Showing results for tags 'distro'.

Found 18 results

  1. This isn't a new thing in the pentesting scene, it's been around for a while. I figured I'd post it here though 😉 If you don't use arch linux, be sure to read the supplied wiki for information on how to install and some basic usage. Try it out in a VM and have some fun 😛
  2. Security Onion

     Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Changelog v2.3.170
     • FEATURE: Events table(s) for Windows Events matching default view #8591
     • FEATURE: Split the winlog.event_data.Hashes field for Windows sysmon process creation events. #8593
     • FIX: Mapping error when trying to index Strelka logs generated from ELF files. #8592
     • UPGRADE: Elastic 8.4.1 #8794
     • UPGRADE: Zeek 4.0.9 #8774
  3. Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Changelog v2.3.110
     • FEATURE: Full ECS data type compliance #6747
     • FEATURE: Intrusion Detection Honeypot Node #7138
     • FEATURE: Multi-Factor Authentication (MFA) for Security Onion #7316
     • FEATURE: Populate Zeek’s networks.cfg with $HOME_NET #6854
     • FEATURE: SOC authentication logs will now be ingested into Elasticsearch #7354
     • FEATURE: sort indices list alphabetically by index name #6969
     • FIX: ACNG should clear the cache on restart #7114
     • FIX: Abort so-user sync if Kratos database is locked #7459
     • FIX: Add Endgame Index settings to the global.sls on new installs #7293
     • FIX: Allow downgrades during docker_install #7228
     • FIX: Avoid telegraf apparmor issues #2560
     • FIX: Composable Templates #4644
     • FIX: Increase minimum password length from 6 to 8 characters #7352
     • FIX: Navigator should ship with all needed files #1162
     • FIX: Prevent Elasticsearch deprecation notices from causing installation failures #7353
     • FIX: Random passwords generated at setup contain character combinations that cause problems with some containers #7233
     • FIX: curator should exclude so-case* indices #7270
     • FIX: so-ip-update needs to update Kibana dashboards #7237
     • FIX: so-status TTY improvements #7355
     • UPGRADE: Elastic 7.17.1 #7137
     • UPGRADE: FleetDM to 4.10.0 #7245
     • UPGRADE: Grafana 8.4.1 #7281
     • UPGRADE: Kratos 0.8.2-alpha.1 #7351
  4. Security Onion

     Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Core Components
     • Logstash – Parse and format logs.
     • Elasticsearch – Ingest and index logs.
     • Kibana – Visualize ingested log data.

     Auxiliary Components
     • Curator – Manage indices through scheduled maintenance.
     • ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
     • FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
     • DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

