Friday, January 15, 2021

Upcoming Elastic Licensing Changes

Yesterday, Elastic announced some upcoming license changes:

https://www.elastic.co/blog/licensing-change

https://www.elastic.co/pricing/faq/licensing

We are looking into these changes and what they mean for the Security Onion community. We will provide more information when we have it.

Tuesday, December 29, 2020

Security Onion 2 in 2020 and 2021

As 2020 comes to a close, we want to thank you, our community, for your overwhelming response to Security Onion 2! Let’s talk about the journey of Security Onion 2 and the guiding principles that are going to carry us into the first half of 2021.

Since its release in October, Security Onion 2 has seen many improvements in reliability of the install process on a wider scope of hardware and configurations. Taking multiple Linux distributions, multiple kernel versions, and endless hardware configs, then making it all work with a single install script has been a hefty challenge. We have already successfully reduced installation issues and will continue to improve our setup process with every release.

Along with improving the reliability of the install process we have added several features to improve the usefulness of the product. Some of the major features delivered were:

  • Hunt interface specifically designed for threat hunting
  • Alerts module for managing and escalating alerts
  • Grid interface that allows visibility of all nodes in the grid
  • Multiple Elasticsearch clustering options

We have been delivering these features via our regular release cycle, which has been on a monthly cadence since RC1. We plan to keep that same pace in 2021, with the exception of January, when there will be no major feature releases. We will take some time to catch our breath as well as improve some of our testing capabilities. Currently, we dedicate at least a week for testing between feature freeze and production release. Much of this testing is done manually and the more of this that we can automate, the more time we can spend fixing bugs and bringing new features to Security Onion 2.

Here are our first three major feature goals for 2021:

  • bring playbook functionality directly into the Security Onion Console (SOC) web interface
  • bring case management functionality directly into SOC
  • continued improvement of our SOC Grid interface so that you can more easily manage and maintain your sensor grid

These features will not only simplify the user experience, but also reduce overall complexity. In order to accomplish these goals, you will also see us begin to add other features such as Role Based Access Control (RBAC). RBAC has been a highly requested feature and will enable better control of how data is presented to users in SOC. We have some other exciting features in this space which we will add to the roadmap as we finalize the design.

Again, we want to thank the community for your continued support in 2020. Security Onion remains free and open source because of you. Hardware appliances, training, and professional services drive our business and allow us to keep bringing you all these great features. We are really excited for what 2021 will bring! Have a safe and relaxing holiday season and a Happy New Year!


Wednesday, December 23, 2020

Security Onion 16.04.7.2 ISO image now available featuring Zeek 3.0.11, Suricata 5.0.5, Snort 2.9.17.0, Elastic 7.9.3, and more!

First, please note that Security Onion 16.04 reaches EOL in less than 4 months:
https://blog.securityonion.net/2020/12/4-month-eol-notice-for-security-onion.html

Instead of downloading this 16.04.7.2 ISO image, most users should be downloading the new Security Onion 2:
https://blog.securityonion.net/2020/12/security-onion-2321-now-available.html

Our Security Onion 16.04.7.2 ISO image is now available! This will most likely be the last Security Onion 16.04 ISO image!


Security Onion 16.04.7.2 Boot Menu

Major Changes Since Last 16.04 ISO Image

  • Zeek 3.0.11
  • Suricata 5.0.5
  • Snort 2.9.17.0
  • Elastic 7.9.3

Thanks

Thanks to Chris Morgret for testing this ISO image!

Package Updates

This release also includes the following updated packages:

pinguybuilder - 20180514-1ubuntu1securityonion25

These packages resolve the following issues:

pinguybuilder: increment version to 16.04.7.2 #1805
https://github.com/Security-Onion-Solutions/security-onion/issues/1805

Issues Resolved

For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/14

Release Notes

For more information about this release, please see:
https://docs.securityonion.net/en/16.04/release-notes.html

Installation Guide

We've updated the Installation guide to reflect the download locations for the new Security Onion 16.04 ISO image:
https://docs.securityonion.net/en/16.04/download.html

Existing Deployments

If you have existing Security Onion 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://docs.securityonion.net/en/16.04/upgrade.html

Documentation

You can find our documentation for Security Onion 16.04 here:
https://docs.securityonion.net/en/16.04/

Support

Need support for Security Onion 16.04?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Training

Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:
https://securityonionsolutions.com/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Thanks! 

