Friday, October 18, 2013

Security Onion class is 1 week away!

Only one week left until the 8-hour Security Onion class in Augusta GA!  We still have some seats available, so here's a discount code good for $50 off:
LastMinute51946

For more details and to register, please see:
https://securityonion20131026.eventbrite.com/

Tuesday, October 15, 2013

Squert 1.1.5 package now available

Paul Halliday recently released Squert 1.1.5:
http://www.squertproject.org/
https://github.com/int13h/squert

He also recorded a walkthrough video of some of the new features recently added to Squert:
http://youtu.be/ZOsVw96XM8E

I've packaged Squert 1.1.5 and the package has been tested by the following (thanks!):
Pedro Simoes
JP Bourget
David Zawdie

Release Notes

  • Please note that /var/www/squert/.inc/config.php gets overwritten during the update process so if you had previously set sgUser and sgPass to enable transcripts and event classification, you'll need to re-apply those settings.
  • Please also note that you may need to Shift-Reload in your browser and/or empty your browser cache to ensure you're running the latest Squert JavaScript.
  • Timestamps are displayed in UTC by default, but you can change this by clicking the arrows to the right of the timeline.  De-select UTC, then specify your local timezone offset.  Then click "Save" to save your preference into the database and click "Update" to refresh the page with the new timestamps.  See the "Time Selection" screenshot below.


Screenshots
Update Process

OSSEC events now render properly

Time Selection 

Country Mappings

Issues Resolved
Issue 387: Squert 1.1.5
https://code.google.com/p/security-onion/issues/detail?id=387

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with the University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Saturday, October 12, 2013

New securityonion-sostat package includes sostat-redacted

The securityonion-sostat package now includes a new script called sostat-redacted which runs sostat and pipes the output to sed, redacting any IPv4 addresses.  When you need help from our mailing list and we request that you send redacted sostat output, you can now use sostat-redacted to automatically redact the IPv4 addresses (although there may be additional sensitive info that you still need to redact).  Thanks to Steve Fennell for the suggestion!

sostat-redacted automatically redacts IPv4 addresses
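
The pipe-to-sed approach described above, as an added example (this is not the sostat-redacted script from the package; the function names, the sed expression and the sample text are assumptions). It also lists what IPv4 redaction leaves behind, since the post notes that other sensitive info may remain:

```shell
#!/bin/sh
# Added example: NOT the sostat-redacted script from securityonion-sostat.
# Function names and the sample text are assumptions made for illustration.

# Replace every dotted-quad IPv4 address on stdin with a fixed placeholder.
# Three-part strings such as version numbers (1.4.6) are left alone.
redact_ipv4() {
    sed -E 's/([0-9]{1,3}\.){3}[0-9]{1,3}/X.X.X.X/g'
}

# List what IPv4 redaction leaves behind: MAC and IPv6 addresses.
# First alternative: 3+ colon-terminated hex groups (MAC, long IPv6).
# Second alternative: compressed IPv6 containing "::" (e.g. fe80::1).
# HH:MM:SS timestamps match neither.
residual_sensitive() {
    grep -Eo '([0-9A-Fa-f]{1,4}:){3,7}[0-9A-Fa-f:]*[0-9A-Fa-f]|([0-9A-Fa-f]{1,4}:)+:[0-9A-Fa-f]{1,4}' |
        sort -u
}

# Constructed sample text (not real sostat output), using documentation
# address ranges.
sample_output() {
    cat <<'EOF'
Sensor: sensor01-eth1
eth1  Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
      inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
      inet6 addr: 2001:db8:0:1::10/64 Scope:Global
Top talker: 198.51.100.7 -> 192.0.2.10
Suricata version 1.4.6
EOF
}

echo "--- redacted ---"
sample_output | redact_ipv4
echo "--- still needs manual review ---"
sample_output | redact_ipv4 | residual_sensitive
```

The sensor name on the first sample line also passes through untouched, so hostnames need the same manual check before output is posted to the mailing list.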

Issues Resolved
Issue 402: Create sostat-redacted to automatically redact IP address from sostat output
https://code.google.com/p/security-onion/issues/detail?id=402

Thursday, October 10, 2013

Suricata 1.4.6 package now available

Suricata 1.4.6 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/183--suricata-146-released

I've packaged Suricata 1.4.6 and the new package has been tested by David Zawdie and JP Bourget.

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

The Suricata update will do the following:

  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.6

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:
    sudo nsm_sensor_ps-restart --only-snort-alert

Update process
suricata -V
Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"

New NSM/Setup Packages now available

New versions of the following packages are now available!
securityonion-nsmnow-admin-scripts
securityonion-setup

Issues Resolved

Issue 376: netsniff-ng: specify ring buffer size
When running Setup and choosing Advanced Setup, you can now specify netsniff-ng's ring buffer size.
https://code.google.com/p/security-onion/issues/detail?id=376

Issue 400: Add option to Advanced Setup to enable netsniff-ng mmap I/O
When running Setup and choosing Advanced Setup, you can now enable mmap I/O for netsniff-ng.
https://code.google.com/p/security-onion/issues/detail?id=400

Issue 394: syslog-ng memory leak
/etc/cron.d/sensor-newday was doing "syslog-ng reload" which was causing a memory leak.  It now does a full "syslog-ng restart" to avoid the memory leak.
https://code.google.com/p/security-onion/issues/detail?id=394

Issue 391: Setup should write log file to /tmp and then copy to /var/log/nsm/sosetup.log when done
While Setup is running, you can monitor /tmp/sosetup.log.  After Setup has completed, you can find the log at /var/log/nsm/sosetup.log.
https://code.google.com/p/security-onion/issues/detail?id=391

Issue 377: Move Argus config to argus.conf so that users can change without modifying NSM scripts
Each sensor will now have its own argus.conf at /etc/nsm/HOSTNAME-INTERFACE/argus.conf that you can use to customize your Argus configuration.
https://code.google.com/p/security-onion/issues/detail?id=377

Issue 401: ossec_agent.conf should set DAEMON to 0
The default ossec_agent.conf had DAEMON set to 1, but our NSM scripts expect spawned processes to NOT daemonize.  The NSM scripts now set DAEMON to 0 in ossec_agent.conf to avoid this.
https://code.google.com/p/security-onion/issues/detail?id=401

Screenshots

netsniff-ng ring buffer

netsniff-ng mmap I/O

Thanks
Thanks to Jon Schipp for his work on the netsniff-ng configuration!
Thanks to David Edelman for his work on the Argus configuration!
Thanks to JP Bourget and David Zawdie for testing the new packages!

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Saturday, October 5, 2013

Got DNS visibility?

Jaime Blasco recently wrote a great blog post on using DNS records to identify suspicious domains:
http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records

Here are some other great articles on the power of DNS visibility:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918

Got Security Onion?

If you currently don't have the kind of DNS visibility described above or are unable to effectively search your DNS logs for anomalies, get Security Onion today!
https://code.google.com/p/security-onion/wiki/Installation

Here's a quick video on using Security Onion to configure Bro and ELSA in minutes to give you DNS visibility and the ability to quickly search, summarize, and look for anomalies:
http://www.youtube.com/watch?v=33HZyIxbg6c&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe

Tuesday, October 1, 2013

New Video on OSSEC and ELSA

I just published a quick video on OSSEC and ELSA. In this video, you'll see how quickly you can configure OSSEC and ELSA using Security Onion.  We'll then use the ELSA web interface to hunt through OSSEC alerts and all logs received from all OSSEC agents.  Also note that you can send standard syslog to ELSA and query those logs as well.
http://www.youtube.com/watch?v=xlRESlq86JI
