Saturday, November 3, 2018

Security Onion Hybrid Hunter 1.0.1 Tech Preview Available for Testing!

From Doug Burks:

When Mike Reeves joined Security Onion Solutions in January 2018, one of the first things we discussed was building a brand new Security Onion platform with the following characteristics:
  • Move from Ubuntu DEB packages to Docker images
  • Support both Ubuntu 16.04 and RedHat/CentOS 7
  • Higher performance
  • More centralized configuration

In just a few short months, Mike has done an incredible amount of work to make this idea a reality and we announced it at Security Onion Conference 2018:

Here’s Mike Reeves to tell you more about this exciting platform!

From Mike Reeves:

First off, I would like to thank everyone who presented at or attended the 2018 Security Onion Conference. This was the best one yet and I am already excited about next year. I wanted to take the time to talk about some of the long term plans we have for the Security Onion platform and how these potential changes, which we’ve code named “Hybrid Hunter”, may affect your deployment.

The general theme of Hybrid Hunter is simplification. We want you spending more time finding evil than running your sensor grid. Since 2008, Security Onion’s primary mission was to provide a Network Security Monitoring distribution that could be deployed in minutes instead of days or weeks. Hybrid Hunter expands on this and allows it to scale better in large enterprise networks.

At Security Onion Con 2018, Doug and I unveiled some details behind Hybrid Hunter. We received so much feedback and we are very appreciative to all of you. One item of feedback I received involved changes to the way Security Onion operates today. I think a perfect use case we can use to illustrate the changes is Logstash. Today, when there is an update to Logstash a couple of things happen. First, the Docker container gets replaced with a container running a newer version of Logstash. Additionally, an Ubuntu package is downloaded which updates the Logstash configuration, e.g., parsers, output configurations, etc. If we continued this method and wanted to support RedHat/CentOS, we would need to create a separate package to manage the parsers. Multiply that effort by over fifty packages, along with nuanced differences between the operating systems, and we would have an arduous task!

Our intent is for Hybrid Hunter to deliver as many components as possible as Docker containers. Gone would be the days where a new DEB or RPM package would be required for delivery of these changes, thus allowing us to support multiple Linux distributions going forward. Updating most Security Onion components would be as easy as updating Logstash and other Docker containers today. The process of updating would also allow for easy rollback. If something doesn’t work properly, the container can simply be stopped and the older version applied. The administrator will still run “soup”; however, it would not apply packages for SO components, just Docker containers!

For those of us that like to get our hands dirty when it comes to tweaking, you will be glad to know that the configurations will be centralized in the new platform. Today you have to visit multiple config files in multiple places to do tuning. Our goal is to put as much of this as possible into a single location, allowing you to tune more in less time.

Even though there are some new tools being added or replaced, the end user experience should remain the same. The training you get from Security Onion Solutions will be applicable to the current version and Hybrid Hunter, with minor differences for advanced tuning. You will still pivot to PCAP the same way even though Google Stenographer will be gathering the packets instead of netsniff-ng. The whole reason for this change is to get more consistent results when pulling PCAP but it doesn’t change the way you use SO. The end result is the same PCAP with the same experience. Changing from PF_RING to AF_PACKET improves the way that we acquire packets but does not change the end result of what you will see in the console. AF_PACKET allows you to expand your tuning possibilities with Suricata and improves performance. Those alerts will still look the same and will be more consistent. Zeek (formerly Bro) will see a performance improvement over using PF_RING but the metadata will look the same. We will also be allowing our users to select Community Bro if they so choose. Either choice will provide the same great metadata you have seen in Security Onion for years … and more!

I would also like to reiterate that there is no firm release date set. We are gathering input from you, the community, on other ways to make SO easier to deploy and tune. Our goal is to make the most successful experience for our users and expand our capabilities to fit the enterprise security monitoring needs of customers of all sizes.

Mike Reeves
Product Manager
Security Onion Solutions

Try It Out
Try out the Hybrid Hunter Tech Preview here:

If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:
Is the current Ubuntu-based platform still supported?
Yes, the current Ubuntu-based platform is still fully supported.  Once the new Hybrid Hunter platform reaches final release, we will announce plans to migrate from the current Ubuntu-based platform to the new platform.

Why the change from Ubuntu DEB packages to Docker images?
Docker images are easier to build and maintain and allow us to support other distros like CentOS.

Why the change from PF_RING to AF_PACKET?
AF_PACKET is part of the mainline Linux kernel (the packet socket family enabled by CONFIG_PACKET), so it does not require building, signing and loading a separate out-of-tree kernel module the way PF_RING does, and there is nothing to rebuild after a kernel upgrade. It also exposes additional tuning capability, for example the per-interface af-packet settings in Suricata.
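To make the comparison concrete, here is a generic Suricata capture configuration showing a PF_RING stanza beside an equivalent AF_PACKET stanza. This is an added example, not Security Onion's own configuration; the interface name eth1, the cluster-id and the ring sizes are assumed values that you would replace with your own.

```yaml
# Added example: generic Suricata capture configuration, not taken from
# Security Onion. Interface name, cluster-id and ring sizes are assumed values.

# PF_RING: needs the out-of-tree pf_ring.ko built against the running kernel
# and loaded (check with: lsmod | grep pf_ring) before Suricata can start.
pfring:
  - interface: eth1
    threads: 4
    cluster-id: 99
    cluster-type: cluster_flow

# AF_PACKET: served by the in-tree packet socket (CONFIG_PACKET), so nothing
# has to be rebuilt after a kernel upgrade, and more tuning knobs are exposed.
af-packet:
  - interface: eth1
    threads: auto               # one capture thread per CPU core
    cluster-id: 99              # fanout group shared by the capture threads
    cluster-type: cluster_flow  # keep every packet of a flow on one thread
    defrag: yes                 # reassemble IP fragments before flow hashing
    use-mmap: yes               # memory-mapped ring, fewer copies per packet
    tpacket-v3: yes             # TPACKET_V3 block mode (kernel 3.2 or later)
    ring-size: 200000           # frames per ring; raise if kernel_drops climb
    block-size: 32768
    checksum-checks: kernel     # trust checksums the NIC already validated
```

Before switching a sensor over, confirm the host actually has packet-socket support with `grep CONFIG_PACKET /boot/config-$(uname -r)` (or simply check that /proc/net/packet exists), then start Suricata with `--af-packet=eth1` instead of `--pfring-int=eth1` and watch `capture.kernel_packets` and `capture.kernel_drops` in stats.log while tuning `threads` and `ring-size`.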

Why manage everything with salt?
Salt will allow us to manage configuration centrally on the master node, so it won't matter whether you have one box or a hundred: you can still manage everything easily from a central location.
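As an added illustration of what central management with Salt looks like in practice, here is a minimal, generic Salt layout that keeps one copy of a sensor configuration on the master and pushes it to every minion carrying a `role:sensor` grain. This is example content, not Security Onion's own states; the paths, the grain name and the `suricata` service name are assumptions.

```yaml
# Added example: a minimal generic Salt layout, not Security Onion's own
# states. Paths, the 'role:sensor' grain and the service name are assumptions.

# /srv/salt/top.sls -- decides which states each minion receives
base:
  'G@role:sensor':
    - match: compound
    - suricata

# /srv/salt/suricata/init.sls -- the state applied to every sensor minion
suricata_config:
  file.managed:
    - name: /etc/suricata/suricata.yaml
    - source: salt://suricata/files/suricata.yaml   # single copy on the master
    - user: root
    - group: root
    - mode: '0640'

suricata_service:
  service.running:
    - name: suricata
    - enable: True
    - watch:
      - file: suricata_config   # restart only when the pushed file changed
```

From the master, `salt -G 'role:sensor' state.apply test=True` shows what would change on each sensor without touching it, and `salt -G 'role:sensor' state.apply` applies the states; editing the one file under /srv/salt/suricata/files and re-running the apply is the whole tuning loop, whether one sensor or a hundred is listening.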

