Security Onion 2.4 Base OS

Introduction

Recent events have forced us to change course on the base operating system (OS) for Security Onion 2.4. 

On 6/21/2023, Red Hat announced changes to their source code availability for Red Hat Enterprise Linux (RHEL):

https://www.redhat.com/en/blog/furthering-evolution-centos-stream

On 6/26/2023, Red Hat then posted a follow-up:

https://www.redhat.com/en/blog/red-hats-commitment-open-source-response-gitcentosorg-changes

These announcements prompted us to go back to first principles and re-evaluate the base OS options for our upcoming Security Onion 2.4 RC1 release.

First Principles

To re-evaluate our base OS options based on first principles, we start with the basic hard requirements. Security Onion 2.4 primarily consists of Docker images orchestrated by Saltstack, so here are our requirements for the base OS:

• stable Linux kernel
• stable Docker packages
• stable Saltstack packages
• freely available at no cost
• long term support (greater than 3 years)

In addition to the requirements above, our customers have indicated certain preferences:

• Most customers prefer some sort of Red Hat derivative.
• Some customers strongly prefer operating systems that meet specific US government standards or certifications.
  
  

Options

Based on the requirements and preferences above, we considered the following options:

• Rocky Linux 9 (free RHEL rebuild) - https://rockylinux.org/ 
• Alma Linux 9 (free RHEL/CentOS rebuild) - https://almalinux.org/ 
• Oracle Linux 9 (free RHEL rebuild) - https://www.oracle.com/linux/ 
• CentOS Stream 9 (free RHEL upstream) - https://www.centos.org/centos-stream/ 
• Ubuntu 22.04 (free Debian derivative) - https://ubuntu.com/ 
• Debian 12 - https://www.debian.org/ 

Over the last few weeks, we performed an exhaustive investigation of each option to see if they satisfy the requirements and preferences above and also determine if there are any additional advantages or disadvantages.

Security Onion 2.4 ISO Image

At the conclusion of our exhaustive investigation, we decided to base our Security Onion 2.4 ISO image on Oracle Linux 9 for the following reasons:

• Oracle Linux 9 satisfies the highest number of requirements and preferences for the greatest number of customers.
• Oracle Linux is a RHEL rebuild that has been available since 2006 so they have a long track record.
• Oracle Linux is free. From https://yum.oracle.com/oracle-linux-downloads.html:
  Since 2006, Oracle Linux has been completely free to download and use. Free source code, binaries, and updates. Freely redistributable. Free for production use.
• Oracle is well funded and fully committed to Oracle Linux in the long term:
  https://www.oracle.com/news/announcement/blog/keep-linux-open-and-free-2023-07-10/ 
• Oracle Linux 9 FIPS (Federal Information Processing Standards) certification is listed as “Under Test” as of 3/7/2023:
  https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List 
• Oracle Linux offers the ability to run a newer Linux kernel which, in theory, should be more secure than the default kernel included in other RHEL rebuilds:
  https://unix.foo/posts/enterprise-linux/
  https://blogs.oracle.com/linux/post/tracking-linux-stable-kernels-with-uek 
  
  

Network Installation

If you don’t want to use our Security Onion 2.4 ISO image, you can still perform a network installation of our Security Onion components after manually installing one of the following:

• Oracle Linux 9
• Rocky Linux 9
• Alma Linux 9
• CentOS Stream 9
• RHEL 9
• Ubuntu 22.04
• Debian 12
  
  

Support

Customers with premium support and professional services can reach out to their normal support contacts for more information about support. 

If you are a non-paid community user, then please pay close attention to the support levels below.

Supported

Our Security Onion 2.4 ISO image (based on Oracle Linux 9) is the only fully supported installation method. Choose this option if any of the following apply to you:

• You are deploying in an enterprise environment.
• You are deploying in an airgap environment.
• You are performing a distributed deployment.
• You want the quickest and easiest installation with the fewest issues.
• You need full support.
  
  

Unsupported

If you don’t want to use our Security Onion 2.4 ISO image and choose to perform a manual OS installation followed by a network installation of our Security Onion components, then we recommend using Oracle Linux 9 or Rocky Linux 9. CentOS Stream 9 or Alma Linux 9 should also work. Another option might be RHEL 9 itself although that is a paid option.

If you really want to run Ubuntu 22.04 or Debian 12, then please note that these distros may work but they get less testing and therefore you will be more likely to run into issues.

Q&A

What will the Security Onion 2.4 ISO image be based on?

