Monday, October 12, 2020

Suricata 4.1.9 now available for Security Onion 16.04!

securityonion-suricata - 4.1.9-1ubuntu1securityonion1 is now available for Security Onion 16.04 and should resolve the following issue:

Suricata 4.1.9 #1760
https://github.com/Security-Onion-Solutions/security-onion/issues/1788

Thanks

  • Thanks to the Suricata team for Suricata 4.1.9!
  • Thanks to Chris Morgret for testing!

Updating

Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Support

Need support?  Please see:
https://securityonion.net/docs/Support

Documentation

You can find our documentation here:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Training

Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:
https://securityonionsolutions.com

Appliances

For more information about our hardware appliances, please see:
https://securityonionsolutions.com

Thanks!


Zeek 3.0.11 now available for Security Onion 16.04!

Zeek 3.0.11 was recently released and is a security update:
https://github.com/zeek/zeek/releases/tag/v3.0.11

The following updates are now available for Security Onion 16.04!

  • securityonion-bro - 3.0.11-1ubuntu1securityonion1 (Zeek 3.0.11)
  • securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion29
  • securityonion-bro-scripts - 20121004-0ubuntu0securityonion111

These updates should resolve the following issue:

Zeek 3.0.11 #1792
https://github.com/Security-Onion-Solutions/security-onion/issues/1792

Thanks

  • Thanks to the Zeek team for Zeek 3.0.11!
  • Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Support

Need support?  Please see:
https://securityonion.net/docs/Support

Documentation

You can find our documentation here:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Training

Security Onion Solutions is the only official authorized training provider for Security Onion.  For more information about our training classes, please see:
https://securityonionsolutions.com

Appliances

We now offer hardware appliances!  For more information, please see:
https://securityonionsolutions.com

Thanks!


Wednesday, February 5, 2020

Zeek 3.0.1, Elastic 6.8.6, and CyberChef 9.12.0 now available for Security Onion!

The following updates are now available for Security Onion!

Elastic 6.8.6 Docker images
securityonion-bro - 3.0.1-1ubuntu1securityonion10 (Zeek 3.0.1)
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion17
securityonion-bro-scripts - 20121004-0ubuntu0securityonion100
securityonion-elastic - 20190510-1ubuntu1securityonion83
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion225
securityonion-onionsalt - 20140917-0ubuntu0securityonion28
securityonion-samples-bro - 20170824-1ubuntu1securityonion4
securityonion-setup - 20120912-0ubuntu0securityonion325
securityonion-sostat - 20120722-0ubuntu0securityonion141
securityonion-tcpudpflow - 001-0ubuntu0securityonion10
securityonion-web-page - 20141015-0ubuntu0securityonion105

These updates should resolve the following issues:

Zeek 3.0.1 #1645
https://github.com/Security-Onion-Solutions/security-onion/issues/1645

Elastic 6.8.6 #1684
https://github.com/Security-Onion-Solutions/security-onion/issues/1684

CyberChef 9.12.0 #1689
https://github.com/Security-Onion-Solutions/security-onion/issues/1689

securityonion-bro-scripts: migrate from Bro to Zeek #1683
https://github.com/Security-Onion-Solutions/security-onion/issues/1683

securityonion-bro-scripts: remove conn-add-country #1630
https://github.com/Security-Onion-Solutions/security-onion/issues/1630

securityonion-bro-scripts: improve postinst to avoid errors when reinstalling #1711
https://github.com/Security-Onion-Solutions/security-onion/issues/1711

securityonion-bro-scripts: add cve-2020-0601 script #1709
https://github.com/Security-Onion-Solutions/security-onion/issues/1709

securityonion-samples-bro: add cve-2020-0601 pcaps #1710
https://github.com/Security-Onion-Solutions/security-onion/issues/1710

securityonion-elastic: update parsers for Zeek 3 #1680
https://github.com/Security-Onion-Solutions/security-onion/issues/1680

securityonion-elastic: improve logstash parser for pfsense filterlog #1696
https://github.com/Security-Onion-Solutions/security-onion/issues/1696

