Wednesday, November 15, 2017

securityonion-sostat - 20120722-0ubuntu0securityonion79 now available for Security Onion!

The following package is now available:
securityonion-sostat - 20120722-0ubuntu0securityonion79

This package should resolve the following issues:

Issue 1166: soup: if Elastic enabled, copy /etc/apt/preferences.d/securityonion-docker
https://github.com/Security-Onion-Solutions/security-onion/issues/1166

Issue 1149: soup: final message about snort/suricata/bro updates should only output if they are enabled
https://github.com/Security-Onion-Solutions/security-onion/issues/1149

Thanks
Thanks to Wes Lambert for testing this package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, November 13, 2017

Security Advisory for Xplico 1.2.0

Introduction
Mehmet D. İNCE discovered three vulnerabilities in Xplico: two classified as "High severity" and one as "Medium severity". The CVE number assigned to these vulnerabilities is CVE-2017-16666:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16666

We've resolved these issues in a new Xplico package:
xplico - 1.2.0ubuntu1securityonion9

Resolution
To resolve these issues, simply install the new Xplico package according to our normal update instructions:
https://securityonion.net/wiki/Upgrade

Mitigations
Since 2015, our Setup wizard has disabled Xplico by default when choosing the "Best Practices" option:
https://github.com/Security-Onion-Solutions/securityonion-setup/blob/dd9c8e098af3e6bc253570b75b789ff928c10323/debian/patches/streamline-Setup-with-new-defaults-and-add-new-Custom-option

Since March 2016, our Setup wizard locks down the host-based firewall to block remote connections to Xplico:
http://blog.securityonion.net/2016/03/securityonion-setup-20120912.html

Additionally, we recently made some changes to make it easier to totally remove the Xplico package from your system:
http://blog.securityonion.net/2017/11/securityonion-nsmnow-admin-scripts.html
http://blog.securityonion.net/2017/11/securityonion-iso-20151016.html
http://blog.securityonion.net/2017/11/securityonion-setup-20120912.html

Future Security Onion ISO images will no longer include Xplico.

Thanks
Special thanks to Mehmet İNCE for responsibly disclosing this security issue per our Security page:
https://securityonion.net/security

Special thanks to Gianluca Costa for patching these issues so quickly!

Timeline
All times below are in Eastern time.
11/8/2017 2:32 AM - Received initial notification from Mehmet İNCE.
11/8/2017 6:30 AM - Confirmed receipt of email and confirmed issue.
11/8/2017 6:39 AM - Notified Gianluca Costa of Xplico.
11/13/2017 2:36 AM - Received patches from Gianluca Costa.
11/13/2017 8:56 AM - Built new Xplico package and sent to Mehmet İNCE for review.
11/13/2017 9:04 AM - Received confirmation from Mehmet İNCE.
11/13/2017 9:09 AM - Sent email to coordinate disclosure.

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion164 now available for Security Onion!

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion164 is now available and should resolve the following issues:

Issue 1162: NSM: Add new script to clear sensor backlog
https://github.com/Security-Onion-Solutions/security-onion/issues/1162

Issue 1167: NSM: need to handle /etc/init/securityonion.conf properly
https://github.com/Security-Onion-Solutions/security-onion/issues/1167

Issue 1168: NSM: check for /etc/init.d/xplico before trying to execute
https://github.com/Security-Onion-Solutions/security-onion/issues/1168

Thanks
Thanks to Wes Lambert for testing the new package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Thursday, November 9, 2017

securityonion-iso - 20151016-1ubuntu1securityonion3 now available for Security Onion!

securityonion-iso - 20151016-1ubuntu1securityonion3 is now available and should resolve the following issues:

Issue 1164: securityonion-iso: remove xplico dependency
https://github.com/Security-Onion-Solutions/security-onion/issues/1164

securityonion-iso is just a metapackage that installs other packages by listing them as dependencies.  In this case, xplico was a dependency and so installing securityonion-iso would automatically install xplico.

This new version of securityonion-iso no longer lists xplico as a dependency.  After installing this new version, you should then be able to remove xplico without it trying to remove securityonion-iso and the rest of your securityonion-* packages.
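The two checks worth running before "apt-get remove xplico", written up as an added example (this is not code from the Security Onion project): confirm that the installed securityonion-iso no longer lists xplico as a dependency, and confirm that apt's simulated removal would not take any other securityonion-* package with it. Both functions parse command output as text, so the script exercises them on constructed samples; on a live sensor you would pass the real output of "apt-cache depends securityonion-iso" and "apt-get -s remove xplico" instead. The package versions in the samples are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Security Onion project: two checks to run
# before "apt-get remove xplico" on a sensor, so that the removal cannot drag
# the securityonion-* metapackages along. Both functions parse command output
# as text, so they are exercised here on constructed samples; on a live box
# pass the real output of "apt-cache depends securityonion-iso" and
# "apt-get -s remove xplico" instead.

# depends_on <dep> "<apt-cache depends output>"
# Returns 0 if the output lists <dep> on a "Depends:" line.
depends_on() {
    printf '%s\n' "$2" | grep -q "^ *Depends: $1\$"
}

# collateral_removals <pkg> <prefix> "<apt-get -s output>"
# apt-get -s prints one "Remv <name> [<version>]" line per package it would
# remove. Print every such name (other than <pkg>) that starts with <prefix>;
# return 1 if any were found, 0 if the removal is confined to <pkg>.
collateral_removals() {
    pkg=$1; prefix=$2; sim_output=$3
    found=$(printf '%s\n' "$sim_output" \
        | awk -v p="$pkg" -v pre="$prefix" \
              '$1 == "Remv" && $2 != p && index($2, pre) == 1 { print $2 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# safe_to_remove_xplico "<apt-cache depends securityonion-iso output>" "<apt-get -s remove xplico output>"
# Returns 0 only when securityonion-iso no longer depends on xplico AND the
# simulated removal touches no other securityonion-* package.
safe_to_remove_xplico() {
    depends_out=$1; sim_out=$2
    if depends_on xplico "$depends_out"; then
        echo "securityonion-iso still depends on xplico; install the updated securityonion-iso first" >&2
        return 1
    fi
    if ! collateral_removals xplico securityonion- "$sim_out" >/dev/null; then
        echo "removing xplico would also remove securityonion-* packages; aborting" >&2
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real system; versions are placeholders).
OLD_DEPENDS='securityonion-iso
  Depends: securityonion-all
  Depends: xplico'
NEW_DEPENDS='securityonion-iso
  Depends: securityonion-all'
OLD_SIM='Reading package lists...
Building dependency tree...
Remv securityonion-iso [OLD-VERSION]
Remv xplico [OLD-VERSION]'
NEW_SIM='Reading package lists...
Building dependency tree...
Remv xplico [OLD-VERSION]'

# Live usage on a sensor (uncomment):
# safe_to_remove_xplico "$(apt-cache depends securityonion-iso)" "$(apt-get -s remove xplico)" \
#     && sudo apt-get remove xplico
```

The simulated-removal check is the one that matters in practice: even after the dependency is gone from the metapackage's control file, apt's plan for the actual removal is the only authoritative statement of what would be uninstalled, so the script refuses unless that plan names nothing but xplico.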

Thanks
Thanks to Wes Lambert for testing the new package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Wednesday, November 8, 2017

securityonion-setup - 20120912-0ubuntu0securityonion248 now available for Security Onion!

securityonion-setup - 20120912-0ubuntu0securityonion248 is now available and should resolve the following issues:

Issue 1161: so-email: fix any references to sosetup
https://github.com/Security-Onion-Solutions/security-onion/issues/1161

Issue 1163: Setup: disable Xplico when choosing Evaluation Mode
https://github.com/Security-Onion-Solutions/security-onion/issues/1163

Thanks
Thanks to Wes Lambert for testing the new package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Wednesday, November 1, 2017

Elastic Stack Beta Release and Security Onion 14.04.5.4 ISO Image!

We're excited to announce that our Elastic stack integration has now reached Beta Release!  This Beta release includes a new 14.04.5.4 ISO image that contains these Beta components and all the latest Ubuntu and Security Onion updates as of October 31, 2017!

Previous Releases
To see our progress over the last few months, please see the previous announcements:
http://blog.securityonion.net/2017/03/towards-elk-on-security-onion.html
http://blog.securityonion.net/2017/06/towards-elastic-on-security-onion.html
http://blog.securityonion.net/2017/07/towards-elastic-on-security-onion.html
http://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html

Highlights of this Beta Release
  • Upgraded from Elastic 5.5.2 to 5.6.3
  • Each Docker container now runs using its own unique UID
  • Overview dashboard now shows total number of connected sensors
  • New Help dashboard includes introductory information and link to our Wiki
  • Hyperlinked more fields in Kibana dashboards for more pivoting capability
  • Added ability to automate setup of Elastic stack via sosetup.conf
  • Setup now automatically disables DomainStats if it detects whois failure
  • Setup now enforces minimum hardware requirements of 2 CPU cores and 8GB RAM
  • Lots of cleanup and fixes

Overview Dashboard now shows total number of connected sensors

Issues Resolved
Issue 1130: Elastic Stack Beta Release
https://github.com/Security-Onion-Solutions/security-onion/issues/1130

Issue 1094: 14.04.5.4 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/1094

Known Issues
As seen in the screenshot above, metric visualizations have unnecessary scroll bars.  This is a known issue in Kibana 5.6.3:
https://github.com/elastic/kibana/issues/13947

For this and other known issues, please see our RC1 list:
https://github.com/Security-Onion-Solutions/security-onion/issues/1132

Thanks
This new ISO image has been tested by Wes Lambert and Phil Plantamura.  Thanks, guys!

New Installations
We've updated the Verify_ISO page for the new ISO image:
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Please remember to verify the signature of the downloaded ISO image using the instructions on that page.
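As an added example (not code from the Security Onion project or its Verify_ISO page), the verification step above in shell form: compare the downloaded image with a published SHA256 digest, then verify its detached GPG signature, and accept the image only if both succeed. The sums-file layout ("<hex>  <filename>", the format sha256sum produces), the signature file name "<iso>.sig", and the assumption that the project's signing key has already been imported into the local keyring are all assumptions here, not details taken from the page; the demonstration files at the bottom are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from the Security Onion project. It carries out the
# two checks the Verify_ISO page asks for: compare the downloaded image with a
# published SHA256 digest, and verify its detached GPG signature. Assumptions
# (not from the page): the digest lives in a "<hex>  <filename>" sums file,
# the signature is "<iso>.sig", and the project's signing key has already
# been imported into the local keyring.

# check_sha256 <iso> <sumsfile>
# Looks up the digest recorded for <iso>'s basename and compares it with the
# file's actual SHA256. Returns 0 on match, 1 on mismatch or missing entry.
check_sha256() {
    iso=$1; sumsfile=$2
    expected=$(awk -v f="$(basename "$iso")" '$2 == f { print $1 }' "$sumsfile")
    [ -n "$expected" ] || { echo "no SHA256 listed for $iso" >&2; return 1; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# check_signature <iso>
# Verifies <iso>.sig over <iso>. Returns 0 on a good signature, 2 when gpg is
# not installed (so "not checked" is distinguishable from "bad"), 1 otherwise.
check_signature() {
    iso=$1
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --verify "$iso.sig" "$iso" || return 1
}

# verify_iso <iso> <sumsfile>
# Accept the image only if the digest matches and the signature verifies;
# a missing gpg is reported as a failure rather than silently skipped.
verify_iso() {
    iso=$1; sumsfile=$2
    check_sha256 "$iso" "$sumsfile" || { echo "$iso: SHA256 MISMATCH, do not use" >&2; return 1; }
    rc=0
    check_signature "$iso" || rc=$?
    case $rc in
        0) echo "$iso: SHA256 and signature OK" ;;
        2) echo "$iso: SHA256 OK but gpg not found, signature NOT verified" >&2; return 1 ;;
        *) echo "$iso: BAD signature, do not use" >&2; return 1 ;;
    esac
}

# Constructed demonstration files (stand-ins, not a real ISO or the project's
# published sums): a tiny "image", a matching sums file and a mismatching one.
demo_dir=$(mktemp -d)
printf 'stand-in image contents\n' > "$demo_dir/demo.iso"
( cd "$demo_dir" && sha256sum demo.iso > GOOD_SUMS )
printf '%064d  demo.iso\n' 0 > "$demo_dir/BAD_SUMS"

# Real usage, after importing the signing key as Verify_ISO describes
# (file names are placeholders):
# verify_iso securityonion-<version>.iso SHA256SUMS
```

The digest check alone only proves the download was not corrupted in transit; anyone who can alter the image can alter an unsigned sums file next to it, which is why verify_iso treats "gpg not available" as a failure instead of falling back to the hash.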

Please note! This ISO image includes the EXPERIMENTAL Elastic stack!

The Elastic components are included in the ISO image and Setup gives you an option of Stable Setup (ELSA) or Experimental Setup (Elastic). If you do not want to try the new Elastic stack, you can choose Stable Setup.  If you choose Experimental Setup, the usual disclaimers and warnings apply!
  • Experimental Setup is BLEEDING EDGE and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our ultimate Elastic configuration might look like.  This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Experimental Setup may result in nausea, vomiting, or a burning sensation.

For more about this Elastic Beta release, please see https://securityonion.net/wiki/elastic and the Screenshot tour at the bottom of this blog post.

Please note the following minimum hardware requirements for the Elastic stack:
  • 2 CPU cores
  • 8GB RAM

If you would prefer an ISO image with no Elastic components at all, you have a few options:



Existing Deployments
If you have existing ELSA installations based on a previous 14.04 ISO image, there is no need to download this new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you have existing Elastic installations (Technology Previews or Alpha), we don't officially support upgrading to newer releases.  However, if you're running Alpha, you can try the steps listed here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Alpha-to-Beta
If all else fails, you can perform a fresh installation using this Beta ISO image.

Release Notes
For more information about this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Security-Onion-14.04-Release-Notes

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
We have a 4-day Security Onion training class coming up in San Antonio, Texas!  For this and other training options, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Screenshot Tour
The original post shows a screenshot for each of the following; only the captions are reproduced here.
  • Security Onion 14.04.5.4 20171031
  • Setup
  • Network Configuration
  • Stable Setup vs Experimental Setup
  • Experimental Setup - Warnings and Disclaimers
  • Evaluation Mode vs Production Mode
  • Monitor (Sniffing) Interface
  • Creating Username
  • Setting Password
  • Confirming Password
  • Confirming Options
  • Setup Complete
  • Single Sign On (SSO) for Squert, CapMe, and Kibana
  • Squert
  • CapMe
  • Overview
  • Help
  • Bro - Notices
  • ElastAlert
  • OSSEC Alerts
  • NIDS Alerts
  • Bro - Connections
  • Bro - DCE/RPC
  • Bro - DHCP
  • Bro - DNP3
  • Bro - DNS
  • Bro - Files
  • Bro - FTP
  • Bro - HTTP
  • Bro - Intel
  • Bro - IRC
  • Bro - Kerberos
  • Bro - Modbus
  • Bro - MySQL
  • Bro - NTLM
  • Bro - PE
  • Bro - RADIUS
  • Bro - RDP
  • Bro - RFB
  • Bro - SIP
  • Bro - SMB
  • Bro - SMTP
  • Bro - SNMP
  • Bro - Software
  • Bro - SSH
  • Bro - SSL
  • Bro - Syslog
  • Bro - Tunnels
  • Bro - Weird
  • Bro - X.509
  • Autoruns
  • OSSEC Logs
  • Sysmon
  • Firewall
  • Stats
  • Syslog

UPDATED 2017/11/18 - Updated Existing Deployments section to include link to Wiki article on upgrading from Alpha to Beta.