Thursday, March 4, 2021

Suricata 5.0.6 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 2 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2021/02/2-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following update is now available for Security Onion 16.04!

securityonion-suricata - 5.0.6-1ubuntu1securityonion1

This update resolves the following issues:

Suricata 5.0.6 #1822
https://github.com/Security-Onion-Solutions/security-onion/issues/1822

Thanks

Thanks to the Suricata team for Suricata 5.0.6!

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Wednesday, March 3, 2021

10% Early Bird discount for 4-day Security Onion 2 Fundamentals for Analysts and Admins Training Class

We've scheduled the next run of our 4-day Security Onion 2 Fundamentals for Analysts and Admins training class!

Use promo code earlybird by April 1 to receive 10% off!

For more details and to register, please see:
http://securityonionsolutions.com/livetraining

If you have any questions, please use the Contact link on the bottom of the Eventbrite page.

Thanks!



Tuesday, March 2, 2021

Security Onion 2.3.30 now available!

Last October, we released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.30, which resolves a few issues:

https://docs.securityonion.net/en/2.3/release-notes.html#changes

A major focus in this release was automated testing:

  • Over 110,000 tests executed!
  • On nearly 1000 automated installations
  • Including 4 installation modes
  • Covering 3 distinct installation sources
  • Spanning 2 operating systems (Ubuntu, CentOS)
  • Between 2 network isolation modes
  • With 2 packet metadata processors
Security Issues

This release resolves a security issue:

Documentation

We've started migrating our documentation to 2.3:

https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:

https://blog.securityonion.net/2021/02/2-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

Security Onion 2.3.30 ISO Boot Menu

ISO Installation

ISO Installation Complete

After rebooting, login to start Setup

Setup Options

Choose the Setup type

Choose Standard or Airgap

Specify hostname

Setup now checks for the common hostname of "securityonion"

Select management NIC

Configure management NIC

Configure networking

Configure networking

Configure networking

Configure networking

Initialize networking

Configure HOME_NET

Create user account

Set password

Confirm password

Choose how you want to access the web interface

Optionally run so-allow

Specify IP address or range to allow through firewall

Confirm options

Setup complete

After rebooting and logging in, optionally run so-analyst-install

so-analyst-install complete

Enter username to login to desktop

Enter password to login to desktop

Analyst desktop

Analyst Install includes Chromium, NetworkMiner, Wireshark, and many other analysis tools

Log into Security Onion Console (SOC)


SOC Overview Page

Use so-import-pcap to import one or more pcap files

Use the hyperlink provided by so-import-pcap to view all alerts and logs

PCAP Overview

Download the pcap and open directly in NetworkMiner for file extraction

PCAP transcript

All this in a minimal VM with only 4GB RAM!


Thursday, February 25, 2021

Zeek 3.0.13 now available for Security Onion 16.04!

Zeek 3.0.13 was recently released and is a security update:
https://github.com/zeek/zeek/releases/tag/v3.0.13

The following updates are now available for Security Onion 16.04!

  • securityonion-bro - 3.0.13-1ubuntu1securityonion1 (Zeek 3.0.13)
  • securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion33
  • securityonion-bro-scripts - 20121004-0ubuntu0securityonion112

These updates should resolve the following issue:

Zeek 3.0.13 #1821
https://github.com/Security-Onion-Solutions/security-onion/issues/1821

Thanks

Thanks to the Zeek team for Zeek 3.0.13!

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Monday, February 22, 2021

Elastic Stack 7.10.2 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 2 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2021/02/2-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

Also please keep in mind that this is the last Elastic release under the Apache license. For more information about Elastic license changes, please see:
https://blog.securityonion.net/2021/02/elastic-license-changes-and-security.html

The following updates are now available for Security Onion 16.04!