Our Security Onion 2.4 ISO image will be based on Oracle Linux 9.

Why Oracle Linux?

Oracle Linux has been around since 2006 and so it has a long track record. Additionally, FIPS certification is in progress. Finally, Oracle Linux offers a newer Linux kernel which, in theory, should be more secure than the default kernel included in other RHEL rebuilds.

Is Oracle Linux free?

Yes, from https://yum.oracle.com/oracle-linux-downloads.html:

Since 2006, Oracle Linux has been completely free to download and use. Free source code, binaries, and updates. Freely redistributable. Free for production use.

If we don’t want to use the Security Onion 2.4 ISO image or Oracle Linux, do we have other options?

If you don’t want or need support, then you can choose from Rocky Linux 9, Alma Linux 9, CentOS Stream 9, RHEL 9, Ubuntu 22.04, or Debian 12. However, please note that if you choose one of these options there will be more manual work required and you may be more likely to run into issues.

Why not use Rocky Linux 9 for the Security Onion 2.4 ISO image?

As of 7/25/2023, Rocky Linux 9 is not yet listed at the FIPS certification pages:

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List 

Why not use Alma Linux 9 for the Security Onion 2.4 ISO image?

Alma Linux does not yet have FIPS certification. Also, it has only been around since 2021 so it doesn’t have that long of a track record.

Why not use CentOS Stream for the Security Onion 2.4 ISO image?

CentOS Stream does not have any FIPS certification whatsoever.

Why not use Ubuntu for the Security Onion 2.4 ISO image?

Standard Ubuntu has no FIPS certification. FIPS certification requires a paid upgrade to Ubuntu Pro. Additionally, Ubuntu seems to be focused on their own snap architecture for the future.

Why not use Debian for the Security Onion 2.4 ISO image?

Debian does not have any FIPS certification whatsoever.

Why not use another Linux distro like fill in the blank?

We considered several other Linux distributions but only the ones listed above met the core requirements.

When do these Security Onion changes take effect?

These changes go into effect for the upcoming Security Onion 2.4 RC1 release.

When will Security Onion 2.4 reach General Availability (GA)?

These OS changes delayed our release schedule for Security Onion 2.4, but it was important to take our time and fully investigate our options. Security Onion 2.4 RC1 is coming soon. Stay tuned!

What does all of this mean for Security Onion 2.3?

There are no planned OS changes for 2.3.

I am a current customer with premium support and professional services and I have other questions about this change. To whom should I reach out?

Please feel free to reach out to your account manager.

I am a community user of Security Onion and I have other questions about this change. How may I ask those questions?

You may start a new discussion at https://securityonion.net/discuss. 

UPDATE 2023/07/27 - Added that these changes go into effect for the upcoming Security Onion 2.4 RC1 release.

Final Reminder about Ubuntu 18.04

We recently posted about Ubuntu 18.04 support:
https://blog.securityonion.net/2023/02/ubuntu-1804-reaches-end-of-ubuntu.html

This is one final reminder that if you're still running Security Onion on Ubuntu 18.04, you'll need to upgrade or replace it:
https://docs.securityonion.net/en/2.3/appendix-b.html

Ubuntu 18.04 Reaches End of Ubuntu Standard Support in April 2023

If you are running Security Onion 2.3 on Ubuntu 18.04, then you should be aware that Ubuntu 18.04 reaches the end of Ubuntu standard support in April 2023:
https://wiki.ubuntu.com/Releases

You should therefore start planning to upgrade or replace any Ubuntu 18.04 installations. We've added a guide to our documentation:
https://docs.securityonion.net/en/2.3/appendix-b.html

Security Onion in 2022 and 2023

Here's a quick review of some of the major improvements we made to Security Onion 2.3 in the past year!

Security Onion 2.3.100 added SOC Cases for Case Management and a new Receiver Node option for pipeline redundancy:
https://blog.securityonion.net/2022/01/security-onion-23100-now-available.html

Security Onion 2.3.110 added SOC Multi-Factor Authentication (MFA) and Intrusion Detection Honeypot (IDH) functionality:
https://blog.securityonion.net/2022/03/security-onion-23110-now-available.html

Security Onion 2.3.120 added Analyst Desktop improvements:
https://blog.securityonion.net/2022/04/security-onion-23120-now-available.html

Security Onion 2.3.130 added SOC Dashboards, Analyzers, and much more:
https://blog.securityonion.net/2022/06/security-onion-23130-now-available.html

