Friday, February 28, 2014

Security Onion 12.04.4 ISO image now available

We have a new Security Onion 12.04.4 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of February 21, 2014!

Changes since 12.04.3 ISO

The new 12.04.4 ISO image has all Ubuntu and Security Onion updates as of February 21, 2014, including:

  • Linux kernel 3.2.0-59
  • Snort 2.9.5.6
  • Suricata 1.4.7
  • Bro 2.2
  • ELSA 1.5
  • Squert 1.2.0
  • CapMe
  • securityonion-web-page (ELSA query page at https://onion/elsa)
  • Setup
  • sostat
  • NSM scripts
  • ET ruleset (/etc/nsm/rules/downloaded.rules)

Changes in the ISO Image Itself

The new 12.04.4 ISO image resolves a few issues in the ISO image itself:

  • boot menu: the Install option never really worked right and has been removed, so that folks choose one of the Live options instead; those still let you run the Installer, but also let you check hardware and read the README first
  • boot menu: added "nomodeset" option since some folks needed that to boot on certain video chipsets
  • after choosing an option on the boot menu, the Xubuntu boot progress indicator has been replaced with a Security Onion boot progress indicator
  • unnecessary shortcuts have been removed from the Live desktop so that users don't try to run Setup before running the Installer
  • previously, if you ran "sudo service nsm status" before running Setup, you'd get an error message.  This has been resolved.
  • salt-master and salt-minion were previously enabled on ISO boot, which resulted in lots of DNS lookups for "salt" (the default master hostname that salt-minion tries to resolve).  They are now disabled by default (you can still enable them during Setup of course).
  • byobu is now included by default:
    https://help.ubuntu.com/community/Byobu

In short, it's the best release ever!

Screenshots
Boot menu (Install option has been removed and replaced with "nomodeset" option)

Security Onion boot progress indicator

Removed extraneous icons from Live desktop 

Byobu is now installed by default

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.4 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.  Here's the MD5 for this release; a match tells you the download was not corrupted or swapped in transit, provided you take the expected value from the project's own page over HTTPS rather than from the mirror or torrent that served the image:
4107d6b6c469b27014da7ce26f249e5e
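As an added example (not from the Installation guide or the Security Onion project), here is a small POSIX shell routine that computes the MD5 of a downloaded file and compares it, case-insensitively, with the published value.  The only value taken from this post is the checksum above; the ISO filename in the usage line is a placeholder, and the tool fallbacks cover Ubuntu (md5sum), BSD/macOS (md5) and openssl.

```shell
#!/bin/sh
# Published checksum from the post (MD5 for the 12.04.4 ISO).
EXPECTED_ISO_MD5=4107d6b6c469b27014da7ce26f249e5e

# Print the MD5 of a file using whichever tool is available: coreutils
# md5sum on Ubuntu, the md5 command on BSD/macOS, or openssl as a last resort.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  elif command -v md5 >/dev/null 2>&1; then
    md5 -q "$1"
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

# Return 0 if the file's MD5 equals the expected value, 1 otherwise.
# The comparison is case-insensitive because checksums are sometimes
# published in upper case.
verify_md5() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(md5_of "$file" | tr 'A-Z' 'a-z')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file"
    return 0
  fi
  echo "MISMATCH: $file expected $expected got $actual" >&2
  return 1
}

# Usage: sh verify-iso.sh /path/to/downloaded.iso "$EXPECTED_ISO_MD5"
# (the ISO path is a placeholder; substitute the file you downloaded)
if [ $# -eq 2 ]; then
  verify_md5 "$1" "$2"
fi
```

A non-zero exit status on mismatch makes the check usable in a download script, so a bad image is never passed on to the burner or hypervisor.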

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.4 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Thanks

Thanks to George Jones for creating the torrent for the new ISO image!

Thanks to the following for testing the new ISO image!
Matt Gregory
David Zawdie
Heine Lysemose
JP Bourget

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Training
There will be a 2-day Security Onion class in Houston on May 8-9.  Stay tuned for further details!

Friday, February 21, 2014

New securityonion-squert package updates to Squert 1.2.0

Paul Halliday recently released Squert 1.2.0:
http://www.squertproject.org/
https://github.com/int13h/squert

He also recorded a couple of videos showcasing some of the new features recently added to Squert:
Changes v1.1.6: http://www.youtube.com/watch?v=_eheJv0MJDY
Changes v1.1.9: http://www.youtube.com/watch?v=QkgrigopfQA

I've packaged Squert 1.2.0 as securityonion-squert - 20140216-0ubuntu0securityonion2 and the package has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
Matt Gregory

Issues Resolved

Issue 448: When changing time zone in Squert, it needs to revert to UTC when requesting transcripts
https://code.google.com/p/security-onion/issues/detail?id=448

Release Notes

  • When you update the package, it will copy new files into place and then display "Updating database".  Please do not cancel or interrupt this process.
  • You no longer have to hardcode your Sguil credentials in config.php.
  • You may need to Shift-Reload in your browser and/or empty browser cache to ensure you're running the latest Squert javascript.
  • Timestamps are displayed in UTC by default, but you can change this by clicking the arrows to the right of the timeline.  De-select UTC, then specify your local timezone offset.  Then click the "save TZ" button to save your preference into the database and click "Update" to refresh the page with the new timestamps.

Screenshots
Do not cancel or interrupt the database update

Events tab

GeoIP mapping

Pivoting on an event and requesting a TCP transcript with the TX button

Summary tab

Views tab

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, February 20, 2014

New securityonion-capme package checks for active pcap_agent

I've updated the securityonion-capme package to check for active pcap_agents.  This will provide a more helpful error message for folks who forgot to enable netsniff-ng and pcap_agent and then tried to pivot to CapMe for full packet capture.

The updated package version is securityonion-capme - 20121213-0ubuntu0securityonion18 and it has been tested by the following (thanks!):
Heine Lysemose
Matt Gregory
David Zawdie

Issues Resolved

Issue 475: CapMe should check for active pcap_agent
https://code.google.com/p/security-onion/issues/detail?id=475

Screenshots
CapMe checks for active pcap_agent

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, February 19, 2014

New securityonion-web-page package adds ELSA query to show DNS zone transfers

I've updated the securityonion-web-page package to add an ELSA query that will show DNS zone transfers.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion18 and it has been tested by the following (thanks!):
Heine Lysemose

Issues Resolved

Issue 487: securityonion-web-page: add DNS zone transfer query
https://code.google.com/p/security-onion/issues/detail?id=487

Screenshots

DNS: Zone Transfers - shows any DNS AXFR requests over TCP
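The same condition the new ELSA query expresses (AXFR queries carried over TCP), written out as an added shell/awk filter over Bro's dns.log so it can be run on a sensor or against archived logs.  This is an added example, not the securityonion-web-page package's query.  The log excerpt is constructed and modelled on the Bro 2.2 dns.log column set; the filter takes column positions from the #fields header rather than hard-coding them, so it keeps working if another Bro version adds or reorders columns.

```shell
#!/bin/sh
# Constructed Bro-style dns.log excerpt (tab-separated, not real traffic):
# a normal A lookup over UDP, an AXFR over TCP (a real zone-transfer
# attempt), and an AXFR sent over UDP, which RFC 5936 does not allow and
# which the filter deliberately ignores.
SAMPLE=$(
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected\n'
  printf '1393000000.000000\tCabc1\t192.168.1.50\t51234\t192.168.1.53\t53\tudp\t1234\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t192.0.2.1\t3600.000000\tF\n'
  printf '1393000001.000000\tCabc2\t10.0.0.7\t40001\t192.168.1.53\t53\ttcp\t4321\texample.com\t1\tC_INTERNET\t252\tAXFR\t0\tNOERROR\tF\tF\tF\tT\t0\t-\t-\tF\n'
  printf '1393000002.000000\tCabc3\t10.0.0.8\t40002\t192.168.1.53\t53\tudp\t4322\texample.com\t1\tC_INTERNET\t252\tAXFR\t5\tREFUSED\tF\tF\tF\tT\t0\t-\t-\tF\n'
)

# Print ts, client, server and zone for every AXFR query carried over TCP.
# Reads the files given as arguments, or stdin when there are none.
find_axfr() {
  awk -F '\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/       { next }
    col["proto"] && col["qtype_name"] &&
      tolower($col["proto"]) == "tcp" && $col["qtype_name"] == "AXFR" {
        print $col["ts"] "\t" $col["id.orig_h"] "\t" $col["id.resp_h"] "\t" $col["query"]
    }' "$@"
}

# With no arguments, run against the constructed sample so the script can
# be tried without a sensor; otherwise filter the given dns.log files.
if [ $# -eq 0 ]; then
  printf '%s\n' "$SAMPLE" | find_axfr
else
  find_axfr "$@"
fi
```

Restricting to TCP matches the query's intent: a zone transfer cannot complete over UDP, so an AXFR seen over UDP is a probe at most, while an AXFR over TCP from a client that is not one of your secondaries is worth an alert.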

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, February 13, 2014

New securityonion-elsa-extras package properly randomizes apikey on master server

Scott Runnels has updated the securityonion-elsa-extras package to properly randomize the ELSA apikey on the master server.  Thanks, Scott!

The updated package version is securityonion-elsa-extras - 20131117-1ubuntu0securityonion36 and it has been tested by the following (thanks!):
Michal Purzynski
David Zawdie

Issues Resolved
Issue 478: securityonion-elsa-extras: randomize API key in master's elsa_web.conf
https://code.google.com/p/security-onion/issues/detail?id=478

Release Notes
When the new package installs, it will check /etc/elsa_web.conf to see if you have an apikey set to the default of "1".  If so, it will automatically replace that default apikey with a properly randomized apikey.  You'll then need to restart Apache to make the change take effect:
sudo service apache2 restart

Please be reminded that the management interface of your master server (where the ELSA web interface runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
https://code.google.com/p/security-onion/wiki/Firewall

Screenshots
BEFORE new package - apikey defaulted to 1

Installing new package, which will automatically check for default apikey and randomize if necessary

AFTER new package - apikey is now properly randomized

Restarting Apache to make change in /etc/elsa_web.conf take effect

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, February 12, 2014

Table of Contents added to Wiki

I've added a Table of Contents page to our Wiki and made it the Sidebar for all pages in the Wiki. You can see it on the left side of the screenshot below. Hopefully, this helps organize our various Wiki pages in a more logical manner and helps you find what you're looking for faster.

Table of Contents added as Sidebar
Please take a look and let us know what you think!

https://code.google.com/p/security-onion/wiki/TableOfContents

Tuesday, February 11, 2014

New securityonion-setup package resolves several issues

I've updated the securityonion-setup package to resolve several issues.  The updated package version is securityonion-setup - 20120912-0ubuntu0securityonion99 and it has been tested by the following (thanks!):
Matt Gregory
David Zawdie
JP Bourget

Issue 463: sosetup: prompt for ELSA log_size_limit
https://code.google.com/p/security-onion/issues/detail?id=463

Issue 470: sosetup: Add verbiage to ELSA screen about running on sensors
https://code.google.com/p/security-onion/issues/detail?id=470

Issue 474: sosetup: increase default query_timeout in /etc/elsa_web.conf
https://code.google.com/p/security-onion/issues/detail?id=474

Issue 388: sosetup: configure MySQL to create an innodb file per table to prevent ibdata1 growing indefinitely
https://code.google.com/p/security-onion/issues/detail?id=388
(innodb_file_per_table only applies to tables created after the change; an ibdata1 file that has already grown is not shrunk by it)

Issue 416: sosetup: increase default MySQL open-files-limit
https://code.google.com/p/security-onion/issues/detail?id=416

Screenshots

Setup now prompts for ELSA log_size_limit

Setup sets ELSA log_size_limit as requested by user

Setup now sets ELSA query_timeout to 10000

Setup now configures MySQL with better defaults

MySQL now creates an innodb file per table

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, February 10, 2014

New securityonion-sostat package provides more data for monitoring ELSA

I've updated the securityonion-sostat package to redact IPv6/MAC addresses and also increase verbosity for monitoring ELSA.  The updated package version is securityonion-sostat - 20120722-0ubuntu0securityonion20 and it has been tested by the following (thanks!):
Matt Gregory
David Zawdie

Issue 471: sostat-redacted should redact IPv6 and MAC addresses
https://code.google.com/p/security-onion/issues/detail?id=471
(thanks to Steve Fennell and BBCan177 for the patches!)

Issue 476: sostat: add verbosity for troubleshooting ELSA
https://code.google.com/p/security-onion/issues/detail?id=476

Screenshots
sostat-redacted now redacts IPv4, IPv6, and MAC addresses
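An added example of the kind of redaction described under issue 471 and in the caption above, not the securityonion-sostat package's own sostat-redacted script: a sed pipeline that masks IPv4, IPv6 and MAC addresses in text on stdin while leaving clock times such as 12:34:56 alone.  The sample output is constructed; the replacement tokens and pattern ordering are this example's choices.

```shell
#!/bin/sh
# Constructed sostat-style excerpt (not real output): an IPv4 line, a
# compressed IPv6, an uncompressed IPv6, a MAC line, and a timestamp line
# that must survive untouched.
SAMPLE='eth1 inet 192.168.1.10/24 brd 192.168.1.255
eth1 inet6 fe80::20c:29ff:fe3d:1a2b/64 scope link
lo   inet6 2001:0db8:0000:0000:0000:ff00:0042:8329/128
eth1 link/ether 00:0c:29:3d:1a:2b brd ff:ff:ff:ff:ff:ff
uptime 12:34:56 up 3 days'

HEX='[0-9A-Fa-f]'

# Read text on stdin and write it with addresses replaced by fixed tokens.
# Order matters: the last six groups of an uncompressed IPv6 address look
# exactly like a MAC, so the 8-group IPv6 form is handled first.  The two
# compressed forms require a literal "::", which is what keeps hh:mm:ss
# timestamps from matching.
redact() {
  sed -E \
    -e "s/($HEX{1,4}:){7}$HEX{1,4}/IPv6_REDACTED/g" \
    -e "s/$HEX{1,4}(:$HEX{1,4}){0,6}::($HEX{1,4}(:$HEX{1,4}){0,6})?/IPv6_REDACTED/g" \
    -e "s/::$HEX{1,4}(:$HEX{1,4}){0,6}/IPv6_REDACTED/g" \
    -e "s/($HEX{2}:){5}$HEX{2}/MAC_REDACTED/g" \
    -e 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/IPv4_REDACTED/g'
}

# Demo on the constructed sample; for real use: sostat | redact
printf '%s\n' "$SAMPLE" | redact
```

The patterns err on the side of over-redaction: a dotted-quad version string such as 2.9.5.6 will be masked as an IPv4 address, and any hex-adjacent "::" token is treated as IPv6.  For a script whose output is meant to be pasted to a public mailing list, that is the right failure mode; leaking an internal address is worse than masking a version number.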

Additional ELSA info from a master server

Additional ELSA info from a sensor

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Saturday, February 8, 2014

New securityonion-web-page package adds ELSA query to show connections grouped by node

I've updated the securityonion-web-page package to add an ELSA query that will group connections by node.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion15 and it has been tested by the following (thanks!):
JP Bourget

Issues Resolved

Issue 477: ELSA menu should include BRO_CONN groupby:node
https://code.google.com/p/security-onion/issues/detail?id=477

Screenshots

Connections: Grouped by Node - shows how many connections each sensor is seeing

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!