Thursday, February 15, 2018

Suricata 4.0.4 now available for Security Onion!

Suricata 4.0.4 is now available!

Issues Resolved
Suricata 4.0.4 #1177
https://github.com/Security-Onion-Solutions/security-onion/issues/1177

Thanks
Thanks to the Suricata team for all their work on Suricata!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Wednesday, February 14, 2018

securityonion-sostat - 20120722-0ubuntu0securityonion88 now available for Security Onion!

securityonion-sostat - 20120722-0ubuntu0securityonion88 is now available!

Issues Resolved
Issue 1206: sostat: improve ELSA buffers check
https://github.com/Security-Onion-Solutions/security-onion/issues/1206

Thanks
Thanks to Ian Brown for submitting the pull request!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, February 12, 2018

Squert 1.7.1 now available for Security Onion!

Squert 1.7.1 is now available!

Issues Resolved
Issue 1203: Squert: render payload for bro_agent
https://github.com/Security-Onion-Solutions/security-onion/issues/1203

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, February 5, 2018

Elastic Stack 6.1.3 Docker images now available for Security Onion!

Elastic Stack 6.1.3 was released last week with some important fixes:
https://www.elastic.co/blog/kibana-6-1-3-and-5-6-7-released

We've built new Docker images and they are now available for updating.

Issues Resolved
Issue 1201: Elastic Stack 6.1.3
https://github.com/Security-Onion-Solutions/security-onion/issues/1201

Thanks
Thanks to Wes Lambert for testing these Docker images!

Updating
If you're not running the Elastic stack, this update does not apply to you.

If you're running Elastic Stack Release Candidate 1, you can follow our standard update instructions:
https://securityonion.net/wiki/Upgrade

If you're running an older version of the Elastic Stack, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-RC1

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions offers onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, January 29, 2018

Security Onion Elastic Stack Release Candidate 1 and Security Onion 14.04.5.7 ISO Image!

We're excited to announce that our Elastic stack integration has now reached Release Candidate 1 (RC1)!  RC1 includes a new 14.04.5.7 ISO image that contains these RC1 components and all the latest Ubuntu and Security Onion updates as of January 26, 2018!

Previous Releases
To see our progress over the last few months, please see the previous announcements:
http://blog.securityonion.net/2017/03/towards-elk-on-security-onion.html
http://blog.securityonion.net/2017/06/towards-elastic-on-security-onion.html
http://blog.securityonion.net/2017/07/towards-elastic-on-security-onion.html
http://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html
http://blog.securityonion.net/2017/11/elastic-stack-beta-release-and-security.html
http://blog.securityonion.net/2017/11/elastic-stack-beta-2-release-and.html
http://blog.securityonion.net/2017/12/security-onion-elastic-stack-beta-3.html

RC1 Highlights

  • Upgraded from Elastic 5.6.5 to 6.1.2
  • Setup now includes an option for a forward-only sensor that doesn't run any Elastic components locally.  Instead, syslog-ng forwards all logs to the master server via ssh tunnel.  To try this option, run Setup, choose Experimental Setup, Production Mode, Sensor, Custom, enable Elastic Stack, forward to master server.
  • Lots of cleanup and fixes

Elastic Stack 6.1.2
Issues Resolved
Issue 1179: Elastic Stack Release Candidate 1
https://github.com/Security-Onion-Solutions/security-onion/issues/1179

Issue 1184: 14.04.5.7 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/1184

This new ISO image has been tested by Wes Lambert.  Thanks, Wes!

Known Issues
For known issues, please see the todo list for our next release:
https://github.com/Security-Onion-Solutions/security-onion/issues/1198

Thanks
Special thanks to the following for their contributions to our Elastic Stack integration!

  • Elastic.co
  • Justin Henderson
  • Mark Baggett

New Installations
We've updated the Verify_ISO page for the new ISO image:
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Please remember to verify the signature of the downloaded ISO image using the instructions on that page.

Please note! This ISO image includes the EXPERIMENTAL Elastic stack!

The Elastic components are included in the ISO image and Setup gives you an option of Stable Setup (ELSA) or Experimental Setup (Elastic). If you do not want to try the new Elastic stack, you can choose Stable Setup.  If you choose Experimental Setup, the usual disclaimers and warnings apply!

  • Experimental Setup is BLEEDING EDGE and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our ultimate Elastic configuration might look like.  This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Experimental Setup may result in nausea, vomiting, or a burning sensation.

For more about Elastic Release Candidate 1, please see https://securityonion.net/wiki/elastic and the Screenshot tour at the bottom of this blog post.

Please note the following minimum hardware requirements for the Elastic stack:

  • 2 CPU cores
  • 8GB RAM

If you would prefer an ISO image with no Elastic components at all, you have a few options:

  • Install the older Security Onion 14.04.5.2 ISO image and then run "sudo soup"

OR


Feedback
We want to hear from you!  What works well?  What could be improved?  Please send feedback to our mailing list and include "Elastic RC1" in the Subject:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Existing Deployments
If you have existing ELSA installations based on a previous 14.04 ISO image, there is no need to download this new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you have existing Elastic installations (Technology Previews, Alpha, or Beta), we don't officially support upgrading to newer releases, but you can try the steps listed here:
https://securityonion.net/wiki/elastic-rc1

Release Notes
For more information about this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Security-Onion-14.04-Release-Notes

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
We offer onsite and online training!  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Screenshot Tour

Screenshot captions (images not reproduced here):

  • Security Onion 14.04.5.7 20180126
  • Welcome to Setup
  • Network Configuration
  • Stable Setup vs Experimental Setup
  • Experimental Setup - Warnings and Disclaimers
  • Evaluation Mode vs Production Mode
  • Monitor (Sniffing) Interface
  • Creating Username
  • Creating Password
  • Confirming Password
  • Confirming Options
  • Setup Complete
  • Single Sign On (SSO) for Squert, CapMe, and Kibana
  • Squert
  • CapMe
  • Kibana Overview Dashboard
  • Help
  • Bro Notices
  • ElastAlert
  • OSSEC HIDS Alerts
  • NIDS Alerts from Snort or Suricata
  • Bro - Connections
  • Bro - DCE/RPC
  • Bro - DHCP
  • Bro - DNP3
  • Bro - DNS
  • Bro - Files
  • Bro - FTP
  • Bro - HTTP
  • Bro - Intel
  • Bro - IRC
  • Bro - Kerberos
  • Bro - Modbus
  • Bro - MySQL
  • Bro - NTLM
  • Bro - PE
  • Bro - RADIUS
  • Bro - RDP
  • Bro - RFB
  • Bro - SIP
  • Bro - SMB
  • Bro - SMTP
  • Bro - SNMP
  • Bro - Software
  • Bro - SSH
  • Bro - SSL
  • Bro - Syslog
  • Bro - Tunnels
  • Bro - Weird
  • Bro - X.509
  • Autoruns
  • Beats
  • OSSEC
  • Sysmon
  • Domain Stats
  • Firewall
  • Frequency Analysis
  • Stats
  • Syslog