Thursday, June 10, 2021

Security Onion 2.3.52 Hotfix available!

Security Onion Solutions recently released Security Onion 2.3.52. Today, we are releasing a hotfix (SALTYSOUP) that resolves an issue that some users experienced when trying to update older installations. The conditions for the issue are as follows:

  • Security Onion 2.3.21 or lower
  • CentOS-based installation (using CentOS ISO image or our Security Onion ISO image)
  • Internet-connected (not airgapped)

If your installation meets those criteria and you had an issue running "soup", you should be able to run it successfully now.

Documentation

You can find our documentation here:
https://docs.securityonion.net/en/2.3/

Documentation is always a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

AWS Marketplace

For new Security Onion 2 installations, version 2.3.52 is available on AWS Marketplace via the official Security Onion 2 AMI:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210610

AMI Documentation:
https://securityonion.net/docs/cloud-ami

Existing Security Onion 2 AMI users should use the "soup" command to upgrade:
https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

As a reminder, Security Onion 16.04 has reached End Of Life (EOL):
https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-of.html

If you're still running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Wednesday, June 9, 2021

Security Onion Conference 2021 Save the Date and CFP

This year's Security Onion Conference is currently scheduled to be held in person in Augusta, GA on Friday, October 1, 2021 (please mark your calendar!). Registration will open August 2.

CFP

Want to speak at Security Onion Conference? We want to hear from you!

How are you...

...using Security Onion to find evil?

...handling lots of traffic using Security Onion?

...consuming host telemetry with Security Onion?

...integrating Security Onion with other technologies?

...automating common tasks with your own scripts?

...using Security Onion in a unique way?

Each talk should be 30 minutes with an additional 10 minutes for questions.

Submit your talk here!

https://securityonion.net/cfp

Schedule

June 9 - CFP open

July 15 - CFP closes

July 28 - Speakers selected and notified

August 2 - Registration opens

September 27 - September 30 - Security Onion 4-day training in Augusta

October 1 - Security Onion Conference

October 2 - BSidesAugusta

Previous Conferences

Want to see talks from previous Security Onion Conferences?

https://securityonion.net/conf

Monday, June 7, 2021

Upcoming Security Onion 2.3.60 Release

The Security Onion Solutions team has been working hard the past few months to bring some exciting features to the release of Security Onion 2.3.60. As we get closer to this release, we’d like to share some of the major changes that you will notice.

Elastic 7.13.2

We are pleased to announce that Elastic 7.13.2 will be included in the 2.3.60 release. This version of Elastic enables us to utilize some of the newer features in the Elastic stack that will improve the overall user experience. 

Elastic Authentication

New installations of Security Onion 2.3.60 will utilize Elastic authentication by default. This will allow you to log into Kibana using your Security Onion Console (SOC) credentials. These credentials are synced between Kibana and SOC.

For existing installations, once you run soup to upgrade to Security Onion 2.3.60, you will then be able to enable Elastic authentication manually.  All SOC users are required to change their passwords in order to sync with Kibana, so if users do not change their password they will have access to SOC but will not be able to log into Kibana.

Filebeat Module Support

Starting in Security Onion 2.3.60, we are enabling all Filebeat module pipelines. This will make it much easier for you to send additional log types to Security Onion and get them parsed and indexed properly. We will continue to use the existing Security Onion taxonomy for Zeek, Wazuh, Suricata and osquery logs but will be migrating it in a future release for full Elastic Common Schema (ECS) compliance.

Connectivity Changes

New installations of Security Onion 2.3.60 will not have any anonymous access to Elasticsearch or Kibana. Existing installations will allow anonymous connections until you manually enable Elastic authentication. Once this happens all unauthenticated access will be denied.

ETA

We don't have a specific release date for Security Onion 2.3.60 yet, but we are working as hard as we can to get this release ready. Stay tuned!

Security Onion 2.3.52 Now Available!

Recently, Security Onion Solutions released Security Onion 2.3.50:
https://blog.securityonion.net/2021/04/security-onion-2350-now-available.html

Today, we are releasing Security Onion 2.3.52 which fixes some important issues:
https://docs.securityonion.net/en/2.3/release-notes.html#changes


Documentation

You can find our documentation here:
https://docs.securityonion.net/en/2.3/

Documentation is always a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

If you'd like a printed version of our documentation, please see:
https://securityonion.net/book

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

AWS Marketplace

For new Security Onion 2 installations on AWS, version 2.3.52 will soon be available on AWS Marketplace:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210521

AMI Documentation:
https://securityonion.net/docs/cloud-ami

Existing Security Onion 2 AMI users should use the "soup" command to upgrade:
https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

As a reminder, Security Onion 16.04 has reached End Of Life (EOL):
https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-of.html

If you're still running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Friday, May 21, 2021

Security Onion 2.3.51 Now Available!

Recently, Security Onion Solutions released Security Onion 2.3.50:
https://blog.securityonion.net/2021/04/security-onion-2350-now-available.html

Today, we are releasing Security Onion 2.3.51 which fixes some important issues:
https://docs.securityonion.net/en/2.3/release-notes.html#changes


Documentation

You can find our documentation here:
https://docs.securityonion.net/en/2.3/

Documentation is always a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

If you'd like a printed version of our documentation, please see:
https://securityonion.net/book

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

AWS Marketplace

For new Security Onion 2 installations on AWS, version 2.3.51 will soon be available on AWS Marketplace:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210521

AMI Documentation:
https://securityonion.net/docs/cloud-ami

Existing Security Onion 2 AMI users should use the "soup" command to upgrade:
https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

As a reminder, Security Onion 16.04 has reached End Of Life (EOL):
https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-of.html

If you're still running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Monday, May 17, 2021

Security Onion Documentation printed book now updated for Security Onion 2.3.50!

Many folks have asked for a printed version of our official online documentation and we're excited to provide that!  Whether you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.


Thanks to Richard Bejtlich for writing the inspiring foreword!


Proceeds go to the Rural Technology Fund!


This 20210511 edition has been updated for Security Onion 2.3.50 and includes a 40% discount code for our on-demand training!


This book covers the following Security Onion topics:

  • Getting Started
  • Security Onion Console (SOC)
  • Analyst VM
  • Network Visibility
  • Host Visibility
  • Logs
  • Updating
  • Accounts
  • Services
  • Customizing for Your Environment
  • Tuning
  • Tricks and Tips
  • Utilities


Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print.  It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else!  Proceeds go to the Rural Technology Fund!  Finally, the printed book includes a 40% discount code for our on-demand training.

Who should get this book?

You should get this book if you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

What is the difference between this edition and the previous edition?

This edition has been updated for Security Onion 2.3.50!

Where do we get it?

https://securityonion.net/book

Thursday, May 6, 2021

Security Onion 2.3.50 Hotfix available!

Security Onion Solutions recently announced the release of Security Onion 2.3.50 which brings a ton of great fixes and features to the community. There have been many occasions where we have wanted to deploy small updates to Security Onion 2 but due to how the platform is built this was difficult to do… until now! Today we are announcing the introduction of hotfixes in Security Onion 2. This hotfix (GRIDFIX) addresses the following issues: 

  • Mixed or capital cased grid members will show up properly in the Grid view.
  • SOC will need to be restarted to remove the duplicate entries - so-soc-restart.
  • Raid status for Security Onion Solutions appliances should now properly update.

If your grid can reach the Internet for updates, simply run "soup" on the manager and it will automatically apply the latest hotfix. Hotfixes will typically include updates to the salt code and small configuration changes that we want to get out to you without having to do a full release update. Any changes to docker containers will follow our normal release process and the version number will change. You will notice that the version number stays the same after a hotfix has been applied. The application of the hotfix is tracked on the manager in the /etc/sohotfix file. For more information, please see our soup documentation:
https://securityonion.net/docs/soup

If you are an airgap user, we want you to know we have not forgotten about you. You too will be able to apply hotfixes starting in Security Onion 2.3.60. Users will see a couple of new commands for applying hotfixes. The first command, so-airgap-hotfixdownload, will be run from a computer with Internet access. This will download the hotfix and drop it into a tarball that you will then need to sneakernet over to your airgapped manager. Once you have copied that sohotfix.tar to a location on the manager, you will run so-airgap-hotfixapply /path/to/sohotfix.tar and it will apply the hotfix. For more information, please see our airgap documentation:
https://securityonion.net/docs/airgap
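The following is an added example, not Security Onion's own tooling, that wraps the two points above: the airgap transfer (so-airgap-hotfixdownload on an Internet-connected host, sneakernet of sohotfix.tar, so-airgap-hotfixapply on the manager) and the hotfix record in /etc/sohotfix. It adds the check a practitioner wants when a file crosses an air gap by hand: a SHA-256 digest recorded on the connected side and verified on the manager before anything is applied. The sidecar file name (sohotfix.tar.sha256), the function names, and the current_hotfix path parameter are this example's own assumptions; the two so-airgap-* command names and the /etc/sohotfix path are taken from the post.

```shell
#!/bin/sh
# Added example (not Security Onion code): integrity-checked airgap hotfix
# transfer. Assumes the tarball is named sohotfix.tar and that the manager
# records the applied hotfix in /etc/sohotfix, as the announcement states.
# The .sha256 sidecar convention is this example's own.

# Use whichever SHA-256 tool the host provides (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Internet-connected side: run after so-airgap-hotfixdownload has produced
# the tarball. Writes <tarball>.sha256 so the digest travels with the file.
record_checksum() {
    tarball="$1"
    [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
    sha256_of "$tarball" > "$tarball.sha256"
    echo "recorded $(cat "$tarball.sha256")  $tarball"
}

# Airgapped manager: refuse a tarball whose digest differs from the one
# recorded before it crossed the air gap. Returns 0 only on an exact match.
verify_checksum() {
    tarball="$1"
    [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
    [ -f "$tarball.sha256" ] || { echo "missing $tarball.sha256" >&2; return 1; }
    expected=$(cat "$tarball.sha256")
    actual=$(sha256_of "$tarball")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: expected $expected got $actual" >&2
        return 1
    fi
    return 0
}

# Read the hotfix name the manager currently records (/etc/sohotfix by
# default; the path argument exists so the function can be tested elsewhere).
# Prints "none" when the file is absent, i.e. no hotfix has been applied.
current_hotfix() {
    cat "${1:-/etc/sohotfix}" 2>/dev/null || echo "none"
}

# Airgapped manager: verify first, then hand the tarball to the documented
# command and report which hotfix the manager records afterwards.
apply_hotfix() {
    tarball="$1"
    verify_checksum "$tarball" || return 1
    so-airgap-hotfixapply "$tarball" || return 1
    echo "applied hotfix: $(current_hotfix)"
}

# Usage, one side of the air gap at a time:
#   internet host:  so-airgap-hotfixdownload && record_checksum sohotfix.tar
#   manager:        apply_hotfix /path/to/sohotfix.tar
```

Carry the .sha256 file on the same media as the tarball; the check only catches accidental corruption or substitution during the transfer, so the digest itself should be confirmed against the connected host out of band if that matters in your environment.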

We hope you are as excited as we are for this new functionality and look forward to continuing to bring cool and innovative features to the Security Onion Platform.

Documentation

You can find our documentation here:
https://docs.securityonion.net/en/2.3/

Documentation is always a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

AWS Marketplace

For new Security Onion 2 installations, version 2.3.50 is now also available on AWS Marketplace via the official Security Onion 2 AMI:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210428

AMI Documentation:
https://securityonion.net/docs/cloud-ami

Existing Security Onion 2 AMI users should use the "soup" command to upgrade:
https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

As a reminder, Security Onion 16.04 has reached End Of Life (EOL):
https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-of.html

If you're still running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Wednesday, April 28, 2021

Security Onion 2.3.50 now available!

Last October, we released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.50, which adds new features and resolves a few issues:

https://docs.securityonion.net/en/2.3/release-notes.html#changes

Documentation

You can find our documentation here:
https://docs.securityonion.net/en/2.3/

Documentation is always a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

AWS Marketplace

For new Security Onion 2 installations, version 2.3.50 is now also available on AWS Marketplace via the official Security Onion 2 AMI:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210428

AMI Documentation:
https://securityonion.net/docs/cloud-ami

Existing Security Onion 2 AMI users should use the "soup" command to upgrade:
https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

As a reminder, Security Onion 16.04 has reached End Of Life (EOL):
https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-of.html

If you're still running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Starting in this release, Security Onion Console (SOC) automatically recognizes our official appliances:

[Screenshot] Security Onion Console running on an SOS4000 appliance

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

Screenshot captions, in order (images not included here):

  • Security Onion ISO Boot Menu
  • ISO Installation
  • ISO Installation Complete
  • After rebooting, log in to start Setup
  • Setup Options
  • Choose the Setup type
  • Accept the Elastic License
  • Choose Standard or Airgap
  • Specify hostname
  • Setup checks for the common hostname of "securityonion"
  • Optionally enter a short description for the node
  • Select management NIC
  • Configure management NIC
  • Configure networking (four screens)
  • Initialize networking
  • Select direct connection to Internet or specify proxy
  • Configure home network(s)
  • Create user account
  • Set password
  • Confirm password
  • Choose how you want to access the web interface
  • Optionally configure NTP servers (two screens)
  • Optionally run so-allow
  • Specify IP address or range to allow through firewall
  • Confirm options
  • Setup complete
  • After rebooting and logging in, optionally run so-analyst-install
  • so-analyst-install complete
  • Enter username to log in to desktop
  • Enter password to log in to desktop
  • Analyst desktop
  • Analyst install includes Chromium, NetworkMiner, Wireshark, and many other analysis tools
  • Log into Security Onion Console (SOC)
  • SOC Overview Page
  • Use so-import-pcap to import one or more pcap files
  • Use the hyperlink provided by so-import-pcap to view all alerts and logs
  • Find an interesting stream and pivot to full packet capture
  • Switch to PCAP transcript mode
  • Download the PCAP and open directly in NetworkMiner for file extraction

All this in a minimal VM with only 4GB RAM!


Friday, April 16, 2021

Security Onion 16.04 has reached End Of Life

On 10/16/2020, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Security Onion 16.04 has now reached End Of Life. If you still have existing installations of Security Onion 16.04, please upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Thursday, April 1, 2021

Security Onion 2.3.40 Hotfix for Curator Closed Index Issue

If you're running Security Onion 2.3.40 on a standalone installation or a combined manager/search node, please see:

https://github.com/Security-Onion-Solutions/securityonion/discussions/3738

Security Onion Documentation printed book now updated for Security Onion 2.3.40!

Many folks have asked for a printed version of our official online documentation and we're excited to provide that!  Whether you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.


Thanks to Richard Bejtlich for writing the inspiring foreword!


Proceeds go to the Rural Technology Fund!


This 20210326 edition has been updated for Security Onion 2.3.40 and includes a 40% discount code for our on-demand training!



This book covers the following Security Onion topics:

  • Getting Started
  • Security Onion Console (SOC)
  • Analyst VM
  • Network Visibility
  • Host Visibility
  • Logs
  • Updating
  • Accounts
  • Services
  • Customizing for Your Environment
  • Tuning
  • Tricks and Tips
  • Utilities

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print.  It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else!  Proceeds go to the Rural Technology Fund!  Finally, the printed book includes a 40% discount code for our on-demand training.

Who should get this book?

You should get this book if you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

What is the difference between this edition and the previous edition?

This edition has been updated for Security Onion 2.3.40!

Where do we get it?