     Changelog v2.3.90
     • FEATURE: Add ASN annotation for GeoIP #5068
     • FEATURE: Add Endgame Support for Security Onion #6166
     • FEATURE: Add TI Module #5916
     • FEATURE: Add additional flags to stenographer config #5851
     • FEATURE: Add filebeat, auditbeat, and metricbeat downloads to SOC Download screen #5849
     • FEATURE: Add logstash and redis input plugins to telegraf #5960
     • FEATURE: Add so-deny script for removing access from firewall and other apps #4621
     • FEATURE: Add support for escalation to Elastic Cases #6048
     • FEATURE: Allow for Kibana customizations via pillar #3933
     • FEATURE: Allow users to set their profile information #5846
     • FEATURE: Allow vlan tagged NICs to be used as management interface #3687
     • FEATURE: Create Pipeline Overview Dashboard for Grafana #6177
     • FEATURE: Create script to reset elastic auth passwords #6206
     • FEATURE: Enable Kibana Settings for encryption #6146
     • FEATURE: Expose new user profile field for specifying a custom note about a user #5847
     • FEATURE: HTTP module for SOC event escalation #5791
     • FEATURE: Increase password lengths, provide a way to change existing passwords #6043
     • FEATURE: Indicate that setup has completed at the very end of sosetup.log #5032
     • FEATURE: Prevent SOUP from running if there is an issue with the manager pillar #5809
     • FEATURE: Provide quick-select date ranges from Hunt/Alerts date range picker #5953
     • FEATURE: SOC Hunt Timeline/Charts should be collapsible #5114
     • FEATURE: Support Ubuntu 20.04 #601
     • FEATURE: setup should run so-preflight #3497
     • FIX: ACNG sometimes returns 503 errors when updating Ubuntu through the manager #6151
     • FIX: Add details to Setup for Install Type menus #6105
     • FIX: Adjust timeout in check_salt_minion_status in so-functions #5818
     • FIX: All templates should honor replica settings #6005
     • FIX: Clear holds on Ubuntu installs #5588
     • FIX: Consider making the airgap option only settable on the manager #5914
     • FIX: Docker containers should not start unless file events are completed #5955
     • FIX: Ensure soc_users_roles file is cleaned up if incorrectly mounted by Docker #5952
     • FIX: Favor non-aggregatable data type when a cache field has multiple conflicting data types #5962
     • FIX: Firefox tooltips stuck on Hunt and Alerts screens #6010
     • FIX: Grafana sensor graphs only show interface graphs when selected individually #6007
     • FIX: Kibana saved objects #5193
     • FIX: Modify Steno packet loss calculation to show point in time packet loss #6060
     • FIX: Remove CURCLOSEDAYS prompt in Setup since it is no longer used #6084
     • FIX: Remove references to xenial (Ubuntu 16.04) from setup #4292
     • FIX: Remove unnecessary screens from Analyst Setup #5615
     • FIX: SOC docker should not start until file managed state runs #5954
     • FIX: SOC unable to acknowledge alerts when not grouped by rule.name #5221
     • FIX: Setup should ask if new or existing distributed deployment #6115
     • FIX: Setup should prevent invalid characters in Node Description field #5937
     • FIX: Support non-WEL Beats #6063
     • FIX: Unnecessary Port Binding for so-steno #5981
     • FIX: Use yaml.safe_load() in so-firewall (thanks to @clairmont32) #5750
     • FIX: Zeek state max depth not working #5558
     • FIX: so-ip-update should grant mysql root user access on new IP #4811
     • FIX: docker group can be given gid used by salt created groups #6071
     • FIX: packetloss.sh gives an error every 10 min though ZEEK is disabled #5759
     • FIX: so-import-evtx elastic creds & logging #6065
     • FIX: so-user delete function causes re-migration of user roles #5897
     • FIX: wazuh-register-agent times out after 15 minutes lower to 5 minutes #5794
     • FIX: yum pkg.clean_metadata occasionally fails during setup #6113
     • UPGRADE: ElastAlert to 2.2.2 #5751
     • UPGRADE: Elastic to 7.15.2 #5752
     • UPGRADE: FleetDM to 4.5 #6188
     • UPGRADE: Grafana to 8.2.3 #5852
     • UPGRADE: Kratos to 0.7.6-alpha.1 #5848
     • UPGRADE: Redis to 6.2.6 #6140
     • UPGRADE: Suricata to 6.0.4 #6274
     • UPGRADE: Telegraf to 1.20.3 #6075
  5. Security Onion

     Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Core Components
     • Logstash – Parse and format logs.
     • Elasticsearch – Ingest and index logs.
     • Kibana – Visualize ingested log data.

     Auxiliary Components
     • Curator – Manage indices through scheduled maintenance.
     • ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
     • FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
     • DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

