Security Onion

Attention Shmoocon attendees!

2012-01-28T01:52:00.002-05:00

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120125 now available!

2012-01-26T16:30:00.000-05:00

Security Onion 20120125 is now available! This resolves the following issues:
Issue 203: New users should have a more sensible default for Sguil client fonts
Issue 204: /usr/local/sbin/nsm_server_del: line 192: [: eq: binary operator expected
Issue 206: /usr/local/sbin/nsm_sensor_clean should purge old Bro logs
Issue 207: Re-install /etc/skel/.bashrc to enable bash coloring
Issue 208: Need a new ISO for NoVA Hackers presentation

New Users
New users can download and install the 20120125 ISO image using the instructions here.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Upcoming Security Onion Presentations

2012-01-26T06:10:00.002-05:00

I'll be giving a Shmoocon Firetalk on Saturday 1/28 at 7:40 PM:
http://www.novainfosecportal.com/2012/01/25/shmoocon-2012-firetalks-%E2%80%93-update-5-schedule/

I'll also be presenting Security Onion at the NoVA Hackers Shmoocon Epilogue on Monday 1/30 at 8:00 PM:
http://novahackers.blogspot.com/2012/01/shmoocon-epilogue-speakers-and-location.html

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion Success Stories 2012

2012-01-23T21:27:00.002-05:00

Last year, I received a few success stories from satisfied Security Onion users:
http://securityonion.blogspot.com/2011/05/security-onion-success-stories.html

Please share your Security Onion success story in the comments below!

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120124 now available!

2012-01-23T19:55:00.001-05:00

Security Onion 20120124 is now available! This resolves the following issue:
Issue 140: OSSEC agent needs to be integrated into NSM scripts

New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

sudo service nsm status

Security Onion 20120123 now available!

2012-01-22T16:19:00.000-05:00

Security Onion 20120123 is now available! This resolves the following issues:

Issue 191: Update NSM scripts to control Bro
Issue 202: If user selects only one interface, configure Bro as standalone

Notes
If you're only monitoring a single network interface, this update will configure Bro for standalone mode which will greatly increase performance!

New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

NSM scripts now control Bro

Thanks
Thanks to Seth Hall of the Bro project for his tuning suggestion!
Thanks to Richard Bejtlich for his suggestion of updating the NSM scripts to control Bro!

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120119 now available!

2012-01-22T00:35:00.002-05:00

Security Onion 20120119 is now available! This resolves the following issues:
Issue 154: Track pulledpork download status
Issue 160: PulledPork should be using https for ET and ETPRO downloads
Issue 198: Suricata 1.2.1
Issue 200: PulledPork isn't handling so_rules properly
Issue 201: snorby-db-fix is causing problems with large/busy snorby databases

For more information about Suricata 1.2.1, please see:
http://www.openinfosecfoundation.org/index.php/component/content/article/144-suricata-12-available
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_11_to_Suricata_12
http://www.suricata-ips.net/index.php/component/content/article/145-suricata-121-available

Please also note that the new suricata.yaml will overwrite your existing suricata.yaml. Your existing suricata.yaml will be backed up to /nsm/backup/20120119/NAME_OF_SENSOR/. Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/suricata.yaml.

New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade begins

Upgrade runs pulledpork_update.sh to update rules

pulledpork_update.sh restarts barnyard2 and the IDS engine

Thanks
Thanks to the Suricata team for their hard work on Suricata 1.2.1!
Thanks to Scott Runnels for his assistance in testing this release!

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion Presentation at NoVA Hackers

2012-01-18T08:57:00.004-05:00

I'll be presenting Security Onion at the NoVA Hackers Shmoocon Epilogue:
http://novahackers.blogspot.com/2012/01/shmoocon-epilogue-speakers-and-location.html

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!

http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120116 now available!

2012-01-16T00:42:00.001-05:00

Security Onion 20120116 is now available! This resolves the following issue:

Issue 170: Snort 2.9.2

For more information about Snort 2.9.2, please see:

Snort 2.9.2: SCADA Preprocessors

http://www.snort.org/docs

http://manual.snort.org

Please note that if you are using the Registered (30-day delay) VRT ruleset you may need to wait until the rules are released for Snort 2.9.2.

Please also note that the new snort.conf will overwrite your existing snort.conf. Your existing snort.conf will be backed up to /nsm/backup/20120116/NAME_OF_SENSOR/. Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/snort.conf.

New Users

New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade script installs Snort 2.9.2 and launches PulledPork

Once PulledPork completes, barnyard2 and Snort are restarted

Thanks

Thanks to the Snort team for their hard work on Snort 2.9.2!

Thanks to Scott Runnels for his assistance in testing this release!

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!

http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120114 now available!

2012-01-13T10:38:00.002-05:00

Security Onion 20120114 is now available! This resolves the following issue:

Issue 190: typo in /etc/cron.d/bro

New Users

New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!

http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120113 now available!

2012-01-13T09:58:00.001-05:00

Security Onion 20120113 is now available! This resolves the following issues:

Issue 147: Bro 2.0 integration

Issue 185: Syntax error clearing sensor data

Note that this is just the initial integration of Bro. In the future, we'll switch Sguil's http_agent to use Bro's http.log and we'll also look at using Barnyard2 to send IDS alerts to Bro to give it a better understanding of your network.

New Users

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

sudo broctl status

Current Bro logs can be found in /nsm/bro/logs/current

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120107 now available!

2012-01-06T16:39:00.000-05:00

Security Onion 20120107 is now available! This resolves the following issue:

Issue 184: reference.config needs to be updated

New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20120106 now available!

2012-01-06T09:54:00.000-05:00

Security Onion 20120106 is now available! This resolves the following issues:

Issue 152: etherape

Issue 158: whois

Issue 178: nsm_sensor_ps-status shouldn't delete stale PID files

Issue 179: NSM watchdog should put timestamps in log file

Issue 180: vim

Issue 181: nsm_sensor_ps-restart should rotate current log file to TIMESTAMP

Issue 182: Setup needs to make sure MySQL is running if user chooses Server

Issue 183: Need to periodically remove invalid data from snorby database

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20111229 now available!

