Tuesday, December 31, 2013

New NSM and Setup packages available

I've updated our NSM and Setup packages to resolve a few issues:

Issue 429: nsm_server_clear needs latest Squert database updates
https://code.google.com/p/security-onion/issues/detail?id=429

Issue 451: nsm_sensor_clean should purge old files in /nsm/bro/extracted
https://code.google.com/p/security-onion/issues/detail?id=451

Issue 454: Disabling PADS agent blocks PRADS and results in no SANCP records flowing
https://code.google.com/p/security-onion/issues/detail?id=454
(thanks to Kevin Branch for the patch)

Issue 435: Setup should allow you to set PF_RING min_num_slots
https://code.google.com/p/security-onion/issues/detail?id=435

Issue 446: Setup should delete /var/lib/sphinxsearch/data/binlog*
https://code.google.com/p/security-onion/issues/detail?id=446

Issue 452: Setup phase 2 should populate sniffing interfaces from /etc/network/interfaces
https://code.google.com/p/security-onion/issues/detail?id=452

Issue 439: /etc/cron.d/sensor-newday updates
https://code.google.com/p/security-onion/issues/detail?id=439

Issue 440: BPF JIT addition to /etc/sysctl.d/10-securityonion.conf
https://code.google.com/p/security-onion/issues/detail?id=440

The new packages are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion66
securityonion-setup - 20120912-0ubuntu0securityonion92

They have been tested by the following (thanks!):
David Zawdie

Setup now selects interfaces based on /etc/network/interfaces
If you allow Setup to configure /etc/network/interfaces, it will use that file later to automatically select the proper interface(s) for monitoring.
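To make that selection concrete, here is an added example (not code from the Security Onion project or from Setup) that picks the sniffing interfaces out of a constructed /etc/network/interfaces. It assumes the layout Setup writes: the management interface is a stanza with an address, and each sniffing interface is an "inet manual" stanza with no address. That layout is an assumption of the example, not something this post states.

```shell
#!/bin/sh
# Added example: choose sniffing interfaces from /etc/network/interfaces.
# Assumption (not stated in the post): Setup writes the management NIC as a
# stanza with an address and each sniffing NIC as "inet manual" with no address.

# Constructed sample file content in that assumed layout.
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 10.0.0.5
  netmask 255.255.255.0
  gateway 10.0.0.1

auto eth1
iface eth1 inet manual
  up ip link set $IFACE promisc on arp off up
  down ip link set $IFACE promisc off down

auto eth2
iface eth2 inet manual
  up ip link set $IFACE promisc on arp off up
'

# sniffing_ifaces TEXT
#   Prints one interface name per line for every "iface NAME inet manual"
#   stanza that has no "address" line.  Loopback, static and dhcp stanzas
#   (the management side) are skipped.
sniffing_ifaces() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (name != "" && method == "manual" && !has_addr) print name
      name = ""; method = ""; has_addr = 0
    }
    $1 == "iface"   { flush(); name = $2; method = $4 }
    $1 == "address" { has_addr = 1 }
    END             { flush() }
  '
}

# management_iface TEXT
#   Prints the first non-loopback stanza that is static or dhcp, i.e. the
#   interface that must never be put into promiscuous sniffing mode.
management_iface() {
  printf '%s\n' "$1" | awk '
    $1 == "iface" && $2 != "lo" && ($4 == "static" || $4 == "dhcp") { print $2; exit }
  '
}

# On a real sensor, run against the live file and confirm each candidate
# actually exists before handing it to the NSM scripts:
#   for i in $(sniffing_ifaces "$(cat /etc/network/interfaces)"); do
#     ip link show dev "$i" >/dev/null || echo "missing: $i" >&2
#   done
```

The "up ip link set ... promisc on arp off" lines in the sample are there only to make the stanzas look realistic; the parser keys on the "inet manual" method and the absence of an address line, nothing else.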

PF_RING min_num_slots
Setup now creates /etc/modprobe.d/pf_ring.conf to set parameters for the PF_RING kernel module.  If you run Quick Setup, it will just use the default value of 4096 for min_num_slots.  However, if you choose Advanced Setup, you will have the opportunity to change that default value.

If you've already run Setup and want to modify min_num_slots, you can manually create /etc/modprobe.d/pf_ring.conf.  For example, to increase min_num_slots to 65534, do the following:
echo "options pf_ring transparent_mode=0 min_num_slots=65534" | sudo tee /etc/modprobe.d/pf_ring.conf
After creating /etc/modprobe.d/pf_ring.conf, you'll need to reload the PF_RING module as follows (or just reboot):
sudo nsm_sensor_ps-stop
sudo rmmod pf_ring
sudo nsm_sensor_ps-start
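
The reload above only works once nothing holds the module: rmmod refuses to unload pf_ring while a Snort, Suricata or Bro process still has it open, which is why nsm_sensor_ps-stop comes first. The following added example (my code, not the project's NSM scripts) wraps the same sequence with two checks: the min_num_slots value is validated before it is written, and the module's reference count from lsmod is inspected before rmmod. The explicit modprobe and the grep of /proc/net/pf_ring/info are additions as well; the post itself only gives stop, rmmod, start.

```shell
#!/bin/sh
# Added example: write /etc/modprobe.d/pf_ring.conf safely and refuse to
# unload pf_ring while a sensor process still holds it.  The stop/rmmod/start
# sequence is the one from the post; the guard and the modprobe are additions.

# pf_ring_conf_line SLOTS
#   Prints the modprobe options line for SLOTS, or fails if SLOTS is not a
#   positive integer (a bad value would silently leave the module on defaults).
pf_ring_conf_line() {
  slots=$1
  case "$slots" in
    ''|*[!0-9]*) echo "min_num_slots must be a positive integer, got '$slots'" >&2; return 1 ;;
  esac
  [ "$slots" -gt 0 ] || { echo "min_num_slots must be greater than 0" >&2; return 1; }
  printf 'options pf_ring transparent_mode=0 min_num_slots=%s\n' "$slots"
}

# pf_ring_refcount LSMOD_OUTPUT
#   Extracts the "Used by" count for pf_ring from lsmod output (0 when the
#   module is not loaded).  rmmod will not unload the module while this is
#   non-zero, so the sensor processes have to be stopped first.
pf_ring_refcount() {
  printf '%s\n' "$1" | awk '
    $1 == "pf_ring" { print $3; found = 1 }
    END             { if (!found) print 0 }
  '
}

# Constructed lsmod output showing the module held by three processes.
SAMPLE_LSMOD='Module                  Size  Used by
pf_ring               303104  3
bridge                 94512  0'

# pf_ring_reload SLOTS
#   Writes the conf, stops the sensor processes, unloads and reloads the
#   module, then restarts the sensors.  Needs root; not run by this file.
pf_ring_reload() {
  line=$(pf_ring_conf_line "$1") || return 1
  printf '%s\n' "$line" | sudo tee /etc/modprobe.d/pf_ring.conf >/dev/null
  sudo nsm_sensor_ps-stop
  if [ "$(pf_ring_refcount "$(lsmod)")" -ne 0 ]; then
    echo "pf_ring is still in use; look for stray snort/suricata/bro processes" >&2
    return 1
  fi
  sudo rmmod pf_ring
  sudo modprobe pf_ring                 # explicit, so the new options are read now
  grep -i slots /proc/net/pf_ring/info 2>/dev/null || echo "pf_ring info not available" >&2
  sudo nsm_sensor_ps-start
}

# Usage on a sensor:  pf_ring_reload 65534
```

If the refcount check fires after nsm_sensor_ps-stop, something outside the NSM scripts is still attached to the ring (a test capture left running, for instance); find and stop it rather than forcing the unload.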
Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, December 30, 2013

New securityonion-sostat package available

I've packaged a new version of sostat that resolves a few issues:

Issue 437: sostat: more detailed interface stats via ip(8)
https://code.google.com/p/security-onion/issues/detail?id=437

Issue 457: sostat: add /proc/net/pf_ring/info
https://code.google.com/p/security-onion/issues/detail?id=457

Issue 458: sostat: include pf_ring Slots
https://code.google.com/p/security-onion/issues/detail?id=458

Issue 459: sostat: netsniff-ng loss output incorrect when running BPF
https://code.google.com/p/security-onion/issues/detail?id=459

The version number of the new package is securityonion-sostat - 20120722-0ubuntu0securityonion12 and it has been tested by the following (thanks!):
David Zawdie

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, December 20, 2013

New securityonion-setup package available

I've packaged a new version of Setup that resolves a couple of issues:

Issue 436: sosetup-network: replace ifconfig with iproute2's ip tool
https://code.google.com/p/security-onion/issues/detail?id=436
This patch from Jon Schipp updates sosetup-network so that it uses "ip" instead of "ifconfig".

Issue 441: sosetup-network shouldn't stop network-manager
https://code.google.com/p/security-onion/issues/detail?id=441
The last release of sosetup added a new question to sosetup-network to allow you to modify /etc/network/interfaces and then have the choice to not immediately reboot. If you did this over "ssh -X" it would stop Network Manager which would drop your ssh connection before it could ask if you want to reboot. It should no longer try to stop Network Manager so you should see the final reboot question when running over ssh.

The version number of the new package is securityonion-setup - 20120912-0ubuntu0securityonion90 and it has been tested by the following (thanks!):
Scott Runnels
Matt Gregory
JP Bourget

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Wednesday, December 18, 2013

New securityonion-elsa-extras package available

Scott Runnels has fixed a couple of bugs in the recent securityonion-elsa-extras package.  The updated package version is:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion25

Issues Resolved

Issue 438: /etc/cron.d/elsa updates
https://code.google.com/p/security-onion/issues/detail?id=438

Issue 442: securityonion-elsa-extras: fix BRO_NOTICE parsers
https://code.google.com/p/security-onion/issues/detail?id=442

Issue 444: securityonion-elsa-extras: wrong mysql directory in /etc/elsa_node.conf
https://code.google.com/p/security-onion/issues/detail?id=444

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, December 10, 2013

Bro 2.2 and ELSA 1.5 packages now available

We have some new packages available for Bro 2.2 and ELSA 1.5!
ELSA 1.5 with support for Bro 2.2 and more log types
Release Notes

IMPORTANT! If you are upgrading a distributed deployment, it is vitally important that you upgrade the master before upgrading the sensors!  After upgrading the master and all sensors, if the ELSA web interface doesn't show all of your nodes properly, you may need to do the following:

  • restart autossh on each sensor:
    sudo pkill -USR1 autossh
  • stop/start (NOT restart) starman on each sensor:
    sudo service starman stop
    sudo service starman start
  • restart Apache on your master server:
    sudo service apache2 restart

If you have email configured on your sensor and you start getting lots of email from the ELSA cron job, you can fix it by changing the last line of /etc/cron.d/elsa as follows (moving 2>&1 to the end of the line):
* * * * * root perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
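
The order matters because redirections are applied left to right: with "2>&1" before "> /dev/null", stderr is duplicated onto the original stdout (the pipe cron captures and mails) and only stdout is then discarded. The following added example (not part of this post or of the ELSA package) rewrites a cron line that has the redirections in the wrong order and demonstrates the leak. The "broken" line is my reconstruction of the pre-fix entry, built from the post's description of the fix.

```shell
#!/bin/sh
# Added example: fix a cron line whose redirections are in the wrong order
# and show why the order matters.

# Constructed: the pre-fix entry as reconstructed from the post (2>&1 placed
# before > /dev/null), and the corrected line the post gives.
BROKEN_CRON='* * * * * root perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf 2>&1 > /dev/null'
FIXED_CRON='* * * * * root perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1'

# fix_elsa_cron_line LINE
#   Moves a "2>&1" that precedes a trailing "> /dev/null" to the end of the
#   line.  Lines that are already correct pass through unchanged, so the
#   same substitution is safe to run with sed -i on /etc/cron.d/elsa.
fix_elsa_cron_line() {
  printf '%s\n' "$1" |
    sed -E 's|[[:space:]]+2>&1[[:space:]]+(>[[:space:]]*/dev/null)[[:space:]]*$| \1 2>\&1|'
}

# stderr_leaks REDIRECTIONS
#   Runs a command that writes only to stderr under the given redirection
#   string and succeeds if anything reached the caller's stdout, which is
#   the stream cron would capture and mail.
stderr_leaks() {
  out=$(eval "sh -c 'echo err >&2' $1")
  [ -n "$out" ]
}

# Apply to the real file (GNU sed):
#   sudo sed -i -E 's|[[:space:]]+2>&1[[:space:]]+(>[[:space:]]*/dev/null)[[:space:]]*$| \1 2>\&1|' /etc/cron.d/elsa
```

stderr_leaks '2>&1 > /dev/null' succeeds (the "err" line comes back on stdout) while stderr_leaks '> /dev/null 2>&1' fails, which is exactly the difference between a mailbox full of cron output and silence.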
If you had previously installed the APT1 scripts per http://blog.securityonion.net/2013/02/seth-halls-bro-module-for-apt1-detection.html, the update will detect this and automatically enable the new version of the APT1 scripts.  If you would like to manually enable the APT1 scripts, do the following:
sudo sed -i 's|#@load apt1|@load apt1|g' /opt/bro/share/bro/site/local.bro
sudo broctl check && sudo broctl install && sudo broctl restart
The new version of Setup asks if you want to configure Bro to extract files (EXEs by default).  If you've already run Setup and want to enable file extraction, do the following:
sudo sed -i 's|#@load file-extraction|@load file-extraction|g' /opt/bro/share/bro/site/local.bro
sudo broctl check && sudo broctl install && sudo broctl restart
The new version of Setup configures Snorby to allow you to pivot from an IP address in Snorby to an ELSA query for that IP address.  If you've already run Setup and want to add this capability to Snorby, click Administration and then click Lookup Sources and add the following (also see screenshot in the Screenshots section):
https://elsa.ip.addr.ess:3154/?query_string="${ip}"%20groupby:program

Issues Resolved

Issue 362: sguil-db-purge - add DAYSTOREPAIR option
https://code.google.com/p/security-onion/issues/detail?id=362

Issue 395: Bro 2.2
https://code.google.com/p/security-onion/issues/detail?id=395

Issue 426: Update http_agent for Bro 2.2
https://code.google.com/p/security-onion/issues/detail?id=426

Issue 420: Setup should no longer disable Bro PF_RING since it should work in 2.2
https://code.google.com/p/security-onion/issues/detail?id=420

Issue 424: Setup should write out changes to /etc/network/interfaces and then prompt for reboot
https://code.google.com/p/security-onion/issues/detail?id=424

Issue 415: Setup should ask user about DAYSTOKEEP and DAYSTOREPAIR
https://code.google.com/p/security-onion/issues/detail?id=415

Issue 396: Setup should give the option of enabling file extraction in Bro
https://code.google.com/p/security-onion/issues/detail?id=396

Issue 433: Setup should configure Snorby to pivot from an IP address to ELSA
https://code.google.com/p/security-onion/issues/detail?id=433

Issue 431: Update APT1 scripts for Bro 2.2
https://code.google.com/p/security-onion/issues/detail?id=431

Issue 350: Modify Sguil client to allow pivoting directly to ELSA query
https://code.google.com/p/security-onion/issues/detail?id=350

Issue 346: New ELSA packages
https://code.google.com/p/security-onion/issues/detail?id=346

Issue 343: Add more Bro logs to ELSA
https://code.google.com/p/security-onion/issues/detail?id=343

Issue 434: nsm_sensor_ps-start shouldn't call sensor_cleandisk anymore
https://code.google.com/p/security-onion/issues/detail?id=434

New/Updated packages
securityonion-bro - 2.2-0ubuntu0securityonion9
securityonion-bro-scripts - 20121004-0ubuntu0securityonion17
securityonion-elsa - 1090-1ubuntu0securityonion11
securityonion-elsa-extras - 20131117-1ubuntu0securityonion19
securityonion-elsa-node-perl - 20130819-0ubuntu0securityonion2
securityonion-elsa-web-perl - 20131029-0ubuntu0securityonion0ubuntu1
securityonion-http-agent - 0.3.1-0ubuntu0securityonion3
securityonion-libapache-logformat-compiler-perl - 0.13-0ubuntu0securityonion1
securityonion-libcapture-tiny-perl - 0.22-0ubuntu0securityonion0
securityonion-libclass-method-modifiers-perl - 2.04-1ubuntu0securityonion1
securityonion-libcookie-baker-perl - 0.01-1ubuntu0securityonion1
securityonion-libdevel-stacktrace-perl - 1.30-1ubuntu0securityonion0
securityonion-libexception-class-perl - 1.37-1ubuntu0securityonion1
securityonion-libextutils-config-perl - 0.007-1ubuntu0securityonion0
securityonion-libextutils-helpers-perl - 0.021-1ubuntu0securityonion0
securityonion-libextutils-installpaths-perl - 0.009-1ubuntu0securityonion0
securityonion-liblog-log4perl-appender-socket-unix-perl - 1.04-1ubuntu0securityonion0
securityonion-liblog-syslog-constants-perl - 1.02-1ubuntu0securityonion0
securityonion-liblog-syslog-fast-perl - 0.61-1ubuntu0securityonion1
securityonion-libmoo-perl - 1.003-1ubuntu0securityonion1
securityonion-libmoox-types-mooselike-numeric-perl - 1.01-1ubuntu0securityonion1
securityonion-libmoox-types-mooselike-perl - 0.25-1ubuntu0securityonion0
securityonion-libplack-middleware-xforwardedfor-perl - 0.1030-1ubuntu0securityonion0
securityonion-librole-tiny-perl - 1.003-1ubuntu0securityonion1
securityonion-libtest-name-fromline-perl - 0.11-1ubuntu0securityonion1
securityonion-libtest-time-perl - 0.04-1ubuntu0securityonion1
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion64
securityonion-setup - 20120912-0ubuntu0securityonion89
securityonion-sguil-client - 0.8.0-0ubuntu0securityonion15
securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion7

The new packages have been tested by the following (thanks!):
Heine Lysemose
JP Bourget
Matt Gregory
David Zawdie

Screenshots
Bro update
ELSA update
ELSA update with support for more Bro logs
http_agent update
New Sguil client supports pivoting from IP address to ELSA query
Pivoting from Sguil/Snorby to ELSA
Manually adding ELSA as a Lookup Source after running Setup
Pivoting from Snorby to ELSA
New Setup screen for DAYSTOKEEP
New Setup screen for DAYSTOREPAIR
New Setup screen for enabling Bro file extraction
ELSA query for BRO_SOFTWARE
ELSA query for BRO_FILES
ELSA query for BRO_NOTICE
ELSA query for BRO_WEIRD

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, November 15, 2013

New sostat package available

I found and fixed a couple of bugs in the recent sostat package.  The updated package version is:
securityonion-sostat - 20120722-0ubuntu0securityonion11

Issues Resolved
Issue 423: Bugs in broctl netstats percentage calculation
https://code.google.com/p/security-onion/issues/detail?id=423

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Wednesday, November 13, 2013

New Snort, NSM, and sostat packages available

The following software was recently released:

Snort 2.9.5.5
http://blog.snort.org/2013/09/snort-2955-is-now-available-on-snortorg.html

I've packaged Snort 2.9.5.5 and also updated the NSM and sostat packages.  The updated package versions are as follows:
securityonion-daq - 2.0.1-0ubuntu0securityonion2
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion62
securityonion-snort - 2.9.5.5-0ubuntu0securityonion1
securityonion-sostat - 20120722-0ubuntu0securityonion10

The new packages have been tested by the following (thanks!):
JP Bourget
David Zawdie
Matt Gregory

Issues Resolved

Issue 405: Optimize network buffers
https://code.google.com/p/security-onion/issues/detail?id=405
This update creates a new file called /etc/sysctl.d/10-securityonion.conf which increases some kernel network buffers.  The settings will be applied at the next boot, or you can apply them immediately with "sudo sysctl -p /etc/sysctl.d/10-securityonion.conf"

Issue 407: Increase frequency of /etc/cron.d/sensor-clean
https://code.google.com/p/security-onion/issues/detail?id=407
/etc/cron.d/sensor-clean now runs every 5 minutes.  This should help avoid the disk filling up between hourly purges for some users.

Issue 419: Delete Snorby pid file at boot
https://code.google.com/p/security-onion/issues/detail?id=419
/etc/init/securityonion.conf now deletes /opt/snorby/tmp/pids/delayed_job.pid before starting the Snorby worker to avoid issues in case the pid file was empty.

Issue 408: Add "broctl netstats" to sostat
https://code.google.com/p/security-onion/issues/detail?id=408

Issue 410: sostat should display the count of days archived in pcap and Bro logs
https://code.google.com/p/security-onion/issues/detail?id=410

Issue 417: sostat - remove $HOSTNAME-
https://code.google.com/p/security-onion/issues/detail?id=417

Issue 422: Bro average packet loss in sostat
https://code.google.com/p/security-onion/issues/detail?id=422

Issue 398: Snort 2.9.5.5
https://code.google.com/p/security-onion/issues/detail?id=398

Updating

The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

The Snort update will back up each of your existing snort.conf files to snort.conf.bak.  You'll then need to do the following:
  • apply your local customizations to the new snort.conf
  • update ruleset and restart Snort using "sudo rule-update"
Screenshots
"sudo soup" update process
Snort 2.9.5.5
Updating ruleset and restarting Snort using "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, October 18, 2013

Security Onion class is 1 week away!

Only one week left until the 8-hour Security Onion class in Augusta GA!  We still have some seats available, so here's a discount code good for $50 off:
LastMinute51946

For more details and to register, please see:
https://securityonion20131026.eventbrite.com/

Tuesday, October 15, 2013

Squert 1.1.5 package now available

Paul Halliday recently released Squert 1.1.5:
http://www.squertproject.org/
https://github.com/int13h/squert

He also recorded a walkthrough video of some of the new features recently added to Squert:
http://youtu.be/ZOsVw96XM8E

I've packaged Squert 1.1.5 and the package has been tested by the following (thanks!):
Pedro Simoes
JP Bourget
David Zawdie

Release Notes

  • Please note that /var/www/squert/.inc/config.php gets overwritten during the update process so if you had previously set sgUser and sgPass to enable transcripts and event classification, you'll need to re-apply those settings.
  • Please also note that you may need to Shift-Reload in your browser and/or empty browser cache to ensure you're running the latest Squert javascript.
  • Timestamps are displayed in UTC by default, but you can change this by clicking the arrows to the right of the timeline.  De-select UTC, then specify your local timezone offset.  Then click "Save" to save your preference into the database and click "Update" to refresh the page with the new timestamps.  See the "Time Selection" screenshot below.


Screenshots
Update Process
OSSEC events now render properly
Time Selection
Country Mappings

Issues Resolved
Issue 387: Squert 1.1.5
https://code.google.com/p/security-onion/issues/detail?id=387

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Saturday, October 12, 2013

New securityonion-sostat package includes sostat-redacted

The securityonion-sostat package now includes a new script called sostat-redacted which runs sostat and pipes the output to sed, redacting any IPv4 addresses.  When you need help from our mailing list and we request that you send redacted sostat output, you can now use sostat-redacted to automatically redact the IPv4 addresses (although there may be additional sensitive info that you still need to redact).  Thanks to Steve Fennell for the suggestion!

sostat-redacted automatically redacts IPv4 addresses
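
Here is the redaction step written out as an added example so you can see what a dotted-quad substitution does and does not hide. This is my code, not the sostat-redacted script shipped in the package, and the "x.x.x.x" placeholder is a choice made here. Two things worth knowing before you paste the result into a mailing list post: anything shaped like an IPv4 address is replaced, including version strings such as "2.9.5.5", and nothing else (hostnames, MAC addresses, usernames) is touched, which is the "additional sensitive info" the paragraph above warns about.

```shell
#!/bin/sh
# Added example: IPv4 redaction in the style of sostat-redacted.  Not the
# project's script; "x.x.x.x" is the placeholder chosen here.

# Constructed lines in the style of sostat output.
SOSTAT_SAMPLE='Interface eth1: inet 192.168.1.50/24
Top talkers: 10.0.0.7 -> 203.0.113.9, 10.0.0.8 -> 198.51.100.4
Snort 2.9.5.5
Sensor host: sensor01.corp.example  MAC 00:11:22:33:44:55'

# A dotted quad with a non-digit, non-dot character (or line edge) on each
# side.  The surrounding characters are consumed by the match, so the
# substitution is run twice to catch addresses separated by a single character.
IPV4_RE='(^|[^0-9.])([0-9]{1,3}\.){3}[0-9]{1,3}([^0-9.]|$)'

# redact_ipv4  (filter: stdin -> stdout)
#   Replaces every dotted quad with x.x.x.x.  Version numbers that happen
#   to have four components are replaced too; hostnames and MACs are not.
redact_ipv4() {
  sed -E -e "s/$IPV4_RE/\1x.x.x.x\3/g" -e "s/$IPV4_RE/\1x.x.x.x\3/g"
}

# has_ipv4 TEXT
#   Succeeds if a dotted quad is still present; use it as a final check
#   before sending redacted output anywhere.
has_ipv4() {
  printf '%s\n' "$1" | grep -Eq '[0-9]{1,3}(\.[0-9]{1,3}){3}'
}

# Usage on a sensor:
#   sostat | redact_ipv4> sostat-redacted.txt
#   has_ipv4 "$(cat sostat-redacted.txt)" && echo "still contains an address" >&2
```

The has_ipv4 check is deliberately looser than the redaction pattern (no boundary requirement) so that it errs on the side of flagging; a false positive costs a second look, a false negative costs a leaked internal address.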

Issues Resolved
Issue 402: Create sostat-redacted to automatically redact IP address from sostat output
https://code.google.com/p/security-onion/issues/detail?id=402

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Thursday, October 10, 2013

Suricata 1.4.6 package now available

Suricata 1.4.6 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/183--suricata-146-released

I've packaged Suricata 1.4.6 and the new package has been tested by David Zawdie and JP Bourget.

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

The Suricata update will do the following:

  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.6

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:
    sudo nsm_sensor_ps-restart --only-snort-alert

Screenshots
Update process
suricata -V
Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

New NSM/Setup Packages now available

New versions of the following packages are now available!
securityonion-nsmnow-admin-scripts
securityonion-setup

Issues Resolved

Issue 376: netsniff-ng: specify ring buffer size
When running Setup and choosing Advanced Setup, you can now specify netsniff-ng's ring buffer size.
https://code.google.com/p/security-onion/issues/detail?id=376

Issue 400: Add option to Advanced Setup to enable netsniff-ng mmap I/O
When running Setup and choosing Advanced Setup, you can now enable mmap I/O for netsniff-ng.
https://code.google.com/p/security-onion/issues/detail?id=400

Issue 394: syslog-ng memory leak
/etc/cron.d/sensor-newday was doing "syslog-ng reload" which was causing a memory leak.  It now does a full "syslog-ng restart" to avoid the memory leak.
https://code.google.com/p/security-onion/issues/detail?id=394

Issue 391: Setup should write log file to /tmp and then copy to /var/log/nsm/sosetup.log when done
While Setup is running, you can monitor /tmp/sosetup.log.  After Setup has completed, you can find the log at /var/log/nsm/sosetup.log.
https://code.google.com/p/security-onion/issues/detail?id=391

Issue 377: Move Argus config to argus.conf so that users can change without modifying NSM scripts
Each sensor will now have its own argus.conf at /etc/nsm/HOSTNAME-INTERFACE/argus.conf that you can use to customize your Argus configuration.
https://code.google.com/p/security-onion/issues/detail?id=377

Issue 401: ossec_agent.conf should set DAEMON to 0
The default ossec_agent.conf had DAEMON set to 1, but our NSM scripts expect spawned processes to NOT daemonize.  The NSM scripts now set DAEMON to 0 in ossec_agent.conf to avoid this.
https://code.google.com/p/security-onion/issues/detail?id=401

Screenshots

netsniff-ng ring buffer

netsniff-ng mmap I/O

Thanks
Thanks to Jon Schipp for his work on the netsniff-ng configuration!
Thanks to David Edelman for his work on the Argus configuration!
Thanks to JP Bourget and David Zawdie for testing the new packages!

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Saturday, October 5, 2013

Got DNS visibility?

Jaime Blasco recently wrote a great blog post on using DNS records to identify suspicious domains:
http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records

Here are some other great articles on the power of DNS visibility:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918

Got Security Onion?

If you currently don't have the kind of DNS visibility described above or are unable to effectively search your DNS logs for anomalies, get Security Onion today!
https://code.google.com/p/security-onion/wiki/Installation

Here's a quick video on using Security Onion to configure Bro and ELSA in minutes to give you DNS visibility and the ability to quickly search, summarize, and look for anomalies:
http://www.youtube.com/watch?v=33HZyIxbg6c&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe

Need Training?
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Tuesday, October 1, 2013

New Video on OSSEC and ELSA

I just published a quick video on OSSEC and ELSA. In this video, you'll see how quickly you can configure OSSEC and ELSA using Security Onion.  We'll then use the ELSA web interface to hunt through OSSEC alerts and all logs received from all OSSEC agents.  Also note that you can send standard syslog to ELSA and query those logs as well.
http://www.youtube.com/watch?v=xlRESlq86JI

Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Thursday, September 26, 2013

Security Onion Training in Augusta GA on Saturday October 26

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!

For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Tuesday, September 24, 2013

New Security Onion Videos and Log Management class

The video from my recent BSidesAugusta presentation is now available:
http://www.youtube.com/watch?v=l7TSGHvsPJA

I also just published a series of walkthrough videos as well:
https://www.youtube.com/watch?v=dyLbgrdagaA&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe

Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Saturday, September 14, 2013

Security Onion 12.04.3 ISO image now available

We have a new Security Onion 12.04.3 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of September 4, 2013!

Thanks
Thanks to the following for testing the new ISO image!
David Zawdie

Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.3 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

Known Issues
The ISO image includes an older version of python-zmq, introduced by the recent OnionSalt package:
http://securityonion.blogspot.com/2013/09/new-package-onionsalt-now-available-for.html

This can result in the following symptoms:

  • When running Setup under certain conditions, salt-master will crash resulting in a bug report error in the status bar.  You can simply ignore this bug report.
  • salt-minions failing to reconnect to salt-master properly.

An updated version of python-zmq is available in our Stable repo that resolves these issues, so you'll want to install all available updates right after installing the ISO.

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.3 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
I'm teaching SANS SEC434 Log Management In-Depth in Memphis TN in October.  $200 discount if paid by Wednesday 9/18:
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Thursday, September 12, 2013

New package OnionSalt now available for configuration management

Mike Reeves created OnionSalt, a set of Salt configuration management scripts to manage lots of sensors from your master server.  I've packaged OnionSalt and added support for it in Setup.

Please note that Salt is totally optional.  If you're happy with your current method of sensor management, then you don't have to install securityonion-onionsalt and nothing will change for you.  Should you decide to install securityonion-onionsalt, you get the following features out of the box:

  • manage user accounts, sudoers, and SSH keys from one location and have it replicate to all sensors
  • have sensors check for new IDS rules every 15 minutes, copy files, and restart engines as necessary
In addition, Salt is a full configuration management system, so you can script anything that you want to deploy across your army of sensors.

Thanks
Thanks to Mike Reeves for developing OnionSalt!
Thanks to the following for testing:
JP Bourget
David Zawdie

Warning
OnionSalt is still considered experimental.  You'll want to test in a lab environment before deciding to deploy in production.

Installing
To read more about how to integrate OnionSalt into a new or existing Security Onion deployment, please see our Salt page:
https://code.google.com/p/security-onion/wiki/Salt

Screenshots
Enabling Salt on Master Server via Advanced Setup

After completing Setup, verifying that the Master can manage itself

Enabling Salt on sensor1 via Advanced Setup

After completing Setup, verifying that the Master can now manage both boxes

Salt can run arbitrary commands on all boxes at once
Adding johndoe to /opt/onionsalt/pillar/users/init.sls

Adding johndoe's public key to /opt/onionsalt/salt/users/keys/

Running "sudo salt '*' state.highstate" to push accounts and keys to all boxes

Verifying that we can now login using the new account/key

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, September 3, 2013

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 packages now available!

The following software was recently released:

PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/

Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html

Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/

I've packaged these new releases and the new packages have been tested by David Zawdie.  Thanks, David!

UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes
  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata
You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:

sudo rule-update

Notes
One change that I've made to our normal Snort config is the PF_RING clustermode.  Previously, Snort defaulted to clustermode=2, meaning that PF_RING hashed each stream to a particular Snort instance based solely on src and dst IP.  So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests.  Each and every "curl testmyids.com" would be sent to the SAME Snort instance, since the src and dst IP never change.  With the new clustermode=4, the Snort instance is selected based on src/dst IP *and* src/dst port.  Each "curl testmyids.com" is a new TCP connection from a fresh ephemeral source port, so each one is hashed independently and the connections are spread across the Snort instances in the PF_RING cluster.  This results in more effective load balancing.
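To make the clustermode difference concrete, here is an added Python simulation.  It is not Security Onion's or PF_RING's code: the hash function, the constructed "curl" traffic, and the cluster size of four instances are all illustrative assumptions.  The only properties the stand-in hash shares with a real per-flow balancer are that it is deterministic and direction-independent, so the client-to-server and server-to-client packets of one connection map to the same instance.

```python
"""Added example (not Security Onion's or PF_RING's code): simulate how a
PF_RING-style per-flow cluster spreads packets over N Snort instances when
the hash key is the 2-tuple (src IP, dst IP) versus the 4-tuple
(src IP, dst IP, src port, dst port).

The hash below is a constructed stand-in for PF_RING's internal hash; it is
deterministic and direction-independent, and nothing more is claimed about
how PF_RING itself computes the bucket.
"""
import hashlib
from collections import Counter
from typing import Callable, Iterable, List, Tuple

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)
KeyFn = Callable[[Packet, int], int]


def _digest_bucket(key: bytes, n_instances: int) -> int:
    # Deterministic bucket from a stable digest. Python's built-in hash() is
    # salted per process, so it is deliberately not used here.
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_instances


def instance_2tuple(pkt: Packet, n_instances: int) -> int:
    """clustermode=2 style: key on the IP pair only, order-independent."""
    src_ip, _, dst_ip, _ = pkt
    lo, hi = sorted((src_ip, dst_ip))
    return _digest_bucket(f"{lo}|{hi}".encode(), n_instances)


def instance_4tuple(pkt: Packet, n_instances: int) -> int:
    """clustermode=4 style: key on IPs *and* ports, order-independent."""
    src_ip, src_port, dst_ip, dst_port = pkt
    a, b = sorted(((src_ip, src_port), (dst_ip, dst_port)))
    return _digest_bucket(f"{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode(), n_instances)


def distribute(packets: Iterable[Packet], n_instances: int, keyfn: KeyFn) -> Counter:
    """Count how many packets each instance receives under a given hash key."""
    counts: Counter = Counter()
    for pkt in packets:
        counts[keyfn(pkt, n_instances)] += 1
    return counts


def curl_sessions(client: str, server: str, n_sessions: int,
                  base_port: int = 40000) -> List[Packet]:
    """Constructed traffic: n_sessions repeated 'curl' connections from one
    client to one server, each from a fresh ephemeral source port, with one
    request packet and one reply packet per session."""
    pkts: List[Packet] = []
    for i in range(n_sessions):
        sport = base_port + i
        pkts.append((client, sport, server, 80))   # client -> server
        pkts.append((server, 80, client, sport))   # server -> client
    return pkts


def flows_are_symmetric(packets: Iterable[Packet], n_instances: int, keyfn: KeyFn) -> bool:
    """Check that both directions of every packet land on the same instance.
    A balancer that breaks this splits a TCP connection across Snort
    instances and defeats stream reassembly."""
    for src_ip, sport, dst_ip, dport in packets:
        reverse: Packet = (dst_ip, dport, src_ip, sport)
        if keyfn((src_ip, sport, dst_ip, dport), n_instances) != keyfn(reverse, n_instances):
            return False
    return True


if __name__ == "__main__":
    traffic = curl_sessions("10.0.0.5", "203.0.113.10", n_sessions=200)
    for name, fn in (("2-tuple", instance_2tuple), ("4-tuple", instance_4tuple)):
        counts = distribute(traffic, 4, fn)
        print(f"{name}: busy instances={len(counts)} "
              f"per-instance={dict(sorted(counts.items()))} "
              f"symmetric={flows_are_symmetric(traffic, 4, fn)}")
```

Running it shows the 2-tuple key sending all 400 packets of the 200 sessions to a single instance while the 4-tuple key spreads them across all four.  The symmetry check is the caveat to keep in mind when choosing any cluster mode: Snort's stream reassembly needs both halves of a connection on the same instance, so whatever key is hashed must give the same bucket for both directions (the sorted tuple in the example is what provides that here).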

Screenshots
"sudo soup" upgrade process

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, August 27, 2013

New Squert 1.1 and other packages

Paul Halliday recently released Squert 1.1:
http://www.squertproject.org/

I've packaged Squert 1.1 and updated a few other packages at the same time.  The following updated packages are now available:
securityonion-et-rules
securityonion-rule-update
securityonion-setup
securityonion-squert
securityonion-squert-cron

These packages should resolve the following issues:

Issue 240: Squert 1.1
https://code.google.com/p/security-onion/issues/detail?id=240

Issue 366: Setup doesn't need to prompt if there is no Internet connection
https://code.google.com/p/security-onion/issues/detail?id=366

Issue 371: sosetup-network should require the user to choose static/DHCP for management interface
https://code.google.com/p/security-onion/issues/detail?id=371

Issue 373: Setup doesn't correctly configure VRT+ETNOGPL
https://code.google.com/p/security-onion/issues/detail?id=373

Issue 380: Update securityonion-et-rules package and include tarball
https://code.google.com/p/security-onion/issues/detail?id=380

Issue 381: Update Setup so that if no Internet access, run pulledpork -n
https://code.google.com/p/security-onion/issues/detail?id=381

Notes
Please note that Squert now has the ability to retrieve transcripts and categorize events, but you'll need to edit /var/www/squert/.inc/config.php and insert your Sguil username/password to enable this functionality.

Thanks
Thanks to the following for testing the new packages:
David Zawdie
JP Bourget

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots
Squert 1.1

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, August 19, 2013

New securityonion-bro-scripts package fixes a race condition

A new version of our securityonion-bro-scripts package is now available that fixes a possible race condition.

This update resolves the following issue:
Issue 374: Update hostname.bro and interface.bro

Thanks
Thanks to Jon Siwek for the new Bro scripts!
Thanks to the following for testing the new packages!
Matt Gregory
David Zawdie

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new packages, you'll need to restart Bro:
sudo broctl restart

Screenshots
Under certain conditions, the old Bro scripts would fail to determine the hostname and interface...

...resulting in Bro's conn.log containing an invalid "sensorname" field (should be hostname-interface)

Installing new securityonion-bro-scripts package

Restarting Bro

Bro now properly determines hostname and interface resulting in...
...conn.log having the correct sensorname (hostname-interface)
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