  • securityonion-elastic - 20190510-1ubuntu1securityonion135
  • Elastic 7.10.2 Docker images

These updates should resolve the following issues:

Elastic 7.10.2 #1809
https://github.com/Security-Onion-Solutions/security-onion/issues/1809

Update Kibana dashboard hyperlinks to new url format #1810
https://github.com/Security-Onion-Solutions/security-onion/issues/1810

Delete old Logstash templates #1811
https://github.com/Security-Onion-Solutions/security-onion/issues/1811

Update Apache proxy for Elastic 7.10.2 #1812
https://github.com/Security-Onion-Solutions/security-onion/issues/1812

Update Kibana settings for 7.10.2 #1813
https://github.com/Security-Onion-Solutions/security-onion/issues/1813

Update Elastic auth settings for Elastic 7.10.2 #1817
https://github.com/Security-Onion-Solutions/security-onion/issues/1817

Test Elastic 7.10.2 #1816
https://github.com/Security-Onion-Solutions/security-onion/issues/1816

Thanks

Thanks to the Elastic team for Elastic 7.10.2!

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Wednesday, February 17, 2021

Snort 3 and Security Onion 2

Recently, the Snort team released Snort 3! We want to congratulate them on bringing their product to market after much anticipation from the community. We're long-time Snort fans here. Like many of you, we understand Snort's value in the open source network IDS community and, yes, many of our team have lots of cute cushy pigs on our desks!

One of our guiding principles for Security Onion is to encourage, foster, and champion free and open security tools with the goal of providing defenders necessary tools to win. Snort has been one of those tools since Security Onion’s inception in 2008 and is still in our most recent Security Onion 16.04 release. When we released Security Onion 2 in October 2020, it did not include Snort since much has changed in the last decade. We added Suricata to produce NIDS alerts as well as network metadata (previously only provided by Zeek/Bro), all in one multi-threaded application. Security Onion moved away from the unsigned kernel module PF_RING to AF_PACKET, which made integration with Snort 2 a significant challenge. Snort 3 continued in development for a fair bit of time, and represents a fundamental shift in how Snort and, by extension, its rules, work. With the explosive growth of Security Onion 2, our internal road map is stacked with priority items and so we’re not able to integrate Snort 3 right now. However, once we free up some cycles, we will see what it would take to integrate Snort 3.

We strive to bring the best product to market in order to shift the advantage from the adversaries to you in our user community. To that end, improvement of the user experience with data remains our current priority. As always, we value your input. Reach out to us on our Community Support Forum if you have questions or additional feedback.

Tuesday, February 16, 2021

2 month EOL notice for Security Onion 16.04

On 10/16/2020, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. We will not provide any support for Security Onion 16.04 after April 16, 2021.  Please plan to upgrade or replace any existing 16.04 systems before then. If you have existing installations of Security Onion 16.04, you can upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Monday, February 8, 2021

Elastic License Changes and Security Onion

Elastic License Changes

Elastic has finalized their new Elastic License v2:
https://www.elastic.co/blog/elastic-license-v2
https://www.elastic.co/licensing/elastic-license

For additional background, please see:
https://www.elastic.co/blog/licensing-change
https://www.elastic.co/pricing/faq/licensing
https://www.elastic.co/blog/license-change-clarification
https://www.elastic.co/blog/why-license-change-AWS

To summarize those articles, Elastic is changing their licensing and the Elastic Stack will no longer be available under the Apache license. Basic usage continues to be free, but source code will be dual licensed as either SSPL or Elastic License and binary packages will only be available under the Elastic License.

Here are some important points from https://www.elastic.co/blog/elastic-license-v2:

The Elastic License v2 (ELv2) is a very simple, non-copyleft license, allowing for the right to "use, copy, distribute, make available, and prepare derivative works of the software” and has only three high-level limitations. You cannot:

Provide the products to others as a managed service 

Circumvent the license key functionality or remove/obscure features protected by license keys 

Remove or obscure any licensing, copyright, or other notices

Security Onion and the Elastic Stack

Up until now, Security Onion has distributed the Apache-licensed version of the Elastic Stack by default and provided an option for users to accept the Elastic License and switch to the Features version. Starting in Elastic 7.11, there will be no more Apache version and so we will be distributing the Elastic version under the Elastic License.