     Changelog v2.3.80
     • FEATURE: Ability to disable Zeek, Suricata #4429
     • FEATURE: Add docs link to Setup #5459
     • FEATURE: Add evtx support in Import Node #2206
     • FEATURE: Consolidate whiptail screens when selecting optional components #5456
     • FEATURE: Distinguish between Zeek generated syslog and normal syslog in hunt for event fields #5403
     • FEATURE: Enable index sorting to increase search speed #5287
     • FEATURE: Expose options for elasticsearch.yml via Salt pillar #1257
     • FEATURE: Role-based access control (RBAC) #5614
     • FEATURE: soup -y for automation #5043
     • FIX: Add new default filebeat module indices to the global pillar. #5526
     • FIX: all.rules file can become empty on non-airgap deployments if manager does not have access to the internet. #3619
     • FIX: Curator cron should run less often #5189
     • FIX: Improve unit test maintainability by refactoring to use Golang assertion library #5604
     • FIX: Invalid password message should also mention dollar signs are not allowed #5381
     • FIX: Max files for steno should use a pillar value for easy tuning. #5393
     • FIX: Remove raid check for official cloud appliances #5449
     • FIX: Remove watermark settings from global pillar. #5520
     • FIX: SOC Username case sensitivity #5154
     • FIX: so-user tool should validate password before adding user to SOC #5606
     • FIX: Switch to new Curator auth params #5273
     • UPGRADE: Curator to 5.8.4 #5272
     • UPGRADE: CyberChef to 9.32.2 #5158
     • UPGRADE: SOC UI 3rd Party dependencies to latest versions #5603
     • UPGRADE: Zeek to 4.0.4 #5630
  6. Security Onion

     Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Changelog v2.3.61
     • FIX: Airgap link to Release Notes #4685
     • FIX: CyberChef unable to load due to recent Content Security Policy restrictions #4885
     • FIX: Suricata dns.response.code needs to be renamed to dns.response.code_name #4770
     • UPGRADE: alpine 3.12.1 to latest for Fleet image #4823
     • UPGRADE: Elastic 7.13.4 #4730
     • UPGRADE: Zeek 4.0.3 #4716
  7. Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Core Components
     • Logstash – Parse and format logs.
     • Elasticsearch – Ingest and index logs.
     • Kibana – Visualize ingested log data.

     Auxiliary Components
     • Curator – Manage indices through scheduled maintenance.
     • ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
     • FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
     • DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

     Changelog v2.3.30
     • Zeek is now at version 3.0.13.
     • CyberChef is now at version 9.27.2.
     • Elastic components are now at version 7.10.2. This is the last version that uses the Apache license.
     • Suricata is now at version 6.0.1.
     • Salt is now at version 3002.5.
     • Suricata metadata parsing is now vastly improved. If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types here: [Hidden Content]
     • It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here: [Hidden Content]
     • The Kratos docker container will now perform DNS lookups locally before reaching out to the network DNS provider.
     • Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces.
     • so-sensor-clean will no longer spawn multiple instances.
     • Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting.
     • Fixed a security issue where the backup directory had improper file permissions.
     • The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days.
     • Strelka logs are now being rotated properly.
     • Elastalert can now be customized via a pillar.
     • Introduced new script so-monitor-add that allows the user to easily add interfaces to the bond for monitoring.
     • Setup now validates all user input fields to give up-front feedback if an entered value is invalid.
     • There have been several changes to improve install reliability. Many install steps have had their validation processes reworked to ensure that required tasks have been completed before moving on to the next step of the install.
     • Users are now warned if they try to set “securityonion” as their hostname.
     • The ISO should now identify xvda and nvme devices as install targets.
     • At the end of the first stage of the ISO setup, the ISO device should properly unmount and eject.
     • The text selection of choosing Suricata vs Zeek for metadata is now more descriptive.
     • The logic for properly setting the LOG_SIZE_LIMIT variable has been improved.
     • When installing on Ubuntu, Setup will now wait for cloud init to complete before trying to start the install of packages.
     • The firewall state runs considerably faster now.
     • ICMP timestamps are now disabled.
     • Copyright dates on all Security Onion specific files have been updated.
     • so-tcpreplay (and indirectly so-test) should now work properly.
     • The Zeek packet loss script is now more accurate.
     • Grafana now includes an estimated EPS graph for events ingested on the manager.
     • Updated Elastalert to release 0.2.4-alt2 based on the [Hidden Content] alt branch.
     • Pivots from Alerts/Hunts to action links will properly URI encode values.
     • Hunt timeline graph will properly scale the data point interval based on the search date range.
     • Grid interface will properly show “Search” as the node type instead of “so-node”.
     • Import node now supports airgap environments.
     • The so-mysql container will now show “healthy” when viewing the docker ps output.
     • The Soctopus configuration now uses private IPs instead of public IPs, allowing network communications to succeed within the grid.
     • The Correlate action in Hunt now groups the OR filters together to ensure subsequent user-added filters are correctly ANDed to the entire OR group.
     • Add support to so-firewall script to display existing port groups and host groups.
     • Hive init during Setup will now properly check for a running ES instance and will retry connectivity checks to TheHive before proceeding.
     • Changes to the .security analyzer yield more accurate query results when using Playbook.
     • Several Hunt queries have been updated.
     • The pfSense firewall log parser has been updated to improve compatibility.
     • Kibana dashboard hyperlinks have been updated for faster navigation.
     • Added a new so-rule script to make it easier to disable, enable, and modify SIDs.
     • ISO now gives the option to just configure the network during setup.
  8. Security Onion 2.3.21 - Linux distro for intrusion detection, enterprise security monitoring, and log management

     Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Core Components
     • Logstash – Parse and format logs.
     • Elasticsearch – Ingest and index logs.
     • Kibana – Visualize ingested log data.

     Auxiliary Components
     • Curator – Manage indices through scheduled maintenance.
     • ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
     • FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
     • DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

     Changelog v2.3.21
     • soup has been refactored. You will need to run it a few times to get all the changes properly. We are working on making this even easier for future releases.
     • soup now has awareness of Elastic Features and now downloads the appropriate Docker containers.
     • The Sensors interface has been renamed to Grid. This interface now includes all Security Onion nodes.
     • Grid interface now includes the status of the node. The status currently shows either Online (blue) or Offline (orange). If a node does not check in on time then it will be marked as Offline.
     • Grid interface now includes the IP and Role of each node in the grid.
     • Grid interface includes a new Filter search input to filter the visible list of grid nodes to a desired subset. As an example, typing in “sensor” will hide all nodes except those that behave as a sensor.
     • The Grid description field can now be customized via the local minion pillar file for each node.
     • SOC will now draw attention to an unhealthy situation within the grid or with the connection between the user’s browser and the manager node. For example, when the Grid has at least one Offline node the SOC interface will show an exclamation mark in front of the browser tab’s title and an exclamation mark next to the Grid menu option in SOC. Additionally, the favicon will show an orange marker in the top-right corner (dynamic favicons not supported in Safari). Additionally, if the user’s web browser is unable to communicate with the manager, the unhealthy indicators appear along with a message at the top of SOC that states there is a connection problem.
     • Docker has been upgraded to the latest version. Docker should be more reliable now as Salt is now managing daemon.json.
     • You can now install Elastic in a traditional cluster. When setting up the manager select Advanced and follow the prompts. Replicas are controlled in global.sls.
     • You can now use Hot and Warm routing with Elastic in a traditional cluster. You can change the box.type in the minion’s sls file. You will need to create a curator job to re-tag the indexes based on your criteria.
     • Telegraf has been updated to version 1.16.3.
     • Grafana has been updated to 7.3.4 to resolve some XSS vulnerabilities.
     • Grafana graphs have been changed to graphs vs gauges so alerting can be set up.
     • Grafana is now completely pillarized, allowing users to customize alerts and making it customizable for email, Slack, etc. See the docs here: [Hidden Content]
     • Yara rules now should properly install on non-airgap installs. Previously, users had to wait for an automated job to place them in the correct location.
     • Strelka backend will not stop itself any more. Previously, its behavior was to shut itself down after fifteen minutes and wait for Salt to restart it to look for work before shutting down again.
     • Strelka daily rule updates are now logged to /nsm/strelka/log/yara-update.log
     • Several changes to the setup script to improve install reliability.
     • Airgap now supports the import node type.
     • Custom Zeek file extraction values in the pillar now work properly.
     • TheHive has been updated to support Elastic 7.
     • Cortex image now includes whois package to correct an issue with the CERTatPassiveDNS analyzer.
     • Hunt and Alert quick action menu has been refactored into submenus.
     • New clipboard quick actions now allow for copying fields or entire events to the clipboard.
     • PCAP Add Job form now retains previous job details for quickly adding additional jobs. A new Clear button now exists at the bottom of this form to clear out these fields and forget the previous job details.
