Sunday, September 29, 2024

Security Onion Conference cancelled due to Hurricane Helene damage

This is an update to yesterday's announcement:

https://blog.securityonion.net/2024/09/security-onion-training-class-starting.html


Due to the devastation caused by Hurricane Helene in Augusta, GA, we have no choice but to cancel ALL Augusta Cyber Week activities, including:

  • 4-day Security Onion training class that was scheduled for Monday September 30
  • Security Onion Conference that was scheduled for Friday October 4
  • BSidesAugusta that was scheduled for Saturday October 5
  • all other related activities this week


It is unclear at this time if we will reschedule these events for a later date. We hope to provide more information soon.


Saturday, September 28, 2024

Security Onion Training Class starting on 9/30 is cancelled due to Hurricane Helene damage

Augusta GA has been hit hard by Hurricane Helene and power is out in most areas around the city. Unfortunately, we will have to cancel this week's Security Onion class that starts on Monday 9/30. 


No decisions have been made yet regarding the Security Onion Conference on Friday 10/4, BSidesAugusta on Saturday 10/5, or other training classes this week. We hope to provide more updates soon.


Wednesday, September 25, 2024

Did you know Security Onion includes our own custom web interfaces for Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Administration?

Yesterday, we talked about how Security Onion is built BY defenders FOR defenders:

https://blog.securityonion.net/2024/09/did-you-know-security-onion-is-built-by.html


As defenders, we built the platform that we've always wanted! This includes our own custom web interfaces for Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Administration. These interfaces are streamlined and integrated to make you more effective and efficient as a defender!


Alerts:


Dashboards:

Hunt:


Cases:


Detections:


PCAP:


Grid Health:


Configuration:





Tuesday, September 24, 2024

Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) with FTP EXFIL PCAP from 2024-09-17

Thanks to Brad Duncan for sharing this pcap from 2024-09-17 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.100:

https://blog.securityonion.net/2024/08/security-onion-24100-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Screenshots


First, we start with the overview of all alerts and logs:


Next, we look at just the NIDS alerts generated by Suricata:


Let's drill into the Snake keylogger alert:


This looks interesting so let's pivot to PCAP:


We can switch to ASCII transcript to make it more readable:


Now let's review the protocol metadata provided by Zeek:


We start with the Software dashboard where we see an interesting browser user agent string:


Next, let's review the X.509 dashboard:


and the associated SSL/TLS dashboard:


Next, we'll look at the DNS dashboard:


Looking at the HTTP dashboard, we see the interesting browser user agent we saw earlier on the Software dashboard:


Looking at the Files dashboard, we can see files being transferred by both HTTP and FTP:


Let's review the FTP dashboard. Here we see a couple of files being transferred:


At the bottom of the FTP dashboard, we can see the 2 FTP STOR transactions where files are being exfiltrated:


If we pivot to PCAP, we can see the FTP CONTROL channel:


To see the FTP DATA channel, we can switch to the Connections dashboard:


Pivoting to PCAP, we see one of the exfil files contains the user's browser cookies:


And the second exfil file contains the user's saved passwords:
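
The FTP review above can also be run directly against Zeek's ftp.log. The following is an added example, not part of the original post and not Security Onion's own code: it flags STOR uploads from internal hosts to external servers. The log records are constructed samples using Zeek's ftp.log JSON field names, and the internal ranges and all addresses are assumptions.

```python
import ipaddress
import json

# Assumption: the monitored network uses RFC 1918 space; adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in Zeek ftp.log JSON form (not taken from the pcap).
# The last line is deliberately truncated to show malformed input being skipped.
SAMPLE_FTP_LOG = """
{"ts": 1726560001.1, "uid": "Cx1", "id.orig_h": "10.0.0.50", "id.resp_h": "203.0.113.25", "id.resp_p": 21, "user": "example", "command": "STOR", "arg": "ftp://203.0.113.25/./cookies-sample.txt", "reply_code": 226}
{"ts": 1726560002.4, "uid": "Cx1", "id.orig_h": "10.0.0.50", "id.resp_h": "203.0.113.25", "id.resp_p": 21, "user": "example", "command": "STOR", "arg": "ftp://203.0.113.25/./passwords-sample.txt", "reply_code": 226}
{"ts": 1726560050.0, "uid": "Cx2", "id.orig_h": "10.0.0.50", "id.resp_h": "203.0.113.80", "id.resp_p": 21, "user": "anonymous", "command": "RETR", "arg": "ftp://203.0.113.80/./update.bin", "reply_code": 226}
{"ts": 1726560090.0, "uid": "Cx3", "id.orig_h": "10.0.0.50", "id.resp_h": "10.0.0.5", "id.resp_p": 21, "user": "backup", "command": "STOR", "arg": "ftp://10.0.0.5/./report.pdf", "reply_code": 226}
{"ts": 1726560099.0, "uid": "Cx4", "id.orig_h": "10.0.0
"""


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_stor(log_text):
    """Return FTP STOR records that go from an internal host to an external server."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if str(rec.get("command", "")).upper() != "STOR":
            continue  # only uploads are of interest here
        src, dst = rec.get("id.orig_h"), rec.get("id.resp_h")
        if src and dst and is_internal(src) and not is_internal(dst):
            findings.append({"ts": rec.get("ts"), "src": src, "dst": dst,
                             "user": rec.get("user"), "file": rec.get("arg"),
                             "reply_code": rec.get("reply_code")})
    return findings


if __name__ == "__main__":
    for hit in find_outbound_stor(SAMPLE_FTP_LOG):
        print(hit)
```
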



Monday, September 23, 2024

Did you know Security Onion is built BY defenders FOR defenders?


In 2008, Doug Burks started the Security Onion project to help his fellow defenders. He is former Deputy CSO of Mandiant, former CISO of Morris Communications, and has been doing detection and response since the early 2000s for Department of Defense, Department of Energy, and several private companies in various industries. In 2010, he became SANS GSE #24:

https://blog.securityonion.net/2010/10/congratulations-to-latest-sans-gses.html

https://www.giac.org/certified-professional/Doug-Burks/117421


Today, our engineering team has several collective decades of defensive experience and we use that experience to build the platform that we always wanted as defenders. In addition, our instructors use their experience as defenders when teaching our classes and our support team uses their experience as defenders when supporting our customers.


From all our defenders to all of you defenders out there, thanks for what you do and happy hunting!





10% Discount for Security Onion Pro for a Limited Time Only!

We recently celebrated the 10th birthday of Security Onion Solutions by announcing Security Onion Pro!

https://blog.securityonion.net/2024/07/celebrating-10-years-of-security-onion.html


As we continue to celebrate our 10th birthday, we'd like to offer you a special gift! 


Here's a 10% discount code for new purchases of Security Onion Pro:

SOPRO-20240923


Please note:

  • This discount is for new purchases of Security Onion Pro only.
  • This discount is only valid through November 15, 2024.
  • This discount is not valid with any other discount or offer.


For more information about how you can take your game to the next level with Security Onion Pro, please see https://securityonion.com/pro.


For more details and to reach out to our Sales team, please go to https://securityonion.com/pro, click the Purchase Pro button, and make sure you mention the discount code above!


Friday, September 20, 2024

Did you know Security Onion scales from small virtual machines all the way up to large enterprise deployments of hundreds of nodes and thousands of endpoint agents?

A minimal Security Onion installation is an IMPORT installation and can be used to import PCAP or EVTX files in a minimal VM with as little as 4GB RAM:



On the opposite end of the architecture spectrum, a distributed deployment consists of:
  • a manager node
  • one or more forward nodes running Suricata and Zeek to analyze network traffic and generate NIDS alerts and protocol metadata logs
  • one or more search nodes running Elasticsearch to store and search logs
  • optional receiver nodes for load balancing and pipeline redundancy
  • optional Intrusion Detection Honeypot (IDH) nodes for deception


This is a scalable model and can support hundreds of nodes and thousands of endpoints running the Elastic Agent.

For more information, please see the Architecture section of our documentation:

Thursday, September 19, 2024

Did you know Security Onion works on both Internet-connected and airgap networks?

Did you know Security Onion works on both Internet-connected and airgap networks? Our ISO image includes everything you need to run without Internet access. Make sure that you choose the Airgap option during Setup:


If your network has Internet access but has overly restrictive proxies, firewalls, or other network devices that might prevent Security Onion from connecting to certain Internet sites, then you may want to consider the Airgap option as everything will install from the ISO image itself.


For more information, please see the Airgap section of our documentation:

https://docs.securityonion.net/en/2.4/airgap.html


Wednesday, September 18, 2024

Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) INFECTION, SMTP EXFIL pcap from 2024-09-16

Thanks to Brad Duncan for sharing this pcap from 2024-09-16 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.100:

https://blog.securityonion.net/2024/08/security-onion-24100-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis




Screenshots


First, we start with the overview of all alerts and logs:


Next, let's look at just the Alerts:


Let's drill into the Snake alert:


Now let's pivot to PCAP to see that entire TCP stream:


We can switch to ASCII transcript to make it a little more readable:


Now let's review the protocol metadata:


We'll start with X.509 certificates:


Next, we look at the related SSL/TLS connections:


Here are the DNS lookups:


Next, we can look at all of the connections:


Here are the HTTP transactions related to the Snake alert we saw in the beginning:


Finally, let's review SMTP transactions:


Pivoting to PCAP, we can see usernames and passwords being exfiltrated via SMTP:


In the second PCAP, we can see session cookies being exfiltrated via SMTP:




Did you know that Security Onion performs comprehensive analysis on both IT and OT (ICS/SCADA) networks?

Security Onion started back in 2008 primarily focused on traditional IT networks. However, in 2022, we added support for LOTS of different ICS protocols:

https://blog.securityonion.net/2022/12/security-onion-23190-now-available.html


Here's a screenshot showing the list of ICS dashboards included in our current version:



Tuesday, September 17, 2024

Did you know that Security Onion provides both network AND host visibility?

Security Onion started in 2008 as a Network Security Monitoring (NSM) platform. Over the years, more and more of our network traffic has become encrypted. That's a good thing for privacy but it makes our jobs as defenders a little more difficult. To fill in those blind spots, we've spent the last several years making sure that Security Onion is as powerful on the host side as it is on the network side. Here's a diagram showing an overview of Security Onion consuming not just network traffic from your taps or span ports but also logs from your endpoints:

The following screenshot shows a comprehensive Security Onion deployment that does both network monitoring and host monitoring:

Security Onion includes a complete set of dashboards for each of those different kinds of endpoint data:

The Elastic Agent Overview dashboard gives you an overview of the comprehensive telemetry that is provided by the Elastic Agent when installed on your servers, desktops, and laptops:

You can read more about our endpoint capabilities in the Host Visibility section of our documentation:

https://docs.securityonion.net/en/2.4/host.html