Wednesday, February 10, 2016

securityonion-capme - 20121213-0ubuntu0securityonion32 resolves several security issues

John Menerick (https://github.com/lordappsec) found several issues in CapME (thanks, John!):
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/1
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/2
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/3
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/4
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/5
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/6
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/7
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/8
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/9
https://github.com/Security-Onion-Solutions/securityonion-capme/issues/10

I've updated CapME and the new version is as follows:

securityonion-capme - 20121213-0ubuntu0securityonion32

This new package should resolve the following issue:

Issue 856: securityonion-capme needs additional input validation in index.php
https://github.com/Security-Onion-Solutions/security-onion/issues/856

Wes Lambert tested this package.  Thanks, Wes!

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
The next round of online training sessions is coming up soon:
http://blog.securityonion.net/2016/02/next-round-of-security-onion-online.html

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!

Suricata 3.0 STABLE now available for Security Onion 14.04!

Suricata 3.0 STABLE was recently released:
http://suricata-ids.org/2016/01/27/suricata-3-0-available/

I've packaged Suricata 3.0 STABLE for Security Onion 14.04 and the new package is as follows:
securityonion-suricata - 3.0stable-1ubuntu1securityonion1

This resolves the following issue:

Issue 847: Suricata 3.0
https://github.com/Security-Onion-Solutions/security-onion/issues/847

Wes Lambert tested this package.  Thanks, Wes!

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your suricata.yaml file(s)
  • update ruleset and restart Suricata as follows:
    sudo rule-update
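To check what the upgrade described above did to a sensor's configuration, here is an added shell example (not part of the original post and not Security Onion project code): it compares the backed-up suricata.yaml.bak with the new suricata.yaml, confirms that HOME_NET and EXTERNAL_NET carried over, and lists every non-comment line from the backup that is missing from the new file, which are the candidates for re-applying by hand before running `sudo rule-update`. The two sample YAML files, the ADMIN_NET address group and the default-log-dir value are constructed for the demo; the location of the real files under the sensor's config directory is assumed and should be checked against your own layout.

```shell
#!/bin/sh
# Added example: compare the pre-upgrade suricata.yaml.bak with the new
# suricata.yaml after the Security Onion package update.  The sample files
# below are constructed for the demo; on a real sensor point the two paths
# at the files in the sensor's config directory (location assumed).
export LC_ALL=C   # stable ordering for sort/comm

# Print the value of an address-group variable (e.g. HOME_NET) from a YAML
# file.  Purely textual: the first line whose key is the variable name.
get_var() {
  grep -E "^[[:space:]]*$2:" "$1" | head -n 1 \
    | sed -E "s/^[[:space:]]*$2:[[:space:]]*//; s/[[:space:]]+\$//"
}

# Succeed only if HOME_NET and EXTERNAL_NET in the new file equal the backup.
vars_migrated() {
  for v in HOME_NET EXTERNAL_NET; do
    [ "$(get_var "$1" "$v")" = "$(get_var "$2" "$v")" ] || return 1
  done
  return 0
}

# Drop comment-only and blank lines so they do not count as customizations.
strip_noise() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Print every non-comment line of the backup that does not appear verbatim in
# the new file.  Each printed line is a candidate customization to re-apply.
lost_customizations() {
  a=$(mktemp); b=$(mktemp)
  strip_noise "$1" | sort -u > "$a"
  strip_noise "$2" | sort -u > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Constructed sample pair: the old file carries a custom ADMIN_NET group; the
# new file has the migrated HOME_NET/EXTERNAL_NET plus a fresh section, and
# lacks ADMIN_NET.
write_samples() {
  printf '%s\n' \
    '%YAML 1.1' \
    '---' \
    '# old sensor config (constructed sample)' \
    'vars:' \
    '  address-groups:' \
    '    HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"' \
    '    EXTERNAL_NET: "!$HOME_NET"' \
    '    ADMIN_NET: "[192.168.5.0/24]"' \
    'default-log-dir: /var/log/suricata/' \
    > "$1/suricata.yaml.bak"
  printf '%s\n' \
    '%YAML 1.1' \
    '---' \
    '# Suricata 3.0 config after upgrade (constructed sample)' \
    'vars:' \
    '  address-groups:' \
    '    HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"' \
    '    EXTERNAL_NET: "!$HOME_NET"' \
    'default-log-dir: /var/log/suricata/' \
    'app-layer:' \
    '  protocols:' \
    > "$1/suricata.yaml"
}

# Run both checks against the sample pair.
demo() {
  dir=$(mktemp -d)
  write_samples "$dir"
  old="$dir/suricata.yaml.bak"; new="$dir/suricata.yaml"
  if vars_migrated "$old" "$new"; then
    echo "OK: HOME_NET and EXTERNAL_NET match the backup"
  else
    echo "WARNING: HOME_NET/EXTERNAL_NET differ from the backup"
  fi
  echo "Lines from the backup missing from the new file (re-apply by hand):"
  lost_customizations "$old" "$new"
  rm -rf "$dir"
}
demo
```

The comparison is line-for-line, so a setting that Suricata 3.0 merely moved or re-indented in the default file will also be listed; treat the output as a review list rather than a patch, and only then restart Suricata with `sudo rule-update`.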

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
The next round of online training sessions is coming up soon:
http://blog.securityonion.net/2016/02/next-round-of-security-onion-online.html

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!

Wednesday, February 3, 2016

securityonion-setup - 20120912-0ubuntu0securityonion194 resolves two issues

securityonion-setup - 20120912-0ubuntu0securityonion194 is now available and resolves the following issues:

Setup: X11 error when running via ssh -X
https://github.com/Security-Onion-Solutions/security-onion/issues/846

Setup: master-only shouldn't show Snort/Bro in final confirmation screen
https://github.com/Security-Onion-Solutions/security-onion/issues/848

Wes Lambert tested this package.  Thanks, Wes!

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
The next round of online training sessions will be in February:
http://blog.securityonion.net/2016/02/next-round-of-security-onion-online.html

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!

Tuesday, February 2, 2016

Next Round of Security Onion Online Training Sessions - February 22 through February 25

The next round of online training sessions will be held Monday February 22 through Thursday February 25!

Please note that we'll be using the new Security Onion 14.04:
http://blog.securityonion.net/2016/01/security-onion-140431-iso-image-now.html

For more information and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

securityonion-capme - 20121213-0ubuntu0securityonion31 resolves an issue

securityonion-capme - 20121213-0ubuntu0securityonion31 is now available and resolves the following issue:

securityonion-capme: remove include config from callback
https://github.com/Security-Onion-Solutions/security-onion/issues/840

Wes Lambert tested this package.  Thanks, Wes!

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
The next round of online training sessions will be in February.  Please stay tuned for the announcement.

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!

Monday, February 1, 2016

securityonion-elsa - 1205chartsjsd3-1ubuntu1securityonion6 resolves issue with map dashboard

Brian Haugli found an issue when rendering ELSA dashboards with maps:

Issue 842: securityonion-elsa: map dashboard displays empty screen
https://github.com/Security-Onion-Solutions/security-onion/issues/842

Martin Holste fixed the bug and I've packaged the fix. The following packages are now available in our stable repo:
securityonion-elsa - 1205chartsjsd3-1ubuntu1securityonion6
securityonion-elsa-extras - 20151011-1ubuntu1securityonion27

Screenshots

Suppose you want to create an ELSA dashboard based on the "Connections - Groupby Resp Country" query:

Click the ELSA drop-down menu and then click Dashboards.  The Dashboards window appears:

Click "Create/import new dashboard".  The "Create New Dashboard" window appears.  Specify your desired Title and Alias and then set Auth to "Any authenticated user":

Click the Submit button to return to the Dashboards window:

Click the Actions drop-down menu and then click Edit.  On the Edit page, click "Add Chart".  The "Create New Chart" window appears.  Specify your desired Title, set Type to "Map", then add your Label and Query.  Note that the query specifically excludes results where the responder country code is null ("-"):

Click the Submit button and then click "Finished Editing".  The dashboard appears:



Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
The next round of online training sessions will be in February.  Please stay tuned for the announcement.

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!

Saturday, January 23, 2016

securityonion-setup - 20120912-0ubuntu0securityonion192 resolves an issue

Wes Lambert found an issue with the new version of Setup:

Issue 845: Setup: Production Mode - Custom - not enabling some services properly
https://github.com/Security-Onion-Solutions/security-onion/issues/845

securityonion-setup - 20120912-0ubuntu0securityonion192 resolves this issue.

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
We have online training classes starting next Monday:
http://blog.securityonion.net/2016/01/next-round-of-security-onion-online.html

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!

Friday, January 22, 2016

Security Onion 14.04.3.1 Screenshot Tour

Below is a quick screenshot tour of the new Security Onion 14.04.3.1 ISO image.

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
We have online training classes starting next Monday:
http://blog.securityonion.net/2016/01/next-round-of-security-onion-online.html

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!


Screenshot captions (the images themselves are not included in this text):

  • ISO Boot Menu
  • Boot splash
  • Installer - Welcome
  • Installer - Preparing
  • Installer - Installation Type (now with LVM)
  • Installer - Verify disk changes
  • Installer - Time Zone
  • Installer - Keyboard Layout
  • Installer - hostname, username, and password
  • Installer - Copying files
  • Installer - Installation Complete
  • Installer - ready to reboot
  • GRUB Boot Menu
  • Login screen
  • Desktop
  • Installing updates with soup
  • Setup - Welcome
  • Setup - Network Interfaces
  • Setup - Management Interface
  • Setup - IP Address for Management Interface
  • Setup - Monitor (sniffing) interfaces
  • Setup - Monitor (sniffing) interfaces
  • Setup - Verify Choices
  • Setup - Network Configuration Complete
  • Reboot and log back in
  • Run Setup Phase 2
  • Setup - Welcome
  • Setup - Skip Network Configuration
  • Setup - Evaluation Mode or Production Mode
  • Setup - Monitor (sniffing) interface
  • Setup - Username
  • Setup - Password
  • Setup - Confirm Password
  • Setup - Confirm Options
  • Setup - Progress Bar
  • Setup - Complete
  • Setup - sostat
  • Setup - Rules
  • Setup - links
  • Setup - commercial support
  • Verifying services
  • Replaying pcaps to create traffic
  • Launching Squert web interface
  • Logging into Squert
  • Squert Main Page
  • Squert - drilling into a NIDS alert
  • Squert - viewing NIDS alert payload
  • Squert - viewing full packet capture
  • Squert - Geoip Mapping
  • Squert - Top Signatures
  • Squert - Top IP Addresses
  • Squert - Top Countries
  • Squert - Top Ports
  • Squert - Sankey Diagram
  • Logging into Sguil
  • Sguil - selecting networks (sensors)
  • Sguil RealTime Events tab
  • Sguil - pivoting from a NIDS alert to full packet capture
  • Pivoting from a NIDS alert and sending pcap to Wireshark
  • Pivoting from a NIDS alert and sending pcap to NetworkMiner
  • Pivoting from a NIDS alert and decoding gzip-encoded data using Bro
  • Logging into ELSA
  • ELSA - Connections - Top SRC IPs
  • ELSA - Connections - Top DST IPs
  • ELSA - Connections - Top DST Ports
  • ELSA - Connections - Top Services
  • ELSA - Connections - Groupby Protocol
  • ELSA - Connections - Groupby Responder's Country Code
  • ELSA - DHCP - Top Assigned IPs
  • ELSA - DHCP - DHCP Servers
  • ELSA - DNS - Top Query Type
  • ELSA - DNS - Top Return Code
  • ELSA - Top nxdomain
  • ELSA - Files - MIME Types
  • ELSA - FTP - Top arg
  • ELSA - HTTP - Top DST Ports
  • ELSA - HTTP - Top MIME Types
  • ELSA - HTTP - Top User Agents
  • ELSA - HTTP - Top Sites
  • ELSA - HTTP - Sites hosting EXEs
  • ELSA - HTTP - Sites hosting CABs
  • ELSA - HTTP - Sites Hosting JARs
  • ELSA - HTTP - Sites hosting SWFs
  • ELSA - HTTP - Sites hosting ZIPs
  • ELSA - Kerberos - Top Services
  • ELSA - Notices - Top Notice Types
  • ELSA - SMTP - Top Subjects
  • ELSA - Snort/Suricata - Top NIDS Alerts
  • ELSA - Software - Software Detected by Bro
  • ELSA - SSL - Top Hostnames