Security Onion 2.3.140 improved SOC Dashboards and Cases:
https://blog.securityonion.net/2022/07/security-onion-23140-now-available.html

Security Onion 2.3.150 updated the TLP options in SOC Cases to align with TLP 2.0:
https://blog.securityonion.net/2022/08/security-onion-23150-now-available.html

Security Onion 2.3.160 added an Advanced toggle for SOC Alerts and Cases:
https://blog.securityonion.net/2022/08/security-onion-23160-now-available.html

Security Onion 2.3.170 improved Windows log parsing:
https://blog.securityonion.net/2022/09/security-onion-23170-now-available.html

Security Onion 2.3.180 added more SOC dashboards for sysmon logs:
https://blog.securityonion.net/2022/10/security-onion-23180-now-available.html

Security Onion 2.3.190 added coverage for lots of ICS/SCADA protocols:
https://blog.securityonion.net/2022/12/security-onion-23190-now-available.html

Security Onion 2.3.200 added more improvements for SOC dashboards and sysmon support:
https://blog.securityonion.net/2023/01/security-onion-23200-now-available.html

New Features in 2023

In 2023, we plan to release Security Onion 2.4 and it will bring some exciting new features!

• Configuration Interface
• Enhanced Grid Status Interface
• Simplified Setup
• Elastic Agent and Elastic Fleet
• Security Onion Virtual Appliance based on Rocky Linux 9
• Simplified Updates
• Improved Health Metric Visualizations

Configuration Interface

This feature has us really excited! With the introduction of the configuration interface, we hope to reduce the overall time spent to manage and administer the grid. The goal is to make editing files at the command line a thing of the past. The configuration interface will help lower the barrier of entry for new users to the platform as well as be a nice convenience for our more seasoned users.

Enhanced Grid Status Interface

In addition to the configuration interface, we’ve also enhanced the SOC Grid page to give you more information about the status of your grid.

Simplified Setup

The installer has been greatly simplified and configuring new members of the grid will take place in the configuration interface. This removes the need for the soremote account and ssh access to the manager. 

Elastic Agent and Elastic Fleet

Our primary endpoint agent will be Elastic Agent. It replaces osquery, beats, and Wazuh and is easily managed in Elastic Fleet, giving more control over upgrades. Users will also be able to deploy agents in standalone (unmanaged) mode if they choose to do so.

Security Onion Virtual Appliance based on Rocky Linux 9

When we were laying out features for Security Onion 2.4, we really wanted to shift the focus away from the OS and more into features that help our users find evil. Users should be able to image a system or run a script to easily provision their grid. We felt that we needed to shift to more of a virtual appliance model to allow us to continue to grow and scale to the needs of the future. We are basing this new appliance model on Rocky Linux 9. This change will allow us to deliver features faster and simplify support of the platform. Rocky Linux 9 has an EOL date of March 2032 allowing us to continue to innovate on the platform for years to come. Users will be able to install Security Onion either from our ISO image or on top of a minimal installation of Rocky Linux 9. Below we explain how this will impact Ubuntu-based deployments.

Simplified Updates

For this new virtual appliance model, all packages will be distributed from the manager similar to the current Airgap mode. You can optionally override the package source to some other source which hosts specific signed packages. In non-Airgap deployments, the manager or repo will sync daily with the upstream Security Onion repo to ensure updates are downloaded from the Internet. Airgap deployments will continue to pull their updates from the latest ISO image as they do in 2.3.

Improved Health Metric Visualizations

Security Onion 2.4 will include InfluxDB 2 and some improved health metric visualizations.

Component Changes in Security Onion 2.4

Security Onion 2.4 will have some major changes, including components that will be removed. If you are running Security Onion today and planning to run 2.4, you will want to ensure you are prepared. The following technologies will be retired or phased out:

• Ubuntu support
• Wazuh
• FleetDM 
• Dedicated osquery agents
• Filebeat for SO components

Phasing Out Support for Ubuntu

Back in 2009, the first release of Security Onion was based on Ubuntu 9.04 and we have continued to support Ubuntu through Security Onion 2.3. Since Security Onion 2.4 is shifting to more of an appliance model based on Rocky Linux 9 (as described above), we are phasing out support for Ubuntu. Users running a large distributed grid of Ubuntu 20.04 nodes will be able to gradually migrate those nodes to the new appliance structure as long as the manager runs Rocky Linux 9. We will release more details on this as we finalize the process.

