Showing posts with label dns. Show all posts

Wednesday, January 22, 2025

Coming soon to Security Onion: Local IP Lookups!

Our upcoming Security Onion 2.4.120 release includes a new local IP lookup feature! This allows you to define local descriptions for important IP addresses in your environment. This is useful for IP addresses that don't have a reverse DNS entry or for when you want to override the reverse DNS entry with a custom value. 


When you are viewing IP addresses in Security Onion Console (SOC) with reverse lookups enabled, SOC will check the local mappings first. If it doesn’t find a match, then it will attempt a reverse DNS lookup. The lookup will be displayed to the right of the IP address. For example:


Security Onion 2.4.120 is coming soon!

Tuesday, February 3, 2015

New ELSA packages parse additional fields out of Bro dns.log

Pietro Delsante contributed some updated parsers for Bro and BIND DNS logs (thanks, Pietro!) and I've updated the securityonion-elsa-extras package with these new parsers.  I've also updated the securityonion-web-page package to include some new ELSA queries for these newly exposed BRO_DNS fields.  The new packages are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion56
securityonion-web-page - 20141015-0ubuntu0securityonion15

These new packages should resolve the following issues:

Issue 668: ELSA: pdbtool errors
https://code.google.com/p/security-onion/issues/detail?id=668

Issue 669: ELSA: update parsers for Bro DNS and BIND
https://code.google.com/p/security-onion/issues/detail?id=696

Issue 670: securityonion-web-page: add queries for updated bro_dns parser
https://code.google.com/p/security-onion/issues/detail?id=670

Issue 685: securityonion-web-page: update links
https://code.google.com/p/security-onion/issues/detail?id=685

These new packages have been tested by Pietro Delsante and David Zawdie (thanks!).

Screenshots

Update process

DNS - Top Query Class

DNS - Top Query Type

DNS - Top Return Code


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Want to show your support for Security Onion?
Several folks have asked about Security Onion t-shirts and they are now available in our CafePress store!
http://www.cafepress.com/securityonion/11820053


Thanks!

Saturday, October 5, 2013

Got DNS visibility?

Jaime Blasco recently wrote a great blog post on using DNS records to identify suspicious domains:
http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records

Here are some other great articles on the power of DNS visibility:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918

Got Security Onion?

If you currently don't have the kind of DNS visibility described above or are unable to effectively search your DNS logs for anomalies, get Security Onion today!
https://code.google.com/p/security-onion/wiki/Installation

Here's a quick video on using Security Onion to configure Bro and ELSA in minutes to give you DNS visibility and the ability to quickly search, summarize, and look for anomalies:
http://www.youtube.com/watch?v=33HZyIxbg6c&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe

Need Training?
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th!  This class is being held in conjunction with University of Memphis Center for Information Assurance Cyber Security Expo taking place October 18, 2013 at the FedEx Institute of Technology.  Your paid tuition for this SANS course includes registration for the Cyber Security Expo when you register with Discount Code "ISC-Memphis":
http://www.sans.org/community/event/sec434-memphis-16oct2013-doug-burks

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!  Be one of the first 10 students to sign up and you can register at the discounted Early Bird price!  For full details and to register, please see:
https://securityonion20131026.eventbrite.com/

Thursday, January 3, 2013

DNS Visibility with Security Onion 12.04


UPDATE 2013-10-05: See the updated version of this blog post here:
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html

There have been some interesting articles recently on the value of DNS visibility for security teams:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918


If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!


Hunting through DNS traffic with Bro and ELSA

Friday, August 17, 2012

Dr. J's Poor Man DNS Anomaly Detection using Bro

Dr. Johannes Ullrich of the SANS Internet Storm Center posted a great DNS Anomaly Detection script based on the query logs coming from his DNS server. We can do the same thing with Bro's dns.log (where Bro captures all the DNS queries it sees on the network):
http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection
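As an added illustration (not the wiki script or Dr. Ullrich's code), the following Python parses Bro's tab-separated dns.log, using its #fields header for column names, and applies the same basic idea: compare today's most-queried names against a baseline of names seen before and report the newcomers, plus a per-client NXDOMAIN count. The log lines are constructed sample data.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample in Bro dns.log layout (tab-separated, '#fields' header).
SAMPLE_DNS_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\tcount\tstring\tcount\tstring\tcount\tstring
1345212000.1\tC1\t10.0.0.5\t51000\t10.0.0.1\t53\tudp\t1\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR
1345212001.2\tC2\t10.0.0.5\t51001\t10.0.0.1\t53\tudp\t2\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR
1345212002.3\tC3\t10.0.0.7\t51002\t10.0.0.1\t53\tudp\t3\tupdate.example.org\t1\tC_INTERNET\t1\tA\t0\tNOERROR
1345212003.4\tC4\t10.0.0.9\t51003\t10.0.0.1\t53\tudp\t4\tzz9x1k2q.example.net\t1\tC_INTERNET\t16\tTXT\t3\tNXDOMAIN
1345212004.5\tC5\t10.0.0.9\t51004\t10.0.0.1\t53\tudp\t5\tzz9x1k2q.example.net\t1\tC_INTERNET\t16\tTXT\t3\tNXDOMAIN
1345212005.6\tC6\t10.0.0.9\t51005\t10.0.0.1\t53\tudp\t6\tzz9x1k2q.example.net\t1\tC_INTERNET\t16\tTXT\t3\tNXDOMAIN
"""


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log: '#fields' names the columns, other '#' lines are metadata."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def new_top_queries(rows: List[Dict[str, str]], baseline: Set[str],
                    top_n: int = 10) -> List[Tuple[str, int]]:
    """Return today's most-queried names (with counts) that are absent from the baseline.

    'baseline' is assumed to hold names seen on previous days; '-' means no query field.
    """
    counts = Counter(r["query"].lower() for r in rows if r.get("query", "-") != "-")
    return [(name, n) for name, n in counts.most_common(top_n) if name not in baseline]


def nxdomain_by_client(rows: List[Dict[str, str]]) -> Counter:
    """Count NXDOMAIN responses per querying host; a sudden spike is worth a look."""
    return Counter(r["id.orig_h"] for r in rows if r.get("rcode_name") == "NXDOMAIN")


if __name__ == "__main__":
    parsed = parse_bro_log(SAMPLE_DNS_LOG)
    print(new_top_queries(parsed, {"www.example.com"}))
    print(nxdomain_by_client(parsed))
```

On a real sensor, replace SAMPLE_DNS_LOG with the contents of /nsm/bro/logs/current/dns.log and persist the names seen each day as the next day's baseline.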
