Security Onion: May 2019

Thursday, May 30, 2019

Snort 2.9.13.0 and PulledPork 0.7.3 now available for Security Onion!

Snort 2.9.13.0 was recently released:
https://blog.snort.org/2019/04/snort-29130-has-been-released.html

We've packaged Snort 2.9.13.0 and the new version of PulledPork required for this new Snort version. The new package versions are as follows:

securityonion-snort - 2.9.13.0-1ubuntu1securityonion3
securityonion-pulledpork - 0.7.3-1ubuntu1securityonion3

These packages should resolve the following issues:

Snort 2.9.13.0 #1142
https://github.com/Security-Onion-Solutions/security-onion/issues/1142

PulledPork 0.7.3 #1143
https://github.com/Security-Onion-Solutions/security-onion/issues/1143

Snort 2.9.13.0

PulledPork 0.7.3

Thanks
Thanks to the Snort team for Snort 2.9.13.0!
Thanks to the PulledPork team for PulledPork 0.7.3!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Columbia MD! Use promotional code earlybird for 10% off the ADVANCED class for a limited time. If you can't make it to an onsite class, we have a new online training platform. For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances! For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site! Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support? Please see:
https://securityonion.net/docs/Support

Thanks!

Tuesday, May 28, 2019

Security Onion Users Can Now Switch to Elastic Features

Many folks have asked if they could switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license. You can try it out starting today!

Instructions

First, please review the Elastic Features license:
https://github.com/elastic/elasticsearch/blob/6.7/licenses/ELASTIC-LICENSE.txt
Next, you should make sure that all updates have been installed:
sudo soup
If soup prompts to reboot, please do so.
Verify that everything is working properly before continuing.
Edit /etc/nsm/elasticdownload.conf using your favorite text editor and change DOCKERHUB from "securityonionsolutions" to "securityonionsolutionselas":
DOCKERHUB="securityonionsolutionselas"
Run soup again to download the new Docker images for Elastic Features:
sudo soup
Once soup has downloaded the new Docker images, it should restart your Docker containers.
Kibana should now have some new features on the left side.

Screenshots

Soup downloading new Docker images

Kibana now includes new features on left side

Q&A

Is Elastic Features open source?

No, it is not open source. It is licensed under the Elastic license:
https://github.com/elastic/elasticsearch/blob/6.7/licenses/ELASTIC-LICENSE.txt

What does this mean for Security Onion licensing?

Security Onion continues to be free and open source and will continue to default to the open source version of the Elastic Stack. If you choose to switch to Elastic Features (not open source), you may do so using the instructions above.

If I switch to Elastic Features, is this a trial license?

If you switch to Elastic Features, you can remain on the BASIC license for free forever or you can choose to upgrade to a paid subscription. For more information about Elastic Features subscription levels, please see:
https://www.elastic.co/subscriptions

How does authentication work?

Authentication works the same way it does in our existing Elastic open source images. Security Onion provides Single Sign On (SSO) using the same username and password for Sguil, Squert, and Kibana.

What about the recent Elastic announcement about security features?

Elastic recently announced that security features are included for free in the Elastic Features license starting in version 6.8.0. Since Security Onion still uses Elastic 6.7.2, those security features are not free in that version. We will begin the process of working towards Elastic 6.8.0.

Wednesday, May 22, 2019

Security Onion Documentation now available in Book Format!

Many folks have asked for a printed version of our official online documentation and we're excited to provide that! Whether you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.

Thanks to Richard Bejtlich for writing the inspiring foreword!

Proceeds go to the Rural Technology Fund!

This introductory price is good for a limited time only!

This book covers the following Security Onion topics:

Getting Started
Analyst Tools
Network Visibility
Host Visibility
Elastic Stack
Updating
Customizing for your Environment
Tuning
Tricks and Tips
Services
Utilities
Help
Integrations

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print. It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else! Finally, proceeds go to the Rural Technology Fund!

Who should get this book?

Security Onion users who work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!

How often will the book be updated?

Currently, we plan to release a new edition of the book every time we release a new version of our ISO image.

Where do we get it?

https://securityonion.net/book

Tuesday, May 21, 2019

Only 1 week left to register for 4-day Security Onion Basic Training class in beautiful Costa Mesa CA!

For more information and to register, please see:
https://securityonionsolutions.com/onsitetraining

Monday, May 20, 2019

securityonion-sostat - 20120722-0ubuntu0securityonion126 now available for Security Onion!

securityonion-sostat - 20120722-0ubuntu0securityonion126 is now available. This should resolve the following issue:

securityonion-sostat: re-apply debconf noninteractive setting so that soup can proceed unattended #1523
https://github.com/Security-Onion-Solutions/security-onion/issues/1523

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Costa Mesa CA and Columbia MD! Use promotional code earlybird for 10% off the Columbia MD classes for a limited time. If you can't make it to an onsite class, we have a new online training platform. For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances! For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site! Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support? Please see:
https://securityonion.net/docs/Support

Thanks!

securityonion-iso - 20151016-1ubuntu1securityonion32 now available for Security Onion!

securityonion-iso - 20151016-1ubuntu1securityonion32 is now available. This should resolve the following issue:

so-iso-build: purge php7.0-fpm #1463
https://github.com/Security-Onion-Solutions/security-onion/issues/1463

Thanks
Thanks to the following for testing!

Wes Lambert
Dustin Lee
Bryant Treacle

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Costa Mesa CA and Columbia MD! Use promotional code earlybird for 10% off the Columbia MD classes for a limited time. If you can't make it to an onsite class, we have a new online training platform. For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances! For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site! Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support? Please see:
https://securityonion.net/docs/Support

Thanks!

pinguybuilder - 20180514-1ubuntu1securityonion18 now available for Security Onion!

pinguybuilder - 20180514-1ubuntu1securityonion18 is now available. This should resolve the following issue:

pinguybuilder: increment version to 16.04.6.1 #1433
https://github.com/Security-Onion-Solutions/security-onion/issues/1433

Thanks
Thanks to the following for testing!

Wes Lambert
Dustin Lee
Bryant Treacle

Security Onion 16.04.6.1 now available featuring Elastic 6.7.2, CyberChef 8.31.3, Suricata 4.1.4, Wazuh 3.8.2, and more!

Security Onion 16.04.6.1 is now available!

Security Onion 16.04.6.1

Major Changes Since Last ISO Image

Elastic 6.7.2
CyberChef 8.31.3
Suricata 4.1.4
Wazuh 3.8.2
now includes a static copy of our new Documentation
now includes our Cheat Sheet PDF
so-import-pcap handles many more use cases and can now run Setup for you if necessary
new PCAP samples in /opt/samples/mta/
Setup now configures Bro and Suricata for AF_PACKET by default
fixed lots of bugs!

Thanks
Thanks to the following for testing this ISO image!

Wes Lambert
Dustin Lee
Bryant Treacle

Issues Resolved
For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/6

Release Notes
For more information about this release, please see:
https://securityonion.net/docs/release-notes.html

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:
https://securityonion.net/docs/installation.html

Existing Deployments
If you have existing 16.04 installations, there is no need to download the new ISO image. You can simply continue using our standard update process to install updated packages as they are made available:
https://securityonion.net/docs/Upgrade

If you have existing installations of Security Onion 14.04, you can upgrade from 14.04 to 16.04:
https://securityonion.net/docs/upgrading-from-14.04-to-16.04.html

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Training
We have 4-day Security Onion Training classes coming up in Costa Mesa CA and Columbia MD! Use promotional code earlybird for 10% off the Columbia MD classes for a limited time. If you can't make it to an onsite class, we have a new online training platform. For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances! For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site! Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support? Please see:
https://securityonion.net/docs/Support

Screenshot Tour