Tuesday, December 22, 2020

Security Onion 2.3.21 now available!

We recently released Security Onion 2.3:

https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.21, which resolves a few issues:

https://docs.securityonion.net/en/2.3/release-notes.html#changes

Documentation

We've started migrating our documentation to 2.3:

https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

Please review the Known Issues list:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to perform a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:

https://blog.securityonion.net/2020/12/4-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training, including our new Developing Your Detection Playbook class!

http://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

Security Onion 2.3.21 ISO Boot Menu


ISO Installer

ISO Install Complete

Welcome to Setup

Choose the Setup type

Choose Standard or Airgap

Set hostname

Select management NIC

Configure management NIC

Configure networking

Configure networking

Configure networking

Configure networking

Configure networking

Initialize networking

Configure HOME_NET

Create user account

Set password

Confirm password

Choose how you want to access the web interface

Optionally run so-allow

Specify IP address or range to allow through firewall

Confirm options

Setup complete

After rebooting and logging in, optionally run so-analyst-install

so-analyst-install complete

Enter username to login to GNOME

Enter password to login to GNOME

GNOME Desktop

Analyst Workstation includes Chromium, NetworkMiner, Wireshark, and many other analyst tools

Login to Security Onion Console (SOC)

SOC Overview Page

Use so-import-pcap to import one or more pcap files

Use the hyperlink provided by so-import-pcap to view all alerts and logs

SOC's right-click menu has been updated and now includes a new Correlate option to find related logs

Correlate found several related logs

PCAP overview

Download the pcap and open directly in NetworkMiner for file extraction

PCAP transcript

All this in a minimal VM with only 4GB RAM!



Monday, December 21, 2020

Developing Your Detection Playbook with Security Onion 2 - On-Demand Training

This course is geared for those wanting to understand how to build a Detection Playbook with Security Onion 2. Students will gain both a theoretical and practical understanding of building detections in Security Onion, reinforced with real-life examples from network and host datasources.

Code ONION2021 is good for $50 off through March 1.

For more information and to register, please see:

https://onlinetraining.securityonionsolutions.com/courses/enrolled/1221556

Thursday, December 17, 2020

securityonion-web-page - 20141015-0ubuntu0securityonion110 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 4 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/12/4-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following update is now available for Security Onion 16.04!

securityonion-web-page - 20141015-0ubuntu0securityonion110

This update resolves the following issue:

Update docs and cheat sheet for 16.04.7.2 #1806
https://github.com/Security-Onion-Solutions/security-onion/issues/1806

Thanks

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:

https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:

https://docs.securityonion.net/en/16.04/support.html

Thanks!


Wednesday, December 16, 2020

4 month EOL notice for Security Onion 16.04

On 10/16/2020, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. We will not provide any support for Security Onion 16.04 after April 16, 2021.  Please plan to upgrade or replace any existing 16.04 systems before then. If you have existing installations of Security Onion 16.04, you can upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html


Tuesday, December 15, 2020

securityonion-setup - 20120912-0ubuntu0securityonion330 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following update is now available for Security Onion 16.04!

securityonion-setup - 20120912-0ubuntu0securityonion330

This update resolves the following issue:

sosetup-network: Empty hostname set when running automated installs #1783
https://github.com/Security-Onion-Solutions/security-onion/issues/1783

Thanks

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Snort 2.9.17.0 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following update is now available for Security Onion 16.04!

securityonion-snort - 2.9.17.0-1ubuntu1securityonion1

This update resolves the following issues:

Snort 2.9.17.0 #1802
https://github.com/Security-Onion-Solutions/security-onion/issues/1802

Thanks

Thanks to the Snort team for Snort 2.9.17.0!

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Monday, December 14, 2020

Suricata 5.0.5 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following update is now available for Security Onion 16.04!

securityonion-suricata - 5.0.5-1ubuntu1securityonion2

This update resolves the following issues:

Suricata 5.0.5 #1651
https://github.com/Security-Onion-Solutions/security-onion/issues/1651

Thanks

Thanks to the Suricata team for Suricata 5.0.5!

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Solarwinds Supply Chain Attack

FireEye released a great blog post about the SolarWinds supply chain attack:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

They also published some countermeasures:
https://github.com/fireeye/sunburst_countermeasures

The countermeasures include NIDS rules, network based indicators, file hashes, and yara rules. Each of these are broken out into separate sections below. Each of the sections includes a very quick high-level overview for how you might use those indicators in your Security Onion 16.04 or Security Onion 2.3 deployment.

