Friday, April 3, 2020

20200323 Edition of Security Onion Documentation printed book now available!

Many folks have asked for a printed version of our official online documentation and we're excited to provide that!  Whether you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries, this is what you've been asking for.

Thanks to Richard Bejtlich for writing the inspiring foreword!

Proceeds go to the Rural Technology Fund!

This 20200323 edition has been updated for our latest ISO image release and includes a 10% discount code for our online training!

This book covers the following Security Onion topics:

  • Getting Started
  • Analyst Tools
  • Network Visibility
  • Host Visibility
  • Elastic Stack
  • Updating
  • Customizing for your Environment
  • Tuning
  • Tricks and Tips
  • Services
  • Utilities
  • Help
  • Integrations

Q&A

What is the difference between this book and the online documentation?

This book is the online documentation formatted specifically for print.  It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else!  Proceeds go to the Rural Technology Fund!  Finally, the printed book includes a 10% discount code for our online training.

Who should get this book?

You should get this book if you work on airgapped networks or simply want a portable reference that doesn't require an Internet connection or batteries! It is also for anyone who wants to donate to a worthy cause like the Rural Technology Fund!

How often will the book be updated?

Currently, we plan to release a new edition of the book every time we release a new version of our ISO image.

What is the difference between this edition and the previous edition?

This edition has been updated for our latest ISO image release!

Where do we get it?

The following URL will always take you to the latest version of the printed book at Amazon:
https://securityonion.net/book

Monday, March 30, 2020

Security Onion 16.04.6.5 ISO image now available featuring Zeek 3.0.3, Suricata 4.1.7, Elastic 6.8.7, CyberChef 9.18.2, and more!

Our Security Onion 16.04.6.5 ISO image is now available!

Security Onion 16.04.6.5 boot menu

Major Changes Since Last ISO Image
Zeek 3.0.3
Suricata 4.1.7
Elastic 6.8.7
CyberChef 9.18.2

Thanks
Thanks to Bryant Treacle for testing this ISO image!

Package Updates
This release also includes the following updated packages:
securityonion-setup - 20120912-0ubuntu0securityonion327
securityonion-web-page - 20141015-0ubuntu0securityonion106
pinguybuilder - 20180514-1ubuntu1securityonion22
securityonion-iso - 20151016-1ubuntu1securityonion35

These packages resolve the following issues:

sosetup-minimal: remove old check for securityonion_ssh.conf #1731
https://github.com/Security-Onion-Solutions/security-onion/issues/1731

sosetup: new production deployments should default to LOGSTASH_MINIMAL #1732
https://github.com/Security-Onion-Solutions/security-onion/issues/1732

sosetup-minimal: improve service check #1738
https://github.com/Security-Onion-Solutions/security-onion/issues/1738

sosetup: set LOGSTASH_MINIMAL if running sosetup-minimal #1739
https://github.com/Security-Onion-Solutions/security-onion/issues/1739

cheat sheet: convert to two pages #1717
https://github.com/Security-Onion-Solutions/security-onion/issues/1717

Docs: add new cloud documentation #1733
https://github.com/Security-Onion-Solutions/security-onion/issues/1733

CyberChef 9.18.2 #1730
https://github.com/Security-Onion-Solutions/security-onion/issues/1730

securityonion-iso: latest chromium-browser packages #1721
https://github.com/Security-Onion-Solutions/security-onion/issues/1721

pinguybuilder: increment version to 16.04.6.5 #1736
https://github.com/Security-Onion-Solutions/security-onion/issues/1736

Production Mode Now Defaults to LOGSTASH_MINIMAL For New Deployments
Please note that the new version of Setup now defaults to LOGSTASH_MINIMAL for new Production Mode deployments.  LOGSTASH_MINIMAL means that Logstash transports unparsed logs to Elasticsearch where they are parsed using ingest node parsing, which results in better performance.  Here are a few examples:

  • If you choose Production Mode and New to create a master server, then Setup will set LOGSTASH_MINIMAL in /etc/nsm/securityonion.conf on your master server.
  • If you then add a storage node to that master server, it will inherit the LOGSTASH_MINIMAL setting from the master server.
  • If you have an existing deployment without LOGSTASH_MINIMAL (traditional Logstash parsing), then if you add new nodes they will continue using traditional Logstash parsing.
  • Evaluation Mode is unchanged and will continue to use traditional Logstash parsing.
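As an added example (not the Security Onion project's own code), the following POSIX shell script reports which parsing mode a node's securityonion.conf selects and flags a master/node mismatch of the kind described above. It assumes the setting is written as a shell-style assignment such as LOGSTASH_MINIMAL="yes", which the post does not spell out, and uses constructed sample files in place of /etc/nsm/securityonion.conf.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: report which Logstash parsing
# mode a node's /etc/nsm/securityonion.conf selects, and flag a master/node
# mismatch. Assumes the setting is written as a shell-style assignment,
# e.g. LOGSTASH_MINIMAL="yes" (an assumption, not taken from the post).

# Print "ingest-node" if LOGSTASH_MINIMAL is enabled, else "traditional".
logstash_mode() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Take the last uncommented assignment, as the shell would when sourcing.
    val=$(grep -E '^[[:space:]]*LOGSTASH_MINIMAL=' "$conf" | tail -n 1 |
          cut -d= -f2- | tr -d "\"' " | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|1) echo "ingest-node" ;;
        *)          echo "traditional" ;;
    esac
}

# Return 0 when a node uses the same parsing mode as its master, 1 otherwise.
modes_match() {
    [ "$(logstash_mode "$1")" = "$(logstash_mode "$2")" ]
}

# Constructed sample files standing in for /etc/nsm/securityonion.conf.
demo=$(mktemp -d)
printf 'LOGSTASH_MINIMAL="yes"\n' > "$demo/master.conf"
printf '# LOGSTASH_MINIMAL="yes"\n' > "$demo/legacy.conf"
printf 'LOGSTASH_MINIMAL=no\nLOGSTASH_MINIMAL="yes"\n' > "$demo/storage.conf"

for f in master legacy storage; do
    printf '%s: %s\n' "$f" "$(logstash_mode "$demo/$f.conf")"
done
modes_match "$demo/master.conf" "$demo/legacy.conf" ||
    echo "WARNING: legacy node would keep traditional Logstash parsing"
```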

Issues Resolved
For a list of all issues resolved in this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/projects/11

Release Notes
For more information about this release, please see:
https://securityonion.net/docs/release-notes.html

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:
https://securityonion.net/docs/installation.html

Existing Deployments
If you have existing 16.04 installations, there is no need to download the new ISO image.  You can simply continue using our standard update process to install updated packages as they are made available:
https://securityonion.net/docs/Upgrade

If you have existing installations of Security Onion 14.04, you can upgrade from 14.04 to 16.04:
https://securityonion.net/docs/upgrading-from-14.04-to-16.04.html

Documentation
You can find our documentation here:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Training
Security Onion Solutions is the only official authorized training provider for Security Onion:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://securityonionsolutions.com

Screenshot Tour
ISO boot menu

Once the Live Desktop appears, double-click the Install icon and follow the prompts

Once you've completed the installer and rebooted, login using the username and password you created in the installer

After logging in, you are prompted to run Setup

Welcome to Setup

Configure network interfaces

If your hostname is securityonion, Setup gives you the opportunity to rename it

Configure your network interfaces, reboot, then log back in

Launch Setup again and skip network configuration to go to service configuration

Production Mode now defaults to LOGSTASH_MINIMAL for better performance

If you choose New to create a master server, Setup will add LOGSTASH_MINIMAL to /etc/nsm/securityonion.conf

Create username

Create Password

Confirm Password

In most cases, we recommend choosing Best Practices

Choose your NIDS ruleset

Choose your NIDS engine

Choose to enable or disable network services

Set PF_RING min_num_slots

Verify sniffing interface

Set HOME_NET

Choose to store logs locally or add storage nodes

Allocate storage for Elasticsearch

Confirm all options

Setup complete

Desktop no longer prompts to run Setup and includes icons for analyst applications

The README shortcut includes links to the cheat sheet and online and offline documentation

CyberChef 9.18.2

Single Sign On (SSO) for Squert, CapMe, and Kibana

Analyze IDS alerts using Squert

Retrieve full packet capture with CapMe

Kibana Overview Dashboard

Help

Zeek Notices

ElastAlert

HIDS Alerts from OSSEC/Wazuh

NIDS Alerts from Snort or Suricata

Zeek Connections

Zeek Total Bytes

Zeek DCERPC

Zeek DHCP

Zeek DNP3

Zeek DNS

Zeek Files

Zeek FTP

Zeek HTTP

Zeek Intel

Zeek IRC

Zeek Kerberos

Zeek Modbus

Zeek MySQL

Zeek NTLM

Zeek PE

Zeek RADIUS

Zeek RDP

Zeek RFB

Zeek SIP

Zeek SMB

Zeek SMTP

Zeek SNMP

Zeek Software

Zeek SSH

Zeek SSL

Zeek Tunnels

Zeek Weird

Zeek X.509

OSSEC/Wazuh Logs

Syslog