Thursday, July 25, 2013

Security Onion 12.04.2 ISO image now available

We have a new Security Onion 12.04.2 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of July 17, 2013!

Thanks
Thanks to the following for testing the new ISO image!
David Zawdie
JP Bourget

Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.2 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.2 ISO image.  You can simply continue using the standard Ubuntu package management tools to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!
http://securityonion.eventbrite.com/

Monday, July 22, 2013

New securityonion-sguil-server package changes CapMe to use Bro transcript option

A new version of our securityonion-sguil-server package is now available that changes the CapMe web interface to render transcripts using the new Bro transcript option:
http://securityonion.blogspot.com/2013/07/new-securityonion-sguil-client-and.html

This update resolves the following issue:
Issue 367: CapMe should use the new Bro transcript option

Thanks
Thanks to David Zawdie for testing the new package!

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new packages, you'll need to restart sguild:
sudo nsm_server_ps-restart

Screenshots
[Screenshot: New Bro option unzips any gzip encoded server responses]

Monday, July 15, 2013

New securityonion-sguil-client and securityonion-sguil-server packages include Bro Transcript functionality

New versions of our securityonion-sguil-client and securityonion-sguil-server packages are now available that add a new "Bro" option to the Sguil client's right-click context menu.  This option will run the pcap through a Bro script that will mimic the existing tcpflow transcript option but with a couple of very important changes:

  • any gzipped server responses are automatically unzipped
  • transcripts are rendered for not only tcp but also udp traffic


This update resolves the following issue:
Issue 347: New Sguil client transcript option to run through tcpudpflow.bro

Thanks
Thanks to Scott Runnels for his work on the Bro script and changes to the sguil packages!
Thanks to the following for testing the new packages!
Matt Gregory
David Zawdie

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new packages, you'll need to restart sguild:
sudo nsm_server_ps-restart

Screenshots
[Screenshot: Upgrade Process]
[Screenshot: Restarting sguild]
[Screenshot: Existing Transcript option, which doesn't handle gzip encoded server responses]
[Screenshot: New Bro option, which unzips any gzip encoded server responses]

Saturday, July 13, 2013

New NSM and Setup packages allow you to enable/disable sensor services

New versions of our securityonion-nsmnow-admin-scripts and securityonion-setup packages are now available that allow you to enable/disable sensor services.  When you run Setup, choosing "Quick Setup" will still default to running all sensor services, but if you choose "Advanced Setup", you'll be prompted to select which sensor processes to enable/disable:

  • IDS Engine
  • Bro
  • http_agent
  • Argus
  • Prads
  • Full Packet Capture

Your choices are then written into configuration files as follows:

/etc/nsm/securityonion.conf:
BRO_ENABLED=yes

/etc/nsm/HOSTNAME-INTERFACE/sensor.conf:
PCAP_ENABLED="yes"
PCAP_AGENT_ENABLED="yes"
SNORT_AGENT_ENABLED="yes"
IDS_ENGINE_ENABLED="yes"
BARNYARD2_ENABLED="yes"
PRADS_ENABLED="yes"
SANCP_AGENT_ENABLED="yes"
PADS_AGENT_ENABLED="yes"
ARGUS_ENABLED="yes"
HTTP_AGENT_ENABLED="yes"

Disabling Services after Setup
If you've already run Setup and want to disable a certain sensor service, you can simply stop the running service and then change the corresponding config value from "yes" to "no" to prevent it from restarting the next time the NSM scripts are run.

For example, suppose you access Bro's HTTP logs via ELSA, so you want to disable http_agent to prevent those HTTP logs from being duplicated into the Sguil database.  You would first stop the running http_agent service:
sudo nsm_sensor_ps-stop --only-http-agent
You would then edit /etc/nsm/HOSTNAME-INTERFACE/sensor.conf and change:
HTTP_AGENT_ENABLED="yes"
to:
HTTP_AGENT_ENABLED="no"
to prevent http_agent from restarting the next time the NSM scripts are run.  A quick way to do this for all /etc/nsm/*/sensor.conf files on one box is to use the sed command as follows:
sudo sed -i 's|HTTP_AGENT_ENABLED="yes"|HTTP_AGENT_ENABLED="no"|g' /etc/nsm/*/sensor.conf
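As an added example (not a script from the Security Onion project), a small POSIX shell helper that performs the same sed change across every sensor.conf and then reads each file back to confirm the flag really changed, which a blind sed does not tell you; the sensor directory name sensor1-eth1 and the file contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion's own script: flip one *_ENABLED flag in every
# sensor.conf below an NSM directory and verify the result afterwards.
# Assumes the flag format shown above, e.g. HTTP_AGENT_ENABLED="yes".

# Print the current value of flag $2 in sensor.conf $1 (empty if the flag is absent).
get_sensor_flag() {
    sed -n "s|^$2=\"\([a-z]*\)\".*|\1|p" "$1" | tail -n 1
}

# Set flag $1 to $2 (yes|no) in every $3/*/sensor.conf; $3 defaults to /etc/nsm.
# Returns 1 if any file still disagrees afterwards (e.g. the flag was never present).
set_sensor_flag() {
    flag="$1"; value="$2"; nsmdir="${3:-/etc/nsm}"; rc=0
    case "$value" in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    for f in "$nsmdir"/*/sensor.conf; do
        [ -f "$f" ] || continue
        sed -i "s|^${flag}=\"[a-z]*\"|${flag}=\"${value}\"|" "$f"
        if [ "$(get_sensor_flag "$f" "$flag")" != "$value" ]; then
            echo "$f: $flag not set to $value" >&2; rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed sensor.conf in a temporary directory (never touches /etc/nsm).
# On a real sensor the sequence is: sudo nsm_sensor_ps-stop --only-http-agent,
# then set_sensor_flag HTTP_AGENT_ENABLED no /etc/nsm.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sensor1-eth1"
printf 'PCAP_ENABLED="yes"\nHTTP_AGENT_ENABLED="yes"\n' > "$demo_dir/sensor1-eth1/sensor.conf"
set_sensor_flag HTTP_AGENT_ENABLED no "$demo_dir"
echo "http_agent now: $(get_sensor_flag "$demo_dir/sensor1-eth1/sensor.conf" HTTP_AGENT_ENABLED)"
rm -rf "$demo_dir"
```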

Example Screenshots
[Screenshot: Stopping the running service]
[Screenshot: Disabling the service]
[Screenshot: Service now disabled]
Issues Resolved
These updates resolve the following issues:
Issue 312: Update NSM scripts to allow $SERVICE=yes/no in securityonion.conf and/or sensor.conf
Issue 313: Update Setup so that Advanced Setup asks about enabling/disabling individual services
Issue 268: Update NSM scripts so that OSSEC and Bro sections respect --sensor-name option
Issue 351: Update /etc/init/securityonion.conf to start Xplico (controlled by user in /etc/nsm/securityonion.conf)

Thanks
Thanks to Karolis Cepulis for submitting a patch for Issue 268!
Thanks to the following for testing the new packages!
Matt Gregory
Michal Purzynski

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thursday, July 11, 2013

New securityonion-bro-scripts and securityonion-capme packages

A new version of our securityonion-bro-scripts package is now available that extends Bro's conn.log to include the hostname and interface that saw the connection.  In addition, a new version of our securityonion-capme package automatically determines if you're pivoting from ELSA and, if so, queries Bro's conn.log via ELSA for the source and destination IP/port.  It then parses the hostname/interface out of the result to locate the pcap and render the transcript.  The net result of these changes is that pivoting to CapMe from ELSA no longer depends on the prads session data in the Sguil sancp table.

This update resolves the following issue:
Issue 348: Update CapME with a new option to query Bro conn.log via ELSA

Thanks
Thanks to the following for testing the new packages!
Matt Gregory
David Zawdie
Michal Purzynski

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new packages, you'll need to restart Bro:
sudo broctl restart

Screenshots
[Screenshot: Upgrade Process]
[Screenshot: Restarting Bro using "sudo broctl restart"]
[Screenshot: When pivoting from ELSA, CapMe now defaults to searching ELSA instead of the sancp table]
[Screenshot: CapMe Transcript]

Wednesday, July 10, 2013

New securityonion-sguil-db-purge package terminates orphaned sguild processes

A new version of our securityonion-sguil-db-purge package is now available that will automatically terminate any orphaned sguild processes.

This update resolves the following issue:
Issue 359: nsm_server_ps-restart --if-stale leaves orphaned sguild processes

Thanks
Thanks to David Zawdie for testing the new package!

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Tuesday, July 9, 2013

New NSM and Setup packages allow for changing the default 90% disk usage threshold

New versions of our securityonion-nsmnow-admin-scripts and securityonion-setup packages are now available that allow you to change our default 90% disk usage threshold.  When you run Setup, it will still default to purging old logs when disk usage hits 90%.  Choosing "Advanced Setup" will prompt you to specify your own disk usage threshold:
[Screenshot: Advanced Setup prompts for disk usage threshold]
This setting is then written into /etc/nsm/securityonion.conf as CRIT_DISK_USAGE, where it is sourced by /usr/sbin/nsm_sensor_clean when the hourly cronjob runs.

If you've already run Setup and want to change the default 90% disk usage threshold, you can simply set the value in /etc/nsm/securityonion.conf.
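An added example, not the project's nsm_sensor_clean: the same threshold decision, but reading CRIT_DISK_USAGE by parsing that one key instead of sourcing the whole file, and falling back to the 90% default when the value is missing or outside 1..99. The conf file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion's nsm_sensor_clean: read CRIT_DISK_USAGE from a
# securityonion.conf-style file by parsing that single key rather than sourcing the
# file, fall back to 90, and reject values outside 1..99 before comparing with df.

# Print the effective threshold from conf file $1 (90 if missing or invalid).
read_crit_disk_usage() {
    v=$(sed -n 's|^CRIT_DISK_USAGE=["]\{0,1\}\([0-9]\{1,\}\)["]\{0,1\}[[:space:]]*$|\1|p' "$1" 2>/dev/null | tail -n 1)
    if [ -z "$v" ] || [ "$v" -lt 1 ] || [ "$v" -gt 99 ]; then
        echo 90
    else
        echo "$v"
    fi
}

# True when usage percentage $1 has reached threshold $2 (the purge condition).
usage_over_threshold() { [ "$1" -ge "$2" ]; }

# Current usage percentage of the filesystem holding path $1, via df.
current_usage_pct() { df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'; }

# Combine both: $1 = securityonion.conf, $2 = path to check (e.g. /nsm).
disk_needs_purge() {
    usage_over_threshold "$(current_usage_pct "$2")" "$(read_crit_disk_usage "$1")"
}

# Demo on a constructed conf file; checks the filesystem holding the current directory.
demo_conf=$(mktemp)
printf 'CRIT_DISK_USAGE=85\n' > "$demo_conf"
echo "threshold: $(read_crit_disk_usage "$demo_conf")%"
if disk_needs_purge "$demo_conf" .; then echo "purge would run"; else echo "below threshold"; fi
rm -f "$demo_conf"
```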

These updates resolve the following issues:
Issue 315: Update NSM scripts so that WARN_DISK_USAGE and CRIT_DISK_USAGE are configurable by user
Issue 358: Update Setup so that Advanced Setup asks about CRIT_DISK_USAGE

Thanks
Thanks to Karolis Cepulis for the nsm_sensor_clean patch!
Thanks to David Zawdie for testing the new package!

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Monday, July 8, 2013

Suricata 1.4.3 package now available

Suricata 1.4.3 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/178-suricata-143-released

I've packaged Suricata 1.4.3 and the new package has been tested by the following (thanks!):
David Zawdie

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

The Suricata update will do the following:

  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.3

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:

sudo nsm_sensor_ps-restart --only-snort-alert

[Screenshot: Upgrading Suricata]
[Screenshot: suricata -V]
[Screenshot: Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"]

Wednesday, July 3, 2013

New NSM and Setup packages allow for changing the default netsniff-ng PCAP size

New versions of our securityonion-nsmnow-admin-scripts and securityonion-setup packages are now available that allow you to change our default 150MB netsniff-ng PCAP size.  When you run Setup, it will still default to 150MB.  Choosing "Advanced Setup" will prompt you to specify your own PCAP_SIZE:
[Screenshot: Advanced Setup prompts for PCAP size]
This PCAP_SIZE option is then placed into /etc/nsm/HOSTNAME-INTERFACE/sensor.conf where it is sourced by the NSM scripts when they start netsniff-ng.

If you've already run Setup and want to change the default 150MB PCAP size, you can add the PCAP_SIZE option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf.  Please note that netsniff-ng accepts the following units for PCAP_SIZE:
  • KiB
  • MiB
  • GiB

So if you want to increase your PCAPs to 500MB, you would add the following option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf:
PCAP_SIZE=500MiB

Then restart netsniff-ng as follows:
sudo nsm_sensor_ps-restart --only-pcap
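An added example that is not part of the NSM scripts: a validator for the PCAP_SIZE value that accepts only the three units listed above and converts the value to bytes, so a value such as 500MB or a bare 500 is caught before it is written to sensor.conf. The sample values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of Security Onion's NSM scripts: validate a PCAP_SIZE value as
# it would be written in sensor.conf and convert it to bytes. netsniff-ng accepts only
# KiB, MiB and GiB here, so anything else is rejected before it reaches the sensor.

# Print the byte count for $1 (e.g. 500MiB -> 524288000); return 1 if invalid.
pcap_size_to_bytes() {
    size="$1"
    num=${size%[KMG]iB}       # strip a trailing KiB/MiB/GiB, if present
    unit=${size#"$num"}       # whatever was stripped is the unit
    case "$num" in '' | *[!0-9]*) return 1 ;; esac
    case "$unit" in
        KiB) mult=1024 ;;
        MiB) mult=1048576 ;;
        GiB) mult=1073741824 ;;
        *)   return 1 ;;      # MB, GB or no unit: not accepted by netsniff-ng
    esac
    echo $((num * mult))
}

# Print the sensor.conf line for $1 only if the value is valid; return 1 otherwise.
pcap_size_line() {
    pcap_size_to_bytes "$1" > /dev/null || return 1
    echo "PCAP_SIZE=$1"
}

# Demo with constructed values: two valid sizes, the 150MiB default, and two mistakes.
for v in 150MiB 500MiB 1GiB 500MB 500; do
    if bytes=$(pcap_size_to_bytes "$v"); then
        echo "$v ok: $bytes bytes, line: $(pcap_size_line "$v")"
    else
        echo "$v rejected"
    fi
done
```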
Also, I've seen some intermittent cases where pcap_agent fails to start right after running Setup, so I've added a 5-second delay between starting netsniff-ng and starting pcap_agent to help ensure that netsniff-ng is fully initialized.

These updates resolve the following issues:
Issue 341: nsm_sensor_ps-start needs "sleep 5s" between netsniff-ng and pcap_agent
Issue 314: Update NSM scripts so that netsniff-ng pcap size is configurable by user

Thanks
Thanks to JP Bourget for the NSM/Setup patches for setting the PCAP size!
Thanks to the following for testing the new package:
Matt Gregory
Liam Randall
David Zawdie

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
