Monday, June 29, 2015

OSSEC 2.8.2 now available!

OSSEC 2.8.2 was recently released:
http://www.ossec.net/?p=1198

I've packaged OSSEC 2.8.2 and the new package version is as follows:

ossec-hids-server - 2.8.2-ubuntu10securityonion2

The new package has been tested by the following (thanks!):
James Taylor
Shane Castle

Issues Resolved

Issue 745: OSSEC 2.8.2
https://github.com/Security-Onion-Solutions/security-onion/issues/745

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

After installing the new OSSEC package, you'll need to double-check /var/ossec/etc/ossec.conf and add back any local customizations.  You can then restart OSSEC as follows:
sudo service ossec-hids-server restart

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Friday, June 19, 2015

New Setup package resolves an issue

I've updated our Setup package and the new package is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion142

This new package resolves the following issue:

Issue 744: sosetup: Restart Apache to activate new ELSA apikey
https://github.com/Security-Onion-Solutions/security-onion/issues/744

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 18, 2015

New NSM package resolves an issue

Pete sent a patch for the nsm-watchdog cron job that should help avoid a race condition.  I've applied the patch and the new package is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion120

This new package resolves the following issue:

Issue 751: NSM: change watchdog run time to avoid race condition
https://github.com/Security-Onion-Solutions/security-onion/issues/751

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

4-day Security Onion Training in the Washington DC area

The next run of our expanded 4-day Security Onion class will be in the Washington DC area in August!

For more details and to register, please see:
http://security-onion-class-20150810.eventbrite.com/

Wednesday, June 17, 2015

New ELSA packages resolve three issues

ELSA 1205 packages were recently released:
http://blog.securityonion.net/2015/06/elsa-1205-now-available.html

A few issues were found so I've built these new packages:

securityonion-elsa - 1205-1ubuntu0securityonion5
securityonion-elsa-extras - 20131117-1ubuntu0securityonion91

These new packages resolve the following issues:

Issue 746: ELSA 1205 package enabled perl module on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/746

Issue 747: ELSA 1205 package duplicated syslog-ng.conf entries on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/747

Issue 748: ELSA 1205 package didn't add the pid column to the query_log table for upgrades
https://github.com/Security-Onion-Solutions/security-onion/issues/748

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

New tcltls package resolves OpenSSL issue

Recent OpenSSL changes prevented the default Debian/Ubuntu tcltls package from working properly, so I've built a new one:
tcltls - 1.5.0.dfsg-10build1securityonion2

This new package resolves the following issue:

Issue 749: Update tcl-tls package and replace DH512 key with DH2048
https://github.com/Security-Onion-Solutions/security-onion/issues/749

This new package has been tested by the following (thanks!):
Shane Castle
James Taylor
Larry Layten
hakawarrior

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

If you continue to have issues with the Sguil client/agents connecting to sguild, you may need to restart services:
sudo service nsm restart

and/or reboot:
sudo reboot

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, June 11, 2015

Please do not update until further notice! Ubuntu SSL packages seem to cause issues.

UPDATE 2015/06/17 08:52
All clear! You may safely resume your normal "soup" updates! New tcl-tls package resolves the OpenSSL issue:
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

UPDATE 2015/06/12 7:18
Please see the following mailing list thread for updated information:
https://groups.google.com/d/topic/security-onion/E7HdGGUuq6c/discussion

New securityonion-nsmnow-admin-scripts package resolves an issue

If you're running salt, you may have noticed that if you run a command like this:
sudo salt '*' cmd.run 'service nsm status'
you get some garbled output as the bash color codes aren't interpreted by salt.  I've updated the NSM scripts to only output these color codes if they are running on a tty.  The result looks much better:
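
The tty check described above, as an added example written for this post (it is not the code of the securityonion-nsmnow-admin-scripts package): the same status line is printed with ANSI colour codes when standard output is a terminal, and as plain text when it is captured by salt, cron or a pipe. The service names and the `print_status`/`has_escape` helpers are constructed for the example.

```shell
#!/bin/sh
# Added example (not the NSM scripts' own code): colour only when stdout is a tty.

# use_color: true only when file descriptor 1 is a terminal. Deciding at print
# time rather than once at script start also covers output captured with $(...)
# from within an interactive session.
use_color() {
  [ -t 1 ]
}

# print_status NAME STATE: one NSM-style status line. STATE "OK" is green,
# anything else red, but only when use_color succeeds.
print_status() {
  name="$1"; state="$2"
  if use_color; then
    if [ "$state" = "OK" ]; then
      colour=$(printf '\033[32m')
    else
      colour=$(printf '\033[31m')
    fi
    reset=$(printf '\033[0m')
  else
    colour=""; reset=""
  fi
  printf '  * %s %s[ %s ]%s\n' "$name" "$colour" "$state" "$reset"
}

# has_escape STRING: succeeds if STRING contains an ESC byte, i.e. a colour
# code leaked into captured output (what salt was showing as garbage).
has_escape() {
  case "$1" in
    *"$(printf '\033')"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: three services, in the spirit of 'service nsm status'.
print_status sguild OK
print_status snort-eth0 OK
print_status barnyard2-eth0 FAIL
```

Run it directly in a terminal and the states are coloured; run it through `salt '*' cmd.run`, `| cat` or `$(...)` and the output contains no escape bytes at all.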
The new package version is:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion119

Issues Resolved

Issue 732: NSM: only output color codes if running on a tty
https://github.com/Security-Onion-Solutions/security-onion/issues/732

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, June 10, 2015

ELSA 1205 now available!

I've updated our packages to reflect the latest version of ELSA:

securityonion-capme - 20121213-0ubuntu0securityonion21
securityonion-elsa - 1205-1ubuntu0securityonion4
securityonion-elsa-extras - 20131117-1ubuntu0securityonion88
securityonion-libdata-google-visualization-datatable-perl - 0.11-0ubuntu0securityonion1
securityonion-libdata-serializable-perl - 0.41.0-0ubuntu0securityonion1
securityonion-libmodule-pluggable-perl - 5.1-0ubuntu0securityonion1
securityonion-libmoosex-classattribute-perl - 0.27-0ubuntu0securityonion1
securityonion-libnet-ldap-express-perl - 0.12-0ubuntu0securityonion1
securityonion-libnet-openssh-perl - 0.64-0ubuntu0securityonion1
securityonion-libplack-builder-conditionals-perl - 0.05-0ubuntu0securityonion4
securityonion-libplack-middleware-crossorigin-perl - 0.012-0ubunt0securityonion3
securityonion-libsearch-queryparser-sql-perl - 0.010-0ubuntu0securityonion2
securityonion-libsocket-perl - 2.019-0ubuntu0securityonion2
securityonion-libsys-hostname-fqdn-perl - 0.12-0ubuntu0securityonion2
securityonion-libtime-hires-perl - 1.9726-0ubuntu0securityonion2
securityonion-liburi-encode-perl - 1.0.1-0ubuntu0securityonion1
securityonion-liburl-encode-perl - 0.03-0ubuntu0securityonion1
securityonion-setup - 20120912-0ubuntu0securityonion141
securityonion-web-page - 20141015-0ubuntu0securityonion25

These new packages resolve the following issues:

Issue 657: ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/657
This version of ELSA fixes many bugs in our previous version of ELSA.

Issue 447: ELSA syslog-ng.conf rewrite r_pipes
https://github.com/Security-Onion-Solutions/security-onion/issues/447
Syslog-ng will now rewrite any vertical pipes found in Bro logs to ensure correct parsing.

Issue 512: ELSA syslog-ng.conf filter f_bro_headers
https://github.com/Security-Onion-Solutions/security-onion/issues/512
Syslog-ng will now filter out headers in Bro logs.

Issue 726: ELSA syslog-ng.conf - add filesystem destinations
https://github.com/Security-Onion-Solutions/security-onion/issues/726
Syslog-ng will now output some logs to their standard filesystem locations.  This allows OSSEC to monitor those logs and detect, for example, SSH brute forcing.

Issue 674: ELSA - update bro_notice parser to parse src and dst fields
https://github.com/Security-Onion-Solutions/security-onion/issues/674
Syslog-ng will now parse src and dst fields out of Bro Notices.

Issue 722: securityonion-web-page: update HTTP mime type queries for ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/722
This fixes some of the existing ELSA queries to work with ELSA 1205 and also adds some new queries.

Issue 723: CapMe: Update for new ELSA API
https://github.com/Security-Onion-Solutions/security-onion/issues/723
CapME now queries the ELSA JSON API and also handles error conditions much more gracefully.

Issue 500: sosetup: restart starman
https://github.com/Security-Onion-Solutions/security-onion/issues/500
When running Setup and choosing sensor-only, starman should now restart properly.

Issue 504: sosetup: avoid writing ELSA_PORT twice in SSH_CONF
https://github.com/Security-Onion-Solutions/security-onion/issues/504
When running Setup and choosing sensor-only, Setup should only write ELSA_PORT in SSH_CONF once.

Issue 547: sosetup: if enabling salt on a sensor, check top.sls to make sure it doesn't already exist
https://github.com/Security-Onion-Solutions/security-onion/issues/547
When re-running Setup on a sensor, it should no longer duplicate the sensor's entry in top.sls on the master server.

Issue 740: sosetup: sensor should use sudo to restart apache on master
https://github.com/Security-Onion-Solutions/security-onion/issues/740
When running Setup and choosing sensor-only and selecting to update the ELSA server, it should now properly restart Apache on the master server using sudo.

Issue 741: sosetup: sometimes local salt-minion doesn't check in with local salt-master quickly enough
https://github.com/Security-Onion-Solutions/security-onion/issues/741
When running Setup and choosing Advanced Setup and then Master-only or Standalone and enabling Salt, Setup should now check to see if the salt-minion has checked in every second, waiting up to 60 seconds before timing out.

These new packages have been tested by the following (thanks!):
Simone Bonetti
Brian Kellogg
David Zawdie
Heine Lysemose

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Screenshots
Update process

"About ELSA" now shows ELSA Rev 1205

New ELSA Query "HTTP: Sites Hosting JARs"

New ELSA Query "HTTP: Sites Hosting ZIPs"

Syslog-ng should now replace vertical pipes in Bro logs to allow more consistent parsing

Bro Scanning Notices should now be parsed correctly

CapME now uses the ELSA JSON API and provides better error handling

Syslog-ng now outputs certain logs to their standard filesystem locations, allowing OSSEC to monitor for SSH brute force

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, June 9, 2015

Next Round of Online Training Sessions - 6/29 through 7/2

The next round of online training sessions will be held Monday 6/29 through Thursday 7/2!

For more information and to register, please see:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144

Snort 2.9.7.3 now available!

Snort 2.9.7.3 was recently released:
http://blog.snort.org/2015/05/snort-2973-is-now-available.html

I've updated our Snort packages:
securityonion-snort - 2.9.7.3-0ubuntu0securityonion3
securityonion-daq - 2.0.5-0ubuntu0securityonion1

These new packages resolve the following issues:

Issue 730: Snort 2.9.7.3
https://github.com/Security-Onion-Solutions/security-onion/issues/730

Issue 731: Snort DAQ 2.0.5
https://github.com/Security-Onion-Solutions/security-onion/issues/731

These new packages have been tested by Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update

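The backup-and-migrate step described above, as an added example written for this post (it is not the securityonion-snort package's own maintainer script): the HOME_NET and EXTERNAL_NET definitions are carried from a backed-up snort.conf over to a freshly installed one, and every other line of the new file is left untouched. It assumes both variables use the Snort 2.9 `ipvar NAME VALUE` syntax; the `get_netvar`/`migrate_netvars` helper names and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not the securityonion-snort package's own code): migrate
# HOME_NET and EXTERNAL_NET from snort.conf.bak into a new snort.conf.

# get_netvar FILE VAR: print the value of the first "ipvar VAR ..." line in FILE.
get_netvar() {
  grep "^ipvar $2 " "$1" | head -n1 | cut -d' ' -f3-
}

# migrate_netvars OLD NEW: rewrite NEW in place so that its HOME_NET and
# EXTERNAL_NET lines equal those in OLD; all other lines are copied as-is.
# Prints how many lines were replaced (0, 1 or 2).
migrate_netvars() {
  old="$1"; new="$2"; count=0; tmp="$new.tmp"
  : > "$tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "ipvar HOME_NET "*|"ipvar EXTERNAL_NET "*)
        var=${line#ipvar }; var=${var%% *}
        repl=$(grep "^ipvar $var " "$old" | head -n1)
        if [ -n "$repl" ]; then
          line="$repl"; count=$((count + 1))
        fi ;;
    esac
    printf '%s\n' "$line" >> "$tmp"
  done < "$new"
  mv "$tmp" "$new"
  echo "$count"
}

# Constructed sample files in a scratch directory (not a real sensor's config).
demo() {
  d=$(mktemp -d)
  printf 'ipvar HOME_NET [10.1.0.0/16,192.168.1.0/24]\nipvar EXTERNAL_NET !$HOME_NET\nconfig old_option\n' > "$d/snort.conf.bak"
  printf 'ipvar HOME_NET any\nipvar EXTERNAL_NET any\nconfig new_option\n' > "$d/snort.conf"
  n=$(migrate_netvars "$d/snort.conf.bak" "$d/snort.conf")
  echo "migrated $n variable(s); HOME_NET is now $(get_netvar "$d/snort.conf" HOME_NET)"
  rm -rf "$d"
}

demo
```

Because only the two `ipvar` lines are replaced, any other local change in the old file (a tuned preprocessor, an extra rule path) is exactly what still has to be re-applied by hand after the update, which is why the first bullet above is there.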
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, June 8, 2015

New securityonion-suricata package resolves an issue

We recently released a securityonion-suricata package for Suricata 2.0.8:
http://blog.securityonion.net/2015/05/suricata-208.html

An issue was found in the packaging:
https://groups.google.com/d/topic/security-onion/1MmmmO2XOyc/discussion

I've updated the securityonion-suricata package to resolve this issue.

The new package version is:
securityonion-suricata - 2.0.8-0ubuntu0securityonion2

Issues Resolved

Issue 742: securityonion-suricata package missing debian/install
https://github.com/Security-Onion-Solutions/security-onion/issues/742

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!