Registration Now Open for Augusta Cyber Week 2024!

Registration is now open for Augusta Cyber Week in beautiful Augusta GA from September 30, 2024 through October 5, 2024! This includes:

• 4-day Security Onion training
• 11th annual Security Onion Conference (SOCAugusta)
• 11th annual BSidesAugusta

These are separate events, but if you sign up for the 4-day training class, then you get a FREE non-transferable ticket to both Security Onion Conference and BSidesAugusta!

Even if you can't make the training class, you won't want to miss Security Onion Conference! It's our 11th annual conference and we are celebrating 10 years in business!

4-day Security Onion training:
https://bsidesaugusta.org/training/#so

11th Annual Security Onion Conference:
https://socaugusta2024.eventbrite.com/

11th Annual BSidesAugusta!
https://bsidesaugusta.org/

Hope to see you there!

Celebrating 10 Years of Security Onion Solutions and Announcing Security Onion Pro!

From Doug Burks, Founder and CEO of Security Onion Solutions: 

There’s an old saying that it takes ten years to be an overnight success. Thanks to our customers and community for ten successful years of Security Onion Solutions as a company! We’re celebrating our “overnight success” by announcing Security Onion Pro!

History

Security Onion Solutions is celebrating ten years as a company and our free and open Security Onion platform recently celebrated fifteen years!

https://blog.securityonion.net/2024/06/on-this-day-in-2009-very-first-version.html

After releasing that first version of Security Onion in 2009, the community steadily grew and more and more folks started using Security Onion in production. Over time, enterprise organizations started asking for training and professional services. So on July 7, 2014, I announced Security Onion Solutions as the company to provide those services: 

Customers started asking for hardware appliances so we announced Security Onion Solutions appliances in 2018:

Customers then asked for cloud images so we started offering them in 2021:

We’ve continued to listen to feedback and today we’re excited to announce the next step in our journey!

Security Onion Pro

Our customers have been asking for enterprise features so we’ve spent the last few years building them! We first mentioned this back in 2022:

https://blog.securityonion.net/2022/08/security-onion-enterprise-features-and.html

If you're looking to get the most out of Security Onion in your enterprise, you should consider Security Onion Pro. The Pro license not only adds additional enterprise features, but also adds many additional benefits as well!

Here are some enterprise features and benefits available with a Security Onion Pro license as of today:

• Open ID Connect (OIDC)
  SOC supports single sign-on (SSO) authentication via OpenID Connect (OIDC) to one of several OIDC-compatible identity providers. For example, users can login to Security Onion using an Active Directory user, a GitHub user, a Google account, an Auth0 account, etc. 
• Data at Rest Encryption
  Storage-level encryption for data residing in your Security Onion grid.
• DoD Security Technical Implementation Guide (STIG) Compliance for the OS
  Automatically apply STIGs to your Grid using OpenSCAP.  For more information about STIGs, please see https://public.cyber.mil/stigs/.
• Federal Information Processing Standards (FIPS) Compliance for the OS
  Support for enabling FIPS during OS installation. For more information about FIPS, please see https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards.
• External Notifications in SOC
  The Detections module, specifically Sigma rules, can be enabled to send outbound notifications when alerts are generated. By default, no outbound notifications are enabled in a Security Onion installation. However, with the Pro license applied to a grid, notifications can be quickly configured via the Configuration screen.
• Time Tracking inside of Cases
  When adding a comment to a Case, you can also specify how many hours you spent working on that activity. You can then see the total time spent by all analysts in the Summary in the upper-right corner of the Case.
• Guaranteed Message Delivery
  If you need guaranteed message delivery, then you can enable Kafka which replaces Redis and Logstash on the Security Onion Manager node and Receiver nodes.
• Higher Priority Service Level Agreements (SLAs)
  Receive faster service with the one business day initial response SLA included with Security Onion Pro. A four-business-hour initial response SLA is also available. 
• Health Checks
  Security Onion Pro includes two free 1-hour Health Checks per year.
• Offline Update Service Shipments
  If you have an airgap deployment, we can ship two free offline updates per year when requested.
• Professional Services and Support
  For customers running Security Onion on their hardware or smaller SOS appliances, Security Onion Pro includes twenty hours of professional services and support time. Services include architecture planning, deployment, tuning, break/fix support, parsing, and other services around Security Onion. Additional hours packages are available.
• Included with larger hardware appliances
  Security Onion Pro is included with many of our larger hardware appliance models, such as the SOS SN7200, SOS SNNV, and SOS GoFast, at no additional charge. See our full appliance list at https://securityonion.com/hardware.
• Coverage for all the nodes in your Grid
  The base license includes licensing for up to ten nodes, with additional node packs available for purchase.

