Monday, June 23, 2014

New securityonion-rule-update package resolves two issues

We recently released new barnyard2 and rule-update packages:
http://blog.securityonion.net/2014/06/new-barnyard2-nsm-rule-update-and.html 

Some folks have reported a few issues since updating to these new packages, so we're releasing a new version of rule-update which should help with these issues.

The first issue is that rule-update takes longer now.  Per the barnyard2 developers, all entries in the sig_reference table must be deleted when upgrading to this new version of barnyard2.  rule-update then uses barnyard2 to re-populate this table.  Depending on the size of your Snorby database, this may take a while.  The new version of rule-update (released today) will only do a full delete of the sig_reference table once, so subsequent runs of rule-update should be much faster.

The second issue is that users running the Snort engine with the VRT ruleset are experiencing barnyard2 failing with errors like "Returned signature_id is not equal to updated signature_id".  This is due to some wrong entries in the database left by the previous version of barnyard2.  One of the barnyard2 developers wrote a MySQL script to fix these entries and I've packaged it into a shell script called so-snorby-fix-sigs and included it in today's rule-update package.  If you're running the Snort engine with the VRT ruleset, please run so-snorby-fix-sigs and follow the directions (including shutting down all barnyard2 instances).

The updated package version is as follows:
securityonion-rule-update - 20120726-0ubuntu0securityonion20

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 556: rule-update: add so-snorby-fix-sigs script
https://code.google.com/p/security-onion/issues/detail?id=556

Issue 557: rule-update: only delete sig_reference table once
https://code.google.com/p/security-onion/issues/detail?id=557

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Thursday, June 19, 2014

New securityonion-web-page package adds an ELSA query

I've updated our securityonion-web-page package to add a new ELSA query under the HTTP category labeled "Sites Hosting CABs".

The updated package version is as follows:
securityonion-web-page - 20120722-0ubuntu0securityonion22

This new package has been tested by the following (thanks!):
David Zawdie
Heine Lysemose

Issues Resolved

Issue 549: securityonion-web-page: add ELSA query for Sites Hosting CABs
https://code.google.com/p/security-onion/issues/detail?id=549

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Thanks!

Wednesday, June 18, 2014

New NSM package resolves an issue

The recently released NSM scripts had a typo:

Thanks to Andrea De Pasquale for the notification!  

I've updated the NSM package to fix the typo.  The updated package version is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion77

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 555: NSM: replace "2>1" with "2>&1"
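To show what the typo in Issue 555 actually does, here is an added demonstration (not the NSM scripts' own code): `2>1` writes stderr to a file literally named `1` in the working directory, while `2>&1` sends stderr wherever stdout is going. The failing command and the sample scripts are constructed; `find_bad_redirects` is a hypothetical audit helper for spotting the pattern in a script tree.

```shell
#!/bin/sh
# Added example, not from Security Onion: contrast "2>1" with "2>&1".
# "2>1"  -> stderr goes to a FILE named "1" (a stray file on every run)
# "2>&1" -> stderr follows stdout (here /dev/null), nothing is left behind

# Constructed stand-in for a failing NSM helper that complains on stderr.
noisy_cmd() {
    echo "constructed error message" >&2
    return 1
}

# Run the command with the typo; print the name of the stray file it left.
run_with_typo() {
    dir=$(mktemp -d)
    ( cd "$dir" && noisy_cmd >/dev/null 2>1 ) || true
    stray=""
    [ -f "$dir/1" ] && stray="1"
    rm -rf "$dir"
    echo "$stray"
}

# Run the command with the fix; stderr is discarded along with stdout.
run_with_fix() {
    dir=$(mktemp -d)
    ( cd "$dir" && noisy_cmd >/dev/null 2>&1 ) || true
    stray=""
    [ -f "$dir/1" ] && stray="1"
    rm -rf "$dir"
    echo "$stray"
}

# Hypothetical audit helper: list scripts under a directory that still use
# "2>1" not followed by "&" (the pattern Issue 555 replaced).
find_bad_redirects() {
    grep -rlE '2>1([^&]|$)' "$1" 2>/dev/null | sort
}
```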

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:


Thanks!

Monday, June 16, 2014

New Barnyard2, NSM, rule-update, and securityonion-server packages

You may have noticed previously that when barnyard2 started up, it would consume a large amount of CPU (on both the sensor and the server) for a while (more than a minute in some cases) while it updated Snorby's reference table.  Multiply this by several barnyard instances per interface and several interfaces per physical sensor and you now have multiple instances fighting each other for scarce CPU resources.

To alleviate this, the barnyard2 folks introduced a new option called disable_signature_reference_table that allows you to disable the reference table update on all sensors, leaving just one barnyard2 instance on the server itself to update Snorby's reference table, avoiding the duplication of effort.  I packaged the latest version of barnyard2 (version 2.1.13 Build 333) which contains this option and also updated the NSM scripts to add the new option to all barnyard2.conf files on all sensors. rule-update has been modified such that right after the master downloads new rules from the Internet, it will use barnyard2 to update Snorby's reference table.  Finally, since we're now forcing the server to use barnyard2 to update Snorby's reference table, I updated the securityonion-server metapackage to require securityonion-barnyard2 as a dependency.
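As an added illustration of the sensor-side change described above (not the NSM scripts' actual code), the following idempotently adds the new barnyard2 option to each sensor's barnyard2.conf so that only the server's instance rebuilds Snorby's reference table. It assumes the directive syntax `config disable_signature_reference_table` and takes the config path or directory tree as a parameter; the sample configs in the test are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion's NSM scripts: turn off the reference
# table update in sensor-side barnyard2.conf files exactly once.
# Assumption: barnyard2 2.1.13 accepts this directive in barnyard2.conf.
OPTION="config disable_signature_reference_table"

# Return 0 if the directive is already active (commented-out lines do not count).
has_option() {
    grep -qE "^[[:space:]]*${OPTION}[[:space:]]*$" "$1"
}

# Append the directive once; safe to re-run on every rule-update or NSM run.
# Prints "added" or "present" so callers can count what changed.
ensure_option() {
    conf="$1"
    if has_option "$conf"; then
        echo "present"
    else
        printf '\n# sensor: let the server barnyard2 instance update sig_reference\n%s\n' \
            "$OPTION" >> "$conf"
        echo "added"
    fi
}

# Apply to every barnyard2.conf under a sensor tree (e.g. /etc/nsm on a sensor).
# Prints the number of files changed.
apply_to_tree() {
    changed=0
    for f in $(find "$1" -name barnyard2.conf); do
        [ "$(ensure_option "$f")" = "added" ] && changed=$((changed + 1))
    done
    echo "$changed"
}
```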

The updated package versions are as follows:
securityonion-barnyard2 - 20140531-0ubuntu0securityonion1
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion76
securityonion-rule-update - 20120726-0ubuntu0securityonion15
securityonion-server - 20120722-0ubuntu0securityonion11

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie
Kevin Branch

Issues Resolved
Issue 294: Barnyard2-1.13
https://code.google.com/p/security-onion/issues/detail?id=294

Issue 550: securityonion-server: add barnyard2 as a dependency
https://code.google.com/p/security-onion/issues/detail?id=550

Issue 411: NSM: have only one copy of barnyard2 that updates signature reference table
https://code.google.com/p/security-onion/issues/detail?id=411

Issue 551: rule-update: have server use barnyard2 to update Snorby reference table
https://code.google.com/p/security-onion/issues/detail?id=551

Issue 399: rule-update should allow LOCAL_NIDS_RULE_TUNING to be yes or true
https://code.google.com/p/security-onion/issues/detail?id=399

Issue 544: rule-update: notify user if LOCAL_NIDS_RULE_TUNING=true
https://code.google.com/p/security-onion/issues/detail?id=544

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Thanks!

Thursday, June 12, 2014

New securityonion-sguil-db-purge package resolves two issues

I've updated our securityonion-sguil-db-purge package to resolve two issues.

The updated package version is as follows:
securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion9

This new package has been tested by the following (thanks!):
Eddy Simons

Issues Resolved

Issue 406: sguil-db-purge needs to purge history table as well
https://code.google.com/p/security-onion/issues/detail?id=406 

Issue 428: sguil-db-purge should check for existence of tables
https://code.google.com/p/security-onion/issues/detail?id=428 

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Thanks!

Tuesday, June 10, 2014

Save the Date: Security Onion Conference

I recently asked the community if there was interest in a Security Onion Conference:
http://blog.securityonion.net/2014/05/security-onion-conference.html

The response was overwhelmingly positive!

The Security Onion Conference will be held in Augusta GA on Friday September 12 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

I'll publish more details about the Security Onion Conference as they are finalized.

UPDATE 2014/07/11

Registration is now open:
http://blog.securityonion.net/2014/07/registration-for-security-onion.html

CFP is now closed!  Thanks to all who responded!

June 10 - CFP Open
July 10 - CFP Closed
July 31 - Speakers selected and notified

Friday, June 6, 2014

New securityonion-sostat package resolves an issue

sostat-quick now checks for privileges.

The updated package version is as follows:
securityonion-sostat - 20120722-0ubuntu0securityonion26

This new package has been tested by the following (thanks!):
Eddy Simons
David Zawdie

Issues Resolved

Issue 537: sostat-quick: check for root
https://code.google.com/p/security-onion/issues/detail?id=537

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Thanks!

Wednesday, June 4, 2014

2-day Security Onion class in Sacramento CA

Do you want to...

... learn more about Security Onion?

... get the most out of your Security Onion deployment?

... catch more bad guys and catch them faster?

In addition to the recently announced 2-day Security Onion class in Raleigh NC, we're now also offering the 2-day Security Onion class in Sacramento CA!

If you sign up before June 25, you can use the following promo code for $100 off!
earlybird56219

If you are a student or work for a non-profit and need an additional discount, please contact me using the "Contact Doug Burks" link at the bottom of the Eventbrite page.

For full details and to register, please see:
https://securityonion20140807.eventbrite.com

What do previous students say about the class?
"I highly, HIGHLY recommend attending this class.  I attended the class in Houston and it was excellent.
Doug is very knowledgeable and has an informal style of instruction that keeps the class interesting and encourages interaction with the students, and is not simply a 16 hour lecture.
I also met many interesting people and made some new contacts. All in all, if this class comes anywhere near me again ... I'll be going if I have to host a bake sale to get there." 
-- Jake Sallee 

Tuesday, June 3, 2014

New Salt and OnionSalt packages

Mike Reeves has updated his OnionSalt scripts to be compatible with the latest Salt packages.  I've packaged these scripts and copied the latest Salt packages to our stable repo.

The updated package versions are as follows:
securityonion-onionsalt - 20130817-0ubuntu0securityonion11
salt-master - 2014.1.4-2precise2
salt-minion - 2014.1.4-2precise2

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie

Please see the updated OnionSalt page on our Wiki:
https://code.google.com/p/security-onion/wiki/Salt

Issues Resolved
Issue 540: Update Salt packages/scripts
https://code.google.com/p/security-onion/issues/detail?id=540

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Thanks!

Monday, June 2, 2014

New Setup package changes the way in which we disable some services

We have a new Setup package that changes the way in which we disable services like network-manager, salt-master, and salt-minion.  Previously, we were disabling these services by renaming their init script.  For example, we would disable salt-master as follows:
mv /etc/init/salt-master.conf /etc/init/salt-master.DISABLED

We're getting ready to update to the latest salt packages which don't handle that method of disabling gracefully.  So we're going to move to a more graceful method of disabling these services which is to create an override file as follows:
echo "manual" > /etc/init/salt-master.override

When the new Setup package installs, it has a preinst script that should check /etc/init/ and see if network-manager, salt-master, and/or salt-minion were disabled via the old method.  If so, it will then migrate them to the new style of disabling.  /usr/bin/sosetup and /usr/bin/sosetup-network have also been updated such that new runs of Setup will result in the new method of disabling.
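The migration the preinst performs, written out as an added example (this is not the securityonion-setup package's actual preinst): for each managed service, a renamed `NAME.DISABLED` job is moved back to `NAME.conf` and a `NAME.override` containing `manual` is created. The init directory is a parameter so the logic can be exercised on a scratch copy instead of /etc/init; the sample job files are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion's preinst script: migrate services
# disabled by renaming the upstart job (old method) to an override file
# (new method), so the package's own job file is left untouched.

# Migrate one service. Prints "migrated", "already-new", or "not-disabled".
migrate_service() {
    initdir="$1"; svc="$2"
    old="$initdir/$svc.DISABLED"
    job="$initdir/$svc.conf"
    override="$initdir/$svc.override"
    if [ -f "$old" ]; then
        # Restore the job file where upstart and dpkg expect it, but never
        # clobber a job file a package upgrade has since reinstalled
        # (design choice of this example, not stated on the page).
        if [ -e "$job" ]; then
            rm -f "$old"
        else
            mv "$old" "$job"
        fi
        echo "manual" > "$override"
        echo "migrated"
    elif [ -f "$override" ] && grep -qx manual "$override"; then
        echo "already-new"
    else
        echo "not-disabled"
    fi
}

# Run the migration over the services Setup manages, as the preinst would.
# Prints the number of services migrated.
migrate_all() {
    initdir="$1"; count=0
    for svc in network-manager salt-master salt-minion; do
        [ "$(migrate_service "$initdir" "$svc")" = "migrated" ] && count=$((count + 1))
    done
    echo "$count"
}
```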

The updated package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion105

This new package has been tested by the following (thanks!):
David Vasil
Eddy Simons

Issues Resolved

Issue 542: Setup: when disabling salt, avoid modifying salt package files
https://code.google.com/p/security-onion/issues/detail?id=542

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Thanks!