Endpoint Agent Changes

As mentioned above, our primary endpoint agent will be Elastic Agent. Since Elastic Agent has osquery built in, it will be taking the place of the current osquery agent. Security Onion 2.4 will also use the Elastic Agent to send alerts and metadata from the sensors to the back end, replacing the current Filebeat agent. Users will be able to manage all of their Elastic Agents using Elastic Fleet in Kibana. Since Elastic Agent covers most of the Wazuh use cases used in Security Onion, Wazuh is being removed as well. This single agent architecture will save resources, streamline administrative processes, and ease the upgrade process in Security Onion.

Post 2.4 Release

After releasing Security Onion 2.4, we plan to launch some additional projects that will change some core elements of the platform. Notably, we intend to add more features to the SOC Grid interface. We also want to integrate the functions of Playbook directly into SOC. There are no release dates for these improvements, so please continue to monitor our social media for updates on these and other changes.

SaltStack Security Release Causing Security Onion Installations to Fail on Ubuntu

SaltStack has released version 3004.1:
https://docs.saltproject.io/en/latest/topics/releases/3004.1.html

SaltStack also removed version 3004 which is causing new installations of Security Onion to fail on Ubuntu. For CentOS, we host our own packages so those installations are still working properly.

We are working on a Security Onion hotfix to include SaltStack version 3004.1. We hope to release this hotfix next week.

UPDATE 2022/04/04

We've released our hotfix:
https://blog.securityonion.net/2022/04/security-onion-23110-20220401-hotfix.html

Security Onion Hybrid Hunter 1.1.4 - Alpha 4 Available for Testing!

In 2018, we started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.1.4 is now available for testing and is considered our ALPHA 4 release!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

This is our last planned alpha release for Hybrid Hunter.  If all goes according to plan, our next Hybrid Hunter release should be Beta!

Major Highlights in this Release

• Added new in-house auth method Security Onion Auth.
• Web user creation is done via the browser now instead of so-user-add.
• New Logstash pipeline setup. Now uses multiple pipelines.
• New Master + Search node type and well as a Heavy Node type in the install.
• Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.
• Zeek 3.0.1
• Elastic 6.8.6
• New SO Start | Stop | Restart scripts for all components (eg. so-playbook-restart).
• BPF support for Suricata (NIDS), Steno (PCAP) & Zeek (docs).
• Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.
• Added so-status script which gives an easy to read look at container status.
• Manage threshold.conf for Suricata using the thresholding pillar (docs).
• The ISO now includes all the docker containers for faster install speeds.
• You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.
• Updated Helix parsers for better compatibility.
• Updated telegraf docker to include curl and jq.
• CVE-2020-0601 Zeek Detection Script.
• ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

• Mike Reeves
• Wes Lambert
• Josh Brower
• Josh Patterson
• William Wernert

Screenshots

so-status

Registering first user account

Logging in

Creating additional user

Warnings and Disclaimers

• This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!
• If this breaks your system, you get to keep both pieces!
• This is a work in progress and is in constant flux.
• This is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final release.
• Do NOT run this on a system that you care about!
• Do NOT run this on a system that has data that you care about!
• This should only be run on a TEST box with TEST data!
• Use of this ALPHA RELEASE may result in nausea, vomiting, or a burning sensation.

Ready to try it out?

If you want to try our new ISO image, please follow the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO

Otherwise, you can install Hybrid Hunter on Ubuntu 16.04 or CentOS 7 using the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack

Feedback
If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:
https://www.reddit.com/r/securityonion/

Security Onion Hybrid Hunter 1.1.1 - Alpha 2 Available for Testing!

UPDATE 2019/12/16 - Security Onion Hybrid Hunter 1.1.3 Alpha 3 is now available for testing!
https://blog.securityonion.net/2019/12/security-onion-hybrid-hunter-113-alpha.html

In 2018, we started working on the next major version of Security Onion, code-named Hybrid Hunter:
https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

We're excited to announce that Hybrid Hunter 1.1.1 is now available for testing and is considered our ALPHA 2 release!
https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Changes:

• Alpha 2 is here!
• Hybrid Hunter minimal ISO image now available!
• Suricata 4.1.5.
• Bro/Zeek 2.6.4.
• TheHive 3.4.0 (Includes ES 6.8.3 for TheHive only).
• Fixed Bro/Zeek packet loss calculation for Grafana.
• Updated to latest Sensoroni which includes websockets support for job status updates without having to refresh the page.
• NIDS and HIDS dashboard updates.
• Playbook and ATT&CK Navigator features are now included.
• Filebeat now logs to a file, instead of stdout.
• Elastalert has been updated to use Python 3 and allow for use of custom alerters.
• Moved Bro/Zeek log parsing from Logstash to Elasticsearch Ingest for higher performance and lower memory usage!
• Several changes to the setup script have been made to improve stability of the setup process:
• Setup now modifies your hosts file so that the install works better in environments without DNS.
• You are now prompted for setting a password for the socore user.
• The install now forces a reboot at the end of the install. This fixes an issue with some of the Docker containers being in the wrong state from a manual reboot. Manual reboots are fine after the initial reboot.

