -"packets_received" -"--MARK--"
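The two ELSA queries above (and the "FTP: Top Commands" / STOR drill-down screenshots in the April 1 securityonion-web-page post) are just groupings over Bro log fields, so the same logic can be checked against raw Bro logs without ELSA.  The following is an added example, not Security Onion's or ELSA's own code: it parses Bro's tab-separated log format from the #fields header, then reproduces the zone-transfer query (AXFR/IXFR over TCP grouped by source IP) and the FTP command grouping.  The dns.log and ftp.log lines are constructed for this example and the dns.log columns are truncated after rcode_name for brevity; field names follow the Bro 2.2 layout.  One difference worth knowing: the ELSA query matches the strings "axfr"/"ixfr" anywhere in the indexed log line, whereas this code checks the qtype_name field only, so it will not fire on a query name that merely contains those letters.

```python
"""Added example (not Security Onion's or ELSA's own code): group Bro log
records the way the ELSA queries in this post do.  Sample logs are constructed."""
from collections import Counter

# Constructed dns.log in Bro 2.2 layout, columns truncated after rcode_name.
DNS_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name
1394467200.1\tC1\t10.0.0.5\t51000\t10.0.0.2\t53\tudp\t1\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR
1394467201.2\tC2\t10.0.0.9\t40001\t10.0.0.2\t53\ttcp\t2\texample.com\t1\tC_INTERNET\t252\tAXFR\t5\tREFUSED
1394467202.3\tC3\t10.0.0.9\t40002\t10.0.0.2\t53\ttcp\t3\texample.com\t1\tC_INTERNET\t251\tIXFR\t0\tNOERROR
1394467203.4\tC4\t10.0.0.7\t40003\t10.0.0.2\t53\ttcp\t4\tcorp.example.com\t1\tC_INTERNET\t252\tAXFR\t5\tREFUSED
1394467204.5\tC5\t10.0.0.7\t40004\t10.0.0.2\t53\tudp\t5\tcorp.example.com\t1\tC_INTERNET\t252\tAXFR\t5\tREFUSED
#close\t2014-03-10-12-00-00
"""

# Constructed ftp.log in Bro 2.2 layout (fuid column omitted).
FTP_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tuser\tpassword\tcommand\targ\tmime_type\tfile_size\treply_code\treply_msg
1394467300.1\tF1\t10.0.0.5\t52000\t10.0.0.20\t21\tbob\t<hidden>\tRETR\tftp://10.0.0.20/pub/readme.txt\ttext/plain\t1024\t226\tTransfer complete.
1394467301.2\tF2\t10.0.0.9\t52001\t10.0.0.20\t21\talice\t<hidden>\tSTOR\tftp://10.0.0.20/upload/q1.zip\tapplication/zip\t5242880\t226\tTransfer complete.
1394467302.3\tF3\t10.0.0.9\t52002\t10.0.0.20\t21\talice\t<hidden>\tSTOR\tftp://10.0.0.20/upload/q2.zip\tapplication/zip\t7340032\t226\tTransfer complete.
1394467303.4\tF4\t10.0.0.7\t52003\t10.0.0.20\t21\tanonymous\t<hidden>\tLIST\t-\t-\t-\t150\tHere comes the directory listing.
"""


def parse_bro_log(text):
    """Parse Bro's tab-separated log into dicts keyed by the #fields header.
    Other '#' lines (#separator, #open, #close, #types, ...) are skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def zone_transfer_sources(dns_log_text):
    """Equivalent of: class=BRO_DNS proto="tcp" "axfr" OR "ixfr" groupby:srcip
    Returns {source_ip: count} of AXFR/IXFR requests carried over TCP.
    UDP AXFR attempts are excluded, exactly as the ELSA query excludes them."""
    counts = Counter()
    for r in parse_bro_log(dns_log_text):
        if r["proto"] == "tcp" and r["qtype_name"].lower() in ("axfr", "ixfr"):
            counts[r["id.orig_h"]] += 1
    return dict(counts)


def ftp_top_commands(ftp_log_text):
    """Equivalent of the 'FTP: Top Commands' query: group all FTP logs by command."""
    return dict(Counter(r["command"] for r in parse_bro_log(ftp_log_text)))


def ftp_stor_by_source(ftp_log_text):
    """The STOR drill-down from the screenshots: uploads per source host as
    (count, total_bytes), which is what an analyst reviews for bulk data leaving."""
    totals = {}
    for r in parse_bro_log(ftp_log_text):
        if r["command"] != "STOR":
            continue
        size = int(r["file_size"]) if r["file_size"].isdigit() else 0
        n, b = totals.get(r["id.orig_h"], (0, 0))
        totals[r["id.orig_h"]] = (n + 1, b + size)
    return totals


if __name__ == "__main__":
    print("zone transfers over tcp by srcip:", zone_transfer_sources(DNS_LOG))
    print("ftp commands:", ftp_top_commands(FTP_LOG))
    print("ftp STOR by srcip (count, bytes):", ftp_stor_by_source(FTP_LOG))
```

On the constructed sample, 10.0.0.9 shows two TCP transfer requests and 10.0.0.7 one; the UDP AXFR from 10.0.0.7 is dropped, as it would be by the proto="tcp" term in ELSA.  To run this over a real sensor log, read /nsm/bro/logs/current/dns.log into a string and pass it in place of DNS_LOG.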

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, March 6, 2014

Expanded 2-Day Security Onion Training Class in Houston TX 5/8 - 5/9

Want to learn more about Security Onion?  Sign up for the new and expanded 2-day class in Houston TX!  If you sign up before March 31, you can use the following promo code for $100 off!
earlybird46099

For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Friday, February 28, 2014

Security Onion 12.04.4 ISO image now available

We have a new Security Onion 12.04.4 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of February 21, 2014!

Changes since 12.04.3 ISO

The new 12.04.4 ISO image has all Ubuntu and Security Onion updates as of 2/21 including:

  • Linux kernel 3.2.0-59
  • Snort 2.9.5.6
  • Suricata 1.4.7
  • Bro 2.2
  • ELSA 1.5
  • Squert 1.2.0
  • CapMe
  • securityonion-web-page (ELSA query page at https://onion/elsa)
  • Setup
  • sostat
  • NSM scripts
  • ET ruleset (/etc/nsm/rules/downloaded.rules)

Changes in the ISO Image Itself

The new 12.04.4 ISO image resolves a few issues in the ISO image itself:

  • boot menu: the Install option never really worked correctly and has been removed, so that folks will choose one of the Live options, which still allow them to Install but also allow them to check hardware and read the README
  • boot menu: added "nomodeset" option since some folks needed that to boot on certain video chipsets
  • after choosing an option on the boot menu, the Xubuntu boot progress indicator has been replaced with a Security Onion boot progress indicator
  • unnecessary shortcuts have been removed from the Live desktop so that users don't try to run Setup before running the Installer
  • previously, if you ran "sudo service nsm status" before running Setup, you'd get an error message.  This has been resolved.
  • salt-master and salt-minion were previously enabled on ISO boot, which resulted in lots of DNS lookups for "salt".  They are now disabled by default (you can still enable them during Setup of course).
  • byobu is now included by default:
    https://help.ubuntu.com/community/Byobu

In short, it's the best release ever!

Screenshots
Boot menu (Install option has been removed and replaced with "nomodeset" option)

Security Onion boot progress indicator

Removed extraneous icons from Live desktop

Byobu is now installed by default

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.4 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.  Here's the MD5 for this release:
4107d6b6c469b27014da7ce26f249e5e
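As an added example (not taken from the Installation guide or the Security Onion project), here is a small shell function that does that comparison for you and refuses to report success unless the computed digest matches the published one.  It assumes GNU coreutils md5sum as found on Ubuntu; the ISO path on the command line is a placeholder, and the expected digest defaults to the 12.04.4 value above.

```shell
#!/bin/sh
# Added example (not from the Security Onion project or its Installation guide):
# compare a downloaded ISO against the MD5 published in the announcement.
# Assumes GNU coreutils md5sum, as on Ubuntu; the ISO path is a placeholder.

EXPECTED_MD5="4107d6b6c469b27014da7ce26f249e5e"   # published for the 12.04.4 ISO

# verify_iso FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
# The expected digest is lower-cased so a copied upper-case value still compares.
verify_iso() {
    iso="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$iso" ]; then
        echo "ERROR: cannot read $iso" >&2
        return 2
    fi
    actual=$(md5sum "$iso" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches $expected"
        return 0
    fi
    echo "MISMATCH: $iso has $actual, expected $expected (do not install this image)" >&2
    return 1
}

# Usage: sh verify-iso.sh /path/to/securityonion-12.04.4.iso [expected-md5]
if [ $# -ge 1 ]; then
    verify_iso "$1" "${2:-$EXPECTED_MD5}"
fi
```

The non-zero return codes make it usable in a scripted download step: a mismatch (1) or unreadable file (2) stops the pipeline before anything is written to a USB stick or VM.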

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.4 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Thanks

Thanks to George Jones for creating the torrent for the new ISO image!

Thanks to the following for testing the new ISO image!
Matt Gregory
David Zawdie
Heine Lysemose
JP Bourget

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Training
There will be a 2-day Security Onion class in Houston on May 8-9.  Stay tuned for further details!

Friday, February 21, 2014

New securityonion-squert package updates to Squert 1.2.0

Paul Halliday recently released Squert 1.2.0:
http://www.squertproject.org/
https://github.com/int13h/squert

He also recorded a couple of videos showcasing some of the new features recently added to Squert:
Changes v1.1.6: http://www.youtube.com/watch?v=_eheJv0MJDY
Changes v1.1.9: http://www.youtube.com/watch?v=QkgrigopfQA

I've packaged Squert 1.2.0 as securityonion-squert - 20140216-0ubuntu0securityonion2 and the package has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
Matt Gregory

Issues Resolved

Issue 448: When changing time zone in Squert, it needs to revert to UTC when requesting transcripts
https://code.google.com/p/security-onion/issues/detail?id=448

Release Notes

  • When you update the package, it will copy new files into place and then display "Updating database".  Please do not cancel or interrupt this process.
  • You no longer have to hardcode your Sguil credentials in config.php.
  • You may need to Shift-Reload in your browser and/or empty browser cache to ensure you're running the latest Squert javascript.
  • Timestamps are displayed in UTC by default, but you can change this by clicking the arrows to the right of the timeline.  De-select UTC, then specify your local timezone offset.  Then click the "save TZ" button to save your preference into the database and click "Update" to refresh the page with the new timestamps.

Screenshots
Do not cancel or interrupt the database update

Events tab

GeoIP mapping

Pivoting on an event and requesting a TCP transcript with the TX button

Summary tab

Views tab

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!