We expect that the majority of our users will accept the Elastic License. Those that do will get more features than they previously had under the Apache license.

For those that can't accept the Elastic License or would prefer an open source license, we plan to investigate open source forks as they become available. If we find a suitable open source fork, then we will consider making it an option to users so that you can either accept our default of Elastic License or switch to an open source license.

Next Steps

We are planning releases for both Security Onion 16.04 and Security Onion 2 to include Elastic 7.10.2, which is currently the last version of the Elastic Stack available under the Apache license. We will then start working on integrating Elastic 7.11 into Security Onion 2 under the Elastic License.

Examples

  • If you're currently running Security Onion 16.04, then this shouldn't affect you immediately. Currently, we don't have any plans to make any Elastic licensing changes to Security Onion 16.04 since it reaches End of Life on 4/16/2021. However, you should plan to upgrade to Security Onion 2 soon.
  • If you're running Security Onion 2 using the current default of Apache-licensed Elastic, then a future update will ask if you want to accept the new Elastic License and, if so, you will then have the option to continue as a free user or upgrade to an Elastic paid plan.
  • If you're currently running Security Onion 2 and have manually switched to Elastic Features, then a future update will ask if you want to accept the new Elastic License and you can continue operating as you are today, either as a free user or upgrading to an Elastic paid plan.

Q&A

Does this Elastic License change affect Security Onion 16.04 or Security Onion 2?

This Elastic License change primarily affects Security Onion 2. Since Security Onion 16.04 reaches End of Life on 4/16/2021, we are planning for it to remain on Elastic 7.10.2 which is still under the Apache license. Once Elastic 7.11 is released, we will then start working towards integrating that into Security Onion 2.

Does this Elastic License change mean that Elastic now costs money?

No, if you accept the Elastic License, then you can continue using Elastic for free with the basic feature set.

Which Security Onion components are changing license?

Elastic components are changing to the Elastic License. All other Security Onion components remain under their existing open source licenses.

Is the Elastic License an OSI-approved open source license?

No, the Elastic License is not an OSI-approved open source license. This applies to both Elastic License v1 and Elastic License v2.

Is SSPL an OSI-approved open source license?

No, SSPL is not an OSI-approved open source license. 

Does SSPL apply to Security Onion?

No, SSPL only applies if you are working directly with the dual-licensed Elastic source code and explicitly choose SSPL instead of the Elastic license. Security Onion distributes binary packages, which will only be under the Elastic License and not SSPL.

Is Security Onion allowed to distribute Elastic under the Elastic License?

In 2019, Security Onion Solutions signed an agreement with Elastic allowing us to distribute Elastic Features under Elastic License v1. The new Elastic License v2 explicitly allows for distribution.

What if I have additional questions?

If you have questions specific to Security Onion 2, you can use our community discussions site:

https://securityonion.net/discuss

If you have questions specific to the Elastic License or SSPL, Elastic has published the following email address:

elastic_license@elastic.co


UPDATE 2021/02/10 - Improved the answer to "Does SSPL apply to Security Onion?"

Wednesday, January 27, 2021

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo

Yesterday, Qualys announced the discovery of a vulnerability in sudo:
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

Updated sudo packages are now available and we recommend that users install them as soon as possible. Please note that some Linux distributions may backport patches without incrementing the version number, so "sudo --version" may return the same version number even after you install the updated package.

Security Onion 16.04

If you're still running Security Onion 16.04, an updated sudo package is now available for Ubuntu 16.04 and you can install it with the standard update command:

sudo soup

As a reminder, please keep in mind that Security Onion 16.04 reaches End of Life in less than 3 months:
https://blog.securityonion.net/2021/01/3-month-eol-notice-for-security-onion.html

Security Onion 2

Updated sudo packages are now available for both Ubuntu 18.04 and CentOS 7. If you accepted the default option of automatic OS patching, then your installation has likely already updated. If you did not accept the automatic OS patch schedule, then you can manually install the update using the standard distribution update mechanism as follows.