2011-12-29T08:07:00.002-05:00

Security Onion 20111229 is now available! This resolves the following issues:

Issue 109: Optional PADS or PRADS

Issue 115: edit nsm_sensor_edit

Issue 162: Process watchdog

Issue 164: No sensor status info then server is down

Issue 173: nsm_sensor_clean cronjob should output date to logfile

Thanks to Karolis for his work on integrating PADS into the distro!

Notes

The PADS configuration file (/etc/nsm/SENSOR-NAME/pads.conf) contains a "network" variable which defaults to:
192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
You will need to change this variable if you're monitoring public IP space.
The new process watchdog runs every 5 minutes and will restart any sensor process that has crashed. It will move the process's old log file to PROCESS.log.TIMESTAMP so that you can determine why the process crashed.

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

PADS events in Sguil

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20111228 now available!

2011-12-27T13:04:00.001-05:00

Security Onion 20111228 is now available! This resolves the following issue:
Issue 151: NetworkMiner

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

NetworkMiner menu entry

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20111227 now available!

2011-12-27T10:22:00.002-05:00

Security Onion 20111227 is now available! This resolves the following issue:
Issue 172: Snorby Export-to-PDF results in error

New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20111222 now available!

2011-12-23T14:51:00.001-05:00

Security Onion 20111222 is now available! This resolves the following issue:
Issue 51: Snorby

Snorby is a modern web interface for Network Security Monitoring:

The new hotness

A few things to note:

The Snorby database is totally separate from the Sguil database. This means that you will have a separate user account to log into Snorby. It also means that any events that you classify in Snorby are not reflected back into the Sguil database.
A new output is added to the barnyard2 configuration to send events to the Snorby database. Remote sensors establish an SSH tunnel to the server to encrypt the MySQL traffic.
This is just the initial integration of Snorby. In the future we'll add things like full packet capture support and Dustin's new unified2 library.

New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

The Setup wizard has been updated to support Snorby. You will create a username for Sguil/Squert and a separate username for Snorby (your email address). The password that you enter will be used for both Sguil/Squert and Snorby.

Updated Setup Wizard

Entering email address for Snorby

Same password will be used for both Sguil/Squert and Snorby

Double-click the Snorby desktop shortcut

If necessary, generate some IDS alerts using "curl http://testmyids.com"

View your IDS alerts on the Events tab

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

If you have one or more slave sensors reporting to a central master server, always upgrade the master first!

Since Snorby and Sguil have separate databases, your existing Sguil credentials will not allow you to log into Snorby. The in-place upgrade process will generate a username and random password for your initial Snorby login. You should immediately login with your temporary credentials and change them.

Completing upgrade of an existing system

Double-click the Snorby desktop shortcut or use the URL shown in the upgrade

Click "Settings" to change your username/password

Set your new credentials

If necessary, generate some alerts with "curl http://testmyids.com"

View your IDS alerts on the Events tab

If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Merry Christmas!

Security Onion is in the running for 2011 Toolsmith Tool of the Year!

2011-12-20T13:22:00.000-05:00

Security Onion is in the running for 2011 Toolsmith Tool of the Year! I know which one I'm voting for :)
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Security Onion 20111214 now available!

2011-12-14T14:43:00.000-05:00

Security Onion 20111214 is now available! This resolves the following issue:

Issue 143: Need a better solution for purging at 90% disk usage

The previous purging method only removed old pcaps from the dailylogs directories. The new method removes old pcaps but also purges old argus, httpry, and unified2 files.

For those running multiple sensors on the same /nsm, the previous purging method would have deleted all pcaps from the first sensor before beginning to purge the second sensor. The new method tries to delete more evenly across the sensors.

New Users

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

Purging

/etc/cron.d/sensor-clean contains a cronjob that runs the purge hourly. You can manually run the purge as follows:

sudo /usr/local/sbin/nsm --sensor --clean

Security Onion 20111213 now available!

2011-12-12T16:22:00.000-05:00

Security Onion 20111213 is now available! This resolves the following issues:
Issue 168: Suricata 1.1.1

If you are already using Suricata and have customized your suricata.yaml file, please note that it will be backed up to /nsm/backup/20111213/NAME-OF-SENSOR/ and then overwritten with the new config file. Please copy any of your customizations (HOME_NET, etc.) from /nsm/backup/20111127/NAME-OF-SENSOR/suricata.yaml to the production copy /etc/nsm/NAME-OF-SENSOR/suricata.yaml.

As noted here, Suricata includes some anomaly detection in the form of decoder-events.rules and stream-events.rules. These two rulesets have been disabled in this update. You can manually re-enable them if desired.

New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Switching to Suricata
If you're currently running Snort and would like to switch to Suricata, use the following commands to stop Snort, change the ENGINE variable in the config file, and then run PulledPork to download the Suricata-specific ruleset (if running Emerging Threats rules):

Screenshots

Upgrade Process

Security Onion 20111202 now available!

2011-12-01T16:35:00.001-05:00

Security Onion 20111202 is now available! This resolves the following issue:

Issue 139: Squert needs HTTPS

This update will convert Squert and Xplico to HTTPS. It will also automatically update any Squert/Xplico shortcuts contained within the Security Onion installation to use HTTPS. If you have any Squert/Xplico bookmarks on any other computers in your network, you should just need to change them from HTTP to HTTPS.

New Users

New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

Security Onion 20111201 now available!

2011-12-01T05:56:00.001-05:00

Security Onion 20111201 is now available! This resolves the following issues:

Issue 157: Update pulledpork.conf.master with new local_rules declaration

Issue 159: NSM scripts are storing initial Sguil credentials in /etc/nsm/securityonion/server.conf

New Users

New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

Security Onion 20111130 now available!

