Monday, February 23, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Houston TX

The third run of our newly expanded 4-day Security Onion class will be in Houston TX!

If you register before March 6, you can use the following discount code for $500 off!
early-bird-91418

For more details and to register, please see:
https://security-onion-class-20150512.eventbrite.com/

Monday, February 16, 2015

Security Onion 12.04.5.1 ISO image now available

We have a new Security Onion 12.04.5.1 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of February 5, 2015!

It should also resolve the following issues:

Issue 632: ISO: add bridge-utils
https://code.google.com/p/security-onion/issues/detail?id=632

Issue 601: ISO: add foremost
https://code.google.com/p/security-onion/issues/detail?id=601

Issue 614: ISO: add securityonion-samples-shellshock
https://code.google.com/p/security-onion/issues/detail?id=614

Issue 662: ISO: add securityonion-samples-mta
https://code.google.com/p/security-onion/issues/detail?id=662

Issue 675: ISO: add xfsprogs
https://code.google.com/p/security-onion/issues/detail?id=675

Issue 602: 12.04.5.1 ISO image
https://code.google.com/p/security-onion/issues/detail?id=602

In short, it's the best release ever!

This new ISO image has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
~eundv
Eddy Simons

Training
This new ISO image will be used in our upcoming classes:
Atlanta - https://security-onion-class-20150309.eventbrite.com/
Seattle - https://security-onion-class-20150316.eventbrite.com/
Houston - https://security-onion-class-20150512.eventbrite.com/
Online - https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.1 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

MD5: 02a49a06a55df8997669b4df9f1048a0
SHA1: 3cf32398d2859d0ca4009cdf13df0bb4f4ab98d9
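Since the post stresses verifying the download, here is a small Python checker, added as an example (it is not part of the Installation guide or of Security Onion itself). It hashes the file in chunks so a multi-GB ISO never sits in memory, compares each digest to the published value with a constant-time comparison, and only reports success when every digest matches. The MD5 and SHA1 strings for the real ISO are the ones published above; the small sample file and its digests are constructed so the code can run without the ISO.

```python
import hashlib
import hmac
import os
import tempfile

# Digests published in the 12.04.5.1 ISO announcement above.
PUBLISHED_ISO_DIGESTS = {
    "md5": "02a49a06a55df8997669b4df9f1048a0",
    "sha1": "3cf32398d2859d0ca4009cdf13df0bb4f4ab98d9",
}

# Digests of the constructed sample file (the bytes b"abc"), NOT of the real ISO.
SAMPLE_DIGESTS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks and return the lowercase hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected):
    """Compare every published digest against the file.

    Returns {algorithm: True/False}. hmac.compare_digest does not short-circuit
    on the first differing character and simply returns False when the two
    strings differ in length (a truncated or mistyped digest).
    """
    results = {}
    for algorithm, published in expected.items():
        actual = digest_file(path, algorithm)
        results[algorithm] = hmac.compare_digest(actual, published.strip().lower())
    return results


def all_digests_match(path, expected):
    """True only when every published digest matches; any mismatch is a failure."""
    return all(verify_download(path, expected).values())


def write_sample_file(content=b"abc"):
    """Write a tiny constructed file standing in for the downloaded ISO."""
    fd, path = tempfile.mkstemp(suffix=".iso")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = write_sample_file()
    print(verify_download(sample, SAMPLE_DIGESTS))   # both True for the sample
    os.remove(sample)
```

Against the real download, call all_digests_match("securityonion-12.04.5.1.iso", PUBLISHED_ISO_DIGESTS) with the path of your copy; a single False means the image should be downloaded again, not installed.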

Existing Deployments
If you have existing installations based on a previous 12.04 ISO image, there is no need to download the new 12.04.5.1 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Tuesday, February 10, 2015

ISO Testers wanted!

We have a new 12.04.5.1 ISO image ready for testing that will be used in the upcoming 4-day classes in Atlanta and Seattle.  If you have some time and can help us test in the next day or two, please join our security-onion-testing group and follow the instructions here:
https://groups.google.com/d/topic/security-onion-testing/82sgMwnrLxA/discussion

Thanks!

Monday, February 9, 2015

Save the Date: Security Onion Conference 2015

Last year's Security Onion Conference was an overwhelming success!

This year's Security Onion Conference will be held in Augusta GA on Friday September 11 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

I'll publish more details about the Security Onion Conference as they are finalized.

Friday, February 6, 2015

Next session of Security Onion 101

The first two sessions of Security Onion 101 sold out quickly, so we're going to run another session of the same class on Monday, March 2.

For more details and to register, please use the following link (then click "read more..." for full description):
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

New securityonion-et-rules package

I've updated our securityonion-et-rules package in preparation for our upcoming 12.04.5.1 ISO image.  This is a static set of free NIDS rules from Emerging Threats that is used only if you have LOCAL_NIDS_RULE_TUNING=yes in /etc/nsm/securityonion.conf (most users should have LOCAL_NIDS_RULE_TUNING=no, which causes PulledPork to download updated rules from the Internet).

This package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 683: securityonion-et-rules: update for new ISO
https://code.google.com/p/security-onion/issues/detail?id=683

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Thanks!

Thursday, February 5, 2015

Bro 2.3.2 now available!

Bro 2.3.2 was recently released:
http://blog.bro.org/2015/01/bro-232-release.html

I've packaged Bro 2.3.2 and updated the securityonion-bro-scripts package.  The new packages are as follows:
 securityonion-bro - 2.3.2-0ubuntu0securityonion1
 securityonion-bro-scripts - 20121004-0ubuntu0securityonion39

These packages resolve the following issues:

Issue 680: Bro 2.3.2
https://code.google.com/p/security-onion/issues/detail?id=680

These packages have been tested by David Zawdie and Kevin Branch (thanks!).

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Release Notes
After updating to the new packages, you should restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro

Thanks!

Wednesday, February 4, 2015

New NSM and ossec_agent.tcl packages resolve several issues

Brian Kellogg submitted a patch for ossec_agent.tcl that allows you to enable or disable DNS lookups.  Thanks, Brian!  I've packaged this and also updated the NSM package to resolve several issues.

The new packages are as follows:

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion114
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion7

These new packages should resolve the following issues:

Issue 684: NSM: nsm_server_ps-start needs to create /var/log/sguild/ if it doesn't already exist
https://code.google.com/p/security-onion/issues/detail?id=684

Issue 686: NSM: nsm_server_ps-start needs to set permissions on /var/log/nsm/so-elsa/ properly
https://code.google.com/p/security-onion/issues/detail?id=686

Issue 687: NSM: nsm_sensor_ps-start should set permissions on /var/log/nsm/HOSTNAME-INTERFACE/ properly
https://code.google.com/p/security-onion/issues/detail?id=687

Issue 689: NSM: add USE_DNS option to ossec_agent.conf
https://code.google.com/p/security-onion/issues/detail?id=689

Issue 688: ossec_agent: add option to disable DNS lookups
https://code.google.com/p/security-onion/issues/detail?id=688

These new packages have been tested by David Zawdie (thanks!).

Release Notes
After updating to the new packages, the next time that the NSM scripts start ossec_agent.tcl, they will add a new USE_DNS option to /etc/nsm/ossec/ossec_agent.conf and default it to 0 (disabled).  This results in much better performance for ossec_agent.tcl.

If you need to revert to the previous behavior of DNS lookups enabled and don't mind the additional lookup delay, you can change USE_DNS to 1 (enabled) and then restart ossec_agent.tcl:
sudo nsm_sensor_ps-restart --only-ossec-agent

Also note that these packages move ossec_agent.tcl to /usr/bin/.

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Tuesday, February 3, 2015

New ELSA packages parse additional fields out of Bro dns.log

Pietro Delsante contributed some updated parsers for Bro and BIND DNS logs (thanks, Pietro!) and I've updated the securityonion-elsa-extras package with these new parsers.  I've also updated the securityonion-web-page package to include some new ELSA queries for these newly exposed BRO_DNS fields.  The new packages are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion56
securityonion-web-page - 20141015-0ubuntu0securityonion15

These new packages should resolve the following issues:

Issue 668: ELSA: pdbtool errors
https://code.google.com/p/security-onion/issues/detail?id=668

Issue 669: ELSA: update parsers for Bro DNS and BIND
https://code.google.com/p/security-onion/issues/detail?id=696

Issue 670: securityonion-web-page: add queries for updated bro_dns parser
https://code.google.com/p/security-onion/issues/detail?id=670

Issue 685: securityonion-web-page: update links
https://code.google.com/p/security-onion/issues/detail?id=685

These new packages have been tested by Pietro Delsante and David Zawdie (thanks!).

Screenshots (captions only): Update process; DNS - Top Query Class; DNS - Top Query Type; DNS - Top Return Code

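The new ELSA queries group dns.log by query class, query type and return code. As an added illustration (this is not ELSA's patterndb parser and not code from the Security Onion project), the following Python reads the Bro 2.3 dns.log layout, pulls out qclass_name, qtype_name and rcode_name, and produces the same three "top N" groupings. The log excerpt is constructed (made-up hosts, uids and names), and it includes one truncated row to show that a row with the wrong column count is skipped and counted rather than silently assigned to the wrong field names.

```python
import collections

UNSET = "-"  # Bro's #unset_field marker


def _row(*cols):
    return "\t".join(cols)


# Constructed sample in the Bro 2.3 dns.log layout; not captured from a real sensor.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
         "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected"),
    _row("1422957600.100000", "Cx1aaa", "192.168.1.10", "51000", "192.168.1.1", "53",
         "udp", "1001", "www.example.com", "1", "C_INTERNET", "1", "A",
         "0", "NOERROR", "F", "F", "T", "T", "0", "93.184.216.34", "60.000000", "F"),
    _row("1422957601.200000", "Cx2bbb", "192.168.1.10", "51001", "192.168.1.1", "53",
         "udp", "1002", "www.example.com", "1", "C_INTERNET", "28", "AAAA",
         "0", "NOERROR", "F", "F", "T", "T", "0", "2606:2800:220:1:248:1893:25c8:1946", "60.000000", "F"),
    _row("1422957602.300000", "Cx3ccc", "192.168.1.11", "51002", "192.168.1.1", "53",
         "udp", "1003", "nosuchhost.example.com", "1", "C_INTERNET", "1", "A",
         "3", "NXDOMAIN", "F", "F", "T", "T", "0", "-", "-", "F"),
    _row("1422957603.400000", "Cx4ddd", "192.168.1.12", "51003", "192.168.1.1", "53",
         "udp", "1004", "example.com", "1", "C_INTERNET", "16", "TXT",
         "0", "NOERROR", "F", "F", "T", "T", "0", "v=spf1 -all", "300.000000", "F"),
    # No response was seen for this PTR query, so rcode/rcode_name are unset.
    _row("1422957604.500000", "Cx5eee", "192.168.1.12", "51004", "192.168.1.1", "53",
         "udp", "1005", "34.216.184.93.in-addr.arpa", "1", "C_INTERNET", "12", "PTR",
         "-", "-", "F", "F", "T", "F", "0", "-", "-", "F"),
    # Deliberately truncated row: wrong column count, must be skipped.
    _row("1422957605.600000", "Cx6fff", "192.168.1.13"),
    "#close\t2015-02-03-10-05-00",
])


def parse_bro_log(text):
    """Parse a Bro TSV log into (records, skipped_row_count).

    The #fields header names the columns, other '#' lines are metadata, and a
    data row whose column count differs from the header is counted and dropped.
    """
    fields = None
    records, skipped = [], 0
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            skipped += 1
            continue
        records.append({k: (None if v == UNSET else v) for k, v in zip(fields, values)})
    return records, skipped


def top_values(records, field, limit=10):
    """Count per distinct value of `field`, most common first; unset shown as '-'."""
    counter = collections.Counter(UNSET if r[field] is None else r[field] for r in records)
    return counter.most_common(limit)


def dns_summary(text):
    """The three groupings the new ELSA queries expose, plus the skipped-row count."""
    records, skipped = parse_bro_log(text)
    return {
        "query_class": top_values(records, "qclass_name"),
        "query_type": top_values(records, "qtype_name"),
        "return_code": top_values(records, "rcode_name"),
        "skipped_rows": skipped,
    }


if __name__ == "__main__":
    for name, value in dns_summary(SAMPLE_DNS_LOG).items():
        print(name, value)
```

Of the three groupings, return code is usually the quickest pivot: a single host producing a disproportionate share of NXDOMAIN responses is exactly the kind of pattern the new query is meant to surface, and the unset ('-') bucket tells you how many queries never got an answer at all.
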
Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Monday, February 2, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Seattle WA

The second run of our newly expanded 4-day Security Onion class will be in Seattle WA!

If you register before February 20, you can use the following discount code for $500 off!
early-bird-51414

For more details and to register, please see:
https://security-onion-class-20150316.eventbrite.com

Thursday, January 29, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Atlanta GA

Our Security Onion onsite class is expanding to 4 days!  This first 4-day session will be in Atlanta GA.

If you register before February 13, you can use the following discount code for $500 off!
early-bird-41173

For more details and to register, please see:
https://security-onion-class-20150309.eventbrite.com

Tuesday, January 27, 2015

New NSM/setup/sostat packages

I've updated the NSM, setup, and sostat packages and the new package versions are as follows:
 securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion110
 securityonion-setup - 20120912-0ubuntu0securityonion130
 securityonion-sostat - 20120722-0ubuntu0securityonion32

These new packages have been tested by the following (thanks!):
David Zawdie
Mike Pilkington

Issues Resolved

Issue 663: sosetup: sosetup.conf SGUIL_CLIENT_PASSWORD_1 should say Sguil/Squert/ELSA/Snorby
https://code.google.com/p/security-onion/issues/detail?id=663

Issue 664: sosetup: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=664

Issue 666: sostat: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=666

Issue 665: NSM: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=665

Issue 676: NSM: run Sguil as non-root user
https://code.google.com/p/security-onion/issues/detail?id=676

Issue 671: NSM: /etc/cron.d/sensor-clean needs 2>&1
https://code.google.com/p/security-onion/issues/detail?id=671

Release Notes
If you normally restart Bro with "sudo broctl restart", this will restart Bro as root.  To restart Bro as a non-root user, please use "sudo nsm_sensor_ps-restart --only-bro" instead.

Screenshots (captions only): Update Process. After updating, stop all processes with "sudo service nsm stop" and then restart all processes with "sudo service nsm start" so that they will now be running as a non-root user.

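To confirm that the restart actually took effect, the following Python, added here as an example and not part of the NSM scripts, parses "ps -eo user,pid,args" output and flags any bro, sguild or barnyard2 process still owned by root, pairing each finding with the restart command the posts give for it. The ps output is constructed, with one Bro process and barnyard2 deliberately left as root; the daemon names, paths and the sguil user are assumptions for the demonstration.

```python
import os

# Daemons the posts above say the NSM scripts now start as a non-root user.
# Matching is on the basename of any argv token, so "/opt/bro/bin/bro",
# "/usr/bin/tclsh /usr/bin/sguild" and "barnyard2" all match.
WATCHED = {"bro", "sguild", "barnyard2"}

# Restart commands quoted from the posts (restart via the NSM scripts, not broctl).
REMEDIATION = {
    "bro": "sudo nsm_sensor_ps-restart --only-bro",
    "sguild": "sudo service nsm stop && sudo service nsm start",
    "barnyard2": "sudo nsm_sensor_ps-restart",
}

# Constructed "ps -eo user,pid,args" output; hostnames, paths and pids are made up.
SAMPLE_PS_OUTPUT = """USER       PID COMMAND
root         1 /sbin/init
sguil     4211 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local local.bro broctl
root      4320 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p standalone -p local local.bro broctl
sguil     3900 /usr/bin/tclsh /usr/bin/sguild -c /etc/sguild/sguild.conf
root      4450 /usr/bin/barnyard2 -c /etc/nsm/sensor1-eth1/barnyard2.conf -d /nsm/sensor_data/sensor1-eth1/snort-1 -f snort.unified2
root      2200 /usr/sbin/sshd -D
"""


def parse_ps(text):
    """Turn 'user pid args' rows into dicts; the header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            rows.append({"user": parts[0], "pid": int(parts[1]), "args": parts[2]})
    return rows


def watched_name(args, watched=WATCHED):
    """Return the watched daemon name found in a command line, or None."""
    for token in args.split():
        name = os.path.basename(token)
        if name in watched:
            return name
    return None


def find_root_nsm_processes(rows, watched=WATCHED):
    """Watched daemons still running as root, each with the restart command to fix it."""
    findings = []
    for row in rows:
        name = watched_name(row["args"], watched)
        if name and row["user"] == "root":
            findings.append({"name": name, "pid": row["pid"], "fix": REMEDIATION.get(name, "")})
    return findings


def users_by_daemon(rows, watched=WATCHED):
    """Map each watched daemon to the set of users it is running as."""
    users = {}
    for row in rows:
        name = watched_name(row["args"], watched)
        if name:
            users.setdefault(name, set()).add(row["user"])
    return users


if __name__ == "__main__":
    for finding in find_root_nsm_processes(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"{finding['name']} (pid {finding['pid']}) is running as root -> {finding['fix']}")
```

On a live sensor, pipe the real output of "ps -eo user,pid,args" into parse_ps; a Bro process owned by root after the update is the signature of a "sudo broctl restart" and is fixed with the nsm_sensor_ps-restart command the post names.
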
Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Monday, January 26, 2015

New version of sguil-db-purge helps prevent Sguil uncategorized events from getting out of control

We have a new version of sguil-db-purge which should help prevent your Sguil uncategorized events from getting out of control.  sguil-db-purge now adds a new configuration parameter, UNCAT_MAX, to /etc/nsm/securityonion.conf (set to 100000 by default).  If the number of Sguil uncategorized events is higher than UNCAT_MAX, sguil-db-purge categorizes the oldest events until only UNCAT_MAX uncategorized events remain.

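Here is the UNCAT_MAX logic written out in Python as an added example (sguil-db-purge itself operates on the Sguil database; this is not its code). It reads UNCAT_MAX from securityonion.conf text with the 100000 default, appends the parameter when it is missing, and categorizes the oldest uncategorized events until only UNCAT_MAX remain. The event rows are constructed; Sguil's status value 0 for an uncategorized event is real, while the status that the purge assigns is passed in by the caller because the post does not state it.

```python
import re

DEFAULT_UNCAT_MAX = 100000
UNCATEGORIZED = 0  # Sguil's status for an uncategorized (real-time) event


def read_uncat_max(conf_text):
    """Return UNCAT_MAX from securityonion.conf text, or the default when it is absent."""
    for line in conf_text.splitlines():
        match = re.match(r"^\s*UNCAT_MAX\s*=\s*(\d+)\s*$", line)
        if match:
            return int(match.group(1))
    return DEFAULT_UNCAT_MAX


def ensure_uncat_max(conf_text):
    """Append UNCAT_MAX=100000 when missing; returns (new_text, was_added)."""
    if any(re.match(r"^\s*UNCAT_MAX\s*=", line) for line in conf_text.splitlines()):
        return conf_text, False
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + f"UNCAT_MAX={DEFAULT_UNCAT_MAX}\n", True


def make_sample_events():
    """Constructed stand-ins for rows of Sguil's event table (sid/cid identify an event).
    Status 1 here is an assumed value meaning 'already categorized'."""
    return [
        {"sid": 1, "cid": 101, "timestamp": "2015-01-20 08:00:00", "status": UNCATEGORIZED},
        {"sid": 1, "cid": 102, "timestamp": "2015-01-20 09:00:00", "status": UNCATEGORIZED},
        {"sid": 1, "cid": 103, "timestamp": "2015-01-21 10:00:00", "status": 1},
        {"sid": 1, "cid": 104, "timestamp": "2015-01-22 11:00:00", "status": UNCATEGORIZED},
        {"sid": 2, "cid": 201, "timestamp": "2015-01-19 23:30:00", "status": UNCATEGORIZED},
        {"sid": 2, "cid": 202, "timestamp": "2015-01-25 12:00:00", "status": UNCATEGORIZED},
    ]


def count_uncategorized(events):
    return sum(1 for e in events if e["status"] == UNCATEGORIZED)


def enforce_uncat_max(events, uncat_max, category):
    """Categorize the oldest uncategorized events until at most uncat_max remain.

    Mutates the rows in place and returns how many were categorized. Sorting by
    timestamp (ISO format sorts lexicographically) picks the oldest first.
    """
    uncategorized = [e for e in events if e["status"] == UNCATEGORIZED]
    excess = len(uncategorized) - uncat_max
    if excess <= 0:
        return 0
    for event in sorted(uncategorized, key=lambda e: e["timestamp"])[:excess]:
        event["status"] = category
    return excess


def purge_cycle(conf_text, events, category):
    """One run: make sure the conf has UNCAT_MAX, read it, enforce it. Returns (conf, n)."""
    conf_text, _ = ensure_uncat_max(conf_text)
    return conf_text, enforce_uncat_max(events, read_uncat_max(conf_text), category)


if __name__ == "__main__":
    sample = make_sample_events()
    print("before:", count_uncategorized(sample))
    print("categorized:", enforce_uncat_max(sample, 3, category=1))
    print("after:", count_uncategorized(sample))
```

Note what the threshold does and does not do: it bounds the backlog so the Sguil console stays usable, but the events it auto-categorizes were never looked at by an analyst, so a sensor that keeps hitting UNCAT_MAX is a tuning problem (noisy rules) rather than something the purge solves.
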
I've packaged this new version and it has been tested by David Zawdie (thanks!).

The new package version is:
 securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion10

Issues Resolved

Issue 672: sguil-db-purge: check for UNCAT_MAX
https://code.google.com/p/security-onion/issues/detail?id=672

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots (captions only): The next time sguil-db-purge runs, it adds UNCAT_MAX=100000 to /etc/nsm/securityonion.conf. If there are fewer than UNCAT_MAX uncategorized events, no action is necessary. If we set UNCAT_MAX to a number smaller than our number of uncategorized events, then sguil-db-purge categorizes the oldest events until we get down to UNCAT_MAX.

Thanks!

Friday, January 23, 2015

Next session of Security Onion 101

The first run of Security Onion 101 sold out quickly, so we're going to run another session of the same class on Thursday, February 5.  It will be later in the day to be more convenient for folks on the US West Coast.

For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Tuesday, January 20, 2015

New salt and securityonion-onionsalt packages

SaltStack has updated their salt packages and I've updated our securityonion-onionsalt packages.

New packages:
python-urllib3 - 1.7.1-2~precise+1
python-requests - 2.0.0-1
salt - 2014.7.0+ds-2precise3
securityonion-onionsalt - 20140917-0ubuntu0securityonion19

These new packages have been tested by the following (thanks!):
Ryan Peck
David Zawdie

Issues Resolved
Issue 642: Update Salt packages/scripts to 2014.7.0
https://code.google.com/p/security-onion/issues/detail?id=642

Issue 619: Onionsalt: backup /opt/onionsalt/pillar/top.sls
https://code.google.com/p/security-onion/issues/detail?id=619

Issue 661: Onionsalt: replicate /usr/local/lib/snort_dynamicrules/
https://code.google.com/p/security-onion/issues/detail?id=661

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Suricata 2.0.6

Suricata 2.0.6 was recently released:
http://suricata-ids.org/2015/01/15/suricata-2-0-6-available/

I've packaged Suricata 2.0.6 and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-suricata - 2.0.6-0ubuntu0securityonion1

Issues Resolved

Issue 673: Suricata 2.0.6
https://code.google.com/p/security-onion/issues/detail?id=673

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak.  You'll then need to do the following:

  • re-apply any local customizations to suricata.yaml
  • update ruleset and restart Suricata as follows:
    sudo rule-update


Thanks!

Wednesday, January 14, 2015

First Online Training Session is next Thursday, January 22

Many folks have asked about online training.  Our first online training session will be a 3-hour introduction to Security Onion and will be next Thursday, January 22.

For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Monday, January 12, 2015

New securityonion-samples packages

I've added some new securityonion-samples packages:

securityonion-samples-mta - 20150103-0ubuntu0securityonion1
(from http://malware-traffic-analysis.net/, thanks Brad!)

securityonion-samples-shellshock - 20140926-0ubuntu0securityonion1
(from https://github.com/broala/bro-shellshock, thanks Seth!)

These new packages should resolve the following issue:

Issue 667: New packages for shellshock and malware-traffic-analysis samples
https://code.google.com/p/security-onion/issues/detail?id=667

Screenshots (captions only): Installing new samples packages; /opt/samples/mta/ directory; /opt/samples/shellshock/ directory; Using tcpreplay to replay shellshock traffic; ELSA showing Bro notice for ShellShock Exploit; Using tcpreplay to replay malware-traffic-analysis traffic; Sguil alerts from malware-traffic-analysis traffic

Installing
The new packages are now available in our stable repo.  You'll need to use "sudo apt-get install" to install them as shown in the screenshot above.

Thanks!

Wednesday, January 7, 2015

New ELSA packages parse country code out of Bro conn.log

I've updated the ELSA packages to parse the responder country code out of the Bro conn.log.  The new packages are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion53
securityonion-web-page - 20141015-0ubuntu0securityonion13

These new packages should resolve the following issues:

Issue 656: ELSA: update parser for bro_conn to parse country code
https://code.google.com/p/security-onion/issues/detail?id=656

Issue 659: securityonion-web-page: add ELSA query for bro_conn groupby:resp_country_code
https://code.google.com/p/security-onion/issues/detail?id=659

These new packages have been tested by David Zawdie (thanks!).

Screenshots (captions only): Update process; Connections - Groupby Resp Country: group connections by responder country code

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Tuesday, January 6, 2015

New NSM and Setup packages resolve several issues

I've updated the NSM and Setup packages to resolve several issues.  The new packages are as follows:

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion99
securityonion-setup - 20120912-0ubuntu0securityonion127

These new packages should resolve the following issues:

Issue 658: NSM: fix umask on Snort unified2 output
https://code.google.com/p/security-onion/issues/detail?id=658

Issue 548: NSM: run barnyard2 as non-root user
https://code.google.com/p/security-onion/issues/detail?id=548

Issue 649: nsm_all_del_quick: check for /etc/nsm/servertab and /etc/nsm/sensortab before trying to read
https://code.google.com/p/security-onion/issues/detail?id=649

Issue 598: so-snorby-wipe
https://code.google.com/p/security-onion/issues/detail?id=598

Issue 610: NSM: ossec_agent alert level should be configurable
https://code.google.com/p/security-onion/issues/detail?id=610

Issue 660: Setup: add OSSEC_AGENT_LEVEL to /etc/nsm/securityonion.conf
https://code.google.com/p/security-onion/issues/detail?id=660


These new packages have been tested by David Zawdie (thanks!).

Screenshots (captions only): Run "sudo nsm_sensor_ps-restart" to restart ossec_agent, snort, and barnyard2; /etc/nsm/securityonion.conf now contains OSSEC_AGENT_LEVEL; Snort unified2 output now has proper permissions; Barnyard2 is now running as a non-root user; If you need to wipe the alerts in the Snorby database, you can now use so-snorby-wipe

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Monday, January 5, 2015

Suricata 2.0.5

Suricata 2.0.5 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/201-suricata-205-available

I've packaged Suricata 2.0.5 and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-suricata - 2.0.5-0ubuntu0securityonion1

Issues Resolved

Issue 655: Suricata 2.0.5
https://code.google.com/p/security-onion/issues/detail?id=655

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak.  You'll then need to do the following:

  • re-apply any local customizations to suricata.yaml
  • update ruleset and restart Suricata as follows:

sudo rule-update

Thanks!

Monday, December 8, 2014

New version of securityonion-rule-update resolves two issues

I've updated the securityonion-rule-update package to resolve two issues:

Issue 639: rule-update should disable Suricata rules if running Snort
https://code.google.com/p/security-onion/issues/detail?id=639

Issue 650: rule-update: wipe snort_dynamicrules directory
https://code.google.com/p/security-onion/issues/detail?id=650

The new package version is as follows:

securityonion-rule-update - 20120726-0ubuntu0securityonion23

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Training
Need training?  Please see:
https://security-onion-class-20141215.eventbrite.com/

We especially need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, December 3, 2014

ELSA now parses Bro's RADIUS, SNMP, and X.509 logs

I've added ELSA parsers for Bro RADIUS, SNMP, and X.509 logs.  The new packages are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion50
securityonion-web-page - 20141015-0ubuntu0securityonion10

These new packages should resolve the following issues:

Issue 513: securityonion-elsa-extras: when adding sources to syslog-ng.conf, do not search-and-replace using "log"
https://code.google.com/p/security-onion/issues/detail?id=513

Issue 575: ELSA: parsers for new Bro logs added in Bro 2.3
https://code.google.com/p/security-onion/issues/detail?id=575

Issue 578: securityonion-web-page: add ELSA queries for new Bro 2.3 logs
https://code.google.com/p/security-onion/issues/detail?id=578

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie

Screenshots (captions only): Update Process; X.509 logs grouped by Certificate Key Length; X.509 logs grouped by Certificate Key Algorithm; X.509 logs grouped by Certificate Signature Algorithm; X.509 logs grouped by Certificate Key Type; SNMP logs grouped by Community; RADIUS logs grouped by username

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Tuesday, December 2, 2014

New Sguil client resolves an issue

Scott F. found an issue in the Sguil client:
https://groups.google.com/d/topic/security-onion/P57oKu02tI4/discussion

I've updated the Sguil client with Bamm's patch and the new version numbers are as follows:
securityonion-sguil-client - 20141004-0ubuntu0securityonion9
securityonion-sguil-sensor - 20141004-0ubuntu0securityonion9
securityonion-sguil-server - 20141004-0ubuntu0securityonion9
(since client, sensor, and server all come from the same tarball, a change in one causes a full rebuild of all 3 packages)

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie

These packages should resolve the following issue:
https://code.google.com/p/security-onion/issues/detail?id=646

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks!

Monday, December 1, 2014

Snort 2.9.7 and Daq 2.0.4 now available!

Snort 2.9.7 and Daq 2.0.4 were recently released:
http://blog.snort.org/2014/10/snort-297-has-been-released.html

I've updated our packages:
securityonion-daq - 2.0.4-0ubuntu0securityonion2
securityonion-pfring-daq - 20121107-0ubuntu0securityonion9
securityonion-snort - 2.9.7.0-0ubuntu0securityonion4

These new packages should resolve the following issues:

Issue 636: Snort 2.9.7.0
https://code.google.com/p/security-onion/issues/detail?id=636

Issue 637: Snort DAQ 2.0.4
https://code.google.com/p/security-onion/issues/detail?id=637

Issue 648: Rebuild securityonion-pfring-daq for new DAQ
https://code.google.com/p/security-onion/issues/detail?id=648

The new packages have been tested by the following (thanks!):
Eddy Simons
Ronny Vaningh
David Zawdie

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak.  You'll then need to do the following:

  • re-apply any local customizations to your snort.conf files
  • update ruleset and restart Snort/Suricata as follows:
sudo rule-update
If you get an error like the following:
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/chat.so" version 1.0 compiled with dynamic engine library version 2.1 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 2.4.
then please see:
https://code.google.com/p/security-onion/wiki/FAQ#I_just_updated_Snort_and_it's_now_saying_'ERROR:_The_d
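Because the update replaces snort.conf and keeps your old copy as snort.conf.bak, the first thing to find out is exactly which lines differed. The following POSIX shell function is an added example, not part of this post or of the Security Onion project's own scripts: it strips comments and blank lines from both files and prints the effective lines that exist in the backup but not in the new packaged config, which is the set of local customizations to carry across. The two sample config files are constructed inline for the demo; the function names, the sample directives and their values are assumptions.

```sh
#!/bin/sh
# Added example (not Security Onion's own tooling): list local customizations
# that must be re-applied after a package update replaces snort.conf and
# leaves the previous copy as snort.conf.bak.

# snort_local_changes OLD NEW
#   Prints the effective (non-comment, non-blank) lines that appear in OLD
#   but not in NEW. Everything printed is a setting the old config had that
#   the freshly installed packaged config does not.
snort_local_changes() {
    old="$1"
    new="$2"
    tmp="$(mktemp)"
    # Normalize: drop '#' comments, trailing whitespace and empty lines.
    # (Assumes '#' never appears inside a directive value, which holds for
    # the configuration lines Snort ships by default.)
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$new" > "$tmp"
    # grep -v -x -F -f: drop lines that exactly match any line of NEW.
    # "No differences" makes grep exit 1, which is not an error here.
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$old" \
        | grep -v -x -F -f "$tmp" || true
    rm -f "$tmp"
}

# demo_snort_diff
#   Builds a constructed backup/new pair in a temp dir and runs the check.
#   The backup carries two local edits (HOME_NET and the stream5 table size);
#   the packaged config has the defaults. Only those two lines should print.
demo_snort_diff() {
    dir="$(mktemp -d)"
    cat > "$dir/snort.conf.bak" <<'EOF'
# constructed sample: previous config with two local edits
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
preprocessor stream5_global: track_tcp yes, max_tcp 1048576
output unified2: filename snort.unified2, limit 128
EOF
    cat > "$dir/snort.conf" <<'EOF'
# constructed sample: freshly packaged config with defaults
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
preprocessor stream5_global: track_tcp yes, max_tcp 262144
output unified2: filename snort.unified2, limit 128
EOF
    snort_local_changes "$dir/snort.conf.bak" "$dir/snort.conf"
    rm -rf "$dir"
}

demo_snort_diff
```

On a Security Onion 12.04 sensor the per-interface configs live under /etc/nsm/<hostname>-<interface>/, so run the function against each snort.conf.bak and snort.conf pair there. After editing the merged settings back into snort.conf, `sudo snort -T -c <that path>/snort.conf` test-parses the configuration (including the dynamic engine and rule libraries it references) before `sudo rule-update` restarts the sensors, which is an easier place to catch a mistake than a sensor that fails to come back up.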

Screenshots
"sudo soup" will ask you to check/update your snort.conf file(s)

"sudo rule-update" will download the updated ruleset and restart Snort

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  Please see:
https://security-onion-class-20141215.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Cyber Monday discount for 3-day Security Onion training in Augusta GA

Today is Cyber Monday, so here is a discount code good for $400 off the 3-day Security Onion training in Augusta GA!

cyber-monday-4443

This discount is good through Friday December 5!

For more information and to register, please see:

Monday, November 17, 2014

New NSM package resolves 5 issues

I've updated our NSM package and the new package version is:

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion91

Issues Resolved

Issue 620: NSM: stop netsniff-ng only after checking all interfaces for pcaps to delete
https://code.google.com/p/security-onion/issues/detail?id=620

Issue 647: NSM: rotate netsniff-ng.log
https://code.google.com/p/security-onion/issues/detail?id=647

Issue 597: nsm_all_del_quick: delete /nsm/bro/logs and /nsm/bro/extracted
https://code.google.com/p/security-onion/issues/detail?id=597

Issue 595: NSM: prevent Bro version warning
https://code.google.com/p/security-onion/issues/detail?id=595

Issue 611: nsm_sensor_clean: replace server with sensor
https://code.google.com/p/security-onion/issues/detail?id=611


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks
Thanks to the following for testing!
Joe Lane
Ronny Vaningh
David Zawdie

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  Please see:
https://security-onion-class-20141215.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Tuesday, November 11, 2014

Argus 3.0.8 packages now available!

Argus 3.0.8 was recently released:
http://qosient.com/argus/

I've updated our Argus packages and the new package versions are as follows:

securityonion-argus-server - 3.0.8-0ubuntu0securityonion1
securityonion-argus-clients - 3.0.8-0ubuntu0securityonion2

Issues Resolved

Issue 382: Update Argus packages
https://code.google.com/p/security-onion/issues/detail?id=382

Release Notes
Please note that raips and raplot are no longer installed by default; this is by design, according to Carter Bullard:
http://article.gmane.org/gmane.network.argus/10830

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks
Thanks to the following for testing!
Eddy Simons
David Zawdie

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  Please see:
https://security-onion-class-20141215.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

$400 Early Bird discount for 3-day Security Onion Training Class in Augusta GA

Our 3-day Security Onion training class will be in Augusta GA next month.  If you register by Friday November 21, you can use the following discount code for $400 off!

early-bird-57912

For more details and to register, please see:
https://security-onion-class-20141215.eventbrite.com/

If you have any questions, please use the Contact link on the bottom of the Eventbrite page.

Wednesday, October 29, 2014

Sguil 0.9 and Squert 1.5.0 now available!

Sguil 0.9 and Squert 1.5.0 were recently released:
http://sourceforge.net/p/sguil/mailman/message/32230854/
http://www.squertproject.org/summaryofchangesforsquertversion130
http://www.squertproject.org/summaryofchangesforsquertversion140
http://www.squertproject.org/summaryofchangesforsquertversion150

I've updated our packages to include both of these releases.  The new package versions are as follows:

securityonion-capme - 20121213-0ubuntu0securityonion20
securityonion-http-agent - 0.3.1-0ubuntu0securityonion6
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion88
securityonion-ossec-rules - 20120726-0ubuntu0securityonion4
securityonion-setup - 20120912-0ubuntu0securityonion125
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion4
securityonion-sguil-client - 20141004-0ubuntu0securityonion7
securityonion-sguil-sensor - 20141004-0ubuntu0securityonion7
securityonion-sguil-server - 20141004-0ubuntu0securityonion7
securityonion-squert - 20141015-0ubuntu0securityonion3

Issues Resolved

Issue 287: Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=287

Issue 622: Update http_agent for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=622

Issue 623: Update ossec_agent for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=623

Issue 624: Update CapMe for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=624

Issue 625: Update NSM for Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=625

Issue 626: Update Setup for Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=626

Issue 491: Squert 1.5.0
https://code.google.com/p/security-onion/issues/detail?id=491

Issue 638: securityonion-ossec-rules: add rule to ignore Squert POST
https://code.google.com/p/security-onion/issues/detail?id=638

Release Notes
Please note that the Squert interface has changed quite a bit from the previous version.  In particular:

  • To drill into an event to see the payload of the event, click on the value in the Status (ST) column.
  • To generate a full pcap transcript, click on the value in the "Event ID" column.


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots
Updating packages using "sudo soup"

The new OSSEC rules package will prompt you to restart OSSEC

The new securityonion-sguil-sensor package will prompt you to restart sensor services

The new securityonion-sguil-server package will update your database and import your autocat rules

The new securityonion-sguil-server package will then prompt you to restart server services

The new securityonion-squert package will update your database

Restarting OSSEC using "sudo service ossec-hids-server restart"

Restarting server and sensor processes using "sudo service nsm restart"

The Sguil client is now updated to 0.9...

...and includes an AutoCat Rule Builder...

...and an AutoCat Viewer

Squert has been updated to 1.5.0

Squert Event tab

In Squert, you can now pivot to ELSA

Pivoting from an IP address in Squert to an ELSA query for that IP

Squert now allows you to color-code IP addresses

Color-coded IP address

Squert AutoCat Viewer

Squert Summary tab including GeoIP mapping

Squert Views tab with Sankey diagram

Thanks
Thanks to the following for testing!
Eddy Simons
Mike Pilkington
Landon Lewis
David Zawdie

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!