Thursday, April 1, 2021

Security Onion 2.3.40 Hotfix for Curator Closed Index Issue

If you're running Security Onion 2.3.40 on a standalone installation or a combined manager/search node, please see:

https://github.com/Security-Onion-Solutions/securityonion/discussions/3738

Security Onion Documentation printed book now updated for Security Onion 2.3.40!

Many folks have asked for a printed version of our official online documentation and we're excited to provide that!  Whether you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.


Thanks to Richard Bejtlich for writing the inspiring foreword!


Proceeds go to the Rural Technology Fund!


This 20210326 edition has been updated for Security Onion 2.3.40 and includes a 40% discount code for our on-demand training!



This book covers the following Security Onion topics:
  • Getting Started
  • Security Onion Console (SOC)
  • Analyst VM
  • Network Visibility
  • Host Visibility
  • Logs
  • Updating
  • Accounts
  • Services
  • Customizing for Your Environment
  • Tuning
  • Tricks and Tips
  • Utilities

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print.  It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else!  Proceeds go to the Rural Technology Fund!  Finally, the printed book includes a 40% discount code for our on-demand training.

Who should get this book?

You should get this book if you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

What is the difference between this edition and the previous edition?

This edition has been updated for Security Onion 2.3.40!

Where do we get it?

Monday, March 22, 2021

Security Onion 2.3.40 now available!

Last October, we released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.40, which adds new features and resolves a few issues:

https://docs.securityonion.net/en/2.3/release-notes.html#changes


Elastic 7.11.2

Elastic recently changed their licensing:
https://securityonion.net/elastic-license

Elastic 7.11.2 is available under the Elastic License. You will be prompted to accept the Elastic License for new installations or upgrades.

Accept the Elastic License

Our Elastic integration now uses Elastic Security for encryption. All Elastic communication will be encrypted with TLS/SSL. Enabling HTTPS encryption in Elastic automatically turns on Elastic authentication as well. To maintain the current functionality, we will enable anonymous access to Elasticsearch and Kibana. This anonymous access mimics the access controls of previous versions of Security Onion where access is controlled via the firewall for these services. If you are using any external services that are connecting directly to Elasticsearch on port 9200, then you will need to change those to use HTTPS when you upgrade to Security Onion 2.3.40.

You will also notice changes in Kibana. First, you will see several new menu options that come with the new Elastic License. You will also see in the upper right corner that you are logged in as the user "anonymous". In previous OSS versions of Kibana, you were logged in as anonymous by default, it just didn't display the user in the upper right corner.

Documentation

We've started migrating our documentation to 2.3:

https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

AWS Marketplace

For new Security Onion 2 installations, version 2.3.40 is now also available on AWS Marketplace via the official Security Onion 2 AMI:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210323

UPDATE 2021/03/23 2:06 PM Eastern
We've identified an issue with the 2.3.40 AMI that would prevent ssh access after reboot and so we have requested removal from the AWS Marketplace. This issue only affects the AWS AMI and should not affect any other installation method. You can use the 2.3.30 AMI and update via soup.

AMI Documentation:
https://securityonion.net/docs/cloud-ami

Existing Security Onion 2 AMI users should use the "soup" command to upgrade.

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:

https://blog.securityonion.net/2021/03/1-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

Security Onion ISO Boot Menu

ISO Installation

ISO Installation Complete

After rebooting, login to start Setup

Setup Options

Choose the Setup Type

Choose Standard or Airgap

Accept the Elastic License

Specify hostname

Setup checks for the common hostname of "securityonion"

Select management NIC

Configure management NIC

Configure networking

Configure networking

Configure networking

Configure networking

Setup now allows you to configure for a proxy server

Initialize networking

Configure home network(s)

Create user account

Set password

Confirm password

Choose how you want to access the web interface

Optionally run so-allow

Specify IP address or range to allow through firewall

Confirm options

Setup complete

After rebooting and logging in, optionally run so-analyst-install

so-analyst-install complete

Enter username to login to desktop

Enter password to login to desktop

Analyst desktop

Analyst install includes Chromium, NetworkMiner, Wireshark, and many other analysis tools

Log into Security Onion Console (SOC)

SOC Overview Page

Use so-import-pcap to import one or more pcap files

Use the hyperlink provided by so-import-pcap to view all alerts and logs

Find an interesting stream and pivot to full packet capture

Switch to PCAP transcript mode

Download the PCAP and open directly in NetworkMiner for file extraction

All this in a minimal VM with only 4GB RAM!


Tuesday, March 16, 2021

1 month EOL notice for Security Onion 16.04

On 10/16/2020, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. We will not provide any support for Security Onion 16.04 after April 16, 2021.  Please plan to upgrade or replace any existing 16.04 systems before then. If you have existing installations of Security Onion 16.04, you can upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html


Monday, March 15, 2021

Security Onion 16.04.7.3 ISO image now available featuring Zeek 3.0.13, Suricata 5.0.6, Elastic 7.10.2, and more!

