Thursday, April 26, 2012

Security Onion 20120427 now available!


Security Onion 20120427 is now available!  This resolves the following issues:
Issue 245: Snort 2.9.2.2
Issue 259: Update Security Onion logo

Please note that if you are using the VRT ruleset and are a free "Registered User" (instead of a paid "Subscriber"), then you may need to wait until the 30-day wait period has elapsed to get the new 2.9.2.2 rules.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Please note that the new snort.conf will overwrite your existing snort.conf.  Your existing snort.conf will be backed up to /nsm/backup/20120427/NAME_OF_SENSOR/.  Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/snort.conf.
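As an added example (not part of the Security Onion upgrade script), a small shell helper that compares the variable definitions in the backed-up snort.conf against the new production copy and prints the ones whose values differ, so HOME_NET and similar customizations are carried over deliberately. The sample configs are constructed inline; the real paths are the backup and production locations named above.

```shell
#!/bin/bash
# Added example, not part of the Security Onion upgrade script: list the
# snort.conf variables (var/ipvar/portvar) whose values differ between the
# backed-up copy and the new production copy.
# Real paths: /nsm/backup/20120427/NAME_OF_SENSOR/snort.conf (backup) and
# /etc/nsm/NAME_OF_SENSOR/snort.conf (production); the samples below are
# constructed for this example.

# changed_vars BACKUP_CONF PROD_CONF -> one line per variable whose value
# differs or that only the backup defines, as NAME: OLD -> NEW
changed_vars() {
    awk '
        /^[ \t]*(ipvar|portvar|var)[ \t]+/ {
            name = $2; val = $0
            sub(/^[ \t]*(ipvar|portvar|var)[ \t]+[^ \t]+[ \t]+/, "", val)
            if (FNR == NR) old[name] = val   # first file: backup
            else           new[name] = val   # second file: production
        }
        END {
            for (name in old) {
                if (!(name in new))              print name ": " old[name] " -> MISSING"
                else if (old[name] != new[name]) print name ": " old[name] " -> " new[name]
            }
        }' "$1" "$2" | sort
}

# sample_diff -> runs changed_vars over two constructed snort.conf samples
sample_diff() {
    local backup prod
    backup=$(mktemp); prod=$(mktemp)
    cat > "$backup" <<'EOF'
# constructed sample: backed-up snort.conf carrying site customizations
ipvar HOME_NET [10.0.0.0/8,192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS 10.0.0.53
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/nsm/rules
EOF
    cat > "$prod" <<'EOF'
# constructed sample: new default snort.conf written by the upgrade
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/nsm/rules
EOF
    changed_vars "$backup" "$prod"
    rm -f "$backup" "$prod"
}

sample_diff
```

Each line printed is a setting to copy from the backup into the production snort.conf before restarting Snort.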

Screenshots
[Screenshot: Upgrade Process]
[Screenshot: Upgrade Process (cont.)]
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Sourcefire for Snort 2.9.2.2!
Thanks to Jack Blanchard for the updated Security Onion logo!
Thanks to the following for their help in testing this release!
Heine Lysemose
Tom De Vries
Eric Ooi
David Zawdie

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Wednesday, April 25, 2012

Security Onion 20120425 now available!


Security Onion 20120425 is now available!  This resolves the following issues:
Issue 155: Modify Setup script so that IDS Engine choice is a list instead of Yes or No default
Issue 250: Setup needs to delete /var/www/squert/.scripts/Ip2c/*.md5 before running ip2c.tcl
Issue 251: /var/www/squert/.scripts/Ip2c/ip2c.tcl needs to run once a week
Issue 256: Update Setup to allow running multiple times in sensor-->server config
Issue 257: Setup should create snort.stats if user chooses Suricata

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
[Screenshot: Upgrade Process]
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Paul Halliday for his suggestions for Squert!
Thanks to the following for their help in testing this release!
Scott Runnels
David Zawdie
Karolis

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Monday, April 23, 2012

Security Onion 20120423 now available!


Security Onion 20120423 is now available!  This resolves the following issues:
Issue 248: sostat doesn't handle single-digit date properly
Issue 258: sostat should display the size of each pcap directory

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
[Screenshot: Upgrade Process]
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Stephane Chazelas for his contributions to sostat!
Thanks to the following for their help in testing this release!
Eric Ooi
Scott Runnels
David Zawdie

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Friday, April 20, 2012

Security Onion 20120418 now available!


Security Onion 20120418 is now available!  This resolves the following issue:
Issue 254: tcpflow 1.1.1 connection counter breaks Sguil's transcript window

Notes
This update installs the new tcpflow 1.2.6 at /usr/local/bin/tcpflow and a shim at /usr/bin/tcpflow.  The shim is just a bash script that runs the following:
/usr/local/bin/tcpflow -T%A.%a-%B.%b $@

The new tcpflow version uses a new output format, so the shim calls tcpflow with the -T option that reproduces the original tcpflow format Sguil expects.
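An added example, not Security Onion's own shim: shell functions that build the classic tcpflow flow filename Sguil's transcript code parses and check that a given name still has that layout. It assumes the classic layout tcpflow documents (three-digit zero-padded octets, five-digit ports, nothing after the destination port); the sample flow and the suffixed variant are constructed.

```shell
#!/bin/bash
# Added example, not Security Onion's shim: build the classic tcpflow flow
# filename that Sguil's transcript code parses, and check that a name produced
# by tcpflow still has that layout.  Assumes the classic layout documented by
# tcpflow (three-digit zero-padded octets, five-digit ports, nothing after the
# destination port), e.g. 128.129.130.131.02345-010.011.012.013.00080.

# pad_ip A.B.C.D -> AAA.BBB.CCC.DDD
pad_ip() {
    local IFS=.
    set -- $1
    printf '%03d.%03d.%03d.%03d' "$1" "$2" "$3" "$4"
}

# legacy_flow_name SRC_IP SRC_PORT DST_IP DST_PORT -> the name the shim's
# -T%A.%a-%B.%b template is meant to produce for that flow
legacy_flow_name() {
    printf '%s.%05d-%s.%05d\n' "$(pad_ip "$1")" "$2" "$(pad_ip "$3")" "$4"
}

# is_legacy_flow_name NAME -> exit status 0 only if NAME has the classic layout
is_legacy_flow_name() {
    local quad='[0-9]{3}(\.[0-9]{3}){3}'
    printf '%s\n' "$1" | grep -Eq "^${quad}\.[0-9]{5}-${quad}\.[0-9]{5}\$"
}

# Constructed inputs: the name the shim should yield, and the same name with an
# extra counter-style suffix of the kind Sguil cannot parse (Issue 254).
expected=$(legacy_flow_name 192.168.1.5 51234 10.0.0.80 80)
echo "expected: $expected"   # 192.168.001.005.51234-010.000.000.080.00080
for name in "$expected" "${expected}c1"; do
    if is_legacy_flow_name "$name"; then echo "OK   $name"; else echo "BAD  $name"; fi
done
```

Running is_legacy_flow_name over the files tcpflow writes for a transcript is a quick way to confirm the shim is the binary Sguil is actually invoking.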

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
[Screenshot: Upgrade Process]
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Simson Garfinkel for the updated tcpflow!
Thanks to the following for their help in testing this release!
Sunil Gupta
Heine Lysemose
Tom De Vries

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Friday, April 13, 2012

Security Onion 20120412 now available!


Security Onion 20120412 is now available!  This resolves the following issues:
Issue 226: Rename bro workers
Issue 255: Add /etc/cron.d/nsm-watchdog back to nsmnow-admin-scripts package

Notes
Users with two or more interfaces will notice that the Bro worker configuration in /usr/local/etc/node.cfg has changed.  Instead of worker-1, worker-2, etc., they now follow our normal naming convention (so-eth0, so-eth1, etc.).  For users with only one interface, there will be no changes to the Bro configuration since the standalone Bro configuration doesn't have named workers.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
[Screenshot: Upgrade Process]
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Karolis Cepulis for identifying the missing /etc/cron.d/nsm-watchdog file!
Thanks to the following for their help in testing this release!
Scott Burkhart
David Zawdie

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Thursday, April 5, 2012

Security Onion 20120405 now available!


Security Onion 20120405 is now available!  This resolves the following issue:
Issue 219: Default Web page

Notes
After this upgrade, you will have a new default web page for the Apache web server at https://localhost.  This new page contains links to Squert, Snorby, and Xplico on the local server.  It also contains links to the Security Onion blog, wiki, etc.

The existing README.html on user desktops will be replaced with a link to this page.

Any Firefox profiles that are still set to the default home page will be set to https://localhost.

PLEASE close any running instances of Firefox BEFORE running the upgrade to make sure that the home page gets set properly and not overwritten by the running Firefox instance.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
[Screenshot: Upgrade Process]
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Eric Ooi for his work on the new web page and the Tools page in our Wiki!
Thanks to the following for their help in testing this release!
Joe Stevensen
Scott Burkhart
David Zawdie
Eric Ooi
Victor Julien

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html