In addition to the list above, we will be adding more to Security Onion Pro in the future!

To learn more about Security Onion Pro, please see:

https://securityonion.com/pro

Community

Just because we’re adding enterprise features does not mean that we’re forgetting about our community! 

Our team worked for nine months on developing our new Detections interface and released the first version of that in 2.4.70:

https://blog.securityonion.net/2024/05/security-onion-2470-now-available.html

After release, we listened to feedback from the community about Detections and incorporated that feedback into 2.4.80:

https://blog.securityonion.net/2024/06/security-onion-2480-now-available.html

We have lots more improvements coming to the community version! It’s also important to note that existing community features will remain available to the community with no data limits and no evaluation period. Our continuing mission is to shift the advantage to defenders!

Thanks

Thanks again to our customers and community for your support throughout the years!

FAQ

What is Security Onion Pro?

Security Onion Pro includes all the features in our standard Security Onion platform and adds enterprise features and premium support.

What enterprise features are included in Security Onion Pro?

Security Onion Pro includes the following enterprise features:

• Open ID Connect (OIDC) authentication for Security Onion Console
• Data-at-Rest Encryption (LUKS)
• DoD Security Technical Implementation Guide (STIG) Compliance for the OS
• Federal Information Processing Standards (FIPS) Compliance for the OS
• External Notifications in Security Onion Console
• Time tracking inside of Cases
• Guaranteed Message Delivery (Kafka)

What kind of support is included in Security Onion Pro?

Security Onion Pro includes premium support:

• two free 1-hour health checks per year
• offline update service shipments
• architecture planning
• deployment
• tuning
• break/fix support
• parsing
• and other services around Security Onion

How do I purchase Security Onion Pro?

You can purchase Security Onion Pro by going to https://securityonion.com/pro and clicking the Purchase button to reach out to our Sales team.

If I purchase Security Onion Pro, do I have to rebuild my existing deployment?

In most cases, you can simply add the Security Onion Pro license key to your existing deployment to enable the enterprise features. An exception would be things like disk encryption that must be enabled during installation.

If I buy a Security Onion Solutions appliance, do I automatically get Security Onion Pro?

Security Onion Pro is included with many of our larger hardware appliance models, such as the SOS SN7200, SOS SNNV, and SOS GoFast, at no additional charge. See our full appliance list at https://securityonion.com/hardware.

If I am a free user and won’t be purchasing Security Onion Pro, will there be any changes?

No, you can continue using the existing Security Onion features that you use today.

How do I get more information about Security Onion Pro?

You can read more about Security Onion Pro at https://securityonion.com/pro. 

Security Onion and RegreSSHion CVE-2024-6387

A vulnerability was recently announced in OpenSSH:

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

https://linux.oracle.com/cve/CVE-2024-6387.html

https://linux.oracle.com/errata/ELSA-2024-4312.html

https://linux.oracle.com/errata/ELSA-2024-12468.html

First, it's important to note the following from https://isc.sans.edu/diary/SSH+regreSSHion+Remote+Code+Execution+Vulnerability+in+OpenSSH/31046:

Exploitation for AMD64 appears to be not practical at this time.

It's also important to note that we don't recommend exposing your Security Onion SSH port to the Internet.

If your Security Onion deployment has Internet access and you have automatic OS updates enabled (which is the default setting), then it should automatically install the latest openssh packages with the patches for this vulnerability. If your Security Onion deployment is an airgap deployment, then the latest openssh packages will be included in the next ISO release.

