Thursday, March 21, 2019

4-day Security Onion Basic Training class in Costa Mesa CA with 10% discount!

In addition to our previously announced class in Columbia MD, we just scheduled a 4-day Security Onion training class in Costa Mesa CA!  Use promotional code marchmadness to get 10% off either of these classes through the end of March!  For more information about these onsite classes and to register, please see:
https://securityonionsolutions.com/onsitetraining

If you can't make it to either of these onsite classes, we have a new online training platform!
https://onlinetraining.securityonionsolutions.com/

For more information and other training options, please see:
https://securityonionsolutions.com

securityonion-sostat - 20120722-0ubuntu0securityonion123 now available for Security Onion!

securityonion-sostat - 20120722-0ubuntu0securityonion123 is now available and should resolve the following issues:

securityonion-sostat: implement better error handling for zero packet count #1464
https://github.com/Security-Onion-Solutions/security-onion/issues/1464

securityonion-sostat: awk division error when Bro doesn't report stats correctly #817
https://github.com/Security-Onion-Solutions/security-onion/issues/817

Thanks
Thanks to Wes Lambert for his work on these issues!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion training class coming up in Columbia, MD!  Use promotional code marchmadness for 10% off this class through the end of March!  If you can't make it to an onsite class, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Wednesday, March 13, 2019

securityonion-capme - 20121213-0ubuntu0securityonion75 now available for Security Onion!

securityonion-capme - 20121213-0ubuntu0securityonion75 is now available and should resolve the following issues:

securityonion-capme: allow start time to go back 50 years in callback.php #1473
https://github.com/Security-Onion-Solutions/security-onion/issues/1473

securityonion-capme: update mysql calls #1479
https://github.com/Security-Onion-Solutions/security-onion/issues/1479

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have 4-day Security Onion training classes coming up in Atlanta, Georgia and Columbia, MD!  If you can't make it to either of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Tuesday, March 12, 2019

Suricata 4.1.3 now available for Security Onion!

Suricata 4.1.3 was released recently:
https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/

We've packaged Suricata 4.1.3 and the following package is now available:
securityonion-suricata - 4.1.3-1ubuntu1securityonion1

This package should resolve the following issue:

Suricata 4.1.3 #1475
https://github.com/Security-Onion-Solutions/security-onion/issues/1475

Suricata 4.1.3
Thanks
Thanks to the Suricata team for Suricata 4.1.3!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have 4-day Security Onion training classes coming up in Atlanta, Georgia and Columbia, MD!  If you can't make it to either of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Monday, March 11, 2019

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion201 now available for Security Onion!

The following packages are now available:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion201

This should resolve the following issues:

NSM: when (re)starting Suricata, make sure stats.log has proper ownership #1477
https://github.com/Security-Onion-Solutions/security-onion/issues/1477

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion training class coming up in Columbia MD!  If you can't make it to this onsite class, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Tuesday, February 26, 2019

securityonion-setup - 20120912-0ubuntu0securityonion293 now available for Security Onion!

The following packages are now available:
securityonion-setup - 20120912-0ubuntu0securityonion293

This should resolve the following issues:

Setup: postinst script should add MySQL LimitNOFILE setting if necessary #1443
https://github.com/Security-Onion-Solutions/security-onion/issues/1443

Setup: create desktop shortcut for CyberChef #1449
https://github.com/Security-Onion-Solutions/security-onion/issues/1449

securityonion-setup: change wiki links to docs #1450
https://github.com/Security-Onion-Solutions/security-onion/issues/1450

Setup: change Elastic Setup to Setup #1453
https://github.com/Security-Onion-Solutions/security-onion/issues/1453

Setup: disable Bro syslog.log by default in Production Mode #1457
https://github.com/Security-Onion-Solutions/security-onion/issues/1457

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion training class coming up in Columbia MD!  If you can't make it to this onsite class, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated.
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Monday, February 25, 2019

Wazuh 3.8.2 now available for Security Onion!

The following packages are now available:
Wazuh 3.8.2 (packaged as ossec-hids-server - 3.8.2.2ubuntu1securityonion1)
securityonion-ossec-rules - 20120726-0ubuntu0securityonion12

This should resolve the following issues:

Wazuh 3.8.2 #1422
https://github.com/Security-Onion-Solutions/security-onion/issues/1422

Wazuh email config not being migrated properly #1441
https://github.com/Security-Onion-Solutions/security-onion/issues/1441

securityonion-ossec-rules: ignore alerts on common files #1455
https://github.com/Security-Onion-Solutions/security-onion/issues/1455

Thanks
Thanks to the Wazuh team for Wazuh 3.8.2!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion training class coming up in Columbia MD!  If you can't make it to this onsite class, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated.
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Thursday, February 21, 2019

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion200 now available for Security Onion!

