The third run of our newly expanded 4-day Security Onion class will be in Houston TX!
If you register before March 6, you can use the following discount code for $500 off!
early-bird-91418
For more details and to register, please see:
https://security-onion-class-20150512.eventbrite.com/
Monday, February 23, 2015
Monday, February 16, 2015
Security Onion 12.04.5.1 ISO image now available
We have a new Security Onion 12.04.5.1 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of February 5, 2015!
It should also resolve the following issues:
Issue 632: ISO: add bridge-utils
https://code.google.com/p/security-onion/issues/detail?id=632
Issue 601: ISO: add foremost
https://code.google.com/p/security-onion/issues/detail?id=601
Issue 614: ISO: add securityonion-samples-shellshock
https://code.google.com/p/security-onion/issues/detail?id=614
Issue 662: ISO: add securityonion-samples-mta
https://code.google.com/p/security-onion/issues/detail?id=662
Issue 675: ISO: add xfsprogs
https://code.google.com/p/security-onion/issues/detail?id=675
Issue 602: 12.04.5.1 ISO image
https://code.google.com/p/security-onion/issues/detail?id=602
In short, it's the best release ever!
This new ISO image has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
~eundv
Eddy Simons
Training
This new ISO image will be used in our upcoming classes:
Atlanta - https://security-onion-class-20150309.eventbrite.com/
Seattle - https://security-onion-class-20150316.eventbrite.com/
Houston - https://security-onion-class-20150512.eventbrite.com/
Online - https://attendee.gototraining.com/9z73w/catalog/8119062504158470144
New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.1 ISO image:
https://code.google.com/p/security-onion/wiki/Installation
As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.
MD5: 02a49a06a55df8997669b4df9f1048a0
SHA1: 3cf32398d2859d0ca4009cdf13df0bb4f4ab98d9
Existing Deployments
If you have existing installations based on a previous 12.04 ISO image, there is no need to download the new 12.04.5.1 ISO image. You can simply continue using our standard update process to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053
Thanks!
Tuesday, February 10, 2015
ISO Testers wanted!
We have a new 12.04.5.1 ISO image ready for testing that will be used in the upcoming 4-day classes in Atlanta and Seattle. If you have some time and can help us test in the next day or two, please join our security-onion-testing group and follow the instructions here:
https://groups.google.com/d/topic/security-onion-testing/82sgMwnrLxA/discussion
Thanks!
Monday, February 9, 2015
Save the Date: Security Onion Conference 2015
Last year's Security Onion Conference was an overwhelming success!
This year's Security Onion Conference will be held in Augusta GA on Friday September 11 (please mark your calendar!). This is the day before BSides Augusta, so you may want to plan on attending both:
http://bsidesaugusta.org
I'll publish more details about the Security Onion Conference as they are finalized.
Friday, February 6, 2015
Next session of Security Onion 101
The first two sessions of Security Onion 101 sold out quickly, so we're going to run another session of the same class on Monday, March 2.
For more details and to register, please use the following link (then click "read more..." for full description):
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144
New securityonion-et-rules package
I've updated our securityonion-et-rules package in preparation for our upcoming 12.04.5.1 ISO image. This is a static set of free NIDS rules from Emerging Threats that is only used if you have LOCAL_NIDS_RULE_TUNING=yes in /etc/nsm/securityonion.conf (most users should have LOCAL_NIDS_RULE_TUNING=no which causes PulledPork to download updated rules from the Internet).
This package has been tested by the following (thanks!):
David Zawdie
Issues Resolved
Issue 683: securityonion-et-rules: update for new ISO
https://code.google.com/p/security-onion/issues/detail?id=683
Updating
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053
Thanks!
Thursday, February 5, 2015
Bro 2.3.2 now available!
Bro 2.3.2 was recently released:
http://blog.bro.org/2015/01/bro-232-release.html
I've packaged Bro 2.3.2 and updated the securityonion-bro-scripts package. The new packages are as follows:
securityonion-bro - 2.3.2-0ubuntu0securityonion1
securityonion-bro-scripts - 20121004-0ubuntu0securityonion39
These packages resolve the following issues:
Issue 680: Bro 2.3.2
https://code.google.com/p/security-onion/issues/detail?id=680
These packages have been tested by David Zawdie and Kevin Branch (thanks!).
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Release Notes
After updating to the new packages, you should restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053
Thanks!
Wednesday, February 4, 2015
New NSM and ossec_agent.tcl packages resolve several issues
Brian Kellogg submitted a patch for ossec_agent.tcl that allows you to enable or disable DNS lookups. Thanks, Brian! I've packaged this and also updated the NSM package to resolve several issues.
The new packages are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion114
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion7
These new packages should resolve the following issues:
Issue 684: NSM: nsm_server_ps-start needs to create /var/log/sguild/ if it doesn't already exist
https://code.google.com/p/security-onion/issues/detail?id=684
Issue 686: NSM: nsm_server_ps-start needs to set permissions on /var/log/nsm/so-elsa/ properly
https://code.google.com/p/security-onion/issues/detail?id=686
Issue 687: NSM: nsm_sensor_ps-start should set permissions on /var/log/nsm/HOSTNAME-INTERFACE/ properly
https://code.google.com/p/security-onion/issues/detail?id=687
Issue 689: NSM: add USE_DNS option to ossec_agent.conf
https://code.google.com/p/security-onion/issues/detail?id=689
Issue 688: ossec_agent: add option to disable DNS lookups
https://code.google.com/p/security-onion/issues/detail?id=688
These new packages have been tested by David Zawdie (thanks!).
Release Notes
After updating to the new packages, the next time that the NSM scripts start ossec_agent.tcl, they will add a new USE_DNS option to /etc/nsm/ossec/ossec_agent.conf and default it to 0 (disabled). This results in much better performance for ossec_agent.tcl.
If you need to revert to the previous behavior of DNS lookups enabled and don't mind the additional lookup delay, you can change USE_DNS to 1 (enabled) and then restart ossec_agent.tcl:
sudo nsm_sensor_ps-restart --only-ossec-agent
Also note that these packages move ossec_agent.tcl to /usr/bin/.
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053
Thanks!
Tuesday, February 3, 2015
New ELSA packages parse additional fields out of Bro dns.log
Pietro Delsante contributed some updated parsers for Bro and BIND DNS logs (thanks, Pietro!) and I've updated the securityonion-elsa-extras package with these new parsers. I've also updated the securityonion-web-page package to include some new ELSA queries for these newly exposed BRO_DNS fields. The new packages are as follows:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion56
securityonion-web-page - 20141015-0ubuntu0securityonion15
These new packages should resolve the following issues:
Issue 668: ELSA: pdbtool errors
https://code.google.com/p/security-onion/issues/detail?id=668
Issue 669: ELSA: update parsers for Bro DNS and BIND
https://code.google.com/p/security-onion/issues/detail?id=696
Issue 670: securityonion-web-page: add queries for updated bro_dns parser
https://code.google.com/p/security-onion/issues/detail?id=670
Issue 685: securityonion-web-page: update links
https://code.google.com/p/security-onion/issues/detail?id=685
These new packages have been tested by Pietro Delsante and David Zawdie (thanks!).
Screenshots
[Screenshots: Update process | DNS - Top Query Class | DNS - Top Query Type | DNS - Top Return Code]
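As an added example, not code from the original post or from the Security Onion packages, here is a small Python parser for Bro's dns.log TSV format that builds the three summaries named in the screenshots above (top query class, query type and return code). The log lines are constructed and the field names follow the Bro 2.3 dns.log header.

```python
"""Parse a Bro 2.3 dns.log (TSV with '#' header lines) and build the three
summaries the new ELSA BRO_DNS queries expose. Sample data is constructed."""
import collections

# Header as Bro writes it; the #fields list mirrors the Bro 2.3 dns.log schema.
HEADER = [
    "#separator \\x09",  # the separator itself is written as an escape after a space
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id"
    "\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name"
    "\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected",
]

def _record(i, query, qtype, qtype_name, rcode, rcode_name):
    """One constructed dns.log line; '-' is Bro's unset marker."""
    return "\t".join(["%d.000000" % (1422957600 + i), "Cuid%d" % i, "192.0.2.10", "53211",
                      "192.0.2.1", "53", "udp", str(i), query, "1", "C_INTERNET", qtype,
                      qtype_name, rcode, rcode_name, "F", "F", "T", "T", "0", "-", "-", "F"])

SAMPLE_DNS_LOG = "\n".join(HEADER + [
    _record(1, "www.example.com", "1", "A", "0", "NOERROR"),
    _record(2, "mail.example.com", "15", "MX", "0", "NOERROR"),
    _record(3, "gone.example.net", "1", "A", "3", "NXDOMAIN"),
    _record(4, "example.org", "16", "TXT", "0", "NOERROR"),
    _record(5, "bad.example.net", "1", "A", "3", "NXDOMAIN"),
    _record(6, "slow.example.com", "1", "A", "-", "-"),  # no response seen: rcode unset
    "#close\t2015-02-03-11-00-00",
])

def parse_bro_log(text):
    """Yield one dict per record keyed by the #fields names; unset fields become None."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # '#separator' is delimited by a space; later header lines use that separator.
            key, _, value = line[1:].partition(" " if line.startswith("#separator") else sep)
            if key == "separator":
                sep = value.encode().decode("unicode_escape")
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d" % (len(fields), len(values)))
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

def top_values(records, field, n=3):
    """Most common values of one field (unset excluded), like an ELSA groupby."""
    counts = collections.Counter(r[field] for r in records if r[field] is not None)
    return counts.most_common(n)

def dns_summaries(text, n=3):
    """The three summaries in the screenshots; an NXDOMAIN surge or an odd qtype mix
    (e.g. many TXT or ANY queries) is the kind of thing they are meant to surface."""
    records = list(parse_bro_log(text))
    return {"DNS - Top Query Class": top_values(records, "qclass_name", n),
            "DNS - Top Query Type": top_values(records, "qtype_name", n),
            "DNS - Top Return Code": top_values(records, "rcode_name", n)}
```

Run `dns_summaries(SAMPLE_DNS_LOG)` to see the three tables; point `parse_bro_log` at the contents of a real `/nsm/bro/logs/current/dns.log` for live data.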
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Commercial Support
Need training and/or commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053
Thanks!
Monday, February 2, 2015
$500 Early Bird discount for expanded 4-day Security Onion class in Seattle WA
The second run of our newly expanded 4-day Security Onion class will be in Seattle WA!
If you register before February 20, you can use the following discount code for $500 off!
early-bird-51414
For more details and to register, please see:
https://security-onion-class-20150316.eventbrite.com