Monday, July 31, 2017

securityonion-setup - 20120912-0ubuntu0securityonion237 now available for Security Onion!

The following package is now available:
securityonion-setup - 20120912-0ubuntu0securityonion237

This package should resolve the following issue:

Issue 1113: so-allow/disallow: fix wrong number of arguments error
https://github.com/Security-Onion-Solutions/security-onion/issues/1113

Thanks
Thanks to Wes Lambert for submitting the pull request and testing the new package!

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Conference
Security Onion Conference will be on Friday September 15 in beautiful Augusta, GA!
https://securityonion.net/conference

Training
We have a 4-day Security Onion training class right before the Security Onion Conference in Augusta GA.  For this and other training options, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Friday, July 28, 2017

Towards Elastic on Security Onion: Technology Preview 3 (TP3)

UPDATED 2017/11/01! We've released a newer version!
http://blog.securityonion.net/2017/11/elastic-stack-beta-release-and-security.html

We recently announced the first two technology previews of the Elastic stack on Security Onion:
http://blog.securityonion.net/2017/03/towards-elk-on-security-onion.html
http://blog.securityonion.net/2017/06/towards-elastic-on-security-onion.html

We've made more progress, so it's time for our third technology preview (TP3)!

Changes from the last Technology Preview

  • upgraded from Elastic 5.4.0 to 5.5.0
  • added containers for ElastAlert, Curator, DomainStats, and FreqServer
  • each container logs to its own log directory in /var/log/
  • securityonion_elastic.sh now supports new installations in addition to upgrading ELSA installations
  • new and updated dashboards
  • added parsers for pfSense, sysmon, and autoruns logs
  • sostat now provides status for Elastic stack
  • Indicator dashboard now only searches the last 24 hours by default for better performance
Highlights of This Release




Endpoint Visibility - Autoruns

Endpoint Visibility - Autoruns (continued)
Endpoint Visibility - Autoruns (continued)
Endpoint Visibility - Sysmon
Endpoint Visibility - Sysmon (continued)
Firewall Logs

DNS Frequency Analysis

SSL Frequency Analysis

For more screenshots, please see the full Screenshot Tour at the end of this blog post.


Warnings and Disclaimers

  • This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This script is a work in progress and is in constant flux.
  • This script is intended to build a quick prototype proof of concept so you can see what our ultimate Elastic configuration might look like.  This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This script should only be run on a TEST box with TEST data!
  • This script is only designed for standalone boxes and does NOT support distributed deployments.
  • Use of this script may result in nausea, vomiting, or a burning sensation.

Enough disclaimers?  Let's do this!

Hardware Requirements

Start with a disposable TEST VM with the following minimum requirements:

  • 2 CPU cores
  • 8GB RAM
  • 20GB virtual hard drive
  • (1) management interface with full Internet access
  • (1) sniffing interface (separate from management interface)

Choose ELSA Migration or New Installation

Previous technology previews used a script called securityonion_elsa2elastic.sh which only supported migrating from an existing ELSA installation.  That script is now deprecated.  This technology preview now uses a script called securityonion_elastic.sh which supports not only migrating from an existing ELSA installation but also configuring new installations.

Scenario #1 - Migrate from ELSA to Elastic (as in previous Technology Previews)

  • Install Security Onion 14.04.5.2 ISO image
  • Run through existing version of Setup choosing Evaluation Mode to enable ELSA
  • Download the script:

    wget https://raw.githubusercontent.com/Security-Onion-Solutions/elastic-test/master/securityonion_elastic.sh
  • Run the script with sudo privileges:

    sudo bash securityonion_elastic.sh
  • Please read through all the WARNINGS and DISCLAIMERS and ONLY proceed if you agree.
  • The script will take at least 10 minutes depending on the speed of your hardware and Internet connection. 
  • Proceed to the Kibana section below.


Scenario #2 - Fresh Elastic installation
  • Install Security Onion 14.04.5.2 ISO image
  • Download the script:

    wget https://raw.githubusercontent.com/Security-Onion-Solutions/elastic-test/master/securityonion_elastic.sh
  • Run the script with sudo privileges:

    sudo bash securityonion_elastic.sh
  • Please read through all the WARNINGS and DISCLAIMERS and ONLY proceed if you agree.
  • This will in turn download the Elastic components and then prompt you to run Setup.
  • Run through both phases of Setup (configure network interfaces, reboot, and then run Setup again choosing Evaluation Mode).
  • Once Setup has completed, create some test data:

    sudo so-test


Accessing Kibana
Once you've completed the migration or installation as described above, open the Chromium web browser and go to:

https://localhost/app/kibana

You should then see our new Security Onion login window.  Enter the same credentials that you use to login to Sguil/Squert.  This login window will provide single sign on for Kibana, Squert, and CapMe to allow seamless pivoting to full packet capture!

Once logged into Kibana, you will automatically start on our Overview dashboard and you will see links to other dashboards as well.  As you search through the data in Kibana, you should see Bro logs,  syslog, and Snort alerts.  Logstash should have parsed out most fields in most Bro logs and Snort alerts.  Notice that the search panels at the bottom of the dashboards display the source_ip and destination_ip fields with hyperlinks.  These hyperlinks will take you to a dashboard that will help you analyze the traffic relating to that particular IP address.  UID fields are also hyperlinked.  Clicking on a UID hyperlink will start a new Kibana search for that particular UID.  In the case of Bro UIDs this will show you all Bro logs related to that particular connection.  Each log entry also has an _id field that is hyperlinked.  This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type!  This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log.

