Thursday, September 17, 2015

BDR2: Electric Boogaloo (towards Ubuntu 14.04)

If you've been in the Security Onion community for a few years, you may remember that back in 2012 we embarked on a project called BDR (Big Distro Rebuild) to put all of our software into true Ubuntu packages designed for Ubuntu 12.04:
https://groups.google.com/d/topic/security-onion-testing/kOib06_QMPU/discussion

It's now time to rebuild all of those packages for Ubuntu 14.04, so I'm calling this BDR2.  As mentioned at the Security Onion Conference, I'm hoping to get all this work done by Christmas, but no promises!

I've done some initial work to get the securityonion-client metapackage to install cleanly on Ubuntu 14.04.
(Screenshot: Sguil client running on Ubuntu 14.04)
I'll soon start working on the securityonion-sensor and securityonion-server metapackages.

Help Wanted

We're going to need lots of help testing all of these packages over the next few months, so if you'd like to contribute back to the community, please join the security-onion-testing mailing list and then see the following thread:
https://groups.google.com/d/topic/security-onion-testing/voIjY2OYjtc/discussion

Thanks!

Wednesday, September 16, 2015

Slides from Security Onion Conference

This year's Security Onion Conference was an overwhelming success!  Thanks to all of the great speakers that made it such a great event!

In case you missed it, here are some of the slide decks that have been shared:

Todd Heberlein
Looking Back Over a Quarter Century of Network Monitoring
http://www.toddheberlein.com/blog/2015/9/11/security-onion-conference-presentation

Seth Hall
Detect it Once
Slides
https://drive.google.com/file/d/0BzQ65xrcMwNEYU4yQnV0QmYzX2s/view?usp=sharing
http-slow-read.bro
https://drive.google.com/file/d/0BzQ65xrcMwNEUFdwUm9laHdDN3M/view?usp=sharing

Martin Holste
Security Event Data in the OODA Loop Model
https://prezi.com/qzar9ip-zlvt/security-event-data-in-the-ooda-loop-model/

Chris Sistrunk
Industrially Hardened Security Onion Sensor
http://www.slideshare.net/chrissistrunk/def-con-23-nsm-101-for-ics

Josh Brower
Using Sysmon to Enrich Security Onion's Host-Level Capabilities
http://defensivedepth.com/2015/09/11/socaugusta-deck-sysmon-security-onion-integration/

Chris Montgomery
Threat Intel Powered IDS
https://drive.google.com/file/d/0B4apMwOBMmVUOXE0c0dDdWc1U0k/view?usp=sharing

Saturday, September 12, 2015

Security Onion 12.04.5.3 ISO image now available

We have a new Security Onion 12.04.5.3 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of August 25, 2015!

This resolves the following issue:

Issue 795: 12.04.5.3 ISO image
https://github.com/Security-Onion-Solutions/security-onion/issues/795

This new ISO image has been tested by the following (thanks!):
James Taylor

Installation Guide
I've updated the Installation guide to reflect the download locations for the new 12.04.5.3 ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Checksums
As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

md5sum 38ee2cf19f884f0916b076163aab58a5

sha1sum 19544c73cef9a3799d9bc4b7fcd1b80b9e84056c

sha256sum 52b795b44fc0ae1a7dcabb3cef1d266877b54f9545aa213312904a75c2dd1352
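The Installation guide's checksum step, done from a script rather than by eyeballing the hash: this is an added example and not code from the post or from the Security Onion project. The digests are the three published above for the 12.04.5.3 image; the ISO path is a placeholder, and on an Ubuntu box the equivalent is sha256sum on the file followed by a careful comparison with the value above. sha256 is the default check because md5 and sha1 no longer offer collision resistance, though they still catch a truncated download.

```python
"""Verify a downloaded ISO image against the checksums published in the post.

Added example, not part of the original post or the Security Onion project.
"""
import hashlib
import hmac
import sys

# Digests exactly as published in the blog post for the 12.04.5.3 ISO image.
PUBLISHED_CHECKSUMS = {
    "md5": "38ee2cf19f884f0916b076163aab58a5",
    "sha1": "19544c73cef9a3799d9bc4b7fcd1b80b9e84056c",
    "sha256": "52b795b44fc0ae1a7dcabb3cef1d266877b54f9545aa213312904a75c2dd1352",
}


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file of any size in 1 MiB chunks and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(path, expected=PUBLISHED_CHECKSUMS, algorithms=("sha256",)):
    """Return {algorithm: True/False} for each requested algorithm.

    The comparison is case-insensitive because published hashes are
    sometimes upper-cased; compare_digest is used out of habit so the
    comparison does not short-circuit on the first differing byte.
    """
    results = {}
    for alg in algorithms:
        actual = digest_file(path, alg)
        results[alg] = hmac.compare_digest(actual.lower(), expected[alg].lower())
    return results


def all_match(path, expected=PUBLISHED_CHECKSUMS):
    """True only if every published digest matches the file on disk."""
    return all(verify_iso(path, expected, tuple(expected)).values())


if __name__ == "__main__":
    # Placeholder path: pass the real ISO as the first argument.
    iso = sys.argv[1] if len(sys.argv) > 1 else "/path/to/downloaded.iso"
    for alg, ok in verify_iso(iso, algorithms=tuple(PUBLISHED_CHECKSUMS)).items():
        print(f"{alg:7} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all_match(iso) else 1)
```

A non-zero exit on mismatch makes the check usable in a download script: do not boot or burn the image if any published digest fails to match.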

Existing Deployments
If you have existing installations based on a previous ISO image, there is no need to download the new 12.04.5.3 ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Thanks!

Friday, September 11, 2015

New securityonion-elsa-extras and securityonion-web-page packages add support for new Bro 2.4 logs

The recent Bro 2.4 package includes some new Bro logs such as mysql.log, kerberos.log, rdp.log, pe.log, and sip.log.  These new logs are now parsed properly with the new securityonion-elsa-extras package and the new securityonion-web-page package adds new queries that take advantage of this new parsing.
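To show what "parsed properly" involves for one of these logs, here is an added example (not the project's code; the securityonion-elsa-extras package does this with ELSA and syslog-ng parsers, not Python) that reads the Bro ASCII log format, honouring the #separator, #fields, #types, #unset_field and #empty_field headers, and then produces the same kind of roll-up as the "Kerberos - Top Services" query. The embedded kerberos.log is constructed and uses only a subset of the Bro 2.4 kerberos.log columns; the hosts, principals and UIDs in it are made up.

```python
"""Parse Bro ASCII logs and roll up kerberos.log by service.

Added example, not part of the original post or the Security Onion packages.
"""
from collections import Counter

# Constructed sample kerberos.log (subset of the Bro 2.4 columns, made-up values).
SAMPLE_KERBEROS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tkerberos
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trequest_type\tclient\tservice\tsuccess\terror_msg
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tbool\tstring
1441972800.123456\tCAbc1\t10.0.0.5\t49152\t10.0.0.1\t88\tAS\talice/EXAMPLE.LOCAL\tkrbtgt/EXAMPLE.LOCAL\tT\t-
1441972801.234567\tCAbc2\t10.0.0.5\t49153\t10.0.0.1\t88\tTGS\talice/EXAMPLE.LOCAL\tcifs/fileserver.example.local\tT\t-
1441972802.345678\tCAbc3\t10.0.0.9\t49200\t10.0.0.1\t88\tAS\tbob/EXAMPLE.LOCAL\tkrbtgt/EXAMPLE.LOCAL\tF\tKDC_ERR_PREAUTH_FAILED
1441972803.456789\tCAbc4\t10.0.0.9\t49201\t10.0.0.1\t88\tAS\tbob/EXAMPLE.LOCAL\tkrbtgt/EXAMPLE.LOCAL\tF\tKDC_ERR_PREAUTH_FAILED
1441972804.567890\tCAbc5\t10.0.0.9\t49202\t10.0.0.1\t88\tTGS\tbob/EXAMPLE.LOCAL\tcifs/fileserver.example.local\tT\t-
#close\t2015-09-11-10-05-00
"""


def _convert(raw, typ, unset, empty):
    """Map one column to a Python value using the #types header."""
    if raw == unset:
        return None
    if raw == empty:
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("double", "time", "interval"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # string, addr, enum, etc. stay as text


def parse_bro_log(text):
    """Yield one dict per record; header lines drive the parsing."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written escaped, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #path, #open, #close carry no records
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"record has {len(values)} columns, expected {len(fields)}")
        yield {name: _convert(raw, typ, unset, empty)
               for name, typ, raw in zip(fields, types, values)}


def top_services(records, n=10):
    """Most requested Kerberos services, like the 'Kerberos - Top Services' query."""
    return Counter(r["service"] for r in records if r.get("service")).most_common(n)


def failed_requests_by_client(records):
    """Clients with failed requests and an error string: a first triage view."""
    return Counter(r["client"] for r in records
                   if r["success"] is False and r["error_msg"])


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_KERBEROS_LOG))
    print("top services:", top_services(recs))
    print("failed requests by client:", failed_requests_by_client(recs))
```

The same parser works unchanged on mysql.log, rdp.log, pe.log and sip.log, since the column names and types come from each file's own #fields and #types headers rather than being hard-coded.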

Here are the updated packages:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion112
securityonion-web-page - 20141015-0ubuntu0securityonion28
These packages have been tested by the following (thanks!):
James Taylor
Josh Brower
Simone Bonetti

These new packages resolve the following issues:

Issue 755: securityonion-elsa-extras: add parser for Bro 2.4 mysql.log
https://github.com/Security-Onion-Solutions/security-onion/issues/755

Issue 756: securityonion-elsa-extras: add parser for Bro 2.4 kerberos.log
https://github.com/Security-Onion-Solutions/security-onion/issues/756

Issue 757: securityonion-elsa-extras: add parser for Bro 2.4 rdp.log
https://github.com/Security-Onion-Solutions/security-onion/issues/757

Issue 758: securityonion-elsa-extras: add parser for Bro 2.4 pe.log
https://github.com/Security-Onion-Solutions/security-onion/issues/758

Issue 759: securityonion-elsa-extras: add parser for Bro 2.4 sip.log
https://github.com/Security-Onion-Solutions/security-onion/issues/759

Issue 780: securityonion-elsa-extras: add parser for IIS logs
https://github.com/Security-Onion-Solutions/security-onion/issues/780

Issue 782: securityonion-elsa-extras: update sysmon parser
https://github.com/Security-Onion-Solutions/security-onion/issues/782

Issue 776: securityonion-elsa-extras: set version 3.3 in syslog-ng.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/776

Issue 796: securityonion-elsa-extras: Add script to fix ELSA syslogs_archive_1 issue
https://github.com/Security-Onion-Solutions/security-onion/issues/796

Issue 801: securityonion-web-page: add queries for Bro kerberos logs
https://github.com/Security-Onion-Solutions/security-onion/issues/801

Issue 802: securityonion-web-page: add queries for Bro mysql logs
https://github.com/Security-Onion-Solutions/security-onion/issues/802

Issue 803: securityonion-web-page: add queries for Bro pe logs
https://github.com/Security-Onion-Solutions/security-onion/issues/803

Issue 804: securityonion-web-page: add queries for Bro rdp logs
https://github.com/Security-Onion-Solutions/security-onion/issues/804

Issue 805: securityonion-web-page: add queries for Bro sip logs
https://github.com/Security-Onion-Solutions/security-onion/issues/805

Issue 794: securityonion-web-page: add DHCP Servers query
https://github.com/Security-Onion-Solutions/security-onion/issues/794

Issue 798: securityonion-web-page: add HTTP sites hosting SWF
https://github.com/Security-Onion-Solutions/security-onion/issues/798

Screenshots
(Screenshots of the new ELSA queries, not reproduced here: Mysql - Top Arguments; Kerberos - Top Services; PE - Sections; RDP - Result; RDP - Keyboard Layout; RDP - Client Build; SIP - Status Msg)


Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!
