Thursday, May 30, 2019

Snort 2.9.13.0 and PulledPork 0.7.3 now available for Security Onion!

Snort 2.9.13.0 was recently released:
https://blog.snort.org/2019/04/snort-29130-has-been-released.html

We've packaged Snort 2.9.13.0 and the new version of PulledPork required for this new Snort version.  The new package versions are as follows:

securityonion-snort - 2.9.13.0-1ubuntu1securityonion3
securityonion-pulledpork - 0.7.3-1ubuntu1securityonion3

These packages should resolve the following issues:

Snort 2.9.13.0 #1142
https://github.com/Security-Onion-Solutions/security-onion/issues/1142

PulledPork 0.7.3 #1143
https://github.com/Security-Onion-Solutions/security-onion/issues/1143

Snort 2.9.13.0

PulledPork 0.7.3

Thanks
Thanks to the Snort team for Snort 2.9.13.0!
Thanks to the PulledPork team for PulledPork 0.7.3!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Columbia MD!  Use promotional code earlybird for 10% off the ADVANCED class for a limited time.  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Tuesday, May 28, 2019

Security Onion Users Can Now Switch to Elastic Features

Many folks have asked if they could switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license.  You can try it out starting today!

Instructions

  • First, please review the Elastic Features license:
    https://github.com/elastic/elasticsearch/blob/6.7/licenses/ELASTIC-LICENSE.txt
  • Next, you should make sure that all updates have been installed:
    sudo soup
  • If soup prompts to reboot, please do so.  
  • Verify that everything is working properly before continuing.
  • Edit /etc/nsm/elasticdownload.conf using your favorite text editor and change DOCKERHUB from "securityonionsolutions" to "securityonionsolutionselas":
    DOCKERHUB="securityonionsolutionselas"
  • Run soup again to download the new Docker images for Elastic Features:
    sudo soup
  • Once soup has downloaded the new Docker images, it should restart your Docker containers.
  • Kibana should now have some new features on the left side.


Screenshots
Soup downloading new Docker images

Kibana now includes new features on left side

Q&A

Is Elastic Features open source?

No, it is not open source.  It is licensed under the Elastic license:
https://github.com/elastic/elasticsearch/blob/6.7/licenses/ELASTIC-LICENSE.txt

What does this mean for Security Onion licensing?

Security Onion continues to be free and open source and will continue to default to the open source version of the Elastic Stack.  If you choose to switch to Elastic Features (not open source), you may do so using the instructions above.

If I switch to Elastic Features, is this a trial license?

If you switch to Elastic Features, you can remain on the BASIC license for free forever or you can choose to upgrade to a paid subscription. For more information about Elastic Features subscription levels, please see:
https://www.elastic.co/subscriptions

How does authentication work?

Authentication works the same way it does in our existing Elastic open source images.  Security Onion provides Single Sign On (SSO) using the same username and password for Sguil, Squert, and Kibana.

What about the recent Elastic announcement about security features?

Elastic recently announced that security features are included for free in the Elastic Features license starting in version 6.8.0.  Since Security Onion still uses Elastic 6.7.2, those security features are not free in that version.  We will begin the process of working towards Elastic 6.8.0.

Wednesday, May 22, 2019

Security Onion Documentation now available in Book Format!


Many folks have asked for a printed version of our official online documentation and we're excited to provide that!  Whether you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.

Thanks to Richard Bejtlich for writing the inspiring foreword!

Proceeds go to the Rural Technology Fund!

This introductory price is good for a limited time only!






This book covers the following Security Onion topics:

  • Getting Started
  • Analyst Tools
  • Network Visibility
  • Host Visibility
  • Elastic Stack
  • Updating
  • Customizing for your Environment
  • Tuning
  • Tricks and Tips
  • Services
  • Utilities
  • Help
  • Integrations

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print.  It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else!  Finally, proceeds go to the Rural Technology Fund!

Who should get this book?

Security Onion users who work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

How often will the book be updated?

Currently, we plan to release a new edition of the book every time we release a new version of our ISO image.

Where do we get it?

https://www.amazon.com/dp/179779762X



Monday, May 20, 2019

securityonion-sostat - 20120722-0ubuntu0securityonion126 now available for Security Onion!

securityonion-sostat - 20120722-0ubuntu0securityonion126 is now available.  This should resolve the following issue:

securityonion-sostat: re-apply debconf noninteractive setting so that soup can proceed unattended #1523
https://github.com/Security-Onion-Solutions/security-onion/issues/1523

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Costa Mesa CA and Columbia MD!  Use promotional code earlybird for 10% off the Columbia MD classes for a limited time.  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

securityonion-iso - 20151016-1ubuntu1securityonion32 now available for Security Onion!

securityonion-iso - 20151016-1ubuntu1securityonion32 is now available.  This should resolve the following issue:

so-iso-build: purge php7.0-fpm #1463
https://github.com/Security-Onion-Solutions/security-onion/issues/1463

Thanks
Thanks to the following for testing!