The following packages are now available:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion200

This should resolve the following issues:

NSM: wipe Suricata stats.log using truncate rather than rm #1456
https://github.com/Security-Onion-Solutions/security-onion/issues/1456

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion training class coming up in Columbia MD!  If you can't make it to this onsite class, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated.
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

CyberChef 8.23.4 now available for Security Onion!

CyberChef 8.23.4 was recently released:
https://github.com/gchq/CyberChef/blob/master/CHANGELOG.md

securityonion-web-page - 20141015-0ubuntu0securityonion91 is now available and includes CyberChef 8.23.4.  This should resolve the following issues:

CyberChef 8.23.4 #1439
https://github.com/Security-Onion-Solutions/security-onion/issues/1439

securityonion-web-page: change wiki links to docs #1451
https://github.com/Security-Onion-Solutions/security-onion/issues/1451

CyberChef 8.23.4

Thanks
Thanks to the CyberChef team for CyberChef 8.23.4!
Thanks to Wes Lambert for testing this package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion training class coming up in Columbia MD!  If you can't make it to this onsite class, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated.
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

securityonion-sostat - 20120722-0ubuntu0securityonion121 now available for Security Onion!

The following packages are now available:
securityonion-sostat - 20120722-0ubuntu0securityonion121

This should resolve the following issues:

securityonion-sostat: change wiki links to docs #1454
https://github.com/Security-Onion-Solutions/security-onion/issues/1454

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion training class coming up in Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've started moving our documentation to https://securityonion.net/docs!  Please let us know if anything needs to be updated.

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Monday, February 11, 2019

New Setup and NSM packages now available for Security Onion!

The following packages are now available:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion199
securityonion-setup - 20120912-0ubuntu0securityonion285

This should resolve the following issues:

Setup: update setup conf files #1417
https://github.com/Security-Onion-Solutions/security-onion/issues/1417

Setup: Fix bug where the regex in sed disables incorrect interfaces #1427
https://github.com/Security-Onion-Solutions/security-onion/issues/1427

Setup: add logger node to Bro node.cfg #1420
https://github.com/Security-Onion-Solutions/security-onion/issues/1420

Setup: configure Bro cluster mode for AF_PACKET #1421
https://github.com/Security-Onion-Solutions/security-onion/issues/1421

Setup: configure Suricata for AF_PACKET #1432
https://github.com/Security-Onion-Solutions/security-onion/issues/1432

NSM: Improve the method of updating thread count in suricata.yaml #1230
https://github.com/Security-Onion-Solutions/security-onion/issues/1230

NSM: support running Suricata using AF_PACKET #1431
https://github.com/Security-Onion-Solutions/security-onion/issues/1431

As an overview, these updates will cause new installations to configure Bro and Suricata to collect network traffic via AF_PACKET (instead of PF_RING as we've done for the last few years).  Installations already configured for PF_RING will continue to use PF_RING.  Please see the links above for background information and config changes.

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've started moving our documentation to https://securityonion.net/docs!  Please let us know if anything needs to be updated.

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, February 4, 2019

securityonion-sostat - 20120722-0ubuntu0securityonion120 now available for Security Onion!

The following package is now available:
securityonion-sostat - 20120722-0ubuntu0securityonion120

This should resolve the following issues:

soup: create /etc/apt/apt.conf.d/10periodic #1423
https://github.com/Security-Onion-Solutions/security-onion/issues/1423

soup: output reminder to update remaining boxes in deployment #1424
https://github.com/Security-Onion-Solutions/security-onion/issues/1424

soup: check for lock #1428
https://github.com/Security-Onion-Solutions/security-onion/issues/1428

soup: node checking master for updates fails if master has 1 update #1434
https://github.com/Security-Onion-Solutions/security-onion/issues/1434

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, January 28, 2019

NetworkMiner 2.4.0 now available for Security Onion!

