Wednesday, August 27, 2014

Ubuntu Hardware Enablement (HWE) Stacks

Summary

If you installed Security Onion using our ISO image, then you should be running the original 3.2 kernel which should be fully supported until April 2017.  However, if you installed Ubuntu and then added our PPA and packages, you may be running a Hardware Enablement (HWE) Stack that has reached End-of-life.  If this is the case, then you'll need to update to a newer HWE Stack that will continue to be supported.

Checking Your System using hwe-support-status
To check your system, run the following command:
hwe-support-status --verbose
For example, in the following screenshot, I'm running the command on a machine that was installed from the Security Onion ISO image.  If this is what you get, then you can disregard the rest of this blog post.

If, on the other hand, you receive output similar to the following screenshot (taken from a machine that was installed from an Ubuntu ISO image), then you'll need to update to a newer HWE Stack.

WARNING! Do NOT run the do-release-upgrade command as this will upgrade to Ubuntu 14.04, which is incompatible with our packages.  We'll be using the second "apt-get install" option to update the HWE stack.

Updating your HWE Stack
Before you update your HWE stack, make sure that you've installed all updates so that you have the new PF_RING packages that support Linux kernel 3.13:
http://blog.securityonion.net/2014/08/new-pfring-snort-suricata-bro-packages.html

You can verify that you have the new PF_RING 6.0.2 with "cat /proc/net/pf_ring/info":


Then run the apt-get command shown in *your* output of hwe-support-status.  In the hwe-support-status screenshot above, we were requested to run the following because we were just running Ubuntu Server (no GUI):
sudo apt-get install linux-generic-lts-trusty linux-image-generic-lts-trusty
Depending on how your system was installed, hwe-support-status may ask you to install additional packages.  For example, you may also be requested to update your xserver packages.  Run whatever command hwe-support-status recommends for you.

If the new HWE stack installed successfully, then reboot your system:


After rebooting and logging in, verify that you're running the new 3.13 kernel with the "uname -a" command:

You can also verify that the PF_RING kernel module got built and loaded correctly for the new 3.13 kernel:

Finally, run the hwe-support-status tool again to verify that your HWE stack is supported until April 2017:
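The post-update checks above (new 3.13 kernel, PF_RING 6.0.x built and loaded) as shell functions that parse command output. This is an added example, not part of the original post or the Security Onion project; the sample `uname -r`, `/proc/net/pf_ring/info` and `lsmod` text is constructed so the script runs offline, and on a real sensor you would pass the real output instead.

```shell
#!/bin/sh
# Post-update verification for the HWE stack procedure above.
# Constructed sample output is embedded so this runs offline; on a sensor,
# pass the real output of `uname -r`, `cat /proc/net/pf_ring/info`, `lsmod`.

# Major.minor series of a `uname -r` string, e.g. "3.13.0-35-generic" -> "3.13".
kernel_series() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/'
}

# PF_RING version from the text of /proc/net/pf_ring/info.
pfring_version() {
    printf '%s\n' "$1" |
        sed -nE 's/^PF_RING Version[[:space:]]*:[[:space:]]*([0-9.]+).*/\1/p'
}

# Succeeds when the pf_ring module appears in `lsmod` output (first column).
pfring_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "pf_ring" { found = 1 } END { exit !found }'
}

# 0 when the sensor runs the 3.13 kernel with a loaded PF_RING 6.0.x
# (the combination the post expects after the update), 1 otherwise.
hwe_update_ok() {
    [ "$(kernel_series "$1")" = "3.13" ] || return 1
    case "$(pfring_version "$2")" in 6.0.*) ;; *) return 1 ;; esac
    pfring_module_loaded "$3"
}

# Constructed sample output (not captured from a real sensor).
SAMPLE_UNAME='3.13.0-35-generic'
SAMPLE_PFINFO='PF_RING Version          : 6.0.2 (constructed sample)
Total rings              : 2'
SAMPLE_LSMOD='Module                  Size  Used by
pf_ring               412345  2
e1000                 123456  0'

if hwe_update_ok "$SAMPLE_UNAME" "$SAMPLE_PFINFO" "$SAMPLE_LSMOD"; then
    echo "HWE update verified: kernel $(kernel_series "$SAMPLE_UNAME"), PF_RING $(pfring_version "$SAMPLE_PFINFO")"
else
    echo "HWE update NOT verified; re-check the steps above" >&2
fi
```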

For more information about Ubuntu HWE Stacks, please see:



Feedback
If you have any questions or problems, please use our security-onion mailing list:

Conference
Less than 30 seats left for the Security Onion conference in Augusta GA! Reserve your seat today!

Commercial Support/Training
Need training and/or commercial support?  Please see:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list:

We also need help testing new packages:

Thanks!

Tuesday, August 26, 2014

New PF_RING, Snort, Suricata, Bro packages

New versions of our PF_RING, Snort, Suricata, and Bro packages are now available!  The new package versions are as follows:

securityonion-bro - 2.3-0ubuntu0securityonion10
securityonion-bro-scripts - 20121004-0ubuntu0securityonion26
securityonion-daq - 2.0.2-0ubuntu0securityonion5
securityonion-elsa-extras - 20131117-1ubuntu0securityonion43
securityonion-pfring-daq - 20121107-0ubuntu0securityonion7
securityonion-pfring-devel - 20121107-0ubuntu0securityonion7
securityonion-pfring-ld - 20120827-0ubuntu0securityonion7
securityonion-pfring-module - 20121107-0ubuntu0securityonion23
securityonion-pfring-userland - 20140805-0ubuntu0securityonion3
securityonion-snort - 2.9.6.2-0ubuntu0securityonion7
securityonion-suricata - 2.0.3-0ubuntu0securityonion2

These new packages have been tested by the following (thanks!):
Ronny Vaningh
Andrea De Pasquale
Pete Nelson
Pietro Delsante
David Zawdie
Heine Lysemose
Eddy Simons

Issues Resolved

Issue 535: PF_RING 6.0.2 SVN
https://code.google.com/p/security-onion/issues/detail?id=535

Issue 462: Snort 2.9.6.2
https://code.google.com/p/security-onion/issues/detail?id=462

Issue 567: Snort Daq 2.0.2
https://code.google.com/p/security-onion/issues/detail?id=567

Issue 465: Suricata 2.0.3
https://code.google.com/p/security-onion/issues/detail?id=465

Issue 445: Bro 2.3
https://code.google.com/p/security-onion/issues/detail?id=445

Issue 484: securityonion-bro-scripts: update APT1 scripts with Seth's changes for certificate matching
https://code.google.com/p/security-onion/issues/detail?id=484

Issue 414: Bro script should lookup interface in /etc/nsm/sensortab to obtain sensorname
https://code.google.com/p/security-onion/issues/detail?id=414

Issue 577: ELSA: update parsers for Bro 2.3 log changes
https://code.google.com/p/security-onion/issues/detail?id=577

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • back up your Bro configuration
  • back up each of your existing snort.conf files to snort.conf.bak
  • back up each of your existing suricata.yaml files to suricata.yaml.bak

You'll then need to do the following:
  • re-apply any local customizations to the Bro/Snort/Suricata config
  • restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro
  • update ruleset and restart Snort/Suricata as follows:
sudo rule-update
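Since the update moves your existing snort.conf and suricata.yaml aside as *.bak and you then have to re-apply local customizations by hand, a quick way to see exactly which lines were lost helps. This is an added example, not part of the original post or the Security Onion packages; the snort.conf and snort.conf.bak files are constructed samples created in a temporary directory, and on a sensor you would call `lost_customizations` with the real paths (for example /etc/nsm/<sensor>/snort.conf and snort.conf.bak).

```shell
#!/bin/sh
# Lists the local customizations to re-apply after the package update above
# backs up snort.conf/suricata.yaml to *.bak.
# Sample files are constructed in a temp dir so this runs offline; on a
# sensor, call it with the real paths, e.g. lost_customizations snort.conf snort.conf.bak.

# Print the non-comment, non-blank lines that exist in the backup ($2) but
# not in the new config ($1): the settings the update dropped.
lost_customizations() {
    work=$(mktemp -d)
    grep -vE '^[[:space:]]*(#|$)' "$1" | sort -u > "$work/new"
    grep -vE '^[[:space:]]*(#|$)' "$2" | sort -u > "$work/bak"
    comm -13 "$work/new" "$work/bak"   # lines unique to the backup
    rm -rf "$work"
}

# Number of such lines; 0 means nothing local was lost.
count_lost() {
    lost_customizations "$1" "$2" | grep -c .
}

# Constructed sample: the packaged config and a backup with local edits.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/snort.conf" <<'EOF'
# snort.conf as shipped by the new package (constructed sample)
var HOME_NET any
var EXTERNAL_NET any
output unified2: filename snort.unified2, limit 128
EOF
cat > "$SAMPLE_DIR/snort.conf.bak" <<'EOF'
# snort.conf.bak with this sensor's local edits (constructed sample)
var HOME_NET [10.0.0.0/8,192.168.0.0/16]
var EXTERNAL_NET !$HOME_NET
output unified2: filename snort.unified2, limit 128
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
EOF

echo "Lines to re-apply to $SAMPLE_DIR/snort.conf:"
lost_customizations "$SAMPLE_DIR/snort.conf" "$SAMPLE_DIR/snort.conf.bak"
```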

Screenshots
Run "sudo soup" which first installs the new PF_RING kernel module

DKMS compiles the new kernel module

Soup then installs the remaining packages

Bro, Snort, and Suricata notify you that config files have been updated and you'll need to add back any local customizations

After adding back any local Bro customizations, restart Bro using "sudo nsm_sensor_ps-restart --only-bro"

After adding back any local snort.conf or suricata.yaml customizations, run "sudo rule-update" to download the latest ruleset for the new IDS engine

rule-update then restarts Barnyard2 and the IDS engine



Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Conference
Less than 30 seats left for the Security Onion conference in Augusta GA! Reserve your seat today!
https://securityonionconference2014.eventbrite.com

Commercial Support/Training
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, August 25, 2014

New securityonion-setup package restarts MySQL to make config changes take effect

I noticed recently that the following issue didn't actually get resolved properly:

Issue 388: Configure MySQL to create an innodb file per table to prevent ibdata1 growing indefinitely
https://code.google.com/p/security-onion/issues/detail?id=388

After troubleshooting the issue, I realized that Setup was only doing a MySQL reload and that's not picking up the new innodb_file_per_table setting, so we need to replace that with a MySQL restart.  I've updated Setup and the securityonion-setup package.  This new package has been tested by the following (thanks!):
David Zawdie
Heine Lysemose

Screenshots
Old version of Setup resulted in no per-table innodb files

New version of Setup results in an innodb file per table

Issues Resolved

Issue 576: Setup: restart MySQL to make config changes take effect
https://code.google.com/p/security-onion/issues/detail?id=576

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Friday, August 22, 2014

New securityonion-nsmnow-admin-scripts package prevents update prompts for Ubuntu 14.04

Over the past few weeks, you may have seen some Ubuntu prompts to upgrade to the new Ubuntu release (Ubuntu 14.04).  For example:



We have no immediate plans to support Ubuntu 14.04, so Ryan Peck suggested some changes to avoid these Ubuntu prompts (thanks, Ryan!):
https://groups.google.com/d/topic/security-onion/_N6O0XZbcSE/discussion

I've updated the NSM package to include these changes.  The updated package version is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion82

After installing, you should no longer receive either of the prompts shown above.  Here's an example of logging in via ssh without being prompted to upgrade to Ubuntu 14.04:


If you're running a kernel other than 3.2 (as shown above), you may still receive an Ubuntu message about updating your kernel and HWE stack.  Please do NOT do this until we release new PF_RING packages which support the new 3.13 kernel.  You can help us test the new PF_RING packages by joining the security-onion-testing Google Group and referring to this thread:
https://groups.google.com/d/topic/security-onion-testing/mKVn-GAPaIg/discussion

UPDATE 2014/08/27: Our new PF_RING packages have been released:
http://blog.securityonion.net/2014/08/new-pfring-snort-suricata-bro-packages.html

For instructions on updating your HWE stack, please see:
http://blog.securityonion.net/2014/08/ubuntu-hardware-enablement-hwe-stacks.html

This new package has been tested by the following (thanks!):
Pete Nelson
David Zawdie
Ronny Vaningh

Issues Resolved

Issue 574: NSM: prevent checking for new Ubuntu releases
https://code.google.com/p/security-onion/issues/detail?id=574

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Tuesday, August 12, 2014

New securityonion-capme package resolves an issue

Ryan Peck found and fixed an issue in CapMe (thanks Ryan!):
https://groups.google.com/d/topic/security-onion/h-WFiDETBVU/discussion

I've accepted the patch and built a new securityonion-capme package.  The updated package version is as follows:
securityonion-capme - 20121213-0ubuntu0securityonion19

This new package has been tested by the following (thanks!):
Karolis
David Zawdie

Issues Resolved

Issue 570: CapMe: Ignore extra data from ELSA cli.pl
https://code.google.com/p/security-onion/issues/detail?id=570

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Friday, August 1, 2014

PF_RING, Snort, and Suricata packages have reached Release Candidate status!

Our new PF_RING/Snort/Suricata packages have reached Release Candidate status!  Since these packages are critical components, I'd like to do one final phase of testing before promoting to stable.  If at all possible, please try installing on some of your production sensors so that we can get some real world testing before promoting to stable.

Join the discussion here:
https://groups.google.com/d/topic/security-onion-testing/mKVn-GAPaIg/discussion

New securityonion-server package resolves an issue

I've built a new version of securityonion-server that resolves an issue.  The updated package version is as follows:
securityonion-server - 20120722-0ubuntu0securityonion12

This new package has been tested by the following (thanks!):
Pete Nelson

Issues Resolved

Issue 569: securityonion-server: add p0f as a dependency
https://code.google.com/p/security-onion/issues/detail?id=569

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