First, please note that Security Onion 16.04 reaches EOL next month:
https://blog.securityonion.net/2021/02/2-month-eol-notice-for-security-onion.html

Instead of downloading this 16.04.7.3 ISO image, most users should be downloading the new Security Onion 2:
https://blog.securityonion.net/2021/03/security-onion-2330-now-available.html

Our Security Onion 16.04.7.3 ISO image is now available! This will most likely be the last Security Onion 16.04 ISO image!

Security Onion 16.04.7.3 Boot Menu

Major Changes Since Last 16.04 ISO Image

  • Zeek 3.0.13
  • Suricata 5.0.6
  • Elastic 7.10.2
  • CyberChef 9.24.1

Thanks

Thanks to Chris Morgret for testing this ISO image!

Package Updates

This release also includes the following updated packages:

  • pinguybuilder - 20180514-1ubuntu1securityonion26
  • securityonion-web-page - 20141015-0ubuntu0securityonion111

These packages resolve the following issues:

Update CyberChef to latest version #1819
https://github.com/Security-Onion-Solutions/security-onion/issues/1819

Update docs and cheat sheet for 16.04.7.3 #1814
https://github.com/Security-Onion-Solutions/security-onion/issues/1814

pinguybuilder: increment version to 16.04.7.3 #1815
https://github.com/Security-Onion-Solutions/security-onion/issues/1815

Issues Resolved

For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/15

Release Notes

For more information about this release, please see:
https://docs.securityonion.net/en/16.04/release-notes.html

Installation Guide

We've updated the Installation guide to reflect the download locations for the new Security Onion 16.04 ISO image:
https://docs.securityonion.net/en/16.04/download.html

Existing Deployments

If you have existing Security Onion 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://docs.securityonion.net/en/16.04/upgrade.html

Documentation

You can find our documentation for Security Onion 16.04 here:
https://docs.securityonion.net/en/16.04/

Support

Need support for Security Onion 16.04?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Training

Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:
https://securityonionsolutions.com/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!
https://securityonionsolutions.com/hardware

Thanks!

Thursday, March 4, 2021

Suricata 5.0.6 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 2 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2021/02/2-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following update is now available for Security Onion 16.04!

securityonion-suricata - 5.0.6-1ubuntu1securityonion1

This update resolves the following issues:

Suricata 5.0.6 #1822
https://github.com/Security-Onion-Solutions/security-onion/issues/1822

Thanks

Thanks to the Suricata team for Suricata 5.0.6!

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Wednesday, March 3, 2021

10% Early Bird discount for 4-day Security Onion 2 Fundamentals for Analysts and Admins Training Class

We've scheduled the next run of our 4-day Security Onion 2 Fundamentals for Analysts and Admins training class!

Use promo code earlybird by April 1 to receive 10% off!

For more details and to register, please see:
http://securityonionsolutions.com/livetraining

If you have any questions, please use the Contact link on the bottom of the Eventbrite page.

Thanks!



Tuesday, March 2, 2021

Security Onion 2.3.30 now available!

Last October, we released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.30, which resolves a few issues:

https://docs.securityonion.net/en/2.3/release-notes.html#changes

A major focus in this release was automated testing:

  • Over 110,000 tests executed!
  • On nearly 1000 automated installations
  • Including 4 installation modes
  • Covering 3 distinct installation sources
  • Spanning 2 operating systems (Ubuntu, CentOS)
  • Between 2 network isolation modes
  • With 2 packet metadata processors
Security Issues

This release resolves a security issue:

Documentation

We've started migrating our documentation to 2.3:

https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:

https://blog.securityonion.net/2021/02/2-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Detection Playbook class!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

Security Onion 2.3.30 ISO Boot Menu

ISO Installation

ISO Installation Complete

After rebooting, login to start Setup

Setup Options

Choose the Setup type

Choose Standard or Airgap

Specify hostname

Setup now checks for the common hostname of "securityonion"

Select management NIC

Configure management NIC

Configure networking

Configure networking

Configure networking

Configure networking

Initialize networking

Configure HOME_NET

Create user account

Set password

Confirm password

Choose how you want to access the web interface

Optionally run so-allow

Specify IP address or range to allow through firewall

Confirm options

Setup complete

After rebooting and logging in, optionally run so-analyst-install

so-analyst-install complete

Enter username to login to desktop

Enter password to login to desktop

Analyst desktop

Analyst Install includes Chromium, NetworkMiner, Wireshark, and many other analysis tools

Log into Security Onion Console (SOC)


SOC Overview Page

Use so-import-pcap to import one or more pcap files

Use the hyperlink provided by so-import-pcap to view all alerts and logs

PCAP Overview

Download the pcap and open directly in NetworkMiner for file extraction

PCAP transcript

All this in a minimal VM with only 4GB RAM!