Thursday, November 10, 2022

Security Onion 2.3.182 Now Available!

We recently released Security Onion 2.3.180 and 2.3.181:
https://blog.securityonion.net/2022/10/security-onion-23180-now-available.html
https://blog.securityonion.net/2022/10/security-onion-23181-now-available.html

Today, we are releasing 2.3.182 which updates Zeek:
https://docs.securityonion.net/en/2.3/release-notes.html#changes

New Installations

If you want to perform a new installation, please review the documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you haven't yet updated to 2.3.180, then you should review all links at the top of this post so that you are aware of all recent changes.

WARNING! If you have an existing Security Onion 2.3 installation and update to Security Onion 2.3.140 or higher, the Elastic components will undergo a major version upgrade to version 8. Please review and follow the steps at the link below. Failure to do so could result in loss of access to all data stored inside of Elastic and a non-functioning Security Onion installation.

https://docs.securityonion.net/en/2.3/soup.html#elastic-8

Please be aware that custom settings in Kibana may be overwritten during upgrade. We recommend that you test the upgrade process on a test deployment before deploying to production. If you have a distributed deployment, then we recommend monitoring SOC Grid while your update is running to verify that all nodes update properly. If there are issues, you can review logs, services, and containers for any additional clues. If you need help, please see our support information below.

If you have custom Elasticsearch templates, please see:
https://docs.securityonion.net/en/2.3/elasticsearch.html#custom-templates

For more information about the update process, please see:
https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our support options:
https://docs.securityonion.net/en/2.3/support.html


Wednesday, November 2, 2022

Quick Malware Analysis: ICEDID (BOKBOT) with DARK VNC and COBALT STRIKE pcap from 2022-10-31

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2022/10/31/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

The screenshots below show some of the interesting Suricata alerts, Zeek logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots

Click the first image to start the screenshot tour:

NIDS alerts

Drilling into interesting NIDS alert and pivoting to full packet capture

ASCII transcript for TCP stream

Network metadata overview

NTLM metadata

HTTP metadata

SMB Files metadata

Kerberos metadata

Zeek Weird logs

SMB Mapping metadata

Zeek Notices

DNS metadata

SSL metadata

Connection metadata