Tuesday, September 30, 2014

securityonion-bro-scripts now detects the ShellShock Qmail SMTP "MAIL FROM" attack vector

Seth Hall added support for the ShellShock Qmail SMTP "MAIL FROM" attack vector to his Bro ShellShock scripts:
https://github.com/broala/bro-shellshock/commit/6ba280179e86243ecc0ed0b84d38e5906bbdcadc

I've updated the securityonion-bro-scripts package to include these changes.

New package version:
securityonion-bro-scripts - 20121004-0ubuntu0securityonion37

Issues Resolved
Issue 616: securityonion-bro-scripts: ShellShock Qmail SMTP "MAIL FROM" attack vector
https://code.google.com/p/security-onion/issues/detail?id=616

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

To apply the new Bro ShellShock detection, you'll need to restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro

Screenshots

Update Process

Restarting Bro to load new ShellShock detection

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Only 16 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Suricata 2.0.4

Suricata 2.0.4 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/198-suricata-204-available

I've packaged Suricata 2.0.4 and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-suricata - 2.0.4-0ubuntu0securityonion1

Issues Resolved

Issue 600: Suricata 2.0.4
https://code.google.com/p/security-onion/issues/detail?id=600

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak.  You'll then need to do the following:

  • re-apply any local customizations to suricata.yaml
  • update ruleset and restart Suricata as follows:
    sudo rule-update

Screenshots

Update Process
sudo rule-update

rule-update restarts Suricata

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Only 16 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, September 29, 2014

New Setup package adds Snort Community Ruleset to VRT Ruleset

On Friday, I wrote a quick blog post about the ShellShock rules in the Snort Community ruleset:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-5-shellshock.html

The new version of Setup mentioned in that blog post has been tested by Eddy Simons (thanks!) and is now available in our stable PPA.

New package versions:
securityonion-setup - 20120912-0ubuntu0securityonion122

Issues Resolved
Issue 613: Setup: if user chooses VRT rules, enable Community as well
https://code.google.com/p/security-onion/issues/detail?id=613

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots
Update Process

ShellShock alert in Snorby
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Only 17 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Friday, September 26, 2014

New securityonion-bro-scripts, securityonion-onionsalt, and salt packages

I've updated the securityonion-bro-scripts package to include Seth Hall's ShellShock detector from here:
https://github.com/broala/bro-shellshock

securityonion-bro-scripts also creates a new directory called /opt/bro/share/bro/intel/ that makes it easy for you to add intel to the Bro Intel framework.

Mike Reeves, Ryan Peck, and I have updated the OnionSalt scripts to replicate more data from master to sensor.  This includes the /opt/bro/share/bro/intel/ directory mentioned above and also OSSEC's agent.conf and local_decoder.xml files.

Finally, SaltStack has updated their salt packages, so we include that as well.

New package versions:
salt - 2014.1.10-1precise1
securityonion-bro-scripts - 20121004-0ubuntu0securityonion36
securityonion-onionsalt - 20140917-0ubuntu0securityonion17

These new packages have been tested by the following (thanks!):
Brian Kellogg
Rob C

Issues Resolved:
Issue 612: securityonion-bro-scripts: include ShellShock detection
https://code.google.com/p/security-onion/issues/detail?id=612

Issue 606: securityonion-bro-scripts: create /opt/bro/share/bro/intel/ with example intel
https://code.google.com/p/security-onion/issues/detail?id=606

Issue 609: Onionsalt should copy /opt/bro/share/bro/intel/
https://code.google.com/p/security-onion/issues/detail?id=609

Issue 580: onionsalt should copy OSSEC agent.conf and local_decoder.xml
https://code.google.com/p/security-onion/issues/detail?id=580

Issue 579: Update salt
https://code.google.com/p/security-onion/issues/detail?id=579

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

To apply the new Bro ShellShock detection, you'll need to restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro

Screenshots

Update Process

Restarting Bro to load new ShellShock Detection

/opt/bro/share/bro/ now contains intel/ and shellshock/ directories

Bro ShellShock logs (http.log and notice.log)

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Only 17 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Bash Vulnerability Part 5: ShellShock rules in Snort Community ruleset

This is a continuation of the ShellShock posts from the last few days:
http://blog.securityonion.net/2014/09/bash-vulnerability.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-2.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-4-another.html

If you're running the Snort VRT ruleset, please read this post in its entirety.

The Snort VRT added some ShellShock rules to the Community ruleset:
http://blog.snort.org/2014/09/snort-community-ruleset-out-of-band.html

If you look at your current /etc/nsm/pulledpork/pulledpork.conf file, you'll see that the Snort Community ruleset line is not enabled (or missing altogether if it's been a while since you ran Setup).  I've updated Setup so that when you run Setup and choose Snort VRT, it will also enable the Snort Community ruleset.  If you've already run Setup, the new Setup package will check your existing pulledpork.conf file and add/enable the Snort Community ruleset if necessary.
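The add/enable behaviour described above, as an added example that is not the Setup package's own code: it checks a pulledpork.conf for the Community ruleset line, uncomments it if it is present but disabled, appends it if it is missing, and leaves an already enabled file alone. The rule_url line follows PulledPork's `rule_url=<url>|<tarball>|<oinkcode-or-tag>` format; the exact Community URL and the `<oinkcode>` placeholder in the constructed fixture are assumptions.

```shell
#!/bin/sh
# Added example, not the Setup package's own code: make the Snort Community
# ruleset line in a pulledpork.conf present and enabled, idempotently.
# The Community rule_url value below is an assumption about the 2014 URL.

COMMUNITY_LINE='rule_url=https://www.snort.org/downloads/community/|community-rules.tar.gz|Community'

# Ensure $1 contains COMMUNITY_LINE uncommented. Prints one of:
#   unchanged  - already enabled, file untouched
#   enabled    - a commented-out copy was found and uncommented in place
#   added      - no copy at all, appended to the file
ensure_community_ruleset() {
    conf=$1
    if grep -q "^${COMMUNITY_LINE}\$" "$conf"; then
        echo unchanged
        return 0
    fi
    if grep -q "^#[[:space:]]*${COMMUNITY_LINE}\$" "$conf"; then
        # '@' is the sed delimiter because the line itself contains '|' and '/'
        sed "s@^#[[:space:]]*\(${COMMUNITY_LINE}\)\$@\1@" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
        echo enabled
        return 0
    fi
    printf '%s\n' "$COMMUNITY_LINE" >> "$conf"
    echo added
}

# Number of active (uncommented) Community lines in $1; exactly 1 is the goal.
community_count() {
    grep -c "^${COMMUNITY_LINE}\$" "$1" || true
}

# Constructed pulledpork.conf fragment in one of the three states Setup must
# handle: $1 = path, $2 = enabled | commented | missing. <oinkcode> is a
# placeholder, not a real code.
write_fixture() {
    {
        echo '# constructed pulledpork.conf fragment'
        echo 'rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>'
        case $2 in
            enabled)   echo "$COMMUNITY_LINE" ;;
            commented) echo "#$COMMUNITY_LINE" ;;
        esac
    } > "$1"
}

demo() {
    tmp=$(mktemp -d)
    for state in enabled commented missing; do
        write_fixture "$tmp/$state.conf" "$state"
        result=$(ensure_community_ruleset "$tmp/$state.conf")
        printf '%-9s -> %-9s active Community lines afterwards: %s\n' \
            "$state" "$result" "$(community_count "$tmp/$state.conf")"
    done
    rm -rf "$tmp"
}

demo
```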

I've submitted securityonion-setup - 20120912-0ubuntu0securityonion122 for testing:
https://groups.google.com/d/topic/security-onion-testing/W_R_ejUc-Z4/discussion

If you're not already a member of the security-onion-testing Google Group, please join the group and help us test this new package so we can get it released as quickly as possible.

Thanks!

Setup updating pulledpork.conf
Snorby displaying ShellShock alert from Snort Community ruleset

UPDATE 20140927 07:59
Please see:
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html

UPDATE 20140929 08:25
The new Setup package has been tested and published:
http://blog.securityonion.net/2014/09/new-setup-package-adds-snort-community.html

Thursday, September 25, 2014

Bash Vulnerability Part 4: Another updated bash package

Earlier today (http://blog.securityonion.net/2014/09/bash-vulnerability-part-2.html), I said:
"There are most likely other issues, so expect additional updates to bash in the near future."

Ubuntu has now released another new bash package:
http://www.ubuntu.com/usn/usn-2363-1/

You should install this updated package as soon as possible.  As always, we recommend using "soup" to apply package updates.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

UPDATE 20140926 14:12
Please see Part 5:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-5-shellshock.html

Bash Vulnerability Part 3

Earlier today, I wrote a quick blog post about detecting exploit attempts for this new Bash Vulnerability:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-2.html

As mentioned in an update to that blog post, Seth Hall wrote a ShellShock detector for Bro that detects successful exploitation (not just an attempt):
https://github.com/broala/bro-shellshock

I've added these Bro scripts to our securityonion-bro-scripts package and submitted the package for testing:
https://groups.google.com/forum/#!topic/security-onion-testing/kOBEKrhKvTo

If you're not already a member of the security-onion-testing Google Group, please join the group and help us test this new package so we can get it released as quickly as possible.

Thanks!

Bro Notice for ShellShock::Exploit

Bro http.log showing ShellShock::HIT
UPDATE 20140926 14:12
Please see Part 4:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-4-another.html

UPDATE 20140927 08:01
The updated securityonion-bro-scripts package has been released to our stable PPA:
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html

Bash Vulnerability Part 2

Yesterday, a vulnerability in bash was announced and I wrote a quick blog post on updating your Security Onion sensors to the latest version of bash:
http://blog.securityonion.net/2014/09/bash-vulnerability.html

There are most likely other issues, so expect additional updates to bash in the near future.

To monitor your network for exploit attempts, IDS signatures are now available from Snort VRT and Emerging Threats (ET).  Assuming you have PulledPork configured correctly, you should have received the VRT and/or ET rules in your rule update this morning.

https://www.snort.org/advisories/vrt-rules-2014-09-24.html

(copied from link above)
1:31978 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)
1:31977 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)
1:31976 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)
1:31975 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)

http://emergingthreats.net/daily-ruleset-update-summary-09242014/

(copied from link above)
2019231 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI (web_server.rules)
2019232 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers (web_server.rules)
2019233 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body (web_server.rules)
2019234 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2 (web_server.rules)

Also, a Bro script is now available from Critical Stack and Hectaman:
https://github.com/CriticalStack/bro-scripts

UPDATE 20140925 14:04
Here's another Bro script from Broala and Seth Hall:
https://github.com/broala/bro-shellshock

If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

UPDATE 20140925 16:37
Please see Part 3:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html

Wednesday, September 24, 2014

Bash Vulnerability

A vulnerability in bash was announced this morning:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

http://seclists.org/oss-sec/2014/q3/649

You can test your system to see if it's vulnerable using the POC shown here:
https://twitter.com/kbsingh/status/514801829633593345

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
For example:
Vulnerable
Ubuntu has released an updated version of bash to resolve this:
http://www.ubuntu.com/usn/usn-2362-1/

You should install this updated package as soon as possible.  As always, we recommend using "soup" to apply package updates.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the updated package, you can verify using the POC again:
New version of bash
UPDATE 20140925 16:38
Please see Part 2:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-2.html

Tuesday, September 23, 2014

New Bro 2.3.1 packages

Bro 2.3.1 was recently released:
http://blog.bro.org/2014/09/bro-231-release.html

I've packaged Bro 2.3.1 and it has been tested by the following (thanks!):
Eddy Simons
David Zawdie

The new package versions are as follows:

securityonion-bro - 2.3.1-0ubuntu0securityonion1
securityonion-bro-scripts - 20121004-0ubuntu0securityonion27

Issues Resolved

Issue 586: Bro 2.3.1
https://code.google.com/p/security-onion/issues/detail?id=586

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will back up your Bro configuration.  You'll then need to do the following:

  • re-apply any local customizations to the Bro config
  • restart Bro as follows:

sudo nsm_sensor_ps-restart --only-bro

Screenshots
Update Process

Restarting Bro after updating config

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Less than 20 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, September 22, 2014

New securityonion-setup package resolves issue with answer file support

securityonion-setup - 20120912-0ubuntu0securityonion119 should resolve the following issue:

Issue 590: Setup: sosetup.conf SALT="yes"
https://code.google.com/p/security-onion/issues/detail?id=590

This new package has been tested by the following (thanks!):
Eddy Simons

Answer file support is still considered experimental.  You can test it using the instructions here:
https://groups.google.com/d/topic/security-onion-testing/GEMTSVFWkXA/discussion

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Less than 20 seats left for the new 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Friday, September 12, 2014

Security Onion 12.04.5 ISO image now available

We have a new Security Onion 12.04.5 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of September 8, 2014!

It should also resolve the following issues:

Issue 536: ISO: deleting desktop icons for live user sometimes doesn't work properly
https://code.google.com/p/security-onion/issues/detail?id=536

Issue 584: ISO: 14.04 HWE stack (Linux kernel 3.13)
https://code.google.com/p/security-onion/issues/detail?id=584

In short, it's the best release ever!

This new ISO image has been tested by the following (thanks!):
Eddy Simons
David Zawdie

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.  Here's the MD5 for this release:
d1b46b982bf41370515689de82bd81b8

Existing Deployments
If you have existing installations based on a previous 12.04 ISO image, there is no need to download the new 12.04.5 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
$400 off the new 3-day Security Onion class in Richmond VA!
http://blog.securityonion.net/2014/09/400-off-our-new-3-day-security-onion.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-setup package adds answer file support

securityonion-setup - 20120912-0ubuntu0securityonion118 should resolve the following issue:

Issue 587: Setup: allow for automated setup using answer file
https://code.google.com/p/security-onion/issues/detail?id=587

This new package has been tested by the following (thanks!):
Eddy Simons
Karolis

Answer file support is still considered experimental.  You can test it using the instructions here:
https://groups.google.com/d/topic/security-onion-testing/GEMTSVFWkXA/discussion

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
$400 off the new 3-day Security Onion class in Richmond VA!
http://blog.securityonion.net/2014/09/400-off-our-new-3-day-security-onion.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New ossec-hids-server package resolves three issues

ossec-hids-server - 2.8.0-ubuntu10securityonion7 should resolve the following issues:

Issue 412: OSSEC 2.8
https://code.google.com/p/security-onion/issues/detail?id=412

Issue 573: OSSEC increase setmaxagents to 1024
https://code.google.com/p/security-onion/issues/detail?id=573

Issue 330: ossec.conf changes
https://code.google.com/p/security-onion/issues/detail?id=330

This new package has been tested by the following (thanks!):
Brian Kellogg
David Zawdie
Mike Seward

Installation Process

After installing the new OSSEC package, you'll need to double-check /var/ossec/etc/ossec.conf and add back any local customizations.  Also, if you had added any local rules to /var/ossec/rules/local_rules.xml, you'll need to do the following:
sudo cp /var/ossec/rules/local_rules.xml-2.6 /var/ossec/rules/local_rules.xml

You can then restart OSSEC as follows:
sudo service ossec-hids-server restart

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
$400 off the new 3-day Security Onion class in Richmond VA!
http://blog.securityonion.net/2014/09/400-off-our-new-3-day-security-onion.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, September 10, 2014

New securityonion-nsmnow-admin-scripts package resolves two issues

securityonion-nsmnow-admin-scripts 20120724-0ubuntu0securityonion83 should resolve the following issues:

Issue 582: NSM: only run "broctl cron" if Bro is enabled
https://code.google.com/p/security-onion/issues/detail?id=582

This should avoid the situation described here:
https://groups.google.com/d/topic/security-onion/Fo4xQ7VDIyY/discussion

Issue 581: NSM: avoid filling disk if CRIT_DISK_USAGE exceeded in one day
https://code.google.com/p/security-onion/issues/detail?id=581

We still have occasional reports of disks filling up with pcaps.  I've addressed this in 3 ways:

1.  sensor-clean used to run every 5 minutes, but has been changed to run *every* minute.

2.  sensor-clean no longer ignores pcaps from the current day.  If all previous days have been removed, then it will go into the current day's directory and remove pcaps one at a time until EITHER disk is no longer critical OR there are no pcaps remaining.

3.  If sensor-clean determines that there are no pcaps remaining to purge but disk is still critical, then it will stop netsniff-ng.
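The three-step purge order above as an added example: a constructed POSIX shell model, not the Security Onion sensor-clean script. It uses the dailylogs/YYYY-MM-DD/snort.log.<epoch> layout, simulates disk usage as pcap bytes plus a fixed OTHER_BYTES of non-pcap data, and stop_netsniff_ng only records that the sniffer would be stopped; the dates, sizes and thresholds are all constructed.

```shell
#!/bin/sh
# Added example: a constructed model of the three-step purge order above.
# It is not the Security Onion sensor-clean script. "Disk usage" is simulated
# as pcap bytes plus OTHER_BYTES (everything else on the disk), so the script
# runs offline inside a temporary directory.

DAILYLOGS=""          # set by make_fixture
TODAY="2014-09-10"    # constructed "current day"
OTHER_BYTES=500       # constructed non-pcap data that purging cannot touch
CRIT_BYTES=0          # simulated CRIT_DISK_USAGE threshold, in bytes
NETSNIFF_STOPPED=0    # set to 1 when step 3 fires

# Bytes held by every pcap still on disk (0 when none remain).
pcap_bytes() {
    cat "$DAILYLOGS"/*/* 2>/dev/null | wc -c | tr -d ' '
}

remaining_pcaps() {
    find "$DAILYLOGS" -type f | wc -l | tr -d ' '
}

# Simulated "disk usage exceeds CRIT_DISK_USAGE".
disk_critical() {
    [ $(( $(pcap_bytes) + OTHER_BYTES )) -gt "$CRIT_BYTES" ]
}

# Stand-in for stopping the netsniff-ng sniffer; it only records the event.
stop_netsniff_ng() {
    NETSNIFF_STOPPED=1
    echo "no pcaps left and disk still critical: stopping netsniff-ng"
}

sensor_clean() {
    # Step 1: purge whole previous-day directories, oldest first, while critical.
    for daydir in "$DAILYLOGS"/*/; do
        [ -d "$daydir" ] || continue
        day=$(basename "$daydir")
        [ "$day" = "$TODAY" ] && continue
        disk_critical || return 0
        echo "removing previous day $day"
        rm -rf "$daydir"
    done
    # Step 2: previous days are gone; remove the current day's pcaps one at a
    # time, oldest first, until the disk is no longer critical or none remain.
    for pcap in "$DAILYLOGS/$TODAY"/snort.log.*; do
        [ -f "$pcap" ] || break
        disk_critical || return 0
        echo "removing $(basename "$pcap")"
        rm -f "$pcap"
    done
    # Step 3: nothing left to purge and still critical: stop the sniffer so it
    # cannot fill the disk any further.
    if disk_critical; then
        stop_netsniff_ng
    fi
}

# Build a constructed tree under $1: two previous days (2 pcaps each) and
# today (3 pcaps), every pcap exactly 1000 bytes, 7000 bytes in total.
make_fixture() {
    DAILYLOGS="$1/dailylogs"
    epoch=1410134400
    for day in 2014-09-08 2014-09-09 "$TODAY"; do
        mkdir -p "$DAILYLOGS/$day"
        n=2; [ "$day" = "$TODAY" ] && n=3
        i=0
        while [ "$i" -lt "$n" ]; do
            printf '%01000d' 0 > "$DAILYLOGS/$day/snort.log.$epoch"
            epoch=$((epoch + 3600)); i=$((i + 1))
        done
    done
}

# Run one scenario against a fresh fixture with the given byte threshold.
run_demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    CRIT_BYTES=$1
    NETSNIFF_STOPPED=0
    sensor_clean
    echo "threshold $CRIT_BYTES: pcaps remaining $(remaining_pcaps), netsniff-ng stopped $NETSNIFF_STOPPED"
    rm -rf "$tmp"
}

run_demo 3400   # two old days plus one of today's pcaps go, then disk is fine
run_demo 400    # OTHER_BYTES alone exceeds the threshold: all pcaps go, sniffer stopped
```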

This new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
$400 off the new 3-day Security Onion class in Richmond VA!
http://blog.securityonion.net/2014/09/400-off-our-new-3-day-security-onion.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-networkminer package

NetworkMiner 1.6.1 was recently released:
http://www.netresec.com/?page=Blog&month=2014-06&post=NetworkMiner-1-6-Released

I've packaged NetworkMiner 1.6.1 and the new package has been tested by the following (thanks!):
Brian Kellogg
David Zawdie

Issues Resolved

Issue 553: NetworkMiner 1.6.1
https://code.google.com/p/security-onion/issues/detail?id=553

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
$400 off the new 3-day Security Onion class in Richmond VA!
http://blog.securityonion.net/2014/09/400-off-our-new-3-day-security-onion.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Tuesday, September 9, 2014

New securityonion-et-rules package

I've updated our securityonion-et-rules package in preparation for our upcoming 12.04.5 ISO image.  This is a static set of free NIDS rules from Emerging Threats that is only used if you have LOCAL_NIDS_RULE_TUNING=yes in /etc/nsm/securityonion.conf (most users should have LOCAL_NIDS_RULE_TUNING=no which causes PulledPork to download updated rules from the Internet).

This package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 572: securityonion-et-rules: update for new ISO
https://code.google.com/p/security-onion/issues/detail?id=572

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
$400 off the new 3-day Security Onion class in Richmond VA!
http://blog.securityonion.net/2014/09/400-off-our-new-3-day-security-onion.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New pcap samples package securityonion-samples-jackcr

Jack Crook provided a fun pcap (thanks Jack!):
https://twitter.com/dougburks/status/494829729523171328

I've put the pcap into a new package called securityonion-samples-jackcr, which will install the pcap to:
/opt/samples/jackcr/

This package has been tested by the following (thanks!):
Brian Kellogg
David Zawdie

Issues Resolved

Issue 568: New package securityonion-samples-jackcr
https://code.google.com/p/security-onion/issues/detail?id=568

Installation
This package will be included in the upcoming 12.04.5 ISO image, but it's an optional package so it won't automatically install on existing installations.  If you'd like to install this package onto your existing installation, you can use the graphical Update Manager or the following one-liner:
sudo apt-get update && sudo apt-get install securityonion-samples-jackcr

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
$400 off the new 3-day Security Onion class in Richmond VA!
http://blog.securityonion.net/2014/09/400-off-our-new-3-day-security-onion.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Monday, September 8, 2014

$400 off our new 3-day Security Onion Training Class in Richmond VA

Our Security Onion training class is expanding to 3 days!  This new class will debut in Richmond VA next month.  If you register by Friday September 19, you can use the following discount code for $400 off!

early-bird-23698

For more details and to register, please see:
https://security-onion-class-20141020.eventbrite.com/

If you have any questions, please use the Contact link on the bottom of the Eventbrite page.