2011-11-30T09:11:00.001-05:00

Security Onion 20111130 is now available! This resolves the following issue:

Issue 144 - sguild.email configuration not loading properly

New Users

New users can download and install the new 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

Notes on Suricata 1.1 Update

2011-11-29T06:56:00.001-05:00

A few quick notes on the Suricata 1.1 update and its default suricata.yaml configuration file:

decoder-events.rules and stream-events.rules
By default, suricata.yaml includes the following rules:
- decoder-events.rules
- stream-events.rules

This results in alerts like these:

Suricata stream events example

If you don't wish to see these alerts, simply comment out those two rules in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

EXTERNAL_NET
By default, suricata.yaml sets EXTERNAL_NET to "!HOME_NET". (The Snort default in snort.conf is "EXTERNAL_NET any".) If you'd like to change this, simply make the change in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

How do I edit suricata.yaml and restart Suricata?
If you have GUI access to your sensor, you can use the "IDS Config" menu entry as described here:
http://securityonion.blogspot.com/2011/09/security-onion-20110909-now-available.html

Otherwise, you can do the following:

Modify /etc/nsm/NAME-OF-SENSOR/suricata.yaml using your favorite text editor.
Restart Suricata using the following command:
sudo nsm --sensor --restart --only-snort-alert

Security Onion 20111127 now available!

2011-11-27T16:04:00.001-05:00

Security Onion 20111127 is now available! This resolves the following issues:

Issue 134 - Upgrade Suricata to 1.1

Issue 153 - When IDS Engine is Suricata, PulledPork needs to download Suricata version of ET rules

If you are already using Suricata and have customized your suricata.yaml file, please note that it will be backed up to /nsm/backup/20111127/NAME-OF-SENSOR/ and then overwritten with the new config file. Please copy any of your customizations (HOME_NET, etc.) from /nsm/backup/20111127/NAME-OF-SENSOR/suricata.yaml to the production copy /etc/nsm/NAME-OF-SENSOR/suricata.yaml.

New Users

New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Switching to Suricata

If you're currently running Snort and would like to switch to Suricata, use the following commands to stop Snort, change the ENGINE variable in the config file, and then run PulledPork to download the Suricata-specific ruleset (if running Emerging Threats rules):

Screenshots

Upgrade Process

Follow-up on OSSEC alerts for packet loss

2011-11-17T09:31:00.001-05:00

This is a follow-up to my recent post "How do I receive an email when my sensor stops receiving traffic?". That post explains the core idea which I have since refined.

Refinement #1: Tell me which interface stopped receiving traffic
The first area of refinement is making the output a little more verbose so that, if we have multiple interfaces, we know exactly which interface stopped receiving traffic. We do that by modifying the "bandwidth" command in /var/ossec/etc/ossec.conf as follows:

Refinement #2: Give me more flexibility in the OSSEC rule structure
The second area of refinement is implementing a tiered OSSEC rule structure. This gives us more flexibility and troubleshooting capability. We do this by editing /var/ossec/rules/local_rules.xml and replacing our previous single rule with these two rules:

The first rule just identifies "bandwidth" output and only logs it to disk (level 1 alerts do not generate email by default). The second rule is a child rule of the first and alerts/emails (level 7) when bandwidth is down to 0.000.

Since we're now logging all "bandwidth" output, we can search for it in the OSSEC logs:

Refinement #3: Use Linux kernel's built-in packet counters instead of relying on snort.stats
The third area of refinement is not relying on snort.stats but instead using the Linux kernel's built-in packet counters. (I hinted at this in the previous post.) This could be used to replace the entire "bandwidth" configuration above, or to complement it for a belt-and-suspenders approach. We start off by adding the following to /var/ossec/etc/ossec.conf:

This follows the same format as the "bandwidth" command, but pulls the count of received packets from ifconfig, waits 5 minutes, pulls the RX count from ifconfig a second time, and subtracts the first from the second to get the total number of packets received in the 5-minute interval.

Next, we add these two rules to /var/ossec/rules/local_rules.xml:

Since we're now logging all "packets_received" output, we can search for it in the OSSEC logs:

When the number of received packets drops to 0, rule 100004 triggers a level 7 alert, generating an email if configured to do so.

Security Onion 20111118 now available!

2011-11-17T09:09:00.001-05:00

Security Onion 20111118 is now available! This resolves the following issue:

Issue 141 - Upgrade Barnyard2

New Users

New users can download and install the new 20111103 ISO image using the instructions here and then follow the In-Place Upgrade instructions below.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

Security Onion 20111116 now available!

2011-11-16T14:11:00.001-05:00

Security Onion 20111116 is now available! This resolves the following issue:

Issue 150 - Ensure that OSSEC timezone matches the host's timezone

New Users

New users can download and install the new 20111103 ISO image using the instructions here and then follow the In-Place Upgrade instructions below.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

How do I receive an email when my sensor stops receiving traffic?

2011-11-15T06:49:00.001-05:00

Recently, I logged into Sguil and noticed that a normally busy sensor had no current alerts. I looked at the full packet capture logs for the sensor and determined that it hadn't received any traffic from the tap in a while. We resolved the issue with the tap and started seeing traffic again, but I also resolved to create an automated notification for the next time this happens.

Snort is already writing bandwidth statistics to /nsm/sensor_data/$SENSOR/snort.stats and we are going to use OSSEC to monitor the file and send email when the bandwidth drops to 0. We could possibly write an OSSEC decoder to have it parse snort.stats directly, but let's instead use OSSEC's process monitoring feature so that we can perhaps extend this in the future to use the Linux kernel's built-in packet counters. For now, we're going to rely on snort.stats.

