Monday, August 24, 2015

New NSM and Setup packages

The recent Bro 2.4 package had new default settings for SpoolDir and LogDir in broctl.cfg which required updates to our NSM and Setup scripts.  Pete also submitted a pull request for the NSM scripts:
https://github.com/Security-Onion-Solutions/securityonion-nsmnow-admin-scripts/pull/2

Here are the updated packages:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion122
securityonion-setup - 20120912-0ubuntu0securityonion157
These new packages resolve the following issues:

Issue 797: NSM: update SpoolDir and LogDir in broctl.cfg
https://github.com/Security-Onion-Solutions/security-onion/issues/797

Issue 799: NSM: add stderr redirect to stdout on adduser
https://github.com/Security-Onion-Solutions/security-onion/issues/799

Issue 800: Setup: update SpoolDir and LogDir in broctl.cfg
https://github.com/Security-Onion-Solutions/security-onion/issues/800

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, August 20, 2015

New securityonion-libcapture-tiny-perl package avoids conflict with x2go

Users trying to install x2go have reported conflicts with our securityonion-libcapture-tiny-perl package.  I've updated this package to avoid these conflicts.  The new package version is:
securityonion-libcapture-tiny-perl - 0.22-0ubuntu0securityonion1

This new package resolves the following issue:

Issue 728: securityonion-libcapture-tiny-perl should Provides: libcapture-tiny-perl
https://github.com/Security-Onion-Solutions/security-onion/issues/728

This new package has been tested by Tommy Dew and James Taylor (thanks!).

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, August 19, 2015

New rule-update and Setup packages

You may have previously experienced intermittent issues when the daily cron job runs rule-update to update your NIDS ruleset.  Because all Security Onion sensors around the world run their cron job at the same time, this was causing high load on the rule sites and some downloads would occasionally fail.  I've modified rule-update to avoid this issue and the changes are as follows:

  • no changes when running interactively from a shell (sudo rule-update)
  • no changes for sensor-only installations that have salt enabled as they don't use rule-update anyway
  • when running from a cron job:
    • if running on a master server, rule-update will sleep for a random number of minutes (up to 50) to avoid overwhelming rule update sites
    • if running on a sensor with salt disabled, rule-update will sleep for 60 minutes to allow the master server time to download the rules so that the sensor can then scp them
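The cron-time delay logic described above, as an added example in POSIX sh (not the actual rule-update script): role and salt state are passed as arguments rather than read from /etc/nsm/securityonion.conf, and "interactive" is detected with a tty check, which is an assumption about how the real script decides.

```shell
#!/bin/sh
# Added example, not the Security Onion rule-update script: return the number
# of minutes rule-update should sleep before fetching rules, following the
# rules in the announcement. Role/salt detection is modelled as arguments.
#
# Usage: rule_update_delay <interactive yes|no> <role master|sensor> <salt yes|no>

rule_update_delay() {
    interactive="$1"; role="$2"; salt="$3"

    # Run from a shell (sudo rule-update): no delay at all.
    if [ "$interactive" = "yes" ]; then
        echo 0; return 0
    fi

    case "$role" in
        master)
            # Spread master servers over 0..50 minutes so they do not all hit
            # the rule sites at once; awk's rand() keeps this POSIX sh.
            awk 'BEGIN { srand(); print int(rand() * 51) }'
            ;;
        sensor)
            if [ "$salt" = "yes" ]; then
                # Salt-managed sensors get rules pushed; rule-update is not used.
                echo 0
            else
                # Give the master a full hour to finish its own download
                # before this sensor scp's the rules from it.
                echo 60
            fi
            ;;
        *)
            echo "unknown role: $role" >&2; return 1
            ;;
    esac
}

# Assumed interactivity test: stdin is a terminal when a human runs the
# script, and is not when cron does.
detect_interactive() {
    if [ -t 0 ]; then echo yes; else echo no; fi
}

# Stand-alone demonstration of the master-server path.
if [ "${RULE_UPDATE_DEMO:-no}" = "yes" ]; then
    delay=$(rule_update_delay "$(detect_interactive)" master no)
    echo "would sleep ${delay} minute(s) before fetching rules"
    # The real cron job would then: sleep $((delay * 60))
fi
```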

Here are the updated packages:
securityonion-rule-update - 20120726-0ubuntu0securityonion29
securityonion-setup - 20120912-0ubuntu0securityonion156

These new packages resolve the following issues:

Issue 724: /etc/cron.d/rule-update should avoid overwhelming rule sites
https://github.com/Security-Onion-Solutions/security-onion/issues/724

Issue 791: sosetup: change rule-update verbiage
https://github.com/Security-Onion-Solutions/security-onion/issues/791

These new packages have been tested by Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, August 18, 2015

Snort 2.9.7.5 now available for Security Onion!

Snort 2.9.7.5 was recently released:
http://blog.snort.org/2015/07/snort-2975-is-now-available-on-snortorg.html

I've updated our Snort packages:
securityonion-snort - 2.9.7.5-0ubuntu0securityonion1
securityonion-daq - 2.0.6-0ubuntu0securityonion1

These new packages resolve the following issues:

Issue 784: Snort 2.9.7.5
https://github.com/Security-Onion-Solutions/security-onion/issues/784

Issue 788: DAQ 2.0.6
https://github.com/Security-Onion-Solutions/security-onion/issues/788

These new packages have been tested by James Taylor and Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update
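To see which local customizations the update did not carry over, the following added helper (not part of the Security Onion packages) lists every ipvar/portvar/var definition in snort.conf.bak that is missing from or changed in the new snort.conf. The sample files are constructed for a stand-alone run; real files live under /etc/nsm/HOSTNAME-INTERFACE/.

```shell
#!/bin/sh
# Added example, not Security Onion packaging code: compare variable
# definitions between a backed-up snort.conf and the freshly installed one.
# HOME_NET and EXTERNAL_NET are migrated by the package and should not appear.

# Print one normalized "TYPE NAME VALUE" line per variable definition.
snort_vars() {
    sed -e 's/^[[:space:]]*//' "$1" \
      | grep -E '^(ipvar|portvar|var)[[:space:]]+[A-Za-z0-9_]+[[:space:]]+' \
      | awk '{ $1 = $1; print }'   # collapse runs of whitespace
}

# Print definitions present in the backup but absent (or different) in the new file.
snort_missing_vars() {
    bak="$1"; new="$2"
    snort_vars "$bak" | while IFS= read -r line; do
        if ! snort_vars "$new" | grep -Fxq -- "$line"; then
            echo "$line"
        fi
    done
}

# Constructed sample configs (not real Security Onion files).
make_sample_confs() {
    dir="$1"
    cat > "$dir/snort.conf.bak" <<'EOF'
# old, locally customized config
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS [10.0.0.53]
portvar HTTP_PORTS [80,8080,8443]
var RULE_PATH /etc/nsm/rules
EOF
    cat > "$dir/snort.conf" <<'EOF'
# new config: only HOME_NET/EXTERNAL_NET were migrated
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/nsm/rules
EOF
}

# Stand-alone run against the constructed files.
if [ "${SNORT_VARS_DEMO:-no}" = "yes" ]; then
    tmp=$(mktemp -d)
    make_sample_confs "$tmp"
    echo "Definitions to re-apply from snort.conf.bak:"
    snort_missing_vars "$tmp/snort.conf.bak" "$tmp/snort.conf"
    rm -rf "$tmp"
fi
```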

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, August 17, 2015

Snorby 2.6.3 package now available (final update before it is removed from Security Onion)

Snorby 2.6.3 was recently released to resolve some XSS issues:
https://github.com/Snorby/snorby/commit/5a3a33cf496b66be7ef4bd7d3cce0a996e1d2112

I've packaged Snorby 2.6.3 and the new package version is as follows:
securityonion-snorby - 20150704-0ubuntu0securityonion5

This new package has been tested by James Taylor.  Thanks, James!

PLEASE NOTE!  This will most likely be our last Snorby package update.  The creator and lead developer of Snorby has left the project and so Snorby is now considered unmaintained.  Snorby will be removed from Security Onion in the future and so you should begin transitioning to Squert, Sguil, and/or ELSA.  If you'd like to go ahead and disable Snorby in your existing deployment, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/DisablingProcesses#disabling-snorby

Issues Resolved

Issue 766: Snorby 2.6.3
https://github.com/Security-Onion-Solutions/security-onion/issues/766

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, August 6, 2015

Monday, August 3, 2015

Bro 2.4 now available for Security Onion!

Bro 2.4 was recently released:
http://blog.bro.org/2015/06/bro-24-released.html

I've packaged Bro 2.4 and updated the securityonion-bro-scripts, securityonion-elsa-extras, and securityonion-capme packages.  The new packages are as follows:
securityonion-bro - 2.4-0ubuntu0securityonion2
securityonion-bro-scripts - 20121004-0ubuntu0securityonion43
securityonion-elsa-extras - 20131117-1ubuntu0securityonion99
securityonion-capme - 20121213-0ubuntu0securityonion23
These packages resolve the following issues:

Issue 743: Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/743

Issue 752: securityonion-bro-scripts: update sensortab.bro for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/752

Issue 753: securityonion-bro-scripts: update shellshock module for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/753

Issue 754: securityonion-bro-scripts: update extract.bro for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/754

Issue 762: securityonion-elsa-extras: update bro_conn parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/762

Issue 765: securityonion-elsa-extras: update bro_intel parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/765

Issue 768: securityonion-elsa-extras: update bro_ssl parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/768

Issue 774: securityonion-elsa-extras: update bro_ssh parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/774

Issue 773: securityonion-elsa-extras: add Windows and Cisco parsers from Brian Kellogg
https://github.com/Security-Onion-Solutions/security-onion/issues/773

Issue 793: CapMe: Update for Bro 2.4 conn.log
https://github.com/Security-Onion-Solutions/security-onion/issues/793

These packages have been tested by the following (thanks!):
James Taylor
Jay Swan
Heine Lysemose
Tommy Dew
Brian Kellogg

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

UPDATED 2015-08-10 to add securityonion-capme required due to new field in Bro conn.log.

Wednesday, July 29, 2015

New securityonion-web-page package resolves two issues

I've updated the securityonion-web-page package to resolve two issues.  The new package version is as follows:
securityonion-web-page - 20141015-0ubuntu0securityonion27

Issues Resolved

Issue 767: securityonion-web-page: add SSL Top Subjects query
https://github.com/Security-Onion-Solutions/security-onion/issues/767

Issue 775: securityonion-web-page: add groupby:site to ELSA HTTP SQL Injection query
https://github.com/Security-Onion-Solutions/security-onion/issues/775

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, July 28, 2015

New securityonion-setup package allows you to disable Snorby

I've updated the Setup package to resolve several issues, including allowing you to disable Snorby.  It should work as follows:

  • choosing Quick Setup still defaults to enabling Snorby automatically.  It will automatically set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf and enable the snorby output in /etc/nsm/HOSTNAME-INTERFACE/barnyard2-1.conf.
  • choosing Advanced Setup and then Server will ask if you want to enable or disable Snorby.  If you choose yes, it will set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf.  Otherwise, it will set SNORBY_ENABLED=no.
  • choosing Advanced Setup and then Standalone will ask if you want to enable or disable Snorby.  If you choose yes, it will set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf and enable the snorby output in all /etc/nsm/*/barnyard*.conf files.  If you instead choose no, it will set SNORBY_ENABLED=no and disable (comment out) the snorby output in all /etc/nsm/*/barnyard*.conf files.
  • choosing Sensor will check /etc/nsm/securityonion.conf on the master server to see if SNORBY_ENABLED=no and, if so, disable (comment out) the Snorby output in all /etc/nsm/*/barnyard*.conf files.

Snorby is going away in the future and so you should begin transitioning to Squert, Sguil, and/or ELSA.  If you'd like to disable Snorby in your existing deployment, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/DisablingProcesses#disabling-snorby

The new package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion155

Issues Resolved

Issue 769: sosetup: allow user to enable/disable Snorby
https://github.com/Security-Onion-Solutions/security-onion/issues/769

Issue 596: sosetup: sensor should stop/disable Apache and Snorby worker
https://github.com/Security-Onion-Solutions/security-onion/issues/596

Issue 693: sosetup: improve input validation for email address
https://github.com/Security-Onion-Solutions/security-onion/issues/693

Issue 764: sosetup: fix typo in sosetup.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/764

Issue 605: sosetup: replace tmp with mktemp
https://github.com/Security-Onion-Solutions/security-onion/issues/605

Issue 771: sosetup: comment out 2 examples in top.sls
https://github.com/Security-Onion-Solutions/security-onion/issues/771

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, July 10, 2015

Registration for the 2015 Security Onion Conference is now open

Registration for the 2015 Security Onion Conference in Augusta GA is now open!
http://security-onion-conference-2015.eventbrite.com/

New securityonion-sguil-agent-ossec package resolves an issue

Brian Kellogg sent in a patch for the securityonion-sguil-agent-ossec package to parse syslog IP addresses.  Thanks, Brian!

The new package version is as follows:
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion16

Issues Resolved
Issue 760: ossec_agent: Add source of syslog as destination IP for Sguil alert
https://github.com/Security-Onion-Solutions/security-onion/issues/760

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, July 9, 2015

New securityonion-tcpudpflow package resolves an issue

I've updated the securityonion-tcpudpflow package to improve the formatting of the Bro transcript option when processing UDP (primarily DNS) traffic.  The new package version is as follows:
securityonion-tcpudpflow - 001-0ubuntu0securityonion3

Screenshots
The Bro transcript option now clearly shows 3 separate sections: "Bro UDP output from SRC", "Bro UDP output from DST", and "Bro DNS analyzer output"

Issues Resolved
Issue 761: securityonion-tcpudpflow: remove connection_state_remove event handler
https://github.com/Security-Onion-Solutions/security-onion/issues/761

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, July 8, 2015

New sostat package resolves an issue

I've updated the sostat package to resolve an issue.  The new package version is as follows:
securityonion-sostat - 20120722-0ubuntu0securityonion35

Issues Resolved
Issue 763: sostat: show last update
https://github.com/Security-Onion-Solutions/security-onion/issues/763

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, July 6, 2015

Security Onion 12.04.5.2 ISO image now available

We have a new Security Onion 12.04.5.2 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of June 17, 2015!

This resolves the following issue:

Issue 733: 12.04.5.2 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/733

This new ISO image has been tested by the following (thanks!):
Shane Castle
James Taylor
Robert Bardo
Jeff Tehovnik
Jay Holmes
LeeJR

Training
This new ISO image will be used in our upcoming class in the Washington DC area:
http://security-onion-class-20150810.eventbrite.com/

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.2 ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

MD5 e35846293dcecf76e5b8d39f6d48c9de
SHA1 a8c04e9bde175425835537cb3d9b336e2614a363
SHA256 53a775a746bf64ea5b3b689aded3f0b288bc86de5e7cd1057358307b93bc6b5f

Existing Deployments
If you have existing installations based on a previous ISO image, there is no need to download the new 12.04.5.2 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Monday, June 29, 2015

OSSEC 2.8.2 now available!

OSSEC 2.8.2 was recently released:
http://www.ossec.net/?p=1198

I've packaged OSSEC 2.8.2 and the new package version is as follows:

ossec-hids-server - 2.8.2-ubuntu10securityonion2

The new package has been tested by the following (thanks!):
James Taylor
Shane Castle

Issues Resolved

Issue 745: OSSEC 2.8.2
https://github.com/Security-Onion-Solutions/security-onion/issues/745

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

After installing the new OSSEC package, you'll need to double-check /var/ossec/etc/ossec.conf and add back any local customizations.  You can then restart OSSEC as follows:
sudo service ossec-hids-server restart

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, June 19, 2015

New Setup package resolves an issue

I've updated our Setup package and the new package is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion142

This new package resolves the following issue:

Issue 744: sosetup: Restart Apache to activate new ELSA apikey
https://github.com/Security-Onion-Solutions/security-onion/issues/744

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 18, 2015

New NSM package resolves an issue

Pete sent a patch for the nsm-watchdog cron job that should help avoid a race condition.  I've applied the patch and the new package is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion120

This new package resolves the following issue:

Issue 751: NSM: change watchdog run time to avoid race condition
https://github.com/Security-Onion-Solutions/security-onion/issues/751

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

4-day Security Onion Training in the Washington DC area

The next run of our expanded 4-day Security Onion class will be in the Washington DC area in August!

For more details and to register, please see:
http://security-onion-class-20150810.eventbrite.com/

Wednesday, June 17, 2015

New ELSA packages resolve three issues

ELSA 1205 packages were recently released:
http://blog.securityonion.net/2015/06/elsa-1205-now-available.html

A few issues were found so I've built these new packages:

securityonion-elsa - 1205-1ubuntu0securityonion5
securityonion-elsa-extras - 20131117-1ubuntu0securityonion91

These new packages resolve the following issues:

Issue 746: ELSA 1205 package enabled perl module on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/746

Issue 747: ELSA 1205 package duplicated syslog-ng.conf entries on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/747

Issue 748: ELSA 1205 package didn't add the pid column to the query_log table for upgrades
https://github.com/Security-Onion-Solutions/security-onion/issues/748

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

New tcltls package resolves OpenSSL issue

Recent OpenSSL changes prevented the default Debian/Ubuntu tcltls package from working properly, so I've built a new one:
tcltls - 1.5.0.dfsg-10build1securityonion2

This new package resolves the following issue:

Issue 749: Update tcl-tls package and replace DH512 key with DH2048
https://github.com/Security-Onion-Solutions/security-onion/issues/749

This new package has been tested by the following (thanks!):
Shane Castle
James Taylor
Larry Layten
hakawarrior

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you continue to have issues with the Sguil client/agents connecting to sguild, you may need to restart services:
sudo service nsm restart

and/or reboot:
sudo reboot

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 11, 2015

Please do not update until further notice! Ubuntu SSL packages seem to cause issues.


UPDATE 2015/06/17 08:52
All clear! You may safely resume your normal "soup" updates! New tcl-tls package resolves the OpenSSL issue:
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

UPDATE 2015/06/12 7:18
Please see the following mailing list thread for updated information:
https://groups.google.com/d/topic/security-onion/E7HdGGUuq6c/discussion

New securityonion-nsmnow-admin-scripts package resolves an issue

If you're running salt, you may have noticed that if you run a command like this:
sudo salt '*' cmd.run 'service nsm status'
you get some garbled output as the bash color codes aren't interpreted by salt.  I've updated the NSM scripts to only output these color codes if they are running on a tty.  The result looks much better:

The new package version is:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion119
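The tty check behind this fix, as an added example in POSIX sh (not the securityonion-nsmnow-admin-scripts code): colour escapes are emitted only when stdout is a terminal, so output captured by salt cmd.run, a pipe, or a log file stays plain. The status-line format and service names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not Security Onion code: emit bash colour codes only when
# stdout is a terminal, the fix described for 'service nsm status' under salt.

# Succeed when file descriptor 1 (stdout) is a terminal.
stdout_is_tty() {
    [ -t 1 ]
}

# Wrap text in an ANSI SGR sequence when on_tty is "yes", else return it plain.
# The tty verdict is a parameter so callers can decide it before any command
# substitution (whose stdout is never a tty) hides the real answer.
colorize() {
    code="$1"; text="$2"; on_tty="$3"
    if [ "$on_tty" = "yes" ]; then
        printf '\033[%sm%s\033[0m' "$code" "$text"
    else
        printf '%s' "$text"
    fi
}

# One status line in the style of a service status report: green OK / red FAIL
# on a terminal, uncoloured everywhere else (salt, pipes, cron mail).
status_line() {
    name="$1"; state="$2"
    if stdout_is_tty; then tty=yes; else tty=no; fi
    case "$state" in
        OK)   verdict=$(colorize 32 OK "$tty") ;;
        FAIL) verdict=$(colorize 31 FAIL "$tty") ;;
        *)    verdict="$state" ;;
    esac
    printf '  * %-20s [%s]\n' "$name" "$verdict"
}

# Stand-alone demonstration with constructed service names: run it directly
# for colour, pipe it through cat to see the plain form salt would receive.
if [ "${NSM_COLOR_DEMO:-no}" = "yes" ]; then
    status_line sguild OK
    status_line barnyard2-1 FAIL
fi
```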

Issues Resolved

Issue 732: NSM: only output color codes if running on a tty
https://github.com/Security-Onion-Solutions/security-onion/issues/732

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, June 10, 2015

ELSA 1205 now available!

I've updated our packages to reflect the latest version of ELSA:

securityonion-capme - 20121213-0ubuntu0securityonion21
securityonion-elsa - 1205-1ubuntu0securityonion4
securityonion-elsa-extras - 20131117-1ubuntu0securityonion88
securityonion-libdata-google-visualization-datatable-perl - 0.11-0ubuntu0securityonion1
securityonion-libdata-serializable-perl - 0.41.0-0ubuntu0securityonion1
securityonion-libmodule-pluggable-perl - 5.1-0ubuntu0securityonion1
securityonion-libmoosex-classattribute-perl - 0.27-0ubuntu0securityonion1
securityonion-libnet-ldap-express-perl - 0.12-0ubuntu0securityonion1
securityonion-libnet-openssh-perl - 0.64-0ubuntu0securityonion1
securityonion-libplack-builder-conditionals-perl - 0.05-0ubuntu0securityonion4
securityonion-libplack-middleware-crossorigin-perl - 0.012-0ubunt0securityonion3
securityonion-libsearch-queryparser-sql-perl - 0.010-0ubuntu0securityonion2
securityonion-libsocket-perl - 2.019-0ubuntu0securityonion2
securityonion-libsys-hostname-fqdn-perl - 0.12-0ubuntu0securityonion2
securityonion-libtime-hires-perl - 1.9726-0ubuntu0securityonion2
securityonion-liburi-encode-perl - 1.0.1-0ubuntu0securityonion1
securityonion-liburl-encode-perl - 0.03-0ubuntu0securityonion1
securityonion-setup - 20120912-0ubuntu0securityonion141
securityonion-web-page - 20141015-0ubuntu0securityonion25

These new packages resolve the following issues:

Issue 657: ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/657
This version of ELSA fixes many bugs in our previous version of ELSA.

Issue 447: ELSA syslog-ng.conf rewrite r_pipes
https://github.com/Security-Onion-Solutions/security-onion/issues/447
Syslog-ng will now rewrite any vertical pipes found in Bro logs to ensure correct parsing.

Issue 512: ELSA syslog-ng.conf filter f_bro_headers
https://github.com/Security-Onion-Solutions/security-onion/issues/512
Syslog-ng will now filter out headers in Bro logs.

Issue 726: ELSA syslog-ng.conf - add filesystem destinations
https://github.com/Security-Onion-Solutions/security-onion/issues/726
Syslog-ng will now output some logs to their standard filesystem locations.  This allows OSSEC to monitor those logs and detect, for example, SSH brute forcing.

Issue 674: ELSA - update bro_notice parser to parse src and dst fields
https://github.com/Security-Onion-Solutions/security-onion/issues/674
Syslog-ng will now parse src and dst fields out of Bro Notices.
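The three Bro log transformations in Issues 447, 512 and 674 can be seen on sample data with the following added shell example (it is not Security Onion's syslog-ng.conf; awk stands in for syslog-ng's rewrite, filter and parser). Column positions are read from the #fields header, so no fixed notice.log column order is assumed; the sample log is constructed and reduced to a few columns, and the "_" replacement character is an assumption, since the post does not say what the pipes are rewritten to.

```shell
#!/bin/sh
# Added example (not Security Onion's syslog-ng.conf): drop Bro log header
# lines, rewrite literal vertical pipes, and pull src/dst out of notice.log
# records, with awk standing in for syslog-ng.

# Constructed sample in Bro ASCII log format (tab-separated). Reduced to a
# handful of columns; real notice.log files carry many more.
sample_notice_log() {
  printf '#separator \\x09\n'
  printf '#fields\tts\tuid\tid.orig_h\tnote\tmsg\tsrc\tdst\n'
  printf '#types\ttime\tstring\taddr\tenum\tstring\taddr\taddr\n'
  printf '1433970000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\tScan::Port_Scan\t10.0.0.5 scanned 15 ports of 192.0.2.7\t10.0.0.5\t192.0.2.7\n'
  printf '1433970001.000000\t-\t10.0.0.9\tWeird::Activity\todd|pipe|in|msg\t10.0.0.9\t192.0.2.8\n'
  printf '#close\t2015-06-10-21-00-00\n'
}

# bro_notice_srcdst: read a Bro notice.log on stdin and print, per record,
# ts, note, src, dst and msg. Header lines (#separator, #fields, #types,
# #close, ...) are dropped, and any literal "|" inside a field is rewritten
# to "_" (assumed replacement). In a pipe-delimited downstream format a stray
# pipe inside a value would shift every later column, which is why the
# rewrite matters for correct parsing.
bro_notice_srcdst() {
  awk -F'\t' -v OFS='\t' '
    /^#fields\t/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/         { next }
    !("src" in col) || !("dst" in col) {
      print "data before a usable #fields header" > "/dev/stderr"; exit 1
    }
    {
      gsub(/\|/, "_")
      print $col["ts"], $col["note"], $col["src"], $col["dst"], $col["msg"]
    }'
}

# Demonstration on the constructed sample:
sample_notice_log | bro_notice_srcdst
```

The header lines are what Issue 512 filters out; without the #fields line the script refuses to guess column positions and exits, which is the safer failure when a log format changes between Bro versions.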

Issue 722: securityonion-web-page: update HTTP mime type queries for ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/722
This fixes some of the existing ELSA queries to work with ELSA 1205 and also adds some new queries.

Issue 723: CapMe: Update for new ELSA API
https://github.com/Security-Onion-Solutions/security-onion/issues/723
CapME now queries the ELSA JSON API and also handles error conditions much more gracefully.

Issue 500: sosetup: restart starman
https://github.com/Security-Onion-Solutions/security-onion/issues/500
When running Setup and choosing sensor-only, starman should now restart properly.

Issue 504: sosetup: avoid writing ELSA_PORT twice in SSH_CONF
https://github.com/Security-Onion-Solutions/security-onion/issues/504
When running Setup and choosing sensor-only, Setup should only write ELSA_PORT in SSH_CONF once.

Issue 547: sosetup: if enabling salt on a sensor, check top.sls to make sure it doesn't already exist
https://github.com/Security-Onion-Solutions/security-onion/issues/547
When re-running Setup on a sensor, it should no longer duplicate the sensor's entry in top.sls on the master server.

Issue 740: sosetup: sensor should use sudo to restart apache on master
https://github.com/Security-Onion-Solutions/security-onion/issues/740
When running Setup and choosing sensor-only and selecting to update the ELSA server, it should now properly restart Apache on the master server using sudo.

Issue 741: sosetup: sometimes local salt-minion doesn't check in with local salt-master quickly enough
https://github.com/Security-Onion-Solutions/security-onion/issues/741
When running Setup and choosing Advanced Setup and then Master-only or Standalone and enabling Salt, Setup should now check to see if the salt-minion has checked in every second, waiting up to 60 seconds before timing out.
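An added shell example of that bounded polling loop (not Setup's own code): wait_for runs a check command once per second and gives up after the given number of seconds. minion_checked_in is an assumed stand-in for Setup's actual test; it uses salt-key -l acc to see whether the local minion's key appears in the master's accepted list. The same loop shape is what a stop-with-timeout for NSM services (Issue 241, further down this page) needs.

```shell
#!/bin/sh
# Added example (not Setup's own code): a bounded poll in the style the
# post describes, re-checking once per second and giving up after a timeout.

# wait_for TIMEOUT CMD [ARG...]: run CMD every second until it succeeds.
# Returns 0 as soon as CMD succeeds, 1 once TIMEOUT seconds have elapsed.
wait_for() {
  timeout=$1
  shift
  elapsed=0
  until "$@" >/dev/null 2>&1; do
    elapsed=$((elapsed + 1))
    if [ "$elapsed" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
  done
  return 0
}

# Assumed check for "the minion has checked in": the local minion id shows
# up in the master's accepted key list. Setup's real test may differ.
minion_checked_in() {
  salt-key -l acc 2>/dev/null | grep -qx "$(hostname)"
}

# Usage (not run here, it needs a salt-master on the box):
#   if wait_for 60 minion_checked_in; then
#     echo "salt-minion is up"
#   else
#     echo "salt-minion did not check in within 60s" >&2
#   fi
```

The timeout is counted in iterations rather than wall-clock time, which is fine for a one-second sleep; a check command that itself blocks for a long time would stretch the real wait, so keep the check cheap.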

These new packages have been tested by the following (thanks!).
Simone Bonetti
Brian Kellogg
David Zawdie
Heine Lysemose

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Screenshots
Update process

"About ELSA" now shows ELSA Rev 1205

New ELSA Query "HTTP: Sites Hosting JARs"

New ELSA Query "HTTP: Sites Hosting ZIPs"

Syslog-ng should now replace vertical pipes in Bro logs to allow more consistent parsing

Bro Scanning Notices should now be parsed correctly

CapME now uses the ELSA JSON API and provides better error handling

Syslog-ng now outputs certain logs to their standard filesystem locations, allowing OSSEC to monitor for SSH brute force

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, June 9, 2015

Next Round of Online Training Sessions - 6/29 through 7/2

The next round of online training sessions will be held Monday 6/29 through Thursday 7/2!

For more information and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Snort 2.9.7.3 now available!

Snort 2.9.7.3 was recently released:
http://blog.snort.org/2015/05/snort-2973-is-now-available.html

I've updated our Snort packages:
securityonion-snort - 2.9.7.3-0ubuntu0securityonion3
securityonion-daq - 2.0.5-0ubuntu0securityonion1

These new packages resolve the following issues:

Issue 730: Snort 2.9.7.3
https://github.com/Security-Onion-Solutions/security-onion/issues/730

Issue 731: Snort DAQ 2.0.5
https://github.com/Security-Onion-Solutions/security-onion/issues/731

These new packages have been tested by Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update



Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, June 8, 2015

New securityonion-suricata package resolves an issue

We recently released a securityonion-suricata package for Suricata 2.0.8:
http://blog.securityonion.net/2015/05/suricata-208.html

An issue was found in the packaging:
https://groups.google.com/d/topic/security-onion/1MmmmO2XOyc/discussion

I've updated the securityonion-suricata package to resolve this issue.

The new package version is:
securityonion-suricata - 2.0.8-0ubuntu0securityonion2

Issues Resolved

Issue 742: securityonion-suricata package missing debian/install
https://github.com/Security-Onion-Solutions/security-onion/issues/742

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, May 21, 2015

New securityonion-sguil-agent-ossec package resolves three issues

Brian Kellogg sent some patches for our ossec_agent for Sguil and I've updated the package.  The new package has been tested by David Zawdie and Brian Kellogg (thanks!).

The new package version is:
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion15

Issues Resolved

Issue 705: ossec_agent: improvements from Brian Kellogg
https://github.com/Security-Onion-Solutions/security-onion/issues/705

Issue 716: ossec_agent: tighten regex to only look for -> anchored to hostname or IP
https://github.com/Security-Onion-Solutions/security-onion/issues/716

Issue 717: ossec_agent: send alerts to sguild immediately instead of waiting for next alert
https://github.com/Security-Onion-Solutions/security-onion/issues/717

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, May 20, 2015

New NSM package resolves three issues

I've updated our NSM package and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion118

Issues Resolved

Issue 241: NSM scripts should have a timeout period when stopping services
https://github.com/Security-Onion-Solutions/security-onion/issues/241

Issue 392: Patch for lib-nsm-common-utils from Mark Seiden
https://github.com/Security-Onion-Solutions/security-onion/issues/392

Issue 714: nsm_server_user-disable
https://github.com/Security-Onion-Solutions/security-onion/issues/714

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, May 19, 2015

Sphinxsearch 2.1.9

I've updated our Sphinxsearch package to 2.1.9 and it has been tested by David Zawdie (thanks!).

The new package version is:
sphinxsearch - 2.1.9-release-0ubuntu15~precise

Issues Resolved
Issue 718: Sphinx 2.1.9
https://github.com/Security-Onion-Solutions/security-onion/issues/718

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, May 18, 2015

Suricata 2.0.8

Suricata 2.0.8 was recently released:
http://suricata-ids.org/2015/05/06/suricata-2-0-8-available/

I've packaged Suricata 2.0.8 and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-suricata - 2.0.8-0ubuntu0securityonion1

Issues Resolved

Issue 725: Suricata 2.0.8
https://github.com/Security-Onion-Solutions/security-onion/issues/725

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak and migrate the HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:


  • re-apply any other local customizations to suricata.yaml
  • update ruleset and restart Suricata as follows:
    sudo rule-update


Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes this week:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Saturday, May 9, 2015

Testers Needed!

We have lots of new packages queued up for release, but we need your help testing them!

If you're not already a member of our security-onion-testing group, please join and then click the following links for testing guidelines.

ELSA rev1205
https://groups.google.com/d/topic/security-onion-testing/OHhNEapIUgE/discussion

Suricata 2.0.8
https://groups.google.com/d/topic/security-onion-testing/WKeR1RViDlc/discussion

ossec_agent
https://groups.google.com/d/topic/security-onion-testing/N5gpeSHmIlk/discussion

Sphinxsearch 2.1.9
https://groups.google.com/d/topic/security-onion-testing/VWjichsRqPw/discussion

NSM
https://groups.google.com/d/topic/security-onion-testing/-cbA8FgH7lg/discussion

Setup
https://groups.google.com/d/topic/security-onion-testing/PBY2wJH9ruo/discussion

As you test each package, please add your test results to the thread.

Thanks in advance for your time and effort!

Friday, May 1, 2015

Security Onion Conference 2015 CFP

Security Onion Conference 2015 will be held in Augusta GA on Friday September 11 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

I'll publish more details about the Security Onion Conference as they are finalized.

If you have a topic you'd like to present at this year's conference, please submit here:
https://docs.google.com/forms/d/1AnREgxc4rMqqWX6pVwG2zaTQ5U2jPGUH02Wq74IiiUU

We want to hear from you!  

How are you...
...using Security Onion to fight evil?
...handling lots of traffic using Security Onion?
...integrating Security Onion with other technologies?
...automating common tasks with your own scripts?

Each talk should be 30-35 minutes with an additional 10 minutes for questions.

May 1 - CFP Open
June 1 - CFP Closed
July 1 - Speakers selected and notified

UPDATE 2015-07-10 Registration is now open!
http://security-onion-conference-2015.eventbrite.com/

Tuesday, April 28, 2015

New securityonion-rule-update package

securityonion-rule-update - 20120726-0ubuntu0securityonion28 is now available and should resolve the following issue:

Issue 715: securityonion-rule-update: sensor-only boxes running salt shouldn't try to copy /etc/cron.d/rule-update
https://github.com/Security-Onion-Solutions/security-onion/issues/715

The new package has been tested by Ryan Peck (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, April 23, 2015

Security Onion Training in May

Only 2 weeks left to register for the upcoming 4-day Security Onion class in Houston TX which will be held May 12-15.  Here's a discount code good for $400 off!
sos20150423

For more details and to register, please see:
https://security-onion-class-20150512.eventbrite.com/

If you can't make it to Houston, we also have online training sessions May 19-22:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Wednesday, April 22, 2015

New securityonion-rule-update package

securityonion-rule-update - 20120726-0ubuntu0securityonion27 is now available and should resolve the following issues:

Issue 681: rule-update: wipe snort_dynamicrules directory on sensor
https://github.com/Security-Onion-Solutions/security-onion/issues/681

Issue 677: rule-update: create /usr/local/lib/snort_dynamicrules/ if it doesn't already exist
https://github.com/Security-Onion-Solutions/security-onion/issues/677

Issue 678: rule-update: /etc/cron.d/rule-update should have 2>&1
https://github.com/Security-Onion-Solutions/security-onion/issues/678

Issue 697: rule-update: log snorby reference table update to barnyard2-snorby.log
https://github.com/Security-Onion-Solutions/security-onion/issues/697

Issue 679: rule-update: run pulledpork as unprivileged user
https://github.com/Security-Onion-Solutions/security-onion/issues/679

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, April 21, 2015

New securityonion-sostat package

securityonion-sostat - 20120722-0ubuntu0securityonion34 is now available and should resolve the following issues:

Issue 692: sostat: list number of ELSA buffers in queue and warn if higher than 20
https://github.com/Security-Onion-Solutions/security-onion/issues/692

Issue 701: sostat: include number of CPU cores
https://github.com/Security-Onion-Solutions/security-onion/issues/701

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, April 20, 2015

New securityonion-sguil-db-purge package

securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion12 is now available and should resolve the following issue:

Issue 711: Add "date" command to /usr/bin/sguil-db-purge
https://github.com/Security-Onion-Solutions/security-onion/issues/711

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, April 3, 2015

Security Onion 301: Best Practices for Distributed Deployments

Our next online class has been scheduled!  "Security Onion 301: Best Practices for Distributed Deployments" will be Tuesday, April 21.  For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Tuesday, March 31, 2015

Four package updates

I've updated four packages to resolve a few issues and these new packages have been tested by Josh Brower (thanks!).

The new package versions are as follows:
securityonion-setup - 20120912-0ubuntu0securityonion132
securityonion-sostat - 20120722-0ubuntu0securityonion33
securityonion-web-page - 20141015-0ubuntu0securityonion22
securityonion-elsa-extras - 20131117-1ubuntu0securityonion58

Issues Resolved

Issue 703: Move from Google Code to Github
https://github.com/Security-Onion-Solutions/security-onion/issues/703
Security Onion has moved to Github, so some of the hyperlinks in Setup and sostat had to be updated.

Issue 706: Add Josh Brower's ELSA parsers for process logs and sysmon
https://github.com/Security-Onion-Solutions/security-onion/issues/706
If you have Windows machines with OSSEC agents on them and process auditing enabled, ELSA now parses those "new process" logs.

Issue 709: Add fear.nothing's ELSA parsers for pfSense
https://github.com/Security-Onion-Solutions/security-onion/issues/709
If you're running pfSense firewalls and send their logs to Security Onion via syslog, ELSA will now parse them.

Issue 710: securityonion-web-page: add ELSA queries for Firewall logs and Windows Processes
https://github.com/Security-Onion-Solutions/security-onion/issues/710
Since ELSA is now parsing firewall logs and Windows processes, we provide some additional ELSA queries to slice and dice those logs.  See screenshots below.

Screenshots
Host Logs - Windows Processes

Firewall - Top SRC IPs Allowed

Firewall - Top DST IPs Allowed

Firewall - Top SRC IPs Denied

Firewall - Top DST IPs Denied


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes and also a 4-day onsite class coming up in Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, March 30, 2015

Snort 2.9.7.2 now available!

Snort 2.9.7.2 was recently released:
http://blog.snort.org/2015/03/snort-2972-has-been-released.html

I've updated our Snort package:
securityonion-snort - 2.9.7.2-0ubuntu0securityonion2

This new package resolves the following issue:

Issue 702: Snort 2.9.7.2
https://github.com/Security-Onion-Solutions/security-onion/issues/702

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing snort.conf files to snort.conf.bak.  You'll then need to do the following:


  • re-apply any local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update
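As an added check for the "re-apply any local customizations" step (example code, not part of the Security Onion packages; it applies equally to the Snort 2.9.7.3 update earlier on this page), the following shell script lists the ipvar, portvar and var settings whose values differ between snort.conf.bak and the freshly installed snort.conf, so the settings you still need to carry over are spelled out rather than hunted for in a raw diff. The sample file pair it runs on is constructed.

```shell
#!/bin/sh
# Added example (not part of the Security Onion packages): after the package
# has moved your old snort.conf to snort.conf.bak, report the ipvar/portvar/var
# settings whose values differ between the backup and the new file, so the
# local customizations still to re-apply before "sudo rule-update" are listed.
# Values containing spaces are not handled (the third field is taken as-is).

# list_snort_vars FILE: print "KIND NAME VALUE" for every ipvar, portvar or
# var line in FILE.
list_snort_vars() {
  awk '$1 == "ipvar" || $1 == "portvar" || $1 == "var" { print $1, $2, $3 }' "$1"
}

# diff_snort_vars OLD NEW: for each variable in OLD, report CHANGED when NEW
# sets a different value and MISSING when NEW does not set it at all.
diff_snort_vars() {
  old=$1
  new=$2
  list_snort_vars "$old" | while read -r kind name value; do
    newval=$(awk -v k="$kind" -v n="$name" '$1 == k && $2 == n { print $3; exit }' "$new")
    if [ -z "$newval" ]; then
      printf 'MISSING %s %s %s\n' "$kind" "$name" "$value"
    elif [ "$newval" != "$value" ]; then
      printf 'CHANGED %s %s %s -> %s\n' "$kind" "$name" "$value" "$newval"
    fi
  done
}

# write_sample_confs DIR: constructed snort.conf.bak / snort.conf pair for the
# demonstration (not real Security Onion configs).
write_sample_confs() {
  printf '%s\n' \
    'ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]' \
    'ipvar EXTERNAL_NET !$HOME_NET' \
    'portvar HTTP_PORTS [80,8080]' \
    'var RULE_PATH /etc/nsm/rules' > "$1/snort.conf.bak"
  printf '%s\n' \
    'ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]' \
    'ipvar EXTERNAL_NET !$HOME_NET' \
    'portvar HTTP_PORTS [80,8080,8443]' > "$1/snort.conf"
}

# Demonstration on the constructed pair; on a sensor, point diff_snort_vars at
# that sensor's snort.conf.bak and snort.conf instead.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
diff_snort_vars "$demo_dir/snort.conf.bak" "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

On the constructed pair this prints one CHANGED line for HTTP_PORTS and one MISSING line for RULE_PATH, while HOME_NET and EXTERNAL_NET, which the package migrated, produce nothing.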


Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, March 23, 2015

New NSM and Setup packages

I've updated our NSM and Setup packages to resolve a few issues and these new packages have been tested by Pete Nelson (thanks!).

The new package versions are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion116
securityonion-setup - 20120912-0ubuntu0securityonion131

Issues Resolved

Issue 691: NSM: chown -R $BRO_USER:$BRO_GROUP /nsm/bro >/dev/null 2>&1
https://code.google.com/p/security-onion/issues/detail?id=691

Issue 698: NSM: nsm_server_del line 170 echo_msg 0 "Deleting server: $SERVER_NAME"
https://code.google.com/p/security-onion/issues/detail?id=698

Issue 699: NSM: Bro node.cfg host=localhost
https://code.google.com/p/security-onion/issues/detail?id=699

Issue 700: Setup: Bro node.cfg host=localhost
https://code.google.com/p/security-onion/issues/detail?id=700

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes next week and a 4-day onsite class coming up in Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!