Thursday, July 30, 2020

Security Onion 2.0.3 RC1 Available for Testing!

We recently released Security Onion 2.0 RC1 versions 2.0.0, 2.0.1, and 2.0.2:

Elastic and Zeek had recent security updates and so we've built a new 2.0.3 release that includes these security updates:

Zeek 3.0.8 #1114

Elastic 7.8.1 #1105

This release also includes LVM partitioning in our ISO image!

Please note that this is still considered part of the Release Candidate 1 phase.

Thanks
Thanks to Elastic for Elastic 7.8.1!
Thanks to Zeek for Zeek 3.0.8!
Thanks to Mike Reeves and Jason Ertel for getting this security update published so quickly!

Existing Installations
If you have an existing 2.0 RC1 installation, please see the soup page on our documentation site:

New Installations
If you download our ISO image, you'll get the new 2.0.3 ISO image that already contains these fixes. If you install a standard CentOS7 or Ubuntu 18.04 ISO and then perform a network installation, you'll get the latest code that contains the fixes.

For more information, please see the download page on our documentation site:

Feedback
If you have questions or problems, please reach out to our community:

Thanks!

Zeek 3.0.8 now available for Security Onion 16.04!

Zeek 3.0.8 was recently released and is a security update:

The following updates are now available for Security Onion 16.04!

securityonion-bro - 3.0.8-1ubuntu1securityonion1 (Zeek 3.0.8)
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion25
securityonion-bro-scripts - 20121004-0ubuntu0securityonion108

These updates should resolve the following issue:

Zeek 3.0.8 #1779

Thanks
Thanks to the Zeek team for Zeek 3.0.8!
Thanks to Chris Morgret for testing and QA!

Updating
Please see the following page for full update instructions:

Support
Need support?  Please see:

Documentation
You can find our documentation here:

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:

Training
Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:

Appliances
We now offer hardware appliances!  For more information, please see:

Thanks!

Wednesday, July 29, 2020

Elastic Stack 6.8.11 now available for Security Onion 16.04!

Elastic Stack 6.8.11 was recently released and is a security update:

The following updates are now available for Security Onion 16.04!

Elastic 6.8.11 Docker images
securityonion-elastic - 20190510-1ubuntu1securityonion95

These updates should resolve the following issues:

Elastic 6.8.11 #1778

Add ignore_failure to geoip processor calls #1776

Thanks
Thanks to the Elastic team for Elastic 6.8.11!
Thanks to Chris Morgret for testing and QA!

Updating
Please see the following page for full update instructions:
Thanks!

Friday, July 24, 2020

Security Onion 2.0.2 RC1 Available for Testing!

We recently released Security Onion 2.0 RC1 and 2.0.1:

2.0.1 introduced a sensoroni regression for some deployment types:

We've fixed the regression and are releasing 2.0.2.

Thanks to Mike Reeves and Jason Ertel for getting this regression resolved so quickly!

Existing Installations
If you have an existing 2.0 RC1 installation, please see the soup page on our documentation site:

New Installations
If you download our ISO image, you'll get the new 2.0.2 ISO image that already contains these fixes. If you install a standard CentOS7 or Ubuntu 18.04 ISO and then perform a network installation, you'll get the latest code that contains the fixes.

For more information, please see the download page on our documentation site:

Feedback
If you have questions or problems, please reach out to our community:

Thanks!

Thursday, July 23, 2020

Security Update for Security Onion 2.0 RC1

We recently released Security Onion 2.0 RC1:

Some community members quickly reported some issues (including 2 security issues) and we've released fixes:

Security Fix 1067: variables.txt from ISO install stays on disk for 10 days

Security Fix 1068: Remove user values from static.sls

Issue 1059: Fix distributed deployment sensor interval issue allowing PCAP

Issue 1058: Support for passwords that start with special characters

Thanks to Max Diorio and Reddit user TungstenCLXI for reporting these issues!

UPDATE 2020/07/23 4:53 PM
Looks like the sensor interval fix for distributed deployments introduced a regression for other installation types. We're working on this issue now:
https://github.com/Security-Onion-Solutions/securityonion/issues/1089

UPDATE 2020/07/24 12:14 PM
We've fixed the regression in 2.0.2:
https://blog.securityonion.net/2020/07/security-onion-202-rc1-available-for.html

Existing Installations
If you have an existing 2.0 RC1 installation, you'll want to run "sudo soup" as soon as possible. soup will then update itself and ask you to run soup again. On the second run, soup will update salt and your Docker images. Salt will then remove variables.txt and update static.sls.

Please note that Docker images may still show 2.0.0 (instead of 2.0.1) as they have simply been re-tagged.

For more information, please see the soup page on our documentation site:

New Installations
If you're doing a new installation and you download our ISO image, you'll get the new 2.0.1 ISO image that already contains these fixes.

Otherwise, if you install a standard CentOS7 or Ubuntu 18.04 ISO and then perform a network installation, you'll get the latest code that contains the fixes.

For more information, please see the download page on our documentation site:

Feedback
If you have questions or problems, please reach out to our community:

Thanks!

Wednesday, July 22, 2020

Security Onion Documentation Changes

As we continue to transition from the traditional Security Onion 16.04 to the new Security Onion 2.0 (currently in Release Candidate phase), we've recently made some changes to our documentation hosted by the fine folks at ReadTheDocs:
When you're viewing the documentation at https://docs.securityonion.net, it will default to the traditional 16.04 version. If you want to switch to the new 2.0 documentation, you can do so in the lower left corner:

Please keep in mind that the 2.0 documentation is a work in progress and some pages may be incomplete or incorrect.  Please let us know if you see any issues.  Thanks!

Tuesday, July 21, 2020

Security Onion 2.0 Release Candidate 1 (RC1) Available for Testing!

In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:

Today, we are dropping the Hybrid Hunter code name and are proud to release Security Onion 2.0 RC1! It has some amazing new features and improvements!

Release Candidate
This is our first Release Candidate for 2.0, so we're getting closer to a final release, but we're not quite there yet. Please be reminded of the usual pre-release warnings and disclaimers:
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This configuration may change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This script should only be run on a TEST box with TEST data!
  • Use of this script may result in nausea, vomiting, or a burning sensation.

Documentation
We've started migrating our documentation to 2.0:
However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Download
Once you've reviewed the documentation and are ready to download, you can find instructions here:

Changes from Previous Beta Releases
After installing Security Onion 2.0, you'll notice many changes from previous beta releases. One of the first changes you'll notice is that account creation and authentication are much more streamlined now. This includes the initial OS account and the individual web interface accounts.

Another change is that so-import-pcap is back by popular demand! You can run through our installer choosing Eval or Standalone and then run "sudo so-import-pcap" and give it the full path to one or more pcap files. It will then provide a custom hyperlink to show you the resulting data in our new Hunt interface. Another utility that is back by popular demand is soup! Looking forward to RC2 and beyond, this should make it possible to perform in-place updates.

Finally, there are lots of little bug fixes and improvements and you can find more information in the detailed change list below!
  • Re-branded 2.0 to give it a fresh look
  • All documentation has moved to our docs site
  • soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date.
  • so-import-pcap is back! See the so-import-pcap docs here.
  • Fixed issue with so-features-enable
  • Users can now pivot to PCAP from Suricata alerts
  • ISO install now prompts users to create an admin/sudo user instead of using a default account name
  • The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
  • Fixed issue with disk cleanup
  • Changed the default permissions for /opt/so to keep non-privileged users from accessing salt and related files
  • Locked down access to certain SSL keys
  • Suricata logs now compress after they roll over
  • Users can now easily customize shard counts per index
  • Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
  • Elastic nodes are now “hot” by default, making it easier to add a warm node later
  • so-allow now runs at the end of an install so users can enable access right away
  • Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
    1-Low / 2-Medium / 3-High / 4-Critical
  • Initial implementation of alerting queues:
    • Low & Medium alerts are accessible through Kibana & Hunt
    • High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
  • ATT&CK Navigator is now a statically-hosted site in the nginx container
  • Playbook
    • All Sigma rules in the community repo (500+) are now imported and kept up to date
    • Initial implementation of automated testing when a Play’s detection logic has been edited (i.e., Unit Testing)
    • Updated UI Theme
    • Once authenticated through SOC, users can now access Playbook with analyst permissions without login
  • Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS
  • Fixed issue with Wazuh authd registration service port not being correctly exposed
  • Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
  • Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)
  • Added default YARA rules for Strelka – default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base
  • Added the ability to use custom Zeek scripts
  • Renamed “master server” to “manager node”
  • Improved unification of Zeek and Strelka file data
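The severity standardization and alerting queues listed above, as an added example that is not Security Onion's own code: it rates Suricata, Wazuh and Playbook (Sigma) alerts onto the 1-4 event.severity scale and routes them to the queues the notes describe. The per-source thresholds, the event.module values and the sample alert shape are assumptions made for this example.

```python
# Added example, not Security Onion's own code: map alert severities from
# Wazuh, Suricata and Playbook (Sigma) onto the 1-4 event.severity scale
# from the release notes, then route by the alerting queues named there
# (Low/Medium: Kibana and Hunt; High/Critical: also TheHive).
# The per-source thresholds are this example's assumptions, not the project's.
from typing import Dict, List

SIGMA_LEVELS = {"informational": 1, "low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_severity(alert: Dict) -> int:
    """Return event.severity (1=Low .. 4=Critical) based on the alert's source.

    Assumed inputs: Suricata 'alert.severity' (1 is the most severe),
    Wazuh 'rule.level' 0-15, and a Sigma 'level' string on Playbook alerts.
    """
    module = alert.get("event", {}).get("module")
    if module == "suricata":
        sev = int(alert.get("alert", {}).get("severity", 3))
        return {1: 3, 2: 2}.get(sev, 1)  # Suricata's scale runs the other way
    if module == "wazuh":
        level = int(alert.get("rule", {}).get("level", 0))
        return 4 if level >= 12 else 3 if level >= 8 else 2 if level >= 4 else 1
    if module == "playbook":
        return SIGMA_LEVELS.get(str(alert.get("level", "")).lower(), 1)
    return 1  # unknown source: rate it Low rather than drop it


def route(alert: Dict) -> List[str]:
    """Stamp event.severity on the alert and return the queues it goes to."""
    sev = normalize_severity(alert)
    alert.setdefault("event", {})["severity"] = sev
    queues = ["kibana", "hunt"]
    if sev >= 3:  # High and Critical are also sent to TheHive
        queues.append("thehive")
    return queues


def process(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Route every alert; returns alert id -> queue list."""
    return {a["id"]: route(a) for a in alerts}


# Constructed sample alerts, one per source, in a simplified ECS-like shape.
SAMPLE_ALERTS = [
    {"id": "sur-1", "event": {"module": "suricata"}, "alert": {"severity": 1}},
    {"id": "waz-1", "event": {"module": "wazuh"}, "rule": {"level": 5}},
    {"id": "pb-1", "event": {"module": "playbook"}, "level": "critical"},
    {"id": "unk-1", "event": {"module": "zeek"}},
]
```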

Known Issues

so-import-pcap currently doesn't check for sudo. If you get any errors, try running with sudo.

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

Josh Brower
Jason Ertel
Wes Lambert
Josh Patterson
Mike Reeves
Bryant Treacle
William Wernert

Screenshot Tour
ISO Boot Menu

OS account creation

Web account creation

Logging into Security Onion Console (SOC)

Security Onion Console (SOC)

Hunt

Pivot to PCAP from Hunt or Kibana

SOC Sensor Management

Downloads page includes links to Winlogbeat and osquery packages

SOC User Management

Kibana

Grafana

CyberChef

Playbook

Fleet

TheHive

ATT&CK Navigator

Wednesday, July 1, 2020

Security Onion Hybrid Hunter 1.4.1 Available for Testing!

Several folks who tried Security Onion Hybrid Hunter 1.4.0 Beta 3 experienced hostname issues, so we've added some fixes and released a new 1.4.1 version.

To read more and download Hybrid Hunter, please see:

If you have any questions about Hybrid Hunter, please post a message on our reddit community and prefix the title with [Hybrid Hunter]!