The first thing we need to do is obtain the full path to the snort.stats file(s) by determining the interfaces that are being monitored by Sguil. We do this by searching /etc/nsm/sensortab for any lines that are not commented out and piping to awk to print just the first column:

For each of the sensors in the output of the previous command, we want to look at the most recent bandwidth statistics, so we pipe to a while-loop and use "tail -1" on the respective snort.stats file:

snort.stats is a CSV file and we only want the third column of data, so we pipe the previous command to cut and tell it the delimiter is a comma and to output the third field:

Here's some sample output for a sensor with two monitored interfaces:

We now have a nice single command that OSSEC can run periodically to retrieve the bandwidth of our monitored interfaces. We add this as a "command" in /var/ossec/etc/ossec.conf and give it an alias of "bandwidth":

Upon restart, OSSEC will periodically run the command, but won't do anything with the output until we add a rule to tell it what to do. We add the following rule to /var/ossec/rules/local_rules.xml to check the output hourly (every 3600 seconds) and see if the bandwidth value has gone down to 0.000:

If we didn't already have OSSEC configured to send email, we could do so by adding the following to the <global> section of /var/ossec/etc/ossec.conf:

Next, we restart OSSEC to activate the new configuration:

Finally, we simulate traffic loss and receive an email like the following:

Update: A question over on Google+ prompted the following clarification:
Security Onion has Snort's perfmonitor configured for 300-second intervals by default, which means that the value we're inspecting would be the average traffic for 5 minutes. My deployments have enough constant traffic that 0.000 for 5 minutes is a pretty good indicator of failure. YMMV!

Security Onion 20111103 now available!

2011-11-03T07:19:00.001-04:00

Security Onion 20111103 is now available! This resolves the following issues:

Issue 138 - Time for a new ISO image

Issue 136 - Setup script should automatically set OS timezone to UTC

Issue 137 - Bro 2.0 Beta

Please note that Bro 2.0 Beta installs to /usr/local/bro/.

For more information about Bro 2.0 Beta, please see:

http://blog.bro-ids.org/2011/10/public-beta-of-bro-20-released.html

http://bro-ids.org/documentation-beta/quickstart.bro.html

http://bro-ids.org/documentation-beta/index.html

New Users

New users can download and install the new 20111103 ISO image using the instructions here.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

Completing Upgrade

Bro 2.0 Beta in /usr/local/bro/bin/bro

Security Onion 20111028 now available!

2011-10-28T06:46:00.000-04:00

Security Onion 20111028 is now available! This resolves Issue 135 by updating the NSM scripts to start Snort with the AFPACKET DAQ for higher performance. For more information about the AFPACKET DAQ, please see:

http://manual.snort.org/node7.html
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

Security Onion 20111025 now available!

2011-10-25T07:21:00.000-04:00

Security Onion 20111025 is now available! This resolves Issue 84 by updating Snort to version 2.9.1.2 and its DAQ to version 0.6.2. For more information about Snort 2.9.1.2, please see:

http://blog.snort.org/2011/10/snort-2912-has-been-posted.html

Please note that if you are using the Registered (30-day delay) VRT ruleset you will need to wait until the rules are released for Snort 2.9.1.2. For more information, please see:

http://blog.snort.org/2011/10/vrt-rule-release-for-10202011-snort.html

Please also note that the new snort.conf will overwrite your existing snort.conf. Your existing snort.conf will be backed up to /nsm/backup/20111025/NAME_OF_SENSOR/. Please copy any customizations (HOME_NET, etc.) from the backup copy to the production copy /etc/nsm/NAME_OF_SENSOR/snort.conf.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Installing new packages

Backing up config files and copying new files into place

Running PulledPork to download new ruleset

Stopping the old Snort and starting the new Snort

snort -V

Security Onion 20111020 now available!

2011-10-22T16:14:00.000-04:00

Security Onion 20111020 is now available! This resolves Issue 133 by updating the NSM scripts to spawn daemonlogger (instead of snort) for full packet capture. Since daemonlogger is simpler than snort and specifically designed for packet capture, it is more efficient and possibly more secure.

In addition, daemonlogger defaults to a snaplen of 65535, so this is a PARTIAL solution to the problem described here. I emphasize that this only a partial solution because it only solves the full packet capture problem and not the packet reassembly problem. NIC offloading should still be disabled to allow Snort to do proper target-based reassembly and thus minimize the likelihood of insertion/evasion attacks. For more information, please see the Snort manual.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

When is full packet capture NOT full packet capture?

2011-10-19T07:40:00.000-04:00

I was looking at some packets recently and noticed the Wireshark message "Packet size limited during capture". This was strange since the packets came from a Sguil sensor performing full packet capture using Snort's default snaplen on a standard Ethernet connection (no Jumbo frames and no VLAN tags). Drilling down into the packet capture, some of the packets were 2900 bytes and Snort was only capturing the first 1500 bytes. The full packet capture was not "full" packet capture after all.

So where did the 2900-byte packets come from?

The OS had enabled by default the following NIC offload features:
tcp-segmentation-offload (tso)
generic-segmentation-offload (gso)
generic-receive-offload (gro)

For more information about these features and their side effects, please see:
http://www.unleashnetworks.com/blog/?p=307
http://wiki.wireshark.org/CaptureSetup/Offloading
http://manual.snort.org/node7.html
http://www.inliniac.net/blog/2007/04/20/snort_inline-and-tcp-segmentation-offloading.html

I won't repeat all the information in those links, but I'll summarize by saying that the NIC was reassembling packets before being passed up the stack to Snort. I disabled the offload features and then verified that this resulted in no more packets larger than 1500 bytes. The packet capture truly was "full" packet capture.

[ UPDATE: A reader asked why we couldn't simply change Snort's default snaplen to a larger value to capture the 2900-byte packets. While it's true that would solve the "full" packet capture problem, another problem would remain. Since the packets are being reassembled on the NIC, Snort is not able to properly perform target-based reassembly (see the Snort manual link above). This opens the door for potential IDS evasion/insertion attacks. NIC offload settings need to be disabled so that Snort sees the same packets the destination host does. ]

Some NIC/driver combinations may disable these offload settings by default, while others enable it by default. You should check your sensors now before you get into a situation where you really need that full packet capture and find out that you don't actually have it. To check, run ethtool with the "-k" (lower-case k) option on the interface you'd like to check. For example, to check eth0:

You should repeat this for every interface in your system, as you may have NICs from different manufacturers with different defaults.