NIDS Rules

https://github.com/fireeye/sunburst_countermeasures/blob/main/all-snort.rules

This file contains NIDS rules. If you are currently running the Emerging Threats (ET) ruleset, it should be noted that it's possible that these NIDS rules will be merged into the ET ruleset soon. You might want to go ahead and add them manually for immediate coverage. If and when they are added to ET, you may then want to remove your local additions.

UPDATE 2020-12-14 2:38 PM Eastern
The ET ruleset now includes these rules, so ET ruleset users should get these automatically as part of their normal daily download:
http://lists.emergingthreats.net/pipermail/emerging-updates/2020-December/004981.html

Security Onion 16.04

Security Onion 2.3

Network Based Indicators

https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv

This file contains domain names and IP addresses.

Security Onion 16.04

Security Onion 2.3

File Hashes

https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv

This file contains file hashes. 

Security Onion 16.04

Security Onion 2.3

Yara Rules


This file contains yara rules.

Security Onion 2.3

  • These yara rules have already been added to Florian Roth's signature-base Github repo as apt_solarwinds_sunburst.yar, so assuming your Security Onion 2.3 deployment has Internet access, it should have already downloaded apt_solarwinds_sunburst.yar as part of the normal daily download. 
  • Going forward, Strelka should scan any newly extracted files using these yara rules. 
  • You might want to retroactively scan previously extracted files by copying them to /nsm/strelka/ on a sensor.

Friday, December 11, 2020

Security Onion 2 and the Future of CentOS

Security Onion 2 currently supports both Ubuntu 18.04 and CentOS 7. The CentOS project recently made an announcement about their shift from CentOS Linux to CentOS Stream:
https://blog.centos.org/2020/12/future-is-centos-stream/

While the article talks about major changes for CentOS 8, it's important to note that CentOS 7 will continue to be supported. From the article:

Meanwhile, we understand many of you are deeply invested in CentOS Linux 7, and we’ll continue to produce that version through the remainder of the RHEL 7 life cycle.

Security Onion 2 will continue to support both CentOS 7 and Ubuntu 18.04 for the time being. We are monitoring this situation closely and when it comes time to migrate off of CentOS 7, we'll consider our options at that time including the new Rocky Linux:
https://rockylinux.org


Thursday, December 10, 2020

securityonion-sostat - 20120722-0ubuntu0securityonion148 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following update is now available for Security Onion 16.04!

securityonion-sostat - 20120722-0ubuntu0securityonion148

This update resolves the following issues:

soup: add EOL reminder #1803
https://github.com/Security-Onion-Solutions/security-onion/issues/1803

soup: work around Docker change #1804
https://github.com/Security-Onion-Solutions/security-onion/issues/1804

Thanks

Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Tuesday, December 1, 2020

Security Onion 2 Fundamentals for Analysts & Admins - Virtual Training - February 2021

Learn how to architect, manage, deploy, and effectively use Security Onion 2 in this 4-day course delivered virtually, February 2-5, 2021.

Use code earlybird by December 15 for 10% off!

For more information and to register, please see:
https://securityonionsolutions.com/training

Monday, November 30, 2020

Elastic Stack 7.9.3 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following updates are now available for Security Onion 16.04!

  • Elastic 7.9.3 Docker images
  • securityonion-capme - 20121213-0ubuntu0securityonion80
  • securityonion-elastic - 20190510-1ubuntu1securityonion124
  • securityonion-setup - 20120912-0ubuntu0securityonion329
  • securityonion-sostat - 20120722-0ubuntu0securityonion146
  • securityonion-web-page - 20141015-0ubuntu0securityonion109

These updates should resolve the following issues:

Elastic 7.9.3 #1782
https://github.com/Security-Onion-Solutions/security-onion/issues/1782

so-elastic-features - improve soup call #1789
https://github.com/Security-Onion-Solutions/security-onion/issues/1789

securityonion-elastic: Migrate indices.* settings for elasticsearch.yml #1786
https://github.com/Security-Onion-Solutions/security-onion/issues/1786

securityonion-elastic: update links to documentation #1801
https://github.com/Security-Onion-Solutions/security-onion/issues/1801

securityonion-sostat: update links to documentation #1794
https://github.com/Security-Onion-Solutions/security-onion/issues/1794

securityonion-web-page: update links to documentation #1799
https://github.com/Security-Onion-Solutions/security-onion/issues/1799