     • PCAP Add Job form now allows users to perform arbitrary PCAP lookups of imported PCAP data (data imported via the so-import-pcap script).
     • Downloads page now allows direct download of Wazuh agents for Linux, Mac, and Windows from the manager, and shows the version of Wazuh and Elastic installed with Security Onion.
     • PCAP job interface now shows additional job filter criteria when expanding the job filter details.
     • Upgraded authentication backend to Kratos 0.5.5.
     • SOC tables with the “Rows per Page” dropdown no longer show truncated page counts.
     • Several Hunt errors are now more descriptive, particularly those around malformed queries.
     • SOC Error banner has been improved to avoid showing raw HTML syntax, making connection and server-side errors more readable.
     • Hunt and Alerts interfaces will now allow pivoting to PCAP from a group of results if the grouped results contain a network.community_id field.
     • New “Correlate” quick action will pivot to a new Hunt search for all events that can be correlated by at least one of various event IDs.
     • Fixed bug that caused some Hunt queries to not group correctly without a .keyword suffix. This has been corrected so that the .keyword suffix is no longer necessary on those groupby terms.
     • Fixed issue where PCAP interface loses formatting and color coding when opening multiple PCAP tabs.
     • Alerts interface now has a Refresh button that allows users to refresh the current alerts view without refreshing the entire SOC application.
     • Hunt and Alerts interfaces now have an auto-refresh dropdown that will automatically refresh the current view at the selected frequency.
     • The so-elastalert-test script has been refactored to work with Security Onion 2.3.
     • The included Logstash image now includes Kafka plugins.
     • Wazuh agent registration process has been improved to support slower hardware and networks.
     • An Elasticsearch ingest pipeline has been added for suricata.ftp_data.
     • Elasticsearch’s indices.query.bool.max_clause_count value has been increased to accommodate a slightly larger number of fields (1024 -> 1500) when querying using a wildcard.
     • On nodes being added to an existing grid, setup will compare the version currently being installed to the manager (>=2.3.20), pull the correct Security Onion version from the manager if there is a mismatch, and run that version.
     • Setup will gather any errors found during a failed install into /root/errors.log for easy copy/paste and debugging.
     • Selecting Suricata as the metadata engine no longer results in the install failing.
     • so-rule-update now accepts arguments to idstools. For example, so-rule-update -f will force idstools to pull rules, ignoring the default 15-minute pull limit.
  9. Security Onion

     Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Core Components
     • Logstash – Parse and format logs.
     • Elasticsearch – Ingest and index logs.
     • Kibana – Visualize ingested log data.

     Auxiliary Components
     • Curator – Manage indices through scheduled maintenance.
     • ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
     • FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
     • DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

     Changelog v2.2 RC3

     First, we have a new so-analyst script that will optionally install a GNOME desktop environment, Chromium web browser, NetworkMiner, Wireshark, and many other analyst tools.

     Next, we’ve collapsed Hunt filter icons and action links into a new quick action bar that will appear when you click a field value. Actions include:
     • Filtering the hunt query
     • Pivot to PCAP
     • Create an alert in TheHive
     • Google search for the value
     • Analyze the value on VirusTotal.com

     Finally, we’ve greatly improved support for airgap deployments. There is more work to be done in the next release, but we’re getting closer!
  10. Security Onion

     Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Core Components
     • Logstash – Parse and format logs.
     • Elasticsearch – Ingest and index logs.
     • Kibana – Visualize ingested log data.

