Thursday, August 6, 2020

Thursday, July 30, 2020

Security Onion 2.0.3 RC1 Available for Testing!

We recently released Security Onion 2.0 RC1 versions 2.0.0, 2.0.1, and 2.0.2:

Elastic and Zeek had recent security updates and so we've built a new 2.0.3 release that includes these security updates:

Zeek 3.0.8 #1114

Elastic 7.8.1 #1105

This release also includes LVM partitioning in our ISO image!

Please note that this is still considered part of the Release Candidate 1 phase.

Thanks
Thanks to Elastic for Elastic 7.8.1!
Thanks to Zeek for Zeek 3.0.8!
Thanks to Mike Reeves and Jason Ertel for getting this security update published so quickly!

Existing Installations
If you have an existing 2.0 RC1 installation, please see the soup page on our documentation site:

New Installations
If you download our ISO image, you'll get the new 2.0.3 ISO image that already contains these fixes. If you install a standard CentOS7 or Ubuntu 18.04 ISO and then perform a network installation, you'll get the latest code that contains the fixes.

For more information, please see the download page on our documentation site:

Feedback
If you have questions or problems, please reach out to our community:

Thanks!

Zeek 3.0.8 now available for Security Onion 16.04!

Zeek 3.0.8 was recently released and is a security update:

The following updates are now available for Security Onion 16.04!

securityonion-bro - 3.0.8-1ubuntu1securityonion1 (Zeek 3.0.8)
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion25
securityonion-bro-scripts - 20121004-0ubuntu0securityonion108

These updates should resolve the following issue:

Zeek 3.0.8 #1779

Thanks
Thanks to the Zeek team for Zeek 3.0.8!
Thanks to Chris Morgret for testing and QA!

Updating
Please see the following page for full update instructions:

Support
Need support?  Please see:

Documentation
You can find our documentation here:

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:

Training
Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:

Appliances
We now offer hardware appliances!  For more information, please see:

Thanks!

Wednesday, July 29, 2020

Elastic Stack 6.8.11 now available for Security Onion 16.04!


Elastic Stack 6.8.11 was recently released and is a security update:

The following updates are now available for Security Onion 16.04!

Elastic 6.8.11 Docker images
securityonion-elastic - 20190510-1ubuntu1securityonion95

These updates should resolve the following issues:

Elastic 6.8.11 #1778

Add ignore_failure to geoip processor calls #1776

Thanks
Thanks to the Elastic team for Elastic 6.8.11!
Thanks to Chris Morgret for testing and QA!

Updating
Please see the following page for full update instructions:

Support
Need support?  Please see:

Documentation
You can find our documentation here:

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:

Training
Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:

Appliances
We now offer hardware appliances!  For more information, please see:

Thanks!

Friday, July 24, 2020

Security Onion 2.0.2 RC1 Available for Testing!

We recently released Security Onion 2.0 RC1 and 2.0.1:

2.0.1 introduced a sensoroni regression for some deployment types:

We've fixed the regression and are releasing 2.0.2.

Thanks to Mike Reeves and Jason Ertel for getting this regression resolved so quickly!

Existing Installations
If you have an existing 2.0 RC1 installation, please see the soup page on our documentation site:

New Installations
If you download our ISO image, you'll get the new 2.0.2 ISO image that already contains these fixes. If you install a standard CentOS7 or Ubuntu 18.04 ISO and then perform a network installation, you'll get the latest code that contains the fixes.

For more information, please see the download page on our documentation site:

Feedback
If you have questions or problems, please reach out to our community:

Thanks!

Thursday, July 23, 2020

Security Update for Security Onion 2.0 RC1

We recently released Security Onion 2.0 RC1:

Some community members quickly reported some issues (including 2 security issues) and we've released fixes:

Security Fix 1067: variables.txt from ISO install stays on disk for 10 days

Security Fix 1068: Remove user values from static.sls

Issue 1059: Fix distributed deployment sensor interval issue allowing PCAP

Issue 1058: Support for passwords that start with special characters

Thanks to Max Diorio and Reddit user TungstenCLXI for reporting these issues!

UPDATE 2020/07/23 4:53 PM
Looks like the sensor interval fix for distributed deployments introduced a regression for other installation types. We're working on this issue now:
https://github.com/Security-Onion-Solutions/securityonion/issues/1089

UPDATE 2020/07/24 12:14 PM
We've fixed the regression in 2.0.2:
https://blog.securityonion.net/2020/07/security-onion-202-rc1-available-for.html

Existing Installations
If you have an existing 2.0 RC1 installation, you'll want to run "sudo soup" as soon as possible. soup will then update itself and ask you to run soup again. On the second run, soup will update salt and your Docker images. Salt will then remove variables.txt and update static.sls.

Please note that Docker images may still show 2.0.0 (instead of 2.0.1) as they have simply been re-tagged.

For more information, please see the soup page on our documentation site:

New Installations
If you're doing a new installation and you download our ISO image, you'll get the new 2.0.1 ISO image that already contains these fixes. 

Otherwise, if you install a standard CentOS7 or Ubuntu 18.04 ISO and then perform a network installation, you'll get the latest code that contains the fixes.

For more information, please see the download page on our documentation site:

Feedback
If you have questions or problems, please reach out to our community:

Thanks!

Wednesday, July 22, 2020

Security Onion Documentation Changes

As we continue to transition from the traditional Security Onion 16.04 to the new Security Onion 2.0 (currently in Release Candidate phase), we've recently made some changes to our documentation hosted by the fine folks at ReadTheDocs:
When you're viewing the documentation at https://docs.securityonion.net, it will default to the traditional 16.04 version. If you want to switch to the new 2.0 documentation, you can do so in the lower left corner:


Please keep in mind that the 2.0 documentation is a work in progress and some pages may be incomplete or incorrect.  Please let us know if you see any issues.  Thanks!

Tuesday, July 21, 2020

Security Onion 2.0 Release Candidate 1 (RC1) Available for Testing!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:

Today, we are dropping the Hybrid Hunter code name and are proud to release Security Onion 2.0 RC1! It has some amazing new features and improvements!

Release Candidate
This is our first Release Candidate for 2.0, so we're getting closer to a final release, but we're not quite there yet. Please be reminded of the usual pre-release warnings and disclaimers:
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This configuration may change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This script should only be run on a TEST box with TEST data!
  • Use of this script may result in nausea, vomiting, or a burning sensation.

Documentation
We've started migrating our documentation to 2.0:
However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Download
Once you've reviewed the documentation and are ready to download, you can find instructions here:
Changes from Previous Beta Releases
After installing Security Onion 2.0, you'll notice many changes from previous beta releases. One of the first changes you'll notice is that account creation and authentication are much more streamlined now. This includes the initial OS account and the individual web interface accounts.

Another change is that so-import-pcap is back by popular demand! You can run through our installer choosing Eval or Standalone and then run "sudo so-import-pcap" and give it the full path to one or more pcap files. It will then provide a custom hyperlink to show you the resulting data in our new Hunt interface. Another utility that is back by popular demand is soup! Looking forward to RC2 and beyond, this should make it possible to perform in-place updates.

Finally, there are lots of little bug fixes and improvements and you can find more information in the detailed change list below!
  • Re-branded 2.0 to give it a fresh look
  • All documentation has moved to our docs site
  • soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date.
  • so-import-pcap is back! See the so-import-pcap docs here.
  • Fixed issue with so-features-enable
  • Users can now pivot to PCAP from Suricata alerts
  • ISO install now prompts users to create an admin/sudo user instead of using a default account name
  • The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
  • Fixed issue with disk cleanup
  • Changed the default permissions for /opt/so to keep non-privileged users from accessing salt and related files
  • Locked down access to certain SSL keys
  • Suricata logs now compress after they roll over
  • Users can now easily customize shard counts per index
  • Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
  • Elastic nodes are now “hot” by default, making it easier to add a warm node later
  • so-allow now runs at the end of an install so users can enable access right away
  • Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
    1-Low / 2-Medium / 3-High / 4-Critical
  • Initial implementation of alerting queues:
    • Low & Medium alerts are accessible through Kibana & Hunt
    • High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
  • ATT&CK Navigator is now a statically-hosted site in the nginx container
  • Playbook
    • All Sigma rules in the community repo (500+) are now imported and kept up to date
    • Initial implementation of automated testing when a Play’s detection logic has been edited (i.e., Unit Testing)
    • Updated UI Theme
    • Once authenticated through SOC, users can now access Playbook with analyst permissions without login
  • Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS
  • Fixed issue with Wazuh authd registration service port not being correctly exposed
  • Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
  • Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)
  • Added default YARA rules for Strelka – default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base
  • Added the ability to use custom Zeek scripts
  • Renamed “master server” to “manager node”
  • Improved unification of Zeek and Strelka file data

Known Issues

so-import-pcap currently doesn't check for sudo. If you get any errors, try running with sudo.

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

Josh Brower
Jason Ertel
Wes Lambert
Josh Patterson
Mike Reeves
Bryant Treacle
William Wernert

Screenshot Tour
(Screenshots omitted here; captions retained.)
  • ISO Boot Menu
  • OS account creation
  • Web account creation
  • Logging into Security Onion Console (SOC)
  • Security Onion Console (SOC)
  • Hunt
  • Pivot to PCAP from Hunt or Kibana
  • SOC Sensor Management
  • Downloads page includes links to Winlogbeat and osquery packages
  • SOC User Management
  • Kibana
  • Grafana
  • CyberChef
  • Playbook
  • Fleet
  • TheHive
  • ATT&CK Navigator

Monday, June 29, 2020

Security Onion Hybrid Hunter Beta 3, Community ID, and Sysmon!
Please let us know if there are other topics you'd like us to cover in future videos!

securityonion-sostat - 20120722-0ubuntu0securityonion145 now available for Security Onion!

The following updates are now available for Security Onion!

securityonion-sostat - 20120722-0ubuntu0securityonion145

These updates should resolve the following issues:

sostat: fix Suricata AF_PACKET packet loss calculation #1774

Thanks
Thanks to Bryant Treacle for testing and QA!

Updating
Please see the following page for full update instructions:

Support
Need support?  Please see:

Documentation
You can find our documentation here:

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:

Training
Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:

Appliances
We now offer hardware appliances!  For more information, please see:

Thanks!

Wednesday, June 17, 2020

Security Onion Hybrid Hunter 1.4.0 - Beta 3 Available for Testing!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:

Today we are proud to release Security Onion "Hybrid Hunter" 1.4.0 AKA Beta 3 and it has some amazing new features and improvements!

In this release, we continue to embrace Community ID as a way to correlate different data types.  Both Zeek and Suricata can natively generate Community ID values, but what about tools that don't natively support Community ID?  We sponsored the development of an Elasticsearch Ingest Processor that can automatically generate Community ID values for ANY logs that contain the necessary IP address and port information.  This means that you can now easily pivot from, for example, Suricata alerts to Zeek logs to Sysmon logs and vice versa.  
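
As an added illustration (not Security Onion's ingest processor or the Community ID project's reference code), the Python below implements the Community ID v1 hash the paragraph refers to and applies it to constructed Zeek conn.log and Suricata eve.json records for the same TCP session, showing why a direction-independent flow hash lets you pivot between the two. Field names follow each tool's JSON output; the ICMP type/code mapping from the spec is left out.

```python
import base64
import hashlib
import ipaddress
import json
import struct

# IANA protocol numbers for the transport protocols handled by this example.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Return the Community ID v1 string for a flow 5-tuple.

    Per the Community ID spec: order the two endpoints so both directions of
    a flow hash identically, pack seed | saddr | daddr | proto | 0x00 | sport | dport,
    SHA-1 the bytes and base64-encode the digest behind the version prefix "1:".
    ICMP type/code mapping is deliberately omitted (assumption of this example).
    """
    proto_num = PROTO_NUMBERS[proto.lower()]
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    sport, dport = int(sport), int(dport)
    # Canonical ordering: lower address first; on an address tie, lower port first.
    if not (src < dst or (src == dst and sport < dport)):
        src, dst = dst, src
        sport, dport = dport, sport
    data = struct.pack("!H", seed) + src + dst + struct.pack("!BBHH", proto_num, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def community_id_from_zeek_conn(record):
    """Zeek JSON conn.log carries id.orig_h/id.orig_p/id.resp_h/id.resp_p and proto."""
    return community_id_v1(record["id.orig_h"], record["id.orig_p"],
                           record["id.resp_h"], record["id.resp_p"], record["proto"])


def community_id_from_suricata_eve(record):
    """Suricata eve.json carries src_ip/src_port/dest_ip/dest_port and proto."""
    return community_id_v1(record["src_ip"], record["src_port"],
                           record["dest_ip"], record["dest_port"], record["proto"])


def correlate(zeek_record, suricata_record):
    """True when both events describe the same flow, i.e. share a Community ID."""
    return community_id_from_zeek_conn(zeek_record) == community_id_from_suricata_eve(suricata_record)


# Constructed sample events (not real captures) for one TCP session. The Suricata
# alert fired on the server's reply, so its tuple is the reverse of Zeek's conn entry.
ZEEK_CONN = json.loads(
    '{"ts":1592400000.1,"uid":"CExample1","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"192.0.2.10","id.resp_p":443,"proto":"tcp"}')
SURICATA_ALERT = json.loads(
    '{"timestamp":"2020-06-17T12:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":443,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP"}')

if __name__ == "__main__":
    print("zeek      :", community_id_from_zeek_conn(ZEEK_CONN))
    print("suricata  :", community_id_from_suricata_eve(SURICATA_ALERT))
    print("same flow :", correlate(ZEEK_CONN, SURICATA_ALERT))
```

Any log that exposes the same five fields (Sysmon network events, syslog firewall records) can be fed through community_id_v1 the same way, which is what makes the cross-source pivot work.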

From an interface perspective, we've updated our Kibana dashboards and Hunt interface to make better use of those Community ID values.  Hunt also includes a new Auto Hunt toggle that will automatically submit your hunt query after changing filters or groupings.

Finally, there are lots of little bug fixes and improvements and you can find more details in the bullet points below!

Hunt now shows Community ID by default and includes a new Auto Hunt feature


To read more and download Hybrid Hunter, please see:

If you have any questions about Hybrid Hunter, please post a message on our reddit community and prefix the title with [Hybrid Hunter]!

Major Highlights in this Release

Changes:

  • Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local.
  • The way firewall rules are handled has been completely revamped. This will allow users to customize firewall rules much more easily.
  • Users can now change their own password in SOC.
  • Hunt now allows users to enable auto-hunt. This is a toggle which, when enabled, automatically submits a new hunt when filtering, grouping, etc.
  • Title bar now reflects current Hunt query. This will assist users in locating a previous query from their browser history.
  • Zeek 3.0.7
  • Elastic 7.7.1
  • Suricata can now be used for metadata generation.
  • Suricata eve.json has been moved to /nsm to align with storage of other data.
  • Suricata will now properly rotate its logs.
  • Grafana dashboards now work properly in standalone mode.
  • Kibana Dashboard updates including osquery, community_id.
  • New Elasticsearch Ingest processor to generate community_id from any log that includes the required fields.
  • Community_id generated for additional logs: Zeek HTTP/SMTP, Sysmon shipped with Osquery or Winlogbeat.
  • Major streamlining of Fleet setup & configuration - no need to run a secondary setup script anymore.
  • Fleet Standalone node now includes the ability to set a FQDN to point osquery endpoints to.
  • Distributed installs now support ingesting Windows Eventlogs via Winlogbeat - includes full parsing support for Sysmon.
  • SOC Downloads section now includes a link to the supported version of Winlogbeat.
  • Basic syslog ingestion capability now included.
  • Elasticsearch index name transition fixes for various components.
  • Updated URLs for pivot fields in Kibana.
  • Instances of hive renamed to thehive.

Known Issues:

  • When prompted for hostname, please only enter the hostname itself and NOT a fully qualified domain name! There should be no dots or other special characters.
  • The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
  • You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
  • Navigator is currently not working when using hostname to access SOC. IP mode works correctly.
  • Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
  • The osquery MacOS package does not install correctly.

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

Josh Brower
Jason Ertel
Wes Lambert
Josh Patterson
Mike Reeves
William Wernert

Thursday, June 11, 2020

Zeek 3.0.7 now available for Security Onion!

The following updates are now available for Security Onion!

securityonion-bro - 3.0.7-1ubuntu1securityonion1 (Zeek 3.0.7)
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion24
securityonion-bro-scripts - 20121004-0ubuntu0securityonion107

These updates should resolve the following issues:

Zeek 3.0.7 #1770

Thanks
Thanks to the Zeek team for Zeek 3.0.7!
Thanks to Wes Lambert and Bryant Treacle for testing and QA!

Updating
Please see the following page for full update instructions:

Support
Need support?  Please see:

Documentation
You can find our documentation here:

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:

Training
Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:

Appliances
We now offer hardware appliances!  For more information, please see:

Thanks!

Monday, June 8, 2020

Elastic 6.8.10 now available for Security Onion!


The following updates are now available for Security Onion!

Elastic 6.8.10 Docker images
securityonion-elastic - 20190510-1ubuntu1securityonion94

These updates should resolve the following issues:

Elastic 6.8.10 #1765

Thanks
Thanks to the Elastic team for Elastic 6.8.10!
Thanks to Bryant Treacle, John Bernal, and Chris Morgret for testing and QA!

Updating
Please see the following page for full update instructions:

Support
Need support?  Please see:

Webinars
We've got several webinars scheduled this month!  Hope to see you there!

Documentation
You can find our documentation here:

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:

Training
Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:

Appliances
We now offer hardware appliances!  For more information, please see:

Thanks!

Thursday, May 28, 2020

Community Webinars featuring Security Onion

Thanks to all who attended the Zeek webinar on May 27! For those who weren't able to join, the recording should be available soon and we will share the link when it is available. There may also be a follow-up Zeek webinar and we'll post those details when finalized.

UPDATE 2020/06/05 - The follow-up Zeek webinar has been confirmed and added to the list below!

UPDATE 2020/06/09 - The Zeek webinar recording has been posted!
Here are some other upcoming webinars you don't want to miss!

Wed, June 10, 2020
Correlating Host & Network Data w/ Community ID in Sec Onion Hybrid Hunter

Thur, June 11, 2020
Ask The Zeeksperts (follow up to previous Zeek From Home webinar)
https://corelight.zoom.us/webinar/register/5915913046898/WN_Bc8HGitBQImZU3B5vCtAow

Wed, June 17, 2020
Peel Back the Layers of Your Enterprise with Elastic and Security Onion Hybrid Hunter Beta

Hope to see you at one or more of these webinars!

Wednesday, May 20, 2020

Security Onion Hybrid Hunter 1.3.0 - Beta 2 Available for Testing!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

Today we are proud to release Security Onion "Hybrid Hunter" 1.3.0 AKA Beta 2 and it has some amazing new features and improvements!

The biggest new feature in this release is a brand new web interface for hunting through your logs. Once you've logged into the Security Onion Console, click the Hunt link and then choose one of the many pre-defined queries in the drop-down or write your own using Onion Query Language (OQL).  OQL is based on standard Lucene query syntax and allows you to optionally specify one or more fields to group by. For a few examples, check out the screenshot tour at the bottom of this blog post. This is the first public release of this new interface and we are firm believers in "release early, release often". We have lots of ideas for the future of this tool, but we want to hear your ideas as well.

This release also includes a new Standalone installation option that runs all of the major components on one box. It's similar to Eval mode but has more capabilities beyond just doing a quick evaluation.

Finally, this update includes lots of improvements for parsers, visualizations, dashboards, and Elastic Common Schema (ECS) support. We've done lots of testing along the way and we're ready for you to do some testing and let us know what you think!

To read more and download Hybrid Hunter, please see:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

If you have any questions about Hybrid Hunter, please post a message on our reddit community and prefix the title with [Hybrid Hunter]!
https://www.reddit.com/r/securityonion/


Major Highlights in this Release

Changes:

  • New Feature: Codename: "Onion Hunt". Select Hunt from the menu and start hunting down your adversaries!
  • Improved ECS support.
  • Complete refactor of the setup to make it easier to follow.
  • Improved setup script logging to better assist on any issues.
  • Setup now checks for minimal requirements during install.
  • Updated Cyberchef to version 9.20.3.
  • Updated Elastalert to version 0.2.4 and switched to alpine to reduce container size.
  • Updated Redis to 5.0.9 and switched to alpine to reduce container size.
  • Updated Salt to 2019.2.5
  • Updated Grafana to 6.7.3.
  • Zeek 3.0.6
  • Suricata 4.1.8
  • Fixes so-status to now display correct containers and status.
  • local.zeek is now controlled by a pillar instead of modifying the file directly.
  • Renamed so-core to so-nginx and switched to alpine to reduce container size.
  • Playbook now uses MySQL instead of SQLite.
  • Sigma rules have all been updated.
  • Kibana dashboard improvements for ECS.
  • Fixed an issue where geoip was not properly parsed.
  • ATT&CK Navigator is now its own state.
  • Standalone mode is now supported.
  • Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards.

Known Issues:

  • The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
  • You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
  • Updating users via the SOC UI is known to fail. To change a user, delete the user and re-add them.
  • Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
  • The osquery MacOS package does not install correctly.


Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • William Wernert


Screenshots