Want to learn more about Security Onion? Please make plans to attend the upcoming 8-hour class in Augusta GA on Thursday August 1, 2013! For more details and to register, please see:
Thursday, June 27, 2013
Tuesday, June 25, 2013
New securityonion-rule-update package distributes OSSEC local_rules.xml and allows for per-sensor NIDS/HIDS rule tuning
A new version of our securityonion-rule-update package is now available that distributes OSSEC's local_rules.xml from master server to slave sensors by default and also allows for NIDS/HIDS rule tuning per physical sensor.
This update resolves the following issues:
Issue 342: Allow more granular rule tuning (per physical sensor)
Issue 325: rule-update needs to check for privileges
Issue 326: rule-update needs to check for /etc/nsm/rules/backup/
Issue 349: rule-update needs to copy OSSEC local_rules.xml from master to sensor
Issue 353: rule-update should remove unneeded messages from PulledPork output
NIDS Rules
Previously, rule-update in distributed deployments would copy NIDS rules from the master server to slave sensors but wouldn't allow you to tune the ruleset per sensor. This new version of rule-update allows for ruleset tuning per physical sensor. If you'd like to enable this, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_NIDS_RULE_TUNING=true
The next time rule-update runs, it should copy the raw NIDS rules from the master server and run PulledPork locally, making changes to the ruleset as you've configured in /etc/nsm/pulledpork/ on the sensor itself.
HIDS Rules
Another change in this new rule-update is that OSSEC's local_rules.xml is now copied from the master server to slave sensors by default. If local_rules.xml has changed since the previous run of rule-update, it will then automatically restart OSSEC to activate the new configuration. If you want to tune local_rules.xml per physical sensor, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_HIDS_RULE_TUNING=true
What if I've already modified OSSEC's local_rules.xml on the sensor? Will my changes be overwritten?
If you had previously tuned OSSEC's local_rules.xml on the sensor itself and don't want those changes to be overwritten when the new version of rule-update runs, set LOCAL_HIDS_RULE_TUNING=true before upgrading the rule-update package. If you have already upgraded rule-update without setting LOCAL_HIDS_RULE_TUNING=true, your custom local_rules.xml should have been backed up to /var/ossec/rules/local_rules_orig.xml. You can then set LOCAL_HIDS_RULE_TUNING=true and copy /var/ossec/rules/local_rules_orig.xml to /var/ossec/rules/local_rules.xml.
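As an added example (not code from the securityonion-rule-update package itself), the shell function below models the decision described above for OSSEC's local_rules.xml on a slave sensor: honour LOCAL_HIDS_RULE_TUNING, back up a sensor-local file to local_rules_orig.xml before the first overwrite, and report whether OSSEC needs a restart. It assumes the copy pulled from the master has already been placed at the path given as the second argument, and it only reports the restart rather than performing it.

```bash
#!/bin/bash
# Illustrative model of rule-update's HIDS sync step (not the project's code).
# Arguments: securityonion.conf, the local_rules.xml copy pulled from the
# master (its location on the sensor is an assumption here), and the
# sensor's live /var/ossec/rules/local_rules.xml.
# Prints: skip (local tuning enabled), unchanged, or updated (restart OSSEC).
sync_hids_rules() {
    local conf="$1" master_copy="$2" live="$3"
    local tuning
    # Read LOCAL_HIDS_RULE_TUNING from the conf; treat a missing key as false.
    tuning=$(grep -E '^LOCAL_HIDS_RULE_TUNING=' "$conf" 2>/dev/null | tail -n1 | cut -d= -f2)
    if [ "$tuning" = "true" ]; then
        # Sensor keeps its own local_rules.xml; never touch it.
        echo skip
        return 0
    fi
    if [ -f "$live" ] && cmp -s "$master_copy" "$live"; then
        # Same content as last run: no copy, no restart.
        echo unchanged
        return 0
    fi
    # Preserve a sensor-tuned file once, as local_rules_orig.xml next to it,
    # so the operator can recover it after enabling local tuning.
    local orig
    orig="$(dirname "$live")/local_rules_orig.xml"
    if [ -f "$live" ] && [ ! -f "$orig" ]; then
        cp -p "$live" "$orig"
    fi
    cp "$master_copy" "$live"
    echo updated
}

# Stand-alone usage:
#   sync_hids_rules /etc/nsm/securityonion.conf <master-copy> /var/ossec/rules/local_rules.xml
if [ $# -eq 3 ]; then
    sync_hids_rules "$@"
fi
```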
Thanks
Thanks to Chris White for the granular NIDS rule tuning patch!
Thanks to the following for testing the new package:
David Zawdie
Heine Lysemose
Upgrading
The new package is now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Github
Found bugs in rule-update or want to add new features? rule-update is now on github:
https://github.com/Security-Onion/securityonion-rule-update
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Monday, June 24, 2013
New securityonion-sguil-client package now available
I've patched the Sguil client to add "Copy IP Address" to the right-click context menu for IP addresses. So for example, if you find an interesting IP address in Sguil and want to search ELSA for that IP address, you can just right-click the IP address, select "Copy IP Address", select "SrcIP" or "DstIP", and then alt-tab to your ELSA window and paste it in.
Thanks
The new package has been tested by the following:
David Zawdie
Heine Lysemose
Upgrading
The new package is now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Monday, June 17, 2013
8-hour Security Onion class in Augusta GA on Thursday August 1, 2013
Want to learn more about Security Onion? Please make plans to attend this 8-hour class in Augusta GA on Thursday August 1, 2013!
More details (including cost, location, and registration information) will be posted here soon. Stay tuned for details!
UPDATE 2013/06/27
Registration is now live!
http://securityonion.eventbrite.com/
Saturday, June 15, 2013
New securityonion-rule-update package
Michal Purzynski fixed a bug in our securityonion-rule-update package (thanks Michal!). The new package is now available in our stable repo. If you're running Sourcefire VRT rules in a distributed deployment, we recommend updating to ensure that Shared Object (SO) rules get copied to your distributed sensors properly.
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Monday, June 10, 2013
Security Onion 12.04.1 ISO image now available
We have a new Security Onion 12.04.1 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of June 5, 2013! It also contains the two new pcap samples packages recently released:
http://securityonion.blogspot.com/2013/05/new-pcap-samples-package-securityonion.html
http://securityonion.blogspot.com/2013/05/new-pcap-samples-package-securityonion_27.html
Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap
New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.1 ISO image:
https://code.google.com/p/security-onion/wiki/Installation
As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.
Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.1 ISO image. You can simply continue using the standard Ubuntu package management tools to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Friday, June 7, 2013
New securityonion-pfring-module package now available
We recently released PF_RING 5.5.3 packages:
http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html
Shortly after releasing the packages, we determined that there was a bug in the kernel module. The PF_RING team patched the kernel module and I've created a new securityonion-pfring-module package which is now available in our stable repo.
To ensure that the PF_RING kernel module is installed before any Ubuntu kernel updates, you may want to install as follows:
sudo apt-get update ; sudo apt-get install securityonion-pfring-module ; sudo apt-get dist-upgrade
For more information, please see our Upgrade page:
https://code.google.com/p/security-onion/wiki/Upgrade
The securityonion-pfring-module package will do the following:
- stop all NSM sensor processes
- terminate any remaining processes using PF_RING
- remove the existing PF_RING module
- build the new PF_RING module and insert it
- start all NSM sensor processes
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!