You can set these options using the "-K" (upper-case K) option to ethtool and specify which option you'd like to set. For example, to disable tcp-segmentation-offload for eth0:

You can set multiple options in one "ethtool" command, but this can be problematic if your card doesn't support all of the settings. To avoid this, you could invoke ethtool for each option like this:

Or we could simply wrap the ethtool command in a for-loop like this:

These settings will remain in effect only while the OS is booted, so this needs to be applied at every boot. This can be done by adding the above for-loop as a "post-up" command for each of the interfaces in /etc/network/interfaces. If you're still using the graphical Network Manager to configure your interfaces, I've put together some documentation on disabling it and configuring interfaces and their offloading features via /etc/network/interfaces:

http://code.google.com/p/security-onion/wiki/NetworkConfiguration

I'd really like some feedback on this:

What were your default settings? (ethtool -k eth0)
Did you have any problems disabling the offload features?
Did you notice any difference in performance after disabling the offload features?
Is there a better way of disabling offload features globally? I tried putting the commands in /etc/rc.local and /etc/init/securityonion.conf, but the only way I could get it to work consistently was via /etc/network/interfaces as documented above.
I'm considering disabling offload features by default in the Security Onion Setup script. Can anyone think of any reason why this might be a bad idea?

Security Onion: Network Security Monitoring in Minutes at BSides Atlanta

2011-10-18T07:12:00.000-04:00

I'll be presenting "Security Onion: Network Security Monitoring in Minutes" at #BSidesATL on Friday, November 4. For more information, please see: http://goo.gl/w2yZg.

Hope to see you there!

In Search Of Evil User Agents

2011-10-17T10:33:00.002-04:00

I've got a guest blog post over at PaulDotCom describing how to find evil User Agents on your network using the new httpry functionality in Security Onion:
In Search Of Evil User Agents

Security Onion 20111013 now available!

2011-10-14T07:31:00.000-04:00

Security Onion 20111013 is now available! This simple update resolves Issue 131.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

Security Onion 20111001 now available!

2011-10-01T22:54:00.000-04:00

Security Onion 20111001 is now available! This simple update resolves two issues in /usr/local/bin/pulledpork_update.sh:

Issue 127 requests that /usr/local/bin/pulledpork_update.sh determine whether it is running interactively or via crontab and perform accordingly.
A comment on Issue 87 requests that the rule backups /etc/nsm/rules/backup/ be purged after a specified number of days.

The default number of days is 30.
This default can be overridden by setting the $DAYSTOKEEP_RULE_BACKUPS variable in /etc/nsm/securityonion.conf.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Security Onion 20110922 now available!

2011-09-23T10:19:00.000-04:00

Security Onion 20110922 is now available! This update resolves Issue 126. It also spawns instances of httpry and httpry_agent for each monitored interface. Thanks go to Jason Bittel for his work on httpry and Paul Halliday for his work on httpry_agent!

Please note!

httpry is going to be logging all HTTP traffic on every monitored interface and httpry_agent is going to be inserting those HTTP logs into the MySQL database so they can be queried in Sguil and SQueRT. This may increase the load on your sensors and/or MySQL server.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

httpry events are autocategorized so as not to clutter the main Sguil window

If you're responding to an incident for an IP address, search for the IP and you'll see the httpry events are prefixed with "URL"

Clicking on a URL event will show further information in the Detail pane

Right-clicking on the Alert ID allows you to pull the entire transcript

SQueRT has an httpry search that will show all httpry logs

Security Onion 20110920 now available!

2011-09-20T08:16:00.000-04:00

Security Onion 20110920 is now available! This update enables IP-to-country mapping in the SQueRT web interface (great for showing off to executives)!

Please note!

This upgrade will make changes to the database and therefore it is recommended to backup your MySQL database and/or test the upgrade on a non-production system before deploying to production.

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade Process

SQueRT IP-to-country mapping

Security Onion 20110919 now available!

2011-09-19T06:38:00.000-04:00

Security Onion 20110919 is now available! This update does the following:

Updates the NSMnow admin scripts to support argus.
Starts argus on all monitored interfaces.

Each argus instance will log to the following location:

/nsm/sensor_data/NAME-OF-SENSOR/argus/YYYY-MM-DD.log

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade script installs new NSM scripts and starts argus on all monitored interfaces (eth0, eth1, and eth2 in this case)

Running argus processes

Argus processes log to /nsm/sensor_data/NAME-OF-SENSOR/argus/YYYY-MM-DD.log

Running one of the argus clients (ranonymize, to anonymize my IP addresses) on the argus logs

Security Onion 20110915 now available!

2011-09-16T06:54:00.000-04:00

Security Onion 20110915 is now available! This update does the following:

fixes a minor bug in sguil-db-purge
upgrades Argus to version 3.0.4 (Issue 122)
upgrades httpry to version 0.1.6 (Issue 124)
installs nftracker (Issue 54)
installs pcapcat (Issue 119)
cleans up existing menu entries and adds new menu entries for Argus

Screenshots

New Argus menu

Security Onion 20110914 now available!

2011-09-15T06:43:00.000-04:00

Security Onion 20110914 is now available! This will update the Setup script to use the new config file format and install a daily script to purge old alerts from the database.

PLEASE NOTE!
sguil-db-purge is scheduled to run every day at 5:01 AM. It will do the following:

stop sguild
purge old events from the database
repair the remaining MySQL tables
start sguild

The default retention policy for the purge is 365 days. If you would like to change this value, please change the DAYSTOKEEP variable in /etc/nsm/securityonion.conf.

The daily cron job logs its output to /var/log/nsm/sguil-db-purge.log.

