Showing posts with label securityonion. Show all posts

New securityonion-sostat package

Jon Schipp submitted some patches for soup (thanks Jon!) and I updated sostat to resolve a few issues.  The new package is securityonion-sostat - 20120722-0ubuntu0securityonion21 and it has been tested by Matt Gregory and David Zawdie (thanks!).

Issues Resolved
Issue 481: soup: Add skip interactive option
https://code.google.com/p/security-onion/issues/detail?id=481

Issue 494: sostat should display ELSA v_indexes
https://code.google.com/p/security-onion/issues/detail?id=494

Issue 497: sostat should ignore "Cannot set NIC flags!" in netsniff-ng.log
https://code.google.com/p/security-onion/issues/detail?id=497

Issue 508: sostat should include full process output but exclude usernames
https://code.google.com/p/security-onion/issues/detail?id=508

Screenshots
sostat now includes ELSA Index Date Range

soup now has options

sostat now includes expanded process output but excludes usernames

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-rule-update package

I've updated our securityonion-rule-update package to resolve an issue.  The new package is securityonion-rule-update - 20120726-0ubuntu0securityonion12 and it has been tested by David Zawdie (thanks!).

Issues Resolved
Issue 505: rule-update: check to see if barnyard and IDS engine are enabled
https://code.google.com/p/security-onion/issues/detail?id=505

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-web-page package updates OSSEC and DNS Queries

I've updated our securityonion-web-page package to resolve a few issues.  The new package is securityonion-web-page - 20120722-0ubuntu0securityonion19 and it has been tested by Matt Gregory (thanks!).

Issues Resolved
Issue 495: securityonion-web-page: OSSEC logs query should exclude MARK
https://code.google.com/p/security-onion/issues/detail?id=495

Issue 498: securityonion-web-page: add DNS IXFR query
https://code.google.com/p/security-onion/issues/detail?id=498

Release Notes
Previously, we added a "DNS - Zone Transfers" query that would look for full zone transfers (AXFR):
http://blog.securityonion.net/2014/02/new-securityonion-web-page-package-adds_19.html

This new package updates that query to also look for incremental zone transfers (IXFR) and group the results by the source IP address:
class=BRO_DNS proto="tcp" "axfr" OR "ixfr" groupby:srcip

The "Host Logs - All OSSEC Logs" query should now exclude any OSSEC --MARK-- logs as follows:
class=none program="ossec_archive" "2014" -"packets_received" -"--MARK--"

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Sign up for the new expanded 2-day class in Houston TX!  For full details and to register, please see:
https://securityonion20140508.eventbrite.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-squert package updates to Squert 1.2.0

Paul Halliday recently released Squert 1.2.0:
http://www.squertproject.org/
https://github.com/int13h/squert

He also recorded a couple of videos showcasing some of the new features recently added to Squert:
Changes v1.1.6: http://www.youtube.com/watch?v=_eheJv0MJDY
Changes v1.1.9: http://www.youtube.com/watch?v=QkgrigopfQA

I've packaged Squert 1.2.0 as securityonion-squert - 20140216-0ubuntu0securityonion2 and the package has been tested by the following (thanks!):
Heine Lysemose
David Zawdie
Matt Gregory

Issues Resolved

Issue 448: When changing time zone in Squert, it needs to revert to UTC when requesting transcripts
https://code.google.com/p/security-onion/issues/detail?id=448

Release Notes

  • When you update the package, it will copy new files into place and then display "Updating database".  Please do not cancel or interrupt this process.
  • You no longer have to hardcode your Sguil credentials in config.php.
  • You may need to Shift-Reload in your browser and/or empty browser cache to ensure you're running the latest Squert javascript.
  • Timestamps are displayed in UTC by default, but you can change this by clicking the arrows to the right of the timeline.  De-select UTC, then specify your local timezone offset.  Then click the "save TZ" button to save your preference into the database and click "Update" to refresh the page with the new timestamps.

Screenshots
Do not cancel or interrupt the database update

Events tab

GeoIP mapping

Pivoting on an event and requesting a TCP transcript with the TX button

Summary tab

Views tab

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-capme package checks for active pcap_agent

I've updated the securityonion-capme package to check for active pcap_agents.  This will provide a more helpful error message for folks who forgot to enable netsniff-ng and pcap_agent and then tried to pivot to CapMe for full packet capture.

The updated package version is securityonion-capme - 20121213-0ubuntu0securityonion18 and it has been tested by the following (thanks!):
Heine Lysemose
Matt Gregory
David Zawdie

Issues Resolved

Issue 475: CapMe should check for active pcap_agent
https://code.google.com/p/security-onion/issues/detail?id=475

Screenshots
CapMe checks for active pcap_agent

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-web-page package adds ELSA query to show DNS zone transfers

I've updated the securityonion-web-page package to add an ELSA query that will show DNS zone transfers.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion18 and it has been tested by the following (thanks!):
Heine Lysemose

Issues Resolved

Issue 487: securityonion-web-page: add DNS zone transfer query
https://code.google.com/p/security-onion/issues/detail?id=487

Screenshots

DNS: Zone Transfers - shows any DNS AXFR requests over TCP

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-elsa-extras package properly randomizes apikey on master server

Scott Runnels has updated the securityonion-elsa-extras package to properly randomize the ELSA apikey on the master server.  Thanks, Scott!

The updated package version is securityonion-elsa-extras - 20131117-1ubuntu0securityonion36 and it has been tested by the following (thanks!):
Michal Purzynski
David Zawdie

Issues Resolved
Issue 478: securityonion-elsa-extras: randomize API key in master's elsa_web.conf
https://code.google.com/p/security-onion/issues/detail?id=478

Release Notes
When the new package installs, it will check /etc/elsa_web.conf to see if you have an apikey set to the default of "1".  If so, it will automatically replace that default apikey with a properly randomized apikey.  You'll then need to restart Apache to make the change take effect:
sudo service apache2 restart
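The check-then-replace logic described above, written out as an added example (this is not the securityonion-elsa-extras package's own code). It assumes /etc/elsa_web.conf is a JSON document with an "apikeys" map whose default value is the string "1"; that layout and the constructed sample are assumptions for the example. A key that is already non-default is left alone, so the routine can run on every install without rotating a key the administrator has already set:

```python
import json
import os
import secrets
import tempfile
from typing import Tuple

DEFAULT_APIKEY = "1"   # the shipped default described in the post
APIKEY_BYTES = 16      # 128 bits from the OS CSPRNG per generated key

# Constructed sample. Treating /etc/elsa_web.conf as a JSON document with an
# "apikeys" map is an assumption for this example, not the package's own logic.
SAMPLE_DEFAULT_CONF = json.dumps(
    {"apikeys": {"elsa": DEFAULT_APIKEY}, "query_timeout": 10000}, indent=2
)


def get_apikey(conf_text: str, user: str = "elsa") -> str:
    """Return the API key configured for `user`."""
    return json.loads(conf_text)["apikeys"][user]


def has_default_apikey(conf_text: str) -> bool:
    """True if any configured API key still equals the shipped default."""
    apikeys = json.loads(conf_text).get("apikeys", {})
    return any(key == DEFAULT_APIKEY for key in apikeys.values())


def randomize_default_apikeys(conf_text: str) -> Tuple[str, bool]:
    """Replace every default API key with a random one.

    Returns (new_text, changed). Keys that are already non-default are left
    untouched, so the routine is safe to run on every package install.
    """
    conf = json.loads(conf_text)
    apikeys = conf.get("apikeys", {})
    changed = False
    for user, key in apikeys.items():
        if key == DEFAULT_APIKEY:
            apikeys[user] = secrets.token_hex(APIKEY_BYTES)
            changed = True
    if not changed:
        return conf_text, False
    return json.dumps(conf, indent=2), True


def fix_conf_file(path: str) -> bool:
    """Apply randomize_default_apikeys to a file, replacing it atomically."""
    with open(path) as fh:
        original = fh.read()
    new_text, changed = randomize_default_apikeys(original)
    if not changed:
        return False
    mode = os.stat(path).st_mode & 0o7777      # keep the file's permissions
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.chmod(tmp_path, mode)
    os.replace(tmp_path, path)                 # atomic rename on POSIX
    return True


def demo() -> Tuple[bool, bool]:
    """Run the fix twice on a throwaway copy: (changed first run, changed second run)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "elsa_web.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_DEFAULT_CONF)
        first = fix_conf_file(path)
        second = fix_conf_file(path)
        return first, second


if __name__ == "__main__":
    print("default key present:", has_default_apikey(SAMPLE_DEFAULT_CONF))
    text, changed = randomize_default_apikeys(SAMPLE_DEFAULT_CONF)
    print("changed:", changed, "new key:", get_apikey(text))
    print("file fix first/second run:", demo())
```

Because the file is re-serialized through json, any comments in the real configuration would be dropped; the point of the example is the idempotent check and the CSPRNG-backed replacement. As the post says, Apache has to be restarted afterwards for ELSA to pick up the new key.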

Please be reminded that the management interface of your master server (where the ELSA web interface runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
https://code.google.com/p/security-onion/wiki/Firewall

Screenshots
BEFORE new package - apikey defaulted to 1

Installing new package, which will automatically check for default apikey and randomize if necessary

AFTER new package - apikey is now properly randomized

Restarting Apache to make change in /etc/elsa_web.conf take effect

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Table of Contents added to Wiki

I've added a Table of Contents page to our Wiki and made it the Sidebar for all pages in the Wiki. You can see it on the left side of the screenshot below. Hopefully, this helps organize our various Wiki pages in a more logical manner and helps you find what you're looking for faster.

Table of Contents added as Sidebar

Please take a look and let us know what you think!

https://code.google.com/p/security-onion/wiki/TableOfContents

New securityonion-setup package resolves several issues

I've updated the securityonion-setup package to resolve several issues.  The updated package version is securityonion-setup - 20120912-0ubuntu0securityonion99 and it has been tested by the following (thanks!):
Matt Gregory
David Zawdie
JP Bourget

Issue 463: sosetup: prompt for ELSA log_size_limit
https://code.google.com/p/security-onion/issues/detail?id=463

Issue 470: sosetup: Add verbiage to ELSA screen about running on sensors
https://code.google.com/p/security-onion/issues/detail?id=470

Issue 474: sosetup: increase default query_timeout in /etc/elsa_web.conf
https://code.google.com/p/security-onion/issues/detail?id=474

Issue 388: sosetup: configure MySQL to create an innodb file per table to prevent ibdata1 growing indefinitely
https://code.google.com/p/security-onion/issues/detail?id=388

Issue 416: sosetup: increase default MySQL open-files-limit
https://code.google.com/p/security-onion/issues/detail?id=416

Screenshots

Setup now prompts for ELSA log_size_limit

Setup sets ELSA log_size_limit as requested by user

Setup now sets ELSA query_timeout to 10000

Setup now configures MySQL with better defaults

MySQL now creates an innodb file per table

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

New securityonion-sostat package provides more data for monitoring ELSA

I've updated the securityonion-sostat package to redact IPv6/MAC addresses and also increase verbosity for monitoring ELSA.  The updated package version is securityonion-sostat - 20120722-0ubuntu0securityonion20 and it has been tested by the following (thanks!):
Matt Gregory
David Zawdie

Issue 471: sostat-redacted should redact IPv6 and MAC addresses
https://code.google.com/p/security-onion/issues/detail?id=471
(thanks to Steve Fennell and BBCan177 for the patches!)

Issue 476: sostat: add verbosity for troubleshooting ELSA
https://code.google.com/p/security-onion/issues/detail?id=476
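Redaction of the kind sostat-redacted performs, as an added example that is not the package's own code. Rather than relying on regular expressions alone, it uses regexes only to find candidate spans and lets the standard ipaddress module decide whether a span is a real IPv4 or IPv6 address, which keeps timestamps such as 12:34:56 and malformed values such as 999.1.2.3 intact. The sample lines are constructed to look like sostat output and are not real output:

```python
import ipaddress
import re

# Hardware addresses first: their colon-separated groups would otherwise be
# picked up as IPv6 candidates.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Candidate spans only: any run of hex digits, colons and dots containing at
# least one colon, not glued to other alphanumerics. ipaddress decides whether
# a candidate really is an address.
IPV6_CANDIDATE_RE = re.compile(
    r"(?<![0-9A-Za-z:.])[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*(?![0-9A-Za-z:.])"
)
IPV4_CANDIDATE_RE = re.compile(r"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")


def _redact_ipv6(match: "re.Match[str]") -> str:
    token = match.group(0)
    core = token.rstrip(".")          # "fe80::1." at the end of a sentence
    trail = token[len(core):]
    try:
        ipaddress.IPv6Address(core)
    except ValueError:
        return token                  # not an address, e.g. a timestamp
    return "IPv6_REDACTED" + trail


def _redact_ipv4(match: "re.Match[str]") -> str:
    token = match.group(0)
    try:
        ipaddress.IPv4Address(token)
    except ValueError:
        return token                  # e.g. 999.1.2.3 is not an address
    return "IPv4_REDACTED"


def redact(text: str) -> str:
    """Redact MAC, IPv6 and IPv4 addresses, in that order."""
    text = MAC_RE.sub("MAC_REDACTED", text)
    text = IPV6_CANDIDATE_RE.sub(_redact_ipv6, text)
    return IPV4_CANDIDATE_RE.sub(_redact_ipv4, text)


# Constructed sample lines in the style of sostat output; not real output.
SAMPLE_OUTPUT = """\
Date: 2014-02-19 12:34:56 UTC
Interface eth1: 10.1.2.3/24, HWaddr 00:16:3e:4a:12:9f
inet6 fe80::216:3eff:fe4a:129f/64 scope link
Sensor sees ::ffff:192.168.1.10 and 2001:db8::1
"""

if __name__ == "__main__":
    print(redact(SAMPLE_OUTPUT))
```

IPv6 runs before IPv4 so that an IPv4-mapped address such as ::ffff:192.168.1.10 is removed whole rather than leaving a partial address behind. One trade-off to be aware of before sharing redacted output: a dotted version string like 2.9.5.6 is a syntactically valid IPv4 address and will be redacted too.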

Screenshots
sostat-redacted now redacts IPv4, IPv6, and MAC addresses

Additional ELSA info from a master server

Additional ELSA info from a sensor

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New securityonion-web-page package adds ELSA query to show connections grouped by node

I've updated the securityonion-web-page package to add an ELSA query that will group connections by node.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion15 and it has been tested by the following (thanks!):
JP Bourget

Issues Resolved

Issue 477: ELSA menu should include BRO_CONN groupby:node
https://code.google.com/p/security-onion/issues/detail?id=477

Screenshots

Connections: Grouped by Node - shows how many connections each sensor is seeing
Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Snort 2.9.5.6 and Suricata 1.4.7 packages now available!

The following software was recently released:

Snort 2.9.5.6
http://blog.snort.org/2013/11/snort-2956-is-now-available-on-snortorg.html

Suricata 1.4.7
http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/184--suricata-147-released

I've packaged these new releases and the new packages have been tested by JP Bourget and David Zawdie.  Thanks, guys!

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata

You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:
    sudo rule-update

Release Notes
Snort is now compiled with --enable-sourcefire.

Screenshots
"sudo soup" upgrade process
Snort 2.9.5.6 and Suricata 1.4.7

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New securityonion-sostat package available

I've packaged a new version of sostat that resolves the following issue:

Issue 461: sostat: improve pf_ring output
https://code.google.com/p/security-onion/issues/detail?id=461

The version number of the new package is securityonion-sostat - 20120722-0ubuntu0securityonion13 and it has been tested by the following (thanks!):
David Zawdie

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshot
PF_RING section of sostat output

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New securityonion-web-page package adds SSH country and status links

I've updated our recently released securityonion-web-page package to add links that will group SSH connections by country and status.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion14.

Issues Resolved

Issue 469: securityonion-web-page: add SSH queries for country and status
https://code.google.com/p/security-onion/issues/detail?id=469

Screenshots
SSH: Top Countries - SSH connections grouped by country code

SSH: Status - Bro heuristically determines if an SSH login attempt succeeded

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New securityonion-web-page package fixes the ELSA Tunnel query

I've updated our recently released securityonion-web-page package to fix the ELSA Tunnel query.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion13.

Issues Resolved

Issue 466: securityonion-web-page: change elsa/menu.php to fix Tunnel query
https://code.google.com/p/security-onion/issues/detail?id=466

Screenshots
Tunnels: Top Tunnels shows the tunnels detected by ELSA

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New securityonion-web-page package available

I've updated our securityonion-web-page package.  The updated package version is securityonion-web-page - 20120722-0ubuntu0securityonion12 and has been tested by David Zawdie.

Issues Resolved

Issue 455: securityonion-web-page: update hyperlink
https://code.google.com/p/security-onion/issues/detail?id=455

Issue 456: securityonion-web-page: add example ELSA queries
https://code.google.com/p/security-onion/issues/detail?id=456

This package adds a new URL (https://your.security.onion.hostname/elsa/) that includes a menu on the left with some common ELSA queries.

Screenshots
Connections: Top SRC IPs - Top Source IP Addresses in Bro's conn.log

Connections: Top DST Ports - Top Destination Ports in Bro's conn.log

Connections: Top Services - Top Services Identified in Bro's conn.log

Connections: Port 53 groupby Service - Top Services Identified on Port 53 in Bro's conn.log

DHCP: Top Assigned IPs - Top Assigned IP Addresses seen in Bro's dhcp.log

DNS: Top Requests - Top DNS Requests seen in Bro's dns.log

DNS: Top nxdomain - Top nxdomain Responses seen in Bro's dns.log

Files: MIME Types - Top MIME Types seen in Bro's files.log

Files: Sources - Top Protocol Sources in Bro's files.log

FTP: Top arg - FTP Transactions in Bro's ftp.log

Host Logs: OSSEC Alerts - HIDS Alerts from OSSEC

Host Logs: All OSSEC Logs - Raw Logs from OSSEC (not HIDS Alerts)

Host Logs: Syslog-NG - Standard Syslog received by Syslog-NG

Host Logs: Syslog Detected by Bro - Syslog detected by Bro and logged to syslog.log

HTTP: Top User Agents - Top HTTP User Agents in Bro's http.log

HTTP: Top Sites - Top HTTP Sites in Bro's http.log

HTTP: Sites hosting EXEs - Sites hosting EXEs in Bro's http.log

Notice: Top Notice Types - Top Notice Types found in Bro's notice.log

SMTP: Top Subjects - Top Email Subject Lines in Bro's smtp.log

Snort/Suricata: Top Snort Alerts - Top IDS Alerts from Snort or Suricata

Software: Software Detected by Bro - Top Software Types found in Bro's software.log

Weird: Top Weird Types - Top Traffic Anomalies found in Bro's weird.log
Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