If you installed using our Security Onion 2 ISO image or manually installed on CentOS 7:

sudo yum -y update 

If you manually installed on Ubuntu 18.04:

sudo apt update && sudo apt dist-upgrade


Thursday, January 21, 2021

3 month EOL notice for Security Onion 16.04

On 10/16/2020, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. We will not provide any support for Security Onion 16.04 after April 16, 2021.  Please plan to upgrade or replace any existing 16.04 systems before then. If you have existing installations of Security Onion 16.04, you can upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Tuesday, January 19, 2021

Security Onion Documentation printed book now available for Security Onion 2!

Many folks have asked for a printed version of our official online documentation and we're excited to provide that!  Whether you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.

Thanks to Richard Bejtlich for writing the inspiring foreword!

Proceeds go to the Rural Technology Fund!

This 20210107 edition has been updated for Security Onion 2 and includes a 30% discount code for our on-demand training!






This book covers the following Security Onion topics:

  • Getting Started
  • Security Onion Console (SOC)
  • Analyst VM
  • Network Visibility
  • Host Visibility
  • Logs
  • Updating
  • Accounts
  • Services
  • Customizing for Your Environment
  • Tuning
  • Tricks and Tips
  • Utilities

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print.  It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else!  Proceeds go to the Rural Technology Fund!  Finally, the printed book includes a 30% discount code for our on-demand training.

Who should get this book?

You should get this book if you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

What is the difference between this edition and the previous edition?

This edition has been updated for Security Onion 2!

Where do we get it?

The following URL will always take you to the latest version of the printed book at Amazon:

https://securityonion.net/book

Friday, January 15, 2021

Upcoming Elastic Licensing Changes

On Thursday 1/14/2021, Elastic announced some upcoming license changes:

https://www.elastic.co/blog/licensing-change

https://www.elastic.co/pricing/faq/licensing

On Tuesday 1/19/2021, Elastic released this additional information:

https://www.elastic.co/blog/license-change-clarification

https://www.elastic.co/blog/why-license-change-AWS

We are currently waiting for Elastic to finalize their changes to the Elastic license. We will provide more information when we have it.

Tuesday, December 29, 2020

Security Onion 2 in 2020 and 2021

As 2020 comes to a close, we want to thank you, our community, for your overwhelming response to Security Onion 2! Let’s talk about the journey of Security Onion 2 and the guiding principles that are going to carry us into the first half of 2021.

Since its release in October, Security Onion 2 has seen many improvements in reliability of the install process on a wider scope of hardware and configurations. Taking multiple Linux distributions, multiple kernel versions, and endless hardware configs, then making it all work with a single install script has been a hefty challenge. We have already successfully reduced installation issues and will continue to improve our setup process with every release.

Along with improving the reliability of the install process we have added several features to improve the usefulness of the product. Some of the major features delivered were:

  • Hunt interface specifically designed for threat hunting
  • Alerts module for managing and escalating alerts
  • Grid interface that allows visibility of all nodes in the grid
  • Multiple Elasticsearch clustering options

We have been delivering these features via our regular release cycle, which has been on a monthly cadence since RC1. We plan to keep that same pace in 2021, with the exception of January, when there will be no major feature releases. We will take some time to catch our breath as well as improve some of our testing capabilities. Currently, we dedicate at least a week for testing between feature freeze and production release. Much of this testing is done manually and the more of this that we can automate, the more time we can spend fixing bugs and bringing new features to Security Onion 2.

Here are our first three major feature goals for 2021:

  • bring playbook functionality directly into the Security Onion Console (SOC) web interface
  • bring case management functionality directly into SOC
  • continued improvement of our SOC Grid interface so that you can more easily manage and maintain your sensor grid

These features will not only simplify the user experience, but also reduce overall complexity. In order to accomplish these goals, you will also see us begin to add other features such as Role Based Access Control (RBAC). RBAC has been a highly requested feature and will enable better control of how data is presented to users in SOC. We have some other exciting features in this space which we will add to the roadmap as we finalize the design.

