Tuesday, April 30, 2019

securityonion-capme - 20121213-0ubuntu0securityonion76 now available for Security Onion!

securityonion-capme - 20121213-0ubuntu0securityonion76 is now available and resolves the following issue:

securityonion-capme: update callback.php #1509
https://github.com/Security-Onion-Solutions/security-onion/issues/1509

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have a 4-day Security Onion Basic Training class coming up in Costa Mesa CA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

securityonion-setup - 20120912-0ubuntu0securityonion296 now available for Security Onion!

securityonion-setup - 20120912-0ubuntu0securityonion296 is now available and should resolve the following issues:

so-allow: add OSSEC/Wazuh registration service option #1506
https://github.com/Security-Onion-Solutions/security-onion/issues/1506

Setup: /etc/network/interfaces ethtool rx setting should be commented out by default #1508
https://github.com/Security-Onion-Solutions/security-onion/issues/1508

Discussion
Richard Bejtlich recently blogged about an issue with Virtualbox and /etc/network/interfaces:
https://taosecurity.blogspot.com/2019/04/troubleshooting-nsm-virtualization.html

We were able to duplicate the issue and determine that it had to do with the ethtool -G rx setting.  Traditionally, our Setup script has used ethtool -g to determine the maximum rx ring size the sniffing interface advertises and then ethtool -G to set the interface to that maximum.  It appears that VirtualBox 6.0.4 has an issue whereby its virtual network interfaces report a maximum rx setting of 4096 but cannot reliably be set to that value.  Therefore, the safest option for widest compatibility is to leave the rx setting at the driver's default value.  Additionally, some folks recommend lower rx values for better performance (see the SEPTun tuning guide):
https://github.com/pevma/SEPTun/blob/master/SEPTun.rst

Our new Setup script continues to write the ethtool -G rx setting into /etc/network/interfaces but it is now commented out by default.  If you need to modify this, you can certainly do so.

For more information, please see the Network Configuration page on our Documentation site:
https://securityonion.readthedocs.io/en/latest/network-configuration.html
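As an added example (not part of the original post and not Security Onion's own Setup code), here is the ethtool -g / ethtool -G logic described above expressed in POSIX shell: parse the pre-set maximum and current RX ring sizes from ethtool -g output, then write the sniffing-interface stanza with the ethtool -G rx line present but commented out. The ethtool output is a constructed sample modelled on a VirtualBox guest, and the stanza layout is illustrative rather than a copy of what Setup writes.

```sh
#!/bin/sh
# Added example; not Security Onion's Setup code. Parses `ethtool -g`
# output and renders an interfaces(5) stanza with ethtool -G commented out.

# Constructed sample of `ethtool -g eth1` (real output separates the
# columns with tabs; awk splits on any whitespace, so either works).
SAMPLE_ETHTOOL_G='Ring parameters for eth1:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256'

# rx_ring_size max|cur
# Reads ethtool -g output on stdin and prints the RX ring size from the
# "Pre-set maximums" (max) or "Current hardware settings" (cur) section.
# "RX Mini:" and "RX Jumbo:" have $1 == "RX", not "RX:", so they are skipped.
rx_ring_size() {
    awk -v want="$1" '
        /^Pre-set maximums:/          { section = "max" }
        /^Current hardware settings:/ { section = "cur" }
        $1 == "RX:" && section == want { print $2; exit }
    '
}

# sniff_stanza IFACE MAXRX
# Prints a stanza for a promiscuous sniffing interface. The ethtool -G rx
# line is still written, but commented out, so the driver default stays in
# effect unless an admin deliberately uncomments it.
sniff_stanza() {
    iface="$1"
    maxrx="$2"
    cat <<EOF
auto $iface
iface $iface inet manual
  up ip link set $iface promisc on arp off up
  down ip link set $iface promisc off down
  # post-up ethtool -G $iface rx $maxrx
EOF
}

# has_active_rx_line
# Reads a stanza on stdin; succeeds (exit 0) only if it contains an
# ethtool -G ... rx line that is NOT commented out.
has_active_rx_line() {
    grep -Eq '^[[:space:]]*post-up[[:space:]].*ethtool -G .* rx '
}

# Stand-alone run: report what the sample interface advertises and emit
# the stanza that would be written for it.
maxrx=$(printf '%s\n' "$SAMPLE_ETHTOOL_G" | rx_ring_size max)
currx=$(printf '%s\n' "$SAMPLE_ETHTOOL_G" | rx_ring_size cur)
echo "eth1: rx max=$maxrx current=$currx"
sniff_stanza eth1 "$maxrx"
```

On a VirtualBox guest the sample reports a maximum of 4096 while the hardware setting stays at 256; because the post-up line is commented out, ifup leaves the ring at the driver default, which is the behaviour the new Setup default is meant to give. If you do uncomment the line on physical hardware, the has_active_rx_line check is a quick way to confirm from a script which interfaces will actually have ethtool -G applied at boot.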

Thanks
Thanks to Richard Bejtlich for reporting the /etc/network/interfaces issue!
Thanks to Dustin Lee for duplicating the /etc/network/interfaces issue!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Thanks!

Monday, April 29, 2019

Security Onion Conference 2019 CFP

This year's Security Onion Conference will be held in Augusta, GA on Friday, October 4, 2019 (please mark your calendar!). Registration will open July 18.

CFP

Want to speak at Security Onion Conference? We want to hear from you!

How are you...
...using Security Onion to find evil?
...handling lots of traffic using Security Onion?
...consuming host telemetry with Security Onion?
...integrating Security Onion with other technologies?
...automating common tasks with your own scripts?
...using Security Onion in a unique way?

Each talk should be 30 minutes with an additional 10 minutes for questions.

Submit your talk here!
https://securityonion.net/cfp

Schedule

April 29 - CFP open
June 24 - CFP closes
July 18 - Speakers selected and notified
July 18 - Registration opens
September 30 - October 3 - Security Onion 4-day training in Augusta
October 4 - Security Onion Conference
October 5 - BSidesAugusta

Security Onion Docker Images NOT Affected by Recent Docker Hub Data Exposure

In Security Onion 16.04, our Elastic components are delivered via Docker images stored on Docker Hub.  Docker recently announced unauthorized access to a single Docker Hub database:
https://success.docker.com/article/docker-hub-user-notification

From the article:
Q: How do I know if I was impacted by this unauthorized access?
If you directly received an email from Docker about this incident, you may have been impacted. If you have received a password reset link, your password hash was potentially exposed. We have invalidated it and sent you a password reset link as a precaution. If you are using autobuilds and your GitHub or Bitbucket repositories have been unlinked from Docker Hub, you will need to relink those repositories for autobuilds to work correctly.
Security Onion does NOT use autobuilds and did NOT receive an email from Docker, so we don't have any reason to believe that our Docker accounts or images were impacted.  However, to err on the side of caution, we have verified our Docker images and reset our passwords.  Finally, please note that our images are digitally signed using Docker Content Trust, so a client that pulls with DOCKER_CONTENT_TRUST=1 set in its environment will refuse any image that lacks a valid signature:
https://docs.docker.com/engine/security/trust/content_trust/

tcpflow - 1.4.5+repack1-1ubuntu1securityonion2 now available for Security Onion!

tcpflow - 1.4.5+repack1-1ubuntu1securityonion2 is now available and should resolve the following issue:

update tcpflow #1507
https://github.com/Security-Onion-Solutions/security-onion/issues/1507

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Thanks!

Wednesday, April 24, 2019

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion203 now available for Security Onion!

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion203 is now available and should resolve the following issue:

NSM: nsm_server_user-add should check to see if user account exists and prompt user #1505
https://github.com/Security-Onion-Solutions/security-onion/issues/1505

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Thanks!

Wednesday, April 3, 2019

Security Onion Hybrid Hunter 1.0.7 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.0.7 is now available for testing!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major highlights of this release:

  • Suricata 4.1.3
  • Influxdb 1.7.5
  • Telegraf 1.10.1
  • Grafana 6.0.2
  • Setup now requires interface selection #26
  • Reduced the RAM usage for ES in Eval mode #25
  • Eval Mode setup is now choose your own adventure style
  • Fresh dockers for all the things to bring everything to 1.0.7
  • New utility docker called SOctopus
  • New html landing page now in dark mode
  • Added support for TheHive
Screenshots
From Kibana, you can pivot from a log entry to TheHive

Log now available in TheHive