You can use salt to query your deployment and see what version is installed across your grid:

sudo salt \* cmd.run 'rpm -qa |grep openssh-server'

On Internet-connected deployments, the current version at time of writing should be:

openssh-server-8.7p1-38.0.2.el9_4.1.x86_64

You can also use Osquery Manager to check your grid:

select * from rpm_packages where name = "openssh-server"

You can then expand the source field and verify that it shows at least:

openssh-8.7p1-38.0.2.el9_4.1.src.rpm

Security Onion Documentation printed book now updated for Security Onion 2.4.80!

We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for the recently released Security Onion 2.4.80!

Thanks to Richard Bejtlich for writing the inspiring foreword!

Proceeds go to the Rural Technology Fund!

This edition has been updated for Security Onion 2.4.80 and includes a 20% discount code for our on-demand training and certification!

This book covers the following Security Onion topics:

• First Time Users
• Getting Started
• Security Onion Console (SOC)
• Security Onion Desktop
• Network Visibility
• Additional Network Visibility
• Host Visibility
• Third Party Integrations
• Rules
• Logs
• Updating
• Accounts
• Services
• Customizing for Your Environment
• Tricks and Tips
• Utilities
• Help

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print. It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else! Proceeds go to the Rural Technology Fund! Finally, the printed book includes a 20% discount code for our on-demand training and certification.

Who should get this book?

You should get this book if you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

What is the difference between this edition and the previous edition?

This edition has been updated for Security Onion 2.4.80!

Where do we get it?

https://securityonion.com/book

Quick Malware Analysis: DARKGATE pcap from 2024-05-14

Thanks to Brad Duncan for sharing this pcap from 2024-05-14 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.

We did a quick analysis of this pcap on the NEW Security Onion 2.4.80:

https://blog.securityonion.net/2024/06/security-onion-2480-now-available.html

If you'd like to follow along, you can do the following:

• install Security Onion 2.4.80 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using the SOC Grid interface:
  https://docs.securityonion.net/en/2.4/grid.html#icons-in-lower-left-corner
• optionally enable the DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net

Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? Here are the top 5 reasons to purchase appliances from Security Onion Solutions: https://blog.securityonion.net/2023/08/top-5-reasons-to-purchase-security.html

Screenshots

First, we start with the overview of all alerts and logs:

Next, let's look at just the alerts:

Drilling into the Darkgate HTTP POST alerts and pivoting to the full TCP stream we see:

Switching to the ASCII transcript makes it easy to see what was POSTed and how the server responded:

Going back to the alerts, we drill into the first Powershell alert and then pivot to the ASCII transcript:

We can send the TCP stream to CyberChef to carve out the zip file:

Back at the alerts, we drill into the second Powershell alert and we can see the actual Powershell command used to download the zip file shown above, extract it, and then execute the script contained inside:

Now let's look at the protocol metadata:

HTTP:

Software:

File transfers:

DNS lookups:

Invalid SSL/TLS certs:

SSL/TLS metadata:

X.509 certificates:

Connections:

Security Onion 2.4.80 now available including improvements to our new Detections interface and much more!

Security Onion 2.4.80 is now available! 

Security Onion is a cybersecurity platform built by defenders for defenders. Recently, we released Security Onion 2.4.70 which was the culmination of several MONTHS of thinking through the defender workflow specifically around detection engineering. This resulted in a new interface called Detections that makes it super simple to tune your NIDS rules for Suricata, Sigma rules for ElastAlert, and YARA rules for Strelka. 

Since 2.4.70, we've listened to your feedback about Detections and made lots of improvements including syntax highlighting and much more!

We also continue to look for ways to help our fellow defenders when it comes to process logs. In previous versions, we added SOC actions for "Process Info" and "Process Ancestors". In this release, we've expanded on this with two more actions called "Process and Child Info" and "Process All Info":

Here's how these four process actions relate to each other:

• Clicking the Process Info option will show all logs that include this process’s entity_id in the process.entity_id field.
• Clicking the Process and Child Info option will show all logs that include this process’s entity_id in either the process.entity_id or process.parent.entity_id fields (depending on the process, this may show the same logs as the Process Info option or it may show more).
• Clicking the Process All Info option will show all logs that include this process’s entity_id in any field (depending on the process, this may show the same logs as the Process and Child Info option or it may show more).
• Clicking the Process Ancestors option will show all parent processes for the selected process.

