Monday, February 11, 2019

New Setup and NSM packages now available for Security Onion!

The following packages are now available:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion199
securityonion-setup - 20120912-0ubuntu0securityonion285

This should resolve the following issues:

Setup: update setup conf files #1417
https://github.com/Security-Onion-Solutions/security-onion/issues/1417

Setup: Fix bug where the regex in sed disables incorrect interfaces #1427
https://github.com/Security-Onion-Solutions/security-onion/issues/1427

Setup: add logger node to Bro node.cfg #1420
https://github.com/Security-Onion-Solutions/security-onion/issues/1420

Setup: configure Bro cluster mode for AF_PACKET #1421
https://github.com/Security-Onion-Solutions/security-onion/issues/1421

Setup: configure Suricata for AF_PACKET #1432
https://github.com/Security-Onion-Solutions/security-onion/issues/1432

NSM: Improve the method of updating thread count in suricata.yaml #1230
https://github.com/Security-Onion-Solutions/security-onion/issues/1230

NSM: support running Suricata using AF_PACKET #1431
https://github.com/Security-Onion-Solutions/security-onion/issues/1431

As an overview, these updates will cause new installations to configure Bro and Suricata to collect network traffic via AF_PACKET (instead of PF_RING as we've done for the last few years).  Installations already configured for PF_RING will continue to use PF_RING.  Please see the links above for background information and config changes.
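To make the capture-method change concrete, here is an added illustration (not Security Onion's generated configuration, and not taken from the linked issues) of what "PF_RING versus AF_PACKET" looks like in suricata.yaml. The interface name, cluster-id and thread count are placeholders; the thread count is the value that the NSM scripts manage per sensor (issue #1230 above).

```yaml
# Added example, not Security Onion's own config: the two Suricata capture
# stanzas the PF_RING -> AF_PACKET change is about. eth1 and 99 are placeholders.

# Before: PF_RING capture. Needs the out-of-tree pf_ring kernel module and a
# Suricata build with PF_RING support; started with "suricata --pfring ...".
pfring:
  - interface: eth1            # placeholder monitoring interface
    threads: 1                 # per-sensor thread count managed by the NSM scripts
    cluster-id: 99
    cluster-type: cluster_flow

# After: AF_PACKET capture. In-kernel, so no third-party module to keep in step
# with kernel updates; started with "suricata --af-packet ...".
af-packet:
  - interface: eth1            # placeholder monitoring interface
    threads: auto              # or an explicit per-sensor count
    cluster-id: 99             # fanout group id: keep it unique per interface so
                               # Suricata and Bro never join the same fanout group
    cluster-type: cluster_flow # flow-hash load balancing across the threads
    defrag: yes                # reassemble IP fragments before flow hashing
    use-mmap: yes              # memory-mapped ring buffer for lower capture overhead
```

The practical check after upgrading is that a sensor really came up in the intended mode: a process started with `--af-packet` and a `pfring:` stanza (or vice versa) will not use the stanza you expect. On the Bro side the analogous knob is broctl's `lb_method=af_packet` in node.cfg (with the AF_PACKET plugin), and because both tools open the same interface, giving each its own fanout id is what keeps them from silently splitting the traffic between them.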

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've started moving our documentation to https://securityonion.net/docs!  Please let us know if anything needs to be updated.

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Monday, February 4, 2019

securityonion-sostat - 20120722-0ubuntu0securityonion120 now available for Security Onion!

The following package is now available:
securityonion-sostat - 20120722-0ubuntu0securityonion120

This should resolve the following issues:

soup: create /etc/apt/apt.conf.d/10periodic #1423
https://github.com/Security-Onion-Solutions/security-onion/issues/1423

soup: output reminder to update remaining boxes in deployment #1424
https://github.com/Security-Onion-Solutions/security-onion/issues/1424

soup: check for lock #1428
https://github.com/Security-Onion-Solutions/security-onion/issues/1428

soup: node checking master for updates fails if master has 1 update #1434
https://github.com/Security-Onion-Solutions/security-onion/issues/1434

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Thanks!

Monday, January 28, 2019

NetworkMiner 2.4.0 now available for Security Onion!

NetworkMiner 2.4.0 was released recently:
https://www.netresec.com/?page=Blog&month=2019-01&post=NetworkMiner-2-4-Released

NetworkMiner 2.4.0 is now available in the following package:
securityonion-networkminer - 20180410-1ubuntu1securityonion6

This should resolve the following issue:

NetworkMiner 2.4 #1416
https://github.com/Security-Onion-Solutions/security-onion/issues/1416


Thanks
Thanks to Erik Hjelmvik for NetworkMiner 2.4.0!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Thanks!

Friday, January 25, 2019

Security Onion Hybrid Hunter 1.0.6 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.0.6 is now available for testing!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major highlights of this release:

  • Added Osquery rule packs from Palantir.
  • Fully integrated Fleet support. You can now pivot from Kibana directly to the Fleet interface to interact directly with hosts via the LiveQuery hyperlinks.

For more information, please see the Changelog:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Changelog

Screenshots (not reproduced here): Kolide Fleet Query Packs; Osquery Dashboard

Wednesday, January 23, 2019

securityonion-sostat - 20120722-0ubuntu0securityonion116 now available for Security Onion!

The following package is now available for Security Onion:
securityonion-sostat - 20120722-0ubuntu0securityonion116

This should resolve the following issues:

soup: fix docker updates #1419
https://github.com/Security-Onion-Solutions/security-onion/issues/1419

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Thanks!

Monday, January 14, 2019

securityonion-iso - 20151016-1ubuntu1securityonion31 now available for Security Onion!

The following package is now available for Security Onion:
securityonion-iso - 20151016-1ubuntu1securityonion31

This should resolve the following issues:

so-iso-build: wipe ossec syscheck files #1414
https://github.com/Security-Onion-Solutions/security-onion/issues/1414

so-iso-build: disable bro and ossec_agent #1415
https://github.com/Security-Onion-Solutions/security-onion/issues/1415

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Thanks!

pinguybuilder - 20180514-1ubuntu1securityonion15 now available for Security Onion!

The following package is now available for Security Onion:
pinguybuilder - 20180514-1ubuntu1securityonion15

This should resolve the following issues:

pinguybuilder: increment version to 16.04.5.6 #1399
https://github.com/Security-Onion-Solutions/security-onion/issues/1399

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Thanks!

Security Onion 16.04.5.6 now available featuring Suricata 4.1.2, Wazuh 3.7.2, CyberChef 8.18.1, Bro 2.6.1, Elastic 6.5.4, JA3, HASSH, and more!

Security Onion 16.04.5.6 is now available!


Issues Resolved
For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/5

Release Notes
For more information about this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/16.04.5.6

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Existing Deployments
If you have existing 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you have existing installations of Security Onion 14.04, you can upgrade from 14.04 to 16.04:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-14.04-to-16.04

Thanks
Thanks to Wes Lambert for testing this new ISO image!

Screenshot Tour
(Screenshots are not reproduced here; the captions are kept below.)

Installation and Setup: ISO Boot Menu; once the Live Desktop appears, double-click the Install icon; once you've completed the installer and rebooted, log in using the username and password you created in the installer; after logging in, you are prompted to run Setup; Setup Wizard; configure network interfaces, reboot, then log back in; you are then prompted to run Setup again to continue to the second phase of Setup; skip network configuration to go to service configuration; Evaluation Mode vs Production Mode; Monitoring Interface Selection; create username; create password; confirm password; confirm all options; Setup complete; the desktop no longer prompts to run Setup.

Tools: /usr/sbin/so-* scripts; CyberChef 8.18.1; Single Sign On (SSO) for Squert, CapMe, and Kibana; reviewing IDS alerts using Squert; retrieving full packet capture with CapMe; Kibana Overview.

Kibana dashboards: if you want to change from dark dashboards to light, you can run so-elastic-configure-kibana-dashboards-light; if you want to switch back to dark dashboards, you can run so-elastic-configure-kibana-dashboards-dark. Dashboards shown: Help, Bro Notices, ElastAlert, HIDS Alerts from OSSEC (Wazuh), NIDS Alerts from Snort or Suricata, Bro Connections, Bro DCE/RPC, Bro DHCP, Bro DNP3, Bro DNS, Bro Files, Bro FTP, Bro HTTP, Bro Intel, Bro IRC, Bro Kerberos, Bro Modbus, Bro MySQL, Bro NTLM, Bro PE, Bro RADIUS, Bro RDP, Bro RFB, Bro SIP, Bro SMB, Bro SMTP, Bro SNMP, Bro Software, Bro SSH, Bro SSL, Bro Syslog, Bro Tunnels, Bro Weird, Bro X.509, Autoruns, Beats, OSSEC, Sysmon, Firewall, Frequency Analysis, Syslog.