Monday, July 6, 2015

Security Onion 12.04.5.2 ISO image now available

We have a new Security Onion 12.04.5.2 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of June 17, 2015!

This resolves the following issue:

Issue 733: 12.04.5.2 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/733

This new ISO image has been tested by the following (thanks!):
Shane Castle
James Taylor
Robert Bardo
Jeff Tehovnik
Jay Holmes
LeeJR

Training
This new ISO image will be used in our upcoming class in the Washington DC area:
http://security-onion-class-20150810.eventbrite.com/

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.2 ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

MD5 e35846293dcecf76e5b8d39f6d48c9de
SHA1 a8c04e9bde175425835537cb3d9b336e2614a363
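The checksum verification the post asks for, as an added example that is not part of the Security Onion installation guide: a small POSIX shell function that computes the digest of a downloaded file with coreutils (`md5sum`, `sha1sum`, `sha256sum`, assumed to be installed) and compares it, case-insensitively, with a published digest. The SHA-256 case goes beyond the MD5 and SHA-1 digests published above, for publishers that offer one; the ISO path at the bottom is a placeholder, not the real download name.

```shell
#!/bin/sh
# Added example (not from the Security Onion installation guide): check a
# downloaded ISO against a published digest before installing it.
# Usage: verify_checksum <file> <md5|sha1|sha256> <expected-hex-digest>
# Exit status: 0 on match, 1 on mismatch, 2 on usage/read error.
verify_checksum() {
    file="$1"
    algo="$2"
    # Normalize case so a digest pasted in upper case still compares equal.
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha1)   actual=$(sha1sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK       $algo($file) = $actual"
        return 0
    fi
    echo "MISMATCH $algo($file) = $actual, expected $expected" >&2
    return 1
}

# Usage with the digests published in the post above. The path is a
# placeholder: substitute the name of the file you actually downloaded.
ISO="${ISO:-/path/to/downloaded-securityonion-12.04.5.2.iso}"
if [ -r "$ISO" ]; then
    verify_checksum "$ISO" md5  e35846293dcecf76e5b8d39f6d48c9de
    verify_checksum "$ISO" sha1 a8c04e9bde175425835537cb3d9b336e2614a363
fi
```

A digest comparison like this catches a truncated or corrupted download. MD5 and SHA-1 are no longer collision-resistant, so where a publisher also provides a SHA-256 digest or a signature over the image, check that as well.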

Existing Deployments
If you have existing installations based on a previous ISO image, there is no need to download the new 12.04.5.2 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Monday, June 29, 2015

OSSEC 2.8.2 now available!

OSSEC 2.8.2 was recently released:
http://www.ossec.net/?p=1198

I've packaged OSSEC 2.8.2 and the new package version is as follows:

ossec-hids-server - 2.8.2-ubuntu10securityonion2

The new package has been tested by the following (thanks!):
James Taylor
Shane Castle

Issues Resolved

Issue 745: OSSEC 2.8.2
https://github.com/Security-Onion-Solutions/security-onion/issues/745

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

After installing the new OSSEC package, you'll need to double-check /var/ossec/etc/ossec.conf and add back any local customizations.  You can then restart OSSEC as follows:
sudo service ossec-hids-server restart

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, June 19, 2015

New Setup package resolves an issue

I've updated our Setup package and the new package is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion142

This new package resolves the following issue:

Issue 744: sosetup: Restart Apache to activate new ELSA apikey
https://github.com/Security-Onion-Solutions/security-onion/issues/744

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 18, 2015

New NSM package resolves an issue

Pete sent a patch for the nsm-watchdog cron job that should help avoid a race condition.  I've applied the patch and the new package is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion120

This new package resolves the following issue:

Issue 751: NSM: change watchdog run time to avoid race condition
https://github.com/Security-Onion-Solutions/security-onion/issues/751

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

4-day Security Onion Training in the Washington DC area

The next run of our expanded 4-day Security Onion class will be in the Washington DC area in August!

For more details and to register, please see:
http://security-onion-class-20150810.eventbrite.com/

Wednesday, June 17, 2015

New ELSA packages resolve three issues

ELSA 1205 packages were recently released:
http://blog.securityonion.net/2015/06/elsa-1205-now-available.html

A few issues were found so I've built these new packages:

securityonion-elsa - 1205-1ubuntu0securityonion5
securityonion-elsa-extras - 20131117-1ubuntu0securityonion91

These new packages resolve the following issues:

Issue 746: ELSA 1205 package enabled perl module on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/746

Issue 747: ELSA 1205 package duplicated syslog-ng.conf entries on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/747

Issue 748: ELSA 1205 package didn't add the pid column to the query_log table for upgrades
https://github.com/Security-Onion-Solutions/security-onion/issues/748

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

New tcltls package resolves OpenSSL issue

Recent OpenSSL changes prevented the default Debian/Ubuntu tcltls package from working properly, so I've built a new one:
tcltls - 1.5.0.dfsg-10build1securityonion2

This new package resolves the following issue:

Issue 749: Update tcl-tls package and replace DH512 key with DH2048
https://github.com/Security-Onion-Solutions/security-onion/issues/749

This new package has been tested by the following (thanks!):
Shane Castle
James Taylor
Larry Layten
hakawarrior

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you continue to have issues with the Sguil client/agents connecting to sguild, you may need to restart services:
sudo service nsm restart

and/or reboot:
sudo reboot

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 11, 2015

Please do not update until further notice! Ubuntu SSL packages seem to cause issues.

UPDATE 2015/06/17 08:52
All clear! You may safely resume your normal "soup" updates! New tcl-tls package resolves the OpenSSL issue:
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

UPDATE 2015/06/12 7:18
Please see the following mailing list thread for updated information:
https://groups.google.com/d/topic/security-onion/E7HdGGUuq6c/discussion

New securityonion-nsmnow-admin-scripts package resolves an issue

If you're running salt, you may have noticed that if you run a command like this:
sudo salt '*' cmd.run 'service nsm status'
you get garbled output because the ANSI color escape codes emitted by the NSM scripts aren't interpreted by salt.  I've updated the NSM scripts to only output these color codes if they are running on a tty.  The result looks much better.
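The tty check described above, as an added example that is not the Security Onion NSM scripts' own code: status lines are wrapped in ANSI color codes only when `[ -t 1 ]` reports that stdout is a terminal, so output captured by salt, cron or a pipe stays plain text. The process names, the `NSM_NO_COLOR` override and the status format are constructed for the example.

```shell
#!/bin/sh
# Added example (not the Security Onion NSM scripts themselves): print status
# lines with ANSI color only when stdout is a terminal. When the output is
# captured by salt, cron or a pipe, [ -t 1 ] is false and plain text is
# printed, so nothing downstream has to strip escape sequences.
use_color() {
    # NSM_NO_COLOR is a hypothetical override for forcing plain output.
    [ -z "${NSM_NO_COLOR:-}" ] && [ -t 1 ]
}

# colorize <red|green|yellow> <text>: wrap text in SGR codes when appropriate.
colorize() {
    color="$1"; shift
    text="$*"
    if use_color; then
        case "$color" in
            red)    printf '\033[31m%s\033[0m\n' "$text" ;;
            green)  printf '\033[32m%s\033[0m\n' "$text" ;;
            yellow) printf '\033[33m%s\033[0m\n' "$text" ;;
            *)      printf '%s\n' "$text" ;;
        esac
    else
        printf '%s\n' "$text"
    fi
}

# report_status <process> <running|stopped|other>: one line per process,
# in the spirit of a "service nsm status" report.
report_status() {
    case "$2" in
        running) colorize green  "  * $1  [ OK ]" ;;
        stopped) colorize red    "  * $1  [ FAIL ]" ;;
        *)       colorize yellow "  * $1  [ UNKNOWN ]" ;;
    esac
}

# Constructed sample: two sensor processes, one up and one down.
report_status snort-eth1 running
report_status barnyard2-eth1 stopped
```

Run it directly and the lines are colored; run it as `./status.sh | cat` or under `salt ... cmd.run` and the same lines arrive without escape sequences, because in both cases file descriptor 1 is a pipe rather than a tty.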
The new package version is:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion119

Issues Resolved

Issue 732: NSM: only output color codes if running on a tty
https://github.com/Security-Onion-Solutions/security-onion/issues/732

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, June 10, 2015

ELSA 1205 now available!

I've updated our packages to reflect the latest version of ELSA:

securityonion-capme - 20121213-0ubuntu0securityonion21
securityonion-elsa - 1205-1ubuntu0securityonion4
securityonion-elsa-extras - 20131117-1ubuntu0securityonion88
securityonion-libdata-google-visualization-datatable-perl - 0.11-0ubuntu0securityonion1
securityonion-libdata-serializable-perl - 0.41.0-0ubuntu0securityonion1
securityonion-libmodule-pluggable-perl - 5.1-0ubuntu0securityonion1
securityonion-libmoosex-classattribute-perl - 0.27-0ubuntu0securityonion1
securityonion-libnet-ldap-express-perl - 0.12-0ubuntu0securityonion1
securityonion-libnet-openssh-perl - 0.64-0ubuntu0securityonion1
securityonion-libplack-builder-conditionals-perl - 0.05-0ubuntu0securityonion4
securityonion-libplack-middleware-crossorigin-perl - 0.012-0ubunt0securityonion3
securityonion-libsearch-queryparser-sql-perl - 0.010-0ubuntu0securityonion2
securityonion-libsocket-perl - 2.019-0ubuntu0securityonion2
securityonion-libsys-hostname-fqdn-perl - 0.12-0ubuntu0securityonion2
securityonion-libtime-hires-perl - 1.9726-0ubuntu0securityonion2
securityonion-liburi-encode-perl - 1.0.1-0ubuntu0securityonion1
securityonion-liburl-encode-perl - 0.03-0ubuntu0securityonion1
securityonion-setup - 20120912-0ubuntu0securityonion141
securityonion-web-page - 20141015-0ubuntu0securityonion25

These new packages resolve the following issues:

Issue 657: ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/657
This version of ELSA fixes many bugs in our previous version of ELSA.

Issue 447: ELSA syslog-ng.conf rewrite r_pipes
https://github.com/Security-Onion-Solutions/security-onion/issues/447
Syslog-ng will now rewrite any vertical pipes found in Bro logs to ensure correct parsing.

Issue 512: ELSA syslog-ng.conf filter f_bro_headers
https://github.com/Security-Onion-Solutions/security-onion/issues/512
Syslog-ng will now filter out headers in Bro logs.

Issue 726: ELSA syslog-ng.conf - add filesystem destinations
https://github.com/Security-Onion-Solutions/security-onion/issues/726
Syslog-ng will now output some logs to their standard filesystem locations.  This allows OSSEC to monitor those logs and detect, for example, SSH brute forcing.

Issue 674: ELSA - update bro_notice parser to parse src and dst fields
https://github.com/Security-Onion-Solutions/security-onion/issues/674
Syslog-ng will now parse src and dst fields out of Bro Notices.

Issue 722: securityonion-web-page: update HTTP mime type queries for ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/722
This fixes some of the existing ELSA queries to work with ELSA 1205 and also adds some new queries.

Issue 723: CapMe: Update for new ELSA API
https://github.com/Security-Onion-Solutions/security-onion/issues/723
CapME now queries the ELSA JSON API and also handles error conditions much more gracefully.

Issue 500: sosetup: restart starman
https://github.com/Security-Onion-Solutions/security-onion/issues/500
When running Setup and choosing sensor-only, starman should now restart properly.

Issue 504: sosetup: avoid writing ELSA_PORT twice in SSH_CONF
https://github.com/Security-Onion-Solutions/security-onion/issues/504
When running Setup and choosing sensor-only, Setup should only write ELSA_PORT in SSH_CONF once.

Issue 547: sosetup: if enabling salt on a sensor, check top.sls to make sure it doesn't already exist
https://github.com/Security-Onion-Solutions/security-onion/issues/547
When re-running Setup on a sensor, it should no longer duplicate the sensor's entry in top.sls on the master server.

Issue 740: sosetup: sensor should use sudo to restart apache on master
https://github.com/Security-Onion-Solutions/security-onion/issues/740
When running Setup and choosing sensor-only and selecting to update the ELSA server, it should now properly restart Apache on the master server using sudo.

Issue 741: sosetup: sometimes local salt-minion doesn't check in with local salt-master quickly enough
https://github.com/Security-Onion-Solutions/security-onion/issues/741
When running Setup and choosing Advanced Setup and then Master-only or Standalone and enabling Salt, Setup should now check to see if the salt-minion has checked in every second, waiting up to 60 seconds before timing out.
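The wait described for Issue 741, as an added example that is not sosetup's own code: a generic poll-with-timeout loop that retries a readiness check once per interval until it succeeds or the attempt budget runs out, with 60 attempts at a 1-second interval matching "check every second, up to 60 seconds". The `minion_accepted` helper assumes that `salt-key -l acc` lists accepted minion ids one per line; it is only invoked when `salt-key` is installed.

```shell
#!/bin/sh
# Added example (not Security Onion's sosetup code): retry a readiness check
# once per interval until it succeeds or the attempt budget is spent. With
# 60 attempts at a 1-second interval this is the "check every second, up to
# 60 seconds" wait for the salt-minion described in the post.
# Usage: wait_for <max-attempts> <interval-seconds> <command> [args...]
# Exit status: 0 as soon as the command succeeds, 1 when attempts run out.
wait_for() {
    max="$1"; interval="$2"; shift 2
    attempt=0
    while [ "$attempt" -lt "$max" ]; do
        attempt=$((attempt + 1))
        if "$@"; then
            return 0
        fi
        sleep "$interval"
    done
    echo "timed out after $attempt attempts: $*" >&2
    return 1
}

# minion_accepted <minion-id>: true once the master lists the key as accepted.
# Assumes `salt-key -l acc` prints accepted ids one per line (possibly indented).
minion_accepted() {
    salt-key -l acc 2>/dev/null | grep -q "^[[:space:]]*$1[[:space:]]*$"
}

# Live use on a master, only when salt-key is installed on this host.
if command -v salt-key >/dev/null 2>&1; then
    wait_for 60 1 minion_accepted "$(hostname)"
fi
```

Because the check runs in the current shell, a test can stand in a counting function for `minion_accepted` and confirm that the loop stops on the first success and gives up exactly when the budget is exhausted.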

These new packages have been tested by the following (thanks!):
Simone Bonetti
Brian Kellogg
David Zawdie
Heine Lysemose

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Screenshots
Update process

"About ELSA" now shows ELSA Rev 1205

New ELSA Query "HTTP: Sites Hosting JARs"

New ELSA Query "HTTP: Sites Hosting ZIPs"

Syslog-ng should now replace vertical pipes in Bro logs to allow more consistent parsing

Bro Scanning Notices should now be parsed correctly

CapME now uses the ELSA JSON API and provides better error handling

Syslog-ng now outputs certain logs to their standard filesystem locations, allowing OSSEC to monitor for SSH brute force

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, June 9, 2015

Next Round of Online Training Sessions - 6/29 through 7/2

The next round of online training sessions will be held Monday 6/29 through Thursday 7/2!

For more information and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Snort 2.9.7.3 now available!

Snort 2.9.7.3 was recently released:
http://blog.snort.org/2015/05/snort-2973-is-now-available.html

I've updated our Snort packages:
securityonion-snort - 2.9.7.3-0ubuntu0securityonion3
securityonion-daq - 2.0.5-0ubuntu0securityonion1

These new packages resolve the following issues:

Issue 730: Snort 2.9.7.3
https://github.com/Security-Onion-Solutions/security-onion/issues/730

Issue 731: Snort DAQ 2.0.5
https://github.com/Security-Onion-Solutions/security-onion/issues/731

These new packages have been tested by Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, June 8, 2015

New securityonion-suricata package resolves an issue

We recently released a securityonion-suricata package for Suricata 2.0.8:
http://blog.securityonion.net/2015/05/suricata-208.html

An issue was found in the packaging:
https://groups.google.com/d/topic/security-onion/1MmmmO2XOyc/discussion

I've updated the securityonion-suricata package to resolve this issue.

The new package version is:
securityonion-suricata - 2.0.8-0ubuntu0securityonion2

Issues Resolved

Issue 742: securityonion-suricata package missing debian/install
https://github.com/Security-Onion-Solutions/security-onion/issues/742

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, May 21, 2015

New securityonion-sguil-agent-ossec package resolves three issues

Brian Kellogg sent some patches for our ossec_agent for Sguil and I've updated the package.  The new package has been tested by David Zawdie and Brian Kellogg (thanks!).

The new package version is:
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion15

Issues Resolved

Issue 705: ossec_agent: improvements from Brian Kellogg
https://github.com/Security-Onion-Solutions/security-onion/issues/705

Issue 716: ossec_agent: tighten regex to only look for -> anchored to hostname or IP
https://github.com/Security-Onion-Solutions/security-onion/issues/716

Issue 717: ossec_agent: send alerts to sguild immediately instead of waiting for next alert
https://github.com/Security-Onion-Solutions/security-onion/issues/717

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, May 20, 2015

New NSM package resolves three issues

I've updated our NSM package and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion118

Issues Resolved

Issue 241: NSM scripts should have a timeout period when stopping services
https://github.com/Security-Onion-Solutions/security-onion/issues/241

Issue 392: Patch for lib-nsm-common-utils from Mark Seiden
https://github.com/Security-Onion-Solutions/security-onion/issues/392

Issue 714: nsm_server_user-disable
https://github.com/Security-Onion-Solutions/security-onion/issues/714

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, May 19, 2015

Sphinxsearch 2.1.9

I've updated our Sphinxsearch package to 2.1.9 and it has been tested by David Zawdie (thanks!).

The new package version is:
sphinxsearch - 2.1.9-release-0ubuntu15~precise

Issues Resolved
Issue 718: Sphinx 2.1.9
https://github.com/Security-Onion-Solutions/security-onion/issues/718

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, May 18, 2015

Suricata 2.0.8

Suricata 2.0.8 was recently released:
http://suricata-ids.org/2015/05/06/suricata-2-0-8-available/

I've packaged Suricata 2.0.8 and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-suricata - 2.0.8-0ubuntu0securityonion1

Issues Resolved

Issue 725: Suricata 2.0.8
https://github.com/Security-Onion-Solutions/security-onion/issues/725

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak and migrate the HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to suricata.yaml
  • update ruleset and restart Suricata as follows:
    sudo rule-update

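The "re-apply any other local customizations" step, for both the Snort 2.9.7.3 update above and this Suricata 2.0.8 update, as an added example that is not part of the Security Onion update scripts: given a config the update has replaced and its `.bak` copy, list the effective lines (not blank, not comments) that the backup contained and the new file lacks, so that customizations are re-applied from a diff rather than from memory. The sample snort.conf content at the bottom is constructed placeholder text, not the real Security Onion configuration.

```shell
#!/bin/sh
# Added example, not part of the Security Onion update scripts: after an
# update has moved a config aside as <file>.bak and installed a fresh copy,
# list the effective lines (not blank, not comments) that the backup had and
# the new file lacks, so local customizations are re-applied deliberately.
# Usage: lost_lines <new-config>      (expects <new-config>.bak beside it)
# Exit status: 0 when nothing was lost, 1 when lines are listed, 2 on error.
lost_lines() {
    new="$1"
    old="${new}.bak"
    if [ ! -r "$new" ] || [ ! -r "$old" ]; then
        echo "need both $new and $old" >&2
        return 2
    fi
    # grep -vxF -f NEW OLD: lines of OLD with no identical line in NEW.
    lost=$(grep -vxF -f "$new" "$old" \
           | grep -v '^[[:space:]]*#' \
           | grep -v '^[[:space:]]*$' || true)
    [ -n "$lost" ] || return 0
    printf '%s\n' "$lost"
    return 1
}

# review_backups <dir>: run lost_lines for every *.bak found under <dir>.
review_backups() {
    find "$1" -type f -name '*.bak' | while read -r bak; do
        conf="${bak%.bak}"
        echo "== $conf"
        lost_lines "$conf" || true
    done
}

# Constructed sample: a snort.conf pair as an update leaves them, with one
# local include present only in the backup. Placeholder content, not the
# real Security Onion snort.conf.
demo_dir=$(mktemp -d)
printf '%s\n' 'var HOME_NET [10.0.0.0/8]' 'var EXTERNAL_NET !$HOME_NET' \
    '# local additions' 'include $RULE_PATH/local.rules' > "$demo_dir/snort.conf.bak"
printf '%s\n' 'var HOME_NET [10.0.0.0/8]' 'var EXTERNAL_NET !$HOME_NET' \
    > "$demo_dir/snort.conf"
review_backups "$demo_dir"
rm -rf "$demo_dir"
```

The exit status makes the check scriptable: a post-update job can run `lost_lines` over each replaced file and flag any sensor where it returns 1, so the review happens before `sudo rule-update` restarts the engine with the stock configuration.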
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Saturday, May 9, 2015

Testers Needed!

We have lots of new packages queued up for release, but we need your help testing them!

If you're not already a member of our security-onion-testing group, please join and then click the following links for testing guidelines.

ELSA rev1205
https://groups.google.com/d/topic/security-onion-testing/OHhNEapIUgE/discussion

Suricata 2.0.8
https://groups.google.com/d/topic/security-onion-testing/WKeR1RViDlc/discussion

ossec_agent
https://groups.google.com/d/topic/security-onion-testing/N5gpeSHmIlk/discussion

Sphinxsearch 2.1.9
https://groups.google.com/d/topic/security-onion-testing/VWjichsRqPw/discussion

NSM
https://groups.google.com/d/topic/security-onion-testing/-cbA8FgH7lg/discussion

Setup
https://groups.google.com/d/topic/security-onion-testing/PBY2wJH9ruo/discussion

As you test each package, please add your test results to the thread.

Thanks in advance for your time and effort!

Friday, May 1, 2015

Security Onion Conference 2015 CFP

Security Onion Conference 2015 will be held in Augusta GA on Friday September 11 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

I'll publish more details about the Security Onion Conference as they are finalized.

If you have a topic you'd like to present at this year's conference, please submit here:
https://docs.google.com/forms/d/1AnREgxc4rMqqWX6pVwG2zaTQ5U2jPGUH02Wq74IiiUU

We want to hear from you!

How are you...
...using Security Onion to fight evil?
...handling lots of traffic using Security Onion?
...integrating Security Onion with other technologies?
...automating common tasks with your own scripts?

Each talk should be 30-35 minutes with an additional 10 minutes for questions.

May 1 - CFP Open
June 1 - CFP Closed
July 1 - Speakers selected and notified

Tuesday, April 28, 2015

New securityonion-rule-update package

securityonion-rule-update - 20120726-0ubuntu0securityonion28 is now available and should resolve the following issue:

Issue 715: securityonion-rule-update: sensor-only boxes running salt shouldn't try to copy /etc/cron.d/rule-update
https://github.com/Security-Onion-Solutions/security-onion/issues/715

The new package has been tested by Ryan Peck (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, April 23, 2015

Security Onion Training in May

Only 2 weeks left to register for the upcoming 4-day Security Onion class in Houston TX which will be held May 12-15.  Here's a discount code good for $400 off!
sos20150423

For more details and to register, please see:
https://security-onion-class-20150512.eventbrite.com/

If you can't make it to Houston, we also have online training sessions May 19-22:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Wednesday, April 22, 2015

New securityonion-rule-update package

securityonion-rule-update - 20120726-0ubuntu0securityonion27 is now available and should resolve the following issues:

Issue 681: rule-update: wipe snort_dynamicrules directory on sensor
https://github.com/Security-Onion-Solutions/security-onion/issues/681

Issue 677: rule-update: create /usr/local/lib/snort_dynamicrules/ if it doesn't already exist
https://github.com/Security-Onion-Solutions/security-onion/issues/677

Issue 678: rule-update: /etc/cron.d/rule-update should have 2>&1
https://github.com/Security-Onion-Solutions/security-onion/issues/678

Issue 697: rule-update: log snorby reference table update to barnyard2-snorby.log
https://github.com/Security-Onion-Solutions/security-onion/issues/697

Issue 679: rule-update: run pulledpork as unprivileged user
https://github.com/Security-Onion-Solutions/security-onion/issues/679

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, April 21, 2015

New securityonion-sostat package

securityonion-sostat - 20120722-0ubuntu0securityonion34 is now available and should resolve the following issues:

Issue 692: sostat: list number of ELSA buffers in queue and warn if higher than 20
https://github.com/Security-Onion-Solutions/security-onion/issues/692

Issue 701: sostat: include number of CPU cores
https://github.com/Security-Onion-Solutions/security-onion/issues/701

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, April 20, 2015

New securityonion-sguil-db-purge package

securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion12 is now available and should resolve the following issue:

Issue 711: Add "date" command to /usr/bin/sguil-db-purge
https://github.com/Security-Onion-Solutions/security-onion/issues/711

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, April 3, 2015

Security Onion 301: Best Practices for Distributed Deployments

Our next online class has been scheduled!  "Security Onion 301: Best Practices for Distributed Deployments" will be Tuesday, April 21.  For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Tuesday, March 31, 2015

Four package updates

I've updated four packages to resolve a few issues and these new packages have been tested by Josh Brower (thanks!).

The new package versions are as follows:
securityonion-setup - 20120912-0ubuntu0securityonion132
securityonion-sostat - 20120722-0ubuntu0securityonion33
securityonion-web-page - 20141015-0ubuntu0securityonion22
securityonion-elsa-extras - 20131117-1ubuntu0securityonion58

Issues Resolved

Issue 703: Move from Google Code to Github
https://github.com/Security-Onion-Solutions/security-onion/issues/703
Security Onion has moved to Github, so some of the hyperlinks in Setup and sostat had to be updated.

Issue 706: Add Josh Brower's ELSA parsers for process logs and sysmon
https://github.com/Security-Onion-Solutions/security-onion/issues/706
If you have Windows machines with OSSEC agents on them and process auditing enabled, ELSA now parses those "new process" logs.

Issue 709: Add fear.nothing's ELSA parsers for pfSense
https://github.com/Security-Onion-Solutions/security-onion/issues/709
If you're running pfSense firewalls and send their logs to Security Onion via syslog, ELSA will now parse them.

Issue 710: securityonion-web-page: add ELSA queries for Firewall logs and Windows Processes
https://github.com/Security-Onion-Solutions/security-onion/issues/710
Since ELSA is now parsing firewall logs and Windows processes, we provide some additional ELSA queries to slice and dice those logs.  See screenshots below.

Screenshots
Host Logs - Windows Processes

Firewall - Top SRC IPs Allowed

Firewall - Top DST IPs Allowed

Firewall - Top SRC IPs Denied

Firewall - Top DST IPs Denied


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes and also a 4-day onsite class coming up in Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, March 30, 2015

Snort 2.9.7.2 now available!

Snort 2.9.7.2 was recently released:
http://blog.snort.org/2015/03/snort-2972-has-been-released.html

I've updated our Snort package:
securityonion-snort - 2.9.7.2-0ubuntu0securityonion2

This new package resolves the following issue:

Issue 702: Snort 2.9.7.2
https://github.com/Security-Onion-Solutions/security-onion/issues/702

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing snort.conf files to snort.conf.bak.  You'll then need to do the following:

  • re-apply any local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, March 23, 2015

New NSM and Setup packages

I've updated our NSM and Setup packages to resolve a few issues and these new packages have been tested by Pete Nelson (thanks!).

The new package versions are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion116
securityonion-setup - 20120912-0ubuntu0securityonion131

Issues Resolved

Issue 691: NSM: chown -R $BRO_USER:$BRO_GROUP /nsm/bro >/dev/null 2>&1
https://code.google.com/p/security-onion/issues/detail?id=691

Issue 698: NSM: nsm_server_del line 170 echo_msg 0 "Deleting server: $SERVER_NAME"
https://code.google.com/p/security-onion/issues/detail?id=698

Issue 699: NSM: Bro node.cfg host=localhost
https://code.google.com/p/security-onion/issues/detail?id=699

Issue 700: Setup: Bro node.cfg host=localhost
https://code.google.com/p/security-onion/issues/detail?id=700

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes next week and a 4-day onsite class coming up in Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!

New Online Training Sessions

The next round of online training sessions will be held next week!  In addition to Security Onion 101, we're also offering two new online classes:

  • 201 - Best Practices for Standalone Production Sensors
  • 202 - Case Studies

For more information and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

As a reminder, we also have seats available for our 4-day onsite class in Houston TX!
https://security-onion-class-20150512.eventbrite.com/

Wednesday, March 11, 2015

Add your own custom ELSA queries to our ELSA query menu

BBCan177 submitted a patch (thanks!) that allows you to add your own custom ELSA queries to our ELSA query menu:

I've added the patch to our securityonion-web-page package and the updated package has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-web-page - 20141015-0ubuntu0securityonion18

Issues Resolved

Issue 696: ELSA custom menu
https://code.google.com/p/security-onion/issues/detail?id=696

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  We have 4-day classes coming up in Seattle and Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!

Monday, March 2, 2015

Suricata 2.0.7

Suricata 2.0.7 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/204-suricata-207-available

I've packaged Suricata 2.0.7 and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-suricata - 2.0.7-0ubuntu0securityonion1

Issues Resolved

Issue 695: Suricata 2.0.7
https://code.google.com/p/security-onion/issues/detail?id=695

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak.  You'll then need to do the following:

  • re-apply any local customizations to suricata.yaml
  • update ruleset and restart Suricata as follows:
    sudo rule-update
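Finding the settings that still need re-applying is the fiddly part of that step, both here (suricata.yaml vs. suricata.yaml.bak) and in the Snort 2.9.7.2 update above on this page (snort.conf vs. snort.conf.bak). The shell example below is added here and is not part of the post or of Security Onion; the per-sensor config paths in the comments and the sample file contents are constructed for illustration.

```shell
# Added example (not from the Security Onion post or project): after the
# package update has replaced snort.conf/suricata.yaml and saved the old
# copy as *.bak, list the local settings that are missing from the new
# file so they can be re-applied before running "sudo rule-update".
so_lost_customizations() {
    # $1: backed-up config (e.g. /etc/nsm/HOSTNAME-INTERFACE/snort.conf.bak)
    # $2: freshly installed config (e.g. the snort.conf beside it)
    # Prints every non-comment, non-blank line of the backup that has no
    # exact match in the new file.  Comparison is line-exact, so a setting
    # that was merely re-indented upstream is reported as well.
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next }
         /^[ \t]*(#|$)/ { next }
         !($0 in seen)' "$2" "$1"
}

# Constructed sample data (hypothetical sensor): a customized snort.conf as
# backed up by the update, and the stock snort.conf installed over it.
SO_TMP=$(mktemp -d)
trap 'rm -rf "$SO_TMP"' EXIT
cat > "$SO_TMP/snort.conf.bak" <<'EOF'
# local sensor config
ipvar HOME_NET [10.0.0.0/8,192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
config detection: search-method ac-split

output unified2: filename snort.unified2, limit 128
EOF
cat > "$SO_TMP/snort.conf" <<'EOF'
# stock config shipped by the package
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
config detection: search-method ac-bnfa

output unified2: filename snort.unified2, limit 128
EOF

# Report what the operator still has to carry over (two lines here:
# the HOME_NET definition and the search-method setting).
so_lost_customizations "$SO_TMP/snort.conf.bak" "$SO_TMP/snort.conf"
```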

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  We have 4-day classes coming up in Atlanta, Seattle, and Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!

Monday, February 23, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Houston TX

The third run of our newly expanded 4-day Security Onion class will be in Houston TX!

If you register before March 6, you can use the following discount code for $500 off!
early-bird-91418

For more details and to register, please see:
https://security-onion-class-20150512.eventbrite.com/

Monday, February 16, 2015

Security Onion 12.04.5.1 ISO image now available

We have a new Security Onion 12.04.5.1 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of February 5, 2015!

It should also resolve the following issues:

Issue 632: ISO: add bridge-utils
https://code.google.com/p/security-onion/issues/detail?id=632

Issue 601: ISO: add foremost
https://code.google.com/p/security-onion/issues/detail?id=601

Issue 614: ISO: add securityonion-samples-shellshock
https://code.google.com/p/security-onion/issues/detail?id=614

Issue 662: ISO: add securityonion-samples-mta
https://code.google.com/p/security-onion/issues/detail?id=662

Issue 675: ISO: add xfsprogs
https://code.google.com/p/security-onion/issues/detail?id=675

Issue 602: 12.04.5.1 ISO image
https://code.google.com/p/security-onion/issues/detail?id=602

In short, it's the best release ever!

This new ISO image has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
~eundv
Eddy Simons

Training
This new ISO image will be used in our upcoming classes:
Atlanta - https://security-onion-class-20150309.eventbrite.com/
Seattle - https://security-onion-class-20150316.eventbrite.com/
Houston - https://security-onion-class-20150512.eventbrite.com/
Online - https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.1 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

MD5: 02a49a06a55df8997669b4df9f1048a0
SHA1: 3cf32398d2859d0ca4009cdf13df0bb4f4ab98d9

Existing Deployments
If you have existing installations based on a previous 12.04 ISO image, there is no need to download the new 12.04.5.1 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Tuesday, February 10, 2015

ISO Testers wanted!

We have a new 12.04.5.1 ISO image ready for testing that will be used in the upcoming 4-day classes in Atlanta and Seattle.  If you have some time and can help us test in the next day or two, please join our security-onion-testing group and follow the instructions here:
https://groups.google.com/d/topic/security-onion-testing/82sgMwnrLxA/discussion

Thanks!

Monday, February 9, 2015

Save the Date: Security Onion Conference 2015

Last year's Security Onion Conference was an overwhelming success!

This year's Security Onion Conference will be held in Augusta GA on Friday September 11 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

I'll publish more details about the Security Onion Conference as they are finalized.

Friday, February 6, 2015

Next session of Security Onion 101

The first two sessions of Security Onion 101 sold out quickly, so we're going to run another session of the same class on Monday, March 2.

For more details and to register, please use the following link (then click "read more..." for full description):
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

New securityonion-et-rules package

I've updated our securityonion-et-rules package in preparation for our upcoming 12.04.5.1 ISO image.  This is a static set of free NIDS rules from Emerging Threats that is only used if you have LOCAL_NIDS_RULE_TUNING=yes in /etc/nsm/securityonion.conf (most users should have LOCAL_NIDS_RULE_TUNING=no which causes PulledPork to download updated rules from the Internet).

This package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 683: securityonion-et-rules: update for new ISO
https://code.google.com/p/security-onion/issues/detail?id=683

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Thursday, February 5, 2015

Bro 2.3.2 now available!

Bro 2.3.2 was recently released:
http://blog.bro.org/2015/01/bro-232-release.html

I've packaged Bro 2.3.2 and updated the securityonion-bro-scripts package.  The new packages are as follows:
securityonion-bro - 2.3.2-0ubuntu0securityonion1
securityonion-bro-scripts - 20121004-0ubuntu0securityonion39

These packages resolve the following issues:

Issue 680: Bro 2.3.2
https://code.google.com/p/security-onion/issues/detail?id=680

These packages have been tested by David Zawdie and Kevin Branch (thanks!).

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Release Notes
After updating to the new packages, you should restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Wednesday, February 4, 2015

New NSM and ossec_agent.tcl packages resolve several issues

Brian Kellogg submitted a patch for ossec_agent.tcl that allows you to enable or disable DNS lookups.  Thanks, Brian!  I've packaged this and also updated the NSM package to resolve several issues.

The new packages are as follows:

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion114
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion7

These new packages should resolve the following issues:

Issue 684: NSM: nsm_server_ps-start needs to create /var/log/sguild/ if it doesn't already exist
https://code.google.com/p/security-onion/issues/detail?id=684

Issue 686: NSM: nsm_server_ps-start needs to set permissions on /var/log/nsm/so-elsa/ properly
https://code.google.com/p/security-onion/issues/detail?id=686

Issue 687: NSM: nsm_sensor_ps-start should set permissions on /var/log/nsm/HOSTNAME-INTERFACE/ properly
https://code.google.com/p/security-onion/issues/detail?id=687

Issue 689: NSM: add USE_DNS option to ossec_agent.conf
https://code.google.com/p/security-onion/issues/detail?id=689

Issue 688: ossec_agent: add option to disable DNS lookups
https://code.google.com/p/security-onion/issues/detail?id=688

These new packages have been tested by David Zawdie (thanks!).

Release Notes
After updating to the new packages, the next time that the NSM scripts start ossec_agent.tcl, they will add a new USE_DNS option to /etc/nsm/ossec/ossec_agent.conf and default it to 0 (disabled).  This results in much better performance for ossec_agent.tcl.

If you need to revert to the previous behavior of DNS lookups enabled and don't mind the additional lookup delay, you can change USE_DNS to 1 (enabled) and then restart ossec_agent.tcl:
sudo nsm_sensor_ps-restart --only-ossec-agent

Also note that these packages move ossec_agent.tcl to /usr/bin/.

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Tuesday, February 3, 2015

New ELSA packages parse additional fields out of Bro dns.log

Pietro Delsante contributed some updated parsers for Bro and BIND DNS logs (thanks, Pietro!) and I've updated the securityonion-elsa-extras package with these new parsers.  I've also updated the securityonion-web-page package to include some new ELSA queries for these newly exposed BRO_DNS fields.  The new packages are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion56
securityonion-web-page - 20141015-0ubuntu0securityonion15

These new packages should resolve the following issues:

Issue 668: ELSA: pdbtool errors
https://code.google.com/p/security-onion/issues/detail?id=668

Issue 669: ELSA: update parsers for Bro DNS and BIND
https://code.google.com/p/security-onion/issues/detail?id=669

Issue 670: securityonion-web-page: add queries for updated bro_dns parser
https://code.google.com/p/security-onion/issues/detail?id=670

Issue 685: securityonion-web-page: update links
https://code.google.com/p/security-onion/issues/detail?id=685

These new packages have been tested by Pietro Delsante and David Zawdie (thanks!).

Screenshots

Update process

DNS - Top Query Class

DNS - Top Query Type

DNS - Top Return Code


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Monday, February 2, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Seattle WA

The second run of our newly expanded 4-day Security Onion class will be in Seattle WA!

If you register before February 20, you can use the following discount code for $500 off!
early-bird-51414

For more details and to register, please see:
https://security-onion-class-20150316.eventbrite.com

Thursday, January 29, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Atlanta GA

Our Security Onion onsite class is expanding to 4 days!  This first 4-day session will be in Atlanta GA.

If you register before February 13, you can use the following discount code for $500 off!
early-bird-41173

For more details and to register, please see:
https://security-onion-class-20150309.eventbrite.com

Tuesday, January 27, 2015

New NSM/setup/sostat packages

I've updated the NSM, setup, and sostat packages and the new package versions are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion110
securityonion-setup - 20120912-0ubuntu0securityonion130
securityonion-sostat - 20120722-0ubuntu0securityonion32

These new packages have been tested by the following (thanks!):
David Zawdie
Mike Pilkington

Issues Resolved

Issue 663: sosetup: sosetup.conf SGUIL_CLIENT_PASSWORD_1 should say Sguil/Squert/ELSA/Snorby
https://code.google.com/p/security-onion/issues/detail?id=663

Issue 664: sosetup: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=664

Issue 666: sostat: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=666

Issue 665: NSM: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=665

Issue 676: NSM: run Sguil as non-root user
https://code.google.com/p/security-onion/issues/detail?id=676

Issue 671: NSM: /etc/cron.d/sensor-clean needs 2>&1
https://code.google.com/p/security-onion/issues/detail?id=671

Release Notes
If you normally restart Bro with "sudo broctl restart", this will restart Bro as root.  To restart Bro as a non-root user, please use "sudo nsm_sensor_ps-restart --only-bro" instead.

Screenshots
Update Process

After updating, stop all processes with "sudo service nsm stop" and then restart all processes with "sudo service nsm start" so that they will now be running as a non-root user.
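A quick way to confirm that the restart actually dropped root for Bro and Sguil is to check the process owners afterwards. The shell example below is added here and is not part of the post or of Security Onion; the process listing is constructed, and the command names it checks (bro, and tclsh for sguild) are an assumption to verify against ps on your own sensor.

```shell
# Added example (not from the Security Onion post or project): confirm that
# the NSM daemons the post moves to non-root users (Bro, Sguil) are no
# longer owned by root after "sudo service nsm stop" / "start".
so_root_procs() {
    # $1: process listing, one "user command" pair per line, as produced by
    #     `ps -eo user=,comm=`
    # $2: space-separated command names to check, e.g. "bro tclsh"
    #     (sguild is a Tcl script, so it is assumed to appear under the
    #     interpreter name; confirm the exact comm values with ps)
    # Prints "user command" for each listed daemon still running as root.
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) check[w[i]] = 1 }
        ($2 in check) && $1 == "root" { print $1, $2 }'
}

so_check_nonroot() {
    # Exit 0 when none of the listed daemons run as root, 1 otherwise.
    [ -z "$(so_root_procs "$1" "$2")" ]
}

# Constructed sample listing (hypothetical sensor, mid-way through the
# restart): Bro has been restarted as user "bro" but a stale root copy is
# still around; sguild already runs as user "sguil".
SAMPLE_PS='root sshd
sguil tclsh
root bro
bro bro
root snort'

# Live use on a sensor: so_check_nonroot "$(ps -eo user=,comm=)" "bro tclsh"
if so_check_nonroot "$SAMPLE_PS" "bro tclsh"; then
    echo "all listed daemons run as non-root users"
else
    echo "still running as root:"
    so_root_procs "$SAMPLE_PS" "bro tclsh"
fi
```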

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!