Monday, May 22, 2017

Only 3 weeks left to register for 4-day Security Onion Training in Alexandria VA!

Registration for our 4-day training in Alexandria VA closes on June 12, so there are only three weeks left to sign up!

For more details and to register, please see:
https://securityonionsolutions.com/onsitetraining

Friday, May 12, 2017

Only 1 month left to register for 4-day Security Onion Training in Alexandria VA!

Registration for our 4-day training in Alexandria VA closes on June 12, so there is only one month left to sign up!

For more details and to register, please see:
https://securityonionsolutions.com/onsitetraining

Monday, May 8, 2017

Only 1 week left for Early Bird discount for 4-day training in Augusta GA!

The earlybird discount for the 4-day training class in Augusta GA is still valid for one more week (expires on May 15).  When registering, please enter the following promotional code to receive your 15% discount!
earlybird

For more details and to register, please see:
https://securityonionsolutions.com/onsitetraining

Tuesday, April 18, 2017

Wes Lambert has joined Security Onion Solutions LLC as Senior Engineer

If you've been a part of the Security Onion community for any amount of time, chances are you've seen Wes Lambert answer questions, test new packages, and submit pull requests.  I'm excited to announce that Wes is now an official employee of Security Onion Solutions LLC.

Congratulations, Wes, and welcome aboard!

Friday, April 14, 2017

Security Onion Conference 2017 CFP

This year's Security Onion Conference will be held in Augusta, GA on Friday, September 15, 2017 (please mark your calendar!). Registration will open in June.

CFP

Want to speak at Security Onion Conference? We want to hear from you!

How are you...
...using Security Onion to fight evil?
...handling lots of traffic using Security Onion?
...integrating Security Onion with other technologies?
...automating common tasks with your own scripts?

Each talk should be 30 minutes with an additional 10 minutes for questions.

Submit your talk here: https://securityonion.net/cfp

Schedule

April 14 - CFP open
June 5 - CFP closes
June 29 - Speakers selected and notified
June 29 - Registration opens
September 11-14 - Security Onion 4-day training in Augusta
September 15 - Security Onion Conference
September 16 - BSides Augusta

Thursday, March 16, 2017

Towards ELK on Security Onion: A Technology Preview

Over the last few years, we've had lots of folks ask for ELK (Elasticsearch, Logstash, and Kibana) on Security Onion.  The time has come to begin working towards ELK on Security Onion!

In the grand tradition of "release early, release often", we're releasing a very early Technology Preview of what ELK on Security Onion might look like.  This Technology Preview consists of a script that will take a Security Onion VM in Evaluation Mode and convert it from ELSA to ELK.  We're releasing this now because we want to get your feedback as early as possible in this project.

Thanks
Special thanks to Justin Henderson for his Logstash configs and installation guide!
https://github.com/SMAPPER/Logstash-Configs

Special thanks to Phil Hagen for all his work on SOF-ELK!
https://github.com/philhagen/sof-elk

Warnings and Disclaimers

  • This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This script is a work in progress and is in constant flux.
  • This script is intended to build a quick prototype proof of concept so you can see what our ultimate ELK configuration might look like.  This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This script should only be run on a TEST box with TEST data!
  • This script is only designed for standalone boxes and does NOT support distributed deployments.
  • Use of this script may result in nausea, vomiting, or a burning sensation.

Bring on the ELK
Enough disclaimers?  Let's do this!

Start with a disposable TEST VM with the following minimum requirements:

  • 2 CPU cores
  • 4GB RAM
  • 20GB virtual hard drive
  • (1) management interface with full Internet access
  • (1) sniffing interface (separate from management interface)
  • Security Onion 14.04.5.2 ISO image installed
  • Setup ran in Evaluation Mode

Download the script:
wget https://raw.githubusercontent.com/Security-Onion-Solutions/elk-test/master/securityonion_elsa2elk.sh
Run the script with sudo privileges:
sudo bash securityonion_elsa2elk.sh
Please read through all the WARNINGS and DISCLAIMERS and ONLY proceed if you agree.

The script will take at least 10 minutes depending on the speed of your hardware and Internet connection.

After a minute or two, you should be able to access Kibana via the following URL:
https://localhost/app/kibana

You should see our new Security Onion login window.  Enter the same credentials that you use to log in to Sguil and Squert.  This login window provides single sign-on for both Kibana and CapMe to allow seamless pivoting to full packet capture!

Once logged into Kibana, you will automatically start on our Overview dashboard and you will see links to other dashboards as well.  These dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.

As you search through the data in Kibana, you should see Bro logs, syslog, and Snort alerts.  Logstash should have parsed out most fields in most Bro logs and Snort alerts.

Notice that the search panels at the bottom of the dashboards display the source_ip and destination_ip fields with hyperlinks.  These hyperlinks will take you to a dashboard that will help you analyze the traffic relating to that particular IP address.

UID fields are also hyperlinked.  This hyperlink will start a new Kibana search for that particular UID.  In the case of Bro UIDs this will show you all Bro logs related to that particular connection.

Each log entry also has an _id field that is hyperlinked.  This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type!  This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log.  CapMe should try to do the following:

  • retrieve the _id from Elasticsearch
  • parse out timestamp
  • if it is a Bro log, parse out the CID (the Bro connection uid); otherwise parse out src IP, src port, dst IP, and dst port
  • query Elasticsearch for those terms and try to find the corresponding bro_conn log
  • parse out sensor name (hostname-interface)
  • send a request to sguild to request pcap from that sensor name
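The pivot described above, modelled as an added example (not code from Security Onion or CapMe): an in-memory dict of constructed log documents stands in for Elasticsearch, no request is actually sent to sguild, and every field name other than the ones the post names (_id, uid, source_ip, destination_ip, bro_conn) is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents keyed by _id, standing in for an Elasticsearch index.
# Assumed field names: @timestamp (Logstash's default), type, source_port,
# destination_port, protocol and sensor_name ("hostname-interface").
INDEX = {
    "AVr1conn0001": {
        "type": "bro_conn", "@timestamp": "2017-03-16T14:05:02.000Z",
        "uid": "CHhAvVGS1DHFjwGM9", "protocol": "tcp", "sensor_name": "sensor1-eth1",
        "source_ip": "10.0.0.5", "source_port": 51234,
        "destination_ip": "198.51.100.7", "destination_port": 443,
    },
    "AVr1http0002": {  # a Bro http.log entry for the same connection
        "type": "bro_http", "@timestamp": "2017-03-16T14:05:03.000Z",
        "uid": "CHhAvVGS1DHFjwGM9",
        "source_ip": "10.0.0.5", "destination_ip": "198.51.100.7",
    },
    "AVr1snort0003": {  # a Snort alert on that connection: no uid, only the 4-tuple
        "type": "snort", "@timestamp": "2017-03-16T14:05:10.000Z",
        "source_ip": "10.0.0.5", "source_port": 51234,
        "destination_ip": "198.51.100.7", "destination_port": 443, "protocol": "tcp",
    },
    "AVr1snort0004": {  # a Snort alert for traffic Bro never recorded in conn.log
        "type": "snort", "@timestamp": "2017-03-16T14:20:00.000Z",
        "source_ip": "10.0.0.9", "source_port": 40000,
        "destination_ip": "203.0.113.53", "destination_port": 53, "protocol": "udp",
    },
}

# Assumed tolerance when matching a non-Bro log to conn.log by its 4-tuple.
CONN_WINDOW = timedelta(minutes=5)
TUPLE = ("source_ip", "source_port", "destination_ip", "destination_port")


def parse_ts(value):
    """Step 2: parse the log's timestamp (ISO 8601 with milliseconds, UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_conn(index, log):
    """Steps 3 and 4: derive the search terms and find the matching bro_conn document."""
    conns = [d for d in index.values() if d["type"] == "bro_conn"]
    if log["type"].startswith("bro_"):
        # Every Bro log for a connection carries its uid, so that alone finds conn.log.
        return next((d for d in conns if d["uid"] == log["uid"]), None)
    # Other logs (Snort alerts, syslog) only carry the 4-tuple; match it near the log's time.
    ts = parse_ts(log["@timestamp"])
    for doc in conns:
        same_tuple = all(k in log and doc[k] == log[k] for k in TUPLE)
        if same_tuple and abs(parse_ts(doc["@timestamp"]) - ts) <= CONN_WINDOW:
            return doc
    return None


def pcap_request(index, doc_id):
    """Build the request CapMe would hand to sguild for the log with this _id.
    Returns None when the log cannot be tied to a tcp/udp connection Bro recorded."""
    log = index.get(doc_id)                       # step 1: retrieve the _id
    if log is None:
        return None
    ts = parse_ts(log["@timestamp"])              # step 2: timestamp
    conn = find_conn(index, log)                  # steps 3 and 4: locate conn.log entry
    if conn is None or conn.get("protocol") not in ("tcp", "udp"):
        return None
    return {                                      # steps 5 and 6: sensor name plus the stream
        "sensor_name": conn["sensor_name"],
        "timestamp": ts.isoformat(),
        "src_ip": conn["source_ip"], "src_port": conn["source_port"],
        "dst_ip": conn["destination_ip"], "dst_port": conn["destination_port"],
        "proto": conn["protocol"],
    }


if __name__ == "__main__":
    for doc_id in INDEX:
        print(doc_id, "->", pcap_request(INDEX, doc_id))
```

The fourth document shows the failure mode the post mentions: a log whose traffic never made it into conn.log yields no pcap request.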

Previously, in Squert, you could pivot from an IP address to ELSA.  That pivot has been removed and replaced with a pivot to ELK.

Screenshots (captions only)

  • Using wget to download the script
  • Running the script as root with "sudo bash securityonion_elsa2elk.sh"
  • TODO and HARDWARE REQUIREMENTS
  • Thanks to Justin Henderson and Phil Hagen!
  • WARNINGS and DISCLAIMERS
  • Instructions at end of script
  • New Security Onion login window (use your existing Sguil/Squert credentials) provides single sign-on for both Kibana and CapMe
  • Overview Dashboard contains graphs and links to other dashboards
  • All of our dashboards include a search panel at the bottom so you can quickly drill into details
  • Indicator Dashboard is great for seeing the most interesting data types for a particular IP address
  • Notices Dashboard shows Bro Notices
  • NIDS Dashboard shows NIDS alerts from Snort or Suricata
  • Bro_conn Dashboard allows you to slice and dice Bro's conn.log
  • Bro_dns Dashboard allows you to slice and dice Bro's dns.log
  • Bro_http Dashboard allows you to slice and dice Bro's http.log
  • Bro_ssl Dashboard allows you to slice and dice Bro's ssl.log
  • Scrolling down the Bro_http Dashboard, we see raw logs with hyperlinks to pivot to further information
  • Clicking the source IP address in the previous screenshot takes us to the Indicator Dashboard for the source IP
  • Clicking the destination IP address takes us to the Indicator Dashboard for the destination IP
  • Clicking the uid field takes us to the Indicator Dashboard for the Bro connection ID
  • Clicking the _id hyperlink takes us to CapMe to retrieve full packet capture for that stream

Feedback
We're releasing this now because we want to get your feedback as early as possible in this project.  Please try it out and send your feedback to our mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

What do you think?

What works well?

What needs to be improved?

Any questions or other comments?

Thanks in advance for any and all feedback!

UPDATE 2017-03-16 Fixed link to Justin Henderson's github repo

Tuesday, February 21, 2017

Suricata 3.2.1 now available for Security Onion!

Suricata 3.2.1 was recently released:
https://suricata-ids.org/2017/02/15/suricata-3-2-1-available/

I've packaged it and the following package is now available:
securityonion-suricata - 3.2.1-1ubuntu1securityonion1

This new package should resolve the following issue:

Suricata 3.2.1 #1081
https://github.com/Security-Onion-Solutions/security-onion/issues/1081

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your suricata.yaml file(s)
  • update ruleset and restart Suricata as follows:

    sudo rule-update

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Need Training?
We have 3-hour online training classes in March:
https://securityonionsolutions.com/onlinetraining

We also have 4-day onsite training classes in June and September, with an early bird discount for a limited time:
http://blog.securityonion.net/2017/02/early-bird-discounts-for-security-onion.html

Conference
Our annual Security Onion Conference will be Friday September 15, 2017:
https://securityonion.net/conference

Support
Need support?  Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Support

Thanks!

Monday, February 20, 2017

Security Onion 14.04.5.2 ISO image now available!

We have a new Security Onion 14.04.5.2 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of January 30, 2017!

This resolves the following issue:

Issue 880: 14.04.5.2 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/880

This new ISO image has been tested by Wes Lambert.  Thanks, Wes!

New Installations
I've updated the Verify_ISO page for the new ISO image:
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Please remember to verify the signature of the downloaded ISO image using the instructions on that page.

Existing Deployments
If you have existing installations based on a previous 14.04 ISO image, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Release Notes
For more information about this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Security-Onion-14.04-Release-Notes

Monday, February 13, 2017

Early Bird Discount for Security Onion 4-day Training Classes

Our wildly popular 4-day onsite training class has been scheduled for Alexandria VA in June and Augusta GA in September!

The following discount code is good for 15% off either of those classes for a limited time!
earlybird

For the Alexandria VA class, the earlybird discount code expires on March 15.

For the Augusta GA class, the earlybird discount code expires on May 15.

For more details and to register, please see:
https://securityonionsolutions.com/onsitetraining

If you can't attend the onsite classes, our next live session of online training will be March 13, 2017 through March 16, 2017.  For more details and to register, please see:
https://securityonionsolutions.com/onlinetraining

Monday, January 30, 2017

Xplico 1.2.0 now available for Security Onion!

Thanks to GitHub user "bugcrash" for finding and reporting several segmentation faults in Xplico!  These issues have been resolved in Xplico 1.2.0:
https://github.com/xplico/xplico/releases/tag/v1.2.0

I've packaged Xplico 1.2.0 and nDPI 1.8 and the following packages are now available in our stable repo:
securityonion-ndpi - 1.8-1ubuntu1securityonion1
xplico - 1.2.0ubuntu1securityonion5

These new packages should resolve the following issues:

Xplico 1.2.0 #863
https://github.com/Security-Onion-Solutions/security-onion/issues/863

Segmentation fault /opt/xplico/bin/msite #1041
https://github.com/Security-Onion-Solutions/security-onion/issues/1041

Segmentation fault /opt/xplico/bin/trigcap #1045
https://github.com/Security-Onion-Solutions/security-onion/issues/1045

Segmentation fault /opt/xplico/bin/mfile #1046
https://github.com/Security-Onion-Solutions/security-onion/issues/1046

Segmentation fault /opt/xplico/bin/mfbc #1047
https://github.com/Security-Onion-Solutions/security-onion/issues/1047

Segmentation fault /opt/xplico/bin/mwebymsg #1048
https://github.com/Security-Onion-Solutions/security-onion/issues/1048

Segmentation fault /opt/xplico/bin/mwmail #1049
https://github.com/Security-Onion-Solutions/security-onion/issues/1049

Segmentation fault /opt/xplico/bin/xplico #1050
https://github.com/Security-Onion-Solutions/security-onion/issues/1050

Segmentation fault /opt/xplico/bin/mpaltalk #1051
https://github.com/Security-Onion-Solutions/security-onion/issues/1051

These packages have been tested by Wes Lambert.  Thanks, Wes!

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions provides onsite, online, and on-demand training.  For more information, please see:
https://securityonionsolutions.com

Conference
Our annual Security Onion Conference will be Friday September 15, 2017:
https://securityonion.net/conference

Support
Need support?  Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Support

Thanks!

Tuesday, January 24, 2017

Squert 1.6.4 now available for Security Onion!

Pete Nelson submitted a pull request to improve Squert's ip2c cron job.  I've merged this pull request and also fixed an error when trying to remove comments.  The new package version is as follows:
securityonion-squert - 20161212-1ubuntu1securityonion12

This should resolve the following issues:

Issue 1066: Squert: error when removing comment
https://github.com/Security-Onion-Solutions/security-onion/issues/1066

Issue 1067: Squert: ip2c avoid hard loop when file unavailable
https://github.com/Security-Onion-Solutions/security-onion/issues/1067

This package has been tested by Wes Lambert and Pete Nelson.  Thanks, guys!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

You may need to Shift-Reload in your browser and/or empty your browser cache to ensure you're running the latest Squert JavaScript.

Monday, January 23, 2017

securityonion-elsa-extras - 20151011-1ubuntu1securityonion49 resolves an issue with recent MySQL updates

Ubuntu released new MySQL packages recently:
https://www.ubuntu.com/usn/usn-3174-1/

These packages contain some changes which prevented ELSA from creating new database tables.  I've updated our securityonion-elsa-extras package to set the newly required MySQL permissions and the new package version is as follows:
securityonion-elsa-extras - 20151011-1ubuntu1securityonion49

This should resolve the following issue:

securityonion-elsa-extras: new MySQL packages require changes to elsa user #1065
https://github.com/Security-Onion-Solutions/security-onion/issues/1065

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Friday, January 20, 2017

Latest MySQL packages may impact ELSA databases

Ubuntu released new MySQL packages yesterday:
https://www.ubuntu.com/usn/usn-3174-1/

These packages contain some changes which may impact ELSA databases.  It is recommended to not install these updates until we can confirm the extent of the changes and any workarounds necessary.

Updates will be posted here as they become available.

UPDATE 2017/01/20 5:00 PM Eastern:
A preliminary ELSA package update has been submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/xHmKLB8kNJg/discussion

UPDATE 2017/01/21 6:09 PM Eastern:
Adding a link to Issue 1065 for tracking:
https://github.com/Security-Onion-Solutions/security-onion/issues/1065

UPDATE 2017/01/23 6:13 AM Eastern:
Published updated ELSA package:
http://blog.securityonion.net/2017/01/securityonion-elsa-extras-20151011.html

Thursday, January 19, 2017

NetworkMiner 2.1 now available for Security Onion!

NetworkMiner 2.1 was released recently:
http://www.netresec.com/?page=Blog&month=2017-01&post=NetworkMiner-2-1-Released

I've packaged NetworkMiner 2.1 and the new package version is as follows:
securityonion-networkminer - 20170112-1ubuntu1securityonion1

This should resolve the following issue:

Issue 1060: NetworkMiner 2.1
https://github.com/Security-Onion-Solutions/security-onion/issues/1060

This package has been tested by Wes Lambert and Erik Hjelmvik.  Thanks, guys!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Wednesday, January 18, 2017

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion155 resolves an issue

The following package is now available:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion155

This new package should resolve the following issue:

NSM: avoid loading IDS rules twice #1062
https://github.com/Security-Onion-Solutions/security-onion/issues/1062

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Tuesday, January 17, 2017

Save the Date: Security Onion Conference 2017

Last year's Security Onion Conference was an overwhelming success!  Videos, slides, and pictures can be found here:
https://securityonion.net/conference

This year's Security Onion Conference will be held in Augusta GA on Friday September 15, 2017 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

We'll publish more details about the Security Onion Conference as they are finalized.

New ELSA packages add support for Bro rfb.log

The following packages are now available:
securityonion-elsa-extras - 20151011-1ubuntu1securityonion48
securityonion-web-page - 20141015-0ubuntu0securityonion72

These new packages should resolve the following issues:

Issue 1036: securityonion-elsa-extras: add pattern for Bro rfb.log
https://github.com/Security-Onion-Solutions/security-onion/issues/1036

Issue 1037: securityonion-web-page: add ELSA queries for Bro rfb.log
https://github.com/Security-Onion-Solutions/security-onion/issues/1037

These packages have been tested by Wes Lambert.  Thanks, Wes!

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Training
Security Onion Solutions provides onsite, online, and on-demand training.  For more information, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Support

Thanks!

Monday, January 16, 2017

securityonion-http-agent - 0.3.1-0ubuntu0securityonion7 resolves an issue

The following package is now available:
securityonion-http-agent - 0.3.1-0ubuntu0securityonion7

This new package should resolve the following issue:

securityonion-http-agent: update for Bro 2.5 #1058
https://github.com/Security-Onion-Solutions/security-onion/issues/1058

This package has been tested by Wes Lambert and Patrick Schilling.  Thanks, guys!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Thursday, January 12, 2017

securityonion-onionsalt - 20140917-0ubuntu0securityonion21 resolves an issue

The following package is now available:
securityonion-onionsalt - 20140917-0ubuntu0securityonion21

This new package should resolve the following issue:

Issue 1018: salt: use /etc/sudoers.d/ instead of directly editing /etc/sudoers
https://github.com/Security-Onion-Solutions/security-onion/issues/1018

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Wednesday, January 11, 2017

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion154 resolves an issue

The following package is now available:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion154

This new package should resolve the following issue:

Issue 1055: NSM: fix spelling error
https://github.com/Security-Onion-Solutions/security-onion/issues/1055

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Tuesday, January 10, 2017

securityonion-rule-update - 20151201-1ubuntu1securityonion10 resolves an issue

The following package is now available:
securityonion-rule-update - 20151201-1ubuntu1securityonion10

This new package should resolve the following issue:

Issue 1054: securityonion-rule-update: Restore stdout/stderr redirect in crontab
https://github.com/Security-Onion-Solutions/security-onion/issues/1054

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Monday, January 9, 2017

securityonion-sostat - 20120722-0ubuntu0securityonion69 resolves an issue

The following package is now available:
securityonion-sostat - 20120722-0ubuntu0securityonion69

This new package should resolve the following issues:

sostat: update location of sostat-interface in /var/ossec/etc/ossec.conf #1056
https://github.com/Security-Onion-Solutions/security-onion/issues/1056

sostat: sostat-redacted - change "Port" to "Port " #1057
https://github.com/Security-Onion-Solutions/security-onion/issues/1057

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Wednesday, January 4, 2017

Pulledpork, rule-update, and several other updates available for Security Onion!

The following packages are now available:
securityonion-menu - 20121026-0ubuntu0securityonion2
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion153
securityonion-pulledpork - 0.7.2-1ubuntu1securityonion4
securityonion-rule-update - 20151201-1ubuntu1securityonion9
securityonion-setup - 20120912-0ubuntu0securityonion233
securityonion-sguild-add-user - 20120726-0ubuntu0securityonion3
securityonion-sostat - 20120722-0ubuntu0securityonion67
securityonion-squert-cron - 20120722-0ubuntu0securityonion11
securityonion-sudoers - 20161221-1ubuntu1securityonion3

These new packages should resolve the following issues:

Issue 1017: PulledPork 0.7.2
https://github.com/Security-Onion-Solutions/security-onion/issues/1017

Issue 1034: securityonion-rule-update: update for PulledPork 0.7.2
https://github.com/Security-Onion-Solutions/security-onion/issues/1034

Issue 1035: Setup: update for PulledPork 0.7.2
https://github.com/Security-Onion-Solutions/security-onion/issues/1035

Issue 1040: securityonion-sudoers: remove secure_path
https://github.com/Security-Onion-Solutions/security-onion/issues/1040

Issue 1043: NSM: create /usr/sbin/broctl
https://github.com/Security-Onion-Solutions/security-onion/issues/1043

Issue 1044: sostat: use full path for bro-cut
https://github.com/Security-Onion-Solutions/security-onion/issues/1044

Issue 1042: Move scripts from /usr/bin/ to /usr/sbin/
https://github.com/Security-Onion-Solutions/security-onion/issues/1042

These packages have been tested by Wes Lambert and Rob Bardo.  Thanks!

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Release Notes
If you're behind a proxy, you may need to pass the -W option to PulledPork:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Proxy#pulledpork

UPDATE 2017-01-09: Added Release Notes regarding PulledPork's -W option.

Tuesday, January 3, 2017

Snort 2.9.9.0 now available for Security Onion!

Snort 2.9.9.0 was recently released:
http://blog.snort.org/2016/12/snort-2990-has-been-released.html

I've packaged it and the following package is now available:
securityonion-snort - 2.9.9.0-1ubuntu1securityonion1

This new package should resolve the following issue:

Issue 1031: Snort 2.9.9.0
https://github.com/Security-Onion-Solutions/security-onion/issues/1031

This package has been tested by Wes Lambert.  Thanks, Wes!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing snort.conf files to snort.conf.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your snort.conf file(s)
  • update ruleset and restart Snort as follows:
    sudo rule-update
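A check for the migration step above, and for the identical Suricata step in the February 21 post: an added example (not part of the Security Onion packages) that parses the variable definitions in a backed-up and a new snort.conf or suricata.yaml, confirms that HOME_NET and EXTERNAL_NET carried over, and lists the other variables you still need to re-apply by hand. The configs are constructed samples that use only the ipvar/portvar/var syntax of snort.conf and the address-groups/port-groups layout of suricata.yaml.

```python
import re

# Constructed sample configs: the .bak written by the update next to the new file.
OLD_SNORT = """\
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS [10.0.0.53]
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/nsm/rules
"""
NEW_SNORT = """\
# HOME_NET and EXTERNAL_NET were migrated, the rest came back as package defaults
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080,8000]
var RULE_PATH /etc/nsm/rules
"""
OLD_SURI = """\
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    DNS_SERVERS: "[10.0.0.53]"
  port-groups:
    HTTP_PORTS: "[80,8080]"
"""
NEW_SURI = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
"""

# snort.conf: "ipvar NAME value", "portvar NAME value" or "var NAME value"
SNORT_VAR = re.compile(r"^\s*(?:ipvar|portvar|var)\s+(\w+)\s+(.+?)\s*$")
# suricata.yaml: indented "NAME: value" entries under address-groups / port-groups
YAML_VAR = re.compile(r"^\s{2,}([A-Z][A-Z0-9_]*):\s*(.+?)\s*$")


def variables(text, kind):
    """Return {name: value} for every variable defined in a config.
    kind is 'snort' (snort.conf) or 'suricata' (suricata.yaml)."""
    pattern = SNORT_VAR if kind == "snort" else YAML_VAR
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip('"')
    return found


def migration_report(old_text, new_text, kind):
    """Compare the .bak with the new file: which of HOME_NET/EXTERNAL_NET made it
    across unchanged, and which other variables differ and must be re-applied."""
    old, new = variables(old_text, kind), variables(new_text, kind)
    migrated = {v: old.get(v) == new.get(v) for v in ("HOME_NET", "EXTERNAL_NET")}
    reapply = {k: v for k, v in old.items() if k not in migrated and new.get(k) != v}
    return {"migrated": migrated, "reapply": reapply}


if __name__ == "__main__":
    print("snort:   ", migration_report(OLD_SNORT, NEW_SNORT, "snort"))
    print("suricata:", migration_report(OLD_SURI, NEW_SURI, "suricata"))
```

On a real box, read the text from snort.conf.bak and snort.conf (or suricata.yaml.bak and suricata.yaml) for each sensor interface and run the report before re-applying anything.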
