Tuesday, October 1, 2024

Did you know Security Onion appliances are the best way to run Security Onion?

As we continue our DidYouKnowSO series, did you know Security Onion appliances are the best way to run Security Onion?
In 2018, we announced Security Onion Solutions (SOS) appliances. Since that time, we've shipped appliances to customers around the globe to help them peel back the layers of their enterprise and make their adversaries cry.

Why should you purchase hardware appliances from Security Onion Solutions? Here are the top 5 reasons!

  1. Eliminate the guesswork of buying the right hardware
    You can run Security Onion on your own hardware, but you'll have to determine the answers to the following questions:
      • How many CPU cores?
      • How much RAM?
      • What kind of storage?
      • How much storage?
      • What kind of NIC?

    Security Onion Solutions hardware is configured and built for specific roles and workloads. We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization.



  2. Save time for you and your server team
    If you run Security Onion on your own hardware, you may first need to configure your storage correctly, and then you'll have to install Security Onion manually.

    Security Onion Solutions appliances come with storage pre-configured and the Security Onion platform pre-loaded so that you can focus on your real job of monitoring and defending your enterprise.

  3. Enhanced integration
    Security Onion's SOC interface provides appliance-specific information directly in the user interface. Use this information to monitor the appliance's health in real time. You can also view the appliance's front and rear panels, which is useful when walking through connectivity discussions with personnel in the data center. Only official Security Onion Solutions appliances are supported with this integration.

  4. Get FULL support from ONE vendor
    If you experience problems, it can be challenging to determine whether the cause is hardware or software, especially when hardware support comes from one vendor and software support from another.

    Security Onion Solutions supports both the hardware and software components of our branded appliances. Security Onion software support includes configuration, deployment, tuning, and break/fix support delivered remotely via email, phone, or video conference. Hardware support includes defective media retention (you keep and destroy bad hard drives) with next business day shipping on parts within the continental United States. On-site technicians can be coordinated for complex part repairs. We can quote 1-5 years of support, with higher discounts for longer support terms.

  5. BY defenders FOR defenders
    The Security Onion software platform is developed by defenders for defenders and our hardware appliances are no exception. We've designed the appliances that we would want to use in the trenches and we support you as fellow defenders.

Bonus reason - Support development of the free and open platform!

Security Onion has been a free and open platform since 2008. We've invested many years of development into making Security Onion even better at helping you peel back the layers of your enterprise and making your adversaries cry. If you purchase appliances from us, you are helping to cover the cost of developing and maintaining the Security Onion platform, now and in the future.

Don't delay, reserve your SOS appliances today!


https://securityonionsolutions.com/hardware


Sunday, September 29, 2024

Security Onion Conference cancelled due to Hurricane Helene damage

This is an update to yesterday's announcement:

https://blog.securityonion.net/2024/09/security-onion-training-class-starting.html


Due to the devastation by Hurricane Helene in Augusta GA, we have no choice but to cancel ALL Augusta Cyber Week activities including:

  • 4-day Security Onion training class that was scheduled for Monday September 30
  • Security Onion Conference that was scheduled for Friday October 4
  • BSidesAugusta that was scheduled for Saturday October 5
  • all other related activities this week


It is unclear at this time if we will reschedule these events for a later date. We hope to provide more information soon.


Saturday, September 28, 2024

Security Onion Training Class starting on 9/30 is cancelled due to Hurricane Helene damage

Augusta GA has been hit hard by Hurricane Helene and power is out in most areas around the city. Unfortunately, we will have to cancel this week's Security Onion class that starts on Monday 9/30. 


No decisions have been made yet regarding the Security Onion Conference on Friday 10/4, BSidesAugusta on Saturday 10/5, or other training classes this week. We hope to provide more updates soon.


Wednesday, September 25, 2024

Did you know Security Onion includes our own custom web interfaces for Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Administration?

Yesterday, we talked about how Security Onion is built BY defenders FOR defenders:

https://blog.securityonion.net/2024/09/did-you-know-security-onion-is-built-by.html


As defenders, we built the platform that we've always wanted! This includes our own custom web interfaces for Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Administration. These interfaces are streamlined and integrated to make you more effective and efficient as a defender!


Screenshots in the original post show each interface in turn: Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Configuration.



Tuesday, September 24, 2024

Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) with FTP EXFIL PCAP from 2024-09-17

Thanks to Brad Duncan for sharing this pcap from 2024-09-17 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.100:

https://blog.securityonion.net/2024/08/security-onion-24100-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Screenshots


First, we start with the overview of all alerts and logs:


Next, we look at just the NIDS alerts generated by Suricata:


Let's drill into the Snake keylogger alert:


This looks interesting so let's pivot to PCAP:


We can switch to ASCII transcript to make it more readable:


Now let's review the protocol metadata provided by Zeek:


We start with the Software dashboard where we see an interesting browser user agent string:


Next, let's review the X.509 dashboard:


and the associated SSL/TLS dashboard:


Next, we'll look at the DNS dashboard:


Looking at the HTTP dashboard, we see the interesting browser user agent we saw earlier on the Software dashboard:


Looking at the Files dashboard, we can see files being transferred by both HTTP and FTP:


Let's review the FTP dashboard. Here we see a couple of files being transferred:


At the bottom of the FTP dashboard, we can see the 2 FTP STOR transactions where files are being exfiltrated:


If we pivot to PCAP, we can see the FTP CONTROL channel:


To see the FTP DATA channel, we can switch to the Connections dashboard:


Pivoting to PCAP, we see one of the exfil files contains the user's browser cookies:


And the second exfil file contains the user's saved passwords:



Monday, September 23, 2024

Did you know Security Onion is built BY defenders FOR defenders?


In 2008, Doug Burks started the Security Onion project to help his fellow defenders. He is former Deputy CSO of Mandiant, former CISO of Morris Communications, and has been doing detection and response since the early 2000s for Department of Defense, Department of Energy, and several private companies in various industries. In 2010, he became SANS GSE #24:

https://blog.securityonion.net/2010/10/congratulations-to-latest-sans-gses.html

https://www.giac.org/certified-professional/Doug-Burks/117421


Today, our engineering team has several collective decades of defensive experience and we use that experience to build the platform that we always wanted as defenders. In addition, our instructors use their experience as defenders when teaching our classes and our support team uses their experience as defenders when supporting our customers.


From all our defenders to all of you defenders out there, thanks for what you do and happy hunting!
10% Discount for Security Onion Pro for a Limited Time Only!

We recently celebrated the 10th birthday of Security Onion Solutions by announcing Security Onion Pro!

https://blog.securityonion.net/2024/07/celebrating-10-years-of-security-onion.html


As we continue to celebrate our 10th birthday, we'd like to offer you a special gift! 


Here's a 10% discount code for new purchases of Security Onion Pro:

SOPRO-20240923


Please note:

  • This discount is for new purchases of Security Onion Pro only.
  • This discount is only valid through November 15, 2024.
  • This discount is not valid with any other discount or offer.


For more information about how you can take your game to the next level with Security Onion Pro, please see https://securityonion.com/pro.


For more details and to reach out to our Sales team, please go to https://securityonion.com/pro, click the Purchase Pro button, and make sure you mention the discount code above!


Friday, September 20, 2024

Did you know Security Onion scales from small virtual machines all the way up to large enterprise deployments of hundreds of nodes and thousands of endpoint agents?

A minimal Security Onion installation is an IMPORT installation and can be used to import PCAP or EVTX files in a minimal VM with as little as 4GB RAM:



On the opposite end of the architecture spectrum, a distributed deployment consists of:
  • a manager node
  • one or more forward nodes running Suricata and Zeek to analyze network traffic and generate NIDS alerts and protocol metadata logs
  • one or more search nodes running Elasticsearch to store and search logs
  • optional receiver nodes for load balancing and pipeline redundancy
  • optional Intrusion Detection Honeypot (IDH) nodes for deception


This is a scalable model and can support hundreds of nodes and thousands of endpoints running the Elastic Agent.

For more information, please see the Architecture section of our documentation:


Thursday, September 19, 2024

Did you know Security Onion works on both Internet-connected and airgap networks?

Did you know Security Onion works on both Internet-connected and airgap networks? Our ISO image includes everything you need to run without Internet access. Make sure that you choose the Airgap option during Setup:


If your network has Internet access but has overly restrictive proxies, firewalls, or other network devices that might prevent Security Onion from connecting to certain Internet sites, then you may want to consider the Airgap option as everything will install from the ISO image itself.


For more information, please see the Airgap section of our documentation:

https://docs.securityonion.net/en/2.4/airgap.html


Wednesday, September 18, 2024

Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) INFECTION, SMTP EXFIL pcap from 2024-09-16

Thanks to Brad Duncan for sharing this pcap from 2024-09-16 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.100:

https://blog.securityonion.net/2024/08/security-onion-24100-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis




Screenshots


First, we start with the overview of all alerts and logs:


Next, let's look at just the Alerts:


Let's drill into the Snake alert:


Now let's pivot to PCAP to see that entire TCP stream:


We can switch to ASCII transcript to make it a little more readable:


Now let's review the protocol metadata:


We'll start with X.509 certificates:


Next, we look at the related SSL/TLS connections:


Here are the DNS lookups:


Next, we can look at all of the connections:


Here are the HTTP transactions related to the Snake alert we saw in the beginning:


Finally, let's review SMTP transactions:


Pivoting to PCAP, we can see usernames and passwords being exfiltrated via SMTP:


In the second PCAP, we can see session cookies being exfiltrated via SMTP:
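Both Snake Keylogger posts on this page end at the same place: Zeek metadata shows the exfiltration (FTP STOR transactions in the 2024-09-17 post, where the data channel is found on the Connections dashboard; direct SMTP submissions in this 2024-09-16 post), and a PCAP pivot confirms the stolen cookies and passwords. The Python below turns those two hunts into repeatable checks over Zeek logs. It is an added example, not Security Onion code or anything from the original posts. It assumes Zeek emits JSON, one record per line, with the standard ftp.log, conn.log and smtp.log field names (nested fields flattened with a dot, as in "id.orig_h"); every log line in it is constructed for the example, the internal range and relay list passed to find_direct_smtp are hypothetical parameters, and the function names are the example's own.

```python
"""Hunting FTP and SMTP exfiltration in Zeek logs.

Added example, not Security Onion code. Assumes Zeek writes its logs as JSON,
one record per line, with the standard ftp.log, conn.log and smtp.log field
names (nested fields flattened with ".", e.g. "id.orig_h"). All log lines
below are constructed for this example and describe no real host.
"""
import ipaddress
import json

# Constructed ftp.log lines: a login, two STOR uploads, then a RETR download.
FTP_LOG = """
{"ts":1726574000.1,"uid":"CftpA1","id.orig_h":"10.9.17.101","id.orig_p":49811,"id.resp_h":"203.0.113.50","id.resp_p":21,"user":"exfil","password":"<hidden>","command":"USER","arg":"exfil","reply_code":331,"reply_msg":"Password required"}
{"ts":1726574001.4,"uid":"CftpA1","id.orig_h":"10.9.17.101","id.orig_p":49811,"id.resp_h":"203.0.113.50","id.resp_p":21,"user":"exfil","password":"<hidden>","command":"STOR","arg":"ftp://203.0.113.50/Cookies_Victim-PC.txt","file_size":18420,"reply_code":226,"reply_msg":"Transfer complete","data_channel.passive":true,"data_channel.orig_h":"10.9.17.101","data_channel.resp_h":"203.0.113.50","data_channel.resp_p":50211,"fuid":"FcookA1"}
{"ts":1726574003.9,"uid":"CftpA1","id.orig_h":"10.9.17.101","id.orig_p":49811,"id.resp_h":"203.0.113.50","id.resp_p":21,"user":"exfil","password":"<hidden>","command":"STOR","arg":"ftp://203.0.113.50/Passwords_Victim-PC.txt","file_size":2210,"reply_code":226,"reply_msg":"Transfer complete","data_channel.passive":true,"data_channel.orig_h":"10.9.17.101","data_channel.resp_h":"203.0.113.50","data_channel.resp_p":50212,"fuid":"FpassA1"}
{"ts":1726574010.0,"uid":"CftpB2","id.orig_h":"10.9.17.101","id.orig_p":49900,"id.resp_h":"203.0.113.50","id.resp_p":21,"user":"exfil","password":"<hidden>","command":"RETR","arg":"ftp://203.0.113.50/update.bin","reply_code":226,"reply_msg":"Transfer complete"}
"""

# Constructed conn.log lines (only the fields this example uses): the control
# channel plus the two passive-mode data channels that carried the uploads.
CONN_LOG = """
{"ts":1726574000.0,"uid":"CconnC1","id.orig_h":"10.9.17.101","id.orig_p":49811,"id.resp_h":"203.0.113.50","id.resp_p":21,"proto":"tcp","service":"ftp","conn_state":"SF","orig_bytes":412,"resp_bytes":380}
{"ts":1726574001.5,"uid":"CconnD1","id.orig_h":"10.9.17.101","id.orig_p":49812,"id.resp_h":"203.0.113.50","id.resp_p":50211,"proto":"tcp","service":"ftp-data","conn_state":"SF","orig_bytes":18420,"resp_bytes":0}
{"ts":1726574004.0,"uid":"CconnD2","id.orig_h":"10.9.17.101","id.orig_p":49813,"id.resp_h":"203.0.113.50","id.resp_p":50212,"proto":"tcp","service":"ftp-data","conn_state":"SF","orig_bytes":2210,"resp_bytes":0}
"""

# Constructed smtp.log lines: a workstation mailing straight to an outside
# server in the clear, and a legitimate submission through the corporate relay.
SMTP_LOG = """
{"ts":1726488000.2,"uid":"CsmtpA1","id.orig_h":"10.9.17.101","id.orig_p":50100,"id.resp_h":"198.51.100.25","id.resp_p":587,"trans_depth":1,"helo":"Victim-PC","mailfrom":"logs@example.invalid","rcptto":["drop@example.invalid"],"subject":"Passwords report from Victim-PC","tls":false}
{"ts":1726488100.7,"uid":"CsmtpB2","id.orig_h":"10.9.17.20","id.orig_p":44123,"id.resp_h":"192.0.2.25","id.resp_p":25,"trans_depth":1,"helo":"ws20.corp.example","mailfrom":"alice@corp.example","rcptto":["bob@partner.example"],"subject":"Q3 report","tls":true}
"""

# Substrings in a file name or mail subject that suggest stolen credential material.
SENSITIVE = ("cookie", "password", "passw", "credential", "wallet", "keylog")


def load(log_text):
    """Parse JSON-lines Zeek output, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_ftp_uploads(ftp_records, conn_records):
    """One finding per upload command, joined to the conn.log record of its data channel.

    ftp.log only sees the control channel; it records where the data channel
    will be (the data_channel.* fields) and conn.log sees the actual transfer.
    In passive mode the client originates the data connection, so the upload
    size is orig_bytes; in active mode the server connects back to the client,
    so the upload size is resp_bytes.
    """
    by_tuple = {(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"]): c for c in conn_records}
    findings = []
    for r in ftp_records:
        if r.get("command") not in ("STOR", "STOU", "APPE"):
            continue
        filename = r.get("arg", "").rsplit("/", 1)[-1]  # arg is an ftp:// URL for file commands
        data = by_tuple.get((r.get("data_channel.orig_h"),
                             r.get("data_channel.resp_h"),
                             r.get("data_channel.resp_p")))
        if data is None:
            bytes_out = None  # data channel not captured; fall back to the PCAP pivot
        elif data["id.orig_h"] == r["id.orig_h"]:
            bytes_out = data["orig_bytes"]
        else:
            bytes_out = data["resp_bytes"]
        findings.append({
            "uid": r["uid"], "client": r["id.orig_h"], "server": r["id.resp_h"],
            "user": r.get("user"), "filename": filename,
            "bytes_out": bytes_out, "data_uid": data["uid"] if data else None,
            "sensitive": any(s in filename.lower() for s in SENSITIVE),
        })
    return findings


def find_direct_smtp(smtp_records, internal_net, relays):
    """Flag mail that internal hosts submit straight to servers other than the sanctioned relays."""
    net = ipaddress.ip_network(internal_net)
    findings = []
    for r in smtp_records:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if ipaddress.ip_address(src) not in net or dst in relays:
            continue
        subject = r.get("subject") or ""  # empty once STARTTLS hides the headers
        findings.append({
            "uid": r["uid"], "client": src, "server": dst, "port": r["id.resp_p"],
            "helo": r.get("helo"), "mailfrom": r.get("mailfrom"), "rcptto": r.get("rcptto"),
            "subject": subject,
            "sensitive": any(s in subject.lower() for s in SENSITIVE),
            "cleartext": not r.get("tls", False),  # content was visible on the wire
        })
    return findings


if __name__ == "__main__":
    for f in find_ftp_uploads(load(FTP_LOG), load(CONN_LOG)):
        print("FTP upload:", f)
    for f in find_direct_smtp(load(SMTP_LOG), "10.0.0.0/8", {"192.0.2.25"}):
        print("Direct SMTP:", f)
```

The join key deliberately uses the data_channel orientation rather than assuming the client always originates, so active-mode transfers (server connecting back to the client) are attributed correctly. The SMTP check treats a host bypassing the relay as the signal and the subject keyword only as a priority hint, since a session that negotiates STARTTLS leaves subject, sender and recipient empty in smtp.log and the keyword test alone would miss it.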