Warnings and Disclaimers

• This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!
• If this breaks your system, you get to keep both pieces!
• This is a work in progress and is in constant flux.
• This is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final release.
• Do NOT run this on a system that you care about!
• Do NOT run this on a system that has data that you care about!
• This should only be run on a TEST box with TEST data!
• Use of this script may result in nausea, vomiting, or a burning sensation.

Ready to try it out?

If you want to try our new minimal ISO image, please follow the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO

Otherwise, you can install Hybrid Hunter on Ubuntu 16.04 or CentOS 7 using the instructions here:
https://github.com/Security-Onion-Solutions/securityonion-saltstack

After you've installed, if you want to try out the new Playbook functionality, take a look at:
https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Playbook

Feedback
If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:
https://www.reddit.com/r/securityonion/

Security Onion Hybrid Hunter 1.0.3 Tech Preview Available for Testing!

We recently announced Security Onion Hybrid Hunter:

https://blog.securityonion.net/2018/11/security-onion-hybrid-hunter-101-tech.html

Hybrid Hunter 1.0.3 is now available for testing!

https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

This release includes Suricata 4.1.0, Elastic 6.4.2, and many improvements!  For more information, please see the Changelog:

https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Changelog

Security Onion Hybrid Hunter 1.0.1 Tech Preview Available for Testing!

From Doug Burks:

When Mike Reeves joined Security Onion Solutions in January 2018, one of the first things we discussed was building a brand new Security Onion platform with the following characteristics:

• Move from Ubuntu DEB packages to Docker images
• Support both Ubuntu 16.04 and RedHat/CentOS 7
• Higher performance
• More centralized configuration

In just a few short months, Mike has done an incredible amount of work to make this idea a reality and we announced it at Security Onion Conference 2018:

https://www.youtube.com/watch?v=MVZ33P_tN-g

Here’s Mike Reeves to tell you more about this exciting platform!

From Mike Reeves:

First off I would like to thank everyone who presented at or attended the 2018 Security Onion Conference. This was the best one yet and I am already excited about next year. I wanted to take the time to talk about some of the long term plans we have for the Security Onion platform and how these potential changes, which we’ve code named “Hybrid Hunter”, may affect your deployment. 

The general theme of Hybrid Hunter is simplification. We want you spending more time finding evil than running your sensor grid. Since 2008, Security Onion’s primary mission was to provide a Network Security Monitoring distribution that could be deployed in minutes instead of days or weeks.  Hybrid Hunter expands on this and allows it to scale better in large enterprise networks. 

At Security Onion Con 2018, Doug and I unveiled some details behind Hybrid Hunter. We received so much feedback and we are very appreciative to all of you. One item of feedback I received involved changes to the way Security Onion operates today. I think a perfect use case we can use to illustrate the changes is Logstash. Today, when there is an update to Logstash a couple of things happen. First, the Docker container gets replaced with a container running a newer version of Logstash. Additionally, an Ubuntu package is downloaded which updates the Logstash configuration, e.g., parsers, output configurations, etc. If we continued this method and wanted to support RedHat/CentOS, we would need to create a separate package to manage the parsers. Multiply that effort by over fifty packages, along with nuanced differences between the operating systems, and we would have an arduous task!

Our intent is for Hybrid Hunter to deliver as many components as possible as Docker containers. Gone would be the days where a new DEB or RPM package would be required for delivery of these changes, thus allowing us to support multiple Linux distributions going forward. Updating most Security Onion components would be as easy as updating Logstash and other Docker containers today. The process of updating would also allow for easy rollback. If something doesn’t work properly, the container can simply be stopped and the older version applied. The administrator will still run “soup”; however, it would not apply packages for SO components, just Docker containers!

