Only one week left until the 8-hour Security Onion class in Augusta GA! We still have some seats available, so here's a discount code good for $50 off:
LastMinute51946
For more details and to register, please see:
https://securityonion20131026.eventbrite.com/
Friday, October 18, 2013
Tuesday, October 15, 2013
Squert 1.1.5 package now available
Paul Halliday recently released Squert 1.1.5:
http://www.squertproject.org/
https://github.com/int13h/squert
He also recorded a walkthrough video of some of the new features recently added to Squert:
http://youtu.be/ZOsVw96XM8E
I've packaged Squert 1.1.5 and the package has been tested by the following (thanks!):
Pedro Simoes
JP Bourget
David Zawdie
Release Notes
- Please note that /var/www/squert/.inc/config.php gets overwritten during the update process so if you had previously set sgUser and sgPass to enable transcripts and event classification, you'll need to re-apply those settings.
- Please also note that you may need to Shift-Reload in your browser and/or empty browser cache to ensure you're running the latest Squert javascript.
- Timestamps are displayed in UTC by default, but you can change this by clicking the arrows to the right of the timeline. De-select UTC, then specify your local timezone offset. Then click "Save" to save your preference into the database and click "Update" to refresh the page with the new timestamps. See the "Time Selection" screenshot below.
Screenshots
- Update Process
- OSSEC events now render properly
- Time Selection
- Country Mappings
Issues Resolved
Issue 387: Squert 1.1.5
https://code.google.com/p/security-onion/issues/detail?id=387
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Training
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Want to learn more about Security Onion? Sign up for the upcoming 8-hour class in Augusta GA! Be one of the first 10 students to sign up and you can register at the discounted Early Bird price! For full details and to register, please see:
https://securityonion20131026.eventbrite.com/
Saturday, October 12, 2013
New securityonion-sostat package includes sostat-redacted
The securityonion-sostat package now includes a new script called sostat-redacted which runs sostat and pipes the output to sed, redacting any IPv4 addresses. When you need help from our mailing list and we request that you send redacted sostat output, you can now use sostat-redacted to automatically redact the IPv4 addresses (although there may be additional sensitive info that you still need to redact). Thanks to Steve Fennell for the suggestion!
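As an added illustration of the sed-based approach described above, and of the caveat that other sensitive data survives it, here is a small redaction filter run over constructed sample lines. This is example code, not the securityonion-sostat package's own sostat-redacted script; the x.x.x.x placeholder, the function names and the sample text are assumptions.

```shell
#!/bin/sh
# Added example, not the securityonion-sostat package's own sostat-redacted
# script: an IPv4 redaction filter of the kind the post describes (output
# piped through sed), plus a check for sensitive tokens such a filter misses.
# The sample text below is constructed, not real sostat output.

# Redact every dotted-quad IPv4 address on stdin. The pattern only knows about
# four groups of 1-3 digits, so netmasks are redacted too and a CIDR prefix
# length (e.g. /24) is left in place.
redact_ipv4() {
    sed -E 's/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/x.x.x.x/g'
}

# List tokens that survive redact_ipv4 and may still identify the site:
# MAC addresses and dotted hostnames/FQDNs (file names like suricata.yaml
# will show up too; treat the output as candidates for manual review).
# Prints one unique token per line.
residual_hints() {
    grep -oE '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}|[A-Za-z][A-Za-z0-9-]*(\.[A-Za-z0-9-]+)+' \
        | grep -v '^x\.x\.x\.x$' | sort -u
}

# Constructed sample in the shape of sensor status output.
SAMPLE='Interface eth1  HWaddr 08:00:27:ab:cd:ef  inet addr:192.168.1.50  Mask:255.255.255.0
Sensor sensor01.corp.example  HOME_NET: 192.168.1.0/24,10.0.0.0/8'

echo '--- redacted output ---'
printf '%s\n' "$SAMPLE" | redact_ipv4
echo '--- still worth reviewing ---'
printf '%s\n' "$SAMPLE" | redact_ipv4 | residual_hints
```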
Screenshots
- sostat-redacted automatically redacts IPv4 addresses
Issues Resolved
Issue 402: Create sostat-redacted to automatically redact IP address from sostat output
https://code.google.com/p/security-onion/issues/detail?id=402
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Training
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Want to learn more about Security Onion? Sign up for the upcoming 8-hour class in Augusta GA! Be one of the first 10 students to sign up and you can register at the discounted Early Bird price! For full details and to register, please see:
https://securityonion20131026.eventbrite.com/
Thursday, October 10, 2013
Suricata 1.4.6 package now available
Suricata 1.4.6 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/183--suricata-146-released
I've packaged Suricata 1.4.6 and the new package has been tested by David Zawdie and JP Bourget.
Upgrading
The new package is now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
The Suricata update will do the following:
- back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
- update Suricata to 1.4.6
If you're running Suricata in production, then you'll need to do the following:
- apply your local customizations to the new suricata.yaml
- restart Suricata as follows:
sudo nsm_sensor_ps-restart --only-snort-alert
Screenshots
- Update process
- suricata -V
- Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Training
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Want to learn more about Security Onion? Sign up for the upcoming 8-hour class in Augusta GA! Be one of the first 10 students to sign up and you can register at the discounted Early Bird price! For full details and to register, please see:
https://securityonion20131026.eventbrite.com/
New NSM/Setup Packages now available
New versions of the following packages are now available!
securityonion-nsmnow-admin-scripts
securityonion-setup
Issues Resolved
Issue 376: netsniff-ng: specify ring buffer size
When running Setup and choosing Advanced Setup, you can now specify netsniff-ng's ring buffer size.
https://code.google.com/p/security-onion/issues/detail?id=376
Issue 400: Add option to Advanced Setup to enable netsniff-ng mmap I/O
When running Setup and choosing Advanced Setup, you can now enable mmap I/O for netsniff-ng.
https://code.google.com/p/security-onion/issues/detail?id=400
Issue 394: syslog-ng memory leak
/etc/cron.d/sensor-newday was doing "syslog-ng reload" which was causing a memory leak. It now does a full "syslog-ng restart" to avoid the memory leak.
https://code.google.com/p/security-onion/issues/detail?id=394
Issue 391: Setup should write log file to /tmp and then copy to /var/log/nsm/sosetup.log when done
While Setup is running, you can monitor /tmp/sosetup.log. After Setup has completed, you can find the log at /var/log/nsm/sosetup.log.
https://code.google.com/p/security-onion/issues/detail?id=391
Issue 377: Move Argus config to argus.conf so that users can change without modifying NSM scripts
Each sensor will now have its own argus.conf at /etc/nsm/HOSTNAME-INTERFACE/argus.conf that you can use to customize your Argus configuration.
https://code.google.com/p/security-onion/issues/detail?id=377
Issue 401: ossec_agent.conf should set DAEMON to 0
The default ossec_agent.conf had DAEMON set to 1, but our NSM scripts expect spawned processes to NOT daemonize. The NSM scripts now set DAEMON to 0 in ossec_agent.conf to avoid this.
https://code.google.com/p/security-onion/issues/detail?id=401
Screenshots
- netsniff-ng ring buffer
- netsniff-ng mmap I/O
Thanks
Thanks to Jon Schipp for his work on the netsniff-ng configuration!
Thanks to David Edelman for his work on the Argus configuration!
Thanks to JP Bourget and David Zawdie for testing the new packages!
Upgrading
The new packages are now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
Training
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Want to learn more about Security Onion? Sign up for the upcoming 8-hour class in Augusta GA! Be one of the first 10 students to sign up and you can register at the discounted Early Bird price! For full details and to register, please see:
https://securityonion20131026.eventbrite.com/
Saturday, October 5, 2013
Got DNS visibility?
Jaime Blasco recently wrote a great blog post on using DNS records to identify suspicious domains:
http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records
Here are some other great articles on the power of DNS visibility:
http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/
https://blog.damballa.com/archives/1834/trackback
http://isc.sans.edu/diary.html?storyid=13918
Got Security Onion?
If you currently don't have the kind of DNS visibility described above or are unable to effectively search your DNS logs for anomalies, get Security Onion today!
https://code.google.com/p/security-onion/wiki/Installation
Here's a quick video on using Security Onion to configure Bro and ELSA in minutes to give you DNS visibility and the ability to quickly search, summarize, and look for anomalies:
http://www.youtube.com/watch?v=33HZyIxbg6c&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe
Need Training?
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Want to learn more about Security Onion? Sign up for the upcoming 8-hour class in Augusta GA! Be one of the first 10 students to sign up and you can register at the discounted Early Bird price! For full details and to register, please see:
https://securityonion20131026.eventbrite.com/
Tuesday, October 1, 2013
New Video on OSSEC and ELSA
I just published a quick video on OSSEC and ELSA. In this video, you'll see how quickly you can configure OSSEC and ELSA using Security Onion. We'll then use the ELSA web interface to hunt through OSSEC alerts and all logs received from all OSSEC agents. Also note that you can send standard syslog to ELSA and query those logs as well.
http://www.youtube.com/watch?v=xlRESlq86JI
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology. Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks
Want to learn more about Security Onion? Sign up for the upcoming 8-hour class in Augusta GA! Be one of the first 10 students to sign up and you can register at the discounted Early Bird price! For full details and to register, please see:
https://securityonion20131026.eventbrite.com/