Wednesday, October 18, 2017

Bro 2.5.2 now available for Security Onion!

Bro 2.5.2 was released recently:
http://blog.bro.org/2017/10/bro-252-242-release-security-update.html
https://www.bro.org/download/NEWS.bro.html
https://www.bro.org/download/CHANGES.bro.txt

The following packages are now available:

securityonion-bro - 2.5.2-1ubuntu1securityonion2
securityonion-bro-scripts - 20121004-0ubuntu0securityonion51

These new packages should resolve the following issues:

Issue 1144: Bro 2.5.2
https://github.com/Security-Onion-Solutions/security-onion/issues/1144

Thanks
Thanks to the Bro team for Bro 2.5.2!
Thanks to Wes Lambert for testing these new packages!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
We have a 4-day Security Onion training class coming up in San Antonio, Texas!  For this and other training options, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, October 16, 2017

Security Advisory for Security Onion Elastic Alpha

Applicability
This security advisory only applies to Security Onion Elastic Alpha.  If you're running the stable version of Security Onion (ELSA instead of Elastic), this does not apply to you.  Since this advisory only applies to Security Onion Elastic Alpha, please be reminded of the usual warnings and disclaimers:

  • Experimental Setup is ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our ultimate Elastic configuration might look like. This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Experimental Setup may result in nausea, vomiting, or a burning sensation.

Introduction
Security Onion Elastic Alpha runs the Elastic stack (Elasticsearch, Logstash, and Kibana).  UFW, the host-based firewall, is configured to only allow connections to port 22 by default.  Apache is configured as a proxy to authenticate users before accessing Kibana.  Therefore, the original intention of the design was that a user would run Setup and then run so-allow to allow their workstation IP to connect over the network to port 443 where Apache was proxying Kibana and requiring authentication.  However, due to incorrect Docker parameters, Kibana and Elasticsearch ports were being published directly to the network allowing users to bypass both the UFW firewall and the Apache proxy and access Kibana and Elasticsearch directly with no authentication.  This has been corrected in the lastest securityonion-elastic package (securityonion-elastic - 20171011-1ubuntu1securityonion1).

Resolution
If you're running the stable version of Security Onion (ELSA instead of Elastic), there is nothing to do.

If you're running Security Onion Elastic Alpha and you've already run Setup, please run the following:
sudo soup
sudo so-elastic-restart
If you haven't yet run Setup and are planning to choose the Experimental option to enable the Elastic stack, just make sure that you run "sudo soup" before running Setup.

Discussion
Previously, our so-elastic-start script would start containers using a --publish parameter like this (in the case of Kibana):
--publish 5601:5601

If you were to then examine the host-based firewall configuration, you would see that only port 22 is open by default:


However, if you were to port scan the box remotely, you would see more than port 22 open:


Now let's install the new securityonion-elastic package (securityonion-elastic - 20171011-1ubuntu1securityonion1):
sudo soup

This new package starts containers using a --publish parameter that only publishes to localhost like this (in the case of Kibana):
--publish 127.0.0.1:5601:5601

securityonion-elastic - 20171011-1ubuntu1securityonion1 makes the following changes:

  • so-kibana publishes port 5601 to 127.0.0.1 only
  • so-elasticsearch publishes ports 9200 and 9300 to 127.0.0.1 only
  • so-logstash publishes ports 6050, 6051, 6052, and 6053 to 127.0.0.1 only
  • so-freqserver no longer publishes port 10004
  • so-domainstats no longer publishes port 20000



Now we need to restart the Docker containers:
sudo so-elastic-restart

Finally, we re-run the remote port scan to verify that only port 22 is open:


More Information
For more information, please see:
http://blog.viktorpetersson.com/post/101707677489/the-dangers-of-ufw-docker
https://github.com/moby/moby/issues/4737

Thanks
Special thanks to Todd Carlson for responsibly disclosing this security issue per our Security page:
https://securityonion.net/security

Timeline
All times below are in Eastern time.
10/10/2017 10:02 PM - Received initial notification from Todd Carlson.
10/11/2017 8:35 AM - Confirmed receipt of email, confirmed issue, and committed initial fix.
10/11/2017 9:52 AM - Built new securityonion-elastic package and asked Todd to test and confirm.
10/12/2017 8:18 PM - Received confirmation from Todd that the new package resolved the issue.
10/16/2017 7:20 AM - Pushed new securityonion-elastic package to stable repo.

Wednesday, October 4, 2017

securityonion-sostat - 20120722-0ubuntu0securityonion77 now available for Security Onion!

The following package is now available:
securityonion-sostat - 20120722-0ubuntu0securityonion77

This package should resolve the following issues:

Issue 1129: sostat: replace localhost:9200 with $ELASTICSEARCH variables sourced from /etc/nsm/securityonion.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/1129

Issue 1133: sostat: silence progress output for curl requests
https://github.com/Security-Onion-Solutions/security-onion/issues/1133

Issue 1136: sostat: provide Docker container interface correlation
https://github.com/Security-Onion-Solutions/security-onion/issues/1136

Issue 1137: soup: remove "One or more docker images have been updated."
https://github.com/Security-Onion-Solutions/security-onion/issues/1137

Thanks
Thanks to Wes Lambert for his work on this new package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
We have a 4-day Security Onion training class coming up in San Antonio, Texas!  For this and other training options, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!