Again, we want to thank the community for your continued support in 2020. Security Onion remains free and open source because of you. Hardware appliances, training, and professional services drive our business and allow us to keep bringing you all these great features. We are really excited for what 2021 will bring! Have a safe and relaxing holiday season and a Happy New Year!


Wednesday, December 23, 2020

Security Onion 16.04.7.2 ISO image now available featuring Zeek 3.0.11, Suricata 5.0.5, Snort 2.9.17.0, Elastic 7.9.3, and more!

First, please note that Security Onion 16.04 reaches EOL in less than 4 months:
https://blog.securityonion.net/2020/12/4-month-eol-notice-for-security-onion.html

Instead of downloading this 16.04.7.2 ISO image, most users should be downloading the new Security Onion 2:
https://blog.securityonion.net/2020/12/security-onion-2321-now-available.html

Our Security Onion 16.04.7.2 ISO image is now available! This will most likely be the last Security Onion 16.04 ISO image!


Security Onion 16.04.7.2 Boot Menu

Major Changes Since Last 16.04 ISO Image

  • Zeek 3.0.11
  • Suricata 5.0.5
  • Snort 2.9.17.0
  • Elastic 7.9.3

Thanks

Thanks to Chris Morgret for testing this ISO image!

Package Updates

This release also includes the following updated packages:

pinguybuilder - 20180514-1ubuntu1securityonion25

These packages resolve the following issues:

pinguybuilder: increment version to 16.04.7.2 #1805
https://github.com/Security-Onion-Solutions/security-onion/issues/1805

Issues Resolved

For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/14

Release Notes

For more information about this release, please see:
https://docs.securityonion.net/en/16.04/release-notes.html

Installation Guide

We've updated the Installation guide to reflect the download locations for the new Security Onion 16.04 ISO image:
https://docs.securityonion.net/en/16.04/download.html

Existing Deployments

If you have existing Security Onion 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://docs.securityonion.net/en/16.04/upgrade.html

Documentation

You can find our documentation for Security Onion 16.04 here:
https://docs.securityonion.net/en/16.04/

Support

Need support for Security Onion 16.04?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Training

Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:
https://securityonionsolutions.com/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Thanks! 

Tuesday, December 22, 2020

Security Onion 2.3.21 now available!

We recently released Security Onion 2.3:

https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.21, which resolves a few issues:

https://docs.securityonion.net/en/2.3/release-notes.html#changes

Documentation

We've started migrating our documentation to 2.3:

https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:

https://blog.securityonion.net/2020/12/4-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Developing Your Detection Playbook class!

http://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

Security Onion 2.3.21 ISO Boot Menu


ISO Installer

ISO Install Complete

Welcome to Setup

Choose the Setup type

Choose Standard or Airgap

Set hostname

Select management NIC

Configure management NIC

Configure networking

Configure networking

Configure networking

Configure networking

Configure networking

Initialize networking

Configure HOME_NET

Create user account

Set password

Confirm password

Choose how you want to access the web interface

Optionally run so-allow

Specify IP address or range to allow through firewall

Confirm options

Setup complete

After rebooting and logging in, optionally run so-analyst-install

so-analyst-install complete

Enter username to login to GNOME

Enter password to login to GNOME

GNOME Desktop

Analyst Workstation includes Chromium, NetworkMiner, Wireshark, and many other analyst tools

Login to Security Onion Console (SOC)

SOC Overview Page

Use so-import-pcap to import one or more pcap files

Use the hyperlink provided by so-import-pcap to view all alerts and logs

SOC's right-click menu has been updated and now includes a new Correlate option to find related logs

Correlate found several related logs

PCAP overview

Download the pcap and open directly in NetworkMiner for file extraction

PCAP transcript

All this in a minimal VM with only 4GB RAM!