Tuesday, January 21, 2014

Snort 2.9.5.6 and Suricata 1.4.7 packages now available!

The following software was recently released:

Snort 2.9.5.6
http://blog.snort.org/2013/11/snort-2956-is-now-available-on-snortorg.html

Suricata 1.4.7
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/184--suricata-147-released

I've packaged these new releases and the new packages have been tested by JP Bourget and David Zawdie.  Thanks, guys!

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata

You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:
    sudo rule-update
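
The step that bites people is the second one: the upgrade replaces the config and leaves the old copy beside it, so you have to work out which of your settings went away. As an added example (not Security Onion's own code), the script below lists every non-comment line of the .bak that no longer appears verbatim in the new file; those are the settings to carry over before running rule-update. The sample configs are constructed; in a real run you would point it at the .bak and the new file in each sensor directory (the /etc/nsm/<sensor>/ layout assumed in the usage note is an assumption, not something this post states).

```python
"""Added example (not Security Onion code): find the local customizations left
behind in snort.conf.bak / suricata.yaml.bak after an upgrade, so they can be
carried over into the new config before running rule-update."""
import os
import tempfile


def local_customizations(old_path, new_path):
    """Return the lines of old_path that do not occur verbatim in new_path.

    Comments and blank lines are ignored, and identical lines that merely
    moved are not reported. What remains is the set of settings the upgrade
    dropped or changed and that you must re-apply by hand.
    """
    with open(new_path, encoding="utf-8", errors="replace") as f:
        new_lines = {line.rstrip("\n") for line in f}
    kept = []
    with open(old_path, encoding="utf-8", errors="replace") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # comments and blank lines are never "customizations"
            if line not in new_lines:
                kept.append(line)
    return kept


def demo():
    """Run the check on two constructed files (not real Security Onion configs)."""
    old = "\n".join([
        "# Snort config - constructed sample of the pre-upgrade file",
        "ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]",        # local customization
        "var RULE_PATH /etc/nsm/rules",
        "preprocessor frag3_global",
        "output unified2: filename snort.u2, limit 128",     # local customization
    ])
    new = "\n".join([
        "# Snort config - constructed sample of the file the new package ships",
        "ipvar HOME_NET any",
        "var RULE_PATH /etc/nsm/rules",
        "preprocessor frag3_global",
        "preprocessor frag3_engine: policy windows",
    ])
    with tempfile.TemporaryDirectory() as d:
        old_path = os.path.join(d, "snort.conf.bak")
        new_path = os.path.join(d, "snort.conf")
        with open(old_path, "w") as f:
            f.write(old + "\n")
        with open(new_path, "w") as f:
            f.write(new + "\n")
        return local_customizations(old_path, new_path)


if __name__ == "__main__":
    # Real usage (path layout assumed): for each sensor,
    #   local_customizations("/etc/nsm/<sensor>/snort.conf.bak", "/etc/nsm/<sensor>/snort.conf")
    for line in demo():
        print(line)
```

The output is the list of lines to re-apply, in original order; the same function works on suricata.yaml.bak, since YAML comments also start with "#". It does not tell you where in the new file a setting belongs, so review each line against the new file rather than appending it blindly.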

Release Notes
Snort is now compiled with --enable-sourcefire.

Screenshots
"sudo soup" upgrade process
Snort 2.9.5.6 and Suricata 1.4.7

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Sunday, January 12, 2014

New securityonion-sostat package available

I've packaged a new version of sostat that resolves the following issue:

Issue 461: sostat: improve pf_ring output
https://code.google.com/p/security-onion/issues/detail?id=461

The version number of the new package is securityonion-sostat - 20120722-0ubuntu0securityonion13 and it has been tested by the following (thanks!):
David Zawdie

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshot
PF_RING section of sostat output

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Saturday, January 11, 2014

New securityonion-web-page package adds SSH country and status links

I've updated our recently released securityonion-web-page package to add links that will group SSH connections by country and status.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion14.

Issues Resolved

Issue 469: securityonion-web-page: add SSH queries for country and status
https://code.google.com/p/security-onion/issues/detail?id=469

Screenshots
SSH: Top Countries - SSH connections grouped by country code

SSH: Status - Bro heuristically determines if an SSH login attempt succeeded

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, January 10, 2014

New securityonion-web-page package fixes the ELSA Tunnel query

I've updated our recently released securityonion-web-page package to fix the ELSA Tunnel query.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion13.

Issues Resolved

Issue 466: securityonion-web-page: change elsa/menu.php to fix Tunnel query
https://code.google.com/p/security-onion/issues/detail?id=466

Screenshots
Tunnels: Top Tunnels shows the tunnels detected by ELSA

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Wednesday, January 8, 2014

New securityonion-web-page package available

I've updated our securityonion-web-page package.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion12 and has been tested by David Zawdie.

Issues Resolved

Issue 455: securityonion-web-page: update hyperlink
https://code.google.com/p/security-onion/issues/detail?id=455

Issue 456: securityonion-web-page: add example ELSA queries
https://code.google.com/p/security-onion/issues/detail?id=456

This package adds a new URL (https://your.security.onion.hostname/elsa/) that includes a menu on the left with some common ELSA queries.

Screenshots
Connections: Top SRC IPs - Top Source IP Addresses in Bro's conn.log

Connections: Top DST Ports - Top Destination Ports in Bro's conn.log

Connections: Top Services - Top Services Identified in Bro's conn.log

Connections: Port 53 groupby Service - Top Services Identified on Port 53 in Bro's conn.log

DHCP: Top Assigned IPs - Top Assigned IP Addresses seen in Bro's dhcp.log

DNS: Top Requests - Top DNS Requests seen in Bro's dns.log

DNS: Top nxdomain - Top nxdomain Responses seen in Bro's dns.log

Files: MIME Types - Top MIME Types seen in Bro's files.log

Files: Sources - Top Protocol Sources in Bro's files.log

FTP: Top arg - FTP Transactions in Bro's ftp.log

Host Logs: OSSEC Alerts - HIDS Alerts from OSSEC

Host Logs: All OSSEC Logs - Raw Logs from OSSEC (not HIDS Alerts)

Host Logs: Syslog-NG - Standard Syslog received by Syslog-NG

Host Logs: Syslog Detected by Bro - Syslog detected by Bro and logged to syslog.log

HTTP: Top User Agents - Top HTTP User Agents in Bro's http.log

HTTP: Top Sites - Top HTTP Sites in Bro's http.log

HTTP: Sites hosting EXEs - Sites hosting EXEs in Bro's http.log

Notice: Top Notice Types - Top Notice Types found in Bro's notice.log

SMTP: Top Subjects - Top Email Subject Lines in Bro's smtp.log

Snort/Suricata: Top Snort Alerts - Top IDS Alerts from Snort or Suricata

Software: Software Detected by Bro - Top Software Types found in Bro's software.log

Weird: Top Weird Types - Top Traffic Anomalies found in Bro's weird.log
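
Every entry in this menu, and the SSH country and status links added in the January 11 package, is a group-by over one field of a Bro log, sometimes with a filter on another field ("Port 53 groupby Service"). As an added example that is not part of the securityonion-web-page package or ELSA, the script below runs that kind of query directly over Bro's TSV logs, which is useful when you want to check what the ELSA menu is showing you. The conn.log and ssh.log contents are constructed; the ssh.log column names (status, direction, remote_location.country_code) assume the Bro 2.x ssh.log layout and are an assumption, not something this post states.

```python
"""Added example (not Security Onion or ELSA code): ELSA-style groupby queries
run directly over Bro TSV logs. Sample logs below are constructed."""
from collections import Counter

# Constructed conn.log: standard Bro header block, then one record per line.
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1389225600.10\tCa1\t10.0.0.5\t51000\t8.8.8.8\t53\tudp\tdns
1389225600.20\tCa2\t10.0.0.5\t51001\t8.8.8.8\t53\tudp\tdns
1389225600.30\tCa3\t10.0.0.7\t44000\t93.184.216.34\t80\ttcp\thttp
1389225600.40\tCa4\t10.0.0.5\t44001\t93.184.216.34\t80\ttcp\thttp
1389225600.50\tCa5\t10.0.0.9\t60000\t198.51.100.2\t53\ttcp\tssl
#close\t2014-01-08-00-00-00
"""

# Constructed ssh.log; field names assume the Bro 2.x layout (truncated after
# the country code). 'status' is Bro's heuristic success/failure verdict.
SSH_LOG = """#separator \\x09
#unset_field\t-
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tstatus\tdirection\tclient\tserver\tremote_location.country_code
1389225601.0\tCs1\t203.0.113.10\t40001\t10.0.0.22\t22\tfailure\tINBOUND\tSSH-2.0-libssh\tSSH-2.0-OpenSSH_5.9\tCN
1389225602.0\tCs2\t203.0.113.10\t40002\t10.0.0.22\t22\tfailure\tINBOUND\tSSH-2.0-libssh\tSSH-2.0-OpenSSH_5.9\tCN
1389225603.0\tCs3\t198.51.100.77\t40003\t10.0.0.22\t22\tsuccess\tINBOUND\tSSH-2.0-OpenSSH_6.2\tSSH-2.0-OpenSSH_5.9\tUS
1389225604.0\tCs4\t10.0.0.5\t40004\t192.0.2.8\t22\tsuccess\tOUTBOUND\tSSH-2.0-OpenSSH_5.9\tSSH-2.0-OpenSSH_6.2\tDE
"""


def parse_bro_log(text):
    """Parse a Bro TSV log into a list of dicts keyed by the #fields names.

    Header lines start with '#'; the '#fields' line names the columns.
    The unset marker '-' becomes None so it never shows up as a top value.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            if fields is None:
                raise ValueError("record before #fields header")
            values = [None if v == "-" else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records


def top(records, field, n=10, where=None):
    """Count distinct values of `field` (after an optional filter) and return
    the n most common as (value, count) pairs, like an ELSA groupby."""
    counts = Counter(r[field] for r in records
                     if r.get(field) is not None and (where is None or where(r)))
    return counts.most_common(n)


if __name__ == "__main__":
    conn, ssh = parse_bro_log(CONN_LOG), parse_bro_log(SSH_LOG)
    print("Connections: Top SRC IPs   ", top(conn, "id.orig_h"))
    print("Connections: Top DST Ports ", top(conn, "id.resp_p"))
    print("Connections: Top Services  ", top(conn, "service"))
    print("Port 53 groupby Service    ", top(conn, "service",
                                              where=lambda r: r["id.resp_p"] == "53"))
    print("SSH: Top Countries         ", top(ssh, "remote_location.country_code"))
    print("SSH: Status                ", top(ssh, "status"))
```

The "Port 53 groupby Service" query is the one worth understanding: in the constructed data it surfaces an SSL session on port 53, which is exactly the kind of tunnelling that query exists to catch. For a real log, pass the file contents instead of the constants; gzip-compressed rotated logs need to be decompressed first.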


Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, January 7, 2014

New securityonion-elsa-extras package available

Scott Runnels has fixed a bug in the recent securityonion-elsa-extras package.  The updated package version is securityonion-elsa-extras - 20131117-1ubuntu0securityonion28 and has been tested by David Zawdie.

Issues Resolved

Issue 460: Fix tunnel.log entry in syslog-ng.conf
https://code.google.com/p/security-onion/issues/detail?id=460

ELSA now properly captures Bro's tunnel.log

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshot
Update process
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, January 6, 2014

New CapMe package allows you to download PCAP files

I've updated our CapMe package with some new features.

Retrieving PCAPs using CapMe
CapMe now allows you to retrieve the actual pcap file.  There are two ways to do this:

1.  On the CapMe main page, change the Output option to "pcap" and click the "submit" button.  The pcap will automatically download.

2.  If you choose a tcpflow or bro transcript, hyperlinks to the full pcap will be placed at the top and bottom of the transcript page.



Timezone Support
If you had previously configured Snorby to render timestamps in your local timezone, you would have noticed that pivoting to CapMe would not work since CapMe expects the timestamps to be in UTC.

CapMe now supports setting your local timezone so that it can convert timestamps back to UTC and find sessions properly.  Set your local timezone in /var/www/capme/.inc/timezone.php.

Updating
The new package is securityonion-capme - 20121213-0ubuntu0securityonion17 and it resolves the following issues:

Issue 413: Extend CapMe to pull pcap file
https://code.google.com/p/security-onion/issues/detail?id=413

Issue 449: CapMe: add timeout:0 to ELSA query
https://code.google.com/p/security-onion/issues/detail?id=449

Issue 450: CapMe: add support for Snorby timezones
https://code.google.com/p/security-onion/issues/detail?id=450

It has been tested by the following (thanks!):
David Zawdie

The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Release Notes

  • When you submit a CapMe request, it creates a symlink to the actual pcap in /var/www/capme/pcap/.  
  • /etc/cron.d/capme is a cron job that runs every minute and deletes any symlinks in /var/www/capme/pcap/ older than five minutes. 
  • Please be reminded that the management interface of your master server (where CapMe runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
    https://code.google.com/p/security-onion/wiki/Firewall
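
The first two notes describe a mechanism worth checking on your own box: pcaps become reachable through the web server only via short-lived symlinks, and a cron job reaps them. As an added example (not the CapMe package's own cron job or code), the script below does the same reaping with the two properties a reviewer would look for: it removes only symlinks, never a regular file that happens to be in the directory, and it ages each entry by the mtime of the link itself rather than of the pcap it points to, so the underlying capture in the sensor's data store is never touched. The directory layout and file names in the demo are constructed.

```python
"""Added example (not CapMe's own cleanup): reap stale symlinks from a
web-served pcap directory. Only symlinks are removed, judged by the age of
the link itself, so the real pcap is never deleted."""
import os
import tempfile
import time


def prune_stale_symlinks(directory, max_age_s=300):
    """Remove symlinks in `directory` whose own mtime is older than max_age_s.

    stat(follow_symlinks=False) gives the link's mtime, not the target's, so
    a link to an old pcap that was created a second ago survives. Regular
    files are skipped entirely. Returns the sorted names removed.
    """
    removed, now = [], time.time()
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_symlink():
                continue  # never delete a real file that ended up here
            age = now - entry.stat(follow_symlinks=False).st_mtime
            if age > max_age_s:
                os.unlink(entry.path)  # removes the link, not its target
                removed.append(entry.name)
    return sorted(removed)


def demo():
    """Constructed layout: one 'pcap' in a data dir; in the web dir, a fresh
    link, a link backdated ten minutes, and a backdated regular file.
    Returns (removed names, surviving names, pcap still exists)."""
    with tempfile.TemporaryDirectory() as d:
        data, web = os.path.join(d, "nsm"), os.path.join(d, "capme-pcap")
        os.mkdir(data)
        os.mkdir(web)
        pcap = os.path.join(data, "snort.log.1389225600")
        with open(pcap, "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1")  # pcap magic only; constructed
        fresh = os.path.join(web, "fresh.pcap")
        stale = os.path.join(web, "stale.pcap")
        junk = os.path.join(web, "notalink.pcap")
        os.symlink(pcap, fresh)
        os.symlink(pcap, stale)
        with open(junk, "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1")
        old = time.time() - 600
        os.utime(stale, (old, old), follow_symlinks=False)  # backdate the link only
        os.utime(junk, (old, old))                          # old, but not a symlink
        removed = prune_stale_symlinks(web)
        survivors = sorted(os.listdir(web))
        return removed, survivors, os.path.exists(pcap)


if __name__ == "__main__":
    print(demo())
```

The reaper only shortens the exposure window; while a link exists, anyone who can reach the web server can fetch the capture, which is why the third note about restricting the management interface matters more than the five-minute timeout.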

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Thursday, January 2, 2014

Roadmap

Happy New Year!

I've cleaned up our Roadmap page and moved all 2013 activity to its own page for archival purposes:
https://code.google.com/p/security-onion/wiki/2013

The updated Roadmap page for 2014 is here:
https://code.google.com/p/security-onion/wiki/Roadmap
