Friday, December 23, 2011

Security Onion 20111222 now available!

Security Onion 20111222 is now available!  This resolves the following issue:
Issue 51: Snorby

Snorby is a modern web interface for Network Security Monitoring:
The new hotness
A few things to note:

  • The Snorby database is totally separate from the Sguil database.  This means that you will have a separate user account to log into Snorby.  It also means that any events that you classify in Snorby are not reflected back into the Sguil database.
  • A new output is added to the barnyard2 configuration to send events to the Snorby database.  Remote sensors establish an SSH tunnel to the server to encrypt the MySQL traffic.
  • This is just the initial integration of Snorby.  In the future we'll add things like full packet capture support and Dustin's new unified2 library.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

The Setup wizard has been updated to support Snorby.  You will create a username for Sguil/Squert and a separate username for Snorby (your email address).  The password that you enter will be used for both Sguil/Squert and Snorby.
Updated Setup Wizard

Entering email address for Snorby

Same password will be used for both Sguil/Squert and Snorby

Double-click the Snorby desktop shortcut

Login using the email address and password you specified in Setup

If necessary, generate some IDS alerts using "curl"

View your IDS alerts on the Events tab

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L > ~/ && bash ~/"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

If you have one or more slave sensors reporting to a central master server, always upgrade the master first!

Since Snorby and Sguil have separate databases, your existing Sguil credentials will not allow you to log into Snorby.  The in-place upgrade process will generate a username and random password for your initial Snorby login.  You should immediately login with your temporary credentials and change them.

Completing upgrade of an existing system

Double-click the Snorby desktop shortcut or use the URL shown in the upgrade

Login using the credentials shown in the upgrade

Click "Settings" to change your username/password

Set your new credentials

Login using your new credentials

If necessary, generate some alerts with "curl"
View your IDS alerts on the Events tab

If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!

Merry Christmas!


kushida said...

Christmas came early! This has been on my Security Onion wish list for a while. Sweet and much thanks!

Mark M said...

Doug you rock! Great job as usual and another awesome addition to Security Onion!
Mark M

Anonymous said...

wow i just came across this site today for the first time. downloading my onion right now! can't wait to try it. thanks Doug!!