Since the purge script will be making changes to the database, it is recommended to backup your MySQL database and/or test the purge script on a non-production system before deploying to production.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

Upgrade process

Purge script

Security Onion 20110913 now available!

2011-09-14T07:21:00.000-04:00

Security Onion 20110913 is now available! This update upgrades the SQueRT web interface to version 0.9.3b. Thanks go to Paul Halliday at http://www.squertproject.org/ for all of his hard work on this new version of SQueRT!

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Screenshots

SQueRT Summary Tab

More screenshots can be found at the SQueRT screenshots page.

Security Onion 20110909 now available

2011-09-12T05:00:00.000-04:00

Security Onion 20110909 is now available! This upgrade adds some new menu entries to make IDS tuning a little easier.

The "IDS Rules" menu now has a new entry called "Add Local Rules" which will open /etc/nsm/rules/local.rules for editing using the "mousepad" GUI editor. You can then add any rules that you want to maintain locally (outside of the downloaded VRT or Emerging Threats rulesets).
A new menu called "IDS Config" was added with a new menu entry called "Configure IDS engine(s)". This will list all of the IDS engines on your system and allow you to choose one to configure. It will then open the proper config file for whatever IDS engine you're running. After you save and close the config file, it will offer to restart the IDS engine for you.

Example #1

Suppose you're currently running Snort and you choose eth0. The program will open /etc/nsm/NAME_OF_YOUR_SENSOR-eth0/snort.conf for editing using the "mousepad" GUI editor.

Example #2

Suppose you're currently running Suricata and you choose eth1. The program will open /etc/nsm/NAME_OF_YOUR_SENSOR-eth1/suricata.yaml for editing using the "mousepad" GUI editor.

Screenshots

New "Add Local Rules" menu entry under "IDS Rules"

Clicking the above menu entry opens /etc/nsm/rules/local.rules for editing

New "IDS Config" menu with "Configure IDS engine(s)" menu entry

"Configure IDS engine(s)" allows you to pick which engine to configure

Selecting an engine opens that engine's config file for editing

After saving and closing the config file, you will have the option to restart the engine

Security Onion featured in Network World

2011-09-10T22:32:00.004-04:00

Scott Hogg wrote a great review of Security Onion here:
http://www.networkworld.com/community/node/78633

tcpdump and ngrep

2011-07-26T07:04:00.001-04:00

Yesterday, I tweeted the following:

So what does it all mean?

-nn This option disables name resolution for IP addresses and port numbers. Some versions of tcpdump do this with a single "-n", but the double "-nn" option should work on all of them.
vv This option enables Very Verbose output. It wasn't strictly needed for the purposes of this command, but I'm in a habit of using it.
A This option prints just the ASCII text in the packets. This is useful when looking for strings like "Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland" or "c99shell".
i This option allows you to specify the Interface (in this case eth1). eth1 on my Security Onion box at home is connected to a Dualcomm Switch Tap that monitors all ingress/egress of my home network. Doesn't everybody do full packet capture at home?
-s0 This option sets the snaplen. By default, tcpdump only captures 68 bytes and would therefore not see the entire payload of the HTTP connection. Setting snaplen to 0 forces tcpdump to capture the entire packet regardless of its size.
grep Since we had tcpdump output in ASCII, we can easily use the standard grep command to look for interesting text strings.

I was waiting on someone to ask the question "Why not use ngrep instead?". tcpdump's advantage is that it is more universally available than ngrep. If you're doing Incident Response on a Unix box of some kind, chances are that it already has tcpdump installed and you can use that to look for suspicious traffic as defined above.

Most Unix boxes do not have ngrep installed by default. But let's assume that you've got a dedicated IDS platform such as Security Onion which just so happens to include ngrep by default. Here's the ngrep version of the command:

Here we use the "-d eth1" option to force ngrep to listen on device eth1 and the "-s0" option to force ngrep to look at the entire packet. Note that, unlike tcpdump's default snaplen of 68 bytes, ngrep defaults to 65536, so this option isn't strictly needed here, but is included for completeness. After specifying these options, we simply tell ngrep what string to look for.

Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland Oregon 8/22 - 8/27. Sign up today!
http://www.sans.org/portland-2011-cs-2/description.php?tid=4866

Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland 8/22 - 8/27

2011-07-25T06:35:00.002-04:00

Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland Oregon 8/22 - 8/27. For more information about the class, please see:
http://www.sans.org/portland-2011-cs-2/description.php?tid=4866

Enter Discount Code COINS10 at the time of registration to save $356 on Tuition!

Security Onion 20110714 now available

2011-07-14T06:56:00.002-04:00

Security Onion 20110714 is now available! This release completes the PulledPork reconfiguration to ignore a new Emerging Threats BLOCK category released on 7/8/2011.

Existing Security Onion users can perform an in-place upgrade to version 20110714 using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Security Onion 20110709 now available

2011-07-11T00:41:00.003-04:00

Security Onion 20110709 is now available! This release configures PulledPork to ignore a new Emerging Threats BLOCK category released on 7/8/2011.

Existing Security Onion users can perform an in-place upgrade to version 20110709 using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Security Onion 20110628 now available

2011-06-29T20:12:00.002-04:00

Security Onion 20110628 is now available! This release fixes two minor issues with the OSSEC Sguil agent.

Existing Security Onion users can perform an in-place upgrade to version 20110628 using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Security Onion and UTC

2011-06-22T06:51:00.000-04:00

Sguil uses UTC. It does this for a few reasons:

UTC avoids any timewarps when changing from standard time to daylight saving time and vice versa.
UTC allows for correlation when sensors are in different time zones.