For those of us that like to get our hands dirty when it comes to tweaking, you will be glad to know that the configurations will be centralized in the new platform. Today you have to visit multiple config files in multiple places to do tuning. Our goal is to put as much of this as possible into a single location, allowing you to tune more in less time. 

Even though there are some new tools being added or replaced, the end user experience should remain the same. The training you get from Security Onion Solutions will be applicable to the current version and Hybrid Hunter, with minor differences for advanced tuning. You will still pivot to PCAP the same way even though Google Stenographer will be gathering the packets instead of netsniff-ng. The whole reason for this change is to get more consistent results when pulling PCAP but it doesn’t change the way you use SO. The end result is the same PCAP with the same experience. Changing from PF_RING to AF_PACKET improves the way that we acquire packets but does not change the end result of what you will see in the console. AF_PACKET allows you to expand your tuning possibilities with Suricata and improves performance. Those alerts will still look the same and will be more consistent. Zeek (formerly Bro) will see a performance improvement over using PF_RING but the meta data will look the same.  We will also be allowing our users to select Community Bro if they so choose. Either choice will provide the same great metadata you have seen in Security Onion for years … and more!

I would also like to reiterate that there is no firm release date set. We are gathering input from you, the community, on other ways to make SO easier to deploy and tune. Our goal is to make the most successful experience for our users and expand our capabilities to fit the enterprise security monitoring needs of customers of all sizes.

Thanks,

Mike Reeves

Product Manager

Security Onion Solutions     

Try It Out

Try out the Hybrid Hunter Tech Preview here:

https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/master/README.md

Feedback

If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:

https://www.reddit.com/r/securityonion/

FAQ

Is the current Ubuntu-based platform still supported?

Yes, the current Ubuntu-based platform is still fully supported.  Once the new Hybrid Hunter platform reaches final release, we will announce plans to migrate from the current Ubuntu-based platform to the new platform.

Why the change from Ubuntu DEB packages to Docker images?

Docker images are easier to build and maintain and allow us to support other distros like CentOS.

Why the change from PF_RING to AF_PACKET?

AF_PACKET is included in the Linux kernel itself and thus doesn't require a separate kernel module.  It also provides some additional tuning capability.

Why manage everything with salt?

Salt will allow us to manage configuration centrally on the master node so that it won't matter whether you have 1 box or 100, you can still manage everything easily from a central location.

securityonion-pfring-module - 20121107-0ubuntu0securityonion31 now available for Security Onion 16.04!

securityonion-pfring-module - 20121107-0ubuntu0securityonion31 is now available for Security Onion 16.04 and should resolve the following issues:

securityonion-pfring-module: compile on kernel 4.15 #1274
https://github.com/Security-Onion-Solutions/security-onion/issues/1274

Thanks
Thanks to Wes Lambert for testing this new package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in Maryland and Georgia!  For more information and other training options, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Ubuntu 16.04 with HWE and PF_RING

Introduction
This blog post only applies to you if you installed our Security Onion 16.04 ISO images OR if you installed Ubuntu 16.04 with the HWE stack:
https://wiki.ubuntu.com/Kernel/LTSEnablementStack
https://wiki.ubuntu.com/Kernel/RollingLTSEnablementStack

As of this morning, it appears that Ubuntu has rolled the Ubuntu 16.04 HWE stack to 18.04 which means a 4.15 Linux kernel.

Problem
Our current PF_RING module will not compile on kernel 4.15.  If you upgrade to 4.15, you will have a failed PF_RING module and services that use PF_RING such as Snort, Suricata, and Bro, may not work properly.

Solution
We will be building new PF_RING packages to ensure compatibility with this new HWE stack.  In the meantime, please use the following guidance.

If you haven't already updated, we recommend avoiding updates until we have the new PF_RING packages available. 

If you've already updated, you can boot your machine(s) to the previous kernel by choosing "Advanced options" at the grub boot menu and then selecting the 4.13 kernel.

Updated 2018/07/02 12:27 PM Eastern
We've released an updated securityonion-pfring-module package that should resolve this issue, so you should now be able to install updates normally.
https://blog.securityonion.net/2018/07/securityonion-pfring-module-20121107.html

Security Onion 16.04.4.1 ISO image now available!

We're pleased to announce that Security Onion 16.04.4.1 RC2 has been promoted to RELEASE status!

