In 2018, Security Onion Solutions started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html
After 4 Technology Preview releases, 4 Alpha releases, and 3 Beta releases, we dropped the Hybrid Hunter code name and announced 2.0 (RC1), 2.1 (RC2), and 2.2 (RC3). This has been our most ambitious project to date, taking over 34 months and resulting in a whopping 5,034 git commits. Today, we are proud to announce that Security Onion 2.3 has reached General Availability (GA)!
Changes from Security Onion 16.04
Here are some of the major differences of the new Security Onion 2.3 compared to Security Onion 16.04:
- Features a new web interface called Security Onion Console (SOC) that includes native alert management, threat hunting, and pcap retrieval
- Adds TheHive, Strelka, support for Sigma rules, Grafana/InfluxDB (independent health monitoring/alerting), Fleet (osquery management), and Playbook (detection playbook tool).
- Moves from Ubuntu packages to containers
- Supports both CentOS 7 and Ubuntu 18.04
- Changes pcap collection tool from netsniff-ng to Google Stenographer
- Upgrade to Elastic Stack 7.x and support the Elastic Common Schema (ECS)
- Completely replaces unsigned kernel module PF_RING with AF_PACKET
- Suricata completely replaces Snort. (We may elect to add Snort back after Snort 3.0 is officially released.)
- Removes Sguil, Squert, capME, and PHP
- Storage Nodes are now known as Search Nodes
- The first node in a distributed deployment is now called a Manager
Changes from Security Onion 2.2 RC3
If you tried out Security Onion 2.2 RC3, you will notice some changes in this release.
This release features a brand new web interface for alerts. This includes NIDS alerts from Suricata, HIDS alerts from Wazuh, Playbook alerts, and YARA matches from Strelka. This interface is specifically designed to help you triage alerts as quickly as possible. Slice and dice your alerts with multiple views and then pivot to full packet capture or our Hunt interface to investigate IP addresses or other items of interest. Once you've made a determination about an alert, you can either acknowledge it or escalate it to TheHive to create a case.
Next, we've continued to iterate on Hunt, improving its default queries and default pivot actions. Hunt now supports more customization as well.
Finally, we've continued to improve support for airgap deployments. Airgap deployments now include a local copy of the documentation. Also, airgap deployments now support updates using the latest ISO image.
Documentation
We've started migrating our documentation to 2.3:
https://docs.securityonion.net/en/2.3/
However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.
Security Onion 16.04 EOL
Ubuntu 16.04 reaches EOL in April 2021 and so therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then.
Upgrading from Security Onion 16.04
If you're currently running Security Onion 16.04, please see the following for upgrade options:
https://docs.securityonion.net/en/2.3/appendix.html
Existing Installations
If you have an existing 2.x (RC1, RC2, or RC3) installation, please see the in-place upgrade notes here:
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues
New Installations
If you want to do a new installation, please review the 2.3 documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.3/download.html
Questions or Problems
If you have questions or problems, please see our new community support forum:
https://docs.securityonion.net/en/2.3/community-support.html
Known Issues
https://docs.securityonion.net/en/2.3/release-notes.html#known-issues
Changes from Previous Releases
https://docs.securityonion.net/en/2.3/release-notes.html#changes
Thanks
Lots of love went into this release!
Special thanks to all our folks working so hard to make this release happen!
- Josh Brower
- Jason Ertel
- Wes Lambert
- Josh Patterson
- Mike Reeves
- Bryant Treacle
- William Wernert
Screenshot Tour
If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!
|
ISO Boot Menu
|
|
ISO Installer
|
|
ISO Install Complete
|
|
Welcome to Setup |
|
Choose the Setup type |
|
Set hostname
|
|
Select management NIC
|
|
Configure management NIC
|
|
Configure networking
|
|
Configure networking |
|
Configure networking |
|
Configure networking |
|
Configure networking |
|
Configure HOME_NET
|
|
Create user account
|
|
Set password
|
|
Confirm password
|
|
Choose how you want to access the web interface
|
|
Optionally run so-allow
|
|
Specify IP address or range to allow through firewall
|
|
Confirm options
|
|
Setup complete
|
|
Optionally enable Analyst Workstation with so-analyst-install
|
|
Enter username to login to GNOME |
|
Enter password to login to GNOME
|
|
GNOME Desktop
|
|
Analyst Workstation includes Chromium, NetworkMiner, and Wireshark
|
|
Login to Security Onion Console (SOC)
|
|
SOC Overview page
|
|
Use so-import-pcap to import one or more pcap files
|
|
Use the hyperlink provided by so-import-pcap to review all alerts and logs
|
|
New Alerts interface
|
|
Use the Quick Action Bar to pivot to the PCAP page for full packet capture
|
|
PCAP Overview
|
|
PCAP transcript
|
|
Download the pcap and open in NetworkMiner for file extraction
|
|
All this in a minimal VM with only 4GB RAM!
|
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.