securityonion-elastic: update dashboards for Zeek migration #1685
https://github.com/Security-Onion-Solutions/security-onion/issues/1685

securityonion-elastic: Update Kibana dashboard for firewall logs #1697
https://github.com/Security-Onion-Solutions/security-onion/issues/1697

securityonion-elastic: add elasticsearch ingest parser for pfsense filterlog #1698
https://github.com/Security-Onion-Solutions/security-onion/issues/1698

securityonion-elastic: elasticsearch ingest pipelines need to support "ips" fields #1666
https://github.com/Security-Onion-Solutions/security-onion/issues/1666

securityonion-elastic: update dns domain info for elasticsearch ingest #1667
https://github.com/Security-Onion-Solutions/security-onion/issues/1667

securityonion-elastic: improve support for custom ingest parsers #1671
https://github.com/Security-Onion-Solutions/security-onion/issues/1671

securityonion-elastic: Docker daemon.json conflict #1674
https://github.com/Security-Onion-Solutions/security-onion/issues/1674

securityonion-elastic: improve postinst update check #1699
https://github.com/Security-Onion-Solutions/security-onion/issues/1699

securityonion-elastic: migrate script.* settings from elasticsearch.yml.bak to elasticsearch.yml #1676
https://github.com/Security-Onion-Solutions/security-onion/issues/1676

securityonion-elastic: container status scripts should check system uptime before declaring fail #1686
https://github.com/Security-Onion-Solutions/security-onion/issues/1686

securityonion-elastic: Bro HTTP Logs "user" field not mapped in Elasticsearch template #1672
https://github.com/Security-Onion-Solutions/security-onion/issues/1672

securityonion-elastic: so-elastic-start times out waiting for elasticsearch #1695
https://github.com/Security-Onion-Solutions/security-onion/issues/1695

Elastalert - Update new_term.yaml #1706
https://github.com/Security-Onion-Solutions/security-onion/issues/1706

securityonion-onionsalt: replicate /etc/elasticsearch/custom #1693
https://github.com/Security-Onion-Solutions/security-onion/issues/1693

securityonion-sostat: migrate from Bro to Zeek #1692
https://github.com/Security-Onion-Solutions/security-onion/issues/1692

NSM: change Bro references to Zeek #1682
https://github.com/Security-Onion-Solutions/security-onion/issues/1682

NSM: increase timeout in /etc/systemd/system/securityonion.service #1708
https://github.com/Security-Onion-Solutions/security-onion/issues/1708

NSM: broctl and zeekctl need to check if parameters were passed #1713
https://github.com/Security-Onion-Solutions/security-onion/issues/1713

Docs: Change bro to zeek #1690
https://github.com/Security-Onion-Solutions/security-onion/issues/1690

Setup: change #inter#face to #interface #1675
https://github.com/Security-Onion-Solutions/security-onion/issues/1675

Setup: change Bro references to Zeek #1681
https://github.com/Security-Onion-Solutions/security-onion/issues/1681

securityonion-tcpudpflow: update for Zeek #1700
https://github.com/Security-Onion-Solutions/security-onion/issues/1700

securityonion-web-page: change bro to zeek #1687
https://github.com/Security-Onion-Solutions/security-onion/issues/1687

securityonion-web-page: update docs and cheat sheet for 16.04.6.4 #1688
https://github.com/Security-Onion-Solutions/security-onion/issues/1688

Test Zeek 3.0.1, Elastic 6.8.6, and related updates #1691
https://github.com/Security-Onion-Solutions/security-onion/issues/1691

Thanks
Thanks to the Zeek team for Zeek 3.0.1!
Thanks to the Elastic team for Elastic 6.8.6!
Thanks to the CyberChef team for CyberChef 9.12.0!
Thanks to the following for testing and QA!
Bryant Treacle
Wes Lambert
Josh Brower
Chris Cuevas

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Since we are transitioning from Bro to Zeek, Bro will automatically stop before the packages are upgraded.  Once soup completes, double-check your Bro/Zeek configuration and then restart Zeek:
sudo so-zeek-restart

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Documentation
You can find our documentation here:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Training
Security Onion Solutions is the only official authorized training provider for Security Onion, and we offer 4-day Basic and 4-day Advanced onsite training classes as well as online classes.  For more information, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://securityonionsolutions.com

Thanks!