This release resolves the following issues:

Issue 1247: Ubuntu 16.04 Xenial Support
https://github.com/Security-Onion-Solutions/security-onion/issues/1247

Issue 1202: CapMe: purge pcap symlinks older than 24 hours
https://github.com/Security-Onion-Solutions/security-onion/issues/1202

Issue 1169: Squert: remove search link from context menu
https://github.com/Security-Onion-Solutions/security-onion/issues/1169

Issue 875: Allow mysql root password
https://github.com/Security-Onion-Solutions/security-onion/issues/875

Release Notes
ELSA, Argus, and PRADS are no longer included in Security Onion.

For more information about this release, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/16.04.4.1

Security Onion 14.04 EOL Notice
All new development will now be on Security Onion 16.04.  Security Onion 14.04 will reach EOL on November 30, 2018.  After that date, we will not provide any support for Security Onion 14.04.  Please plan to upgrade or replace any existing 14.04 systems before that date.

Installation Guide
We've updated the Installation guide to reflect the download locations for the new ISO image:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Existing Deployments
If you have existing installations of Security Onion 14.04, you can upgrade to 16.04:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-14.04-to-16.04

Want us to upgrade your deployment for you?  Please contact Security Onion Solutions for pricing and scheduling:
https://securityonionsolutions.com

Training
We also offer onsite and online training!  For pricing and availability, please see:
https://securityonionsolutions.com

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Thanks!

Ubuntu released fixes for CVE-2015-7547 glibc security issue

Ubuntu has released fixes for the CVE-2015-7547 glibc security issue:
http://www.ubuntu.com/usn/usn-2900-1/

You should install these fixes as soon as possible using our normal update process:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

BDR2: Electric Boogaloo (towards Ubuntu 14.04)

If you've been in the Security Onion community for a few years, you may remember that back in 2012 we embarked on a project called BDR (Big Distro Rebuild) to put all of our software into true Ubuntu packages designed for Ubuntu 12.04:
https://groups.google.com/d/topic/security-onion-testing/kOib06_QMPU/discussion

It's now time to rebuild all of those packages for Ubuntu 14.04, so I'm calling this BDR2.  As mentioned at the Security Onion Conference, I'm hoping to get all this work done by Christmas, but no promises!

I've done some initial work to get the securityonion-client metapackage to install cleanly on Ubuntu 14.04.

Sguil client running on Ubuntu 14.04

I'll soon start working on the securityonion-sensor and securityonion-server metapackages.

Help Wanted

We're going to need lots of help testing all of these packages over the next few months, so if you'd like to contribute back to the community, please join the security-onion-testing mailing list and then see the following thread:
https://groups.google.com/d/topic/security-onion-testing/voIjY2OYjtc/discussion

Thanks!

Bash Vulnerability Part 6: YABU - Yet Another Bash Update

This is a continuation of the ShellShock posts from the last few days:
http://blog.securityonion.net/2014/09/bash-vulnerability.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-2.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-4-another.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-5-shellshock.html
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html

Ubuntu has now released yet another bash update:
http://www.ubuntu.com/usn/usn-2364-1/

You should install this updated package as soon as possible.  As always, we recommend using "soup" to apply package updates.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Ubuntu Hardware Enablement (HWE) Stacks

Summary

If you installed Security Onion using our ISO image, then you should be running the original 3.2 kernel which should be fully supported until April 2017.  However, if you installed Ubuntu and then added our PPA and packages, you may be running a Hardware Enablement (HWE) Stack that has reached End-of-life.  If this is the case, then you'll need to update to a newer HWE Stack that will continue to be supported.

Checking Your System using hwe-support-status
To check your system, run the following command:

hwe-support-status tool --verbose

For example, in the following screenshot, I'm running the command on a machine that was installed from the Security Onion ISO image.  If this is what you get, then you can disregard the rest of this blog post.

If, on the other hand, you receive output similar to the following screenshot (taken from a machine that was installed from an Ubuntu ISO image), then you'll need to update to a newer HWE Stack.

WARNING! Do NOT run the do-release-upgrade command as this will upgrade to Ubuntu 14.04, which is incompatible with our packages.  We'll be using the second "apt-get install" option to update the HWE stack.

Updating your HWE Stack
Before you update your HWE stack, make sure that you've installed all updates so that you have the new PF_RING packages that support Linux kernel 3.13:
http://blog.securityonion.net/2014/08/new-pfring-snort-suricata-bro-packages.html

You can verify that you have the new PF_RING 6.0.2 with "cat /proc/net/pf_ring/info":

Then run the apt-get command shown in *your* output of hwe-support-status.  In the hwe-support-status screenshot above, we were requested to run the following because we were just running Ubuntu Server (no GUI):

sudo apt-get install linux-generic-lts-trusty linux-image-generic-lts-trusty

Depending on how your system was installed, hwe-support-status may ask you to install additional packages.  For example, you may also be requested to update your xserver packages.  Run whatever command hwe-support-status recommends for you.

