Friday, May 31, 2013

Suricata 1.4.2 package now available

Suricata 1.4.2 was recently released:
http://suricata-ids.org/2013/05/29/suricata-1-4-2-released/

I've packaged Suricata 1.4.2 and it has been tested by the following (thanks!):
David Zawdie

Upgrade Process

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get install securityonion-suricata
The Suricata update will do the following:

  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.2

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:

sudo nsm_sensor_ps-restart --only-snort-alert
sudo apt-get update && sudo apt-get install securityonion-suricata

suricata -V

Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Thursday, May 30, 2013

PF_RING 5.5.3 packages now available

PF_RING 5.5.3 was recently released:
http://www.ntop.org/pf_ring/pf_ring-5-5-3-released/

I've packaged PF_RING 5.5.3 and the packages have been tested by the following (thanks!):
David Zawdie
Matt Gregory

The new packages are now available in our stable repo.  To ensure that the PF_RING kernel module is installed before any Ubuntu kernel updates, you may want to install as follows:
sudo apt-get update ; sudo apt-get install securityonion-pfring-module ; sudo apt-get dist-upgrade
For more information, please see our Upgrade page:
https://code.google.com/p/security-onion/wiki/Upgrade

The securityonion-pfring-module package will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes

Update process
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, May 28, 2013

New Setup package configures OSSEC to send alerts to ELSA

Previously, when a user ran Setup and enabled ELSA, they would be able to log into ELSA and view OSSEC *archive* logs (the raw logs received by OSSEC) but they wouldn't be able to view OSSEC *alerts* (created based on OSSEC's analysis of the incoming logs as configured by the OSSEC ruleset).  I've pushed a new Setup package that will configure OSSEC to send alerts to local syslog if the user enables ELSA.  The new package has been tested by Matt Gregory.  Thanks, Matt!

If you've already run Setup and would like to configure OSSEC to send alerts to ELSA, please see:
https://code.google.com/p/security-onion/wiki/OSSECalertsToELSA

Updating
If you're performing a new installation, it's important to update your packages right after you've completed the Ubuntu installer and BEFORE running Setup.  You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Upgrade Process
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New NSM scripts package includes daily restart of Sguil agents

Under certain conditions, some Sguil agents may fail to reconnect to sguild properly.  I've added daily cronjobs to /etc/cron.d/sensor-newday to restart all Sguil agents to help alleviate this.

The new securityonion-nsmnow-admin-scripts package has been tested and confirmed by the following (thanks!):
David Zawdie
Matt Gregory

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Upgrade Process
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Snorby 2.6.2 package now available

Snorby 2.6.2 was recently released:
https://github.com/Snorby/snorby/blob/master/ChangeLog.md

I've packaged Snorby 2.6.2 and the new securityonion-snorby package has been tested and confirmed by the following (thanks!):
Matt Gregory
David Zawdie

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  Please see the following for the recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

When the new securityonion-snorby package installs, it should restart Apache and, if Setup has already been run, it should run "bundle exec rake snorby:update" and restart the Snorby worker as follows (you can disregard any "Jammit Warning" messages).
Upgrade Process
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, May 27, 2013

Snort 2.9.4.6 package now available

Snort 2.9.4.6 was recently released:
http://blog.snort.org/2013/04/snort-2946-has-been-released.html

I've packaged Snort 2.9.4.6 and and the new package has been tested by the following (thanks!):
Heine Lysemose
Matt Gregory
David Zawdie

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Install Process

The Snort update will do the following:

  • back up each of your existing snort.conf file(s) to snort.conf.bak
  • update Snort to 2.9.4.6

If you're running Snort in production, then you'll need to do the following:

  • apply your local customizations to the new snort.conf file(s)
  • update ruleset and restart Snort as follows:
    sudo rule-update
sudo apt-get update && sudo apt-get dist-upgrade

snort -V
Apply any local customizations to snort.conf file(s) and then run "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New pcap samples package securityonion-samples-markofu

Mark Hillick put together some pcap samples (thanks Mark!) and I've put them into a new package called securityonion-samples-markofu.  The package will install the pcaps to:
/opt/samples/markofu/

Installation
This package will be included in the upcoming 12.04.1 ISO image, but it's an optional package so it won't automatically install on existing installations.  If you'd like to install this package onto your existing installation, you can use the graphical Update Manager or the following one-liner:
sudo apt-get update && sudo apt-get install securityonion-samples-markofu

Screenshot
Installation
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New pcap samples package securityonion-samples-pnsm

Richard Bejtlich put together some pcap samples (thanks Richard!) and I've put them into a new package called securityonion-samples-pnsm.  The package will install the pcaps to:
/opt/samples/pnsm/

Some of the pcaps have file extensions other than .pcap, so the default Ubuntu AppArmor policy won't allow tcpdump to read them.  This package will automatically update the AppArmor policy to fix this.