Because Sguil uses UTC, it is recommended to set your Security Onion timezone to UTC. Here's how:

For more information, please see:

https://help.ubuntu.com/community/UbuntuTime

Security Onion 20110614

2011-06-17T06:29:00.000-04:00

Security Onion 20110614 is now available! This upgrade fixes a few issues with downloading rules and adds some new menu entries to make rule editing a little easier. For more information, please see Issue 111.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade to version 20110614 using the following commands:

Screenshots

New menu entries

Clicking "Disable Downloaded Rules" opens disablesid.conf in a text editor

Clicking "Rule update" will run PulledPork and restart Barnyard2/Snort

Security Onion 20110607 featuring Sguil 0.8, Squert 0.8.3, and more polish!

2011-06-13T06:23:00.004-04:00

Update: Looks like the Security Onion 20110607 files haven't fully replicated to all Sourceforge mirrors yet. If you're having trouble downloading, please try later today.

Update 2011/06/14 6:00 AM: Sourceforge is reporting that the Security Onion 20110607 files have replicated to at least 15 mirrors now.

Security Onion 20110607 is now available! New features in this release are as follows:

Sguil 0.8 (now with more shininess and anti-aliased fonts!)
Squert 0.8.3 (now with user authentication!)
new tcl/tk packages (resolves a scaling issue when running in VMWare and allows for the anti-aliased fonts mentioned above)
httpry
a new Setup script (adds support for Sguil 0.8 and Squert 0.8.3 and also provides more information once Setup completes)

New Users
New users can download the latest ISO image from here. It should be noted that pentest tools have been removed from this ISO. This includes metasploit, john, ophcrack, and steghide. For more information, please see Issue 106.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade to version 20110607 using the following commands:

It will then upgrade your box to the latest tcl/tk, Sguil, Squert, and Setup script. If you have an existing Sguil database, it will run the Sguil DB upgrade, which will ask:

Please test the upgrade on test machines before upgrading your production machines.

Screenshots

Upgrade process

Sguil login window

Squert login window

Security Onion featured in SANS Student Project

2011-06-04T12:41:00.000-04:00

Security Onion was featured in a SANS Student Project. Russ McRee, Beth Binde, and Terrence O’Connor recently published Assessing Outbound Traffic to Uncover Advanced Persistent Threat. Great paper!

Security Onion Success Stories

2011-05-24T06:16:00.000-04:00

I received a couple of Security Onion Success Stories recently. I appreciate Brett S. and Gene A. taking the time to say thanks. It's a great source of encouragement and motivation for me to continue with the project. If you would like to share your Security Onion Success Story, please post it in the Comments section. Thanks!

Security Onion featured in ISSA Journal

2011-05-02T21:14:00.001-04:00

I always look forward to Russ McRee's Toolsmith column in the ISSA Journal. This month's Toolsmith column features Security Onion! Russ, thanks for the article and your kind words!

Security Onion 20110321: Distributed Sguil Sensors

2011-04-07T06:30:00.000-04:00

Security Onion 20110321 is now available! This new version includes an updated Setup script that allows you to easily create a Sguil server and then create multiple Sguil sensors that report back to the Sguil server.

How do I get it?
New users can download the latest ISO image from here. Existing Security Onion users can perform an in-place upgrade to version 20110321 using the following commands:

Existing users, please note that running Setup on a previously configured system will remove any existing configuration.

How do I create a Sguil server?
You have three options:
1. Launch Setup and choose "Quick Setup". This will install a Sguil server AND create a Sguil sensor for each ethernet interface on the server.
2. Launch Setup, choose "Advanced Setup", and choose "Both". This will install a Sguil server AND create a Sguil sensor for each ethernet interface on the server, but will give you more options than "Quick Setup".
3. Launch Setup, choose "Advanced Setup", and choose "Server". This will just install a Sguil server.

How do I create a Sguil sensor?
Launch Setup, choose "Advanced Setup", and choose "Sensor". Enter the name/address of the Sguil server and a username that has sudo permissions on the server. A terminal window will appear prompting you to login to the server to complete the server configuration.

Demo
Download the latest ISO image from here.
Boot the Security Onion ISO and choose Install from the boot menu.
Standard Ubuntu installer appears. Follow the prompts to complete your installation.
Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
Double-click the Setup desktop shortcut.
Administrative password prompt appears. Enter your password and click OK.

Welcome screen appears. Press Enter.

Quick Setup screen appears. Press Enter.

Username screen appears. Enter your desired Sguil username and press Enter.

Password screen appears. Enter your desired Sguil password and press Enter.

Password confirmation screen appears. Confirm your desired Sguil password and press Enter.

Settings confirmation screen appears. Press Enter.

Setup creates the Sguil server and sensors and then starts all services.

Setup Complete screen appears. Press Enter.

Double-click the Sguil desktop shortcut. Login window appears. Enter the Sguil username/password you specified in Setup.

Sensors window appears. Click "Select All" and then click "Start Sguil".

Sguil main window appears. Simulate an attack by going to a terminal and typing "curl http://testmyids.com".

A new alert should appear in the Sguil window. Notice that the sensor is named server-eth0, where "server" is the hostname and "eth0" is the interface that saw the traffic.

We've now verified that the Sguil server is running correctly. Let's go to our second machine and build a sensor.

Boot the Security Onion ISO and choose Install from the boot menu.

Standard Ubuntu installer appears. Follow the prompts to complete your installation.

Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.

Double-click the Setup desktop shortcut.

Administrative password prompt appears. Enter your password and click OK.

Welcome screen appears. Press Enter.

Quick Setup screen appears. Click "No, use Advanced Setup".

Components screen appears. Click "Sensor" and click "OK".

Server Hostname screen appears. Enter server hostname/address and press Enter.

SSH Username screen appears. Enter username on server and press Enter.

IDS Engine screen appears. Press Enter.

Interfaces screen appears. Select your desired interface(s) and click OK.

Confirm Settings screen appears. Click "Yes, proceed with the changes!".

Terminal appears prompting to accept SSH key of server. Type "yes" and press Enter.

Password prompt appears. Enter password and press Enter.

Sudo prompt appears. Enter password and press Enter.

Setup creates the Sguil sensor(s).

Setup starts all Sguil services.

