Thursday, March 29, 2012

Security Onion 20120329 now available!


Security Onion 20120329 is now available!  This resolves the following issues:

Issue 114: Provide single location for configuring BPF filters
Issue 224: typo in nsm_sensor-ps-start
Issue 242: Set Suricata runmode to autofp
Issue 243: Remove VLAN setting from pcap_agent.conf


Notes
As you can see in the screenshot below, this update will create a bpf.conf file for each sensor interface on your system.  For example, if you have two sensor interfaces (eth0 and eth1), you'll now have two bpf.conf files:
/etc/nsm/$HOSTNAME-eth0/bpf.conf
/etc/nsm/$HOSTNAME-eth1/bpf.conf

The NSM scripts now pass "-F /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to Snort and Suricata and "-f /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to daemonlogger, so the same filter applies to both alerting and full packet capture on that interface.  However, Suricata's afpacket mode currently doesn't support bpf, so a Suricata sensor running in that mode will ignore its bpf.conf until that is implemented.  I've created Suricata feature request #440 for this.
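As an added example (not part of this post and not Security Onion's own NSM scripts), the bash snippet below writes one exclusion filter into the bpf.conf of each sensor interface, following the /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf layout described above, and compile-checks each file with tcpdump before the sensor processes are restarted.  The NSM_ROOT variable, the write_bpf and check_bpf function names, the backup host address and the eth0/eth1 interface list are assumptions for the example; NSM_ROOT defaults to a scratch directory, so set it to /etc/nsm (as root) to write the real files.  A Suricata instance in afpacket mode will not honour the file, as noted above.

```bash
#!/bin/bash
# Added example, not from the post: populate one bpf.conf per sensor interface
# and compile-check it before the sniffing processes are restarted.
# Layout assumed from the release note: $NSM_ROOT/$HOSTNAME-$IFACE/bpf.conf
# NSM_ROOT defaults to a scratch directory for a dry run; set NSM_ROOT=/etc/nsm
# (as root) to write the real files.
NSM_ROOT="${NSM_ROOT:-$(mktemp -d)}"
SENSOR_HOST="${HOSTNAME:-$(hostname 2>/dev/null || echo localhost)}"

# write_bpf <interface> <filter-expression>
# Writes the expression as the whole content of that interface's bpf.conf, which is
# what snort -F, suricata -F and daemonlogger -f hand to libpcap's filter compiler.
# Keep it to a single expression; whether '#' comments are tolerated depends on the
# libpcap/tcpdump version, so none are used here.  Prints the path written.
write_bpf() {
  local iface="$1" filter="$2"
  local dir="$NSM_ROOT/$SENSOR_HOST-$iface"
  mkdir -p "$dir"
  printf '%s\n' "$filter" > "$dir/bpf.conf"
  printf '%s\n' "$dir/bpf.conf"
}

# check_bpf <path-to-bpf.conf>
# Compiles the filter the way the sensor processes will, without root and without
# touching a live interface: tcpdump -d dumps the compiled program and exits, and
# -r against a header-only Ethernet pcap supplies the link type.
# Returns 0 if the filter compiles (or tcpdump is not installed), 1 if it does not.
check_bpf() {
  local conf="$1" empty rc
  if ! command -v tcpdump >/dev/null 2>&1; then
    echo "tcpdump not installed; skipping compile check of $conf" >&2
    return 0
  fi
  empty="$(mktemp)"
  # 24-byte pcap global header: magic d4c3b2a1, version 2.4, thiszone 0,
  # sigfigs 0, snaplen 65535, linktype 1 (EN10MB); no packet records follow.
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$empty"
  if tcpdump -d -r "$empty" -F "$conf" >/dev/null 2>&1; then
    rc=0
  else
    echo "filter in $conf does not compile" >&2
    rc=1
  fi
  rm -f "$empty"
  return "$rc"
}

# Demo: drop a backup server's rsync traffic from every sensor interface so it is
# neither alerted on nor written to full packet capture.  The address and the
# interface list are constructed for this example.
EXCLUDE_FILTER='not (host 10.0.0.5 and tcp port 873)'
for iface in eth0 eth1; do
  conf="$(write_bpf "$iface" "$EXCLUDE_FILTER")"
  check_bpf "$conf" && echo "ok: $conf"
done
```

check_bpf compiles against an empty pcap header rather than a live interface, so it needs neither root nor a quiet network.  A filter that fails here would be rejected when Snort or daemonlogger starts, which is why it is worth checking the file before restarting the sensor processes.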

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that this one-liner fetches the script over plain HTTP and runs it as root in the same step.  If you would rather review it first, run only the curl part, read ~/security-onion-upgrade.sh, and then run "sudo bash ~/security-onion-upgrade.sh".

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to the following for their help in testing this release!
Craig Shannon
Scott Runnels

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Monday, March 26, 2012

Security Onion 20120326 now available!


Security Onion 20120326 is now available!  This resolves the following issues:

Issue 197: Snort 2.9.2.1
Issue 218: /etc/nsm/gen-msg.map out of date

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Please note that the new snort.conf will overwrite your existing snort.conf.  Your existing snort.conf will be backed up to /nsm/backup/20120326/NAME_OF_SENSOR/.  Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/snort.conf.
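As an added example (not part of this post and not a Security Onion script), the bash snippet below lists the ipvar/portvar/var settings whose value in the backed-up snort.conf differs from the freshly installed one, so the customizations can be carried across by hand.  The paths follow the layout described above; the SENSOR, BACKUP and PROD variables and the changed_vars function name are assumptions for the example.

```bash
#!/bin/bash
# Added example, not from the post: report the snort.conf variables whose value
# in the backed-up copy differs from the freshly installed copy, so the
# customizations (HOME_NET, EXTERNAL_NET, port variables, paths) can be carried
# across by hand.  Paths follow the post's layout; SENSOR is an assumption.
SENSOR="${SENSOR:-$(hostname 2>/dev/null || echo localhost)-eth0}"
BACKUP="${BACKUP:-/nsm/backup/20120326/$SENSOR/snort.conf}"
PROD="${PROD:-/etc/nsm/$SENSOR/snort.conf}"

# changed_vars <backup snort.conf> <new snort.conf>
# Prints one line per ipvar/portvar/var whose value differs, "NAME: old -> new",
# and "NAME: old -> (missing in new file)" for variables the new file dropped.
# Variables that are identical in both files (nothing to carry over) are omitted.
changed_vars() {
  awk '
    $1 == "ipvar" || $1 == "portvar" || $1 == "var" {
      name = $2
      $1 = $2 = ""; sub(/^ +/, "")                 # the rest of the line is the value
      value = $0
      if (NR == FNR) { old[name] = value; next }   # first file: the backup
      seen[name] = 1
      if ((name in old) && old[name] != value)
        printf "%s: %s -> %s\n", name, old[name], value
    }
    END {
      for (name in old)
        if (!(name in seen))
          printf "%s: %s -> (missing in new file)\n", name, old[name]
    }
  ' "$1" "$2"
}

if [ -r "$BACKUP" ] && [ -r "$PROD" ]; then
  echo "Customizations to carry from $BACKUP into $PROD:"
  changed_vars "$BACKUP" "$PROD"
else
  echo "usage: BACKUP=<backed-up snort.conf> PROD=<new snort.conf> $0" >&2
fi
```

A reported difference can come from a changed default in the new snort.conf as well as from your own customization, so read each line against the backup before copying the old value into /etc/nsm/NAME_OF_SENSOR/snort.conf.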

Screenshots

Upgrade Process

Upgrade Process (cont.)

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Sourcefire for Snort 2.9.2.1!
Thanks to the following for their help in testing this release!
Craig Shannon
Heine Lysemose

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Thursday, March 22, 2012

Security Onion 20120321 now available!


Security Onion 20120321 is now available!  This resolves the following issues:

Issue 237: Snorby 2.5.1 - This is a bugfix release.  It fixes several issues in Snorby 2.5.0.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Dustin Webber for the quick bugfixes in Snorby 2.5.1!
Thanks to the following for their help in testing this release!
Scott Runnels
Heine Lysemose

Help Wanted!
Security Onion needs help in the following areas:

  • assisting users on the mailing list and in IRC
  • quality assurance and testing new releases
  • documentation
  • package maintainers

If Security Onion has provided value to you and/or your organization, please consider giving back to the community by donating your time to the above needs!  If interested, please contact me via email (I won't publish it here, but you can find it on our mailing list).  Thanks!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Tuesday, March 20, 2012

Security Onion Documentation Updates


I spent some time this morning creating and updating several pages on the Security Onion Wiki:

Installation Procedure
http://code.google.com/p/security-onion/wiki/Installation

FAQ
http://code.google.com/p/security-onion/wiki/FAQ

Email Configuration
http://code.google.com/p/security-onion/wiki/Email

Passwords
http://code.google.com/p/security-onion/wiki/Passwords

Help
http://code.google.com/p/security-onion/wiki/Help

If you see any changes that need to be made or documentation that needs to be added, please write it up and we'll get it posted!


Help Wanted
Security Onion needs help in the following areas:

  • assisting users on the mailing list and in IRC
  • quality assurance and testing new releases
  • documentation
  • package maintainers

If Security Onion has provided value to you and/or your organization, please consider giving back to the community by donating your time to the above needs!  If interested, please contact me via email.  Thanks!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Monday, March 19, 2012

Security Onion 20120312 now available!


Security Onion 20120312 is now available!  This resolves the following issues:

Issue 233: Snorby 2.5.0
Our original Snorby package was a good way of getting it deployed quickly.  However, the time has come to break the monolithic package up into separate packages:
1.  securityonion-ruby contains Ruby 1.9.2-p290 and replaces the existing system-wide Ruby 1.8 (/usr/bin/ruby).
2.  securityonion-snorby contains /usr/local/share/snorby (Snorby 2.5.0 and all required gems using "bundle install --deployment").
3.  securityonion-passenger allows us to run Snorby under Apache instead of using Ruby's "thin" web server.
These separate packages will make our Snorby implementation faster, more standardized, more secure, and more maintainable.  In addition, this update brings the newly-released Snorby 2.5.0, which has many features and bugfixes!

Issue 235: Need statistics/diagnostics script
/usr/bin/sostat is a simple bash script which collects details about your system and its processes.  When asking for help on the mailing list, we may ask you to run "sudo sostat" and copy the output to your email so that we can have some data to help us diagnose your issue.  We also recommend running sostat in a daily cronjob and having it send you an email for review.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Dustin Webber for his hard work on Snorby 2.5.0!
Thanks to the following for their help in testing this release!
Scott Runnels
Liam Randall
Eric Ooi
Heine Lysemose
Marshal Graham

Help Wanted
Security Onion needs help in the following areas:
  • assisting users on the mailing list and in IRC
  • quality assurance and testing new releases
  • documentation
  • package maintainers
If Security Onion has provided value to you and/or your organization, please consider giving back to the community by donating your time to the above needs!  If interested, please contact me via email.  Thanks!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Tuesday, March 13, 2012

Security Onion and Ubuntu's MySQL 5.1 update

Ubuntu just released new MySQL packages.  A few things to be aware of for Security Onion users:

  • The update will stop MySQL in order to perform the update.  If sguild is running at the time, it will terminate as soon as MySQL stops.  Once you've successfully completed the update and MySQL is back up and running, you should run the following on your Security Onion server to start sguild:
sudo nsm_server_ps-start
  • When updating a Security Onion SENSOR (that sends its alerts to a separate Security Onion server), the update will try to start MySQL, but it will hang since port 3306 is already in use (being forwarded to the server over SSH).  You can simply kill the startup since MySQL is currently not used on Security Onion sensors.  On subsequent reboots, MySQL will startup, but when /etc/init/securityonion.conf executes, it will stop MySQL and bring up the SSH tunnel with port 3306 forwarded to the server.
If you have any questions or problems, please send a detailed email to our mailing list.  Thanks!

Thursday, March 1, 2012

SANS is coming to Augusta GA in June!

SANS is coming to Augusta GA in June!  Doug Burks will be teaching SANS SEC503: Intrusion Detection In-Depth and Mark Baggett will be teaching SANS SEC560: Network Penetration Testing.

UPDATE: You can save $500 if you register for one of these classes by May 2. In addition, ISSA members are eligible for a 10% discount! The discount code was sent to the ISSA Members mailing list. If you are a member and you didn't receive the discount code, please contact a Chapter Officer. If you're not already an ISSA member, please consider joining so that you will be eligible for this and other discounts in the future.


For more information, please see:
http://augusta.issa.org/drupal/SANS-Augusta-2012
http://www.sans.org/augusta-2012-cs/

Security Onion 20120229 now available!


Security Onion 20120229 is now available!  This resolves the following issues:

Issue 220: Add mon to /usr/local/bin/setup
Issue 231: Snorby delayed_job running in development mode


New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Rhoda Dendron for reporting the missing mon interface in Setup!
Thanks to Heine Lysemose for reporting the Snorby development mode issue!
Thanks to the following for their help in testing this release!
Scott Runnels
Liam Randall
Eric Ooi
Heine Lysemose
