Our Security Onion onsite class is expanding to 4 days! This first 4-day session will be in Atlanta GA.
If you register before February 13, you can use the following discount code for $500 off!
early-bird-41173
For more details and to register, please see:
https://security-onion-class-20150309.eventbrite.com
Thursday, January 29, 2015
Tuesday, January 27, 2015
New NSM/setup/sostat packages
I've updated the NSM, setup, and sostat packages and the new package versions are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion110
securityonion-setup - 20120912-0ubuntu0securityonion130
securityonion-sostat - 20120722-0ubuntu0securityonion32
These new packages have been tested by the following (thanks!):
David Zawdie
Mike Pilkington
Issues Resolved
Issue 663: sosetup: sosetup.conf SGUIL_CLIENT_PASSWORD_1 should say Sguil/Squert/ELSA/Snorby
https://code.google.com/p/security-onion/issues/detail?id=663
Issue 664: sosetup: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=664
Issue 666: sostat: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=666
Issue 665: NSM: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=665
Issue 676: NSM: run Sguil as non-root user
https://code.google.com/p/security-onion/issues/detail?id=676
Issue 671: NSM: /etc/cron.d/sensor-clean needs 2>&1
https://code.google.com/p/security-onion/issues/detail?id=671
Release Notes
If you normally restart Bro with "sudo broctl restart", this will restart Bro as root. To restart Bro as a non-root user, please use "sudo nsm_sensor_ps-restart --only-bro" instead.
Screenshots
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion110
securityonion-setup - 20120912-0ubuntu0securityonion130
securityonion-sostat - 20120722-0ubuntu0securityonion32
These new packages have been tested by the following (thanks!):
David Zawdie
Mike Pilkington
Issues Resolved
Issue 663: sosetup: sosetup.conf SGUIL_CLIENT_PASSWORD_1 should say Sguil/Squert/ELSA/Snorby
https://code.google.com/p/security-onion/issues/detail?id=663
Issue 664: sosetup: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=664
Issue 666: sostat: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=666
Issue 665: NSM: run Bro as non-root user
https://code.google.com/p/security-onion/issues/detail?id=665
Issue 676: NSM: run Sguil as non-root user
https://code.google.com/p/security-onion/issues/detail?id=676
Issue 671: NSM: /etc/cron.d/sensor-clean needs 2>&1
https://code.google.com/p/security-onion/issues/detail?id=671
Release Notes
If you normally restart Bro with "sudo broctl restart", this will restart Bro as root. To restart Bro as a non-root user, please use "sudo nsm_sensor_ps-restart --only-bro" instead.
Screenshots
 |
| Update Process |
 |
| After updating, stop all processes with "sudo service nsm stop" and then... |
 |
| ...restart all processes with "sudo service nsm start" so that they will now be running as a non-root user |
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Monday, January 26, 2015
New version of sguil-db-purge helps prevent Sguil uncategorized events from getting out of control
We have a new version of sguil-db-purge which should help prevent your Sguil uncategorized events from getting out of control. sguil-db-purge now adds a new configuration parameter to /etc/nsm/securityonion.conf called UNCAT_MAX (and sets it to 100000 by default). If the number of Sguil uncategorized events is higher than UNCAT_MAX, then sguil-db-purge will categorize the oldest events until UNCAT_MAX is reached.
I've packaged this new version and it has been tested by David Zawdie (thanks!).
The new package version is:
securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion10
Issues Resolved
Issue 672: sguil-db-purge: check for UNCAT_MAX
https://code.google.com/p/security-onion/issues/detail?id=672
Updating
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Screenshots
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
I've packaged this new version and it has been tested by David Zawdie (thanks!).
The new package version is:
securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion10
Issues Resolved
Issue 672: sguil-db-purge: check for UNCAT_MAX
https://code.google.com/p/security-onion/issues/detail?id=672
Updating
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Screenshots
 |
| The next time sguil-db-purge runs, it adds UNCAT_MAX=100000 to /etc/nsm/securityonion.conf |
 |
| If there are less than UNCAT_MAX uncategorized events, no action is necessary |
 |
| If we set UNCAT_MAX to a number smaller than our number of uncategorized events... |
 |
| ...then sguil-db-purge categorizes the oldest events until we get down to UNCAT_MAX |
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Friday, January 23, 2015
Next session of Security Onion 101
The first run of Security Onion 101 sold out quickly, so we're going to run another session of the same class on Thursday, February 5. It will be later in the day to be more convenient for folks on the US West Coast.
For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144
For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144
Tuesday, January 20, 2015
New salt and securityonion-onionsalt packages
SaltStack has updated their salt packages and I've updated our securityonion-onionsalt packages.