  • Wes Lambert
  • Dustin Lee
  • Bryant Treacle

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Costa Mesa CA and Columbia MD!  Use promotional code earlybird for 10% off the Columbia MD classes for a limited time.  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

pinguybuilder - 20180514-1ubuntu1securityonion18 now available for Security Onion!

pinguybuilder - 20180514-1ubuntu1securityonion18 is now available.  This should resolve the following issue:

pinguybuilder: increment version to 16.04.6.1 #1433
https://github.com/Security-Onion-Solutions/security-onion/issues/1433

Thanks
Thanks to the following for testing!

  • Wes Lambert
  • Dustin Lee
  • Bryant Treacle

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Costa Mesa CA and Columbia MD!  Use promotional code earlybird for 10% off the Columbia MD classes for a limited time.  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Security Onion 16.04.6.1 now available featuring Elastic 6.7.2, CyberChef 8.31.3, Suricata 4.1.4, Wazuh 3.8.2, and more!

Security Onion 16.04.6.1 is now available!

Security Onion 16.04.6.1

Major Changes Since Last ISO Image
  • Elastic 6.7.2
  • CyberChef 8.31.3
  • Suricata 4.1.4
  • Wazuh 3.8.2
  • now includes a static copy of our new Documentation
  • now includes our Cheat Sheet PDF
  • so-import-pcap handles many more use cases and can now run Setup for you if necessary
  • new PCAP samples in /opt/samples/mta/
  • Setup now configures Bro and Suricata for AF_PACKET by default
  • fixed lots of bugs!

Thanks
Thanks to the following for testing this ISO image!

  • Wes Lambert
  • Dustin Lee
  • Bryant Treacle

Issues Resolved
For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/6

Release Notes
For more information about this release, please see:
https://securityonion.net/docs/release-notes.html

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:
https://securityonion.net/docs/installation.html

Existing Deployments
If you have existing 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://securityonion.net/docs/Upgrade

If you have existing installations of Security Onion 14.04, you can upgrade from 14.04 to 16.04:
https://securityonion.net/docs/upgrading-from-14.04-to-16.04.html

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Costa Mesa CA and Columbia MD!  Use promotional code earlybird for 10% off the Columbia MD classes for a limited time.  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Screenshot Tour

ISO Boot Menu 
Once the Live Desktop appears, double-click the Install icon and follow the prompts

Once you've completed the installer and rebooted, login using the username and password you created in the installer

After logging in, you are prompted to run Setup

Setup Wizard

Configure network interfaces, reboot, then log back in

You are then prompted to run Setup again to continue to the second phase of Setup

Skip network configuration to go to service configuration

Evaluation Mode vs Production Mode

Monitoring Interface Selection

Create Username

Create Password

Confirm Password

Confirm all options

Setup Complete

Desktop no longer prompts to run Setup


The README shortcut includes links to the cheat sheet and online and offline documentation

CyberChef 8.31.3

Single Sign On (SSO for Squert, CapMe, and Kibana)

Review IDS alerts using Squert

Retrieve full packet capture with CapMe

Kibana Overview

If you want to change from dark dashboards to light, you can run so-elastic-configure-kibana-dashboards-light

Light dashboards

If you want to switch back to dark dashboards, you can run so-elastic-configure-kibana-dashboards-dark

Back to dark dashboards

Help

Bro Notices

ElastAlert

HIDS Alerts from Wazuh (OSSEC)

NIDS Alerts from Snort or Suricata

Bro Connections

Bro DCE/RPC

Bro DHCP

Bro DNP3

Bro DNS

Bro Files

Bro FTP

Bro HTTP

Bro Intel

Bro IRC

Bro Kerberos

Bro Modbus

Bro MySQL

Bro NTLM

Bro PE

Bro RADIUS

Bro RDP

Bro RFB

Bro SIP

Bro SMB

Bro SMTP

Bro SNMP

Bro Software

Bro SSH

Bro SSL

Bro Syslog

Bro Tunnels

Bro Weird

Bro X.509

Autoruns

Beats

OSSEC (Wazuh) Logs

Sysmon

Domain Stats

Firewall

Frequency Analysis

Syslog