Elastic 6.8.2 Docker images
Wazuh 3.9.5 (packaged as ossec-hids-server - 3.9.5.1-ubuntu1securityonion1)
securityonion-capme - 20121213-0ubuntu0securityonion78
securityonion-elastic - 20190510-1ubuntu1securityonion65
securityonion-setup - 20120912-0ubuntu0securityonion312
securityonion-sostat - 20120722-0ubuntu0securityonion129
These updates resolve a whopping 85 issues! You can see the full list of resolved issues at the end of this blog post, but here is a quick summary of the new features in this release.
Setup can now run interactively via CLI! Setup started out as a GUI built using Zenity. Many years ago, we added the ability to automate Setup using sosetup.conf and this helped folks who didn't want to run Setup via GUI. When Mike Reeves began building Hybrid Hunter last year, he started a new Setup process from scratch using whiptail to allow interactive prompts via CLI. We've now added whiptail support to our existing 16.04 Setup!
Interactive Setup via CLI |
Running sosetup-minimal and choosing Evaluation Mode can run in only 4GB RAM!
sosetup-minimal Evaluation Mode |
LOGSTASH_MINIMAL config moves parsing from Logstash to Elasticsearch ingest node (NIDS alerts and Bro logs in JSON format) allowing Logstash to start faster and consume less resources!
LOGSTASH_MINIMAL config |
so-import-pcap has been completely overhauled!
Lots of bug fixes and performance improvements!
If you would like to switch from open source Elastic to Elastic Features, then you can run the new so-elastic-features and it will walk you through that process!
so-elastic-features |
If you would like to enable native Elastic authentication, you can run the new so-elastic-auth! This will automatically run so-elastic-features as shown above and then enable Elastic authentication which includes Role Based Access Control (RBAC)!
so-elastic-auth |
Kibana auth |
so-elastic-auth enumerates your existing Sguil/Squert user accounts and automatically generates corresponding Elastic accounts with minimal privileges |
Thanks
Thanks to the Elastic team for Elastic 6.8.2!
Thanks to the Wazuh team for Wazuh 3.9.5!
Thanks to the following for testing and QA!
- Wes Lambert
- Josh Brower
- Dustin Lee
Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade
Conference
Registration is now open for Security Onion Conference 2019 on Friday, October 4, 2019!
https://socaugusta2019.eventbrite.com/
Training
Security Onion Solutions is the only official authorized training provider for Security Onion and we have 4-day Security Onion Training classes coming up in Columbia MD and Augusta GA! If you can't make it to an onsite class, we have a new online training platform. For more information and other training options, please see:
https://securityonionsolutions.com
Appliances
We now offer hardware appliances! For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html
Support
Need support? Please see:
https://securityonion.net/docs/Support
Documentation Updates
https://securityonion.readthedocs.io/en/latest/use-cases.html#minimal-evaluation
https://securityonion.readthedocs.io/en/latest/elastic-features.html
https://securityonion.readthedocs.io/en/latest/elastic-auth.html
https://securityonion.readthedocs.io/en/latest/accounts.html
https://securityonion.readthedocs.io/en/latest/passwords.html
https://securityonion.readthedocs.io/en/latest/adding-accounts.html
https://securityonion.readthedocs.io/en/latest/listing-accounts.html
https://securityonion.readthedocs.io/en/latest/disabling-accounts.html
https://securityonion.readthedocs.io/en/latest/so-elasticsearch-query.html
https://securityonion.readthedocs.io/en/latest/logstash.html#logstash-minimal
https://securityonion.readthedocs.io/en/latest/quick-iso-image.html
https://securityonion.readthedocs.io/en/latest/installing-on-ubuntu.html
https://securityonion.readthedocs.io/en/latest/production-deployment.html
https://securityonion.readthedocs.io/en/latest/cheat-sheet.html
Issues Resolved
Setup: interactive setup via command line
securityonion-elastic: change Beats user_data field to dynamic mapping
ElastAlert dashboard filter
Wazuh 3.9.5
securityonion-elastic: update Logstash config to support Wazuh 3.9 agent
securityonion-elastic: simplify Firewall Action/Reason viz to just Action
Logstash crashes due to logstash-filter-tld
securityonion-elastic: so-logstash-start should map /var/log/nsm/securityonion/
securityonion-elastic: Bro Logstash config - change body_len to body_length
securityonion-elastic: Add evaluation for multiple IPs in file_ip or destination_ip in Bro files.log
securityonion-elastic: add image_timestamp to autoruns pattern
securityonion-elastic: improve selection of closed indices in so-curator-closed-delete-delete
so-import-pcap: improve Logstash initialization check
