Security Onion 2.3.21 - Linux distro for intrusion detection, enterprise security monitoring, and log management

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Below are several diagrams to represent the current architecture and deployment scenarios for Security Onion on the Elastic Stack.

Core Components

Logstash – Parse and format logs.
Elasticsearch – Ingest and index logs.
Kibana – Visualize ingested log data.

Auxiliary Components

Curator – Manage indices through scheduled maintenance.
ElastAlert – Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
FreqServer – Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
DomainStats – Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.
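The FreqServer entry above describes character-frequency scoring of names to spot DGA domains and other machine-generated strings. The following is an added illustration of that idea, written for this page and not code from the Security Onion project or from FreqServer itself: a small character-pair (bigram) model trained on a constructed English text, which scores any name by how natural its letter transitions are. The training text, the sample names and the 0.04 threshold are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed training text (assumption: stands in for the large English corpora a
# real FreqServer instance is trained on; any natural-language text would do).
TRAINING_TEXT = """
security onion is a free and open source linux distribution for intrusion detection
enterprise security monitoring and log management it includes elasticsearch logstash
kibana snort suricata zeek ossec sguil squert and networkminer the setup wizard allows
you to build an army of distributed sensors for your enterprise in minutes analysts
hunt for alerts review network connections inspect packets and pivot between events
the grid interface shows every node its role its address and whether it is online
"""

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


class CharPairModel:
    """Character-pair (bigram) frequency model in the spirit of FreqServer.

    Strings built from letter pairs that rarely occur in natural text (DGA domains,
    random file or service names) get a low score; ordinary words get a high one.
    """

    def __init__(self):
        self.pairs = defaultdict(Counter)   # first char -> Counter of following chars

    def train(self, text):
        prev = None
        for ch in text.lower():
            if ch not in ALPHABET:          # word boundary: never pair across separators
                prev = None
                continue
            if prev is not None:
                self.pairs[prev][ch] += 1
            prev = ch

    def pair_probability(self, first, second):
        # Add-one smoothing so a pair never seen in training keeps a small probability
        following = self.pairs.get(first, Counter())
        return (following[second] + 1) / (sum(following.values()) + len(ALPHABET))

    def score(self, word):
        """Geometric mean of transition probabilities, 0..1; higher = more natural."""
        log_probs = []
        prev = None
        for ch in word.lower():
            if ch not in ALPHABET:          # dots, dashes, underscores split the name
                prev = None
                continue
            if prev is not None:
                log_probs.append(math.log(self.pair_probability(prev, ch)))
            prev = ch
        if not log_probs:                   # one character or no letters: no evidence
            return 1.0
        return math.exp(sum(log_probs) / len(log_probs))

    def is_random(self, word, threshold=0.04):
        """Flag strings whose transitions look random (threshold is an assumption)."""
        return self.score(word) < threshold


def build_model():
    model = CharPairModel()
    model.train(TRAINING_TEXT)
    return model


if __name__ == "__main__":
    model = build_model()
    # Constructed sample names: two ordinary, two DGA-like
    for name in ["securityonion.net", "monitoring", "xkqzvjwhpd.com", "q7zpxv3kjw.exe"]:
        print(f"{name:20s} score={model.score(name):.3f} random={model.is_random(name)}")
```

Scores depend heavily on corpus size, so the threshold should be tuned on a larger body of text and on the organisation's own known-good hostnames before being used to raise alerts; very short names carry little evidence either way and are better ignored than flagged.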

Changelog v2.3.21

- soup has been refactored. You will need to run it a few times to get all the changes properly. We are working on making this even easier for future releases.
- soup now has awareness of Elastic Features and now downloads the appropriate Docker containers.
- The Sensors interface has been renamed to Grid. This interface now includes all Security Onion nodes.
- Grid interface now includes the status of the node. The status currently shows either Online (blue) or Offline (orange). If a node does not check in on time then it will be marked as Offline.
- Grid interface now includes the IP and Role of each node in the grid.
- Grid interface includes a new Filter search input to filter the visible list of grid nodes to a desired subset. As an example, typing in “sensor” will hide all nodes except those that behave as a sensor.
- The Grid description field can now be customized via the local minion pillar file for each node.
- SOC will now draw attention to an unhealthy situation within the grid or with the connection between the user’s browser and the manager node. For example, when the Grid has at least one Offline node the SOC interface will show an exclamation mark in front of the browser tab’s title and an exclamation mark next to the Grid menu option in SOC. Additionally, the favicon will show an orange marker in the top-right corner (dynamic favicons not supported in Safari). Additionally, if the user’s web browser is unable to communicate with the manager, the unhealthy indicators appear along with a message at the top of SOC that states there is a connection problem.
- Docker has been upgraded to the latest version.
- Docker should be more reliable now as Salt is now managing daemon.json.
- You can now install Elastic in a traditional cluster. When setting up the manager select Advanced and follow the prompts. Replicas are controlled in global.sls.
- You can now use Hot and Warm routing with Elastic in a traditional cluster. You can change the box.type in the minion’s sls file. You will need to create a curator job to re-tag the indexes based on your criteria.
- Telegraf has been updated to version 1.16.3.
- Grafana has been updated to 7.3.4 to resolve some XSS vulnerabilities.
- Grafana graphs have been changed to graphs vs gauges so alerting can be set up.
- Grafana is now completely pillarized, allowing users to customize alerts and making it customizable for email, Slack, etc. See the docs here: https://securityonion.net/docs/grafana
- Yara rules now should properly install on non-airgap installs. Previously, users had to wait for an automated job to place them in the correct location.
- Strelka backend will not stop itself any more. Previously, its behavior was to shut itself down after fifteen minutes and wait for Salt to restart it to look for work before shutting down again.
- Strelka daily rule updates are now logged to /nsm/strelka/log/yara-update.log.
- Several changes to the setup script to improve install reliability.
- Airgap now supports the import node type.
- Custom Zeek file extraction values in the pillar now work properly.
- TheHive has been updated to support Elastic 7.
- Cortex image now includes whois package to correct an issue with the CERTatPassiveDNS analyzer.
- Hunt and Alert quick action menu has been refactored into submenus.
- New clipboard quick actions now allow for copying fields or entire events to the clipboard.
- PCAP Add Job form now retains previous job details for quickly adding additional jobs. A new Clear button now exists at the bottom of this form to clear out these fields and forget the previous job details.
- PCAP Add Job form now allows users to perform arbitrary PCAP lookups of imported PCAP data (data imported via the so-import-pcap script).
- Downloads page now allows direct download of Wazuh agents for Linux, Mac, and Windows from the manager, and shows the version of Wazuh and Elastic installed with Security Onion.
- PCAP job interface now shows additional job filter criteria when expanding the job filter details.
- Upgraded authentication backend to Kratos 0.5.5.
- SOC tables with the “Rows per Page” dropdown no longer show truncated page counts.
- Several Hunt errors are now more descriptive, particularly those around malformed queries.
- SOC Error banner has been improved to avoid showing raw HTML syntax, making connection and server-side errors more readable.
- Hunt and Alerts interfaces will now allow pivoting to PCAP from a group of results if the grouped results contain a network.community_id field.
- New “Correlate” quick action will pivot to a new Hunt search for all events that can be correlated by at least one of various event IDs.
- Fixed bug that caused some Hunt queries to not group correctly without a .keyword suffix. This has been corrected so that the .keyword suffix is no longer necessary on those groupby terms.
- Fixed issue where PCAP interface loses formatting and color coding when opening multiple PCAP tabs.
- Alerts interface now has a Refresh button that allows users to refresh the current alerts view without refreshing the entire SOC application.
- Hunt and Alerts interfaces now have an auto-refresh dropdown that will automatically refresh the current view at the selected frequency.
- The so-elastalert-test script has been refactored to work with Security Onion 2.3.
- The included Logstash image now includes Kafka plugins.
- Wazuh agent registration process has been improved to support slower hardware and networks.
- An Elasticsearch ingest pipeline has been added for suricata.ftp_data.
- Elasticsearch’s indices.query.bool.max_clause_count value has been increased to accommodate a slightly larger number of fields (1024 -> 1500) when querying using a wildcard.
- On nodes being added to an existing grid, setup will compare the version currently being installed to the manager (>=2.3.20), pull the correct Security Onion version from the manager if there is a mismatch, and run that version.
- Setup will gather any errors found during a failed install into /root/errors.log for easy copy/paste and debugging.
- Selecting Suricata as the metadata engine no longer results in the install failing.
- so-rule-update now accepts arguments to idstools. For example, so-rule-update -f will force idstools to pull rules, ignoring the default 15-minute pull limit.
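The changelog notes that Hunt and Alerts can pivot to PCAP from grouped results that carry a network.community_id field, and that a “Correlate” action pulls together events sharing an ID. The reason that works is that Community ID is a direction-independent hash of a flow's 5-tuple, so a Zeek conn record and a Suricata alert for the same connection carry the same value even though they name the endpoints in opposite order. The following added example, written for this page and not code from Security Onion, Zeek or Suricata, implements Community ID v1 for TCP/UDP/SCTP and groups a few constructed Zeek-style and Suricata EVE-style records by it. The sample events, the `kind` and `source` labels, and the restriction to port-carrying protocols are assumptions of the example.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the port-carrying protocols covered here. Assumption:
# ICMP, which Community ID encodes with type/code instead of ports, is out of scope.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Return the Community ID v1 string ("1:" + base64(SHA-1)) for a flow 5-tuple.

    Both directions of a flow hash to the same value because the tuple is put in a
    canonical order first: the numerically smaller address (then the smaller port)
    goes first. Packing follows the published Community ID layout, big-endian:
    seed(2) | saddr | daddr | proto(1) | pad(1) | sport(2) | dport(2).
    """
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    proto_num = PROTOCOL_NUMBERS[proto.lower()]
    if saddr > daddr or (saddr == daddr and src_port > dst_port):
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port
    data = (struct.pack("!H", seed) + saddr + daddr
            + struct.pack("!BBHH", proto_num, 0, src_port, dst_port))
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def five_tuple(event):
    """Normalise a Zeek conn.log-style or Suricata EVE-style record to a 5-tuple."""
    if "id.orig_h" in event:            # Zeek naming: orig = client, resp = server
        return (event["id.orig_h"], event["id.orig_p"],
                event["id.resp_h"], event["id.resp_p"], event["proto"])
    return (event["src_ip"], event["src_port"],     # Suricata EVE naming
            event["dest_ip"], event["dest_port"], event["proto"])


def correlate(events):
    """Group events by network.community_id so one flow's logs from any tool line up.

    Records that already carry network.community_id (as Zeek and Suricata can emit)
    are grouped by it directly; otherwise the ID is computed from the 5-tuple.
    """
    groups = {}
    for event in events:
        cid = event.get("network.community_id") or community_id_v1(*five_tuple(event))
        groups.setdefault(cid, []).append(f"{event['source']}:{event['kind']}")
    return groups


# Constructed sample records: a Zeek connection, the Suricata alert for the same
# connection seen from the server side, and an unrelated Suricata DNS event.
SAMPLE_EVENTS = [
    {"source": "zeek", "kind": "conn", "proto": "tcp",
     "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
     "id.resp_h": "192.0.2.10", "id.resp_p": 443},
    {"source": "suricata", "kind": "alert", "proto": "TCP",
     "src_ip": "192.0.2.10", "src_port": 443,
     "dest_ip": "10.0.0.5", "dest_port": 51234},
    {"source": "suricata", "kind": "dns", "proto": "UDP",
     "src_ip": "10.0.0.5", "src_port": 40001,
     "dest_ip": "10.0.0.53", "dest_port": 53},
]


if __name__ == "__main__":
    for cid, members in correlate(SAMPLE_EVENTS).items():
        print(cid, "->", ", ".join(members))
```

The canonical ordering is the whole point: without it, a hash of the raw tuple would differ between the client-to-server and server-to-client views, and the pivot from an alert to the matching conn record or PCAP would miss. Sensors that emit network.community_id natively must share the same seed (0 by default) for their IDs to match across tools.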