     Auxiliary Components
     • Curator – Manage indices through scheduled maintenance.
     • ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
     • FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
     • DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

     Changelog v2.0 RC1
     • Re-branded 2.0 to give it a fresh look
     • All documentation has moved to our docs site
     • soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date.
     • so-import-pcap is back! See the so-import-pcap docs here.
     • Fixed issue with so-features-enable
     • Users can now pivot to PCAP from Suricata alerts
     • ISO install now prompts users to create an admin/sudo user instead of using a default account name
     • The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
     • Fixed issue with disk cleanup
     • Changed the default permissions for /opt/so to keep non-privileged users from accessing salt and related files
     • Locked down access to certain SSL keys
     • Suricata logs now compress after they roll over
     • Users can now easily customize shard counts per index
     • Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
     • Elastic nodes are now “hot” by default, making it easier to add a warm node later
     • so-allow now runs at the end of an install so users can enable access right away
     • Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity: 1-Low / 2-Medium / 3-High / 4-Critical
     • Initial implementation of alerting queues: Low & Medium alerts are accessible through Kibana & Hunt; High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
     • ATT&CK Navigator is now a statically-hosted site in the nginx container
     • Playbook
       • All Sigma rules in the community repo (500+) are now imported and kept up to date
       • Initial implementation of automated testing when a Play’s detection logic has been edited (i.e., Unit Testing)
       • Updated UI Theme
       • Once authenticated through SOC, users can now access Playbook with analyst permissions without login
     • Kolide Launcher has been updated to include the ability to pass arbitrary flags – new functionality sponsored by SOS
     • Fixed issue with Wazuh authd registration service port not being correctly exposed
     • Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
     • Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)
     • Added default YARA rules for Strelka – default rules are maintained by Florian Roth and pulled from [Hidden Content]
     • Added the ability to use custom Zeek scripts
     • Renamed “master server” to “manager node”
     • Improved unification of Zeek and Strelka file data
  11. Security Onion 16.04.6.5 - Linux distro for intrusion detection, enterprise security monitoring, and log management

     Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

     Core Components
     • Logstash – Parse and format logs.
     • Elasticsearch – Ingest and index logs.
     • Kibana – Visualize ingested log data.

     Auxiliary Components
     • Curator – Manage indices through scheduled maintenance.
     • ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
     • FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
     • DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

     Changelog v16.04.6.5
     • Zeek 3.0.3
     • Suricata 4.1.7
     • Elastic 6.8.7
     • CyberChef 9.18.2
  12. AttifyOS is a distro intended to help you perform a security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded. The new version is based on Ubuntu 18.04 64-Bit – that also means that you’ll receive updates for this version till April 2023.

  Tools Included
  • Arduino
  • Baudrate
  • BDAddr
  • BetterCap
  • Binwalk
  • Create_AP
  • Cutter
  • DspectrumGUI
  • Dump1090
  • Firmadyne
  • Firmware Analysis Toolkit (FAT)
  • Firmware-Mod-Kit (FMK)
  • GHIDRA
  • GNURadio
  • GQRX
  • GR-GSM
  • GR-Paint
  • HackRF tools
  • Inspectrum
  • JADx
  • Kalibrate-RTL
  • KillerBee
  • LibMPSSE
  • Liquid-DSP
  • LTE-Cell-Scanner
  • NMAP
  • OOK-Decoder
  • Qiling
  • radare2
  • RFCat
  • RouterSploit
  • RTL-433
  • RTL-SDR tools
  • Scapy
  • Spectrum Painter
  • Ubertooth tools
  • URH (Universal Radio Hacker)

  [Hidden Content]
  13. ArcoLinux is an Arch Linux based distro that uses:
  • Arch Linux as a base
  • elements from the AUR (applications from github, debian (deb), redhat (rpm), compressed files, etc…)
  • ArcoLinux created elements (themes, icons, conky’s, tweaks and configs)

  Features
  • Provide an operating system with all applications with personal theming installed but also bluetooth, printers, … After the installation no fuss and all fun.
  • Provide a continuous stream of tutorials and knowledge on ArcoLinux.
  • Easy setup. No technical knowledge.
  • Low in cpu and memory consumption
  • Provide all icons, themes, cursors, wallpapers, … out of the box.
  • Provide Windows users a comfortable transition to the (Arch) Linux world.
  • Blazing fast.