New packages:
python-urllib3 - 1.7.1-2~precise+1
python-requests_2.0.0-1
salt - 2014.7.0+ds-2precise3
securityonion-onionsalt - 20140917-0ubuntu0securityonion19
These new packages have been tested by the following (thanks!):
Ryan Peck
David Zawdie
Issues Resolved
Issue 642: Update Salt packages/scripts to 2014.7.0
https://code.google.com/p/security-onion/issues/detail?id=642
Issue 619: Onionsalt: backup /opt/onionsalt/pillar/top.sls
https://code.google.com/p/security-onion/issues/detail?id=619
Issue 661: Onionsalt: replicate /usr/local/lib/snort_dynamicrules/
https://code.google.com/p/security-onion/issues/detail?id=661
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
New packages:
python-urllib3 - 1.7.1-2~precise+1
python-requests_2.0.0-1
salt - 2014.7.0+ds-2precise3
securityonion-onionsalt - 20140917-0ubuntu0securityonion19
These new packages have been tested by the following (thanks!):
Ryan Peck
David Zawdie
Issues Resolved
Issue 642: Update Salt packages/scripts to 2014.7.0
https://code.google.com/p/security-onion/issues/detail?id=642
Issue 619: Onionsalt: backup /opt/onionsalt/pillar/top.sls
https://code.google.com/p/security-onion/issues/detail?id=619
Issue 661: Onionsalt: replicate /usr/local/lib/snort_dynamicrules/
https://code.google.com/p/security-onion/issues/detail?id=661
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Suricata 2.0.6
Suricata 2.0.6 was recently released:
http://suricata-ids.org/2015/01/15/suricata-2-0-6-available/
I've packaged Suricata 2.0.6 and it has been tested by David Zawdie (thanks!).
The new package version is:
securityonion-suricata - 2.0.6-0ubuntu0securityonion1
Issues Resolved
Issue 673: Suricata 2.0.6
https://code.google.com/p/security-onion/issues/detail?id=673
Updating
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
This update will back up each of your existing suricata.yaml files to suricata.yaml.bak. You'll then need to do the following:
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
http://suricata-ids.org/2015/01/15/suricata-2-0-6-available/
I've packaged Suricata 2.0.6 and it has been tested by David Zawdie (thanks!).
The new package version is:
securityonion-suricata - 2.0.6-0ubuntu0securityonion1
Issues Resolved
Issue 673: Suricata 2.0.6
https://code.google.com/p/security-onion/issues/detail?id=673
Updating
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
This update will back up each of your existing suricata.yaml files to suricata.yaml.bak. You'll then need to do the following:
- re-apply any local customizations to suricata.yaml
- update ruleset and restart Suricata as follows:
sudo rule-update
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Wednesday, January 14, 2015
First Online Training Session is next Thursday, January 22
Many folks have asked about online training. Our first online training session will be a 3-hour introduction to Security Onion and will be next Thursday, January 22.
For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144
For more details and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144
Monday, January 12, 2015
New securityonion-samples packages
I've added some new securityonion-samples packages:
securityonion-samples-mta - 20150103-0ubuntu0securityonion1
(from http://malware-traffic-analysis.net/, thanks Brad!)
securityonion-samples-shellshock - 20140926-0ubuntu0securityonion1
(from https://github.com/broala/bro-shellshock, thanks Seth!)
These new packages should resolve the following issue:
Issue 667: New packages for shellshock and malware-traffic-analysis samples
https://code.google.com/p/security-onion/issues/detail?id=667
Screenshots
Installing
The new packages are now available in our stable repo. You'll need to use "sudo apt-get install" to install them as shown in the screenshot above.
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
securityonion-samples-mta - 20150103-0ubuntu0securityonion1
(from http://malware-traffic-analysis.net/, thanks Brad!)
securityonion-samples-shellshock - 20140926-0ubuntu0securityonion1
(from https://github.com/broala/bro-shellshock, thanks Seth!)
These new packages should resolve the following issue:
Issue 667: New packages for shellshock and malware-traffic-analysis samples
https://code.google.com/p/security-onion/issues/detail?id=667
Screenshots
 |
| Installing new samples packages |
 |
| /opt/samples/mta/ directory |
 |
| /opt/samples/shellshock/ directory |
 |
| Using tcpreplay to replay shellshock traffic |
 |
| ELSA showing Bro notice for ShellShock Exploit |
 |
| Using tcpreplay to replay malware-traffic-analysis traffic |
 |
| Sguil alerts from malware-traffic-analysis traffic |
Installing
The new packages are now available in our stable repo. You'll need to use "sudo apt-get install" to install them as shown in the screenshot above.