Installation
This package will be included in the upcoming 12.04.1 ISO image, but it's an optional package so it won't automatically install on existing installations.  If you'd like to install this package onto your existing installation, you can use the graphical Update Manager or the following one-liner:
sudo apt-get update && sudo apt-get install securityonion-samples-pnsm

Screenshot
Installation
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, May 13, 2013

Upcoming Events in May and June

I'll be speaking on "Enterprise Log Collection and Analysis using Security Onion, OSSEC, and ELSA" at the Augusta Linux User Group meeting on Thursday 5/16:
http://www.meetup.com/Augusta-Linux-User-Group/

I'll also be presenting Security Onion at BSides Charlotte on 6/8:
http://bsidesclt.org/

Hope to see you there!

New Setup package avoids bug when monitoring multiple interfaces

A new Setup package is now available that avoids a bug when monitoring multiple interfaces. When you choose Advanced Setup, the Bro CPU Cores screen will still ask you how many CPU cores you'd like to use for Bro, but it now also includes the following note:
Please note there is a bug in Bro 2.1 when monitoring multiple interfaces with PF_RING that results in traffic loss. If you're monitoring multiple interfaces, we'll configure Bro to disable PF_RING load balancing to avoid this issue. We'll record your desired number of PF_RING CPU cores for when Bro 2.2 is released.
This resolves the following issue:
Issue 317: Setup should disable Bro's PF_RING load balancing config when monitoring multiple NICs

The new package has been tested by Matt Gregory.  Thanks, Matt!

Updating
If you're performing a new installation, it's important to update your packages right after you've completed the Ubuntu installer and BEFORE running Setup.  You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, May 3, 2013

New ELSA and Sphinx packages now available


Scott Runnels has been hard at work updating our ELSA packages and building our own custom Sphinx package!  These new packages should resolve the following issues:

Issue 290: Update ELSA to r713
Issue 289: ELSA - include YUI library
Issue 300: /etc/elsa_web.conf needs 127.0.0.1 to have ports defined as well
Issue 298: Build new sphinx package with --enable-id64 compile-time option
Issue 324: sphinx should check for proper permissions before starting
Issue 299: sphinx.conf - swap "3307" with "9312"
Issue 327: Remove sphinx default cronjob as it is unnecessary and can cause issues

The new packages have been tested by the following (thanks!):
Brad Shoop
David Zawdie
Matt Gregory

UPDATE 5/3 21:18 - We have reports of issues with the sphinxsearch upgrade.  Please do not upgrade until we've determined the root cause.

UPDATE 5/4 00:05 - We've determined the root cause and are trying to determine the best fix.

UPDATE 5/4 13:00 - We're currently building a new package.  Will update later today after it has finished building and has been tested.

UPDATE 5/5 08:24 - The new sphinxsearch package has had some initial testing which appears to be successful. If you can test it in a non-production environment, we'd appreciate any feedback on our mailing list.

UPDATE 5/7 07:21 - Added the "Cleaning Up Perl Processes" and "Rebuilding Indexes" sections below.

UPDATE 5/7 09:45 - Added the "Known Issues" section below.

Updating
The new packages are now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade

Warning
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  If so, please cancel the update and use our recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

Cleaning Up Perl Processes
One of the issues fixed in this release was the extra perl processes occurring as a result of the ELSA LiveTail feature.  LiveTail has been disabled in these new packages, but you may still have some extra perl processes hanging around from before the upgrade.  You can resolve this by rebooting (Ubuntu recently released some kernel updates so you may need to do this anyway) or by doing the following:
sudo service syslog-ng stop && sudo pkill -9 perl && sudo service syslog-ng start
Rebuilding Indexes
Another issue fixed in this release is that sphinxsearch is now compiled with id64. Previously, we were using the stock Ubuntu package of sphinxsearch which used the CRC32 algorithm and could result in keyword collisions, meaning that you get results that don't actually match what you were searching for. To ensure that all of your indexes are using the new id64 support, you should reindex as follows (note this may take anywhere from minutes to hours):
sudo indexer --rotate --all
Known Issues
If you access ELSA from a browser whose local timezone is not UTC *and* you haven't enabled the use_utc setting in your ELSA Preferences, then each search rolls the From time back the same number of hours as the UTC offset.  For example, suppose your local workstation is set to Eastern time and you login to ELSA and notice that the From defaults to:
2013-05-05 18:01:50

When you then perform a search, the From changes to:
2013-05-05 14:01:50

The workaround is to enable the use_utc setting in your ELSA Preferences (which is probably a good idea anyway to ensure that your timestamps in ELSA match your timestamps in Sguil/Squert/Snorby):
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Preferences

Screenshots
Upgrade Process
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!