Tuesday, August 13, 2019

Bro 2.6.3 now available for Security Onion!

Bro 2.6.3 is now available for Security Onion!  The new package versions are as follows:

securityonion-bro - 2.6.3-1ubuntu1securityonion1
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion12
securityonion-bro-scripts - 20121004-0ubuntu0securityonion72
These packages should resolve the following issue:

Bro 2.6.3 #1603
https://github.com/Security-Onion-Solutions/security-onion/issues/1603

Thanks
Thanks to the Bro/Zeek team for Bro 2.6.3!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Registration is now open for Security Onion Conference 2019 on Friday, October 4, 2019!
https://socaugusta2019.eventbrite.com/

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Training
Security Onion Solutions is the only official authorized training provider for Security Onion and we have 4-day Security Onion Training classes coming up in Columbia MD and Augusta GA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Monday, June 3, 2019

Bro 2.6.2 now available for Security Onion!

Bro 2.6.2 is now available for Security Onion!  The new package versions are as follows:

securityonion-bro - 2.6.2-1ubuntu1securityonion2
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion11
securityonion-bro-scripts - 20121004-0ubuntu0securityonion71

These packages should resolve the following issue:

Bro 2.6.2 #1525
https://github.com/Security-Onion-Solutions/security-onion/issues/1525

Thanks
Thanks to the Bro/Zeek team for Bro 2.6.2!
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Conference
Please mark your calendar! Security Onion Conference 2019 will be on Friday, October 4, 2019 and registration will open July 18! CFP is open now and we want to hear from you!
https://blog.securityonion.net/2019/04/security-onion-conference-2019-cfp.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Also, we're now offering a printed copy of our official documentation with foreword by Richard Bejtlich and proceeds going to Rural Technology Fund:
https://securityonion.net/book

Training
We have 4-day Security Onion Training classes coming up in Columbia MD!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Monday, February 11, 2019

New Setup and NSM packages now available for Security Onion!

The following packages are now available:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion199
securityonion-setup - 20120912-0ubuntu0securityonion285

This should resolve the following issues:

Setup: update setup conf files #1417
https://github.com/Security-Onion-Solutions/security-onion/issues/1417

Setup: Fix bug where the regex in sed disables incorrect interfaces #1427
https://github.com/Security-Onion-Solutions/security-onion/issues/1427

Setup: add logger node to Bro node.cfg #1420
https://github.com/Security-Onion-Solutions/security-onion/issues/1420

Setup: configure Bro cluster mode for AF_PACKET #1421
https://github.com/Security-Onion-Solutions/security-onion/issues/1421

Setup: configure Suricata for AF_PACKET #1432
https://github.com/Security-Onion-Solutions/security-onion/issues/1432

NSM: Improve the method of updating thread count in suricata.yaml #1230
https://github.com/Security-Onion-Solutions/security-onion/issues/1230

NSM: support running Suricata using AF_PACKET #1431
https://github.com/Security-Onion-Solutions/security-onion/issues/1431

As an overview, these updates will cause new installations to configure Bro and Suricata to collect network traffic via AF_PACKET (instead of PF_RING as we've done for the last few years).  Installations already configured for PF_RING will continue to use PF_RING.  Please see the links above for background information and config changes.

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in San Antonio TX, Atlanta GA, and Columbia MD!  If you can't make it to one of these onsite classes, we have a new online training platform!  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've started moving our documentation to https://securityonion.net/docs!  Please let us know if anything needs to be updated.

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Friday, October 28, 2011

Security Onion 20111028 now available!


Security Onion 20111028 is now available!  This resolves Issue 135 by updating the NSM scripts to start Snort with the AFPACKET DAQ for higher performance.  For more information about the AFPACKET DAQ, please see:
http://manual.snort.org/node7.html
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
[Screenshot: Upgrade Process]
