Tuesday, March 31, 2015

Four package updates

I've updated four packages to resolve a few issues and these new packages have been tested by Josh Brower (thanks!).

The new package versions are as follows:
securityonion-setup - 20120912-0ubuntu0securityonion132
securityonion-sostat - 20120722-0ubuntu0securityonion33
securityonion-web-page - 20141015-0ubuntu0securityonion22
securityonion-elsa-extras - 20131117-1ubuntu0securityonion58

Issues Resolved

Issue 703: Move from Google Code to Github
https://github.com/Security-Onion-Solutions/security-onion/issues/703
Security Onion has moved to Github, so some of the hyperlinks in Setup and sostat had to be updated.

Issue 706: Add Josh Brower's ELSA parsers for process logs and sysmon
https://github.com/Security-Onion-Solutions/security-onion/issues/706
If you have Windows machines with OSSEC agents on them and process auditing enabled, ELSA now parses those "new process" logs; the same set of parsers also covers Sysmon events forwarded through OSSEC.

Issue 709: Add fear.nothing's ELSA parsers for pfSense
https://github.com/Security-Onion-Solutions/security-onion/issues/709
If you're running pfSense firewalls and send their logs to Security Onion via syslog, ELSA will now parse them.

Issue 710: securityonion-web-page: add ELSA queries for Firewall logs and Windows Processes
https://github.com/Security-Onion-Solutions/security-onion/issues/710
Since ELSA is now parsing firewall logs and Windows processes, we provide some additional ELSA queries to slice and dice those logs.  See screenshots below.

Screenshots
Host Logs - Windows Processes

Firewall - Top SRC IPs Allowed

Firewall - Top DST IPs Allowed

Firewall - Top SRC IPs Denied

Firewall - Top DST IPs Denied

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes and also a 4-day onsite class coming up in Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, March 30, 2015

Snort 2.9.7.2 now available!

Snort 2.9.7.2 was recently released:
http://blog.snort.org/2015/03/snort-2972-has-been-released.html

I've updated our Snort package:
securityonion-snort - 2.9.7.2-0ubuntu0securityonion2

This new package resolves the following issue:

Issue 702: Snort 2.9.7.2
https://github.com/Security-Onion-Solutions/security-onion/issues/702

The new package has been tested by David Zawdie (thanks!).

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

This update will back up each of your existing snort.conf files to snort.conf.bak.  You'll then need to do the following:

  • re-apply any local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, March 23, 2015

New NSM and Setup packages

I've updated our NSM and Setup packages to resolve a few issues and these new packages have been tested by Pete Nelson (thanks!).

The new package versions are as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion116
securityonion-setup - 20120912-0ubuntu0securityonion131

Issues Resolved

Issue 691: NSM: chown -R $BRO_USER:$BRO_GROUP /nsm/bro >/dev/null 2>&1
https://code.google.com/p/security-onion/issues/detail?id=691

Issue 698: NSM: nsm_server_del line 170 echo_msg 0 "Deleting server: $SERVER_NAME"
https://code.google.com/p/security-onion/issues/detail?id=698

Issue 699: NSM: Bro node.cfg host=localhost
https://code.google.com/p/security-onion/issues/detail?id=699

Issue 700: Setup: Bro node.cfg host=localhost
https://code.google.com/p/security-onion/issues/detail?id=700

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  We have 3-hour online classes next week and a 4-day onsite class coming up in Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!

New Online Training Sessions

The next round of online training sessions will be held next week!  In addition to Security Onion 101, we're also offering two new online classes:

  • 201 - Best Practices for Standalone Production Sensors
  • 202 - Case Studies

For more information and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

As a reminder, we also have seats available for our 4-day onsite class in Houston TX!
https://security-onion-class-20150512.eventbrite.com/

Wednesday, March 11, 2015

Add your own custom ELSA queries to our ELSA query menu

BBCan177 submitted a patch (thanks!) that allows you to add your own custom ELSA queries to our ELSA query menu:

I've added the patch to our securityonion-web-page package and the updated package has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-web-page - 20141015-0ubuntu0securityonion18

Issues Resolved

Issue 696: ELSA custom menu
https://code.google.com/p/security-onion/issues/detail?id=696

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  We have 4-day classes coming up in Seattle and Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!

Monday, March 2, 2015

Suricata 2.0.7

Suricata 2.0.7 was recently released:
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/204-suricata-207-available

I've packaged Suricata 2.0.7 and it has been tested by David Zawdie (thanks!).

The new package version is:
securityonion-suricata - 2.0.7-0ubuntu0securityonion1

Issues Resolved

Issue 695: Suricata 2.0.7
https://code.google.com/p/security-onion/issues/detail?id=695

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

This update will back up each of your existing suricata.yaml files to suricata.yaml.bak.  You'll then need to do the following:

  • re-apply any local customizations to your suricata.yaml files
  • update ruleset and restart Suricata as follows:
    sudo rule-update
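The two clean-up steps above (re-apply local customizations, then sudo rule-update) are the same ones the Snort 2.9.7.2 update earlier on this page asks for with snort.conf/snort.conf.bak, and the risky part of both is the first step: working out which of your edits the new default file actually dropped. The script below is an added example, not part of the original post or of the Security Onion project. It lists, per sensor, every non-comment line of the backed-up config that the freshly installed config no longer contains verbatim. It assumes Security Onion's /etc/nsm/<sensor>/ directory layout and builds its sample sensor tree from constructed configs in a temporary directory; on a real sensor you would run check_sensor_configs against /etc/nsm as root.

```shell
#!/bin/sh
# Added example (not Security Onion's own tooling): report the local edits that
# a package upgrade left behind in <conf>.bak but that are missing from the
# freshly installed <conf>, so you know exactly what to re-apply before
# running `sudo rule-update`.  Assumes the /etc/nsm/<sensor>/ layout; works for
# snort.conf and suricata.yaml alike, since both use '#' comments.

# lost_customizations BACKUP NEW
# Prints every non-comment, non-blank line of BACKUP that NEW does not contain
# verbatim.  Returns 0 when nothing needs re-applying, 1 when something does,
# 2 when a file cannot be read.
lost_customizations() {
    bak="$1"; new="$2"
    if [ ! -r "$bak" ] || [ ! -r "$new" ]; then
        echo "cannot read $bak or $new" >&2
        return 2
    fi
    lost=$(
        grep -v '^[[:space:]]*#' "$bak" | grep -v '^[[:space:]]*$' |
        while IFS= read -r line; do
            # -x: whole-line match, -F: literal (config lines contain regex metachars)
            grep -qxF -- "$line" "$new" || printf '%s\n' "$line"
        done
    )
    [ -n "$lost" ] || return 0
    printf '%s\n' "$lost"
    return 1
}

# check_sensor_configs BASEDIR CONF
# Compares BASEDIR/<sensor>/CONF.bak with BASEDIR/<sensor>/CONF for every
# sensor directory and prints a per-sensor report.  Returns 1 if any sensor
# still needs work, 0 otherwise.
check_sensor_configs() {
    base="$1"; conf="$2"; status=0
    for bak in "$base"/*/"$conf.bak"; do
        [ -e "$bak" ] || continue            # the glob matched nothing
        new="${bak%.bak}"
        sensor=$(basename "$(dirname "$bak")")
        if lost=$(lost_customizations "$bak" "$new"); then
            echo "$sensor: $conf already contains every setting from the backup"
        elif [ -n "$lost" ]; then
            echo "$sensor: re-apply these lines to $new, then run: sudo rule-update"
            printf '%s\n' "$lost" | sed 's/^/    /'
            status=1
        else
            echo "$sensor: could not compare $bak with $new"
            status=1
        fi
    done
    return $status
}

# demo_nsm_dir: build a throwaway /etc/nsm-style tree from constructed sample
# configs (made up for this example, not real sensor output) and print its path.
demo_nsm_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/sensor1-eth1" "$d/sensor2-eth1"
    # sensor1: the admin had narrowed HOME_NET and added a local rules include;
    # the new default snort.conf reset the first and dropped the second.
    cat > "$d/sensor1-eth1/snort.conf.bak" <<'EOF'
# Step #1: Set the network variables.
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET any
include $RULE_PATH/local.rules
EOF
    cat > "$d/sensor1-eth1/snort.conf" <<'EOF'
# Step #1: Set the network variables.
ipvar HOME_NET any
ipvar EXTERNAL_NET any
EOF
    # sensor2: backup and new file differ only in a comment, so nothing to do.
    cat > "$d/sensor2-eth1/snort.conf.bak" <<'EOF'
# local note: untouched sensor
ipvar HOME_NET any
ipvar EXTERNAL_NET any
EOF
    cat > "$d/sensor2-eth1/snort.conf" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
EOF
    echo "$d"
}

nsm=$(demo_nsm_dir)
check_sensor_configs "$nsm" snort.conf || true   # sensor1-eth1 needs two lines re-applied
rm -rf "$nsm"
# Real run, as root on a sensor:  check_sensor_configs /etc/nsm snort.conf
#                                 check_sensor_configs /etc/nsm suricata.yaml
```

The comparison is deliberately line-for-line: a setting that was merely re-indented or moved (common in suricata.yaml) is reported too, which is what you want when the upgrade may have changed the surrounding structure. Review each reported line against the new file by hand rather than pasting it back blindly, since a default that changed upstream (a new ipvar, a renamed option) is exactly what the upgrade was meant to bring in.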

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  We have 4-day classes coming up in Atlanta, Seattle, and Houston.  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!