Security Onion 2.3.30 - Linux distro for intrusion detection


Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro (now Zeek), OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

The core and auxiliary components of Security Onion on the Elastic Stack are summarized below.

Core Components

Logstash – Parse and format logs.
Elasticsearch – Ingest and index logs.
Kibana – Visualize ingested log data.

Auxiliary Components

Curator – Manage indices through scheduled maintenance.
ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

Changelog v2.3.30

        Zeek is now at version 3.0.13.
        CyberChef is now at version 9.27.2.
        Elastic components are now at version 7.10.2. This is the last version that uses the Apache license.
        Suricata is now at version 6.0.1.
        Salt is now at version 3002.5.
        Suricata metadata parsing is now vastly improved.
        If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types here: https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/extraction.rules
        It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here: https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/filters.rules
        The Kratos docker container will now perform DNS lookups locally before reaching out to the network DNS provider.
        Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces.
        so-sensor-clean will no longer spawn multiple instances.
        Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting.
        Fixed a security issue where the backup directory had improper file permissions.
        The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days.
        Strelka logs are now being rotated properly.
        ElastAlert can now be customized via a pillar.
        Introduced new script so-monitor-add that allows the user to easily add interfaces to the bond for monitoring.
        Setup now validates all user input fields to give up-front feedback if an entered value is invalid.
        There have been several changes to improve install reliability. Many install steps have had their validation processes reworked to ensure that required tasks have been completed before moving on to the next step of the install.
        Users are now warned if they try to set “securityonion” as their hostname.
        The ISO should now identify xvda and nvme devices as install targets.
        At the end of the first stage of the ISO setup, the ISO device should properly unmount and eject.
        The text selection of choosing Suricata vs Zeek for metadata is now more descriptive.
        The logic for properly setting the LOG_SIZE_LIMIT variable has been improved.
        When installing on Ubuntu, Setup will now wait for cloud init to complete before trying to start the install of packages.
        The firewall state runs considerably faster now.
        ICMP timestamps are now disabled.
        Copyright dates on all Security Onion specific files have been updated.
        so-tcpreplay (and indirectly so-test) should now work properly.
        The Zeek packet loss script is now more accurate.
        Grafana now includes an estimated EPS graph for events ingested on the manager.
        Updated ElastAlert to release 0.2.4-alt2 based on the https://github.com/jertel/elastalert alt branch.
        Pivots from Alerts/Hunts to action links will properly URI encode values.
        Hunt timeline graph will properly scale the data point interval based on the search date range.
        Grid interface will properly show “Search” as the node type instead of “so-node”.
        Import node now supports airgap environments.
        The so-mysql container will now show “healthy” when viewing the docker ps output.
        The Soctopus configuration now uses private IPs instead of public IPs, allowing network communications to succeed within the grid.
        The Correlate action in Hunt now groups the OR filters together to ensure subsequent user-added filters are correctly ANDed to the entire OR group.
        Added support to the so-firewall script to display existing port groups and host groups.
        Hive init during Setup will now properly check for a running ES instance and will retry connectivity checks to TheHive before proceeding.
        Changes to the .security analyzer yield more accurate query results when using Playbook.
        Several Hunt queries have been updated.
        The pfSense firewall log parser has been updated to improve compatibility.
        Kibana dashboard hyperlinks have been updated for faster navigation.
        Added a new so-rule script to make it easier to disable, enable, and modify SIDs.
        ISO now gives the option to just configure the network during setup.
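The two Suricata 6 features called out in the changelog (file extraction for Strelka and filtering events out of eve.json) are both driven by rule files. The block below is an added example written for this post, not the contents of Security Onion's own extraction.rules or filters.rules. The SIDs, the file types chosen for extraction and the domain and User-Agent being filtered are assumptions; adjust them to your environment. The `filestore` and `noalert` keywords and the `config` rule action with `logging disable, type tx` are standard Suricata 6 syntax.

```suricata
# --- File extraction (the mechanism behind extraction.rules) ---
# "filestore" tells Suricata to write the matched file to its filestore
# directory, which is where Security Onion hands files to Strelka.
# "noalert" keeps these rules from generating alerts: we only want the file.
# Matching on filemagic (content sniffing) is more robust than fileext,
# because an attacker controls the filename but not the file header.
# Example file types and SIDs below are assumptions.
alert http any any -> any any (msg:"FILE extract Windows executable"; filemagic:"executable for MS Windows"; filestore; noalert; sid:9000001; rev:1;)
alert http any any -> any any (msg:"FILE extract PDF"; filemagic:"PDF document"; filestore; noalert; sid:9000002; rev:1;)
alert http any any -> any any (msg:"FILE extract Office document"; filemagic:"Microsoft Office"; filestore; noalert; sid:9000003; rev:1;)
# Suricata 6 also supports file extraction on SMB and SMTP, not only HTTP.
alert smb any any -> any any (msg:"FILE extract executable over SMB"; filemagic:"executable for MS Windows"; filestore; noalert; sid:9000004; rev:1;)
alert smtp any any -> any any (msg:"FILE extract executable attachment"; filemagic:"executable for MS Windows"; filestore; noalert; sid:9000005; rev:1;)

# --- Event filtering (the mechanism behind filters.rules) ---
# Suricata 6 added the "config" rule action. A config rule with
# "logging disable, type tx" suppresses the eve.json record for the
# matched transaction without touching detection or the packet itself.
# The domain and User-Agent below are assumptions standing in for whatever
# noisy, known-good traffic you decide not to log.
config dns any any -> any any (dns.query; content:"monitoring.example.internal"; endswith; config: logging disable, type tx; sid:9000101; rev:1;)
config http any any -> any any (http.user_agent; content:"ExampleHealthCheck/1.0"; startswith; config: logging disable, type tx; sid:9000102; rev:1;)
```

Two practical caveats: every filestore rule widens the blast radius of any later parser bug in whatever consumes the extracted files, so extract only the types Strelka actually has scanners for; and a config filter is a blind spot by design, so scope it as tightly as the match keywords allow (here the exact domain suffix and User-Agent prefix) and document each SID, since filtered transactions leave no trace in eve.json to remind you later.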
