Wednesday, June 29, 2011

Security Onion 20110628 now available

Security Onion 20110628 is now available!  This release fixes two minor issues with the OSSEC Sguil agent.

Existing Security Onion users can perform an in-place upgrade to version 20110628 using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ).  Note that the command fetches the upgrade script over plain HTTP and runs it as root; if you would rather inspect it first, download it, read it, and then run it with sudo bash:

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Wednesday, June 22, 2011

Security Onion and UTC

Sguil stores and displays all timestamps in UTC.  It does this for a few reasons:
  1. UTC has no daylight saving transitions, so timestamps never jump forward or repeat when local time changes from standard time to daylight saving time and vice versa.
  2. UTC gives every sensor the same clock, which allows events to be correlated across sensors in different time zones.
Because Sguil uses UTC, it is recommended to set your Security Onion timezone to UTC as well.  Here's how:
echo "Etc/UTC" | sudo tee /etc/timezone
sudo dpkg-reconfigure --frontend noninteractive tzdata
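The following Python script is an added example, not code from the Security Onion project, that demonstrates the two reasons above on a constructed set of sensor events.  Each event carries a local wall-clock time plus its UTC offset; the two sensor-nyc entries both read 01:30 because the clock is set back an hour on 2011-11-06, and the sensor names, timestamps and offsets are all made up for the illustration.  Normalising to UTC separates the two 01:30 events by their true one-hour gap and puts events from three time zones in the order they actually happened, which sorting the raw local strings does not.

```python
"""Normalise sensor timestamps to UTC and order them for correlation."""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the page). Each sensor records local
# wall-clock time plus its UTC offset. The two sensor-nyc entries show the
# DST timewarp: when US Eastern falls back on 2011-11-06, the wall clock
# reads 01:30 twice, once at UTC-4 (EDT) and again an hour later at UTC-5 (EST).
SAMPLE_EVENTS = [
    ("sensor-nyc",    "2011-11-06T01:30:00-04:00"),
    ("sensor-nyc",    "2011-11-06T01:30:00-05:00"),
    ("sensor-london", "2011-11-06T05:45:00+00:00"),
    ("sensor-tokyo",  "2011-11-06T14:40:00+09:00"),
]


def to_utc(stamp):
    """Parse an ISO 8601 timestamp and return an aware datetime in UTC.

    A timestamp without a UTC offset is rejected: during the fall-back hour
    the same local wall-clock value names two different instants, so it
    cannot be converted unambiguously.
    """
    dt = datetime.fromisoformat(stamp)
    if dt.utcoffset() is None:
        raise ValueError(
            f"{stamp!r} has no UTC offset; local time is ambiguous across DST changes"
        )
    return dt.astimezone(timezone.utc)


def sguil_time(dt):
    """Format an aware datetime the way Sguil shows times: UTC, 'YYYY-MM-DD HH:MM:SS'."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def wall_clock_order(events):
    """Order events by their local wall-clock strings alone (offset ignored).

    This is what an analyst gets when sensors in different zones log local
    time and the raw strings are sorted: the order is wrong and the two
    sensor-nyc events cannot be told apart.
    """
    return [name for name, stamp in sorted(events, key=lambda e: e[1][:19])]


def utc_order(events):
    """Order events by the instant they happened, after converting to UTC."""
    ordered = sorted(events, key=lambda e: to_utc(e[1]))
    return [(name, sguil_time(to_utc(stamp))) for name, stamp in ordered]


def timewarp_gap(events, sensor):
    """Return the real elapsed time between the first two events of one sensor.

    For sensor-nyc this is one hour even though both records say 01:30,
    which is the DST timewarp that keeping everything in UTC avoids.
    """
    stamps = [to_utc(s) for n, s in events if n == sensor]
    return stamps[1] - stamps[0]


if __name__ == "__main__":
    print("raw wall-clock order:", wall_clock_order(SAMPLE_EVENTS))
    for name, when in utc_order(SAMPLE_EVENTS):
        print(f"{when}  {name}")
    print("sensor-nyc gap:", timewarp_gap(SAMPLE_EVENTS, "sensor-nyc"))
```

The rejection of offset-less timestamps in to_utc is deliberate: a sensor that writes bare local time cannot be corrected after the fact for the repeated hour, which is exactly why the box itself should run on UTC rather than relying on conversion later.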
For more information, please see:

Friday, June 17, 2011

Security Onion 20110614

Security Onion 20110614 is now available!  This upgrade fixes a few issues with downloading rules and adds some new menu entries to make rule editing a little easier.  For more information, please see Issue 111.


In-place Upgrade
Existing Security Onion users can perform an in-place upgrade to version 20110614 using the following commands:
wget http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh
sudo bash security-onion-upgrade.sh
Screenshots
New menu entries

Clicking "Disable Downloaded Rules" opens disablesid.conf in a text editor

Clicking "Rule update" will run PulledPork and restart Barnyard2/Snort

Monday, June 13, 2011

Security Onion 20110607 featuring Sguil 0.8, Squert 0.8.3, and more polish!

Update:  Looks like the Security Onion 20110607 files haven't fully replicated to all Sourceforge mirrors yet. If you're having trouble downloading, please try later today.


Update 2011/06/14 6:00 AM: Sourceforge is reporting that the Security Onion 20110607 files have replicated to at least 15 mirrors now.

Security Onion 20110607 is now available!  New features in this release are as follows:

  • Sguil 0.8 (now with more shininess and anti-aliased fonts!)
  • Squert 0.8.3 (now with user authentication!)
  • new tcl/tk packages (resolves a scaling issue when running in VMware and allows for the anti-aliased fonts mentioned above)
  • httpry
  • a new Setup script (adds support for Sguil 0.8 and Squert 0.8.3 and also provides more information once Setup completes)


New Users
New users can download the latest ISO image from here.  It should be noted that pentest tools have been removed from this ISO.  This includes metasploit, john, ophcrack, and steghide.  For more information, please see Issue 106.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade to version 20110607 using the following commands:
wget http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh
sudo bash security-onion-upgrade.sh
It will then upgrade your box to the latest tcl/tk, Sguil, Squert, and Setup script.  If you have an existing Sguil database, it will run the Sguil DB upgrade, which will ask:
Do you want to continue? y
Database password: Press Enter to accept the default of "null" (unless you've changed the MySQL root password)
DB schema needs to be updated: Press Enter to accept the default of "y"
Path to update...Press Enter to accept the default
Please test the upgrade on test machines before upgrading your production machines.

Screenshots

Upgrade process



Sguil login window

Squert login window

Saturday, June 4, 2011

Security Onion featured in SANS Student Project

Security Onion was featured in a SANS Student Project.  Russ McRee, Beth Binde, and Terrence O’Connor recently published Assessing Outbound Traffic to Uncover Advanced Persistent Threat.  Great paper!