Wednesday, August 31, 2016

securityonion-setup - 20120912-0ubuntu0securityonion228 resolves an issue

A new setup package is now available:
securityonion-setup - 20120912-0ubuntu0securityonion228

This new package should resolve the following issue:

Issue 986: Setup: use default MTU
https://github.com/Security-Onion-Solutions/security-onion/issues/986

Thanks
Thanks to Wes Lambert for testing this package!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Want to show your support for Security Onion?
Security Onion t-shirts are available in our CafePress store!
http://www.cafepress.com/securityonion/11820053

Conference
Security Onion Conference will be on Friday September 9 and registration closes on Friday September 2!
https://securityonion.net/conference

Training
Need training?  Please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Support

Thanks!

Wednesday, August 24, 2016

securityonion-setup - 20120912-0ubuntu0securityonion226 resolves an issue

A new setup package is now available:
securityonion-setup - 20120912-0ubuntu0securityonion226

This new package should resolve the following issue:

Issue 981: sosetup-network: bug when configuring management interface only
https://github.com/Security-Onion-Solutions/security-onion/issues/981

Thanks
Thanks to Wes Lambert for testing this package!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

securityonion-web-page - 20141015-0ubuntu0securityonion68 resolves an issue

Tom Webb recently posted to the Internet Storm Center about checking HTTP status codes:
https://isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/

I've added a new HTTP Top Status Code query to the ELSA hunting menu and built a new package:
securityonion-web-page - 20141015-0ubuntu0securityonion68

This new package should resolve the following issue:

Issue 984: securityonion-web-page: add HTTP top status code
https://github.com/Security-Onion-Solutions/security-onion/issues/984

Thanks
Thanks to Wes Lambert for testing this package!

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Tuesday, August 23, 2016

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion141 resolves an issue

Wes Lambert submitted a Pull Request which should automatically start Snort with a calculated snaplen setting passed via the --snaplen command-line option:
https://github.com/Security-Onion-Solutions/securityonion-nsmnow-admin-scripts/pull/8

I've merged the Pull Request and built a new package:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion141

This new package should resolve the following issue:

Issue 975: NSM: configure Snort snaplen via command line argument
https://github.com/Security-Onion-Solutions/security-onion/issues/975

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Monday, August 22, 2016

securityonion-elsa-extras - 20151011-1ubuntu1securityonion37 resolves 2 issues

James Taylor and Josh Brower submitted updates for some ELSA patterns.  I've merged their pull requests and built a new package:
securityonion-elsa-extras - 20151011-1ubuntu1securityonion37

This new package has been tested by James Taylor, Josh Brower, and Wes Lambert (thanks!) and should resolve the following issues:

Issue 979: securityonion-elsa-extras: additional patterns for Sysmon 4 and 4.11
https://github.com/Security-Onion-Solutions/security-onion/issues/979

Issue 983: securityonion-elsa-extras: add "AR-LOG" header to autoruns pattern
https://github.com/Security-Onion-Solutions/security-onion/issues/983

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Thursday, August 11, 2016

securityonion-setup - 20120912-0ubuntu0securityonion225 resolves an issue

I've updated the Setup package and the new package version is:
securityonion-setup - 20120912-0ubuntu0securityonion225

This new package has been tested by Wes Lambert (thanks!) and should resolve the following issue:

Issue 980: Setup: sosetup.conf SGUIL_CLIENT_USERNAME alphanumeric only
https://github.com/Security-Onion-Solutions/security-onion/issues/980

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Wednesday, August 10, 2016

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion140 resolves an issue

I've updated the NSM scripts to wipe Suricata's stats.log when starting/restarting Suricata.  The new package is:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion140

This new package has been tested by Wes Lambert (thanks!) and should resolve the following issue:

Issue 968: NSM: wipe stats.log when restarting Suricata
https://github.com/Security-Onion-Solutions/security-onion/issues/968

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Tuesday, August 9, 2016

securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion17 resolves 3 issues

Wes Lambert submitted a pull request for sguil-db-purge:
https://github.com/Security-Onion-Solutions/securityonion-sguil-db-purge/pull/1

I merged the pull request and also did the following:

  • refactored mysql calls to use mysql defaults-file
  • added check for root privileges

This new package should resolve the following issues:

Issue 971: securityonion-sguil-db-purge: add command line options
https://github.com/Security-Onion-Solutions/security-onion/issues/971

Issue 972: securityonion-sguil-db-purge: update mysql calls
https://github.com/Security-Onion-Solutions/security-onion/issues/972

Issue 974: securityonion-sguil-db-purge: check for privileges
https://github.com/Security-Onion-Solutions/security-onion/issues/974
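As an added illustration, not the securityonion-sguil-db-purge script itself, the shell below shows the two hardening points listed above: refusing to run without root, and handing credentials to mysql through a defaults-file rather than on the command line, where a `-p` password is briefly visible to every local user in the process list and lands in shell history. The defaults-file path, the database and table names and the DELETE statement are assumptions for illustration; the real script's purge logic is not reproduced here.

```shell
#!/bin/sh
# Added example, not the securityonion-sguil-db-purge script: a root-privilege
# check and mysql driven by a defaults-file so the password never appears in
# argv. Assumptions for illustration: the defaults-file is /etc/mysql/debian.cnf,
# the Sguil database is securityonion_db, and the DELETE below stands in for the
# real purge logic.

DEFAULTS_FILE="${DEFAULTS_FILE:-/etc/mysql/debian.cnf}"
DAYS_DEFAULT=365

# The defaults-file is readable by root only, so without root we cannot
# authenticate; fail early with a clear message instead of a mysql error.
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be run as root (reads $DEFAULTS_FILE)" >&2
        return 1
    fi
}

# DAYS is interpolated into SQL, so only a positive integer is accepted.
validate_days() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# purge_sql DAYS -> the statement that would be run (placeholder for the
# real purge); fails on an invalid DAYS instead of emitting broken SQL.
purge_sql() {
    validate_days "$1" || return 1
    printf 'DELETE FROM event WHERE timestamp < DATE_SUB(NOW(), INTERVAL %s DAY)\n' "$1"
}

# Weak form, password exposed on the command line:
#   mysql -u sguil -p"$SGUIL_PASS" securityonion_db -e "$sql"
# Corrected form: credentials come from the defaults-file, nothing in argv.
run_purge() {
    mysql --defaults-file="$DEFAULTS_FILE" securityonion_db -e "$(purge_sql "$1")"
}

usage() {
    echo "usage: $0 [-d DAYS] [-n]   (-n prints the SQL instead of running it)" >&2
    exit 2
}

# main: -d DAYS sets retention, -n is a dry run.
main() {
    days=$DAYS_DEFAULT; dryrun=0
    while getopts 'd:n' opt; do
        case "$opt" in
            d) days=$OPTARG ;;
            n) dryrun=1 ;;
            *) usage ;;
        esac
    done
    validate_days "$days" || { echo "invalid -d value: $days" >&2; exit 2; }
    if [ "$dryrun" -eq 1 ]; then
        purge_sql "$days"
    else
        require_root || exit 1
        run_purge "$days"
    fi
}

# To use as a script, end the file with:  main "$@"
```

Running it with `-n -d 30` prints the statement without touching the database; without `-n` it refuses to continue unless it is root, and the only place the password ever lives is the root-readable defaults-file.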

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Monday, August 8, 2016

New ELSA packages resolve several issues

I've merged several pull requests:
https://github.com/Security-Onion-Solutions/securityonion-elsa-extras/pull/10
https://github.com/Security-Onion-Solutions/securityonion-elsa-extras/pull/15
https://github.com/Security-Onion-Solutions/securityonion-elsa-extras/pull/17
https://github.com/Security-Onion-Solutions/securityonion-elsa-extras/pull/18
https://github.com/Security-Onion-Solutions/securityonion-web-page/pull/5

Martin Holste merged several pull requests in his ELSA repo:
https://github.com/mcholste/elsa/pull/16
https://github.com/mcholste/elsa/pull/40
https://github.com/mcholste/elsa/pull/39
https://github.com/mcholste/elsa/pull/37

I've built new packages including all of these changes and the new package versions are as follows:
securityonion-elsa - 1205chartsjsd3-1ubuntu1securityonion9
securityonion-elsa-extras - 20151011-1ubuntu1securityonion35
securityonion-web-page - 20141015-0ubuntu0securityonion67

These new packages should resolve the following issues:

Issue 950: ELSA: change Help link to point to ELSA Github
https://github.com/Security-Onion-Solutions/security-onion/issues/950

Issue 827: securityonion-elsa-extras: merge additional patterns including DNP3 and Modbus
https://github.com/Security-Onion-Solutions/security-onion/issues/827

Issue 970: securityonion-web-page: add queries for autoruns, dnp3, and modbus
https://github.com/Security-Onion-Solutions/security-onion/issues/970

Issue 973: securityonion-web-page: Apache ServerName localhost
https://github.com/Security-Onion-Solutions/security-onion/issues/973

Issue 964: securityonion-web-page: add "bottom" queries for long tail analysis
https://github.com/Security-Onion-Solutions/security-onion/issues/964

Issue 976: securityonion-web-page: additional protections in securityonion.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/976

These packages have been tested by the following (thanks!):
Phil Plantamura
Josh Brower
Wes Lambert
James Taylor
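The HTTP Top Status Code query added to the ELSA hunting menu (Issue 984) and the "bottom" queries for long tail analysis (Issue 964) are the same operation seen from both ends: group a log field, count, and look at either the most common values or the rare ones. As an added example, not Security Onion or ELSA code, the shell below does that stack counting with awk over a Bro-format TSV log, finding the column by name from the `#fields` header. The http.log contents are constructed sample data; the column names follow Bro's http.log header.

```shell
#!/bin/sh
# Added example, not Security Onion or ELSA code: "top N" / "bottom N" stack
# counting over a Bro/Zeek TSV log. Bro logs name their tab-separated columns
# in a "#fields" header line, which is used here to locate the column by name.
# The http.log written by make_sample_http_log is constructed sample data.

# stack LOGFILE FIELD N MODE   (MODE is "top" or "bottom")
# Prints N lines of "count<TAB>value", most frequent first for top and least
# frequent first for bottom. The bottom view is the long tail an analyst hunts
# through: values that appear once or twice are the unusual ones.
stack() {
    logfile="$1"; field="$2"; n="$3"; mode="$4"
    if [ "$mode" = bottom ]; then sortflags=-n; else sortflags=-rn; fi
    awk -F '\t' -v want="$field" '
        /^#fields/ {                    # $1 is "#fields", so data column = i - 1
            for (i = 2; i <= NF; i++) if ($i == want) col = i - 1
            next
        }
        /^#/ { next }                   # other header and footer lines
        col  { count[$col]++ }          # col stays 0 if FIELD is not in the log
        END  { for (v in count) printf "%d\t%s\n", count[v], v }
    ' "$logfile" | sort $sortflags | head -n "$n"
}

# Write a small constructed http.log in Bro format to FILE.
make_sample_http_log() {
    {
        printf '#fields\tts\tid.orig_h\tid.resp_h\thost\turi\tstatus_code\n'
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
            1472040000.1 10.0.0.5 93.184.216.34 example.com /           200 \
            1472040001.2 10.0.0.5 93.184.216.34 example.com /logo.png   200 \
            1472040002.3 10.0.0.7 93.184.216.34 example.com /           200 \
            1472040003.4 10.0.0.7 93.184.216.34 example.com /about      200 \
            1472040004.5 10.0.0.9 93.184.216.34 example.com /           200 \
            1472040005.6 10.0.0.5 93.184.216.34 example.com /admin      404 \
            1472040006.7 10.0.0.5 93.184.216.34 example.com /backup     404 \
            1472040007.8 10.0.0.7 93.184.216.34 example.com /.git/HEAD  404 \
            1472040008.9 10.0.0.9 93.184.216.34 example.com /old        302 \
            1472040009.0 10.0.0.9 93.184.216.34 example.com /login      302 \
            1472040010.1 10.0.0.5 198.51.100.23 cdn.example /update.bin 522
        printf '#close\t2016-08-24-12-00-00\n'
    } > "$1"
}

# Demo: the three views the hunting menu exposes, over the sample log.
log=$(mktemp)
make_sample_http_log "$log"
echo "HTTP - Top Status Codes";        stack "$log" status_code 3 top
echo "HTTP - Bottom Status Codes";     stack "$log" status_code 3 bottom
echo "HTTP - Bottom URIs (long tail)"; stack "$log" uri 3 bottom
rm -f "$log"
```

The same function serves dns.log (`stack dns.log query 20 bottom` gives the rare queries behind the "DNS - Bottom Requests" view) or any other Bro log, because the column is looked up by name rather than by position. On a real sensor point it at the log file under the Bro log directory; the sample here is only so the block runs on its own.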

Screenshots (images not reproduced here; captions only)
  • DNP3 - Top SRC IPs
  • DNP3 - Top DST IPs
  • DNP3 - Top DST Ports
  • DNP3 - Top Requests
  • DNP3 - Top Replies
  • Modbus - Top SRC IPs
  • Modbus - Top DST IPs
  • Modbus - Top DST Ports
  • Modbus - Top Functions
  • Modbus - Top Exceptions
  • Autoruns Queries
  • DNS - Bottom Requests (Long Tail Analysis)

Updating
These packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Tuesday, August 2, 2016

securityonion-squert - 20141015-0ubuntu0securityonion19 resolves XSS issue and disables Apache autoindex module

Manuel Mancera discovered an XSS issue in Squert:
https://github.com/int13h/squert/issues/76
https://groups.google.com/d/topic/security-onion/-x_PQQwm4bQ/discussion

securityonion-squert - 20141015-0ubuntu0securityonion19 resolves this XSS issue and also disables the Apache autoindex module:

Issue 967: Squert: Parameter not escaped in ip2c.php
https://github.com/Security-Onion-Solutions/security-onion/issues/967

Issue 969: Squert: prevent directory listing for subdirectories
https://github.com/Security-Onion-Solutions/security-onion/issues/969

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Monday, August 1, 2016

securityonion-setup - 20120912-0ubuntu0securityonion224 resolves an issue

Wes Lambert submitted a pull request for sosetup:
https://github.com/Security-Onion-Solutions/securityonion-setup/pull/22

I've merged this pull request and the following package is now available:
securityonion-setup - 20120912-0ubuntu0securityonion224

This new package should resolve the following issues:

Issue 966: Setup: sosetup.conf needs to include MTU
https://github.com/Security-Onion-Solutions/security-onion/issues/966

Issue 592: sosetup: add -y option
https://github.com/Security-Onion-Solutions/security-onion/issues/592
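Once setup takes its answers from sosetup.conf instead of prompting, the values in that file are input the rest of setup trusts, which is why Issue 980 (above) restricts SGUIL_CLIENT_USERNAME to alphanumeric characters and Issue 986 falls back to a default MTU. As an added example, not the sosetup code, the shell below validates those two keys before they are used. It assumes KEY=value lines (optionally double-quoted), a default MTU of 1500 when MTU is absent, and an accepted MTU range of 68 to 65535; the sample configuration files are constructed.

```shell
#!/bin/sh
# Added example, not sosetup code: sanity-check the sosetup.conf values these
# posts mention before setup consumes them. Assumptions: KEY=value lines
# (optionally double-quoted), a default MTU of 1500 when MTU is absent, and an
# accepted MTU range of 68..65535. The user name rule (A-Z, a-z, 0-9 only) is
# the constraint from Issue 980.

DEFAULT_MTU=1500

# conf_get FILE KEY -> the last value set for KEY, surrounding quotes removed
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Only [A-Za-z0-9]; spaces, quotes, ';', '$' and the like are rejected before
# the name can reach a shell command line or an SQL statement.
valid_username() {
    case "$1" in
        '' | *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# An integer within the assumed range; rejects "1500 " and "0x5dc" alike.
valid_mtu() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 68 ] && [ "$1" -le 65535 ]
}

# effective_mtu FILE -> MTU from the file, or DEFAULT_MTU when it is not set
effective_mtu() {
    mtu=$(conf_get "$1" MTU)
    if [ -n "$mtu" ]; then echo "$mtu"; else echo "$DEFAULT_MTU"; fi
}

# check_conf FILE -> 0 if every checked value is usable, 1 otherwise
check_conf() {
    conf="$1"; rc=0
    user=$(conf_get "$conf" SGUIL_CLIENT_USERNAME)
    if ! valid_username "$user"; then
        echo "SGUIL_CLIENT_USERNAME='$user': alphanumeric characters only" >&2
        rc=1
    fi
    mtu=$(effective_mtu "$conf")
    if ! valid_mtu "$mtu"; then
        echo "MTU='$mtu': not an integer between 68 and 65535" >&2
        rc=1
    fi
    return $rc
}

# Demo with a constructed config file: the space in the user name is rejected.
demo=$(mktemp)
printf 'SGUIL_CLIENT_USERNAME="analyst 1"\nMTU=9000\n' > "$demo"
check_conf "$demo" || echo "refusing to continue setup with $demo"
rm -f "$demo"
```

A file with no MTU line passes the check with the default (1500 here, an assumption) rather than an empty value, which is the behaviour Issue 986 describes; a user name such as `bob; rm -rf /` fails before it is interpolated anywhere.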

Updating
This package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade
