Monday, August 26, 2019

Elastic 6.8.2, Wazuh 3.9.5, and updated packages for Setup, CapMe, and sostat are now available for Security Onion!

The following updates are now available for Security Onion!
  • Elastic 6.8.2 Docker images
  • Wazuh 3.9.5 (packaged as ossec-hids-server -
  • securityonion-capme - 20121213-0ubuntu0securityonion78
  • securityonion-elastic - 20190510-1ubuntu1securityonion65
  • securityonion-setup - 20120912-0ubuntu0securityonion312
  • securityonion-sostat - 20120722-0ubuntu0securityonion129

These updates resolve a whopping 85 issues!  You can see the full list of resolved issues at the end of this blog post, but here is a quick summary of the new features in this release.

Setup can now run interactively via CLI!  Setup started out as a GUI built using Zenity.  Many years ago, we added the ability to automate Setup using sosetup.conf and this helped folks who didn't want to run Setup via GUI.  When Mike Reeves began building Hybrid Hunter last year, he started a new Setup process from scratch using whiptail to allow interactive prompts via CLI.  We've now added whiptail support to our existing 16.04 Setup!

Interactive Setup via CLI

Running sosetup-minimal and choosing Evaluation Mode can run in only 4GB RAM!

sosetup-minimal Evaluation Mode

LOGSTASH_MINIMAL config moves parsing from Logstash to the Elasticsearch ingest node (NIDS alerts and Bro logs in JSON format), allowing Logstash to start faster and consume fewer resources!


so-import-pcap has been completely overhauled!
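The issue list further down describes two of the overhauled so-import-pcap behaviours: a lock file so that concurrent runs cannot configure the system or write to the pcap store at the same time, and a mergecap merge instead of an overwrite when a pcap of the same name is already in the store. The script below is an added example written for this post, not Security Onion's so-import-pcap; the function names, the store layout and the mkdir-based lock are assumptions chosen to illustrate those two behaviours in plain POSIX sh.

```shell
#!/bin/sh
# Added example, not Security Onion's own so-import-pcap. Models the
# lock-file and merge-on-collision behaviour described in the release notes.
# Function names, lock path and store layout are assumptions.

# Take a lock by atomically creating a directory. mkdir fails if the
# directory exists, so two importers cannot both believe they hold the lock.
so_lock() {
  lockdir="$1"
  if mkdir "$lockdir" 2>/dev/null; then
    return 0
  fi
  echo "another import holds $lockdir" >&2
  return 1
}

# Release the lock taken by so_lock.
so_unlock() {
  rmdir "$1" 2>/dev/null
}

# Place $src in $store. If a capture with the same file name already
# exists, merge old and new with mergecap rather than overwriting the
# earlier capture; otherwise copy it in. Prints which branch ran.
so_store_pcap() {
  src="$1"; store="$2"
  dest="$store/$(basename "$src")"
  if [ -e "$dest" ]; then
    tmp="$dest.merge.$$"
    mergecap -w "$tmp" "$dest" "$src" || return 1
    mv "$tmp" "$dest"
    echo merged
  else
    cp "$src" "$dest"
    echo copied
  fi
}

# Whole import step: lock, store, unlock, and propagate the store result.
so_import_pcap() {
  src="$1"; store="$2"; lockdir="$store/.import.lock"
  so_lock "$lockdir" || return 1
  so_store_pcap "$src" "$store"; rc=$?
  so_unlock "$lockdir"
  return $rc
}
```

A production script would also install a `trap` so the lock directory is removed if the import is interrupted; here the lock is released only on the normal path, which is enough to show why a second instance refuses to run while the first holds it.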

Lots of bug fixes and performance improvements!

If you would like to switch from open source Elastic to Elastic Features, then you can run the new so-elastic-features and it will walk you through that process!


If you would like to enable native Elastic authentication, you can run the new so-elastic-auth!  This will automatically run so-elastic-features as shown above and then enable Elastic authentication which includes Role Based Access Control (RBAC)!

Kibana auth
so-elastic-auth enumerates your existing Sguil/Squert user accounts and automatically generates corresponding Elastic accounts with minimal privileges.
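To make the "minimal privileges" point concrete, here is an added example (written for this post, not the so-elastic-auth script itself) that walks a constructed list of analyst usernames and derives one read-only Elastic role plus one account per user. The role name, the `logstash-*` index pattern, the local Elasticsearch URL and the dry-run output format are assumptions; the `_security/role` and `_security/user` endpoints are the real Elasticsearch security API that such accounts would be created through.

```shell
#!/bin/sh
# Added example, not Security Onion's so-elastic-auth. Derives least-privilege
# Elastic accounts from an existing analyst user list. Role name, index
# pattern, ES_URL and the dry-run format are assumptions.

# Constructed sample of Sguil/Squert usernames, one per line. On a sensor
# this list would be read from the Sguil user database, not a literal.
SO_USERS='alice
bob
carol'

SO_ANALYST_ROLE='so_analyst_readonly'
SO_INDEX_PATTERN='logstash-*'    # assumption: the sensor's log indices

# Role body for the Elasticsearch security API: read-only on the log
# indices and no cluster privileges, so an analyst login cannot alter
# mappings, delete indices or manage other users.
so_analyst_role_json() {
  printf '{"cluster":[],"indices":[{"names":["%s"],"privileges":["read","view_index_metadata"]}]}\n' \
    "$SO_INDEX_PATTERN"
}

# 20-character alphanumeric password drawn from the kernel RNG.
so_random_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20
}

# User body: the account carries exactly one role and a generated password.
# $1 = username, $2 = password
so_user_json() {
  printf '{"password":"%s","roles":["%s"],"full_name":"%s"}\n' \
    "$2" "$SO_ANALYST_ROLE" "$1"
}

# Dry run: print the PUT requests that would create the role and each
# account. Nothing is sent; a real run would hand each body to curl.
so_elastic_auth_dry_run() {
  ES_URL="${ES_URL:-http://localhost:9200}"
  echo "PUT $ES_URL/_security/role/$SO_ANALYST_ROLE $(so_analyst_role_json)"
  echo "$SO_USERS" | while read -r user; do
    [ -n "$user" ] || continue
    pw=$(so_random_password)
    echo "PUT $ES_URL/_security/user/$user $(so_user_json "$user" "$pw")"
  done
}
```

The dry run prints the generated passwords so the output can be inspected; a script that actually provisions accounts would pass each body straight to the HTTP client and hand the password to the user out of band rather than echoing it to a terminal or log.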


Thanks to the Elastic team for Elastic 6.8.2!
Thanks to the Wazuh team for Wazuh 3.9.5!
Thanks to the following for testing and QA!
  • Wes Lambert
  • Josh Brower
  • Dustin Lee

Please see the following page for full update instructions:

Registration is now open for Security Onion Conference 2019 on Friday, October 4, 2019!

Security Onion Solutions is the only official authorized training provider for Security Onion and we have 4-day Security Onion Training classes coming up in Columbia MD and Augusta GA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:

We now offer hardware appliances!  For more information, please see:

Need support?  Please see:

Documentation Updates

Issues Resolved

Setup: interactive setup via command line

securityonion-elastic: change Beats user_data field to dynamic mapping

ElastAlert dashboard filter

Wazuh 3.9.5

securityonion-elastic: update Logstash config to support Wazuh 3.9 agent

securityonion-elastic: simplify Firewall Action/Reason viz to just Action

Logstash crashes due to logstash-filter-tld

securityonion-elastic: so-logstash-start should map /var/log/nsm/securityonion/

securityonion-elastic: Bro Logstash config - change body_len to body_length

securityonion-elastic: Add evaluation for multiple IPs in file_ip or destination_ip in Bro files.log

securityonion-elastic: add image_timestamp to autoruns pattern

securityonion-elastic: improve selection of closed indices in so-curator-closed-delete-delete

so-import-pcap: improve Logstash initialization check

so-import-pcap: improve handling of single pcap without full path

securityonion-elastic: Update OSSEC Dashboard

securityonion-elastic: DHCP dashboard should show hostname field

securityonion-elastic: copy so-ossec-verb scripts to so-wazuh-verb

securityonion-elastic: add note to Help dashboard that Wazuh has replaced OSSEC

securityonion-elastic: decrease logstash pipeline.workers depending on config

securityonion-elastic: improve Kibana check before importing dashboards and config

so-import-pcap: if pcap already exists in pcap store, then use mergecap to avoid overwriting

so-import-pcap: create lock file to prevent multiple instances from trying to configure the system at the same time

securityonion-setup: default PCAP_OPTIONS in sosetup-forward.conf to no options

securityonion-elastic: add so-redis-count

securityonion-elastic: improve status scripts

so-import-pcap: split configuration out into separate script

so-import-pcap: create lock file to prevent multiple instances from writing to pcap store at same time

so-import-pcap: create lock file to prevent multiple instances from writing IDS alerts at same time

securityonion-elastic: so-elasticsearch-start should map /etc/elasticsearch

securityonion-elastic: add login and logout to apache reverse proxy

securityonion-elastic: so-elasticsearch-start needs to set ownership on /etc/elasticsearch/

securityonion-elastic: change ownership and perms of kibana.yml

securityonion-elastic: support elastic auth in so-component-verb scripts

sostat: support elastic auth

securityonion-elastic: create so-elastic-auth

securityonion-elastic: create so-elastic-features

securityonion-elastic: copy so-bro-verb scripts to so-zeek-verb

securityonion-elastic: so-test-configure-bro no longer needs to configure for smb

securityonion-setup: support elastic auth

CapMe: support Elastic auth

securityonion-elastic: create so-elasticsearch-query

securityonion-setup: if re-running setup, delete any existing elastic auth config

securityonion-elastic: update so-user-* to support elastic auth

Elastic 6.8.2

Setup: sosetup-network should check for hostname of securityonion and recommend changing

securityonion-elastic: create new LOGSTASH_MINIMAL config

securityonion-setup: create new sosetup-minimal script

securityonion-elastic: create so-rule-update as a wrapper to rule-update

securityonion-elastic: don't overwrite conf.d.redis.output files

securityonion-elastic: support elastic auth in ElastAlert

securityonion-elastic: fix typo in 6501_ossec_sysmon.conf

securityonion-elastic: support elastic auth in curator

securityonion-elastic: upgrades need to preserve auth settings in elasticsearch.yml and kibana.yml

Wazuh: create agent-template.conf

securityonion-elastic: update logstash jvm.options

securityonion-elastic: update so-elasticsearch-node-list and so-elasticsearch-node-remove

securityonion-elastic: elasticsearch ingest node parsing should create bro_conn total_bytes

securityonion-elastic: elasticsearch ingest geoip should output all fields

securityonion-elastic: update elasticsearch ingest parser for bro_ntlm

securityonion-elastic: update elasticsearch ingest parser for bro_ssh

securityonion-elastic: elasticsearch ingest node parsing should populate connection_state_description

so-import-pcap: improve geoip for NIDS alerts

so-import-pcap: parse NIDS rule category

so-import-pcap: set NIDS severity field

securityonion-elastic: move common ingest node config into common file

securityonion-elastic: ingest node parser for ossec/wazuh

securityonion-elastic: resize DHCP hostname viz to avoid scrollbars

securityonion-elastic: LOGSTASH_MINIMAL should support standard syslog

securityonion-elastic: update Help dashboard

securityonion-elastic: LOGSTASH_MINIMAL should parse NIDS logs via ingest

so-import-pcap: fix sguild_nids parsing for ICMP alerts

so-import-pcap: sguild_nids should translate protocol field

securityonion-elastic: common_nids should set rule_type

securityonion-elastic: common_nids should set signature_info

so-import-pcap: sguild_nids dissect should drop on failure

securityonion-elastic: snort ingest drop on failure

so-import-pcap: sguild_nids should drop null values in source_ip, destination_ip, and protocol

securityonion-elastic: change DHCP dashboard button from Refresh to Update

securityonion-elastic: adjust DHCP Logs panel to avoid scrollbars

securityonion-elastic: create bro_common_ssl to parse cert fields for bro ssl and x509 logs

securityonion-elastic: add length fields to bro_http ingest

securityonion-elastic: add query_length field to bro_dns ingest

securityonion-elastic: improve LOGSTASH_MINIMAL config file check in so-logstash-start

so-import-pcap-configure: improve heap adjustment

securityonion-setup: improve heap adjustment in sosetup-minimal
