Monday, September 16, 2019

Second Edition of Security Onion Documentation printed book now available!

Many folks have asked for a printed version of our official online documentation and we're excited to provide that!  Whether you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.

Thanks to Richard Bejtlich for writing the inspiring foreword!

Proceeds go to the Rural Technology Fund!

This second edition has been updated for our latest ISO image release and now includes a 10% discount code for our online training!






This book covers the following Security Onion topics:

  • Getting Started
  • Analyst Tools
  • Network Visibility
  • Host Visibility
  • Elastic Stack
  • Updating
  • Customizing for your Environment
  • Tuning
  • Tricks and Tips
  • Services
  • Utilities
  • Help
  • Integrations


Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print.  It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else!  Proceeds go to the Rural Technology Fund!  Finally, the printed book includes a 10% discount code for our online training.

Who should get this book?

You should get this book if you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

How often will the book be updated?

Currently, we plan to release a new edition of the book every time we release a new version of our ISO image.

What is the difference between this edition and the previous edition?

This edition has been updated for our latest ISO image release and now includes a 10% discount code for our online training!

Where do we get it?

The following URL will always take you to the latest version of the printed book at Amazon:
https://securityonion.net/book

Monday, September 9, 2019

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion205 now available for Security Onion!

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion205 is now available for Security Onion!  This should resolve the following issue:

NSM: nsm_server_user-add should require usernames to be alphanumeric #1627
https://github.com/Security-Onion-Solutions/security-onion/issues/1627

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Conference
Only a few weeks left to register for Security Onion Conference 2019 on Friday, October 4, 2019!
https://socaugusta2019.eventbrite.com/

Training
Security Onion Solutions is the only official authorized training provider for Security Onion and we have 4-day Security Onion Training classes coming up in Columbia MD and Augusta GA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Thursday, September 5, 2019

securityonion-setup - 20120912-0ubuntu0securityonion314 now available for Security Onion!

securityonion-setup - 20120912-0ubuntu0securityonion314 is now available for Security Onion!  This should resolve the following issue:

Setup: improve removal of Elastic auth files #1632
https://github.com/Security-Onion-Solutions/security-onion/issues/1632

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Conference
Only a few weeks left to register for Security Onion Conference 2019 on Friday, October 4, 2019!
https://socaugusta2019.eventbrite.com/

Training
Security Onion Solutions is the only official authorized training provider for Security Onion and we have 4-day Security Onion Training classes coming up in Columbia MD and Augusta GA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Tuesday, September 3, 2019

Bro 2.6.4 now available for Security Onion!

Bro 2.6.4 is now available for Security Onion!  The new package versions are as follows:

securityonion-bro - 2.6.4-1ubuntu1securityonion1
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion13
securityonion-bro-scripts - 20121004-0ubuntu0securityonion73

Bro 2.6.4
These packages should resolve the following issue:

Bro 2.6.4 #1628
https://github.com/Security-Onion-Solutions/security-onion/issues/1628

Thanks
Thanks to the Bro/Zeek team for Bro 2.6.4!
Thanks to Wylie Bayes for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Conference
Only a few weeks left to register for Security Onion Conference 2019 on Friday, October 4, 2019!
https://socaugusta2019.eventbrite.com/

Training
Security Onion Solutions is the only official authorized training provider for Security Onion and we have 4-day Security Onion Training classes coming up in Columbia MD and Augusta GA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Wednesday, August 28, 2019

Security Onion 16.04.6.2 now available featuring Elastic 6.8.2, Wazuh 3.9.5, CyberChef 9.2.0, Bro 2.6.3, Snort 2.9.13.0, and more!

Security Onion 16.04.6.2 is now available!

