Thursday, June 27, 2013

8-hour Security Onion class in Augusta GA on Thursday August 1, 2013


Want to learn more about Security Onion?  Please make plans to attend the upcoming 8-hour class in Augusta GA on Thursday August 1, 2013!  For more details and to register, please see:

Tuesday, June 25, 2013

New securityonion-rule-update package distributes OSSEC local_rules.xml and allows for per-sensor NIDS/HIDS rule tuning

A new version of our securityonion-rule-update package is now available that distributes OSSEC's local_rules.xml from master server to slave sensors by default and also allows for NIDS/HIDS rule tuning per physical sensor.

This update resolves the following issues:
Issue 342: Allow more granular rule tuning (per physical sensor)
Issue 325: rule-update needs to check for privileges
Issue 326: rule-update needs to check for /etc/nsm/rules/backup/
Issue 349: rule-update needs to copy OSSEC local_rules.xml from master to sensor
Issue 353: rule-update should remove unneeded messages from PulledPork output

NIDS Rules
Previously, rule-update in distributed deployments would copy NIDS rules from the master server to slave sensors but wouldn't allow you to tune the ruleset per sensor.  This new version of rule-update allows for ruleset tuning per physical sensor.  If you'd like to enable this, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_NIDS_RULE_TUNING=true
The next time rule-update runs, it should copy the raw NIDS rules from the master server and run Pulledpork locally making changes to the ruleset as you've configured in /etc/nsm/pulledpork/ on the sensor itself.

HIDS Rules
Another change in this new rule-update is that OSSEC's local_rules.xml is now copied from the master server to slave sensors by default.  If local_rules.xml has changed since the previous run of rule-update, it will then automatically restart OSSEC to activate the new configuration.  If you want to tune local_rules.xml per physical sensor, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_HIDS_RULE_TUNING=true
What if I've already modified OSSEC's local_rules.xml on the sensor?  Will my changes be overwritten?
If you had previously tuned OSSEC's local_rules.xml on the sensor itself and don't want those changes to be overwritten when the new version of rule-update runs, set LOCAL_HIDS_RULE_TUNING=true before upgrading the rule-update package.  If you have already upgraded rule-update without setting LOCAL_HIDS_RULE_TUNING=true, your custom local_rules.xml should have been backed up to /var/ossec/rules/local_rules_orig.xml.  You can then set LOCAL_HIDS_RULE_TUNING=true and copy /var/ossec/rules/local_rules_orig.xml to /var/ossec/rules/local_rules.xml.

Thanks
Thanks to Chris White for the granular NIDS rule tuning patch!
Thanks to the following for testing the new package:
David Zawdie
Heine Lysemose

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Github
Found bugs in rule-update or want to add new features?  rule-update is now on github:
https://github.com/Security-Onion/securityonion-rule-update

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, June 24, 2013

New securityonion-sguil-client package now available

I've patched the Sguil client to add "Copy IP Address" to the right-click context menu for IP addresses. So for example, if you find an interesting IP address in Sguil and want to search ELSA for that IP address, you can just right-click the IP address, select "Copy IP Address", select "SrcIP" or "DstIP", and then alt-tab to your ELSA window and paste it in.

Copy IP Address
Thanks
The new package has been tested by the following:
David Zawdie
Heine Lysemose

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, June 17, 2013

8-hour Security Onion class in Augusta GA on Thursday August 1, 2013

Want to learn more about Security Onion?  Please make plans to attend this 8-hour class in Augusta GA on Thursday August 1, 2013!

More details (including cost, location, and registration information) will be posted here soon.  Stay tuned for details!

UPDATE 2013/06/27

Registration is now live!
http://securityonion.eventbrite.com/

Saturday, June 15, 2013

New securityonion-rule-update package

Michal Purzynski fixed a bug in our securityonion-rule-update package (thanks Michal!).  The new package is now available in our stable repo.  If you're running Sourcefire VRT rules in a distributed deployment, we recommend updating to ensure that Shared Object (SO) rules get copied to your distributed sensors properly. 

Feedback
If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!


Monday, June 10, 2013

Security Onion 12.04.1 ISO image now available

We have a new Security Onion 12.04.1 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of June 5, 2013!  It also contains the two new pcap samples packages recently released:
http://securityonion.blogspot.com/2013/05/new-pcap-samples-package-securityonion.html
http://securityonion.blogspot.com/2013/05/new-pcap-samples-package-securityonion_27.html

Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.1 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.1 ISO image.  You can simply continue using the standard Ubuntu package management tools to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, June 7, 2013

New securityonion-pfring-module package now available

We recently released PF_RING 5.5.3 packages:
http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html

Shortly after releasing the packages, we determined that there was a bug in the kernel module.  The PF_RING team patched the kernel module and I've created a new securityonion-pfring-module package which is now available in our stable repo.

To ensure that the PF_RING kernel module is installed before any Ubuntu kernel updates, you may want to install as follows:
sudo apt-get update ; sudo apt-get install securityonion-pfring-module ; sudo apt-get dist-upgrade
For more information, please see our Upgrade page:
https://code.google.com/p/security-onion/wiki/Upgrade

The securityonion-pfring-module package will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module and insert it
  • start all NSM sensor processes

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!