Setup: do not write interfaces if we lack valid contents #1784
https://github.com/Security-Onion-Solutions/security-onion/issues/1784

securityonion-setup: update links to documentation #1800
https://github.com/Security-Onion-Solutions/security-onion/issues/1800

Known Issues

If you get errors in logstash.log like:

 "reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"}}}}}

then you may have an old Logstash template and may need to do the following on any node that is running Logstash:

          sudo so-logstash-stop   

curl -XDELETE localhost:9200/_template/logstash 

curl -XDELETE localhost:9200/_template/logstash-*

sudo so-logstash-start

For more information, please see:
https://groups.google.com/g/security-onion/c/6p6Jkr91-kM 

If that doesn't resolve the issue, you may have custom templates in /etc/logstash/custom/ that need to be updated. You’ll need to copy from source and modify as needed.

Thanks

  • Thanks to the Elastic team for Elastic 7.9.3!
  • Thanks to Pete Nelson for submitting fixes for both so-elastic-features and sosetup-network!
  • Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support?  Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!


Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration

Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration:

https://github.com/Security-Onion-Solutions/securityonion/security/advisories/GHSA-h5v3-qxcr-8cfc


Thursday, November 19, 2020

Security Onion 2.3.10 now available!

We recently released Security Onion 2.3:


Today, we are releasing Security Onion 2.3.10, which resolves a few issues:


Documentation

We've started migrating our documentation to 2.3:


However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues


New Installations

If you want to do a new installation, please review the 2.3 documentation and then you can find instructions here:


Existing 2.x Installations

If you have an existing 2.3 GA installation, please see:


If you have an existing 2.x Release Candidate (RC1, RC2, or RC3) installation, please see the in-place upgrade notes here:


Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:

https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:


Questions or Problems

If you have questions or problems, please see our community support forum guidelines:


You can then find the community support forum at:


Screenshot

Security Onion 2.3.10 ISO Boot Menu

For a full screenshot tour, please see the Security Onion 2.3 blog post:


Monday, November 16, 2020

New Security Onion 2 Training Available: Security Onion 2 in Production!

Security Onion 2 in Production is now available! In this course, you will learn more about architecting, operating and maintaining production Security Onion 2 distributed architectures.

From course author Josh Brower:

"Having spent a number of years myself in IT Infrastructure & Operations, I know the amount of effort it takes to architect, install, configure, and maintain technology stacks - which is why I think this course is really important – I think it will make your Security Onion deployment and long term maintenance of your grid smoother and much more straightforward."

For a limited time only, use the following Coupon Code for $50 off!

ONION2020

For more details and to register, please see:

https://onlinetraining.securityonionsolutions.com/p/security-onion-in-production

5 month EOL notice for Security Onion 16.04

On 10/16/2020, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. We will not provide any support for Security Onion 16.04 after April 16, 2021.  Please plan to upgrade or replace any existing 16.04 systems before then. If you have existing installations of Security Onion 16.04, you can upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html


Friday, October 30, 2020

Docker Hub Rate Limits Effective November 1, 2020

Introduction

Docker has announced rate limits for Docker pulls that go into effect November 1, 2020. We suspect that most Security Onion users will NOT notice this change. Additional details are below. We are monitoring this situation closely and will send out additional information as necessary.

Docker Hub Rate Limits

From https://www.docker.com/blog/docker-hub-image-retention-policy-delayed-and-subscription-updates/:

"Anonymous free users will be limited to 100 pulls per six hours, and authenticated free users will be limited to 200 pulls per six hours. Docker Pro and Team subscribers can pull container images from Docker Hub without restriction as long as the quantities are not excessive or abusive."

For more information, please see:

https://www.docker.com/increase-rate-limits

https://docs.docker.com/docker-hub/download-rate-limit/

https://www.docker.com/pricing/resource-consumption-updates

When does Security Onion do a Docker Pull?

During installation, Security Onion should only do a "docker pull" if performing a network installation (since ISO installations already have the Docker images).

After installation, Security Onion should only do a "docker pull" when you run soup and soup downloads updated Docker images.