Please note that these actions will only display on the Actions menu if you click on a specific log type:

• The first three Process actions will only appear if you click on a log that contains the process.entity_id field. 
• The Process Ancestors action will only appear if you click on a log that contains the process.Ext.ancestry field.

There are many more features and fixes included in this release! For a complete list of all changes, please see the Release Notes:

https://docs.securityonion.net/en/2.4/release-notes.html#changes

Known Issues

For a list of known issues, please see:

https://docs.securityonion.net/en/2.4/release-notes.html#known-issues

About Security Onion

Security Onion is a free and open platform built by defenders for defenders. It includes network visibility, host visibility, intrusion detection honeypots, log management, and case management. 

For network visibility, we offer signature based detection via Suricata, rich protocol metadata and file extraction using your choice of either Zeek or Suricata, full packet capture, and file analysis. For host visibility, we offer the Elastic Agent which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into Elasticsearch and we’ve built our own user interfaces for alerts, dashboards, threat hunting, case management, and grid management. 

Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build a distributed grid for your enterprise in minutes!

Documentation

You can find our online documentation here:

https://docs.securityonion.net/en/2.4/

Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

New Installations

If this is your first time installing Security Onion 2.4, then we highly recommend starting with an IMPORT installation as shown at:

https://docs.securityonion.net/en/2.4/first-time-users.html

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown at:

https://docs.securityonion.net/en/2.4/architecture.html

Existing 2.4 Installations

If you have an existing Security Onion 2.4 installation, you can update to the latest version using soup:

https://docs.securityonion.net/en/2.4/soup.html

Before updating your production deployment, we highly recommend testing the upgrade process on a test deployment that closely matches your production deployment if possible.

If you haven't already upgraded to 2.4.70 then, in preparation for the new Detections module, the following will be completed during soup:

• Playbook Plays will be backed up to /nsm/backup/detections-migration/ and any active Elastalert rules will be backed up and removed.
• Suricata tuning configurations will be backed to /nsm/backup/detections-migration/ and any thresholds will be migrated over to the new Detections module.

2.3 EOL

As a reminder, Security Onion 2.3 reached End Of Life (EOL) on April 6, 2024:

https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

• Josh Brower
• Jason Ertel
• Wes Lambert
• Corey Ogburn
• Josh Patterson
• Mike Reeves

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the 2.4 category at our Discussions site:

https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

Coming Soon: Security Onion Pro

Next month, we plan to officially announce Security Onion Pro which includes many enterprise features that folks have been asking for:

• Open ID Connect (OIDC)
• Data at Rest Encryption
• FIPS for the OS
• DoD STIG for the OS
• External Notifications in SOC
• Time Tracking inside of Cases
• Guaranteed Message Delivery

You can read more about these enterprise features in the documentation:

https://docs.securityonion.net/en/2.4/pro.html

We'll provide more information next month, but if you'd like to go ahead and start a discussion with our sales team you can reach them using any of the contact forms at https://securityonionsolutions.com.

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

https://securityonion.net/training

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Cloud Installations

For new Security Onion 2 installations in the cloud, Security Onion 2.4 will soon be available on the AWS, Azure, and GCP marketplaces!

AWS Marketplace and Documentation:

https://securityonion.net/aws/?ref=_ptnr_soc_blog_240529

https://docs.securityonion.net/en/2.4/cloud-amazon.html

Azure Marketplace and documentation:

https://securityonion.net/azure

https://docs.securityonion.net/en/2.4/cloud-azure.html

GCP Marketplace and documentation:

https://securityonion.net/google

https://docs.securityonion.net/en/2.4/cloud-google.html

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

https://docs.securityonion.net/en/2.4/first-time-users.html