Want to learn more about Security Onion? Sign up for the upcoming 8-hour class in Augusta GA! Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!
For full details and to register, please see:
https://securityonion20131026.eventbrite.com/
Thursday, September 26, 2013
Tuesday, September 24, 2013
New Security Onion Videos and Log Management class
The video from my recent BSidesAugusta presentation is now available:
http://www.youtube.com/watch?v=l7TSGHvsPJA
I also just published a series of walkthrough videos as well:
https://www.youtube.com/watch?v=dyLbgrdagaA&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
http://www.youtube.com/watch?v=l7TSGHvsPJA
I also just published a series of walkthrough videos as well:
https://www.youtube.com/watch?v=dyLbgrdagaA&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Saturday, September 14, 2013
Security Onion 12.04.3 ISO image now available
We have a new Security Onion 12.04.3 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of September 4, 2013!
Thanks
Thanks to the following for testing the new ISO image!
David Zawdie
Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap
New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.3 ISO image:
https://code.google.com/p/security-onion/wiki/Installation
As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.
Known Issues
The ISO image included an older version of python-zmq introduced by the recent OnionSalt package:
http://securityonion.blogspot.com/2013/09/new-package-onionsalt-now-available-for.html
This can result in the following symptoms:
An updated version of python-zmq is available in our Stable repo that resolves these issues, so you'll want to install all available updates right after installing the ISO.
Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.3 ISO image. You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Training
I'm teaching SANS SEC434 Log Management In-Depth in Memphis TN in October. $200 discount if paid by Wednesday 9/18:
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Thanks
Thanks to the following for testing the new ISO image!
David Zawdie
Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap
New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.3 ISO image:
https://code.google.com/p/security-onion/wiki/Installation
As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.
Known Issues
The ISO image included an older version of python-zmq introduced by the recent OnionSalt package:
http://securityonion.blogspot.com/2013/09/new-package-onionsalt-now-available-for.html
This can result in the following symptoms:
- When running Setup under certain conditions, salt-master will crash resulting in a bug report error in the status bar. You can simply ignore this bug report.
- salt-minions failing to reconnect to salt-master properly.
An updated version of python-zmq is available in our Stable repo that resolves these issues, so you'll want to install all available updates right after installing the ISO.
Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.3 ISO image. You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Training
I'm teaching SANS SEC434 Log Management In-Depth in Memphis TN in October. $200 discount if paid by Wednesday 9/18:
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Thursday, September 12, 2013
New package OnionSalt now available for configuration management
Mike Reeves created OnionSalt, a set of Salt configuration management scripts to manage lots of sensors from your master server. I've packaged OnionSalt and added support for it in Setup.
Please note that Salt is totally optional. If you're happy with your current method of sensor management, then you don't have to install securityonion-onionsalt and nothing will change for you. Should you decide to install securityonion-onionsalt, you get the following features out of the box:
In addition, Salt is a full configuration management system, so you can script anything that you want to deploy across your army of sensors.
Thanks
Thanks to Mike Reeves for developing OnionSalt!
Thanks to the following for testing:
JP Bourget
David Zawdie
Warning
OnionSalt is still considered experimental. You'll want to test in a lab environment before deciding to deploy in production.
Installing
To read more about how to integrate OnionSalt into a new or existing Security Onion deployment, please see our Salt page:
https://code.google.com/p/security-onion/wiki/Salt
Screenshots
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Please note that Salt is totally optional. If you're happy with your current method of sensor management, then you don't have to install securityonion-onionsalt and nothing will change for you. Should you decide to install securityonion-onionsalt, you get the following features out of the box:
- manage user accounts, sudoers, and SSH keys from one location and have it replicate to all sensors
- have sensors check for new IDS rules every 15 minutes, copy files, and restart engines as necessary
In addition, Salt is a full configuration management system, so you can script anything that you want to deploy across your army of sensors.
Thanks
Thanks to Mike Reeves for developing OnionSalt!
Thanks to the following for testing:
JP Bourget
David Zawdie
Warning
OnionSalt is still considered experimental. You'll want to test in a lab environment before deciding to deploy in production.
Installing
To read more about how to integrate OnionSalt into a new or existing Security Onion deployment, please see our Salt page:
https://code.google.com/p/security-onion/wiki/Salt
Screenshots
 |
| Enabling Salt on Master Server via Advanced Setup |
 |
| After completing Setup, verifying that the Master can manage itself |
 |
| Enabling Salt on sensor1 via Advanced Setup |
 |
| After completing Setup, verifying that the Master can now manage both boxes |
 |
| Salt can run arbitrary commands on all boxes at once |
 |
| Adding johndoe to /opt/onionsalt/pillar/users/init.sls |
 |
| Adding johndoe's public key to /opt/onionsalt/salt/users/keys/ |
 |
| Running "sudo salt '*' state.highstate" to push accounts and keys to all boxes |
 |
| Verifying that we can now login using the new account/key |
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Tuesday, September 3, 2013
PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 packages now available!
The following software was recently released:
PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/
Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html
Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/
I've packaged these new releases and the new packages have been tested by David Zawdie. Thanks, David!
UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion
Upgrading
The new packages are now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
These updates will do the following:
You'll then need to do the following:
One change that I've made to our normal Snort config is the PF_RING clustermode. Previously, snort would default to clustermode=2 meaning that PF_RING would hash each stream to a particular Snort instance based solely on src and dst IP. So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests. Each and every "curl testmyids.com" would be sent to the SAME Snort instance since the src and dst IP never change. With the new clustermode=4, the snort instance would be selected based on src/dst IP *and* src/dst port. So each time you do "curl testmyids.com" it will go to a different Snort instance in the PF_RING cluster. This results in more effective load balancing.
Screenshots
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/
Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html
Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/
I've packaged these new releases and the new packages have been tested by David Zawdie. Thanks, David!
UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion
Upgrading
The new packages are now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
These updates will do the following:
- stop all NSM sensor processes
- terminate any remaining processes using PF_RING
- remove the existing PF_RING module
- build the new PF_RING module
- start all NSM sensor processes
- back up each of your existing snort.conf files to snort.conf.bak
- update Snort
- back up each of your existing suricata.yaml files to suricata.yaml.bak
- update Suricata
You'll then need to do the following:
- apply your local customizations to the new snort.conf or suricata.yaml files
- update ruleset and restart Snort/Suricata as follows:
sudo rule-updateNotes
One change that I've made to our normal Snort config is the PF_RING clustermode. Previously, snort would default to clustermode=2 meaning that PF_RING would hash each stream to a particular Snort instance based solely on src and dst IP. So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests. Each and every "curl testmyids.com" would be sent to the SAME Snort instance since the src and dst IP never change. With the new clustermode=4, the snort instance would be selected based on src/dst IP *and* src/dst port. So each time you do "curl testmyids.com" it will go to a different Snort instance in the PF_RING cluster. This results in more effective load balancing.
Screenshots
 |
| "sudo soup" upgrade process |
 |
| PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 |
 |
| Updating ruleset and restarting Snort/Suricata using "sudo rule-update" |
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!