Monday, December 31, 2012

Security Onion 12.04 is now available!


Introduction

New to Security Onion?  Here's a short FAQ from Brad Shoop:

What is Security Onion?

Security Onion is a network security monitoring system that provides full context and forensic visibility into the traffic it monitors. At its heart, it is designed to make deploying multiple complex open source tools simple via a single package, reducing what would normally take days to weeks of work to minutes. Featuring Bro IDS, your choice of Snort or Suricata, the Sguil analyst console, the ELSA, Squert, Snorby and capME web interfaces, and the ability to pivot from one tool to the next seamlessly, it provides the most effective collection of network security tools available in a single package.

What can it do for you?

  • Signature-based detection - Whether you choose Snort or Suricata for signature-based detection, you'll have Snort and/or Emerging Threats signatures available for use.
  • Context - Bro IDS provides visibility into the haystack, while signature-based detection targets the needle. Now you can know not only what signature-based events occurred, but you can have full context of all activity detected from the host involved. What domains a host queries, SSL certificates it's used, files downloaded, FTP/SMTP/IRC activity? All contextual questions that can help determine whether a signature-based alert is an event or an incident.
  • Evidence - Full packet capture means you can know exactly what a host did. Sguil and its integration with other tools in Security Onion, such as Network Miner and Wireshark in addition to ELSA, Squert and Snorby via capME, allow an analyst to look at the evidence of a network attack frame by frame exactly as it happened, all with a click of a mouse.
  • Tools - Security Onion is loaded with tools to monitor your network efficiently and effectively. Sguil provides the best security analyst console available in terms of function and utility. Squert and Snorby provide visibility into Sguil and Snort respectively, and ELSA provides a Splunk-like interface to the vast wealth of log data Security Onion will harvest from Bro, OSSEC and more.
  • Save Money - It's free, well except for the hardware. But it will help you save a lot of money you might otherwise throw at commercial solutions and you could maybe spend some of that money so your analysts can become better.

What can't it do for you?

Security Onion is a network monitoring and detection system. It will not block an attack, nor is it designed to. It will, however, act as a video camera for your network for every connection it sees, not just the ones that it thinks are bad. In a world where detection rates are unpredictable, evidence like this can save you a lot of money.

Changes

No major changes since we announced RC1 and the ISO image, just a few small bug fixes:

  • Setup no longer disables NIC offloading features on management interface
  • Setup now disables the IPv6 stack on sniffing interfaces (can still sniff IPv6, though)
  • If running Quick Setup, netsniff-ng is started with the "-c" option to disable scatter/gather mode and force traffic to be written to disk instantly

Instructions

For full instructions on installing Security Onion 12.04, please see the installation page on our Wiki.

Screenshots

  • Booting ISO image
  • Booted into Live desktop, starting Xubuntu installer
  • Started Xubuntu installer
  • Completed Xubuntu installer, ready to reboot into new installation
  • Rebooted into new installation, ready to run Setup
  • Started Setup Wizard
  • Configuring /etc/network/interfaces
  • Selecting management interface
  • Selecting DHCP for this test VM
  • Selecting sniffing interfaces
  • Confirming network interface configuration, ready to reboot
  • Rebooted and ready to do the second phase of Setup
  • Started Setup Wizard
  • Setup detects that network interfaces have already been configured
  • Choosing Quick Setup for this test VM
  • Selecting interface to run sniffing processes on
  • Setting username for Sguil/Squert/ELSA
  • Setting email address for Snorby
  • Setting password for Sguil/Squert/Snorby/ELSA
  • Confirming password
  • Optionally enabling ELSA
  • Confirming selections
  • Setup wizard performs all configuration automatically
  • Setup Complete #1
  • Setup Complete #2
  • Setup Complete #3
  • Replaying sample pcaps to simulate network traffic
  • Logging into Snorby
  • Snorby Dashboard
  • Pivoting from IDS alert in Snorby to Full Transcript
  • Viewing full transcript in CapME
  • Logging into Squert
  • Squert Dashboard
  • Squert Signature Statistics
  • Squert GeoIP
  • Squert events
  • Logging into Sguil
  • Sguil RealTime Console
  • Sguil pivoting from IDS alert to full transcript
  • Logging into ELSA
  • ELSA query for Bro Notices
  • ELSA pivoting from Bro notice to full transcript
  • Full transcript in CapME

Thursday, December 20, 2012

Need help testing Security Onion 12.04 RC1 ISO image

We now have an official Security Onion 12.04 RC1 ISO image!

It's based on Xubuntu 12.04 64-bit and contains all of our Security Onion packages.  The RC1 page has been updated with instructions for downloading and installing the ISO:
http://code.google.com/p/security-onion/wiki/RC1

Please test this ISO image *thoroughly* and verify the following:
  • hardware compatibility (VM and bare metal)
  • run through several variations of Setup (Quick, Advanced, Standalone, Distributed)
  • all features work as advertised (sniffers, Sguil, Squert, Snorby, ELSA)
  • no glaring security holes
  • no personal artifacts I forgot to remove
Please send your feedback (good or bad) to our security-onion-testing mailing list:

Thanks for your help!

Sunday, December 16, 2012

Security Onion 12.04 RC1 Available Now!


Changes

We've made lots of improvements since we announced our Beta release.  Here are some quick highlights:

  • added CapME, an OpenFPC-like web interface for pcap transcripts
  • updated Setup script to automatically configure Snorby and ELSA to integrate with CapME
  • enhanced Setup script to automatically configure network interfaces and disable NIC offloading
  • updated many packages including ELSA, Suricata, and PF_RING
  • included some sample pcaps from OpenPacket.org
  • replaced daemonlogger with netsniff-ng
  • lots of bug fixes

Instructions

For full instructions on installing RC1, please see the RC1 page on our Wiki.

Screenshots

The following screenshot starts out with a typical IDS alert in Snorby.  Wanting to investigate further, we click "Packet Capture Options" and then "Custom" which results in the "Packet Capture Builder" popup window.  Clicking "Fetch Packet" will result in a CapME query to display the transcript of the entire conversation as shown in the final screenshot.
Pivoting from Snorby to CapME pcap transcript

In the following screenshot, we've queried ELSA for Bro notices of type "HTTP::Malware_Hash_Registry_Match".  (Did you know that Bro automatically creates an MD5 sum of every file it sees transferred over HTTP and compares those MD5 sums to Team Cymru's Malware Hash Registry?)  After finding some matches, we click the "Info" link on the left which results in an Info popup window.  Here we click the Plugin dropdown box and select "getPcap" to send a request to CapME as shown in the final screenshot.
Pivoting from ELSA to CapME pcap transcript

CapME pcap transcript
Can your IDS/SIEM do that?  If not, get Security Onion today!

Thanks

Thanks to everyone who has helped us get this far!  Thanks to all of our testers for finding and reporting issues and HUGE thanks to the following for their tireless efforts over the last few weeks on building CapME and getting it fully integrated:
Paul Halliday
Martin Holste
Scott Runnels

Wednesday, November 14, 2012

Security Onion at FloCon 2013

Security Onion will be at FloCon 2013!

I'll be giving a 4-hour training session on Monday:
http://www.cert.org/flocon/program.html

and a 30-minute presentation on Wednesday:
http://www.cert.org/flocon/program-wed.html

Please make plans to attend!

Tuesday, October 2, 2012

Security Onion video from DerbyCon

Once again, Adrian Crenshaw sets a land speed record for publishing conference videos!  The Security Onion presentation was on Saturday and Adrian had the video published by Monday night.  Thanks to Irongeek, rel1k, and the rest of the Derbycon crew!

Saturday, September 29, 2012

Security Onion 12.04 Beta Available Now!

After many months of hard work, I'm excited to announce that Security Onion 12.04 Beta is available now!  Thanks to everyone who has helped get us this far!

Quick highlights:


  • Choose your favorite flavor of 32-bit/64-bit Ubuntu (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server)
  • Add our PPA and our packages and run through the Setup wizard to get:
    • Snort, Suricata, Bro, Sguil, Squert, Snorby, NetworkMiner
    • PF_RING and AF_PACKET fanout for high performance and scalability
    • ELSA - Enterprise Log Search and Archive
For full instructions, please see the Security Onion 12.04 Beta page on our Wiki.

If you're at DerbyCon this weekend, come check out the new Security Onion 12.04 Beta on Saturday at 6:00 PM.

Sguil showing 2 load-balanced Snort processes using PF_RING

Snorby showing 2 load-balanced Snort processes using PF_RING

Squert showing 2 load-balanced Snort processes using PF_RING

ELSA with new Dashboard functionality

Friday, August 24, 2012

Security Onion and Ubuntu 12.04.1

The current version of Security Onion is based on Ubuntu 10.04.  Ubuntu 12.04.1 was just released yesterday and is being offered to users of 10.04 as an upgrade.  Existing users of Security Onion should NOT accept this upgrade to 12.04!  This is untested, unsupported, and is likely to break your system.

We are currently working on the new version of Security Onion that is based on Ubuntu 12.04.1.  As a reminder, we won't be able to support in-place upgrades from Security Onion 10.04 to Security Onion 12.04.1 since most folks will be migrating from 32-bit to 64-bit.  Begin planning your migrations now.

For more details on the upcoming version of Security Onion, please see the following:
http://code.google.com/p/security-onion/wiki/Roadmap
http://code.google.com/p/security-onion/issues/detail?id=247
http://groups.google.com/group/security-onion-testing

Friday, August 17, 2012

Dr. J's Poor Man DNS Anomaly Detection using Bro

Dr. Johannes Ullrich of the SANS Internet Storm Center posted a great DNS Anomaly Detection script based on the query logs coming from his DNS server. We can do the same thing with Bro's dns.log (where Bro captures all the DNS queries it sees on the network):
http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection
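The following is an added example, not the wiki script linked above and not Dr. J's own code: a Python check over Bro's dns.log in the spirit of that approach, comparing today's frequency table of queried names against a baseline day and flagging names that are new or whose count jumped. The log lines, the threshold values and the function names are constructed for illustration; the only thing assumed from Bro is its default tab-separated log layout with a "#fields" header line.

```python
"""Poor man's DNS anomaly detection over Bro dns.log (constructed example).

Build a frequency table of queried names for a baseline day and for the
current day, then flag names that are new or whose query count spiked.
Assumes Bro's default tab-separated dns.log with a '#fields' header; the
two logs below are constructed samples carrying a subset of Bro's columns.
"""
from collections import Counter

# Constructed baseline capture (one quiet day).
BASELINE_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name
1345075200.10\tCa1\t10.0.0.5\t50001\t10.0.0.1\t53\tudp\twww.example.com\tA
1345075201.20\tCa2\t10.0.0.5\t50002\t10.0.0.1\t53\tudp\tmail.example.com\tMX
1345075202.30\tCa3\t10.0.0.7\t50003\t10.0.0.1\t53\tudp\tWWW.example.com\tA
1345075203.40\tCa4\t10.0.0.7\t50004\t10.0.0.1\t53\tudp\tntp.ubuntu.com\tA
1345075204.50\tCa5\t10.0.0.9\t50005\t10.0.0.1\t53\tudp\tmail.example.com\tA
1345075205.60\tCa6\t10.0.0.9\t50006\t10.0.0.1\t53\tudp\twww.example.com\tAAAA
#close\t2012-08-16-23-59-59
"""

# Constructed current-day capture: one never-seen name, one count spike,
# one single lookup and one record where Bro left the query unset ('-').
CURRENT_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name
1345161600.10\tCb1\t10.0.0.5\t50011\t10.0.0.1\t53\tudp\twww.example.com\tA
1345161601.20\tCb2\t10.0.0.5\t50012\t10.0.0.1\t53\tudp\tmail.example.com\tMX
1345161602.30\tCb3\t10.0.0.7\t50013\t10.0.0.1\t53\tudp\tntp.ubuntu.com\tA
1345161603.40\tCb4\t10.0.0.7\t50014\t10.0.0.1\t53\tudp\ta7x3kq.updates-cdn.invalid\tA
1345161604.50\tCb5\t10.0.0.7\t50015\t10.0.0.1\t53\tudp\tntp.ubuntu.com\tA
1345161605.60\tCb6\t10.0.0.9\t50016\t10.0.0.1\t53\tudp\twww.example.com\tA
1345161606.70\tCb7\t10.0.0.7\t50017\t10.0.0.1\t53\tudp\ta7x3kq.updates-cdn.invalid\tA
1345161607.80\tCb8\t10.0.0.9\t50018\t10.0.0.1\t53\tudp\tmail.example.com\tA
1345161608.90\tCb9\t10.0.0.7\t50019\t10.0.0.1\t53\tudp\tntp.ubuntu.com\tA
1345161609.00\tCb10\t10.0.0.5\t50020\t10.0.0.1\t53\tudp\twww.example.com\tAAAA
1345161610.10\tCb11\t10.0.0.7\t50021\t10.0.0.1\t53\tudp\ta7x3kq.updates-cdn.invalid\tA
1345161611.20\tCb12\t10.0.0.7\t50022\t10.0.0.1\t53\tudp\tntp.ubuntu.com\tA
1345161612.30\tCb13\t10.0.0.9\t50023\t10.0.0.1\t53\tudp\twww.example.com\tA
1345161613.40\tCb14\t10.0.0.9\t50024\t10.0.0.1\t53\tudp\tone-off.invalid\tA
1345161614.50\tCb15\t10.0.0.9\t50025\t10.0.0.1\t53\tudp\t-\t-
#close\t2012-08-17-23-59-59
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in '#fields'.
    Lines starting with '#' are Bro's metadata (separator, fields, close)."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue
        elif fields is None:
            raise ValueError("log record seen before the #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def query_counts(text):
    """Frequency table of queried names. Bro writes '-' for an unset field,
    and DNS names are case-insensitive, so normalise before counting."""
    counts = Counter()
    for rec in parse_bro_log(text):
        name = rec.get("query", "-")
        if name == "-":
            continue
        counts[name.lower().rstrip(".")] += 1
    return counts


def find_anomalies(baseline, current, ratio=3.0, min_count=3):
    """Return (name, baseline_count, current_count, reason) tuples sorted by
    current count descending. A name is flagged when it is new relative to
    the baseline or when its count grew by more than `ratio`; `min_count`
    keeps single lookups from producing noise. Thresholds are illustrative."""
    flagged = []
    for name, now in current.items():
        if now < min_count:
            continue
        before = baseline.get(name, 0)
        if before == 0:
            flagged.append((name, before, now, "new name"))
        elif now > before * ratio:
            flagged.append((name, before, now, "count spike"))
    flagged.sort(key=lambda t: (-t[2], t[0]))
    return flagged


def report(baseline_text=BASELINE_LOG, current_text=CURRENT_LOG):
    """Compare two dns.log captures and return the findings."""
    return find_anomalies(query_counts(baseline_text), query_counts(current_text))


if __name__ == "__main__":
    for name, before, now, reason in report():
        print(f"{reason:12s} {name:30s} baseline={before} today={now}")
```

On a real sensor you would feed it two days of /nsm/bro logs rather than the embedded samples; a flagged name is a starting point for a pivot into the rest of Bro's logs, not a verdict.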

Friday, May 18, 2012

Security Onion 20120518 now available!


Security Onion 20120518 is now available!  This resolves the following issues:

Issue 261: Add Mark Baggett's reassembler.py
http://code.google.com/p/security-onion/issues/detail?id=261

Look for an upcoming blog post by Mark Baggett (@MarkBaggett) talking about reassembler.py and what it can show you.

UPDATE: Mark's blog post has been posted to the Internet Storm Center:
http://isc.sans.edu/diary.html?storyid=13282

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Mark Baggett for reassembler.py!
Thanks to the following for their help in testing this release!
Joe Stevensen
Mark Hillick

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Monday, May 14, 2012

Security Onion at DC404 in Atlanta GA this Saturday 5/19

I'll be presenting Security Onion at the DC404 meeting this Saturday 5/19!

Brad Shoop will also be there presenting his Splunk app for Security Onion!

For more information, please see:
http://dc404.org/


Thursday, May 10, 2012

Security Onion 20120511 now available!


Security Onion 20120511 is now available!  This resolves the following issues:

Issue 205: Bro's http.log needs to be per-interface
http://code.google.com/p/security-onion/issues/detail?id=205

Issue 264: NSM package is missing the bro cron job
http://code.google.com/p/security-onion/issues/detail?id=264

Issue 265: Upgrade httpry_agent to http_agent to support Bro logs
http://code.google.com/p/security-onion/issues/detail?id=265

Issue 266: Remove httpry from NSM scripts
http://code.google.com/p/security-onion/issues/detail?id=266

In summary, this update migrates from the combination of httpry/httpry_agent to Bro/http_agent.  As noted in http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.html, this means that networks with VLAN tags will now get HTTP logs in Sguil.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Paul Halliday for adding Bro http.log support to http_agent!
Thanks to Seth Hall for the security-onion.bro script for splitting Bro's http.log when necessary!
Thanks to the following for their help in testing this release!
Scott Runnels
Tom De Vries
David Zawdie


Tuesday, May 8, 2012

Security Onion 20120508 now available!


Security Onion 20120508 is now available!  This resolves the following issue:
Issue 239: autossh tunnel from sensor to server needs to be more robust

Please note that the update does NOT automatically restart the running ssh tunnel.  If you have sensors reporting to servers, please schedule a time to reboot them to get the new tunnel settings.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to the following for their help in testing this release!
Tom De Vries
Jason Boss
David Zawdie
Mark Hillick
Liam Randall


Thursday, April 26, 2012

Security Onion 20120427 now available!


Security Onion 20120427 is now available!  This resolves the following issues:
Issue 245: Snort 2.9.2.2
Issue 259: Update Security Onion logo

Please note that if you are using the VRT ruleset and are a free "Registered User" (instead of a paid "Subscriber"), then you may need to wait until the 30-day wait period has elapsed to get the new 2.9.2.2 rules.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Please note that the new snort.conf will overwrite your existing snort.conf.  Your existing snort.conf will be backed up to /nsm/backup/20120427/NAME_OF_SENSOR/.  Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/snort.conf.

Screenshots
Upgrade Process
Upgrade Process (cont.)
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Sourcefire for Snort 2.9.2.2!
Thanks to Jack Blanchard for the updated Security Onion logo!
Thanks to the following for their help in testing this release!
Heine Lysemose
Tom De Vries
Eric Ooi
David Zawdie


Wednesday, April 25, 2012

Security Onion 20120425 now available!


Security Onion 20120425 is now available!  This resolves the following issues:
Issue 155: Modify Setup script so that IDS Engine choice is a list instead of Yes or No default
Issue 250: Setup needs to delete /var/www/squert/.scripts/Ip2c/*.md5 before running ip2c.tcl
Issue 251: /var/www/squert/.scripts/Ip2c/ip2c.tcl needs to run once a week
Issue 256: Update Setup to allow running multiple times in sensor-->server config
Issue 257: Setup should create snort.stats if user chooses Suricata

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Paul Halliday for his suggestions for Squert!
Thanks to the following for their help in testing this release!
Scott Runnels
David Zawdie
Karolis


Monday, April 23, 2012

Security Onion 20120423 now available!


Security Onion 20120423 is now available!  This resolves the following issues:
Issue 248: sostat doesn't handle single-digit date properly
Issue 258: sostat should display the size of each pcap directory

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Stephane Chazelas for his contributions to sostat!
Thanks to the following for their help in testing this release!
Eric Ooi
Scott Runnels
David Zawdie


Friday, April 20, 2012

Security Onion 20120418 now available!


Security Onion 20120418 is now available!  This resolves the following issue:
Issue 254: tcpflow 1.1.1 connection counter breaks Sguil's transcript window

Notes
This update installs the new tcpflow 1.2.6 at /usr/local/bin/tcpflow and a shim at /usr/bin/tcpflow.  The shim is just a bash script that runs the following:
/usr/local/bin/tcpflow -T%A.%a-%B.%b "$@"

The new version of tcpflow has a new output format so we execute the shim to call tcpflow with the correct -T options to produce the original tcpflow format that Sguil is expecting.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Simson Garfinkel for the updated tcpflow!
Thanks to the following for their help in testing this release!
Sunil Gupta
Heine Lysemose
Tom De Vries


Friday, April 13, 2012

Security Onion 20120412 now available!


Security Onion 20120412 is now available!  This resolves the following issues:
Issue 226: Rename bro workers
Issue 255: Add /etc/cron.d/nsm-watchdog back to nsmnow-admin-scripts package

Notes
Users with two or more interfaces will notice that the Bro worker configuration in /usr/local/etc/node.cfg has changed.  Instead of worker-1, worker-2, etc., they now follow our normal naming convention (so-eth0, so-eth1, etc.).  For users with only one interface, there will be no changes to the Bro configuration since the standalone Bro configuration doesn't have named workers.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Karolis Cepulis for identifying the missing /etc/cron.d/nsm-watchdog file!
Thanks to the following for their help in testing this release!
Scott Burkhart
David Zawdie


Thursday, April 5, 2012

Security Onion 20120405 now available!


Security Onion 20120405 is now available!  This resolves the following issue:
Issue 219: Default Web page

Notes
After this upgrade, you will have a new default web page for the Apache web server at https://localhost.  This new page contains links to Squert, Snorby, and Xplico on the local server.  It also contains links to the Security Onion blog, wiki, etc.

The existing README.html on user desktops will be replaced with a link to this page.

Any Firefox profiles that are still set to the default home page will be set to https://localhost.

PLEASE close any running instances of Firefox BEFORE running the upgrade to make sure that the home page gets set properly and not overwritten by the running Firefox instance.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Eric Ooi for his work on the new web page and the Tools page in our Wiki!
Thanks to the following for their help in testing this release!
Joe Stevensen
Scott Burkhart
David Zawdie
Eric Ooi
Victor Julien

