Monday, February 23, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Houston TX

The third run of our newly expanded 4-day Security Onion class will be in Houston TX!

If you register before March 6, you can use the following discount code for $500 off!
early-bird-91418

For more details and to register, please see:
https://security-onion-class-20150512.eventbrite.com/

Monday, February 16, 2015

Security Onion 12.04.5.1 ISO image now available

We have a new Security Onion 12.04.5.1 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of February 5, 2015!

It should also resolve the following issues:

Issue 632: ISO: add bridge-utils
https://code.google.com/p/security-onion/issues/detail?id=632

Issue 601: ISO: add foremost
https://code.google.com/p/security-onion/issues/detail?id=601

Issue 614: ISO: add securityonion-samples-shellshock
https://code.google.com/p/security-onion/issues/detail?id=614

Issue 662: ISO: add securityonion-samples-mta
https://code.google.com/p/security-onion/issues/detail?id=662

Issue 675: ISO: add xfsprogs
https://code.google.com/p/security-onion/issues/detail?id=675

Issue 602: 12.04.5.1 ISO image
https://code.google.com/p/security-onion/issues/detail?id=602

In short, it's the best release ever!

This new ISO image has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
~eundv
Eddy Simons

Training
This new ISO image will be used in our upcoming classes:
Atlanta - https://security-onion-class-20150309.eventbrite.com/
Seattle - https://security-onion-class-20150316.eventbrite.com/
Houston - https://security-onion-class-20150512.eventbrite.com/
Online - https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.1 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

MD5: 02a49a06a55df8997669b4df9f1048a0
SHA1: 3cf32398d2859d0ca4009cdf13df0bb4f4ab98d9
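
The checksum step above is the one place where a tampered or corrupt download gets caught before it is booted. As an added example (not part of the Security Onion project or this post), the script below streams the ISO once, computes both published digests, and only passes when both match; the MD5/SHA1 constants are the values given above, and `self_check()` uses a constructed empty temp file with its well-known digests.

```python
"""Check a downloaded Security Onion ISO against the published MD5 and SHA1
before booting it; a single mismatch means the image must not be used."""
import hashlib
import hmac
import os
import tempfile

# Digests published above for the 12.04.5.1 ISO image.
PUBLISHED_MD5 = "02a49a06a55df8997669b4df9f1048a0"
PUBLISHED_SHA1 = "3cf32398d2859d0ca4009cdf13df0bb4f4ab98d9"


def file_digests(path, chunk_size=1 << 20):
    """Stream the file once, feeding MD5 and SHA1 together (ISOs are large)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_iso(path, expected_md5=PUBLISHED_MD5, expected_sha1=PUBLISHED_SHA1):
    """True only if BOTH digests match; compare_digest avoids timing leaks."""
    got_md5, got_sha1 = file_digests(path)
    return (hmac.compare_digest(got_md5, expected_md5.strip().lower())
            and hmac.compare_digest(got_sha1, expected_sha1.strip().lower()))


def self_check():
    """Constructed check: an empty file has well-known MD5/SHA1 values."""
    empty_md5 = "d41d8cd98f00b204e9800998ecf8427e"
    empty_sha1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        good = verify_iso(path, empty_md5, empty_sha1)
        bad = verify_iso(path, empty_md5, PUBLISHED_SHA1)  # wrong SHA1 -> False
        return good, bad
    finally:
        os.remove(path)
```

For the real image, call `verify_iso("securityonion-12.04.5.1.iso")` (path is an assumption) and refuse to proceed on False.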

Existing Deployments
If you have existing installations based on a previous 12.04 ISO image, there is no need to download the new 12.04.5.1 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Tuesday, February 10, 2015

ISO Testers wanted!

We have a new 12.04.5.1 ISO image ready for testing that will be used in the upcoming 4-day classes in Atlanta and Seattle.  If you have some time and can help us test in the next day or two, please join our security-onion-testing group and follow the instructions here:
https://groups.google.com/d/topic/security-onion-testing/82sgMwnrLxA/discussion

Thanks!

Monday, February 9, 2015

Save the Date: Security Onion Conference 2015

Last year's Security Onion Conference was an overwhelming success!

This year's Security Onion Conference will be held in Augusta GA on Friday September 11 (please mark your calendar!).  This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org

I'll publish more details about the Security Onion Conference as they are finalized.

UPDATE 2015-07-10: Registration is now open!
http://security-onion-conference-2015.eventbrite.com/

Friday, February 6, 2015

Next session of Security Onion 101

The first two sessions of Security Onion 101 sold out quickly, so we're going to run another session of the same class on Monday, March 2.

For more details and to register, please use the following link (then click "read more..." for full description):
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

New securityonion-et-rules package

I've updated our securityonion-et-rules package in preparation for our upcoming 12.04.5.1 ISO image.  This is a static set of free NIDS rules from Emerging Threats that is only used if you have LOCAL_NIDS_RULE_TUNING=yes in /etc/nsm/securityonion.conf (most users should have LOCAL_NIDS_RULE_TUNING=no which causes PulledPork to download updated rules from the Internet).

This package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 683: securityonion-et-rules: update for new ISO
https://code.google.com/p/security-onion/issues/detail?id=683

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Thursday, February 5, 2015

Bro 2.3.2 now available!

Bro 2.3.2 was recently released:
http://blog.bro.org/2015/01/bro-232-release.html

I've packaged Bro 2.3.2 and updated the securityonion-bro-scripts package.  The new packages are as follows:
securityonion-bro - 2.3.2-0ubuntu0securityonion1
securityonion-bro-scripts - 20121004-0ubuntu0securityonion39

These packages resolve the following issues:

Issue 680: Bro 2.3.2
https://code.google.com/p/security-onion/issues/detail?id=680

These packages have been tested by David Zawdie and Kevin Branch (thanks!).

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Release Notes
After updating to the new packages, you should restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Wednesday, February 4, 2015

New NSM and ossec_agent.tcl packages resolve several issues

Brian Kellogg submitted a patch for ossec_agent.tcl that allows you to enable or disable DNS lookups.  Thanks, Brian!  I've packaged this and also updated the NSM package to resolve several issues.

The new packages are as follows:

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion114
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion7

These new packages should resolve the following issues:

Issue 684: NSM: nsm_server_ps-start needs to create /var/log/sguild/ if it doesn't already exist
https://code.google.com/p/security-onion/issues/detail?id=684

Issue 686: NSM: nsm_server_ps-start needs to set permissions on /var/log/nsm/so-elsa/ properly
https://code.google.com/p/security-onion/issues/detail?id=686

Issue 687: NSM: nsm_sensor_ps-start should set permissions on /var/log/nsm/HOSTNAME-INTERFACE/ properly
https://code.google.com/p/security-onion/issues/detail?id=687

Issue 689: NSM: add USE_DNS option to ossec_agent.conf
https://code.google.com/p/security-onion/issues/detail?id=689

Issue 688: ossec_agent: add option to disable DNS lookups
https://code.google.com/p/security-onion/issues/detail?id=688

These new packages have been tested by David Zawdie (thanks!).

Release Notes
After updating to the new packages, the next time that the NSM scripts start ossec_agent.tcl, they will add a new USE_DNS option to /etc/nsm/ossec/ossec_agent.conf and default it to 0 (disabled).  This results in much better performance for ossec_agent.tcl.

If you need to revert to the previous behavior of DNS lookups enabled and don't mind the additional lookup delay, you can change USE_DNS to 1 (enabled) and then restart ossec_agent.tcl:
sudo nsm_sensor_ps-restart --only-ossec-agent

Also note that these packages move ossec_agent.tcl to /usr/bin/.

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Tuesday, February 3, 2015

New ELSA packages parse additional fields out of Bro dns.log

Pietro Delsante contributed some updated parsers for Bro and BIND DNS logs (thanks, Pietro!) and I've updated the securityonion-elsa-extras package with these new parsers.  I've also updated the securityonion-web-page package to include some new ELSA queries for these newly exposed BRO_DNS fields.  The new packages are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion56
securityonion-web-page - 20141015-0ubuntu0securityonion15

These new packages should resolve the following issues:

Issue 668: ELSA: pdbtool errors
https://code.google.com/p/security-onion/issues/detail?id=668

Issue 669: ELSA: update parsers for Bro DNS and BIND
https://code.google.com/p/security-onion/issues/detail?id=696

Issue 670: securityonion-web-page: add queries for updated bro_dns parser
https://code.google.com/p/security-onion/issues/detail?id=670

Issue 685: securityonion-web-page: update links
https://code.google.com/p/security-onion/issues/detail?id=685

These new packages have been tested by Pietro Delsante and David Zawdie (thanks!).

Screenshots (images not reproduced): Update process; DNS - Top Query Class; DNS - Top Query Type; DNS - Top Return Code

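The three DNS summaries named above are counts over the qclass_name, qtype_name and rcode_name columns of Bro's dns.log. As an added example (not code from the ELSA parsers or the Security Onion packages), here is a header-driven parser for Bro's tab-separated log format that produces the same three summaries; the embedded log is constructed and trimmed to a subset of the real dns.log columns.

```python
"""Parse a Bro 2.3 dns.log (tab-separated, '#fields' header) and summarise the
query class / query type / return code columns the new ELSA queries expose."""
from collections import Counter

# Constructed sample: a real dns.log carries more columns (qclass, qtype, rcode,
# AA, TC, RD, RA, answers, TTLs, ...); the header-driven parser handles either.
SAMPLE_DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqclass_name\tqtype_name\trcode_name
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tstring
1422957600.10\tCx1\t192.168.1.10\t192.168.1.1\twww.example.com\tC_INTERNET\tA\tNOERROR
1422957601.20\tCx2\t192.168.1.10\t192.168.1.1\twww.example.com\tC_INTERNET\tAAAA\tNOERROR
1422957602.30\tCx3\t192.168.1.11\t192.168.1.1\tbogus.invalid\tC_INTERNET\tA\tNXDOMAIN
1422957603.40\tCx4\t192.168.1.12\t192.168.1.1\t-\t-\t-\t-
1422957604.50\tCx5\t192.168.1.10\t192.168.1.1\tmail.example.com\tC_INTERNET\tMX\tNOERROR
#close\t2015-02-03-10-05-00
"""

def parse_bro_log(text):
    """Yield one dict per record, mapping Bro's unset marker ('-') to None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):  # header/footer directives
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

def top_values(records, field, n=5):
    """Most common values of one column, ignoring records where it is unset."""
    return Counter(r[field] for r in records if r.get(field) is not None).most_common(n)

def dns_summary(text, n=5):
    """The three summaries from the screenshots: query class, type, return code."""
    records = list(parse_bro_log(text))
    return {f: top_values(records, f, n) for f in ("qclass_name", "qtype_name", "rcode_name")}
```

Run `dns_summary(open("/nsm/bro/logs/current/dns.log").read())` (path is an assumption) to get the same counts ELSA charts; a rising NXDOMAIN share is the usual thing to watch.
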
Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Monday, February 2, 2015

$500 Early Bird discount for expanded 4-day Security Onion class in Seattle WA

The second run of our newly expanded 4-day Security Onion class will be in Seattle WA!

If you register before February 20, you can use the following discount code for $500 off!
early-bird-51414

For more details and to register, please see:
https://security-onion-class-20150316.eventbrite.com