Friday, September 23, 2011

Security Onion 20110922 now available!

Security Onion 20110922 is now available!  This update resolves Issue 126.  It also spawns instances of httpry and httpry_agent for each monitored interface.  Thanks go to Jason Bittel for his work on httpry and Paul Halliday for his work on httpry_agent!

Please note!
httpry is going to be logging all HTTP traffic on every monitored interface and httpry_agent is going to be inserting those HTTP logs into the MySQL database so they can be queried in Sguil and SQueRT.  This may increase the load on your sensors and/or MySQL server.
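The screenshots below show the analyst's use of these logs: search Sguil for an IP and read the "URL" events. As an added example (not part of Security Onion or httpry), the same pivot done directly on an httpry-format log file, which is what you fall back to when the sensor's raw log is the only copy. The log lines are constructed and the field order assumes httpry's default output format (tab-separated timestamp, source-ip, dest-ip, direction, method, host, request-uri, http-version, status-code, reason-phrase); the addresses and hosts are made up.

```shell
#!/bin/bash
# Added example (not part of Security Onion or httpry): pivot on one IP
# address in httpry-format logs, the same question the Sguil "URL" search in
# the screenshots answers from the database. The log lines are constructed,
# and the field order assumes httpry's default output format:
#   timestamp, source-ip, dest-ip, direction, method, host, request-uri,
#   http-version, status-code, reason-phrase   (tab-separated; '#' = header,
#   '>' = request, '<' = response, '-' = field not present)

# httpry_urls_for_ip LOGFILE IP
# One "URL <client> -> <host><uri>" line per request and one
# "STATUS <server> -> <code> <reason>" line per response that involves IP.
httpry_urls_for_ip() {
    local logfile=$1 ip=$2
    awk -F'\t' -v ip="$ip" '
        /^#/                 { next }                     # header lines
        $2 != ip && $3 != ip { next }                     # IP not an endpoint
        $4 == ">"            { printf "URL %s -> %s%s\n", $2, $6, $7; next }
        $4 == "<"            { printf "STATUS %s -> %s %s\n", $2, $9, $10 }
    ' "$logfile"
}

# httpry_hosts_for_ip LOGFILE IP: distinct Host headers IP sent requests to
httpry_hosts_for_ip() {
    local logfile=$1 ip=$2
    awk -F'\t' -v ip="$ip" '
        /^#/ { next }
        $2 == ip && $4 == ">" && $6 != "-" { print $6 }
    ' "$logfile" | sort -u
}

# Constructed sample log (made-up addresses and hosts), written to a temp file.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
{
    printf '# httpry version 0.1.7\n'
    printf '# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase\n'
    printf '2011-09-23 09:00:01\t192.168.1.10\t203.0.113.5\t>\tGET\twww.example.com\t/index.html\tHTTP/1.1\t-\t-\n'
    printf '2011-09-23 09:00:01\t203.0.113.5\t192.168.1.10\t<\t-\t-\t-\tHTTP/1.1\t200\tOK\n'
    printf '2011-09-23 09:00:07\t192.168.1.10\t198.51.100.7\t>\tPOST\tevil.example.net\t/gate.php\tHTTP/1.1\t-\t-\n'
    printf '2011-09-23 09:00:07\t198.51.100.7\t192.168.1.10\t<\t-\t-\t-\tHTTP/1.1\t200\tOK\n'
    printf '2011-09-23 09:00:09\t192.168.1.22\t203.0.113.5\t>\tGET\twww.example.com\t/about.html\tHTTP/1.1\t-\t-\n'
} > "$SAMPLE_LOG"

# Usage: what did 192.168.1.10 talk to, and what came back?
httpry_urls_for_ip "$SAMPLE_LOG" 192.168.1.10
echo "--- hosts contacted ---"
httpry_hosts_for_ip "$SAMPLE_LOG" 192.168.1.10
```

Both endpoints are matched on purpose: a compromised host shows up as the source of requests and the destination of responses, and the response lines carry the status codes that tell you whether the beacon actually got an answer.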

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots

Upgrade Process



httpry events are autocategorized so as not to clutter the main Sguil window

If you're responding to an incident for an IP address, search for the IP and you'll see the httpry events are prefixed with "URL"


Clicking on a URL event will show further information in the Detail pane

Right-clicking on the Alert ID allows you to pull the entire transcript




SQueRT has an httpry search that will show all httpry logs



Tuesday, September 20, 2011

Security Onion 20110920 now available!


Security Onion 20110920 is now available!  This update enables IP-to-country mapping in the SQueRT web interface (great for showing off to executives)!

Please note!
This upgrade will make changes to the database and therefore it is recommended to backup your MySQL database and/or test the upgrade on a non-production system before deploying to production.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
Upgrade Process

SQueRT IP-to-country mapping

Monday, September 19, 2011

Security Onion 20110919 now available!

Security Onion 20110919 is now available!  This update does the following:

    • Updates the NSMnow admin scripts to support argus.
    • Starts argus on all monitored interfaces.

Each argus instance will log to the following location:
/nsm/sensor_data/NAME-OF-SENSOR/argus/YYYY-MM-DD.log
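One daily file per sensor means a missing or empty file is a day of flow records you will not have when an investigation needs them. The following is an added example, not Security Onion's or argus's own code: it walks a date window against that directory layout, reports days with no usable argus log, and lists the files that do exist so they can be handed to an argus client such as ra. The sensor name and dates are made up, and the functions need GNU date for -d.

```shell
#!/bin/bash
# Added example, not part of Security Onion or argus: check that a sensor's
# argus directory has one non-empty YYYY-MM-DD.log for every day in a window.
# Directory layout /nsm/sensor_data/SENSOR/argus/YYYY-MM-DD.log is the one
# the post describes; the sensor name and dates below are made up.
# Requires GNU date (-d).

# argus_log_dir SENSOR: where that sensor's daily argus logs live
argus_log_dir() {
    printf '/nsm/sensor_data/%s/argus\n' "$1"
}

# each_day FIRST LAST: print every YYYY-MM-DD from FIRST to LAST inclusive.
# Dates are handled as UTC epoch seconds, so adding 86400 never skips or
# repeats a day across a DST change.
each_day() {
    local cur last
    cur=$(date -u -d "$1" +%s) && last=$(date -u -d "$2" +%s) || return 2
    while [ "$cur" -le "$last" ]; do
        date -u -d "@$cur" +%Y-%m-%d
        cur=$((cur + 86400))
    done
}

# argus_missing_days DIR FIRST LAST: print each day in the window that has no
# DIR/<day>.log, or only an empty one (argus started but wrote nothing).
# Returns 1 if anything is missing, so it can gate a cron alert.
argus_missing_days() {
    local dir=$1 day missing=0
    for day in $(each_day "$2" "$3"); do
        [ -s "$dir/$day.log" ] || { printf '%s\n' "$day"; missing=1; }
    done
    return $missing
}

# argus_files_in_window DIR FIRST LAST: the existing, non-empty log files,
# in date order, ready to pass to an argus client.
argus_files_in_window() {
    local dir=$1 day
    for day in $(each_day "$2" "$3"); do
        [ -s "$dir/$day.log" ] && printf '%s\n' "$dir/$day.log"
    done
    return 0
}

# Constructed demo directory standing in for /nsm/sensor_data/sensor1/argus:
# three days logged, 2011-09-21 absent, 2011-09-23 present but empty.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
for d in 2011-09-19 2011-09-20 2011-09-22; do
    printf 'constructed placeholder, not real argus data\n' > "$DEMO_DIR/$d.log"
done
: > "$DEMO_DIR/2011-09-23.log"

echo "real path for sensor1 would be: $(argus_log_dir sensor1)"
echo "days without usable argus logs:"
argus_missing_days "$DEMO_DIR" 2011-09-19 2011-09-23 || echo "(gap found, exit status 1)"
echo "files to feed to ra:"
argus_files_in_window "$DEMO_DIR" 2011-09-19 2011-09-23
```

With real data the last list is what you would pass to a client, for instance `ra -r $(argus_files_in_window "$(argus_log_dir sensor1)" 2011-09-19 2011-09-23) - host 192.0.2.1`, with the host filter and dates substituted for the case at hand.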

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"


Screenshots
Upgrade script installs new NSM scripts and starts argus on all monitored interfaces (eth0, eth1, and eth2 in this case)

Running argus processes
Argus processes log to /nsm/sensor_data/NAME-OF-SENSOR/argus/YYYY-MM-DD.log


Running one of the argus clients (ranonymize, to anonymize my IP addresses) on the argus logs

Friday, September 16, 2011

Security Onion 20110915 now available!

Security Onion 20110915 is now available!  This update does the following:

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
New Argus menu
Thursday, September 15, 2011

Security Onion 20110914 now available!

Security Onion 20110914 is now available!  This will update the Setup script to use the new config file format and install a daily script to purge old alerts from the database.


PLEASE NOTE!
sguil-db-purge is scheduled to run every day at 5:01 AM. It will do the following:
    • stop sguild
    • purge old events from the database
    • repair the remaining MySQL tables
    • start sguild
The default retention policy for the purge is 365 days. If you would like to change this value, please change the DAYSTOKEEP variable in /etc/nsm/securityonion.conf.

The daily cron job logs its output to /var/log/nsm/sguil-db-purge.log.


Since the purge script will be making changes to the database, it is recommended to backup your MySQL database and/or test the purge script on a non-production system before deploying to production.
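Because the purge deletes whatever is older than DAYSTOKEEP days, the value in /etc/nsm/securityonion.conf deserves a check before the first 5:01 AM run: a blank, zero or non-numeric value turns "older than N days" into "everything". The block below is an added example and not Security Onion's sguil-db-purge; it reads DAYSTOKEEP the way a shell would when sourcing the file (last assignment wins, default 365 when absent), refuses anything that is not a positive integer, and computes the cutoff date a purge would act on. It deliberately does not touch the database: the Sguil table layout is not assumed here, and the deletion stays with the real script. The config fragments are constructed, and the cutoff uses GNU date.

```shell
#!/bin/bash
# Added example, not Security Onion's own sguil-db-purge: read DAYSTOKEEP
# from a securityonion.conf-style file, validate it, and turn it into the
# cutoff date a purge would use. The file path and variable name are the
# ones the post names; no Sguil table or SQL is assumed, so nothing here
# deletes anything. Requires GNU date (-d).

DEFAULT_DAYSTOKEEP=365

# read_daystokeep CONF: print the effective DAYSTOKEEP. The last assignment
# wins, as it would when the file is sourced; quotes and spaces are stripped;
# the documented default of 365 applies when the variable is absent.
read_daystokeep() {
    local conf=$1 value
    value=$(grep '^[[:space:]]*DAYSTOKEEP=' "$conf" 2>/dev/null \
            | tail -n 1 | cut -d= -f2- | tr -d '"'"'"' ')
    printf '%s\n' "${value:-$DEFAULT_DAYSTOKEEP}"
}

# valid_daystokeep VALUE: true only for a positive integer. An empty value
# or 0 would make "older than N days" match every event in the database.
valid_daystokeep() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# purge_cutoff DAYS [NOW_EPOCH]: print the YYYY-MM-DD before which events
# would be purged, or fail (without printing a date) when DAYS is invalid.
# NOW_EPOCH is optional so the result can be checked against a fixed clock.
purge_cutoff() {
    local days=$1 now=${2:-$(date -u +%s)}
    valid_daystokeep "$days" || return 1
    date -u -d "@$((now - days * 86400))" +%Y-%m-%d
}

# Constructed securityonion.conf fragments (not real files).
CONF_OK=$(mktemp)
CONF_MISSING=$(mktemp)
CONF_BAD=$(mktemp)
trap 'rm -f "$CONF_OK" "$CONF_MISSING" "$CONF_BAD"' EXIT
cat > "$CONF_OK" <<'EOF'
# constructed: an earlier default overridden further down the file
DAYSTOKEEP=365
DAYSTOKEEP="90"
EOF
printf '# constructed: no DAYSTOKEEP at all\n' > "$CONF_MISSING"
printf 'DAYSTOKEEP=\n' > "$CONF_BAD"

# Usage: report what each configuration would do, using a fixed "now"
# of 2011-09-23 00:00 UTC (epoch 1316736000) so the output is reproducible.
for conf in "$CONF_OK" "$CONF_MISSING" "$CONF_BAD"; do
    days=$(read_daystokeep "$conf")
    if cutoff=$(purge_cutoff "$days" 1316736000); then
        echo "DAYSTOKEEP=$days: events before $cutoff would be purged"
    else
        echo "DAYSTOKEEP='$days': invalid, refuse to purge" >&2
    fi
done
```

Run read_daystokeep and purge_cutoff against the real /etc/nsm/securityonion.conf after editing it; a backup taken before the cron job's first run, as the post recommends, is what saves you if the cutoff turns out to be wrong anyway.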


In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
Upgrade process


Purge script
Wednesday, September 14, 2011

Security Onion 20110913 now available!

Security Onion 20110913 is now available!  This update upgrades the SQueRT web interface to version 0.9.3b.  Thanks go to Paul Halliday at http://www.squertproject.org/ for all of his hard work on this new version of SQueRT!


In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots



SQueRT Summary Tab

More screenshots can be found at the SQueRT screenshots page.


Monday, September 12, 2011

Security Onion 20110909 now available

Security Onion 20110909 is now available!  This upgrade adds some new menu entries to make IDS tuning a little easier.

    • The "IDS Rules" menu now has a new entry called "Add Local Rules" which will open /etc/nsm/rules/local.rules for editing using the "mousepad" GUI editor.  You can then add any rules that you want to maintain locally (outside of the downloaded VRT or Emerging Threats rulesets).
    • A new menu called "IDS Config" was added with a new menu entry called "Configure IDS engine(s)".  This will list all of the IDS engines on your system and allow you to choose one to configure.  It will then open the proper config file for whatever IDS engine you're running.  After you save and close the config file, it will offer to restart the IDS engine for you.


      • Example #1
        • Suppose you're currently running Snort and you choose eth0.  The program will open /etc/nsm/NAME_OF_YOUR_SENSOR-eth0/snort.conf for editing using the "mousepad" GUI editor.
      • Example #2
        • Suppose you're currently running Suricata and you choose eth1.  The program will open /etc/nsm/NAME_OF_YOUR_SENSOR-eth1/suricata.yaml for editing using the "mousepad" GUI editor.
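The menu entries hand you an editor; what they cannot do is stop you from pasting a rule whose sid already exists, which is the usual reason the engine then refuses to restart. The block below is an added example, not Security Onion's own menu code: it derives the per-interface config path for the two engines the post names, and appends a rule to a local.rules file only after extracting its sid, checking it is in the 1,000,000-and-up range Snort reserves for local rules, and checking the file does not already contain it. The sensor name, paths and the sample rule are made up for the demo.

```shell
#!/bin/bash
# Added example, not Security Onion's own code: the config path the
# "Configure IDS engine(s)" entry opens for a given sensor/interface/engine,
# and a sid-checked append for local.rules. Sensor name, interface names and
# the sample rule are made up; the path layout is the one the post describes.

# ids_config_path SENSOR IFACE ENGINE -> /etc/nsm/SENSOR-IFACE/<engine config>
ids_config_path() {
    local sensor=$1 iface=$2 engine=$3 file
    case $engine in
        snort)    file=snort.conf ;;
        suricata) file=suricata.yaml ;;
        *) printf 'unknown IDS engine: %s\n' "$engine" >&2; return 1 ;;
    esac
    printf '/etc/nsm/%s-%s/%s\n' "$sensor" "$iface" "$file"
}

# rule_sid RULE: print the sid of a Snort/Suricata rule; fail if it has none.
# Matches "sid:N;" only as a rule option (after '(' or ';'), not inside a
# content string.
rule_sid() {
    local sid
    sid=$(printf '%s\n' "$1" \
          | sed -n 's/.*[;(][[:space:]]*sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p')
    [ -n "$sid" ] && printf '%s\n' "$sid"
}

# local_rule_add FILE RULE: append RULE to FILE unless it has no sid, uses a
# sid below 1000000 (the range downloaded rulesets use), or duplicates a sid
# already in FILE. A duplicate sid is fatal at engine start, not at edit time.
local_rule_add() {
    local file=$1 rule=$2 sid
    sid=$(rule_sid "$rule") || { echo 'rule has no sid' >&2; return 1; }
    if [ "$sid" -lt 1000000 ]; then
        echo "sid $sid is below 1000000, the range reserved for local rules" >&2
        return 1
    fi
    if grep -q "sid:[[:space:]]*$sid[[:space:]]*;" "$file" 2>/dev/null; then
        echo "sid $sid is already present in $file" >&2
        return 1
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Constructed demo standing in for /etc/nsm/rules/local.rules.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT

echo "snort on eth0 would be edited at:    $(ids_config_path sensor1 eth0 snort)"
echo "suricata on eth1 would be edited at: $(ids_config_path sensor1 eth1 suricata)"

# Made-up local rule: flag a POST to /gate.php from inside the monitored net.
local_rule_add "$RULES" 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL HTTP POST to gate.php"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; sid:1000001; rev:1;)' \
    && echo "added sid 1000001"
# Second attempt with the same sid is refused instead of breaking the restart.
if ! local_rule_add "$RULES" 'alert tcp any any -> any 80 (msg:"LOCAL duplicate"; sid:1000001; rev:1;)' 2>/dev/null; then
    echo "duplicate sid 1000001 rejected"
fi
echo "local.rules now holds $(grep -c '' "$RULES") rule(s)"
```

After a successful append, use the "Configure IDS engine(s)" entry (or the restart it offers) to load the rule; the check here only covers sids inside local.rules, so a clash with a sid in a downloaded ruleset still surfaces at restart.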

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots


New "Add Local Rules" menu entry under "IDS Rules"

Clicking the above menu entry opens /etc/nsm/rules/local.rules for editing

New "IDS Config" menu with "Configure IDS engine(s)" menu entry

"Configure IDS engine(s)" allows you to pick which engine to configure

Selecting an engine opens that engine's config file for editing

After saving and closing the config file, you will have the option to restart the engine