  Linux, Arch Linux, xfce, openbox, i3wm, awesome, budgie, cinnamon, gnome, mate, bspwm

  Changelog
  • CALAMARES NEW VERSION 3.2.8
  • NEW PROJECT ARCOLINUXB XFCE BARE
  • QTILE TUTORIALS AND PROJECTS
  • QTILE OBLOGOUT
  • QTILE MEMORY WIDGET
  • QTILE NET GRAPH WIDGET
  • QTILE NET WIDGET
  • QTILE BATTERY
  • QTILE SUPER + SHIFT + X
  • BREAKING BAD CONKY
  • MAINTENANCE OF GITHUBS
  • NEW IN .BIN
  • GENERAL IMPROVEMENTS
  • FUTURE EFFORTS
  • STAY ROLLING
  • More…

  [Hidden Content]
  14. Introduction

  Pentoo Linux is a Live CD and Live USB, based on Gentoo Linux and designed for penetration testing and security assessment. Therefore, it contains plenty of security-focused and pentesting tools. If you’re looking for a Kali Linux or BlackArch alternative, Pentoo Linux might be the right choice for you since it brings a rich hacking software repository for your daily security and hacking tasks. In addition, it’s available for both 32 bit and 64 bit architecture. Pentoo Linux might not be the most beginner-friendly distribution, but for all linux enthusiasts it’ll be an adventurous voyage for sure. When it comes to the Pentoo flavors, you have to choose between two main: hardened, default or i686. Give this Gentoo Linux Overlay a chance and see how it’ll work for you.

  Pentoo 2019.0 Current Features:
  • Full UEFI including secure boot support
  • Unetbootin et al support, including "Ubuntu only" changes saving 🙂
  • OpenCL Enhanced cracking software including John The Ripper and Hashcat
  • Kernel 4.20.2 and all needed patches for injection including the latest 802.11ac drivers
  • XFCE 4.12
  • Full tools list to the right ->
  • All the latest tools and a responsive development team!

  [Hidden Content]
  15. How to Install a Complete Linux Distro on Android [Hidden Content]
  16. BackBox Linux: Security Assessment and Penetration Testing Distro

  [Hidden Content]

  BackBox is a fast and easy to use penetration testing and security assessment distribution based on Ubuntu core. With its own software repositories, you’ll have access to all necessary tools (regularly updated) that you need for your pentesting and security analysis tasks, organized in three main categories: auditing, services and anonymous.

  Features:
  • Lightweight Linux distribution based on Ubuntu (should work well even on old hardware).
  • Standard Xfce desktop environment.
  • Launchpad repository core, constantly updated to the latest stable version of the most known and used ethical hacking tools.
  • Includes some of the most commonly known/used hacking and security analysis tools (web application analysis, network analysis, stress tests, sniffing, vulnerability assessment, forensic analysis, exploitation tools, etc.).
  • Built-in anonymous mode.
  • Well organized and designed menu, intuitive, friendly and easy to use (also suitable for beginners).
  • You can change/modify it to suit your needs, and install additional tools that aren’t present in the repositories.
  • and so much more.

  System requirements:
  • 32-bit or 64-bit processor
  • 1024 MB of system memory (RAM)
  • 10 GB of disk space for installation
  • Graphics card capable of 800×600 resolution
  • DVD-ROM drive or USB port (3 GB)

  Some of the BackBox Linux Tools
  • Information Gathering: arping, arp-scan, ike-scan, p0f
  • Vulnerability Assessment: nikto, skipfish
  • Miscellaneous: scapy
  • Exploitation: BeEF, sqlmap, msfconsole, WPscan
  • Privilege Escalation: Xhydra, John The Ripper, medusa, dsniff, Ettercap, Wireshark, arp-spoof, dns-spoof