
Friday, January 14, 2022

Coming Soon in Security Onion 2.3.100!

We hope your 2022 is off to a great start! We're excited for what this year will bring, starting with two major changes coming very soon!

High Availability Pipeline via New Receiver Node

Our customers and community have asked for a high availability pipeline option, so we are happy to announce that Security Onion 2.3.100 will include a new role option called the “receiver node.” This node adds redundancy to the data pipeline: if for some reason the manager goes down, the search nodes can continue to receive data. It also allows load balancing of external log sources when the manager is overloaded.

Say Goodbye to TheHive and Hello to Cases!

In September 2021, StrangeBee announced a change to TheHive's licensing model and ended support for TheHive version 3 effective December 31, 2021:
https://medium.com/strangebee-announcements/faq-for-thehive-5s-upcoming-distribution-model-af0ccb95d18

The new licensing model for TheHive version 5 is not compatible with our project so we must say goodbye to TheHive and Cortex. With the release of Security Onion 2.3.100, existing installations with TheHive enabled will still be able to use TheHive for a very short time. However, new installations will not be able to enable TheHive. We will stop including TheHive and Cortex container images starting in Security Onion 2.3.120, currently scheduled for release in March 2022. From that point forward, users running the current version of Security Onion will no longer be able to natively run TheHive on the platform and our support for TheHive on Security Onion will end. Users wishing to continue using TheHive on Security Onion should plan to migrate to an external instance of TheHive. For now, users will still be able to escalate events from Security Onion Console to external instances of TheHive version 3.

We took this opportunity to re-imagine case management. We started with standard case management features:

  • assigning analysts
  • defining Severity, Priority, TLP, PAP, Category, and Tags
  • robust commenting including markdown support
  • adding attachments
  • tracking observables

Now what if all of these features were even more tightly integrated into Security Onion Console? What if users could go to the Alerts page and escalate multiple alerts to the same case quickly and easily without having to merge cases? What if they could then pivot to the Hunt interface to find related logs and add those to the same case just as quickly and easily?

We are excited to announce that Security Onion 2.3.100 will include SOC Cases! For more information, please see the screenshot tour below and the documentation at:
https://docs.securityonion.net/en/2.3/cases.html

Stay tuned for Security Onion 2.3.100 and SOC Cases!

Questions

If you have any questions about any of these changes, please start a new discussion at:
https://securityonion.net/discuss

Screenshot Tour

(screenshots not preserved in this text version)

Friday, December 10, 2021

Security Onion 2.3.90 20211210 Hotfix Now Available to Mitigate log4j Vulnerability!

We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206

Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.

A vulnerability was recently announced in log4j:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

The following components have vulnerable versions of log4j:

  • Elasticsearch
  • Logstash
  • The separate Elasticsearch instance used by TheHive/Cortex

For Elasticsearch, Logstash, and the Elasticsearch instance for TheHive/Cortex, we've added the log4j2.formatMsgNoLookups=true option to disable the vulnerable code. It should be noted that TheHive/Cortex includes log4j 2.9.1 but NOT log4j-core-2.9.1.jar, which is the JAR that contains the JNDI lookup code. Instead, TheHive and Cortex utilize the simple logging facade via log4j-to-slf4j-2.9.1.jar and that library does NOT contain the vulnerable JNDI lookup code.

UPDATE 2021/12/13 We've released an additional hotfix that more fully addresses all known log4j attack vectors:
https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html
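As an added verification script (not Security Onion's own code), the following checks the two facts the paragraph above relies on: whether a JAR actually ships the JndiLookup class (log4j-core does, the log4j-to-slf4j bridge does not), and whether a running JVM was started with the log4j2.formatMsgNoLookups=true property. The sample JARs are constructed in a temp directory with empty class bodies so the script runs offline; the property suppresses lookups during message formatting, and the follow-up hotfix linked above covers the remaining vectors.

```python
"""Verify log4j exposure: which jars ship the JNDI lookup class, and whether a
JVM was started with the mitigation property.  Added example, not Security
Onion's own code.  Sample jars are constructed below; their names mirror the
post (log4j-core-2.9.1.jar carries JndiLookup.class, log4j-to-slf4j-2.9.1.jar does not)."""
import os
import shlex
import tempfile
import zipfile

# The JNDI lookup lives in log4j-core under this entry; the slf4j bridge lacks it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MITIGATION_PROPERTY = "-Dlog4j2.formatMsgNoLookups=true"


def jars_with_jndi_lookup(jar_paths):
    """Return the paths whose zip entries include the JndiLookup class."""
    hits = []
    for path in jar_paths:
        with zipfile.ZipFile(path) as jar:
            if JNDI_LOOKUP_CLASS in jar.namelist():
                hits.append(path)
    return hits


def jvm_has_mitigation(cmdline):
    """True when a JVM command line (one string, as printed by ps) carries
    -Dlog4j2.formatMsgNoLookups=true as its own argument."""
    return MITIGATION_PROPERTY in shlex.split(cmdline)


def make_sample_jars(directory):
    """Constructed stand-ins: a core-style jar with the class, a bridge-style
    jar without it.  Class bodies are empty; only the entry names matter here."""
    core = os.path.join(directory, "log4j-core-2.9.1.jar")
    bridge = os.path.join(directory, "log4j-to-slf4j-2.9.1.jar")
    with zipfile.ZipFile(core, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP_CLASS, b"")
    with zipfile.ZipFile(bridge, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/slf4j/Log4jLogger.class", b"")
    return [core, bridge]


def assess(cmdline):
    """Build the sample jars, scan them, and report
    (vulnerable jar basenames, mitigation flag present) for the JVM command line."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = jars_with_jndi_lookup(make_sample_jars(tmp))
    return [os.path.basename(h) for h in hits], jvm_has_mitigation(cmdline)
```

On a real host, pass the JAR paths found under the Elasticsearch and Logstash container images to jars_with_jndi_lookup and the JVM command line from ps to jvm_has_mitigation.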

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Monday, December 16, 2019

Security Onion Hybrid Hunter 1.1.3 - Alpha 3 Available for Testing!

In 2018, we started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.1.3 is now available for testing and is considered our ALPHA 3 release!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major Highlights in this Release

  • Cortex integration with TheHive
  • Pre-loaded plays in Playbook from the Sigma community repo
  • OS patch scheduling
  • Python 3 for CentOS

Screenshots

TheHive Cortex Integration

TheHive Alerts - Playbook NIDS

TheHive - NIDS Alert

TheHive - Playbook Alert

Playbook - Bulk Activate

Playbook - Sigma Community Rules - Sysmon

so-playbook-ruleupdate

Warnings and Disclaimers

  • This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Use of this ALPHA RELEASE may result in nausea, vomiting, or a burning sensation.

Ready to try it out?

If you want to try our new minimal ISO image, please follow the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO

Otherwise, you can install Hybrid Hunter on Ubuntu 16.04 or CentOS 7 using the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack

After you've installed, if you want to try out the new Playbook functionality, take a look at:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Playbook

Feedback

If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:
https://www.reddit.com/r/securityonion/

Friday, October 4, 2019

Security Onion Hybrid Hunter 1.1.1 - Alpha 2 Available for Testing!

UPDATE 2019/12/16 - Security Onion Hybrid Hunter 1.1.3 Alpha 3 is now available for testing!
https://blog.securityonion.net/2019/12/security-onion-hybrid-hunter-113-alpha.html

In 2018, we started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.1.1 is now available for testing and is considered our ALPHA 2 release!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md


Changes:

  • Alpha 2 is here!
  • Hybrid Hunter minimal ISO image now available!
  • Suricata 4.1.5.
  • Bro/Zeek 2.6.4.
  • TheHive 3.4.0 (Includes ES 6.8.3 for TheHive only).
  • Fixed Bro/Zeek packet loss calculation for Grafana.
  • Updated to latest Sensoroni which includes websockets support for job status updates without having to refresh the page.
  • NIDS and HIDS dashboard updates.
  • Playbook and ATT&CK Navigator features are now included.
  • Filebeat now logs to a file, instead of stdout.
  • Elastalert has been updated to use Python 3 and allow for use of custom alerters.
  • Moved Bro/Zeek log parsing from Logstash to Elasticsearch Ingest for higher performance and lower memory usage!
  • Several changes to the setup script have been made to improve stability of the setup process:
    • Setup now modifies your hosts file so that the install works better in environments without DNS.
    • You are now prompted for setting a password for the socore user.
    • The install now forces a reboot at the end of the install. This fixes an issue with some of the Docker containers being in the wrong state from a manual reboot. Manual reboots are fine after the initial reboot.

Warnings and Disclaimers

  • This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Use of this script may result in nausea, vomiting, or a burning sensation.

Ready to try it out?

If you want to try our new minimal ISO image, please follow the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO

Otherwise, you can install Hybrid Hunter on Ubuntu 16.04 or CentOS 7 using the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack

After you've installed, if you want to try out the new Playbook functionality, take a look at:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Playbook

Feedback

If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:
https://www.reddit.com/r/securityonion/

Thursday, July 25, 2019

Security Onion Hybrid Hunter 1.1.0 ALPHA Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.1.0 is now available for testing and is considered our ALPHA release!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md


Major highlights of this ALPHA release:


  • Alpha is here!! Check out the Hybrid Hunter Quick Start Guide.
  • There is a new PCAP interface called Sensoroni. You can pivot directly from Kibana to Sensoroni via the _id field.
  • Bond interface setup now uses nmcli for better compatibility in the network based setup script.
  • Filebeat traffic for HH components now uses a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat, and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions.
  • Authentication is now enabled by default for all the web based components. There will be some major changes before we get to BETA with how authentication in general is handled due to Elastic "Features" and other components.
  • Add users to the web interface via so-user-add and follow the prompts.
  • so-allow now exists to make your life easier.
  • Bro 2.6.2.
  • All Docker images were updated to reflect Alpha status.
  • Disabled DEBUG logging on a lot of components to reduce space usage.
  • Added a rule update cron job so the master pulls new rules down every day at 7AM UTC.
  • You can now manually run a rule update using the so-rule-update command.


Thanks to the following for all of their work on this release!
Mike Reeves
Wes Lambert
Dustin Lee
Josh Brower
William Wernert

And special thanks to Jason Ertel for his work on Sensoroni!

Screenshots

Pivoting from Kibana to Sensoroni

Sensoroni showing overview of pcap data

Sensoroni showing detail of pcap data

Sensoroni showing ASCII transcript of pcap data

Wednesday, April 3, 2019

Security Onion Hybrid Hunter 1.0.7 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.0.7 is now available for testing!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Major highlights of this release:

  • Suricata 4.1.3
  • Influxdb 1.7.5
  • Telegraf 1.10.1
  • Grafana 6.0.2
  • Setup now requires interface selection #26
  • Reduced the RAM usage for ES in Eval mode #25
  • Eval Mode setup is now choose your own adventure style
  • Fresh dockers for all the things to bring everything to 1.0.7
  • New utility docker called SOctopus
  • New html landing page now in dark mode
  • Added support for TheHive

Screenshots

From Kibana, you can pivot from a log entry to TheHive

Log now available in TheHive
