Thursday, June 27, 2013

8-hour Security Onion class in Augusta GA on Thursday August 1, 2013


Want to learn more about Security Onion?  Please make plans to attend the upcoming 8-hour class in Augusta GA on Thursday August 1, 2013!  For more details and to register, please see:

Tuesday, June 25, 2013

New securityonion-rule-update package distributes OSSEC local_rules.xml and allows for per-sensor NIDS/HIDS rule tuning

A new version of our securityonion-rule-update package is now available that distributes OSSEC's local_rules.xml from master server to slave sensors by default and also allows for NIDS/HIDS rule tuning per physical sensor.

This update resolves the following issues:
Issue 342: Allow more granular rule tuning (per physical sensor)
Issue 325: rule-update needs to check for privileges
Issue 326: rule-update needs to check for /etc/nsm/rules/backup/
Issue 349: rule-update needs to copy OSSEC local_rules.xml from master to sensor
Issue 353: rule-update should remove unneeded messages from PulledPork output

NIDS Rules
Previously, rule-update in distributed deployments would copy NIDS rules from the master server to slave sensors but wouldn't allow you to tune the ruleset per sensor.  This new version of rule-update allows for ruleset tuning per physical sensor.  If you'd like to enable this, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_NIDS_RULE_TUNING=true
The next time rule-update runs, it should copy the raw NIDS rules from the master server and run PulledPork locally, applying the ruleset changes you've configured in /etc/nsm/pulledpork/ on the sensor itself.

HIDS Rules
Another change in this new rule-update is that OSSEC's local_rules.xml is now copied from the master server to slave sensors by default.  If local_rules.xml has changed since the previous run of rule-update, it will then automatically restart OSSEC to activate the new configuration.  If you want to tune local_rules.xml per physical sensor, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_HIDS_RULE_TUNING=true
What if I've already modified OSSEC's local_rules.xml on the sensor?  Will my changes be overwritten?
If you had previously tuned OSSEC's local_rules.xml on the sensor itself and don't want those changes to be overwritten when the new version of rule-update runs, set LOCAL_HIDS_RULE_TUNING=true before upgrading the rule-update package.  If you have already upgraded rule-update without setting LOCAL_HIDS_RULE_TUNING=true, your custom local_rules.xml should have been backed up to /var/ossec/rules/local_rules_orig.xml.  You can then set LOCAL_HIDS_RULE_TUNING=true and copy /var/ossec/rules/local_rules_orig.xml to /var/ossec/rules/local_rules.xml.

Thanks
Thanks to Chris White for the granular NIDS rule tuning patch!
Thanks to the following for testing the new package:
David Zawdie
Heine Lysemose

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Github
Found bugs in rule-update or want to add new features?  rule-update is now on github:
https://github.com/Security-Onion/securityonion-rule-update

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, June 24, 2013

New securityonion-sguil-client package now available

I've patched the Sguil client to add "Copy IP Address" to the right-click context menu for IP addresses. So for example, if you find an interesting IP address in Sguil and want to search ELSA for that IP address, you can just right-click the IP address, select "Copy IP Address", select "SrcIP" or "DstIP", and then alt-tab to your ELSA window and paste it in.

[Screenshot: the new "Copy IP Address" entry in the Sguil right-click menu]
Thanks
The new package has been tested by the following:
David Zawdie
Heine Lysemose

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, June 17, 2013

8-hour Security Onion class in Augusta GA on Thursday August 1, 2013

Want to learn more about Security Onion?  Please make plans to attend this 8-hour class in Augusta GA on Thursday August 1, 2013!

More details (including cost, location, and registration information) will be posted here soon.  Stay tuned for details!

UPDATE 2013/06/27

Registration is now live!
http://securityonion.eventbrite.com/

Saturday, June 15, 2013

New securityonion-rule-update package

Michal Purzynski fixed a bug in our securityonion-rule-update package (thanks Michal!).  The new package is now available in our stable repo.  If you're running Sourcefire VRT rules in a distributed deployment, we recommend updating to ensure that Shared Object (SO) rules get copied to your distributed sensors properly. 

Feedback
If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!


Monday, June 10, 2013

Security Onion 12.04.1 ISO image now available

We have a new Security Onion 12.04.1 ISO image now available that contains all the latest Ubuntu and Security Onion updates as of June 5, 2013!  It also contains the two new pcap samples packages recently released:
http://securityonion.blogspot.com/2013/05/new-pcap-samples-package-securityonion.html
http://securityonion.blogspot.com/2013/05/new-pcap-samples-package-securityonion_27.html

Changelog
For a list of all changes made since our original 12.04 ISO image was released, please see:
https://code.google.com/p/security-onion/wiki/Roadmap

New Users
I've updated the Installation guide to reflect the download locations for the new 12.04.1 ISO image:
https://code.google.com/p/security-onion/wiki/Installation

As always, please remember to verify the checksum of the downloaded ISO image using the instructions in the Installation guide.

Existing Deployments
If you have existing installations based on our original 12.04 ISO image, there is no need to download the new 12.04.1 ISO image.  You can simply continue using the standard Ubuntu package management tools to install updated packages as they are made available:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, June 7, 2013

New securityonion-pfring-module package now available

We recently released PF_RING 5.5.3 packages:
http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html

Shortly after releasing the packages, we determined that there was a bug in the kernel module.  The PF_RING team patched the kernel module and I've created a new securityonion-pfring-module package which is now available in our stable repo.

To ensure that the PF_RING kernel module is installed before any Ubuntu kernel updates, you may want to install as follows:
sudo apt-get update ; sudo apt-get install securityonion-pfring-module ; sudo apt-get dist-upgrade
For more information, please see our Upgrade page:
https://code.google.com/p/security-onion/wiki/Upgrade

The securityonion-pfring-module package will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module and insert it
  • start all NSM sensor processes

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, May 31, 2013

Suricata 1.4.2 package now available

Suricata 1.4.2 was recently released:
http://suricata-ids.org/2013/05/29/suricata-1-4-2-released/

I've packaged Suricata 1.4.2 and it has been tested by the following (thanks!):
David Zawdie

Upgrade Process

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get install securityonion-suricata
The Suricata update will do the following:

  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.2

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:

sudo nsm_sensor_ps-restart --only-snort-alert
[Screenshots: the upgrade process (apt-get install securityonion-suricata, then "suricata -V" to confirm the version), and the reminder to update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"]

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Thursday, May 30, 2013

PF_RING 5.5.3 packages now available

PF_RING 5.5.3 was recently released:
http://www.ntop.org/pf_ring/pf_ring-5-5-3-released/

I've packaged PF_RING 5.5.3 and the packages have been tested by the following (thanks!):
David Zawdie
Matt Gregory

The new packages are now available in our stable repo.  To ensure that the PF_RING kernel module is installed before any Ubuntu kernel updates, you may want to install as follows:
sudo apt-get update ; sudo apt-get install securityonion-pfring-module ; sudo apt-get dist-upgrade
For more information, please see our Upgrade page:
https://code.google.com/p/security-onion/wiki/Upgrade

The securityonion-pfring-module package will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes

[Screenshot: update process]
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, May 28, 2013

New Setup package configures OSSEC to send alerts to ELSA

Previously, when a user ran Setup and enabled ELSA, they would be able to log into ELSA and view OSSEC *archive* logs (the raw logs received by OSSEC) but they wouldn't be able to view OSSEC *alerts* (created based on OSSEC's analysis of the incoming logs as configured by the OSSEC ruleset).  I've pushed a new Setup package that will configure OSSEC to send alerts to local syslog if the user enables ELSA.  The new package has been tested by Matt Gregory.  Thanks, Matt!

If you've already run Setup and would like to configure OSSEC to send alerts to ELSA, please see:
https://code.google.com/p/security-onion/wiki/OSSECalertsToELSA

Updating
If you're performing a new installation, it's important to update your packages right after you've completed the Ubuntu installer and BEFORE running Setup.  You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
[Screenshot: upgrade process]
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New NSM scripts package includes daily restart of Sguil agents

Under certain conditions, some Sguil agents may fail to reconnect to sguild properly.  I've added daily cronjobs to /etc/cron.d/sensor-newday to restart all Sguil agents to help alleviate this.

The new securityonion-nsmnow-admin-scripts package has been tested and confirmed by the following (thanks!):
David Zawdie
Matt Gregory

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
[Screenshot: upgrade process]
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Snorby 2.6.2 package now available

Snorby 2.6.2 was recently released:
https://github.com/Snorby/snorby/blob/master/ChangeLog.md

I've packaged Snorby 2.6.2 and the new securityonion-snorby package has been tested and confirmed by the following (thanks!):
Matt Gregory
David Zawdie

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  Please see the following for the recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

When the new securityonion-snorby package installs, it should restart Apache and, if Setup has already been run, it should run "bundle exec rake snorby:update" and restart the Snorby worker as follows (you can disregard any "Jammit Warning" messages).
[Screenshot: upgrade process]
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, May 27, 2013

Snort 2.9.4.6 package now available

Snort 2.9.4.6 was recently released:
http://blog.snort.org/2013/04/snort-2946-has-been-released.html

I've packaged Snort 2.9.4.6 and the new package has been tested by the following (thanks!):
Heine Lysemose
Matt Gregory
David Zawdie

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Install Process

The Snort update will do the following:

  • back up each of your existing snort.conf file(s) to snort.conf.bak
  • update Snort to 2.9.4.6

If you're running Snort in production, then you'll need to do the following:

  • apply your local customizations to the new snort.conf file(s)
  • update ruleset and restart Snort as follows:
sudo rule-update
[Screenshots: the install process (apt-get dist-upgrade, then "snort -V" to confirm the version), and the reminder to apply any local customizations to snort.conf file(s) and then run "sudo rule-update"]

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New pcap samples package securityonion-samples-markofu

Mark Hillick put together some pcap samples (thanks Mark!) and I've put them into a new package called securityonion-samples-markofu.  The package will install the pcaps to:
/opt/samples/markofu/

Installation
This package will be included in the upcoming 12.04.1 ISO image, but it's an optional package so it won't automatically install on existing installations.  If you'd like to install this package onto your existing installation, you can use the graphical Update Manager or the following one-liner:
sudo apt-get update && sudo apt-get install securityonion-samples-markofu

Screenshot
[Screenshot: installation]
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New pcap samples package securityonion-samples-pnsm

Richard Bejtlich put together some pcap samples (thanks Richard!) and I've put them into a new package called securityonion-samples-pnsm.  The package will install the pcaps to:
/opt/samples/pnsm/

Some of the pcaps have file extensions other than .pcap, so the default Ubuntu AppArmor policy won't allow tcpdump to read them.  This package will automatically update the AppArmor policy to fix this.

Installation
This package will be included in the upcoming 12.04.1 ISO image, but it's an optional package so it won't automatically install on existing installations.  If you'd like to install this package onto your existing installation, you can use the graphical Update Manager or the following one-liner:
sudo apt-get update && sudo apt-get install securityonion-samples-pnsm

Screenshot
[Screenshot: installation]
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, May 13, 2013

Upcoming Events in May and June

I'll be speaking on "Enterprise Log Collection and Analysis using Security Onion, OSSEC, and ELSA" at the Augusta Linux User Group meeting on Thursday 5/16:
http://www.meetup.com/Augusta-Linux-User-Group/

I'll also be presenting Security Onion at BSides Charlotte on 6/8:
http://bsidesclt.org/

Hope to see you there!

New Setup package avoids bug when monitoring multiple interfaces

A new Setup package is now available that avoids a bug when monitoring multiple interfaces. When you choose Advanced Setup, the Bro CPU Cores screen will still ask you how many CPU cores you'd like to use for Bro, but it now also includes the following note:
Please note there is a bug in Bro 2.1 when monitoring multiple interfaces with PF_RING that results in traffic loss. If you're monitoring multiple interfaces, we'll configure Bro to disable PF_RING load balancing to avoid this issue. We'll record your desired number of PF_RING CPU cores for when Bro 2.2 is released.
This resolves the following issue:
Issue 317: Setup should disable Bro's PF_RING load balancing config when monitoring multiple NICs

The new package has been tested by Matt Gregory.  Thanks, Matt!

Updating
If you're performing a new installation, it's important to update your packages right after you've completed the Ubuntu installer and BEFORE running Setup.  You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, May 3, 2013

New ELSA and Sphinx packages now available


Scott Runnels has been hard at work updating our ELSA packages and building our own custom Sphinx package!  These new packages should resolve the following issues:

Issue 290: Update ELSA to r713
Issue 289: ELSA - include YUI library
Issue 300: /etc/elsa_web.conf needs 127.0.0.1 to have ports defined as well
Issue 298: Build new sphinx package with --enable-id64 compile-time option
Issue 324: sphinx should check for proper permissions before starting
Issue 299: sphinx.conf - swap "3307" with "9312"
Issue 327: Remove sphinx default cronjob as it is unnecessary and can cause issues

The new packages have been tested by the following (thanks!):
Brad Shoop
David Zawdie
Matt Gregory

UPDATE 5/3 21:18 - We have reports of issues with the sphinxsearch upgrade.  Please do not upgrade until we've determined the root cause.

UPDATE 5/4 00:05 - We've determined the root cause and are trying to determine the best fix.

UPDATE 5/4 13:00 - We're currently building a new package.  Will update later today after it has finished building and has been tested.

UPDATE 5/5 08:24 - The new sphinxsearch package has had some initial testing which appears to be successful. If you can test it in a non-production environment, we'd appreciate any feedback on our mailing list.

UPDATE 5/7 07:21 - Added the "Cleaning Up Perl Processes" and "Rebuilding Indexes" sections below.

UPDATE 5/7 09:45 - Added the "Known Issues" section below.

Updating
The new packages are now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade

Warning
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  If so, please cancel the update and use our recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

Cleaning Up Perl Processes
One of the issues fixed in this release was the extra perl processes occurring as a result of the ELSA LiveTail feature.  LiveTail has been disabled in these new packages, but you may still have some extra perl processes hanging around from before the upgrade.  You can resolve this by rebooting (Ubuntu recently released some kernel updates so you may need to do this anyway) or by doing the following:
sudo service syslog-ng stop && sudo pkill -9 perl && sudo service syslog-ng start
Rebuilding Indexes
Another issue fixed in this release is that sphinxsearch is now compiled with id64. Previously, we were using the stock Ubuntu package of sphinxsearch which used the CRC32 algorithm and could result in keyword collisions, meaning that you get results that don't actually match what you were searching for. To ensure that all of your indexes are using the new id64 support, you should reindex as follows (note this may take anywhere from minutes to hours):
sudo indexer --rotate --all
Known Issues
If you access ELSA from a browser whose local timezone is not UTC *and* you haven't enabled the use_utc setting in your ELSA Preferences, then each search rolls the From time back the same number of hours as the UTC offset.  For example, suppose your local workstation is set to Eastern time and you login to ELSA and notice that the From defaults to:
2013-05-05 18:01:50

When you then perform a search, the From changes to:
2013-05-05 14:01:50

The workaround is to enable the use_utc setting in your ELSA Preferences (which is probably a good idea anyway to ensure that your timestamps in ELSA match your timestamps in Sguil/Squert/Snorby):
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Preferences

Screenshots
[Screenshot: upgrade process]
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!


Thursday, April 25, 2013

Ubuntu MySQL Updates

Ubuntu recently released updated MySQL packages.  As a reminder, please follow the instructions at the following link to avoid any issues with MySQL updates:
https://code.google.com/p/security-onion/wiki/MySQLUpdates

Wednesday, April 17, 2013

New netsniff-ng and NSM packages now available


I've packaged a new version of netsniff-ng that allows for dropping privileges to a non-root user and I've updated the NSM scripts to take advantage of that.  These new packages fix the following issues:
Issue 310: Update netsniff-ng
Issue 320: Update NSM scripts so that nsm_sensor_ps-restart includes $PCAP_OPTIONS
Issue 311: Update NSM scripts to run netsniff-ng as non-root user
Issue 318: Update NSM scripts to force netsniff-ng to write to proper directory
Issue 303: Update NSM scripts so that sensor_cleandisk looks for unified2 files in proper directories

The new packages have been tested by the following (thanks!):
Heine Lysemose
Matt Gregory
David Zawdie

Updating
The new packages are now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Once the new packages are installed, you'll need to restart netsniff-ng to run the new binary as a non-root user:
sudo nsm_sensor_ps-restart --only-pcap
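The point of the restart is least privilege: the old netsniff-ng binary kept running as root until it was restarted. The following check is an added example, not part of the Security Onion NSM scripts, for confirming on a sensor that every netsniff-ng process is now running under an unprivileged account. It parses "ps -eo user=,comm=" output, so it can be tested against a constructed process list; the "sguil" account name in the test is illustrative, not a statement about which user the NSM scripts pick.

```shell
#!/bin/sh
# Added example (not part of the Security Onion NSM scripts): confirm that the
# restarted netsniff-ng processes are no longer running as root. The parser takes
# "ps -eo user=,comm=" style lines on stdin so it can be checked against
# constructed data; the live check at the bottom feeds it real ps output.

# Print the users running processes whose command name is NAME, one per line.
# Input on stdin: lines of the form "<user> <comm>".
users_running() {
    name=$1
    awk -v name="$name" '$2 == name { print $1 }'
}

# Read ps lines on stdin. Return 0 if NAME is running and no instance is root,
# 1 if any instance runs as root, 2 if NAME is not running at all.
check_unprivileged() {
    name=$1
    users=$(users_running "$name")
    if [ -z "$users" ]; then
        echo "$name: not running" >&2
        return 2
    fi
    if printf '%s\n' "$users" | grep -qx root; then
        echo "$name: still running as root (restart it with nsm_sensor_ps-restart --only-pcap)" >&2
        return 1
    fi
    echo "$name: running as $(printf '%s\n' "$users" | sort -u | tr '\n' ' ')"
    return 0
}

# Live check on a sensor: "sh check.sh --live"; the exit status is the verdict.
if [ "${1:-}" = "--live" ]; then
    ps -eo user=,comm= | check_unprivileged netsniff-ng
fi
```

The same function works for any other sensor process you expect to have dropped privileges; pass its command name in place of netsniff-ng.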

Screenshots
[Screenshots: update process; restarting netsniff-ng]

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you or your organization has found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, April 2, 2013

Snort 2.9.4.1 packages now available

Snort 2.9.4.1 was recently released:
http://blog.snort.org/2013/03/snort-2941-has-been-released.html

I've packaged Snort 2.9.4.1 and DAQ 2.0.0 and the new packages have been tested by the following (thanks!):
Heine Lysemose
David Zawdie

The new packages are now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Please note that, if you normally use the Registered User VRT Ruleset, you are on a 30-day delay and rules may not be available for Snort 2.9.4.1 yet.

Install Process

The Snort update will do the following:

  • back up each of your existing snort.conf file(s) to snort.conf.bak
  • update Snort to 2.9.4.1

If you're running Snort in production, then you'll need to do the following:

  • apply your local customizations to the new snort.conf file(s)
  • update ruleset and restart Snort as follows:
sudo rule-update
[Screenshots: the install process (apt-get dist-upgrade, then "snort -V" to confirm the version), and the reminder to apply any local customizations to snort.conf and then run "sudo rule-update"]

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Monday, March 25, 2013

Suricata 1.4.1 package now available


Suricata 1.4.1 was recently released:
http://suricata-ids.org/2013/03/08/suricata-1-4-1-released/

I've packaged Suricata 1.4.1 and it has been tested by the following (thanks!):
Eric Ooi
David Zawdie

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade

Install Process

The Suricata update will do the following:

  • install some new dependencies (libluajit and libjansson)
  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.1

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:
sudo nsm_sensor_ps-restart --only-snort-alert

[Screenshots: the install process (apt-get dist-upgrade, then "suricata -V" to confirm the version), and the reminder to update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"]


Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Sunday, March 24, 2013

New PRADS package available

I've packaged a new version of PRADS which changes the way that byte counts are reported.  PRADS will now report total IP bytes, which matches up with the way that NetworkMiner reports byte counts.  It also matches the byte counts in Bro's conn.log in the orig_ip_bytes and resp_ip_bytes fields.  For more details, please see:
https://github.com/gamelinux/prads/issues/30


The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
After upgrading, you'll need to manually restart PRADS as follows:
sudo nsm_sensor_ps-restart --only-prads
Here's an example using traffic from testmyids.com:
[Screenshots: byte counts in Sguil (provided by PRADS); byte counts in NetworkMiner; byte counts in Bro's conn.log (orig_ip_bytes and resp_ip_bytes fields)]

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Monday, March 11, 2013

New PF_RING 5.5.2 packages now available!

PF_RING 5.5.2 was recently released:
http://www.ntop.org/pf_ring/pf_ring-5-5-2-released/

I've packaged PF_RING 5.5.2 and the packages have been tested by the following (thanks!):
Eric Ooi
David Zawdie
Matt Gregory

The new packages are now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Warnings
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  If so, please cancel the update and use our recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

UPDATE 2013/03/13: Ubuntu recently released some kernel updates, so you may also be prompted to update your kernel packages at the same time.  If you install the kernel and PF_RING updates together, the PF_RING kernel module will be built for the kernel that is currently running and not for the newly installed kernel.  Instead, install JUST the updated kernel packages, reboot into the new kernel, and then install the updated PF_RING packages so that the module gets built for the new kernel.  If you accidentally install both the kernel and PF_RING packages at the same time and then reboot and find that PF_RING services are failing, you can force PF_RING to build against the new kernel by simply running the update command again:
sudo apt-get update && sudo apt-get dist-upgrade
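A quick way to confirm which kernel your PF_RING module was actually built for, as an added example that is not part of this post or of the PF_RING packages. It assumes the module is installed where PF_RING's own Makefile puts it, /lib/modules/<kernel>/kernel/net/pf_ring/pf_ring.ko; the modules directory and kernel version are parameters so you can point it elsewhere:

```sh
#!/bin/sh
# Added example: is there a pf_ring.ko for the running kernel?
# Not part of Security Onion or PF_RING. Assumed module location:
#   <modules dir>/<kernel>/kernel/net/pf_ring/pf_ring.ko
# (defaults: /lib/modules and `uname -r`).

# pf_ring_module_path KERNEL [MODULES_DIR] -> prints the expected module path
pf_ring_module_path() {
    printf '%s/%s/kernel/net/pf_ring/pf_ring.ko\n' "${2:-/lib/modules}" "$1"
}

# pf_ring_built_kernels [MODULES_DIR] -> one kernel version per line that has a pf_ring.ko
pf_ring_built_kernels() {
    pr_dir="${1:-/lib/modules}"
    for pr_ko in "$pr_dir"/*/kernel/net/pf_ring/pf_ring.ko; do
        [ -f "$pr_ko" ] || continue          # glob matched nothing
        pr_rel=${pr_ko#"$pr_dir"/}
        printf '%s\n' "${pr_rel%%/*}"
    done
}

# pf_ring_check_kernel KERNEL [MODULES_DIR]
# Returns 0 if a pf_ring.ko exists for KERNEL. Otherwise returns 1 and reports
# which kernels do have one, which is the "built for the old kernel" symptom.
pf_ring_check_kernel() {
    pr_kernel="$1"
    pr_dir="${2:-/lib/modules}"
    pr_expected=$(pf_ring_module_path "$pr_kernel" "$pr_dir")
    if [ -f "$pr_expected" ]; then
        echo "OK: pf_ring.ko present for kernel $pr_kernel"
        return 0
    fi
    echo "MISSING: no pf_ring.ko for kernel $pr_kernel ($pr_expected)" >&2
    pr_others=$(pf_ring_built_kernels "$pr_dir" | tr '\n' ' ')
    if [ -n "$pr_others" ]; then
        echo "pf_ring.ko exists only for: $pr_others" >&2
        echo "Re-run: sudo apt-get update && sudo apt-get dist-upgrade" >&2
    fi
    return 1
}

# Stand-alone usage: check the kernel that is running right now.
case "${1:-}" in
    --check) pf_ring_check_kernel "$(uname -r)" ;;
esac
```

Save it as, say, pf_ring_check.sh (an assumed name) and run `sh pf_ring_check.sh --check` after rebooting into the new kernel; a module listed only for the old kernel means the rebuild above is needed. A missing module with no other kernels listed can also simply mean the PF_RING package has not been installed yet.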
Install Process
The PF_RING update will do the following:
  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes
Upgrade Process
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Wednesday, February 27, 2013

Important note for those monitoring multiple interfaces with Bro


An issue was recently discovered in Bro 2.1 when monitoring multiple interfaces with PF_RING that could result in traffic loss.  This issue is targeted for resolution in Bro 2.2.

UPDATE 2013/05/13 - A new Setup package is now available which automatically disables Bro's PF_RING load balancing when multiple interfaces are being monitored:
http://securityonion.blogspot.com/2013/05/new-setup-package-avoids-bug-when.html

If you've already run Setup and selected multiple interfaces to monitor, please disable Bro's PF_RING load balancing as follows:
sudo broctl stop
sudo sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg
sudo sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg
sudo broctl install && sudo broctl start
For more information on the Bro issue, please see Bro Ticket #943.

New NSM scripts package now available!

I've updated our NSM scripts to resolve the following issues:

Issue 292: Need cronjob to reload syslog-ng at midnight
Issue 295: Increase sleep value in /etc/init/securityonion.conf
Issue 296: Run snort as non-root user
Issue 297: Run snort/suricata with unique PF_RING cluster-id per interface

Thanks to the following for testing this update!
Matt Gregory
GabrielS
Heine Lysemose
Installation
The new NSM scripts package is now available in our stable repo. You can initiate the update process using the graphical Update Manager or with the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Reminder about MySQL Updates
As a reminder, if you are prompted to install MySQL updates, please see the following for the recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

Feedback
If you have any questions or problems, please join our mailing list and ask away!
https://code.google.com/p/security-onion/wiki/MailingLists


Thursday, February 21, 2013

Seth Hall's Bro Module for APT1 Detection

Seth Hall wrote a great Bro module based on the recent Mandiant APT1 report.  Here are some quick instructions for loading the module on a Security Onion sensor.

UPDATE 2013/12/11 - These scripts are for Bro 2.1 only.  We've released Bro 2.2 and included an updated version of the APT1 scripts written for Bro 2.2.  Please see:
http://blog.securityonion.net/2013/12/bro-22-and-elsa-15-packages-now.html

sudo apt-get install -y git
cd /opt/bro/share/bro/site/
sudo git clone git://github.com/sethhall/bro-apt1.git apt1
echo "@load apt1" | sudo tee -a local.bro
sudo broctl install && sudo broctl restart

Wednesday, January 30, 2013

New securityonion-snorby 20130129 package fixes a vulnerability


Snorby 2.5.6 was recently released to fix a vulnerability:
https://github.com/Snorby/snorby/blob/master/ChangeLog.md

I've packaged Snorby 2.5.6 and the new securityonion-snorby package has been tested and confirmed by the following (thanks!):
Heine Lysemose
Mark Hillick
Matt Gregory

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  Please see the following for the recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

When the new securityonion-snorby package installs, it should restart Apache and, if Setup has already been run, it should run "bundle exec rake snorby:update" and restart the Snorby worker as follows (you can disregard any "Jammit Warning" messages):
Update Process

Wednesday, January 23, 2013

New securityonion-snorby package fixes multiple vulnerabilities


Snorby 2.5.4 was recently released with some vulnerability fixes:
https://github.com/Snorby/snorby/blob/master/ChangeLog.md

I've packaged Snorby 2.5.4 and the new securityonion-snorby package has been tested and confirmed by the following (thanks!):
Scott Runnels
Matt Gregory
Heine Lysemose
David Zawdie


The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  Please see the following for the recommended procedure for updating MySQL:

When the new securityonion-snorby package installs, it should restart Apache and, if Setup has already been run, it should run "bundle exec rake snorby:update" and restart the Snorby worker as follows (you can disregard any "Jammit Warning" messages):

Upgrade Process

Thursday, January 3, 2013

DNS Visibility with Security Onion 12.04


UPDATE 2013-10-05: See the updated version of this blog post here:
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html

There have been some interesting articles recently on the value of DNS visibility for security teams:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918


If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!


Hunting through DNS traffic with Bro and ELSA

Monday, December 31, 2012

Security Onion 12.04 is now available!


Introduction

New to Security Onion?  Here's a short FAQ from Brad Shoop:

What is Security Onion?

Security Onion is a network security monitoring system that provides full context and forensic visibility into the traffic it monitors. At its heart it is designed to make deploying multiple complex open source tools simple via a single package, reducing what would normally take days to weeks of work to minutes. Featuring Bro IDS, your choice of Snort or Suricata, Sguil analyst console, ELSA, Squert, Snorby and capME web interfaces, and the ability to pivot from one tool to the next seamlessly provides the most effective collection of network security tools available in a single package.

What can it do for you?

  • Signature-based detection - Whether you choose Snort or Suricata for signature-based detection, you'll have Snort and/or Emerging Threats signatures available for use.
  • Context - Bro IDS provides visibility into the haystack, while signature-based detection targets the needle. Now you can know not only what signature-based events occurred, but you can have full context of all activity detected from the host involved. What domains a host queries, SSL certificates it's used, files downloaded, FTP/SMTP/IRC activity? All contextual questions that can help determine whether a signature-based alert is an event or an incident.
  • Evidence - Full packet capture means you can know exactly what a host did. Sguil and its integration with other tools in Security Onion, such as Network Miner and Wireshark in addition to ELSA, Squert and Snorby via capME, allow an analyst to look at the evidence of a network attack frame by frame exactly as it happened, all with a click of a mouse.
  • Tools - Security Onion is loaded with tools to monitor your network efficiently and effectively. Sguil provides the best security analyst console available in terms of function and utility. Squert and Snorby provide visibility into Sguil and Snort respectively, and ELSA provides a Splunk-like interface to the vast wealth of log data Security Onion will harvest from Bro, OSSEC and more.
  • Save Money - It's free, well except for the hardware. But it will help you save a lot of money you might otherwise throw at commercial solutions and you could maybe spend some of that money so your analysts can become better.

What can't it do for you?

Security Onion is a network monitoring and detection system. It will not block an attack, nor is it designed to. It will however act as a video camera for your network for every connection it sees, not just the ones that it thinks are bad. In a world where detection rates are unpredictable, evidence like this can save you a lot of money.

Changes

No major changes since we announced RC1 and the ISO image, just a few small bug fixes:

  • Setup no longer disables NIC offloading features on management interface
  • Setup now disables the IPv6 stack on sniffing interfaces (can still sniff IPv6, though)
  • if running Quick Setup, netsniff-ng is started with "-c" option to disable scatter/gather mode and force traffic to be written to disk instantly

Instructions

For full instructions on installing Security Onion 12.04, please see the installation page on our Wiki.

Screenshots

Captions of the original screenshots, in order:

  • Booting ISO image
  • Booted into Live desktop, starting Xubuntu installer
  • Started Xubuntu installer
  • Completed Xubuntu installer, ready to reboot into new installation
  • Rebooted into new installation, ready to run Setup
  • Started Setup Wizard
  • Configuring /etc/network/interfaces
  • Selecting management interface
  • Selecting DHCP for this test VM
  • Selecting sniffing interfaces
  • Confirming network interface configuration, ready to reboot
  • Rebooted and ready to do the second phase of Setup
  • Started Setup Wizard
  • Setup detects that network interfaces have already been configured
  • Choosing Quick Setup for this test VM
  • Selecting interface to run sniffing processes on
  • Setting username for Sguil/Squert/ELSA
  • Setting email address for Snorby
  • Setting password for Sguil/Squert/Snorby/ELSA
  • Confirming password
  • Optionally enabling ELSA
  • Confirming selections
  • Setup wizard performs all configuration automatically
  • Setup Complete #1
  • Setup Complete #2
  • Setup Complete #3
  • Replaying sample pcaps to simulate network traffic
  • Logging into Snorby
  • Snorby Dashboard
  • Pivoting from IDS alert in Snorby to Full Transcript
  • Viewing full transcript in CapME
  • Logging into Squert
  • Squert Dashboard
  • Squert Signature Statistics
  • Squert GeoIP
  • Squert events
  • Logging into Sguil
  • Sguil RealTime Console
  • Sguil pivoting from IDS alert to full transcript
  • Logging into ELSA
  • ELSA query for Bro Notices
  • ELSA pivoting from Bro notice to full transcript
  • Full transcript in CapME
