In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:
Today, we are dropping the Hybrid Hunter code name and are proud to release Security Onion 2.0 RC1! It has some amazing new features and improvements!
This is our first Release Candidate for 2.0, so we're getting closer to a final release, but we're not quite there yet. Please be reminded of the usual pre-release warnings and disclaimers:
- If this breaks your system, you get to keep both pieces!
- This is a work in progress and is in constant flux.
- This configuration may change drastically over time leading up to the final release.
- Do NOT run this on a system that you care about!
- Do NOT run this on a system that has data that you care about!
- This script should only be run on a TEST box with TEST data!
- Use of this script may result in nausea, vomiting, or a burning sensation.
We've started migrating our documentation to 2.0:
However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.
Once you've reviewed the documentation and are ready to download, you can find instructions here:
Questions or Problems
If you have questions or problems, please see:
Changes from Previous Beta Releases
After installing Security Onion 2.0, you'll notice many changes from previous beta releases. One of the first changes you'll notice is that account creation and authentication is much more streamlined now. This includes the initial OS account and the individual web interface accounts.
Another change is that so-import-pcap is back by popular demand! You can run through our installer choosing Eval or Standalone and then run "sudo so-import-pcap" and give it the full path to one or more pcap files. It will then provide a custom hyperlink to show you the resulting data in our new Hunt interface. Another utility that is back by popular demand is soup! Looking forward to RC2 and beyond, this should make it possible to perform in-place updates.
Finally, there are lots of little bug fixes and improvements and you can find more information in the detailed change list below!
- Re-branded 2.0 to give it a fresh look
- All documentation has moved to our docs site
- soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date.
- so-import-pcap is back! See the so-import-pcap docs here.
- Fixed issue with so-features-enable
- Users can now pivot to PCAP from Suricata alerts
- ISO install now prompts users to create an admin/sudo user instead of using a default account name
- The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
- Fixed issue with disk cleanup
- Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files
- Locked down access to certain SSL keys
- Suricata logs now compress after they roll over
- Users can now easily customize shard counts per index
- Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
- Elastic nodes are now “hot” by default, making it easier to add a warm node later
- so-allow now runs at the end of an install so users can enable access right away
- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
1-Low / 2-Medium / 3-High / 4-Critical
- Initial implementation of alerting queues:
- Low & Medium alerts are accessible through Kibana & Hunt
- High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
- ATT&CK Navigator is now a statically-hosted site in the nginx container
- All Sigma rules in the community repo (500+) are now imported and kept up to date
- Initial implementation of automated testing when a Play’s detection logic has been edited (i.e., Unit Testing)
- Updated UI Theme
- Once authenticated through SOC, users can now access Playbook with analyst permissions without login
- Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS
- Fixed issue with Wazuh authd registration service port not being correctly exposed
- Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
- Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)
- Added default YARA rules for Strelka – default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base
- Added the ability to use custom Zeek scripts
- Renamed “master server” to “manager node”
- Improved unification of Zeek and Strelka file data
so-import-pcap currently doesn't check for sudo. If you get any errors, try running with sudo.
Lots of love went into this release!
Special thanks to all our folks working so hard to make this release happen!
|ISO Boot Menu|
|OS account creation|
|Web account creation|
|Logging into Security Onion Console (SOC)|
|Security Onion Console (SOC)|
|Pivot to PCAP from Hunt or Kibana|
|SOC Sensor Management|
|Downloads page includes links to Winlogbeat and osquery packages|
|SOC User Management|