If the new HWE stack installed successfully, then reboot your system:

After rebooting and logging in, verify that you're running the new 3.13 kernel with the "uname -a" command:

You can also verify that the PF_RING kernel module got built and loaded correctly for the new 3.13 kernel:

Finally, run the hwe-support-status tool again to verify that your HWE stack is supported until April 2017:

For more information about Ubuntu HWE Stacks, please see:

https://wiki.ubuntu.com/Kernel/LTSEnablementStack

https://wiki.ubuntu.com/1204_HWE_EOL

Feedback

If you have any questions or problems, please use our security-onion mailing list:

https://code.google.com/p/security-onion/wiki/MailingLists

Conference

Less than 30 seats left for the Security Onion conference in Augusta GA! Reserve your seat today!

https://securityonionconference2014.eventbrite.com

Commercial Support/Training

Need training and/or commercial support?  Please see:

http://securityonionsolutions.com

Help Wanted

If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:

http://groups.google.com/group/security-onion

We also need help testing new packages:

http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-nsmnow-admin-scripts package prevents update prompts for Ubuntu 14.04

Over the past few weeks, you may have seen some Ubuntu prompts to upgrade to the new Ubuntu release (Ubuntu 14.04).  For example:

We have no immediate plans to support Ubuntu 14.04, so Ryan Peck suggested some changes to avoid these Ubuntu prompts (thanks, Ryan!):
https://groups.google.com/d/topic/security-onion/_N6O0XZbcSE/discussion

I've updated the NSM package to include these changes.  The updated package version is as follows:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion82

After installing, you should no longer receive either of the prompts shown above.  Here's an example of logging in via ssh without being prompted to upgrade to Ubuntu 14.04:

If you're running a kernel other than 3.2 (as shown above), you may still receive an Ubuntu message about updating your kernel and HWE stack.  Please do NOT do this until we release new PF_RING packages which support the new 3.13 kernel.  You can help us test the new PF_RING packages by joining the security-onion-testing Google Group and referring to this thread:
https://groups.google.com/d/topic/security-onion-testing/mKVn-GAPaIg/discussion

UPDATE 2014/08/27: Our new PF_RING packages have been released:
http://blog.securityonion.net/2014/08/new-pfring-snort-suricata-bro-packages.html

For instructions on updating your HWE stack, please see:
http://blog.securityonion.net/2014/08/ubuntu-hardware-enablement-hwe-stacks.html

This new package has been tested by the following (thanks!):
Pete Nelson
David Zawdie
Ronny Vaningh

Issues Resolved

Issue 574: NSM: prevent checking for new Ubuntu releases
https://code.google.com/p/security-onion/issues/detail?id=574

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Conference
Only 37 seats left for the Security Onion conference in Augusta GA! Reserve your seat today!
https://securityonionconference2014.eventbrite.com

Commercial Support/Training
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Ubuntu MySQL Updates

Ubuntu recently released updated MySQL packages.  As a reminder, please follow the instructions at the following link to avoid any issues with MySQL updates:
https://code.google.com/p/security-onion/wiki/MySQLUpdates

Security Onion and Ubuntu 12.04.1

The current version of Security Onion is based on Ubuntu 10.04.  Ubuntu 12.04.1 was just released yesterday and is being offered to users of 10.04 as an upgrade.  Existing users of Security Onion should NOT accept this upgrade to 12.04!  This is untested, unsupported, and is likely to break your system.

We are currently working on the new version of Security Onion that is based on Ubuntu 12.04.1.  As a reminder, we won't be able to support in-place upgrades from Security Onion 10.04 to Security Onion 12.04.1 since most folks will be migrating from 32-bit to 64-bit.  Begin planning your migrations now.

For more details on the upcoming version of Security Onion, please see the following:
http://code.google.com/p/security-onion/wiki/Roadmap
http://code.google.com/p/security-onion/issues/detail?id=247
http://groups.google.com/group/security-onion-testing

Suggestions for the Security Onion LiveCD

I'm currently working on the next version of the Security Onion LiveCD. What specific packages/features would you like to see added to the Security Onion LiveCD? Post a comment here or contact me on Twitter. Thanks!