Security Onion 16.04.6.2

Major Changes Since Last ISO Image

  • Elastic 6.8.2
  • Wazuh 3.9.5
  • CyberChef 9.2.0
  • Bro 2.6.3
  • Snort 2.9.13.0
  • PulledPork 0.7.3
  • Users can now run Setup interactively via GUI or CLI
  • Users can now optionally switch from open source Elastic Stack to Elastic Features using so-elastic-features
  • Users can now optionally enable native Elastic auth using so-elastic-auth (which automatically runs so-elastic-features and then configures all processes for native Elastic auth)
  • so-import-pcap has been overhauled!
  • fixed lots of bugs!

sosetup-minimal
sosetup-minimal will run the normal sosetup and then reconfigure the Elastic Stack to run in minimal mode.  This minimal mode is designed to minimize RAM and CPU usage.  This means that sosetup-minimal can run Evaluation Mode in only 4GB RAM!  However, please note that the minimal Logstash config is intended to only do a basic parsing of NIDS alerts and JSON-formatted Bro logs so it won't support additional logs like sysmon and autoruns by default.  It also doesn't do additional decoration or augmentation like domainstats or freqserver. You can see an example of sosetup-minimal in the Screenshot Tour at the end of this blog post.

Thanks
Thanks to Josh Brower for testing this ISO image!

Package Updates
This release also includes the following updated packages:
pinguybuilder - 20180514-1ubuntu1securityonion19
securityonion-iso - 20151016-1ubuntu1securityonion33

These packages resolve the following issues:

pinguybuilder: increment version to 16.04.6.2 #1624
https://github.com/Security-Onion-Solutions/security-onion/issues/1624

so-iso-build: purge /var/ossec/queue/diff #1543
https://github.com/Security-Onion-Solutions/security-onion/issues/1543

Issues Resolved
For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/7

Release Notes
For more information about this release, please see:
https://securityonion.net/docs/release-notes.html

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:
https://securityonion.net/docs/installation.html

Existing Deployments
If you have existing 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://securityonion.net/docs/Upgrade

If you have existing installations of Security Onion 14.04, you can upgrade from 14.04 to 16.04:
https://securityonion.net/docs/upgrading-from-14.04-to-16.04.html

Conference
Only a few weeks left to register for Security Onion Conference 2019 on Friday, October 4, 2019!
https://socaugusta2019.eventbrite.com/

Training
Security Onion Solutions is the only official authorized training provider for Security Onion and we have 4-day Security Onion Training classes coming up in Columbia MD and Augusta GA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Screenshot Tour
ISO Boot Menu

Once the Live Desktop appears, double-click the Install icon and follow the prompts

Once you've completed the installer and rebooted, login using the username and password you created in the installer

After logging in, you are prompted to run Setup

Setup can now run interactively via CLI and sosetup-minimal can be used to minimize RAM and CPU usage

Welcome to Setup

Configure network interfaces

If your hostname is securityonion, Setup gives you the opportunity to rename it

Configure your network interfaces, reboot, then log back in

Launch Setup again and skip network configuration to go to service configuration

sosetup-minimal can run Evaluation Mode in 4GB RAM

Confirm sniffing interface

Create username

Create Password

Confirm Password

Confirm all options

Please wait while Setup configures your system

Setup complete

Desktop no longer prompts to run Setup and includes icons for analyst applications 
The README shortcut includes links to the cheat sheet and online and offline documentation



CyberChef 9.2.0

Single Sign On (SSO) for Squert, CapMe, and Kibana

sosetup-minimal can run Evaluation Mode in only 4GB RAM

Review IDS alerts using Squert

Retrieve full packet capture with CapMe

Kibana Overview Dashboard

Help

Bro Notices

HIDS Alerts from OSSEC/Wazuh

NIDS Alerts from Snort or Suricata

Bro Connections

Bro DCERPC

Bro DHCP

Bro DNP3

Bro DNS

Bro Files

Bro FTP

Bro HTTP

Bro Intel

Bro IRC

Bro Kerberos

Bro Modbus

Bro MySQL

Bro NTLM

Bro PE

Bro RADIUS

Bro RDP

Bro RFB

Bro SIP

Bro SMB

Bro SMTP

Bro SNMP

Bro Software

Bro SSH

Bro SSL

Bro Syslog

Bro Tunnels

Bro Weird

Bro X.509

OSSEC (Wazuh)

Syslog