Wednesday, July 29, 2015

New securityonion-web-page package resolves two issues

I've updated the securityonion-web-page package to resolve two issues.  The new package version is as follows:
securityonion-web-page - 20141015-0ubuntu0securityonion27

Issues Resolved

Issue 767: securityonion-web-page: add SSL Top Subjects query
https://github.com/Security-Onion-Solutions/security-onion/issues/767

Issue 775: securityonion-web-page: add groupby:site to ELSA HTTP SQL Injection query
https://github.com/Security-Onion-Solutions/security-onion/issues/775

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, July 28, 2015

New securityonion-setup package allows you to disable Snorby

I've updated the Setup package to resolve several issues, including allowing you to disable Snorby.  It should work as follows:

  • choosing Quick Setup still defaults to enabling Snorby automatically.  It will automatically set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf and enable the snorby output in /etc/nsm/HOSTNAME-INTERFACE/barnyard2-1.conf.
  • choosing Advanced Setup and then Server will ask if you want to enable or disable Snorby.  If you choose yes, it will set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf.  Otherwise, it will set SNORBY_ENABLED=no.
  • choosing Advanced Setup and then Standalone will ask if you want to enable or disable Snorby.  If you choose yes, it will set SNORBY_ENABLED=yes in /etc/nsm/securityonion.conf and enable the snorby output in all /etc/nsm/*/barnyard*.conf files.  If you instead choose no, it will set SNORBY_ENABLED=no and disable (comment out) the snorby output in all /etc/nsm/*/barnyard*.conf files.
  • choosing Sensor will check /etc/nsm/securityonion.conf on the master server to see if SNORBY_ENABLED=no and, if so, disable (comment out) the Snorby output in all /etc/nsm/*/barnyard*.conf files.
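
As an added example (not sosetup's own code), a POSIX shell sketch of the Sensor-mode check described in the last bullet: read SNORBY_ENABLED from the master's securityonion.conf and, when it is no, comment out the Snorby output line in each barnyard*.conf. The sample directory tree, its file contents and the "output database: ... snorby" match pattern are constructed assumptions; the real barnyard2 output lines may differ.

```shell
#!/bin/sh
# Added example (not sosetup's own code) of the Sensor-mode rule above: read
# SNORBY_ENABLED from the master's securityonion.conf and, when it is "no",
# comment out the Snorby output line in every NSMDIR/*/barnyard*.conf.
# Sample tree, contents and the "output database: ... snorby" pattern are
# constructed assumptions; real barnyard2 output lines may differ.
set -u
# print the value of SNORBY_ENABLED in the given conf file (default: yes)
read_snorby_enabled() {
    val=$(sed -n 's/^SNORBY_ENABLED=//p' "$1" | tail -n 1)
    printf '%s\n' "${val:-yes}"
}
# comment out active Snorby output lines in NSMDIR/*/barnyard*.conf and
# print the number of files changed (a second run changes nothing)
disable_snorby_output() {
    changed=0
    for f in "$1"/*/barnyard*.conf; do
        [ -f "$f" ] || continue
        if grep -q '^output database:.*snorby' "$f"; then
            # rewrite via temp file and rename instead of the non-portable sed -i
            sed 's/^\(output database:.*snorby.*\)$/#\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
            changed=$((changed + 1))
        fi
    done
    printf '%s\n' "$changed"
}
# apply the master's setting to this sensor; print files changed
enforce_snorby_setting() {
    if [ "$(read_snorby_enabled "$1/securityonion.conf")" = "no" ]; then
        disable_snorby_output "$1"
    else
        printf '0\n'
    fi
}
# build a constructed /etc/nsm look-alike (SNORBY_ENABLED=$1, two sensor
# interfaces) in a temp directory and print its path
make_sample_tree() {
    d=$(mktemp -d)
    printf 'SNORBY_ENABLED=%s\n' "$1" > "$d/securityonion.conf"
    for s in sensor1-eth1 sensor1-eth2; do
        mkdir -p "$d/$s"
        printf '%s\n' 'output database: alert, mysql, user=snorby dbname=snorby host=localhost' \
            'output alert_fast: alerts.fast' > "$d/$s/barnyard2-1.conf"
    done
    printf '%s\n' "$d"
}
NSM=$(make_sample_tree no)   # stand-alone run: Snorby disabled on the master
printf 'files changed: %s\n' "$(enforce_snorby_setting "$NSM")"
cat "$NSM/sensor1-eth1/barnyard2-1.conf"; rm -rf "$NSM"
```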

Snorby will be removed in a future release, so you should begin transitioning to Squert, Sguil, and/or ELSA.  If you'd like to disable Snorby in your existing deployment, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/DisablingProcesses#disabling-snorby

The new package version is as follows:
securityonion-setup - 20120912-0ubuntu0securityonion155

Issues Resolved

Issue 769: sosetup: allow user to enable/disable Snorby
https://github.com/Security-Onion-Solutions/security-onion/issues/769

Issue 596: sosetup: sensor should stop/disable Apache and Snorby worker
https://github.com/Security-Onion-Solutions/security-onion/issues/596

Issue 693: sosetup: improve input validation for email address
https://github.com/Security-Onion-Solutions/security-onion/issues/693

Issue 764: sosetup: fix typo in sosetup.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/764

Issue 605: sosetup: replace tmp with mktemp
https://github.com/Security-Onion-Solutions/security-onion/issues/605

Issue 771: sosetup: comment out 2 examples in top.sls
https://github.com/Security-Onion-Solutions/security-onion/issues/771


Friday, July 10, 2015

New securityonion-sguil-agent-ossec package resolves an issue

Brian Kellogg sent in a patch for the securityonion-sguil-agent-ossec package to parse syslog IP addresses.  Thanks, Brian!

The new package version is as follows:
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion16

Issues Resolved
Issue 760: ossec_agent: add source of syslog as destination IP for Sguil alert
https://github.com/Security-Onion-Solutions/security-onion/issues/760


Thursday, July 9, 2015

New securityonion-tcpudpflow package resolves an issue

I've updated the securityonion-tcpudpflow package to improve the formatting of the Bro transcript option when processing UDP (primarily DNS) traffic.  The new package version is as follows:
securityonion-tcpudpflow - 001-0ubuntu0securityonion3

Screenshots
The Bro transcript option now clearly shows 3 separate sections: "Bro UDP output from SRC", "Bro UDP output from DST", and "Bro DNS analyzer output".

Issues Resolved
Issue 761: securityonion-tcpudpflow: remove connection_state_remove event handler
https://github.com/Security-Onion-Solutions/security-onion/issues/761


Wednesday, July 8, 2015

New sostat package resolves an issue

I've updated the sostat package to resolve an issue.  The new package version is as follows:
securityonion-sostat - 20120722-0ubuntu0securityonion35

Issues Resolved
Issue 763: sostat: show last update
https://github.com/Security-Onion-Solutions/security-onion/issues/763


Monday, July 6, 2015

Security Onion 12.04.5.2 ISO image now available

We have a new Security Onion 12.04.5.2 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of June 17, 2015!

This resolves the following issue:

Issue 733: 12.04.5.2 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/733

This new ISO image has been tested by the following (thanks!):
Shane Castle
James Taylor
Robert Bardo
Jeff Tehovnik
Jay Holmes
LeeJR

Training
This new ISO image will be used in our upcoming class in the Washington DC area:
http://security-onion-class-20150810.eventbrite.com/

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.5.2 ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

MD5 e35846293dcecf76e5b8d39f6d48c9de
SHA1 a8c04e9bde175425835537cb3d9b336e2614a363
SHA256 53a775a746bf64ea5b3b689aded3f0b288bc86de5e7cd1057358307b93bc6b5f

Existing Deployments
If you have existing installations based on a previous ISO image, there is no need to download the new 12.04.5.2 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade


Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!