so-import-pcap: improve handling of single pcap without full path
securityonion-elastic: Update OSSEC Dashboard
securityonion-elastic: DHCP dashboard should show hostname field
securityonion-elastic: copy so-ossec-verb scripts to so-wazuh-verb
securityonion-elastic: add note to Help dashboard that Wazuh has replaced OSSEC
securityonion-elastic: decrease logstash pipeline.workers depending on config
securityonion-elastic: improve Kibana check before importing dashboards and config
so-import-pcap: if pcap already exists in pcap store, then use mergecap to avoid overwriting
so-import-pcap: create lock file to prevent multiple instances from trying to configure the system at the same time
securityonion-setup: default PCAP_OPTIONS in sosetup-forward.conf to no options
securityonion-elastic: add so-redis-count
securityonion-elastic: improve status scripts
so-import-pcap: split configuration out into separate script
so-import-pcap: create lock file to prevent multiple instances from writing to pcap store at same time
so-import-pcap: create lock file to prevent multiple instances from writing IDS alerts at same time
securityonion-elastic: so-elasticsearch-start should map /etc/elasticsearch
securityonion-elastic: add login and logout to apache reverse proxy
securityonion-elastic: so-elasticsearch-start needs to set ownership on /etc/elasticsearch/
securityonion-elastic: change ownership and perms of kibana.yml
securityonion-elastic: support elastic auth in so-component-verb scripts
sostat: support elastic auth
securityonion-elastic: create so-elastic-auth
securityonion-elastic: create so-elastic-features
securityonion-elastic: copy so-bro-verb scripts to so-zeek-verb
securityonion-elastic: so-test-configure-bro no longer needs to configure for smb
securityonion-setup: support elastic auth
CapMe: support Elastic auth
securityonion-elastic: create so-elasticsearch-query
securityonion-setup: if re-running setup, delete any existing elastic auth config
securityonion-elastic: update so-user-* to support elastic auth
Elastic 6.8.2
Setup: sosetup-network should check for hostname of securityonion and recommend changing
securityonion-elastic: create new LOGSTASH_MINIMAL config
securityonion-setup: create new sosetup-minimal script
securityonion-elastic: create so-rule-update as a wrapper to rule-update
securityonion-elastic: don't overwrite conf.d.redis.output files
securityonion-elastic: support elastic auth in ElastAlert
securityonion-elastic: fix typo in 6501_ossec_sysmon.conf
securityonion-elastic: support elastic auth in curator
securityonion-elastic: upgrades need to preserve auth settings in elasticsearch.yml and kibana.yml
Wazuh: create agent-template.conf
securityonion-elastic: update logstash jvm.options
securityonion-elastic: update so-elasticsearch-node-list and so-elasticsearch-node-remove
securityonion-elastic: elasticsearch ingest node parsing should create bro_conn total_bytes
securityonion-elastic: elasticsearch ingest geoip should output all fields
securityonion-elastic: update elasticsearch ingest parser for bro_ntlm
securityonion-elastic: update elasticsearch ingest parser for bro_ssh
securityonion-elastic: elasticsearch ingest node parsing should populate connection_state_description
so-import-pcap: improve geoip for NIDS alerts
so-import-pcap: parse NIDS rule category
so-import-pcap: set NIDS severity field
securityonion-elastic: move common ingest node config into common file
securityonion-elastic: ingest node parser for ossec/wazuh
securityonion-elastic: resize DHCP hostname viz to avoid scrollbars
securityonion-elastic: LOGSTASH_MINIMAL should support standard syslog
securityonion-elastic: update Help dashboard
securityonion-elastic: LOGSTASH_MINIMAL should parse NIDS logs via ingest
so-import-pcap: fix sguild_nids parsing for ICMP alerts
so-import-pcap: sguild_nids should translate protocol field
securityonion-elastic: common_nids should set rule_type
securityonion-elastic: common_nids should set signature_info
so-import-pcap: sguild_nids dissect should drop on failure
securityonion-elastic: snort ingest drop on failure
so-import-pcap: sguild_nids should drop null values in source_ip, destination_ip, and protocol
securityonion-elastic: change DHCP dashboard button from Refresh to Update
securityonion-elastic: adjust DHCP Logs panel to avoid scrollbars
securityonion-elastic: create bro_common_ssl to parse cert fields for bro ssl and x509 logs
securityonion-elastic: add length fields to bro_http ingest
securityonion-elastic: add query_length field to bro_dns ingest
securityonion-elastic: improve LOGSTASH_MINIMAL config file check in so-logstash-start
so-import-pcap-configure: improve heap adjustment
securityonion-setup: improve heap adjustment in sosetup-minimal
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.