NetworkMiner 2.4.0 was released recently:
https://www.netresec.com/?page=Blog&month=2019-01&post=NetworkMiner-2-4-Released

NetworkMiner 2.4.0 is now available in the following package:
securityonion-networkminer - 20180410-1ubuntu1securityonion6

This should resolve the following issue:

NetworkMiner 2.4 #1416
https://github.com/Security-Onion-Solutions/security-onion/issues/1416

NetworkMiner 2.4.0

Thanks
Thanks to Erik Hjelmvik for NetworkMiner 2.4.0!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Friday, January 25, 2019

Security Onion Hybrid Hunter 1.0.6 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.0.6 is now available for testing!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major highlights of this release:

  • Added Osquery rule packs from Palantir.
  • Fully integrated Fleet support. You can now pivot from Kibana directly to the Fleet interface to interact directly with hosts via the LiveQuery hyperlinks.

For more information, please see the Changelog:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Changelog

Kolide Fleet Query Packs

Osquery Dashboard


Wednesday, January 23, 2019

securityonion-sostat - 20120722-0ubuntu0securityonion116 now available for Security Onion!

The following are now available for Security Onion:
securityonion-sostat - 20120722-0ubuntu0securityonion116

This should resolve the following issues:

soup: fix docker updates #1419
https://github.com/Security-Onion-Solutions/security-onion/issues/1419

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, January 14, 2019

securityonion-iso - 20151016-1ubuntu1securityonion31 now available for Security Onion!

The following are now available for Security Onion:
securityonion-iso - 20151016-1ubuntu1securityonion31

This should resolve the following issues:

so-iso-build: wipe ossec syscheck files #1414
https://github.com/Security-Onion-Solutions/security-onion/issues/1414

so-iso-build: disable bro and ossec_agent #1415
https://github.com/Security-Onion-Solutions/security-onion/issues/1415

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

pinguybuilder - 20180514-1ubuntu1securityonion15 now available for Security Onion!

The following are now available for Security Onion:
pinguybuilder - 20180514-1ubuntu1securityonion15

This should resolve the following issues:

pinguybuilder: increment version to 16.04.5.6 #1399
https://github.com/Security-Onion-Solutions/security-onion/issues/1399

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Security Onion 16.04.5.6 now available featuring Suricata 4.1.2, Wazuh 3.7.2, CyberChef 8.18.1, Bro 2.6.1, Elastic 6.5.4, JA3, HASSH, and more!

Security Onion 16.04.5.6 is now available!


Issues Resolved
For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/5

Release Notes
For more information about this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/16.04.5.6

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Existing Deployments
If you have existing 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you have existing installations of Security Onion 14.04, you can upgrade from 14.04 to 16.04:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-14.04-to-16.04

Thanks
Thanks to Wes Lambert for testing this new ISO image!

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Screenshot Tour
ISO Boot Menu

Once the Live Desktop appears, double-click the Install icon

Once you've completed the installer and rebooted, login using the username and password you created in the installer

After logging in, you are prompted to run Setup 
Setup Wizard


Configure network interfaces, reboot, then log back in

You are then prompted to run Setup again to continue to the second phase of Setup

Skip network configuration to go to service configuration

Evaluation Mode vs Production Mode

Monitoring Interface Selection

Create username

Create password

Confirm password

Confirm all options

Setup complete

Desktop no longer prompts to run Setup

/usr/sbin/so-* scripts

CyberChef 8.18.1

Single Sign On (SSO for Squert, CapMe, and Kibana

Reviewing IDS alerts using Squert

Retrieving full packet capture with CapMe 
Kibana Overview


If you want to change from dark dashboards to light, you can run so-elastic-configure-kibana-dashboards-light

Light dashboards

If you want to switch back to dark dashboards, you can run so-elastic-configure-kibana-dashboards-dark

Back to dark dashboards

Help

Bro Notices

ElastAlert

HIDS Alerts from OSSEC (Wazuh)

NIDS Alerts from Snort or Suricata

Bro Connections

Bro DCE/RPC

Bro DHCP

Bro DNP3

Bro DNS

Bro Files

Bro FTP

Bro HTTP

Bro Intel

Bro IRC

Bro Kerberos

Bro Modbus

Bro MySQL

Bro NTLM

Bro PE

Bro RADIUS

Bro RDP

Bro RFB

Bro SIP

Bro SMB

Bro SMTP

Bro SNMP

Bro Software

Bro SSH

Bro SSL

Bro Syslog

Bro Tunnels

Bro Weird

Bro X.509

Autoruns

Beats

OSSEC

Sysmon

Firewall

Frequency Analysis

Syslog