Attention Shmoocon attendees and Nova Hackers!

Only 2 days left to vote for 2011 Toolsmith Tool of the Year!  If you're a fan of Security Onion, please vote!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120125 now available!

Security Onion 20120125 is now available!  This resolves the following issues:
Issue 203: New users should have a more sensible default for Sguil client fonts
Issue 204: /usr/local/sbin/nsm_server_del: line 192: [: eq: binary operator expected
Issue 206: /usr/local/sbin/nsm_sensor_clean should purge old Bro logs
Issue 207: Re-install /etc/skel/.bashrc to enable bash coloring
Issue 208: Need a new ISO for NoVA Hackers presentation

New Users
New users can download and install the 20120125 ISO image using the instructions here.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots

Upgrade Process

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Upcoming Security Onion Presentations

I'll be giving a Shmoocon Firetalk on Saturday 1/28 at 7:40 PM:
http://www.novainfosecportal.com/2012/01/25/shmoocon-2012-firetalks-%E2%80%93-update-5-schedule/

I'll also be presenting Security Onion at the NoVA Hackers Shmoocon Epilogue on Monday 1/30 at 8:00 PM:
http://novahackers.blogspot.com/2012/01/shmoocon-epilogue-speakers-and-location.html

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion Success Stories 2012

Last year, I received a few success stories from satisfied Security Onion users:
http://securityonion.blogspot.com/2011/05/security-onion-success-stories.html

Please share your Security Onion success story in the comments below!


If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120124 now available!

Security Onion 20120124 is now available!  This resolves the following issue:
Issue 140: OSSEC agent needs to be integrated into NSM scripts

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots

Upgrade Process

sudo service nsm status

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120123 now available!

Security Onion 20120123 is now available!  This resolves the following issues:

Issue 191: Update NSM scripts to control Bro
Issue 202: If user selects only one interface, configure Bro as standalone

Notes
If you're only monitoring a single network interface, this update will configure Bro for standalone mode which will greatly increase performance!


New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots

Upgrade Process

NSM scripts now control Bro

Thanks
Thanks to Seth Hall of the Bro project for his tuning suggestion!
Thanks to Richard Bejtlich for his suggestion of updating the NSM scripts to control Bro!

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120119 now available!

Security Onion 20120119 is now available!  This resolves the following issues:
Issue 154: Track pulledpork download status
Issue 160: PulledPork should be using https for ET and ETPRO downloads
Issue 198: Suricata 1.2.1
Issue 200: PulledPork isn't handling so_rules properly
Issue 201: snorby-db-fix is causing problems with large/busy snorby databases

For more information about Suricata 1.2.1, please see:
http://www.openinfosecfoundation.org/index.php/component/content/article/144-suricata-12-available
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_11_to_Suricata_12
http://www.suricata-ips.net/index.php/component/content/article/145-suricata-121-available

Please also note that the new suricata.yaml will overwrite your existing suricata.yaml.  Your existing suricata.yaml will be backed up to /nsm/backup/20120119/NAME_OF_SENSOR/.  Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/suricata.yaml.


New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots

Upgrade begins

Upgrade runs pulledpork_update.sh to update rules

pulledpork_update.sh restarts barnyard2 and the IDS engine

Thanks
Thanks to the Suricata team for their hard work on Suricata 1.2.1!
Thanks to Scott Runnels for his assistance in testing this release!

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion Presentation at NoVA Hackers

I'll be presenting Security Onion at the NoVA Hackers Shmoocon Epilogue:
http://novahackers.blogspot.com/2012/01/shmoocon-epilogue-speakers-and-location.html

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!

http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120116 now available!

Security Onion 20120116 is now available!  This resolves the following issue:

Issue 170: Snort 2.9.2

For more information about Snort 2.9.2, please see:

Snort 2.9.2: SCADA Preprocessors

http://www.snort.org/docs

http://manual.snort.org

Please note that if you are using the Registered (30-day delay) VRT ruleset you may need to wait until the rules are released for Snort 2.9.2.

Please also note that the new snort.conf will overwrite your existing snort.conf.  Your existing snort.conf will be backed up to /nsm/backup/20120116/NAME_OF_SENSOR/.  Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/snort.conf.

New Users

New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots

Upgrade script installs Snort 2.9.2 and launches PulledPork

Once PulledPork completes, barnyard2 and Snort are restarted

Thanks

Thanks to the Snort team for their hard work on Snort 2.9.2!

Thanks to Scott Runnels for his assistance in testing this release!

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!

http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120114 now available!

Security Onion 20120114 is now available!  This resolves the following issue:

Issue 190: typo in /etc/cron.d/bro

New Users

New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!

http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120113 now available!

Security Onion 20120113 is now available!  This resolves the following issues:

Issue 147: Bro 2.0 integration

Issue 185: Syntax error clearing sensor data

Note that this is just the initial integration of Bro. In the future, we'll switch Sguil's http_agent to use Bro's http.log and we'll also look at using Barnyard2 to send IDS alerts to Bro to give it a better understanding of your network.

New Users

New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

sudo broctl status

Current Bro logs can be found in /nsm/bro/logs/current

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120107 now available!

Security Onion 20120107 is now available!  This resolves the following issue:

Issue 184: reference.config needs to be updated

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120106 now available!

Security Onion 20120106 is now available!  This resolves the following issues:

Issue 152: etherape

Issue 158: whois

Issue 178: nsm_sensor_ps-status shouldn't delete stale PID files

Issue 179: NSM watchdog should put timestamps in log file

Issue 180: vim

Issue 181: nsm_sensor_ps-restart should rotate current log file to TIMESTAMP

Issue 182: Setup needs to make sure MySQL is running if user chooses Server

Issue 183: Need to periodically remove invalid data from snorby database

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html