Wednesday, January 5, 2011

Security Onion 20110101

Security Onion Live 20110101 is now available! Thanks to Matt Jonkman and Emerging Threats for hosting! You can download the ISO here:

If you have any problems or would like to request new features, please submit an issue here:

Changelog
  • All Xubuntu 10.04 updates as of release date.
  • Snort updated to 2.9.0.3.
  • Suricata updated to 1.1beta1.
  • Barnyard2 updated to 1.9 Stable.
  • Vortex updated to 2.9.0.
  • Installed OSSEC for host-based intrusion detection.
  • Installed Squert web interface for Sguil.
  • Installed Armitage GUI interface for Metasploit.
  • Many improvements to Setup script for user-friendliness and capability.

Please note!
In previous releases of Security Onion, Snort and Sguil were automatically configured for eth0.  This is no longer the case.  The Setup script on the Desktop is now used to choose your IDS engine, select the network interfaces it should listen on, and start the Sguil services.

What is Security Onion?
The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveDVD is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.

What can it be used for?
  • The Security Onion LiveDVD can be used for Intrusion Detection. Simply boot the DVD, double-click the Setup desktop shortcut, and follow the prompts. Once Setup completes, then double-click the Sguil desktop shortcut to launch the GUI and view/investigate the alerts. (This is fine for temporary or demo environments, but production environments should not run from the LiveDVD environment. See installation information below.)
  • The Security Onion LiveDVD can be used to test an Intrusion Detection System. Simply boot the DVD and use the included tools (such as nmap, scapy, hping, metasploit, and others) to test your existing IDS or to test the included Snort and Suricata IDS/IPS engines.
  • The Security Onion LiveDVD can be used to install an Intrusion Detection System. Simply boot the DVD and choose the Install option in the Boot Menu or boot into the full live Desktop and double-click the Install desktop shortcut. Once you've completed the installation process and have rebooted into your new installation, you will want to install any available Ubuntu updates and then double-click the Setup desktop shortcut to configure Security Onion.

System Requirements

512MB RAM is a minimum. 1GB or more is recommended.

Extra Packages installed from repositories
apache2.2-common argus-client argus-server autopsy bison bittwist build-essential chaosreader chkconfig chkrootkit cryptcat curl daemonlogger dcfldd ddrescue dkms driftnet dsniff flawfinder flex foremost fwsnort ghex gpart gparted hping3 httptunnel hunt ifenslave-2.6 iisemulator inundator iptraf irb john labrea lame lfhex libapache2-mod-php5 libcap-ng-dev libcrypt-ssleay-perl libdl-ruby libdumbnet-dev libiconv-ruby liblua5.1-0-dev libncurses5 libncurses5-dev libnet1-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libnids-dev libopenssl-ruby libpcap-dev libpcre3-dev libreadline6-dev libreadline-ruby libsqlite3-dev libsqlite3-ruby libssl-dev libyaml-dev libyaml-ruby md5deep mtr mysql-server netsed netsniff-ng ngrep nmap ntp oinkmaster ophcrack ostinato p0f php5-cli php5-common php5-sqlite pkg-config pbnj pscan ptunnel python-all python-dev python-scapy rats recode remastersys ri ruby rubygems scanmem sdd sleuthkit sniffit sox splint ssdeep ssldump sslsniff sqlite steghide subversion tcl8.3 tcpick tcpreplay tcpslice tcpstat tcpxtract tct testdisk traceroute tshark udptunnel unhide uuid uuid-dev xtightvncviewer xprobe yersinia zenmap zlib1g-dev

Extra Packages installed from other sources
Snort
Suricata
Vortex IDS
Bro IDS
ABCIP
Dumbpig
NSMnow (includes Sguil, Barnyard2, Sancp, etc)
OSSEC
Squert
Xplico
hogger
SnortValidator
Metasploit

Disclaimer of Warranty
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM .AS IS. WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Limitation of Liability
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9 comments:

Richard Bejtlich said...

Doug, is there a recommended way to upgrade from an existing SecurityOnion installation (i.e., installed to HDD setup)? Thank you.

Doug Burks said...

Hi Richard,

Unfortunately, there is no in-place upgrade path at the present time. You'll have to do a complete installation from the new ISO.

I've created Issue 68 to add this as an option in the future:
http://code.google.com/p/security-onion/issues/detail?id=68

Regards,
Doug Burks

Richard Bejtlich said...

Ok, thanks Doug!

Doug Burks said...

There is now an upgrade script that will do an in-place upgrade from 20110101 to 20110116. For more information, please see:
http://securityonion.blogspot.com/2011/01/security-onion-20110116.html

Patrick said...

Doug this is amazing!!!!!....I have been searching for days on how to combine snort and ossec along with reporting options. Thank you so much for all you have done with this project.

PS...is it possible to update individual programs within Security onion?

Doug Burks said...

Hi Patrick,

Thanks for using Security Onion!

Yes, it's possible to update individual programs within Security Onion. What particular programs are you wanting to update?

Thanks,
Doug Burks

Patrick said...

Wow Doug that was a fast response!!..For example when snort comes out with a new release or something like that....

Doug Burks said...

Yes, I'm going to try to keep up with the latest Snort releases. So whenever a new version of Snort comes out, keep an eye on this blog for an upgrade script that will install that new version of Snort for you. You may want to join the Security Onion mailing list to make sure you are notified.

Patrick said...

DONE!!!!....I'm on the list!

you are the Man... Doug!!

Thanks