Setup Complete screen appears. Press Enter.

Simulate an attack by opening a terminal and typing "curl http://testmyids.com".

At this point, we can return to our server. In the Sguil window, click File and then click "Change monitored networks".

Sensor selection window appears. Notice that there are new sensors named sensor-eth0, sensor-eth1, sensor-eth2, and sensor-ossec. Select the new sensors and click "Start Sguil".

Click the "Agent Status" tab and verify that the the new sensors are checking in.

Notice that there is a new alert with a sensor name of sensor-eth0, where "sensor" is the hostname of the sensor and "eth0" is the interface which saw the traffic.

In this blog post, we've demonstrated how Security Onion can build an army of distributed Sguil sensors in just a few minutes.

Security Onion 20110222 Resolves 2 Issues

2011-02-23T06:45:00.001-05:00

I've uploaded a new security-onion-upgrade.sh script which resolves a couple of issues:

http://code.google.com/p/security-onion/issues/detail?id=80
http://code.google.com/p/security-onion/issues/detail?id=87

To download and run the upgrade script, open a terminal and execute the following:

Security Onion 20110122 fixes DNS error in Sguil

2011-01-22T13:36:00.001-05:00

I received Issue 77 in the Security Onion Issue Tracker. The Issue describes an error when enabling Reverse DNS queries in Sguil. I was able to duplicate the issue.

I consulted with Bamm Visscher and he said this was due to Ubuntu's libudp-tcl package. I removed libudp-tcl and Reverse DNS queries started working again.

I've released a new upgrade script that fixes this issue automatically. Just download security-onion-upgrade.sh from http://sourceforge.net/projects/security-onion/files/ and run it like so:
sudo bash security-onion-upgrade.sh

It will then upgrade your Security Onion installation to version 20110122 and Reverse DNS queries should start working correctly.

Introduction to Sguil and Squert: Part 4

2011-01-20T07:10:00.001-05:00

This post is the fourth in a multi-part series designed to introduce Sguil and Squert to beginners.

I'm assuming you've already been through the steps in the previous posts in this series:
Introduction to Sguil and Squert: Part 1
Introduction to Sguil and Squert: Part 2
Introduction to Sguil and Squert: Part 3

In Part 3, we saw Sguil's killer feature of being able to pull session transcripts from the full packet captures to show an entire attack from beginning to end. In Part 4, we're going to see one of Squert's killer features: alert visualization.

Using the alerts from yesterday's demo, we display them in Squert.

Right above the alerts, we click "create" and are then prompted for some options. We give it a name and keep the other options at their default settings.

We then click the "create" button and then a graph is generated of the alert data.

We can then click on the graph to open a larger version and see more detail.

Security Onion nsm_all_del script

2011-01-20T06:44:00.000-05:00

This blog post will demonstrate the nsm_all_del script. If you ran through Setup and configured your sensors but decide that you need to re-run Setup for some reason (perhaps you want to choose Advanced Setup to choose specific interfaces), then you need to run nsm_all_del first. nsm_all_del will delete your current sensor configuration in preparation for running Setup again.

Suppose I ran through Setup using Quick Setup which enumerated my ethernet interfaces and created Sguil sensors for eth0, eth1, and eth2.

Now suppose I want eth0 to be just a management interface with no Sguil sensor. I need to run Setup again and choose Advanced Setup to exclude eth0, but first I need to run nsm_all_del to delete the current Sguil configuration.

Once clicked, nsm_all_del displays a warning.

It then begins deleting sensors, asking for confirmation along the way.

Once nsm_all_del completes, I then run Setup again and choose Advanced Setup so that I can choose which network interfaces should have Sguil sensors.

Once Setup completes, I login to Sguil and see that I only have Sguil sensors for eth1 and eth2.

Security Onion Upgrade Script

2011-01-20T06:25:00.000-05:00

This is a quick blog post to demonstrate the Security Onion Upgrade Script. If you're running Security Onion 20110101 or newer, you can download and run the Security Onion Upgrade script to do an in-place upgrade. In the screenshot below, you can see that I started with Security Onion 20110116 and then ran the following commands:

wget http://downloads.sourceforge.net/project/security-onion/security-onion-upgrade.sh

sudo bash security-onion-upgrade.sh

The upgrade script then upgraded the system to 20110117 and then to 20110118.

Introduction to Sguil and Squert: Part 3

2011-01-19T06:49:00.002-05:00

This post is the third in a multi-part series designed to introduce Sguil and Squert to beginners.

I'm assuming you've already been through the steps in Introduction to Sguil and Squert: Part 1 and Introduction to Sguil and Squert: Part 2.

In Parts 1 and 2, we compared Sguil and Squert and showed how you can accomplish the same thing in both. In Part 3, we're going to contrast them and see why we need both.

Let's start with Sguil. Sguil's killer feature is the ability to take an alert and pull a full session transcript. By doing this, we not only see the traffic that triggered the alert, but also the traffic in the session that occurred before and after the alert.

Time for an example. Download "Scan of the Month 19" from the Honeynet Project:
wget http://old.honeynet.org/scans/scan19/scan19.tar.gz

Expand the tarball:
tar zxvf scan19.tar.gz

If you haven't already, log into Sguil so that you'll be able to see the alerts as they populate. Now use tcpreplay to replay newdat3.log onto your eth0 interface (you may need/want to use a different interface, just make sure it's one that's being monitored by Sguil):
sudo tcpreplay -i eth0 -t newdat3.log

As soon as you hit Enter, switch over to your Sguil console so that you can see the alerts. You should see something like this:

Go to either of the "GPL FTP SITE ..." events, right-click the Alert ID, and click Transcript. A new window will appear like this:

It may take a few seconds to pull the entire transcript. Once it does, you'll be able to scroll down and see the entire FTP attack, from the buffer overflow to the attacker catting the passwd file:

Can your commercial IDS do that? Come back tomorrow to see one of the killer features that Squert has.