Security Onion Blog
Showing posts with label cortex. Show all posts
Showing posts with label cortex. Show all posts

Friday, December 10, 2021

Security Onion 2.3.90 20211210 Hotfix Now Available to Mitigate log4j Vulnerability!

We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206

Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.

A vulnerability was recently announced in log4j:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

The following components have vulnerable versions of log4j:

  • Elasticsearch
  • Logstash
  • TheHive/Cortex have a separate Elasticsearch instance

For Elasticsearch, Logstash, and the Elasticsearch instance for TheHive/Cortex, we've added the log4j2.formatMsgNoLookups=true option to disable the vulnerable code. It should be noted that TheHive/Cortex includes log4j 2.9.1 but NOT log4j-core-2.9.1.jar, which is the JAR that contains the JNDI lookup code. Instead, TheHive and Cortex utilize the simple logging facade via log4j-to-slf4j-2.9.1.jar and that library does NOT contain the vulnerable JNDI lookup code.

UPDATE 2021/12/13 We've released an additional hotfix that more fully addresses all known log4j attack vectors:
https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

at No comments:
Labels: , , , , , , , , , ,

Monday, December 16, 2019

Security Onion Hybrid Hunter 1.1.3 - Alpha 3 Available for Testing!

In 2018, we started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.1.3 is now available for testing and is considered our ALPHA 3 release!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major Highlights in this Release
  • Cortex integration with TheHive
  • Pre-loaded plays in Playbook from the Sigma community repo
  • OS patch scheduling
  • Python 3 for CentOS
Screenshots


TheHive Cortex Integration

TheHive Alerts - Playbook NIDS

TheHive - NIDS Alert

TheHive - Playbook Alert

Playbook - Bulk Activate

Playbook - Sigma Community Rules - Sysmon 
so-playbook-ruleupdate


Warnings and Disclaimers

  • This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Use of this ALPHA RELEASE may result in nausea, vomiting, or a burning sensation.

Ready to try it out?

If you want to try our new minimal ISO image, please follow the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO

Otherwise, you can install Hybrid Hunter on Ubuntu 16.04 or CentOS 7 using the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack

After you've installed, if you want to try out the new Playbook functionality, take a look at:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Playbook

Feedback
If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:
https://www.reddit.com/r/securityonion/

at No comments:
Labels: , , , , , , , ,
Subscribe to: Posts (Atom)

Search This Blog

Featured Post

Quick Malware Analysis: NETSUPPORT RAT pcap from 2025-08-20

Thanks to Brad Duncan for sharing this pcap from 2025-08-20 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive