Upcoming Change to Elasticsearch Index Management for Multi-Node Deployments

Elasticsearch indices are managed by both the so-elasticsearch-indices-delete utility and Index Lifecycle Management (ILM). so-elasticsearch-indices-delete is primarily designed for single-node deployments (IMPORT, EVAL, and STANDALONE). Running it on a multi-node deployment with one or more search nodes has the possibility of getting into a corner case state where more data is deleted than intended. Because of this, we will disable this script on multi-node deployments in the upcoming 2.4.150 release. 

In the meantime, if you have a multi-node deployment then we HIGHLY recommend that you go ahead and manually disable this script. You can find this setting at Administration –> Configuration –> elasticsearch –> index_clean. You will also need to ensure that ILM is configured properly to delete indices before disk usage reaches the Elasticsearch watermark setting. Otherwise, Elasticsearch may stop ingesting new data.

For more information, please see:

https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management

Quick Malware Analysis: Kongtuke Web Inject pcap from 2025-04-04

Thanks to Brad Duncan for sharing this pcap from 2025-04-04 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.

We did a quick analysis of this pcap using Security Onion 2.4.141:

https://blog.securityonion.net/2025/03/security-onion-24141-now-available.html

If you'd like to follow along, you can do the following:

• install Security Onion 2.4.141 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using the SOC Grid interface:
  https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner
• optionally enable the DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net

Screenshots

First, we start with the overview of all alerts and logs:

Next, let's focus on just the alerts and we'll start with the CnC Checkin alert:

If we correlate this alert, then we see other alerts and logs that are associated:

Let's also pivot to PCAP to review the full TCP stream as a transcript:

Going back to the alerts, let's look at the Powershell User-Agent alerts:

For each of these four alerts, we'll correlate and then pivot to pcap. Starting with the first alert:

Pivoting to PCAP for the first Powershell alert:

Correlating the second Powershell alert:

Pivoting to PCAP for the second Powershell alert:

As we scroll down the PCAP transcript, we see the server responding with a powershell command:

We can send that Base64 string to CyberChef and decode it:

Correlating the third Powershell alert:

Pivoting to PCAP for the third Powershell alert:

Correlating the fourth Powershell alert:

Pivoting to PCAP for the fourth Powershell alert:

Now let's go back to alerts and look at the RAT SSL Cert alert:

Correlating we see the additional logs:

Pivoting to PCAP we can see some of the SSL Cert details:

Now let's review the Zeek network metadata:

We'll start with the software detected via user agent strings:

Next, we'll look at Zeek notices:

We'll then look at x509 logs related to SSL/TLS traffic:

Next, let's review HTTP logs:

Here are the files transferred via the network:

Here are the SSL/TLS connections:

Next, let's review the DNS lookups:

Finally, here are all of the network connections:

Security Onion 2.4.141 now available including several fixes!

We recently released Security Onion 2.4.140:

https://blog.securityonion.net/2025/03/security-onion-24140-now-available.html

Today, we are releasing Security Onion 2.4.141 which fixes a few issues:

https://docs.securityonion.net/en/2.4/release-notes.html

Known Issues

For a list of known issues, please see:

https://docs.securityonion.net/en/2.4/release-notes.html#known-issues

Existing 2.4 Installations

If you have an existing Security Onion 2.4 installation, you can update to the latest version using soup:

https://docs.securityonion.net/en/2.4/soup.html

Before updating your production deployment, we highly recommend testing the upgrade process on a test deployment that closely matches your production deployment if possible. This is especially important for releases that update components like Salt and Elastic.

New Installations

If this is your first time installing Security Onion 2.4, then we highly recommend starting with an IMPORT installation as shown at:

https://docs.securityonion.net/en/2.4/first-time-users.html

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown at:

https://docs.securityonion.net/en/2.4/architecture.html

Documentation

You can find our online documentation here:

https://docs.securityonion.net/en/2.4/

Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the 2.4 category at our Discussions site:

https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

Security Onion Pro

We recently celebrated 10 years in business by announcing Security Onion Pro:

https://blog.securityonion.net/2024/07/celebrating-10-years-of-security-onion.html

Security Onion Pro includes many enterprise features that folks have been asking for:

• Active Query Management
• External API
• Open ID Connect (OIDC)
• Data at Rest Encryption
• FIPS for the OS
• DoD STIG for the OS
• External Notifications in SOC
• Time Tracking inside of Cases
• Guaranteed Message Delivery

You can read more about these enterprise features at:

https://securityonion.com/pro

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

https://securityonion.net/training

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

https://docs.securityonion.net/en/2.4/first-time-users.html