Thursday, December 29, 2011

Security Onion 20111229 now available!


Security Onion 20111229 is now available!  This resolves the following issues:
Issue 109:  Optional PADS or PRADS
Issue 115:  edit nsm_sensor_edit
Issue 162:  Process watchdog
Issue 164:  No sensor status info then server is down
Issue 173:  nsm_sensor_clean cronjob should output date to logfile

Thanks to Karolis for his work on integrating PADS into the distro!

Notes
  • The PADS configuration file (/etc/nsm/SENSOR-NAME/pads.conf) contains a "network" variable which defaults to:
    192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
    You will need to change this variable if you're monitoring public IP space.
  • The new process watchdog runs every 5 minutes and will restart any sensor process that has crashed.  It will move the process's old log file to PROCESS.log.TIMESTAMP so that you can determine why the process crashed. 
New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

PADS events in Sguil

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Tuesday, December 27, 2011

Security Onion 20111228 now available!


Security Onion 20111228 is now available!  This resolves the following issue:
Issue 151: NetworkMiner

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

NetworkMiner menu entry


If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html


Security Onion 20111227 now available!


Security Onion 20111227 is now available!  This resolves the following issue:
Issue 172: Snorby Export-to-PDF results in error

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process
If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Friday, December 23, 2011

Security Onion 20111222 now available!


Security Onion 20111222 is now available!  This resolves the following issue:
Issue 51: Snorby

Snorby is a modern web interface for Network Security Monitoring:
The new hotness
A few things to note:

  • The Snorby database is totally separate from the Sguil database.  This means that you will have a separate user account to log into Snorby.  It also means that any events that you classify in Snorby are not reflected back into the Sguil database.
  • A new output is added to the barnyard2 configuration to send events to the Snorby database.  Remote sensors establish an SSH tunnel to the server to encrypt the MySQL traffic.
  • This is just the initial integration of Snorby.  In the future we'll add things like full packet capture support and Dustin's new unified2 library.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

The Setup wizard has been updated to support Snorby.  You will create a username for Sguil/Squert and a separate username for Snorby (your email address).  The password that you enter will be used for both Sguil/Squert and Snorby.
Updated Setup Wizard

Entering email address for Snorby

Same password will be used for both Sguil/Squert and Snorby

Double-click the Snorby desktop shortcut

Login using the email address and password you specified in Setup

If necessary, generate some IDS alerts using "curl http://testmyids.com"

View your IDS alerts on the Events tab


In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).


If you have one or more slave sensors reporting to a central master server, always upgrade the master first!

Since Snorby and Sguil have separate databases, your existing Sguil credentials will not allow you to log into Snorby.  The in-place upgrade process will generate a username and random password for your initial Snorby login.  You should immediately login with your temporary credentials and change them.


Completing upgrade of an existing system

Double-click the Snorby desktop shortcut or use the URL shown in the upgrade

Login using the credentials shown in the upgrade

Click "Settings" to change your username/password

Set your new credentials

Login using your new credentials

If necessary, generate some alerts with "curl http://testmyids.com"
View your IDS alerts on the Events tab

If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Merry Christmas!

Tuesday, December 20, 2011

Wednesday, December 14, 2011

Security Onion 20111214 now available!


Security Onion 20111214 is now available!  This resolves the following issue:

The previous purging method only removed old pcaps from the dailylogs directories.  The new method removes old pcaps but also purges old argus, httpry, and unified2 files.  

For those running multiple sensors on the same /nsm, the previous purging method would have deleted all pcaps from the first sensor before beginning to purge the second sensor.  The new method tries to delete more evenly across the sensors.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process
Purging
/etc/cron.d/sensor-clean contains a cronjob that runs the purge hourly.  You can manually run the purge as follows:
sudo /usr/local/sbin/nsm --sensor --clean
sudo /usr/local/sbin/nsm --sensor --clean

Monday, December 12, 2011

Security Onion 20111213 now available!


Security Onion 20111213 is now available!  This resolves the following issues:
Issue 168: Suricata 1.1.1

If you are already using Suricata and have customized your suricata.yaml file, please note that it will be backed up to /nsm/backup/20111213/NAME-OF-SENSOR/ and then overwritten with the new config file.  Please copy any of your customizations (HOME_NET, etc.) from /nsm/backup/20111127/NAME-OF-SENSOR/suricata.yaml to the production copy /etc/nsm/NAME-OF-SENSOR/suricata.yaml.

As noted here, Suricata includes some anomaly detection in the form of decoder-events.rules and stream-events.rules.  These two rulesets have been disabled in this update.  You can manually re-enable them if desired.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Switching to Suricata
If you're currently running Snort and would like to switch to Suricata, use the following commands to stop Snort, change the ENGINE variable in the config file, and then run PulledPork to download the Suricata-specific ruleset (if running Emerging Threats rules):
sudo nsm_sensor_ps-stop --only-snort-alert
sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf
sudo /usr/local/bin/pulledpork_update.sh 

Screenshots
Upgrade Process

Thursday, December 1, 2011

Security Onion 20111202 now available!


Security Onion 20111202 is now available!  This resolves the following issue:
Issue 139: Squert needs HTTPS

This update will convert Squert and Xplico to HTTPS.  It will also automatically update any Squert/Xplico shortcuts contained within the Security Onion installation to use HTTPS.  If you have any Squert/Xplico bookmarks on any other computers in your network, you should just need to change them from HTTP to HTTPS.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

Security Onion 20111201 now available!


Security Onion 20111201 is now available!  This resolves the following issues:
Issue 157: Update pulledpork.conf.master with new local_rules declaration
Issue 159: NSM scripts are storing initial Sguil credentials in /etc/nsm/securityonion/server.conf

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process