Monday, March 31, 2014

New securityonion-setup package

I've updated our Setup package to resolve a few issues.

The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion101

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 485: sosetup-network: mention MTU and other custom config can be
manually added to /etc/network/interfaces
https://code.google.com/p/security-onion/issues/detail?id=485

Issue 499: sosetup-network: fix backup path in /etc/network/interfaces
https://code.google.com/p/security-onion/issues/detail?id=499

Issue 511: sosetup-network: management interface selection should be a radiolist
https://code.google.com/p/security-onion/issues/detail?id=511

Issue 489: sosetup: capture rmmod output
https://code.google.com/p/security-onion/issues/detail?id=489

Issue 479: sosetup: should verify that it can resolve server hostname
before trying to connect
https://code.google.com/p/security-onion/issues/detail?id=479

Issue 496: sosetup: VRT policy screen should be a radiolist
https://code.google.com/p/security-onion/issues/detail?id=496

Issue 514: sosetup: fix df /nsm check
https://code.google.com/p/security-onion/issues/detail?id=514

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, March 20, 2014

New securityonion-elsa-extras and securityonion-elsa-node-perl packages

Scott Runnels has updated two of our ELSA packages to resolve a couple of issues.  Thanks, Scott!

The updated packages are as follows:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion41
securityonion-elsa-node-perl - 20130819-0ubuntu0securityonion3

These new packages have been tested by the following (thanks!):
David Zawdie
Matt Gregory
JP Bourget

Issues Resolved
Issue 502: securityonion-elsa-node-perl: add libtext-csv-perl as a dependency
https://code.google.com/p/security-onion/issues/detail?id=502

Issue 503: securityonion-elsa-extras: parsers for BRO_INTEL feed
https://code.google.com/p/security-onion/issues/detail?id=503

Screenshots

Show all entries in Bro's intel.log grouped by indicator

Drilling into an indicator

Wednesday, March 12, 2014

New securityonion-sostat package

Jon Schipp submitted some patches for soup (thanks Jon!) and I updated sostat to resolve a few issues.  The new package is securityonion-sostat - 20120722-0ubuntu0securityonion21 and it has been tested by Matt Gregory and David Zawdie (thanks!).

Issues Resolved
Issue 481: soup: Add skip interactive option
https://code.google.com/p/security-onion/issues/detail?id=481

Issue 494: sostat should display ELSA v_indexes
https://code.google.com/p/security-onion/issues/detail?id=494

Issue 497: sostat should ignore "Cannot set NIC flags!" in netsniff-ng.log
https://code.google.com/p/security-onion/issues/detail?id=497

Issue 508: sostat should include full process output but exclude usernames
https://code.google.com/p/security-onion/issues/detail?id=508

Screenshots
sostat now includes ELSA Index Date Range

soup now has options

sostat now includes expanded process output but excludes usernames

Tuesday, March 11, 2014

New securityonion-rule-update package

I've updated our securityonion-rule-update package to resolve an issue.  The new package is securityonion-rule-update - 20120726-0ubuntu0securityonion12 and it has been tested by David Zawdie (thanks!).

Issues Resolved
Issue 505: rule-update: check to see if barnyard and IDS engine are enabled
https://code.google.com/p/security-onion/issues/detail?id=505

Monday, March 10, 2014

New securityonion-web-page package updates OSSEC and DNS Queries

I've updated our securityonion-web-page package to resolve a few issues.  The new package is securityonion-web-page - 20120722-0ubuntu0securityonion19 and it has been tested by Matt Gregory (thanks!).

Issues Resolved
Issue 495: securityonion-web-page: OSSEC logs query should exclude MARK
https://code.google.com/p/security-onion/issues/detail?id=495

Issue 498: securityonion-web-page: add DNS IXFR query
https://code.google.com/p/security-onion/issues/detail?id=498

Release Notes
Previously, we added a "DNS - Zone Transfers" query that would look for full zone transfers (AXFR):
http://blog.securityonion.net/2014/02/new-securityonion-web-page-package-adds_19.html

This new package updates that query to also look for incremental zone transfers (IXFR) and group the results by the source IP address:
class=BRO_DNS proto="tcp" "axfr" OR "ixfr" groupby:srcip
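As an added example (not part of the original post or of the Security Onion packages), here is the same detection carried out in Python over constructed Bro dns.log records: TCP requests whose query type is AXFR or IXFR are counted per source IP, the way the ELSA groupby:srcip query does. The column order assumed is the standard Bro 2.x dns.log layout; the sample records are constructed.

```python
"""Flag DNS zone-transfer requests (AXFR/IXFR) over TCP in Bro dns.log records
and group them by source IP, mirroring the ELSA query
    class=BRO_DNS proto="tcp" "axfr" OR "ixfr" groupby:srcip
"""
from collections import Counter

# Column order of a tab-separated Bro 2.x dns.log (assumed layout).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
          "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
          "answers", "TTLs", "rejected"]

ZONE_XFER = {"AXFR", "IXFR"}   # full and incremental zone transfers

def parse_dns_log(text):
    """Yield one dict per record, skipping Bro's '#' header/footer lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue                    # truncated or malformed record
        yield dict(zip(FIELDS, parts))

def zone_transfers_by_srcip(text):
    """Return {srcip: count} of AXFR/IXFR queries carried over TCP."""
    hits = Counter()
    for rec in parse_dns_log(text):
        if rec["proto"].lower() == "tcp" and rec["qtype_name"].upper() in ZONE_XFER:
            hits[rec["id.orig_h"]] += 1
    return dict(hits)

def _rec(src, proto, qtype, qtype_name):
    """Build one constructed 23-column record; only the tested fields vary."""
    row = ["1394450000.1", "CxUid", src, "40000", "10.1.1.53", "53", proto, "1",
           "example.internal", "1", "C_INTERNET", qtype, qtype_name, "0",
           "NOERROR", "F", "F", "T", "F", "0", "-", "-", "F"]
    return "\t".join(row)

# Constructed sample log: two transfer attempts from 10.1.1.5, one from
# 10.1.1.9, plus an ordinary A lookup and a UDP AXFR that the query ignores.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(FIELDS),
    _rec("10.1.1.5", "tcp", "252", "AXFR"),
    _rec("10.1.1.5", "tcp", "251", "IXFR"),
    _rec("10.1.1.9", "udp", "1", "A"),
    _rec("10.1.1.9", "tcp", "252", "AXFR"),
    _rec("10.1.1.7", "udp", "252", "AXFR"),
])

if __name__ == "__main__":
    for src, n in sorted(zone_transfers_by_srcip(SAMPLE).items()):
        print(f"{src}\t{n}")       # 10.1.1.5 2 / 10.1.1.9 1
```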

The "Host Logs - All OSSEC Logs" query should now exclude any OSSEC --MARK-- logs as follows:
class=none program="ossec_archive" "2014" -"packets_received" -"--MARK--"

Thursday, March 6, 2014

Expanded 2-Day Security Onion Training Class in Houston TX 5/8 - 5/9

Want to learn more about Security Onion?  Sign up for the new and expanded 2-day class in Houston TX!  If you sign up before March 31, you can use the following promo code for $100 off!
earlybird46099

For full details and to register, please see:
https://securityonion20140508.eventbrite.com