The rest of this blog post will focus on soup updating Docker images.

Security Onion 16.04

Security Onion 16.04 installations include a total of 7 Docker images. If you run soup on an older version of Security Onion 16.04 and it pulls updated Docker images, then that would be 7 docker pulls. This wouldn't come anywhere near the rate limit of 100 pulls per six hours. However, if you have a distributed deployment with multiple nodes all behind a single NAT IP address, then it's possible to start approaching that rate limit. If you experience the rate limit, there are a couple of possible solutions. The first option is to authenticate to Docker to increase the rate limit. The second option is to upgrade to Security Onion 2 which should be less likely to hit the rate limit as we'll describe in the next section. Upgrading to Security Onion 2 is a good idea anyway since Security Onion 16.04 reaches End Of Life in April 2021.

Security Onion 2

Security Onion 2 distributes all components via Docker images. Depending on installation type, that could be upwards of 30 Docker images. If you run soup on an older version of Security Onion 2 and it pulls updated Docker images, then that could be up to 30 docker pulls. Even in the case of a distributed deployment with multiple nodes all behind a single NAT IP address, the default configuration is for the manager to update the Docker images for the entire deployment so it should only be 30 docker pulls for the entire deployment. Therefore, Security Onion 2 should be less likely to hit the rate limit than Security Onion 16.04.

Conclusion

We suspect that most Security Onion users will NOT notice this change. We are monitoring this situation closely and will send out additional information as necessary. If you have any questions or concerns, please reach out to the appropriate community support forum as described here:
https://blog.securityonion.net/2020/10/community-support-forum-changes-for.html

Thursday, October 29, 2020

Tuesday, October 27, 2020

Are You Seeing What I Am Netsyncing? Analyzing Netsync Activity with Security Onion 2

This blog post was written by Wes Lambert (@therealwlambert), with the assistance of Andrew Schwartz (@4ndr3w6S). Additional thanks go to Doug Burks (@dougburks) and Phil Plantamura (@philplantamura) for their invaluable feedback and review.

Continuing on the excellent work done by Andrew and the TrustedSec team (The Tale Of The Lost, But Not Forgotten, Undocumented Netsync: Part 2) this post is a network-based analysis of the Netsync attack via Mimikatz. Keep in mind, this analysis does not include that of host-based technologies, or the data captured/generated by them, although said data could provide even greater context and investigational capability when utilized with Security Onion.

To read the full article, please see:



Monday, October 26, 2020

Security Onion 2.3.2 now available!

We recently released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.2, which resolves a few issues:
https://docs.securityonion.net/en/2.3/release-notes.html#changes

Documentation

We've started migrating our documentation to 2.3:
https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to do a new installation, please review the 2.3 documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.3/download.html

Existing 2.x Installations

If you have an existing 2.3 GA installation, please see:
https://docs.securityonion.net/en/2.3/soup.html

If you have an existing 2.x Release Candidate (RC1, RC2, or RC3) installation, please see the in-place upgrade notes here:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:
https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:
https://securityonion.net/discuss

Screenshot

Security Onion 2.3.2 ISO Boot Menu

For a full screenshot tour, please see the Security Onion 2.3 blog post:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Thursday, October 22, 2020

Security Onion 2.3.1 now available!

We recently released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.1, which resolves a few issues:
https://docs.securityonion.net/en/2.3/release-notes.html#changes

Documentation

We've started migrating our documentation to 2.3:
https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to do a new installation, please review the 2.3 documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.3/download.html

Existing 2.x Installations

If you have an existing 2.3 GA installation, please see:
https://docs.securityonion.net/en/2.3/soup.html

If you have an existing 2.x Release Candidate (RC1, RC2, or RC3) installation, please see the in-place upgrade notes here:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:
https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:
https://securityonion.net/discuss

Screenshot

Security Onion 2.3.1 ISO Boot Menu

For a full screenshot tour, please see the Security Onion 2.3 blog post:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Wednesday, October 21, 2020

6 month EOL notice for Security Onion 16.04

Last Friday, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. We will not provide any support for Security Onion 16.04 after April 16, 2021.  Please plan to upgrade or replace any existing 16.04 systems before then. If you have existing installations of Security Onion 16.04, you can upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html


Monday, October 19, 2020

Community Support Forum changes for Security Onion

Last Friday, we released Security Onion 2!
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

With that release comes some exciting new changes for our community support forums!

