Thursday, September 26, 2013

Security Onion Training in Augusta GA on Saturday October 26

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!

For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Tuesday, September 24, 2013

New Security Onion Videos and Log Management class

The video from my recent BSidesAugusta presentation is now available:
http://www.youtube.com/watch?v=l7TSGHvsPJA

I also just published a series of walkthrough videos as well:
https://www.youtube.com/watch?v=dyLbgrdagaA&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe

Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Saturday, September 14, 2013

Security Onion 12.04.3 ISO image now available

We have a new Security Onion 12.04.3 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of September 4, 2013!

Thanks
Thanks to the following for testing the new ISO image!
David Zawdie

Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.3 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

Known Issues
The ISO image included an older version of python-zmq introduced by the recent OnionSalt package:
http://securityonion.blogspot.com/2013/09/new-package-onionsalt-now-available-for.html

This can result in the following symptoms:

  • When running Setup under certain conditions, salt-master will crash resulting in a bug report error in the status bar.  You can simply ignore this bug report.
  • salt-minions failing to reconnect to salt-master properly.

An updated version of python-zmq is available in our Stable repo that resolves these issues, so you'll want to install all available updates right after installing the ISO.

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.3 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
I'm teaching SANS SEC434 Log Management In-Depth in Memphis TN in October.  $200 discount if paid by Wednesday 9/18:
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Thursday, September 12, 2013

New package OnionSalt now available for configuration management

Mike Reeves created OnionSalt, a set of Salt configuration management scripts to manage lots of sensors from your master server.  I've packaged OnionSalt and added support for it in Setup.

Please note that Salt is totally optional.  If you're happy with your current method of sensor management, then you don't have to install securityonion-onionsalt and nothing will change for you.  Should you decide to install securityonion-onionsalt, you get the following features out of the box:

  • manage user accounts, sudoers, and SSH keys from one location and have it replicate to all sensors
  • have sensors check for new IDS rules every 15 minutes, copy files, and restart engines as necessary


In addition, Salt is a full configuration management system, so you can script anything that you want to deploy across your army of sensors.

Thanks
Thanks to Mike Reeves for developing OnionSalt!
Thanks to the following for testing:
JP Bourget
David Zawdie

Warning
OnionSalt is still considered experimental.  You'll want to test in a lab environment before deciding to deploy in production.

Installing
To read more about how to integrate OnionSalt into a new or existing Security Onion deployment, please see our Salt page:
https://code.google.com/p/security-onion/wiki/Salt

Screenshots
Enabling Salt on Master Server via Advanced Setup

After completing Setup, verifying that the Master can manage itself

Enabling Salt on sensor1 via Advanced Setup

After completing Setup, verifying that the Master can now manage both boxes

Salt can run arbitrary commands on all boxes at once
Adding johndoe to /opt/onionsalt/pillar/users/init.sls

Adding johndoe's public key to /opt/onionsalt/salt/users/keys/

Running "sudo salt '*' state.highstate" to push accounts and keys to all boxes

Verifying that we can now login using the new account/key

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, September 3, 2013

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 packages now available!

The following software was recently released:

PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/

Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html

Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/

I've packaged these new releases and the new packages have been tested by David Zawdie.  Thanks, David!

UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes
  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata


You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:

sudo rule-update
Notes
One change that I've made to our normal Snort config is the PF_RING clustermode.  Previously, snort would default to clustermode=2 meaning that PF_RING would hash each stream to a particular Snort instance based solely on src and dst IP.  So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests.  Each and every "curl testmyids.com" would be sent to the SAME Snort instance since the src and dst IP never change. With the new clustermode=4, the snort instance would be selected based on src/dst IP *and* src/dst port.  So each time you do "curl testmyids.com" it will go to a different Snort instance in the PF_RING cluster.  This results in more effective load balancing.

Screenshots
"sudo soup" upgrade process

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!