Previously, in Squert and Sguil, you could pivot from an IP address to ELSA.  Those pivots have been removed and replaced with a pivot to Kibana.

For screenshots, please see the Screenshot Tour at the bottom of this post.

Thanks
Special thanks to Justin Henderson for his work on the domainstats and freqserver integration in this release!

More Information
For more information about our Elastic integration, please see the Elastic page on our Wiki:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic

TODO
For the current TODO list, please see:
https://github.com/Security-Onion-Solutions/security-onion/issues/1095

Feedback
We're releasing this now because we want to get your feedback as early as possible in this project.  Please try it out and send your feedback to our mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

What do you think?

What works well?

What needs to be improved?

Any questions or other comments?

Thanks in advance for any and all feedback!

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Need Security Onion Training?
We offer both onsite and online training (although please note that Elastic will not be added to training classes until we reach a stable release):
https://securityonionsolutions.com/onsitetraining
https://securityonionsolutions.com/ondemandtraining

Conference
Our annual Security Onion Conference will be Friday September 15, 2017:
https://securityonion.net/conference

Hope to see you there!

Screenshot Tour
Overview Dashboard


Bro Notices Dashboard 
HIDS Alerts Dashboard (OSSEC)



NIDS Alerts Dashboard (Snort/Suricata)

Bro Connections Dashboard

Bro DCE/RPC Dashboard

Bro DHCP Dashboard

Bro DNP3 Dashboard

Bro DNS Dashboard 
Bro Files Dashboard



Bro FTP Dashboard

Bro HTTP Dashboard

Bro Intel Dashboard

Bro IRC Dashboard

Bro Kerberos Dashboard

Bro Modbus Dashboard

Bro MySQL Dashboard

Bro NTLM Dashboard

Bro PE Dashboard

Bro RADIUS Dashboard

Bro RDP Dashboard

Bro RFB Dashboard

Bro SIP Dashboard

Bro SMB Dashboard

Bro SMTP Dashboard

Bro SNMP Dashboard

Bro Software Dashboard

Bro SSH Dashboard

Bro SSL Dashboard

Bro Tunnels Dashboard 
Bro Weird Dashboard



Bro X.509 Dashboard

Autoruns Dashboard

Autoruns Dashboard (continued)

Autoruns Dashboard (continued) 

OSSEC Logs Dashboard 
Sysmon Dashboard



Sysmon Dashboard (continued)

Firewall Dashboard (pfSense logs)

Stats Dashboard

UPDATED 2017/07/29 - Added hyperlinks to wiki pages for Elastic, Curator, DomainStats, ElastAlert, and FreqServer.

Monday, July 17, 2017

Suricata 3.2.3 now available for Security Onion!

Suricata 3.2.3 was recently released:
https://suricata-ids.org/2017/07/13/suricata-3-2-3-available/

The following package is now available:
securityonion-suricata - 3.2.3-1ubuntu1securityonion1

This package should resolve the following issue:

Suricata 3.2.3 #1112
https://github.com/Security-Onion-Solutions/security-onion/issues/1112

Thanks
Thanks to the Suricata team for Suricata 3.2.3!
Thanks to Wes Lambert for testing the new package!

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Conference
Security Onion Conference will be on Friday September 15 in beautiful Augusta, GA!
https://securityonion.net/conference

Training
Need training?  Please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, July 10, 2017

securityonion-setup - 20120912-0ubuntu0securityonion236 now available for Security Onion!

The following package is now available:
securityonion-setup - 20120912-0ubuntu0securityonion236

This package should resolve the following issue:

Issue 1111: so-allow analyst mode should add IP address to OSSEC whitelist
https://github.com/Security-Onion-Solutions/security-onion/issues/1111

Thanks
Thanks to Wes Lambert for submitting the pull request and testing the new package!

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Conference
Security Onion Conference will be on Friday September 15 in beautiful Augusta, GA!
https://securityonion.net/conference

Training
Need training?  Please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Wednesday, July 5, 2017

Bro 2.5.1 now available for Security Onion!

Bro 2.5.1 was released recently:
http://blog.bro.org/2017/06/bro-251-released.html
https://www.bro.org/download/NEWS.bro.html
https://www.bro.org/download/CHANGES.bro.txt

The following packages are now available:

securityonion-bro - 2.5.1-1ubuntu1securityonion2
securityonion-bro-scripts - 20121004-0ubuntu0securityonion50

These new packages should resolve the following issues:

Issue 1109: Bro 2.5.1
https://github.com/Security-Onion-Solutions/security-onion/issues/1109

Issue 1052: Segmentation fault /opt/bro/bin/capstats
https://github.com/Security-Onion-Solutions/security-onion/issues/1052

Thanks
Thanks to Github user "bugcrash" for finding and reporting a segmentation fault in /opt/bro/bin/capstats!
Thanks to the Bro team for Bro 2.5.1!
Thanks to Wes Lambert for testing these new packages!

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Conference
Security Onion Conference will be on Friday September 15 in beautiful Augusta, GA!
https://securityonion.net/conference

Training
Need training?  Please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!