Saturday, December 19, 2015

BDR2: ISO Testers Wanted!

I recently announced our move towards Ubuntu 14.04, called the Big Distro Rebuild 2 (BDR2):
http://blog.securityonion.net/2015/09/bdr2-electric-boogaloo-towards-ubuntu.html
http://blog.securityonion.net/2015/10/bdr2-progress-report-towards-ubuntu-1404.html
http://blog.securityonion.net/2015/11/bdr2-testers-wanted.html

I'm pleased to report that an ALPHA version of our new ISO image is now available!


We need your help!

If you haven't already, please join our security-onion-testing mailing list and follow the testing procedures here:
https://groups.google.com/d/topic/security-onion-testing/Lma3vCYQMgw/discussion

Thanks in advance for your time and effort!

Tuesday, October 13, 2015

BDR2 Progress Report (towards Ubuntu 14.04)

I recently announced our move towards Ubuntu 14.04, called the Big Distro Rebuild 2 (BDR2):
http://blog.securityonion.net/2015/09/bdr2-electric-boogaloo-towards-ubuntu.html

I'm pleased to report that BDR2 is coming along quite nicely!

What works?
At this point, the securityonion-all metapackage and all of its dependencies should install correctly on Ubuntu 14.04 and most of the software should work correctly.

What doesn't work?
Xplico and Salt haven't been moved over yet.  There may be a few other optional packages which haven't been fully tested yet.

How can we help?
We're going to need lots of help testing all of these packages over the next few months, so if you'd like to contribute back to the community, please join the security-onion-testing mailing list and then see the following threads:
https://groups.google.com/d/topic/security-onion-testing/voIjY2OYjtc/discussion
https://groups.google.com/d/topic/security-onion-testing/dXd0qq5HP3c/discussion
https://groups.google.com/d/topic/security-onion-testing/N9DAGuvqSoo/discussion

Thanks!

What's new?
Most things are staying the same, although we're updating ELSA to the latest version which includes new animated charts and dashboards using charts.js.

Screenshots
Dashboard showing top DNS, HTTP, and SSL requests, followed by the individual dashboards:
Connections - Top Services
DHCP - DHCP Servers
DNS - Top Return Code
Files - MIME Types
Files - Sources
FTP - Top Commands
HTTP - Top Ports
HTTP - MIME Types
HTTP - Top Sites
HTTP - Sites Hosting EXEs
HTTP - Sites Hosting JARs
HTTP - Sites Hosting SWFs
HTTP - Sites Hosting ZIPs
Kerberos - Top Services
Notice - Top Notice Types
SMTP - Top Subjects
Software - Software Detected by Bro
SSL - Top SSL Versions
X.509 - Key Length

Monday, October 12, 2015

Thursday, September 17, 2015

BDR2: Electric Boogaloo (towards Ubuntu 14.04)

If you've been in the Security Onion community for a few years, you may remember that back in 2012 we embarked on a project called BDR (Big Distro Rebuild) to put all of our software into true Ubuntu packages designed for Ubuntu 12.04:
https://groups.google.com/d/topic/security-onion-testing/kOib06_QMPU/discussion

It's now time to rebuild all of those packages for Ubuntu 14.04, so I'm calling this BDR2.  As mentioned at the Security Onion Conference, I'm hoping to get all this work done by Christmas, but no promises!

I've done some initial work to get the securityonion-client metapackage to install cleanly on Ubuntu 14.04.
Screenshot: Sguil client running on Ubuntu 14.04
I'll soon start working on the securityonion-sensor and securityonion-server metapackages.

Help Wanted

We're going to need lots of help testing all of these packages over the next few months, so if you'd like to contribute back to the community, please join the security-onion-testing mailing list and then see the following thread:
https://groups.google.com/d/topic/security-onion-testing/voIjY2OYjtc/discussion

Thanks!

Wednesday, September 16, 2015

Slides from Security Onion Conference

This year's Security Onion Conference was an overwhelming success!  Thanks to all of the great speakers that made it such a great event!

In case you missed it, here are some of the slide decks that have been shared:

Todd Heberlein
Looking Back Over a Quarter Century of Network Monitoring
http://www.toddheberlein.com/blog/2015/9/11/security-onion-conference-presentation

Seth Hall
Detect it Once
Slides
https://drive.google.com/file/d/0BzQ65xrcMwNEYU4yQnV0QmYzX2s/view?usp=sharing
http-slow-read.bro
https://drive.google.com/file/d/0BzQ65xrcMwNEUFdwUm9laHdDN3M/view?usp=sharing

Martin Holste
Security Event Data in the OODA Loop Model
https://prezi.com/qzar9ip-zlvt/security-event-data-in-the-ooda-loop-model/

Chris Sistrunk
Industrially Hardened Security Onion Sensor
http://www.slideshare.net/chrissistrunk/def-con-23-nsm-101-for-ics

Josh Brower
Using Sysmon to Enrich Security Onion's Host-Level Capabilities
http://defensivedepth.com/2015/09/11/socaugusta-deck-sysmon-security-onion-integration/

Chris Montgomery
Threat Intel Powered IDS
https://drive.google.com/file/d/0B4apMwOBMmVUOXE0c0dDdWc1U0k/view?usp=sharing

Monday, September 14, 2015

Saturday, September 12, 2015

Security Onion 12.04.5.3 ISO image now available

We have a new Security Onion 12.04.5.3 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of August 25, 2015!

This resolves the following issue:

Issue 795: 12.04.5.3 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/795

This new ISO image has been tested by the following (thanks!):
James Taylor

Installation Guide
I've updated the Installation guide to reflect the download locations for the new 12.04.5.3 ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Checksums
As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

md5sum 38ee2cf19f884f0916b076163aab58a5

sha1sum 19544c73cef9a3799d9bc4b7fcd1b80b9e84056c

sha256sum 52b795b44fc0ae1a7dcabb3cef1d266877b54f9545aa213312904a75c2dd1352

Existing Deployments
If you have existing installations based on a previous ISO image, there is no need to download the new 12.04.5.3 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Friday, September 11, 2015

New securityonion-elsa-extras and securityonion-web-page packages add support for new Bro 2.4 logs

The recent Bro 2.4 package includes some new Bro logs such as mysql.log, kerberos.log, rdp.log, pe.log, and sip.log.  These new logs are now parsed properly with the new securityonion-elsa-extras package and the new securityonion-web-page package adds new queries that take advantage of this new parsing.

Here are the updated packages:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion112
securityonion-web-page - 20141015-0ubuntu0securityonion28
These packages have been tested by the following (thanks!):
James Taylor
Josh Brower
Simone Bonetti

These new packages resolve the following issues:

Issue 755: securityonion-elsa-extras: add parser for Bro 2.4 mysql.log
https://github.com/Security-Onion-Solutions/security-onion/issues/755

Issue 756: securityonion-elsa-extras: add parser for Bro 2.4 kerberos.log
https://github.com/Security-Onion-Solutions/security-onion/issues/756

Issue 757: securityonion-elsa-extras: add parser for Bro 2.4 rdp.log
https://github.com/Security-Onion-Solutions/security-onion/issues/757

Issue 758: securityonion-elsa-extras: add parser for Bro 2.4 pe.log
https://github.com/Security-Onion-Solutions/security-onion/issues/758

Issue 759: securityonion-elsa-extras: add parser for Bro 2.4 sip.log
https://github.com/Security-Onion-Solutions/security-onion/issues/759

Issue 780: securityonion-elsa-extras: add parser for IIS logs
https://github.com/Security-Onion-Solutions/security-onion/issues/780

Issue 782: securityonion-elsa-extras: update sysmon parser
https://github.com/Security-Onion-Solutions/security-onion/issues/782

Issue 776: securityonion-elsa-extras: set version 3.3 in syslog-ng.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/776

Issue 796: securityonion-elsa-extras: Add script to fix ELSA syslogs_archive_1 issue
https://github.com/Security-Onion-Solutions/security-onion/issues/796

Issue 801: securityonion-web-page: add queries for Bro kerberos logs
https://github.com/Security-Onion-Solutions/security-onion/issues/801

Issue 802: securityonion-web-page: add queries for Bro mysql logs
https://github.com/Security-Onion-Solutions/security-onion/issues/802

Issue 803: securityonion-web-page: add queries for Bro pe logs
https://github.com/Security-Onion-Solutions/security-onion/issues/803

Issue 804: securityonion-web-page: add queries for Bro rdp logs
https://github.com/Security-Onion-Solutions/security-onion/issues/804

Issue 805: securityonion-web-page: add queries for Bro sip logs
https://github.com/Security-Onion-Solutions/security-onion/issues/805

Issue 794: securityonion-web-page: add DHCP Servers query
https://github.com/Security-Onion-Solutions/security-onion/issues/794

Issue 798: securityonion-web-page: add HTTP sites hosting SWF
https://github.com/Security-Onion-Solutions/security-onion/issues/798

Screenshots
Mysql - Top Arguments
Kerberos - Top Services
PE - Sections
RDP - Result
RDP - Keyboard Layout
RDP - Client Build
SIP - Status Msg

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, August 24, 2015

New NSM and Setup packages

The recent Bro 2.4 package had new default settings for SpoolDir and LogDir in broctl.cfg which required updates to our NSM and Setup scripts.  Pete also submitted a pull request for the NSM scripts:
https://github.com/Security-Onion-Solutions/securityonion-nsmnow-admin-scripts/pull/2

Here are the updated packages:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion122
securityonion-setup - 20120912-0ubuntu0securityonion157
These new packages resolve the following issues:

Issue 797: NSM: update SpoolDir and LogDir in broctl.cfg
https://github.com/Security-Onion-Solutions/security-onion/issues/797

Issue 799: NSM: add stderr redirect to stdout on adduser
https://github.com/Security-Onion-Solutions/security-onion/issues/799

Issue 800: Setup: update SpoolDir and LogDir in broctl.cfg
https://github.com/Security-Onion-Solutions/security-onion/issues/800

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, August 20, 2015

New securityonion-libcapture-tiny-perl package avoids conflict with x2go

Users trying to install x2go have reported conflicts with our securityonion-libcapture-tiny-perl package.  I've updated this package to avoid these conflicts.  The new package version is:
securityonion-libcapture-tiny-perl - 0.22-0ubuntu0securityonion1

This new package resolves the following issue:

Issue 728: securityonion-libcapture-tiny-perl should Provides: libcapture-tiny-perl
https://github.com/Security-Onion-Solutions/security-onion/issues/728

This new package has been tested by Tommy Dew and James Taylor (thanks!).

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, August 19, 2015

New rule-update and Setup packages

You may have previously experienced intermittent issues when the daily cron job runs rule-update to update your NIDS ruleset.  Because all Security Onion sensors around the world run their cron job at the same time, this was causing high load on the rule sites and some downloads would occasionally fail.  I've modified rule-update to avoid this issue and the changes are as follows:

  • no changes when running interactively from a shell (sudo rule-update)
  • no changes for sensor-only installations that have salt enabled as they don't use rule-update anyway
  • when running from a cron job:
    • if running on a master server, rule-update will sleep for a random number of minutes (up to 50) to avoid overwhelming rule update sites
    • if running on a sensor with salt disabled, rule-update will sleep for 60 minutes to allow the master server time to download the rules so that the sensor can then scp them
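
As an added illustration of the scheduling rules just listed (this is not the rule-update script itself; the function name and the MODE/ROLE/SALT arguments are assumptions), the delay decision written out in POSIX sh:

```shell
#!/bin/sh
# Added example (not the Security Onion rule-update script itself): models the
# scheduling rules described above. Function names and the MODE/ROLE/SALT
# arguments are assumptions made for this illustration.

# Portable non-negative random integer: bash provides $RANDOM, dash does not.
random_int() {
    if [ -n "${RANDOM:-}" ]; then
        echo "$RANDOM"
    else
        od -An -N2 -tu2 /dev/urandom | tr -d ' '
    fi
}

# rule_update_delay_minutes MODE ROLE SALT
#   MODE: interactive | cron     ROLE: master | sensor     SALT: yes | no
# Prints how many minutes rule-update should sleep before contacting rule sites.
rule_update_delay_minutes() {
    mode="$1"; role="$2"; salt="$3"
    # Interactive runs (sudo rule-update) are never delayed.
    if [ "$mode" = "interactive" ]; then
        echo 0
        return 0
    fi
    case "$role" in
        master)
            # Spread masters over a 50-minute window (random 0..50) so every
            # deployment does not hit the rule sites in the same minute.
            echo $(( $(random_int) % 51 ))
            ;;
        sensor)
            if [ "$salt" = "yes" ]; then
                # Salt pushes rules to the sensor; rule-update is not used here.
                echo 0
            else
                # Give the master an hour to finish its download before the
                # sensor copies the ruleset from it with scp.
                echo 60
            fi
            ;;
        *)
            echo "unknown role: $role" >&2
            return 1
            ;;
    esac
}

# Demo: the delay each configuration gets (constructed cases).
for cfg in "interactive master no" "cron master no" "cron sensor yes" "cron sensor no"; do
    set -- $cfg
    printf '%-11s %-6s salt=%-3s -> sleep %s min\n' "$1" "$2" "$3" \
        "$(rule_update_delay_minutes "$1" "$2" "$3")"
done
```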

Here are the updated packages:
securityonion-rule-update - 20120726-0ubuntu0securityonion29
securityonion-setup - 20120912-0ubuntu0securityonion156

These new packages resolve the following issues:

Issue 724: /etc/cron.d/rule-update should avoid overwhelming rule sites
https://github.com/Security-Onion-Solutions/security-onion/issues/724

Issue 791: sosetup: change rule-update verbiage
https://github.com/Security-Onion-Solutions/security-onion/issues/791

These new packages have been tested by Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, August 18, 2015

Snort 2.9.7.5 now available for Security Onion!

Snort 2.9.7.5 was recently released:
http://blog.snort.org/2015/07/snort-2975-is-now-available-on-snortorg.html

I've updated our Snort packages:
securityonion-snort - 2.9.7.5-0ubuntu0securityonion1
securityonion-daq - 2.0.6-0ubuntu0securityonion1

These new packages resolve the following issues:

Issue 784: Snort 2.9.7.5
https://github.com/Security-Onion-Solutions/security-onion/issues/784

Issue 788: DAQ 2.0.6
https://github.com/Security-Onion-Solutions/security-onion/issues/788

These new packages have been tested by James Taylor and Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update
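
An added helper, not part of the Security Onion packages, that shows the migration and the follow-up check the steps above call for: it copies HOME_NET and EXTERNAL_NET from snort.conf.bak into the new snort.conf and then lists the remaining customizations still to re-apply. Function names and the sample configs are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not the Security Onion package scripts: migrates HOME_NET and
# EXTERNAL_NET from a backed-up snort.conf.bak into a freshly installed
# snort.conf, then lists the other local customizations still to re-apply.
# Function names and the sample configs are constructed for this illustration.

# net_var FILE VAR -> prints the value of "ipvar VAR ..." in FILE (first match)
net_var() {
    sed -n "s/^ipvar $2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# migrate_net_vars BAK NEW
#   Copies the HOME_NET and EXTERNAL_NET values from BAK into NEW in place.
migrate_net_vars() {
    bak="$1"; new="$2"
    for var in HOME_NET EXTERNAL_NET; do
        val=$(net_var "$bak" "$var")
        [ -n "$val" ] || continue
        # Escape characters that are special in a sed replacement (& / \).
        esc=$(printf '%s' "$val" | sed 's#[&/\]#\\&#g')
        sed "s/^ipvar $var[[:space:]].*/ipvar $var $esc/" "$new" > "$new.tmp" \
            && mv "$new.tmp" "$new"
    done
}

# conf_lines FILE -> FILE without comment lines, blank lines and trailing spaces
conf_lines() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# list_local_customizations BAK NEW
#   Prints the directive lines present in BAK but absent from NEW; after
#   migrate_net_vars these are exactly the customizations to re-apply by hand.
list_local_customizations() {
    bak="$1"; new="$2"
    conf_lines "$new" > "$new.lines"
    conf_lines "$bak" | grep -vxF -f "$new.lines" || true
    rm -f "$new.lines"
}

# Demo on constructed files (not real Security Onion configs).
tmp=$(mktemp -d)
cat > "$tmp/snort.conf.bak" <<'EOF'
# constructed backup of a customized snort.conf
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080,8443]
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
EOF
cat > "$tmp/snort.conf" <<'EOF'
# constructed snort.conf as shipped by the updated package
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
EOF
migrate_net_vars "$tmp/snort.conf.bak" "$tmp/snort.conf"
echo "HOME_NET is now: $(net_var "$tmp/snort.conf" HOME_NET)"
echo "Still to re-apply by hand:"
list_local_customizations "$tmp/snort.conf.bak" "$tmp/snort.conf"
rm -rf "$tmp"
```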

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, August 17, 2015

Snorby 2.6.3 package now available (final update before it is removed from Security Onion)

Snorby 2.6.3 was recently released to resolve some XSS issues:
https://github.com/Snorby/snorby/commit/5a3a33cf496b66be7ef4bd7d3cce0a996e1d2112

I've packaged Snorby 2.6.3 and the new package version is as follows:
securityonion-snorby - 20150704-0ubuntu0securityonion5

This new package has been tested by James Taylor.  Thanks, James!

PLEASE NOTE!  This will most likely be our last Snorby package update.  The creator and lead developer of Snorby has left the project and so Snorby is now considered unmaintained.  Snorby will be removed from Security Onion in the future and so you should begin transitioning to Squert, Sguil, and/or ELSA.  If you'd like to go ahead and disable Snorby in your existing deployment, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/DisablingProcesses#disabling-snorby

Issues Resolved

Issue 766: Snorby 2.6.3
https://github.com/Security-Onion-Solutions/security-onion/issues/766

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, August 6, 2015

Monday, August 3, 2015

Bro 2.4 now available for Security Onion!

Bro 2.4 was recently released:
http://blog.bro.org/2015/06/bro-24-released.html

I've packaged Bro 2.4 and updated the securityonion-bro-scripts, securityonion-elsa-extras, and securityonion-capme packages.  The new packages are as follows:
securityonion-bro - 2.4-0ubuntu0securityonion2
securityonion-bro-scripts - 20121004-0ubuntu0securityonion43
securityonion-elsa-extras - 20131117-1ubuntu0securityonion99
securityonion-capme - 20121213-0ubuntu0securityonion23
These packages resolve the following issues:

Issue 743: Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/743

Issue 752: securityonion-bro-scripts: update sensortab.bro for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/752

Issue 753: securityonion-bro-scripts: update shellshock module for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/753

Issue 754: securityonion-bro-scripts: update extract.bro for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/754

Issue 762: securityonion-elsa-extras: update bro_conn parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/762

Issue 765: securityonion-elsa-extras: update bro_intel parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/765

Issue 768: securityonion-elsa-extras: update bro_ssl parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/768

Issue 774: securityonion-elsa-extras: update bro_ssh parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/774

Issue 773: securityonion-elsa-extras: add Windows and Cisco parsers from Brian Kellogg
https://github.com/Security-Onion-Solutions/security-onion/issues/773

Issue 793: CapMe: Update for Bro 2.4 conn.log
https://github.com/Security-Onion-Solutions/security-onion/issues/793

These packages have been tested by the following (thanks!):
James Taylor
Jay Swan
Heine Lysemose
Tommy Dew
Brian Kellogg

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

UPDATED 2015-08-10 to add securityonion-capme, which also required an update due to the new field in the Bro 2.4 conn.log.

Wednesday, July 29, 2015

New securityonion-web-page package resolves two issues

I've updated the securityonion-web-page package to resolve two issues.  The new package version is as follows:
securityonion-web-page - 20141015-0ubuntu0securityonion27

Issues Resolved

Issue 767: securityonion-web-page: add SSL Top Subjects query
https://github.com/Security-Onion-Solutions/security-onion/issues/767

Issue 775: securityonion-web-page: add groupby:site to ELSA HTTP SQL Injection query
https://github.com/Security-Onion-Solutions/security-onion/issues/775

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, July 28, 2015

New securityonion-setup package allows you to disable Snorby

I've updated the Setup package to resolve several issues, including allowing you to disable Snorby.  It should work as follows:

  • choosing Quick Setup still defaults to enabling Snorby automatically.  It will automatically set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf and enable the snorby output in /etc/nsm/HOSTNAME-INTERFACE/barnyard2-1.conf.
  • choosing Advanced Setup and then Server will ask if you want to enable or disable Snorby.  If you choose yes, it will set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf.  Otherwise, it will set SNORBY_ENABLED=no.
  • choosing Advanced Setup and then Standalone will ask if you want to enable or disable Snorby.  If you choose yes, it will set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf and enable the snorby output in all /etc/nsm/*/barnyard*.conf files.  If you instead choose no, it will set SNORBY_ENABLED=no and disable (comment out) the snorby output in all /etc/nsm/*/barnyard*.conf files.
  • choosing Sensor will check /etc/nsm/securityonion.conf on the master server to see if SNORBY_ENABLED=no and, if so, disable (comment out) the Snorby output in all /etc/nsm/*/barnyard*.conf files.
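
To make the four cases concrete, here is an added sh model of the switch (not the sosetup code itself; the function names and the exact form of the barnyard2 snorby output line are assumptions):

```shell
#!/bin/sh
# Added example, not the sosetup script itself: reproduces the Snorby switch
# described above on constructed config files. Function names and the exact
# form of the barnyard2 "snorby" output line are assumptions.

# set_snorby_enabled CONF yes|no
#   Writes SNORBY_ENABLED=yes|no to CONF, replacing an existing line or appending.
set_snorby_enabled() {
    conf="$1"; value="$2"
    case "$value" in
        yes|no) ;;
        *) echo "value must be yes or no" >&2; return 1 ;;
    esac
    if grep -q '^SNORBY_ENABLED=' "$conf"; then
        sed "s/^SNORBY_ENABLED=.*/SNORBY_ENABLED=$value/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        echo "SNORBY_ENABLED=$value" >> "$conf"
    fi
}

# set_barnyard_snorby BY2CONF on|off
#   on: uncomment "#output database: ... snorby" lines; off: comment them out.
#   Both directions are idempotent, so re-running Setup is safe.
set_barnyard_snorby() {
    by2="$1"; state="$2"
    case "$state" in
        on)  sedexpr='s/^#\([[:space:]]*output database:.*snorby.*\)$/\1/' ;;
        off) sedexpr='s/^\([[:space:]]*output database:.*snorby.*\)$/#\1/' ;;
        *)   echo "state must be on or off" >&2; return 1 ;;
    esac
    sed "$sedexpr" "$by2" > "$by2.tmp" && mv "$by2.tmp" "$by2"
}

# snorby_outputs_active BY2CONF -> number of uncommented snorby output lines
snorby_outputs_active() {
    grep -c '^[[:space:]]*output database:.*snorby' "$1" || true
}

# apply_snorby_choice ROLE CHOICE SOCONF BY2CONF...
#   server:     only records the choice in securityonion.conf
#   standalone: records the choice and toggles every barnyard2 config given
#   sensor:     SOCONF is the master's securityonion.conf; the outputs are
#               disabled only when it says SNORBY_ENABLED=no
apply_snorby_choice() {
    role="$1"; choice="$2"; soconf="$3"; shift 3
    case "$role" in
        server)
            set_snorby_enabled "$soconf" "$choice" ;;
        standalone)
            set_snorby_enabled "$soconf" "$choice"
            for f in "$@"; do
                if [ "$choice" = "yes" ]; then
                    set_barnyard_snorby "$f" on
                else
                    set_barnyard_snorby "$f" off
                fi
            done ;;
        sensor)
            if grep -q '^SNORBY_ENABLED=no' "$soconf"; then
                for f in "$@"; do set_barnyard_snorby "$f" off; done
            fi ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
}

# Demo on constructed files (not real Security Onion configs).
tmp=$(mktemp -d)
cat > "$tmp/securityonion.conf" <<'EOF'
# constructed sample
SNORBY_ENABLED=yes
EOF
cat > "$tmp/barnyard2-1.conf" <<'EOF'
# constructed sample barnyard2 config
output sguil: sensor_name=sensor1-eth1 agent_port=7736
output database: alert, mysql, user=snorby password=CHANGEME dbname=snorby host=localhost
EOF
apply_snorby_choice standalone no "$tmp/securityonion.conf" "$tmp/barnyard2-1.conf"
grep '^SNORBY_ENABLED' "$tmp/securityonion.conf"
grep 'snorby' "$tmp/barnyard2-1.conf"
echo "active snorby outputs: $(snorby_outputs_active "$tmp/barnyard2-1.conf")"
rm -rf "$tmp"
```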

Snorby is going away in the future and so you should begin transitioning to Squert, Sguil, and/or ELSA.  If you'd like to disable Snorby in your existing deployment, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/DisablingProcesses#disabling-snorby

The new package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion155

Issues Resolved

Issue 769: sosetup: allow user to enable/disable Snorby
https://github.com/Security-Onion-Solutions/security-onion/issues/769

Issue 596: sosetup: sensor should stop/disable Apache and Snorby worker
https://github.com/Security-Onion-Solutions/security-onion/issues/596

Issue 693: sosetup: improve input validation for email address
https://github.com/Security-Onion-Solutions/security-onion/issues/693

Issue 764: sosetup: fix typo in sosetup.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/764

Issue 605: sosetup: replace tmp with mktemp
https://github.com/Security-Onion-Solutions/security-onion/issues/605

Issue 771: sosetup: comment out 2 examples in top.sls
https://github.com/Security-Onion-Solutions/security-onion/issues/771

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, July 10, 2015

Registration for the 2015 Security Onion Conference is now open

Registration for the 2015 Security Onion Conference in Augusta GA is now open!
http://security-onion-conference-2015.eventbrite.com/

New securityonion-sguil-agent-ossec package resolves an issue

Brian Kellogg sent in a patch for the securityonion-sguil-agent-ossec package to parse syslog IP addresses.  Thanks, Brian!

The new package version is as follows:
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion16

Issues Resolved
Issue 760: ossec_agent: Add source of syslog as destination IP for Sguil alert
https://github.com/Security-Onion-Solutions/security-onion/issues/760

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, July 9, 2015

New securityonion-tcpudpflow package resolves an issue

I've updated the securityonion-tcpudpflow package to improve the formatting of the Bro transcript option when processing UDP (primarily DNS) traffic.  The new package version is as follows:
securityonion-tcpudpflow - 001-0ubuntu0securityonion3

Screenshots
The Bro transcript option now clearly shows 3 separate sections: "Bro UDP output from SRC", "Bro UDP output from DST", and "Bro DNS analyzer output".

Issues Resolved
Issue 761: securityonion-tcpudpflow: remove connection_state_remove event handler
https://github.com/Security-Onion-Solutions/security-onion/issues/761

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, July 8, 2015

New sostat package resolves an issue

I've updated the sostat package to resolve an issue.  The new package version is as follows:
securityonion-sostat - 20120722-0ubuntu0securityonion35

Issues Resolved
Issue 763: sostat: show last update
https://github.com/Security-Onion-Solutions/security-onion/issues/763

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, July 6, 2015

Security Onion 12.04.5.2 ISO image now available

We have a new Security Onion 12.04.5.2 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of June 17, 2015!

This resolves the following issue:

Issue 733: 12.04.5.2 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/733

This new ISO image has been tested by the following (thanks!):
Shane Castle
James Taylor
Robert Bardo
Jeff Tehovnik
Jay Holmes
LeeJR

Training
This new ISO image will be used in our upcoming class in the Washington DC area:
http://security-onion-class-20150810.eventbrite.com/

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.2 ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

MD5 e35846293dcecf76e5b8d39f6d48c9de
SHA1 a8c04e9bde175425835537cb3d9b336e2614a363
SHA256 53a775a746bf64ea5b3b689aded3f0b288bc86de5e7cd1057358307b93bc6b5f
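As an added example (not part of the original post or the Installation guide), a small POSIX shell helper that performs the checksum verification requested above, comparing a downloaded ISO against the published SHA256 digest before it is used for an install:

```shell
#!/bin/sh
# Added example, not Security Onion's own code: verify a downloaded ISO against
# the SHA256 digest published in the release post before installing from it.
# Usage: verify_iso /path/to/securityonion.iso <expected sha256 from the post>

# sha256_of FILE: print the hex digest, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_iso FILE EXPECTED: returns 0 only when the digests match exactly.
# The expected value is lower-cased so a copy-pasted upper-case digest still compares.
# Returns 2 when the file cannot be read, 1 on a mismatch.
verify_iso() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify_iso: cannot read $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

A non-zero exit is the signal to discard the download rather than boot it; the digest values themselves should be taken from the release post, as listed above.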

Existing Deployments
If you have existing installations based on a previous ISO image, there is no need to download the new 12.04.5.2 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Monday, June 29, 2015

OSSEC 2.8.2 now available!

OSSEC 2.8.2 was recently released:
http://www.ossec.net/?p=1198

I've packaged OSSEC 2.8.2 and the new package version is as follows:

ossec-hids-server - 2.8.2-ubuntu10securityonion2

The new package has been tested by the following (thanks!):
James Taylor
Shane Castle

Issues Resolved

Issue 745: OSSEC 2.8.2
https://github.com/Security-Onion-Solutions/security-onion/issues/745

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

After installing the new OSSEC package, you'll need to double-check /var/ossec/etc/ossec.conf and add back any local customizations.  You can then restart OSSEC as follows:
sudo service ossec-hids-server restart

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, June 19, 2015

New Setup package resolves an issue

I've updated our Setup package and the new package is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion142

This new package resolves the following issue:

Issue 744: sosetup: Restart Apache to activate new ELSA apikey
https://github.com/Security-Onion-Solutions/security-onion/issues/744

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 18, 2015

New NSM package resolves an issue

Pete sent a patch for the nsm-watchdog cron job that should help avoid a race condition.  I've applied the patch and the new package is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion120

This new package resolves the following issue:

Issue 751: NSM: change watchdog run time to avoid race condition
https://github.com/Security-Onion-Solutions/security-onion/issues/751

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

4-day Security Onion Training in the Washington DC area

The next run of our expanded 4-day Security Onion class will be in the Washington DC area in August!

For more details and to register, please see:
http://security-onion-class-20150810.eventbrite.com/

Wednesday, June 17, 2015

New ELSA packages resolve three issues

ELSA 1205 packages were recently released:
http://blog.securityonion.net/2015/06/elsa-1205-now-available.html

A few issues were found so I've built these new packages:

securityonion-elsa - 1205-1ubuntu0securityonion5
securityonion-elsa-extras - 20131117-1ubuntu0securityonion91

These new packages resolve the following issues:

Issue 746: ELSA 1205 package enabled perl module on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/746

Issue 747: ELSA 1205 package duplicated syslog-ng.conf entries on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/747

Issue 748: ELSA 1205 package didn't add the pid column to the query_log table for upgrades
https://github.com/Security-Onion-Solutions/security-onion/issues/748

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

New tcltls package resolves OpenSSL issue

Recent OpenSSL changes prevented the default Debian/Ubuntu tcltls package from working properly, so I've built a new one:
tcltls - 1.5.0.dfsg-10build1securityonion2

This new package resolves the following issue:

Issue 749: Update tcl-tls package and replace DH512 key with DH2048
https://github.com/Security-Onion-Solutions/security-onion/issues/749

This new package has been tested by the following (thanks!):
Shane Castle
James Taylor
Larry Layten
hakawarrior

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you continue to have issues with the Sguil client/agents connecting to sguild, you may need to restart services:
sudo service nsm restart

and/or reboot:
sudo reboot

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 11, 2015

Please do not update until further notice! Ubuntu SSL packages seem to cause issues.

UPDATE 2015/06/17 08:52
All clear! You may safely resume your normal "soup" updates! New tcl-tls package resolves the OpenSSL issue:
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

UPDATE 2015/06/12 7:18
Please see the following mailing list thread for updated information:
https://groups.google.com/d/topic/security-onion/E7HdGGUuq6c/discussion

New securityonion-nsmnow-admin-scripts package resolves an issue

If you're running salt, you may have noticed that if you run a command like this:
sudo salt '*' cmd.run 'service nsm status'
you get some garbled output as the bash color codes aren't interpreted by salt.  I've updated the NSM scripts to only output these color codes if they are running on a tty.  The result looks much better:

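The tty check described above, as an added example in POSIX shell (not the actual NSM scripts): color is emitted only when stdout is a terminal, so output captured by salt, cron or a pipe stays clean, and a small filter strips escape codes from output produced by older scripts that always colored.

```shell
#!/bin/sh
# Added example, not the Security Onion NSM scripts themselves: print status
# lines with ANSI color only when stdout is a terminal, so output captured by
# salt, cron or a pipe contains no escape codes.

# color_enabled: true only when stdout is a tty and the terminal is not "dumb".
color_enabled() {
    [ -t 1 ] && [ "${TERM:-dumb}" != "dumb" ]
}

# status_line STATE LABEL: e.g. "status_line OK sguild" prints "[ OK ] sguild",
# green for OK and red for FAIL when color_enabled says so, plain otherwise.
status_line() {
    state=$1
    label=$2
    if color_enabled; then
        case "$state" in
            OK)   printf '\033[32m[ %s ]\033[0m %s\n' "$state" "$label" ;;
            FAIL) printf '\033[31m[ %s ]\033[0m %s\n' "$state" "$label" ;;
            *)    printf '[ %s ] %s\n' "$state" "$label" ;;
        esac
    else
        printf '[ %s ] %s\n' "$state" "$label"
    fi
}

# strip_color: remove ANSI SGR sequences from stdin, for cleaning output from a
# script that colors unconditionally (the garbled salt output case in the post).
strip_color() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g"
}
```

Running `status_line OK sguild` interactively shows a green tag, while `status_line OK sguild | cat` prints the plain `[ OK ] sguild` form.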
The new package version is:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion119

Issues Resolved

Issue 732: NSM: only output color codes if running on a tty
https://github.com/Security-Onion-Solutions/security-onion/issues/732

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, June 10, 2015

ELSA 1205 now available!

I've updated our packages to reflect the latest version of ELSA:

securityonion-capme - 20121213-0ubuntu0securityonion21
securityonion-elsa - 1205-1ubuntu0securityonion4
securityonion-elsa-extras - 20131117-1ubuntu0securityonion88
securityonion-libdata-google-visualization-datatable-perl - 0.11-0ubuntu0securityonion1
securityonion-libdata-serializable-perl - 0.41.0-0ubuntu0securityonion1
securityonion-libmodule-pluggable-perl - 5.1-0ubuntu0securityonion1
securityonion-libmoosex-classattribute-perl - 0.27-0ubuntu0securityonion1
securityonion-libnet-ldap-express-perl - 0.12-0ubuntu0securityonion1
securityonion-libnet-openssh-perl - 0.64-0ubuntu0securityonion1
securityonion-libplack-builder-conditionals-perl - 0.05-0ubuntu0securityonion4
securityonion-libplack-middleware-crossorigin-perl - 0.012-0ubunt0securityonion3
securityonion-libsearch-queryparser-sql-perl - 0.010-0ubuntu0securityonion2
securityonion-libsocket-perl - 2.019-0ubuntu0securityonion2
securityonion-libsys-hostname-fqdn-perl - 0.12-0ubuntu0securityonion2
securityonion-libtime-hires-perl - 1.9726-0ubuntu0securityonion2
securityonion-liburi-encode-perl - 1.0.1-0ubuntu0securityonion1
securityonion-liburl-encode-perl - 0.03-0ubuntu0securityonion1
securityonion-setup - 20120912-0ubuntu0securityonion141
securityonion-web-page - 20141015-0ubuntu0securityonion25

These new packages resolve the following issues:

Issue 657: ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/657
This version of ELSA fixes many bugs in our previous version of ELSA.

Issue 447: ELSA syslog-ng.conf rewrite r_pipes
https://github.com/Security-Onion-Solutions/security-onion/issues/447
Syslog-ng will now rewrite any vertical pipes found in Bro logs to ensure correct parsing.

Issue 512: ELSA syslog-ng.conf filter f_bro_headers
https://github.com/Security-Onion-Solutions/security-onion/issues/512
Syslog-ng will now filter out headers in Bro logs.

Issue 726: ELSA syslog-ng.conf - add filesystem destinations
https://github.com/Security-Onion-Solutions/security-onion/issues/726
Syslog-ng will now output some logs to their standard filesystem locations.  This allows OSSEC to monitor those logs and detect, for example, SSH brute forcing.

Issue 674: ELSA - update bro_notice parser to parse src and dst fields
https://github.com/Security-Onion-Solutions/security-onion/issues/674
Syslog-ng will now parse src and dst fields out of Bro Notices.

Issue 722: securityonion-web-page: update HTTP mime type queries for ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/722
This fixes some of the existing ELSA queries to work with ELSA 1205 and also adds some new queries.

Issue 723: CapMe: Update for new ELSA API
https://github.com/Security-Onion-Solutions/security-onion/issues/723
CapME now queries the ELSA JSON API and also handles error conditions much more gracefully.

Issue 500: sosetup: restart starman
https://github.com/Security-Onion-Solutions/security-onion/issues/500
When running Setup and choosing sensor-only, starman should now restart properly.

Issue 504: sosetup: avoid writing ELSA_PORT twice in SSH_CONF
https://github.com/Security-Onion-Solutions/security-onion/issues/504
When running Setup and choosing sensor-only, Setup should only write ELSA_PORT in SSH_CONF once.

Issue 547: sosetup: if enabling salt on a sensor, check top.sls to make sure it doesn't already exist
https://github.com/Security-Onion-Solutions/security-onion/issues/547
When re-running Setup on a sensor, it should no longer duplicate the sensor's entry in top.sls on the master server.

Issue 740: sosetup: sensor should use sudo to restart apache on master
https://github.com/Security-Onion-Solutions/security-onion/issues/740
When running Setup and choosing sensor-only and selecting to update the ELSA server, it should now properly restart Apache on the master server using sudo.

Issue 741: sosetup: sometimes local salt-minion doesn't check in with local salt-master quickly enough
https://github.com/Security-Onion-Solutions/security-onion/issues/741
When running Setup and choosing Advanced Setup and then Master-only or Standalone and enabling Salt, Setup should now check to see if the salt-minion has checked in every second, waiting up to 60 seconds before timing out.

These new packages have been tested by the following (thanks!):
Simone Bonetti
Brian Kellogg
David Zawdie
Heine Lysemose

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Screenshots
Update process

"About ELSA" now shows ELSA Rev 1205

New ELSA Query "HTTP: Sites Hosting JARs"

New ELSA Query "HTTP: Sites Hosting ZIPs"

Syslog-ng should now replace vertical pipes in Bro logs to allow more consistent parsing

Bro Scanning Notices should now be parsed correctly

CapME now uses the ELSA JSON API and provides better error handling

Syslog-ng now outputs certain logs to their standard filesystem locations, allowing OSSEC to monitor for SSH brute force

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!