Effective immediately:

Please keep in mind that all community support is considered best effort. If you need private or priority support, please consider purchasing support from Security Onion Solutions:
https://securityonionsolutions.com/support/

Thanks!


Friday, October 16, 2020

Security Onion 2 Has Reached General Availability (GA)!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

After 4 Technology Preview releases, 4 Alpha releases, and 3 Beta releases, we dropped the Hybrid Hunter code name and announced 2.0 (RC1), 2.1 (RC2), and 2.2 (RC3). This has been our most ambitious project to date, taking over 34 months and resulting in a whopping 5,034 git commits. Today, we are proud to announce that Security Onion 2.3 has reached General Availability (GA)! 

Changes from Security Onion 16.04

Here are some of the major differences of the new Security Onion 2.3 compared to Security Onion 16.04:

  • Features a new web interface called Security Onion Console (SOC) that includes native alert management, threat hunting, and pcap retrieval
  • Adds TheHive, Strelka, support for Sigma rules, Grafana/InfluxDB (independent health monitoring/alerting), Fleet (osquery management), and Playbook (detection playbook tool).
  • Moves from Ubuntu packages to containers
  • Supports both CentOS 7 and Ubuntu 18.04
  • Changes pcap collection tool from netsniff-ng to Google Stenographer
  • Upgrade to Elastic Stack 7.x and support the Elastic Common Schema (ECS)
  • Completely replaces unsigned kernel module PF_RING with AF_PACKET
  • Suricata completely replaces Snort. (We may elect to add Snort back after Snort 3.0 is officially released.)
  • Removes Sguil, Squert, capME, and PHP
  • Storage Nodes are now known as Search Nodes
  • The first node in a distributed deployment is now called a Manager

Changes from Security Onion 2.2 RC3

If you tried out Security Onion 2.2 RC3, you will notice some changes in this release.

This release features a brand new web interface for alerts. This includes NIDS alerts from Suricata, HIDS alerts from Wazuh, Playbook alerts, and YARA matches from Strelka. This interface is specifically designed to help you triage alerts as quickly as possible. Slice and dice your alerts with multiple views and then pivot to full packet capture or our Hunt interface to investigate IP addresses or other items of interest. Once you've made a determination about an alert, you can either acknowledge it or escalate it to TheHive to create a case.

Next, we've continued to iterate on Hunt, improving its default queries and default pivot actions. Hunt now supports more customization as well.

Finally, we've continued to improve support for airgap deployments. Airgap deployments now include a local copy of the documentation. Also, airgap deployments now support updates using the latest ISO image.

Documentation

We've started migrating our documentation to 2.3:

https://docs.securityonion.net/en/2.3/

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then.

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Existing Installations

If you have an existing 2.x (RC1, RC2, or RC3) installation, please see the in-place upgrade notes here:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

New Installations

If you want to do a new installation, please review the 2.3 documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Questions or Problems

If you have questions or problems, please see our new community support forum:

https://docs.securityonion.net/en/2.3/community-support.html

Known Issues

https://docs.securityonion.net/en/2.3/release-notes.html#known-issues

Changes from Previous Releases

https://docs.securityonion.net/en/2.3/release-notes.html#changes

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • Bryant Treacle
  • William Wernert

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

ISO Boot Menu

ISO Installer

ISO Install Complete

Welcome to Setup

Choose the Setup type
Set hostname


Select management NIC

Configure management NIC

Configure networking

Configure networking

Configure networking

Configure networking

Configure networking

Configure HOME_NET

Create user account

Set password

Confirm password

Choose how you want to access the web interface

Optionally run so-allow

Specify IP address or range to allow through firewall

Confirm options

Setup complete

Optionally enable Analyst Workstation with so-analyst-install

Enter username to login to GNOME

Enter password to login to GNOME

GNOME Desktop

Analyst Workstation includes Chromium, NetworkMiner, and Wireshark

Login to Security Onion Console (SOC)

SOC Overview page

Use so-import-pcap to import one or more pcap files

Use the hyperlink provided by so-import-pcap to review all alerts and logs

New Alerts interface

Use the Quick Action Bar to pivot to the PCAP page for full packet capture

PCAP Overview

PCAP transcript

Download the pcap and open in NetworkMiner for file extraction

All this in a minimal VM with only 4GB RAM!