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Wednesday, January 7, 2015
New ELSA packages parse country code out of Bro conn.log
I've updated the ELSA packages to parse the responder country code out of the Bro conn.log. The new packages are as follows:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion53
securityonion-web-page - 20141015-0ubuntu0securityonion13
These new packages should resolve the following issues:
Issue 656: ELSA: update parser for bro_conn to parse country code
https://code.google.com/p/security-onion/issues/detail?id=656
Issue 659: securityonion-web-page: add ELSA query for bro_conn groupby:resp_country_code
https://code.google.com/p/security-onion/issues/detail?id=659
These new packages have been tested by David Zawdie (thanks!).
Screenshots
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
securityonion-elsa-extras - 20131117-1ubuntu0securityonion53
securityonion-web-page - 20141015-0ubuntu0securityonion13
These new packages should resolve the following issues:
Issue 656: ELSA: update parser for bro_conn to parse country code
https://code.google.com/p/security-onion/issues/detail?id=656
Issue 659: securityonion-web-page: add ELSA query for bro_conn groupby:resp_country_code
https://code.google.com/p/security-onion/issues/detail?id=659
These new packages have been tested by David Zawdie (thanks!).
Screenshots
 |
| Update process |
 |
| Connections - Groupby Resp Country: group connections by responder country code |
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Tuesday, January 6, 2015
New NSM and Setup packages resolve several issues
I've updated the NSM and Setup packages to resolve several issues. The new packages are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion99
securityonion-setup - 20120912-0ubuntu0securityonion127
These new packages should resolve the following issues:
Issue 658: NSM: fix umask on Snort unified2 output
https://code.google.com/p/security-onion/issues/detail?id=658
Issue 548: NSM: run barnyard2 as non-root user
https://code.google.com/p/security-onion/issues/detail?id=548
Issue 649: nsm_all_del_quick: check for /etc/nsm/servertab and /etc/nsm/sensortab before trying to read
https://code.google.com/p/security-onion/issues/detail?id=649
Issue 598: so-snorby-wipe
https://code.google.com/p/security-onion/issues/detail?id=598
Issue 610: NSM: ossec_agent alert level should be configurable
https://code.google.com/p/security-onion/issues/detail?id=610
Issue 660: Setup: add OSSEC_AGENT_LEVEL to /etc/nsm/securityonion.conf
https://code.google.com/p/security-onion/issues/detail?id=660
These new packages have been tested by David Zawdie (thanks!).
Screenshots
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion99
securityonion-setup - 20120912-0ubuntu0securityonion127
These new packages should resolve the following issues:
Issue 658: NSM: fix umask on Snort unified2 output
https://code.google.com/p/security-onion/issues/detail?id=658
Issue 548: NSM: run barnyard2 as non-root user
https://code.google.com/p/security-onion/issues/detail?id=548
Issue 649: nsm_all_del_quick: check for /etc/nsm/servertab and /etc/nsm/sensortab before trying to read
https://code.google.com/p/security-onion/issues/detail?id=649
Issue 598: so-snorby-wipe
https://code.google.com/p/security-onion/issues/detail?id=598
Issue 610: NSM: ossec_agent alert level should be configurable
https://code.google.com/p/security-onion/issues/detail?id=610
Issue 660: Setup: add OSSEC_AGENT_LEVEL to /etc/nsm/securityonion.conf
https://code.google.com/p/security-onion/issues/detail?id=660
These new packages have been tested by David Zawdie (thanks!).
Screenshots
 |
| Run "sudo nsm_sensor_ps-restart" to restart ossec_agent, snort, and barnyard2 |
 |
| /etc/nsm/securityonion.conf now contains OSSEC_AGENT_LEVEL |
 |
| Snort unified2 output now has proper permissions |
 |
| Barnyard2 is now running as a non-root user |
 |
| If you need to wipe the alerts in the Snorby database, you can now use so-snorby-wipe |
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Monday, January 5, 2015
Suricata 2.0.5
Suricata 2.0.5 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/201-suricata-205-available
I've packaged Suricata 2.0.5 and it has been tested by David Zawdie (thanks!).
The new package version is:
securityonion-suricata - 2.0.5-0ubuntu0securityonion1
Issues Resolved
Issue 655: Suricata 2.0.5
https://code.google.com/p/security-onion/issues/detail?id=655
Updating
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
This update will back up each of your existing suricata.yaml files to suricata.yaml.bak. You'll then need to do the following:
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/201-suricata-205-available
I've packaged Suricata 2.0.5 and it has been tested by David Zawdie (thanks!).
The new package version is:
securityonion-suricata - 2.0.5-0ubuntu0securityonion1
Issues Resolved
Issue 655: Suricata 2.0.5
https://code.google.com/p/security-onion/issues/detail?id=655
Updating
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
This update will back up each of your existing suricata.yaml files to suricata.yaml.bak. You'll then need to do the following:
- re-apply any local customizations to suricata.yaml
- update ruleset and restart Suricata as follows:
sudo rule-update
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Thanks!
Subscribe to:
Posts (Atom)