Wednesday, April 23, 2014

Only 1 week left to register for Security Onion class in Houston TX!

Want to learn more about Security Onion?  Sign up for the new and expanded 2-day class in Houston TX!

The registration deadline is April 30, so there is only 1 week left to register!

Here's a discount code good for $100 off:
lastminute52949

For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Tuesday, April 22, 2014

New securityonion-setup package

I've updated our securityonion-setup package to resolve an issue.

The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion103

This new package has been tested by the following (thanks!):
David Vasil
David Zawdie

Issues Resolved
Issue 524: Setup should test connection to master server using ssh instead of nc
https://code.google.com/p/security-onion/issues/detail?id=524

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Only a few days left to sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, April 21, 2014

New securityonion-onionsalt package

I've updated our securityonion-onionsalt package to improve NIDS and HIDS updates.  Please see the updated OnionSalt page on our Wiki:
https://code.google.com/p/security-onion/wiki/Salt

The updated package version is as follows:
securityonion-onionsalt - 20130817-0ubuntu0securityonion10

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved
Issue 519: onionsalt: improve ids/bro/ossec updates
https://code.google.com/p/security-onion/issues/detail?id=519

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Only a few days left to sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, April 16, 2014

Only 2 weeks left to register for Security Onion class in Houston TX!

Want to learn more about Security Onion?  Sign up for the new and expanded 2-day class in Houston TX!

The registration deadline is April 30, so there are only 2 weeks left to register!

Here's a discount code good for $100 off:
lastminute52949

For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Tuesday, April 15, 2014

New securityonion-nsmnow-admin-scripts package resolves several issues

I've updated our securityonion-nsmnow-admin-scripts package to resolve several issues.  The updated package version is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion72

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie
inuk-x

Issues Resolved

Issue 501: /etc/init/securityonion.conf needs to check that variables were only declared once
https://code.google.com/p/security-onion/issues/detail?id=501

Issue 516: Update sysctl settings
https://code.google.com/p/security-onion/issues/detail?id=516

Issue 518: NSM scripts: run "broctl install" when (re)starting Bro
https://code.google.com/p/security-onion/issues/detail?id=518

Issue 520: Configure /etc/ssh/sshd_config with ClientAliveInterval 60 and ClientAliveCountMax 3
https://code.google.com/p/security-onion/issues/detail?id=520

Issue 521: Replace test.com domain in /etc/nsm/ossec/ossec_agent.conf
https://code.google.com/p/security-onion/issues/detail?id=521

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, April 2, 2014

Tuesday, April 1, 2014

New securityonion-web-page package adds a BRO_FTP query and some BRO_INTEL queries

I've updated our securityonion-web-page package to add a BRO_FTP query and also some BRO_INTEL queries for our recently added BRO_INTEL parsers:
http://blog.securityonion.net/2014/03/new-securityonion-elsa-extras-and.html

The updated package version is as follows:
securityonion-web-page - 20120722-0ubuntu0securityonion21

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 506: securityonion-web-page: add FTP command query
https://code.google.com/p/security-onion/issues/detail?id=506

Issue 507: securityonion-web-page: add queries for BRO_INTEL
https://code.google.com/p/security-onion/issues/detail?id=507

Screenshots
FTP: Top Commands - group all FTP logs by FTP command

Drilling into FTP STOR command to look for data exfil

Intel: Top SRC IPs - group all Intel logs by source IP address

Intel: Top DST IPs - group all Intel logs by destination IP address

Intel: Top DST Ports - group all Intel logs by destination port

Intel: Top Indicators - group all Intel logs by indicator

Intel: Top Indicator Types - group all Intel logs by indicator type

Intel: Top Sources - group all Intel logs by source

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, March 31, 2014

New securityonion-setup package

I've updated our Setup package to resolve a few issues.

The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion101

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 485: sosetup-network: mention MTU and other custom config can be
manually added to /etc/network/interfaces
https://code.google.com/p/security-onion/issues/detail?id=485

Issue 499: sosetup-network: fix backup path in /etc/network/interfaces
https://code.google.com/p/security-onion/issues/detail?id=499

Issue 511: sosetup-network: management interface selection should be a radiolist
https://code.google.com/p/security-onion/issues/detail?id=511

Issue 489: sosetup: capture rmmod output
https://code.google.com/p/security-onion/issues/detail?id=489

Issue 479: sosetup: should verify that it can resolve server hostname
before trying to connect
https://code.google.com/p/security-onion/issues/detail?id=479

Issue 496: sosetup: VRT policy screen should be a radiolist
https://code.google.com/p/security-onion/issues/detail?id=496

Issue 514: sosetup: fix df /nsm check
https://code.google.com/p/security-onion/issues/detail?id=514

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, March 20, 2014

New securityonion-elsa-extras and securityonion-elsa-node-perl packages

Scott Runnels has updated two of our ELSA packages to resolve a couple of issues.  Thanks, Scott!

The updated packages are as follows:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion41
securityonion-elsa-node-perl - 20130819-0ubuntu0securityonion3

These new packages have been tested by the following (thanks!):
David Zawdie
Matt Gregory
JP Bourget

Issues Resolved
Issue 502: securityonion-elsa-node-perl: add libtext-csv-perl as a dependency
https://code.google.com/p/security-onion/issues/detail?id=502

Issue 503: securityonion-elsa-extras: parsers for BRO_INTEL feed
https://code.google.com/p/security-onion/issues/detail?id=503

Screenshots

Show all entries in Bro's intel.log grouped by indicator

Drilling into an indicator

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, March 12, 2014

New securityonion-sostat package

Jon Schipp submitted some patches for soup (thanks Jon!) and I updated sostat to resolve a few issues.  The new package is securityonion-sostat - 20120722-0ubuntu0securityonion21 and it has been tested by Matt Gregory and David Zawdie (thanks!).

Issues Resolved
Issue 481: soup: Add skip interactive option
https://code.google.com/p/security-onion/issues/detail?id=481

Issue 494: sostat should display ELSA v_indexes
https://code.google.com/p/security-onion/issues/detail?id=494

Issue 497: sostat should ignore "Cannot set NIC flags!" in netsniff-ng.log
https://code.google.com/p/security-onion/issues/detail?id=497

Issue 508: sostat should include full process output but exclude usernames
https://code.google.com/p/security-onion/issues/detail?id=508

Screenshots
sostat now includes ELSA Index Date Range

soup now has options

sostat now includes expanded process output but excludes usernames

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Tuesday, March 11, 2014

New securityonion-rule-update package

I've updated our securityonion-rule-update package to resolve an issue.  The new package is securityonion-rule-update - 20120726-0ubuntu0securityonion12 and it has been tested by David Zawdie (thanks!).

Issues Resolved
Issue 505: rule-update: check to see if barnyard and IDS engine are enabled
https://code.google.com/p/security-onion/issues/detail?id=505

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, March 10, 2014

New securityonion-web-page package updates OSSEC and DNS Queries

I've updated our securityonion-web-page package to resolve a few issues.  The new package is securityonion-web-page - 20120722-0ubuntu0securityonion19 and it has been tested by Matt Gregory (thanks!).

Issues Resolved
Issue 495: securityonion-web-page: OSSEC logs query should exclude MARK
https://code.google.com/p/security-onion/issues/detail?id=495

Issue 498: securityonion-web-page: add DNS IXFR query
https://code.google.com/p/security-onion/issues/detail?id=498

Release Notes
Previously, we added a "DNS - Zone Transfers" query that would look for full zone transfers (AXFR):
http://blog.securityonion.net/2014/02/new-securityonion-web-page-package-adds_19.html

This new package updates that query to also look for incremental zone transfers (IXFR) and group the results by the source IP address:
class=BRO_DNS proto="tcp" "axfr" OR "ixfr" groupby:srcip

The "Host Logs - All OSSEC Logs" query should now exclude any OSSEC --MARK-- logs as follows:
class=none program="ossec_archive" "2014" -"packets_received" -"--MARK--"
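The zone-transfer query above is an ELSA search over Bro's dns.log. As an added illustration that is not part of the securityonion-web-page package, the Python below applies the same filter directly to a constructed dns.log excerpt: keep TCP queries whose qtype_name is AXFR or IXFR, count them per source IP, and then flag any source that is not a known secondary name server. The field names are assumed to match the Bro 2.2 dns.log header.

```python
import collections
from typing import Dict, Iterable, List

# Constructed excerpt of a Bro 2.2 dns.log (tab-separated ASCII format with
# Bro's "#fields" header). Field names are assumed to follow Bro 2.2; the
# addresses, uids and timestamps are made up for this example.
SAMPLE_DNS_LOG = """#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqtype\tqtype_name
1393000001.100\tCabc1\t10.1.1.5\t51000\t10.1.1.53\t53\tudp\t1\twww.example.org\t1\tA
1393000002.200\tCabc2\t10.1.1.7\t51001\t10.1.1.53\t53\ttcp\t2\texample.org\t252\tAXFR
1393000003.300\tCabc3\t10.1.1.7\t51002\t10.1.1.53\t53\ttcp\t3\texample.org\t251\tIXFR
1393000004.400\tCabc4\t10.1.1.9\t51003\t10.1.1.53\t53\tudp\t4\texample.org\t252\tAXFR
1393000005.500\tCabc5\t192.0.2.44\t51004\t10.1.1.53\t53\ttcp\t5\texample.org\t252\tAXFR
"""

# Query types that represent full (AXFR) and incremental (IXFR) zone transfers.
ZONE_TRANSFER_QTYPES = {"AXFR", "IXFR"}


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's ASCII log format into a list of dicts keyed by the #fields header.

    Lines starting with '#' are metadata; only '#fields' is consumed, to learn
    the column names. Every data line must have exactly that many columns.
    """
    fields = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count %d does not match header %d" % (len(values), len(fields)))
        records.append(dict(zip(fields, values)))
    return records


def zone_transfers_by_srcip(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Equivalent of: class=BRO_DNS proto="tcp" "axfr" OR "ixfr" groupby:srcip

    Zone transfers are carried over TCP, so AXFR/IXFR lookups seen over UDP are
    dropped, matching the proto="tcp" term of the ELSA query.
    """
    counts: collections.Counter = collections.Counter()
    for r in records:
        if r.get("proto") == "tcp" and r.get("qtype_name", "").upper() in ZONE_TRANSFER_QTYPES:
            counts[r["id.orig_h"]] += 1
    return dict(counts)


def unexpected_transfer_sources(counts: Dict[str, int], authorized_secondaries: Iterable[str]) -> Dict[str, int]:
    """Keep only sources that are not known secondary name servers.

    A legitimate secondary pulls zones from its master routinely; any other
    host requesting a transfer is worth a look, so this is the review list.
    """
    allowed = set(authorized_secondaries)
    return {ip: n for ip, n in counts.items() if ip not in allowed}


if __name__ == "__main__":
    per_src = zone_transfers_by_srcip(parse_bro_log(SAMPLE_DNS_LOG))
    for ip, n in sorted(per_src.items()):
        print("%-15s %d" % (ip, n))
    # 10.1.1.7 is the constructed "known secondary"; 192.0.2.44 is not.
    print("review:", unexpected_transfer_sources(per_src, ["10.1.1.7"]))
```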

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, March 6, 2014

Expanded 2-Day Security Onion Training Class in Houston TX 5/8 - 5/9

Want to learn more about Security Onion?  Sign up for the new and expanded 2-day class in Houston TX!  If you sign up before March 31, you can use the following promo code for $100 off!
earlybird46099

For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Friday, February 28, 2014

Security Onion 12.04.4 ISO image now available

We have a new Security Onion 12.04.4 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of February 21, 2014!

Changes since 12.04.3 ISO

The new 12.04.4 ISO image has all Ubuntu and Security Onion updates as of 2/21 including:

  • Linux kernel 3.2.0-59
  • Snort 2.9.5.6
  • Suricata 1.4.7
  • Bro 2.2
  • ELSA 1.5
  • Squert 1.2.0
  • CapMe
  • securityonion-web-page (ELSA query page at https://onion/elsa)
  • Setup
  • sostat
  • NSM scripts
  • ET ruleset (/etc/nsm/rules/downloaded.rules)

Changes in the ISO Image Itself

The new 12.04.4 ISO image resolves a few issues in the ISO image itself:

  • boot menu: the Install option never really worked right and has now been removed so that folks will choose one of the Live options that allow them to Install but also allow them to check hardware and read the README
  • boot menu: added "nomodeset" option since some folks needed that to boot on certain video chipsets
  • after choosing an option on the boot menu, the Xubuntu boot progress indicator has been replaced with a Security Onion boot progress indicator
  • unnecessary shortcuts have been removed from the Live desktop so that users don't try to run Setup before running the Installer
  • previously, if you ran "sudo service nsm status" before running Setup, you'd get an error message.  This has been resolved.
  • salt-master and salt-minion were previously enabled on ISO boot, which resulted in lots of DNS lookups for "salt".  They are now disabled by default (you can still enable them during Setup of course).
  • byobu is now included by default:
    https://help.ubuntu.com/community/Byobu

In short, it's the best release ever!

Screenshots
Boot menu (Install option has been removed and replaced with "nomodeset" option)

Security Onion boot progress indicator

Removed extraneous icons from Live desktop

Byobu is now installed by default

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.4 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.  Here's the MD5 for this release:
4107d6b6c469b27014da7ce26f249e5e

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.4 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Thanks

Thanks to George Jones for creating the torrent for the new ISO image!

Thanks to the following for testing the new ISO image!
Matt Gregory
David Zawdie
Heine Lysemose
JP Bourget

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Training
There will be a 2-day Security Onion class in Houston on May 8-9.  Stay tuned for further details!

Friday, February 21, 2014

New securityonion-squert package updates to Squert 1.2.0

Paul Halliday recently released Squert 1.2.0:
http://www.squertproject.org/
https://github.com/int13h/squert

He also recorded a couple of videos showcasing some of the new features recently added to Squert:
Changes v1.1.6: http://www.youtube.com/watch?v=_eheJv0MJDY
Changes v1.1.9: http://www.youtube.com/watch?v=QkgrigopfQA

I've packaged Squert 1.2.0 as securityonion-squert - 20140216-0ubuntu0securityonion2 and the package has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
Matt Gregory

Issues Resolved

Issue 448: When changing time zone in Squert, it needs to revert to UTC when requesting transcripts
https://code.google.com/p/security-onion/issues/detail?id=448

Release Notes

  • When you update the package, it will copy new files into place and then display "Updating database".  Please do not cancel or interrupt this process.
  • You no longer have to hardcode your Sguil credentials in config.php.
  • You may need to Shift-Reload in your browser and/or empty browser cache to ensure you're running the latest Squert javascript.
  • Timestamps are displayed in UTC by default, but you can change this by clicking the arrows to the right of the timeline.  De-select UTC, then specify your local timezone offset.  Then click the "save TZ" button to save your preference into the database and click "Update" to refresh the page with the new timestamps.

Screenshots
Do not cancel or interrupt the database update

Events tab

GeoIP mapping

Pivoting on an event and requesting a TCP transcript with the TX button

Summary tab

Views tab

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, February 20, 2014

New securityonion-capme package checks for active pcap_agent

I've updated the securityonion-capme package to check for active pcap_agents.  This will provide a more helpful error message for folks who forgot to enable netsniff-ng and pcap_agent and then tried to pivot to CapMe for full packet capture.

The updated package version is securityonion-capme - 20121213-0ubuntu0securityonion18 and it has been tested by the following (thanks!):
Heine Lysemose
Matt Gregory
David Zawdie

Issues Resolved

Issue 475: CapMe should check for active pcap_agent
https://code.google.com/p/security-onion/issues/detail?id=475

Screenshots
CapMe checks for active pcap_agent

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, February 19, 2014

New securityonion-web-page package adds ELSA query to show DNS zone transfers

I've updated the securityonion-web-page package to add an ELSA query that will show DNS zone transfers.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion18 and it has been tested by the following (thanks!):
Heine Lysemose

Issues Resolved

Issue 487: securityonion-web-page: add DNS zone transfer query
https://code.google.com/p/security-onion/issues/detail?id=487

Screenshots

DNS: Zone Transfers - shows any DNS AXFR requests over TCP

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, February 13, 2014

New securityonion-elsa-extras package properly randomizes apikey on master server

Scott Runnels has updated the securityonion-elsa-extras package to properly randomize the ELSA apikey on the master server.  Thanks, Scott!

The updated package version is securityonion-elsa-extras - 20131117-1ubuntu0securityonion36 and it has been tested by the following (thanks!):
Michal Purzynski
David Zawdie

Issues Resolved
Issue 478: securityonion-elsa-extras: randomize API key in master's elsa_web.conf
https://code.google.com/p/security-onion/issues/detail?id=478

Release Notes
When the new package installs, it will check /etc/elsa_web.conf to see if you have an apikey set to the default of "1".  If so, it will automatically replace that default apikey with a properly randomized apikey.  You'll then need to restart Apache to make the change take effect:
sudo service apache2 restart

Please be reminded that the management interface of your master server (where the ELSA web interface runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
https://code.google.com/p/security-onion/wiki/Firewall
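As an added illustration of the check described above (this is not the package's own postinst script), the Python below reads an ELSA web config, replaces any apikey still set to the default "1" with a key from the operating system's CSPRNG, and leaves deliberately set keys alone. It assumes /etc/elsa_web.conf is JSON with an "apikeys" object mapping user names to keys; the file path is passed in rather than hardcoded.

```python
import json
import os
import stat
import secrets
from typing import Dict, List, Tuple

# The insecure default the package looks for in /etc/elsa_web.conf.
DEFAULT_APIKEY = "1"

# Constructed sample config. The {"apikeys": {"user": "key"}} layout is an
# assumption about elsa_web.conf made for this example.
SAMPLE_CONFIG = '{"apikeys": {"elsa": "1", "analyst": "k3ep-this-one"}, "peers": {}}'


def get_apikeys(config_text: str) -> Dict[str, str]:
    """Return the apikeys mapping from a JSON config (empty if absent)."""
    return dict(json.loads(config_text).get("apikeys", {}))


def has_default_apikey(config_text: str) -> bool:
    """True if any configured apikey is still the default value."""
    return any(key == DEFAULT_APIKEY for key in get_apikeys(config_text).values())


def randomize_default_apikeys(config_text: str, nbytes: int = 16) -> Tuple[str, List[str]]:
    """Return (new_config_text, users_whose_key_was_rotated).

    Only keys equal to DEFAULT_APIKEY are replaced; a key the administrator set
    on purpose is preserved. secrets.token_hex gives 2*nbytes hex characters
    from the OS CSPRNG, which is what "properly randomized" should mean here.
    """
    cfg = json.loads(config_text)
    apikeys = cfg.setdefault("apikeys", {})
    rotated: List[str] = []
    for user, key in apikeys.items():
        if key == DEFAULT_APIKEY:
            apikeys[user] = secrets.token_hex(nbytes)
            rotated.append(user)
    return json.dumps(cfg, indent=2), rotated


def rotate_config_file(path: str) -> List[str]:
    """Apply randomize_default_apikeys to a file in place, atomically.

    The rewritten file keeps the original file mode so a config that was
    restricted to root stays restricted. Returns the list of rotated users;
    the caller then restarts Apache so ELSA re-reads the config.
    """
    with open(path) as f:
        new_text, rotated = randomize_default_apikeys(f.read())
    if rotated:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            f.write(new_text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # atomic swap: no window with a half-written config
    return rotated


if __name__ == "__main__":
    new_text, rotated = randomize_default_apikeys(SAMPLE_CONFIG)
    print("rotated:", rotated)
    print(new_text)
```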

Screenshots
BEFORE new package - apikey defaulted to 1

Installing new package, which will automatically check for default apikey and randomize if necessary

AFTER new package - apikey is now properly randomized

Restarting Apache to make change in /etc/elsa_web.conf take effect

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, February 12, 2014

Table of Contents added to Wiki

I've added a Table of Contents page to our Wiki and made it the Sidebar for all pages in the Wiki. You can see it on the left side of the screenshot below. Hopefully, this helps organize our various Wiki pages in a more logical manner and helps you find what you're looking for faster.

Table of Contents added as Sidebar
Please take a look and let us know what you think!

https://code.google.com/p/security-onion/wiki/TableOfContents

Tuesday, February 11, 2014

New securityonion-setup package resolves several issues

I've updated the securityonion-setup package to resolve several issues.  The updated package version is securityonion-setup - 20120912-0ubuntu0securityonion99 and it has been tested by the following (thanks!):
Matt Gregory
David Zawdie
JP Bourget

Issue 463: sosetup: prompt for ELSA log_size_limit
https://code.google.com/p/security-onion/issues/detail?id=463

Issue 470: sosetup: Add verbiage to ELSA screen about running on sensors
https://code.google.com/p/security-onion/issues/detail?id=470

Issue 474: sosetup: increase default query_timeout in /etc/elsa_web.conf
https://code.google.com/p/security-onion/issues/detail?id=474

Issue 388: sosetup: configure MySQL to create an innodb file per table to prevent ibdata1 growing indefinitely
https://code.google.com/p/security-onion/issues/detail?id=388

Issue 416: sosetup: increase default MySQL open-files-limit
https://code.google.com/p/security-onion/issues/detail?id=416

Screenshots

Setup now prompts for ELSA log_size_limit

Setup sets ELSA log_size_limit as requested by user

Setup now sets ELSA query_timeout to 10000

Setup now configures MySQL with better defaults

MySQL now creates an innodb file per table

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, February 10, 2014

New securityonion-sostat package provides more data for monitoring ELSA

I've updated the securityonion-sostat package to redact IPv6/MAC addresses and also increase verbosity for monitoring ELSA.  The updated package version is securityonion-sostat - 20120722-0ubuntu0securityonion20 and it has been tested by the following (thanks!):
Matt Gregory
David Zawdie

Issue 471: sostat-redacted should redact IPv6 and MAC addresses
https://code.google.com/p/security-onion/issues/detail?id=471
(thanks to Steve Fennell and BBCan177 for the patches!)

Issue 476: sostat: add verbosity for troubleshooting ELSA
https://code.google.com/p/security-onion/issues/detail?id=476

Screenshots
sostat-redacted now redacts IPv4, IPv6, and MAC addresses

Additional ELSA info from a master server

Additional ELSA info from a sensor

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Saturday, February 8, 2014

New securityonion-web-page package adds ELSA query to show connections grouped by node

I've updated the securityonion-web-page package to add an ELSA query that will group connections by node.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion15 and it has been tested by the following (thanks!):
JP Bourget

Issues Resolved

Issue 477: ELSA menu should include BRO_CONN groupby:node
https://code.google.com/p/security-onion/issues/detail?id=477

Screenshots

Connections: Grouped by Node - shows how many connections each sensor is seeing

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, January 21, 2014

Snort 2.9.5.6 and Suricata 1.4.7 packages now available!

The following software was recently released:

Snort 2.9.5.6
http://blog.snort.org/2013/11/snort-2956-is-now-available-on-snortorg.html

Suricata 1.4.7
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/184--suricata-147-released

I've packaged these new releases and the new packages have been tested by JP Bourget and David Zawdie.  Thanks, guys!

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata

You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:
    sudo rule-update

Release Notes
Snort is now compiled with --enable-sourcefire.

Screenshots
"sudo soup" upgrade process
Snort 2.9.5.6 and Suricata 1.4.7

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Sunday, January 12, 2014

New securityonion-sostat package available

I've packaged a new version of sostat that resolves the following issue:

Issue 461: sostat: improve pf_ring output
https://code.google.com/p/security-onion/issues/detail?id=461

The version number of the new package is securityonion-sostat - 20120722-0ubuntu0securityonion13 and it has been tested by the following (thanks!):
David Zawdie

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshot
PF_RING section of sostat output

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Saturday, January 11, 2014

New securityonion-web-page package adds SSH country and status links

I've updated our recently released securityonion-web-page package to add links that will group SSH connections by country and status.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion14.

Issues Resolved

Issue 469: securityonion-web-page: add SSH queries for country and status
https://code.google.com/p/security-onion/issues/detail?id=469

Screenshots
SSH: Top Countries - SSH connections grouped by country code

SSH: Status - Bro heuristically determines if an SSH login attempt succeeded

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, January 10, 2014

New securityonion-web-page package fixes the ELSA Tunnel query

I've updated our recently released securityonion-web-page package to fix the ELSA Tunnel query.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion13.

Issues Resolved

Issue 466: securityonion-web-page: change elsa/menu.php to fix Tunnel query
https://code.google.com/p/security-onion/issues/detail?id=466

Screenshots
Tunnels: Top Tunnels shows the tunnels detected by ELSA

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Wednesday, January 8, 2014

New securityonion-web-page package available

I've updated our securityonion-web-page package.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion12 and has been tested by David Zawdie.

Issues Resolved

Issue 455: securityonion-web-page: update hyperlink
https://code.google.com/p/security-onion/issues/detail?id=455

Issue 456: securityonion-web-page: add example ELSA queries
https://code.google.com/p/security-onion/issues/detail?id=456

This package adds a new URL (https://your.security.onion.hostname/elsa/) that includes a menu on the left with some common ELSA queries.

Screenshots
Connections: Top SRC IPs - Top Source IP Addresses in Bro's conn.log

Connections: Top DST Ports - Top Destination Ports in Bro's conn.log

Connections: Top Services - Top Services Identified in Bro's conn.log

Connections: Port 53 groupby Service - Top Services Identified on Port 53 in Bro's conn.log

DHCP: Top Assigned IPs - Top Assigned IP Addresses seen in Bro's dhcp.log

DNS: Top Requests - Top DNS Requests seen in Bro's dns.log

DNS: Top nxdomain - Top nxdomain Responses seen in Bro's dns.log

Files: MIME Types - Top MIME Types seen in Bro's files.log

Files: Sources - Top Protocol Sources in Bro's files.log

FTP: Top arg - FTP Transactions in Bro's ftp.log

Host Logs: OSSEC Alerts - HIDS Alerts from OSSEC

Host Logs: All OSSEC Logs - Raw Logs from OSSEC (not HIDS Alerts)

Host Logs: Syslog-NG - Standard Syslog received by Syslog-NG

Host Logs: Syslog Detected by Bro - Syslog detected by Bro and logged to syslog.log

HTTP: Top User Agents - Top HTTP User Agents in Bro's http.log

HTTP: Top Sites - Top HTTP Sites in Bro's http.log

HTTP: Sites hosting EXEs - Sites hosting EXEs in Bro's http.log

Notice: Top Notice Types - Top Notice Types found in Bro's notice.log

SMTP: Top Subjects - Top Email Subject Lines in Bro's smtp.log

Snort/Suricata: Top Snort Alerts - Top IDS Alerts from Snort or Suricata

Software: Software Detected by Bro - Top Software Types found in Bro's software.log

Weird: Top Weird Types - Top Traffic Anomalies found in Bro's weird.log

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!