
Tuesday, June 28, 2022

Suricata: DataSets for IOCs

After reviewing MalTrail, I wanted to see if there were other ways to provide the same (or close to the same) type of information with software I was already using. This led me to Suricata's IPREP and DATASETS features.

While reading up, I found an article over at IDSTower about Datasets, and figured this would be a good starting point for comparing the two applications.   

The article was setting up Datasets for bad domains, and based on the instructions it would be an easy add to Security Onion without having to really mess with any of the Salt files (for IPREP I believe I will have to make some changes to the Salt files, but that will be another article).

Overall the process was pretty simple. I did change one thing: instead of adding iocs.rules, I added my rule to local.rules and ran so-rule-update. I believe that to add iocs.rules as a separate source I will have to edit the Salt file for the IDSTools Docker container.

After I had set up the new rule, I did an nslookup to a bad site (from the Alerts pane):


I think I will have to make a custom alert to see more information on these, or maybe a dashboard might work.  

I would like to see the name of the bad IP/DNS entry, and possibly the country/region for the IP/DNS for a quick alert view pane.  

For comparison, this is what MalTrail looks like (screen capture taken from their demo):


I think that to get the "info" section I would need to break out the datasets per type of IOC and use that as the alert description; the other columns are pretty standard fields I could pull.

Next, I think I will try to pull the MalTrail data into Logstash in SecurityOnion. I think I read somewhere that there is a Logstash setting in MalTrail, or it should be pretty easy to ingest the data file MalTrail creates into Logstash.
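As an added example (not code from the post, the IDSTower article, or Security Onion itself), here is the shape of the dataset approach described above: a plain list of bad domains is turned into a Suricata string dataset, whose entries must be base64-encoded one per line, and a matching rule is generated for local.rules. The dataset name "bad-domains", the file path under /opt/so/conf/suricata/rules, and the sid 1000001 are my own choices, not values from the page.

```shell
#!/usr/bin/env bash
# Added example: build a Suricata string dataset from a domain list and emit
# the rule that checks DNS queries against it. Not the author's or project's code.
# Assumed names: dataset "bad-domains", file /opt/so/conf/suricata/rules/bad-domains.lst,
# sid 1000001 (local rule range). None of these come from the page.

# Constructed sample IOC list (not real indicators); comments and blank lines allowed.
SAMPLE_DOMAINS='bad.example
evil.test
# a comment line

malware.invalid'

# stdin: one domain per line; stdout: base64 of each non-empty, non-comment line.
# Suricata "type string" datasets expect exactly this encoding.
encode_dataset() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # strip trailing comments
    line=$(printf '%s' "$line" | tr -d '[:space:]')    # strip whitespace
    [ -n "$line" ] || continue
    printf '%s' "$line" | base64 | tr -d '\n'          # avoid base64 line wrapping
    printf '\n'
  done
}

# Emit the rule: alert when a DNS query name is present in the dataset.
# $1 = dataset name, $2 = dataset file path, $3 = sid
dataset_rule() {
  printf 'alert dns any any -> any any (msg:"Custom IOC domain queried (%s)"; dns.query; dataset:isset,%s,type string,load %s; classtype:bad-unknown; sid:%s; rev:1;)\n' \
    "$1" "$1" "$2" "$3"
}

# Write both artifacts into a temp dir so this is safe to run anywhere; on a
# sensor you would copy the .lst into the rules dir and the rule into local.rules.
build() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_DOMAINS" | encode_dataset > "$dir/bad-domains.lst"
  dataset_rule bad-domains /opt/so/conf/suricata/rules/bad-domains.lst 1000001 > "$dir/ioc.rules"
  printf '%s entries written to %s\n' "$(wc -l < "$dir/bad-domains.lst" | tr -d ' ')" "$dir/bad-domains.lst"
}
build
```

After copying the .lst into the rules directory and the rule into local.rules, so-rule-update reloads Suricata; a `dataset:isset` miss costs nothing, so a large list is cheap at runtime, and refreshing the IOCs is just regenerating the .lst file.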



Wednesday, June 22, 2022

MalTrail - Day 2

So, back to working on MalTrail for the second day. I am able to access the web front end, but still no data is coming through.

The first thing I tried was to edit the interfaces setting in maltrail.conf from any to ens34 (the current sniffing interface on Security Onion). It might be better to use bond0, as 2.3 uses a bonded interface.

Restarting the container (docker restart maltrail): no new errors in /var/log/maltrail/error.log, but also no traffic showing in the application.

Next step: docker exec -it maltrail bash to get into the Docker container. I am going to kill both Python programs and try to restart them.

  • pkill server.py
  • pkill sensor.py
  • python server.py
Well, starting server.py crashes the Python program as it cannot find ens34. So now to the next question: how do I bind a passive interface to a Docker container?

I decided to look at how the Suricata Docker container is being used.  

docker inspect so-suricata

Looks like it's an environment variable setting it to bond0.

Reading up on setting up a Docker container per interface, it looks like you have to have an IP address associated with the interface (I could be wrong).

Next, I read up on --net=host, but that might also cause other issues, as the port isolation between the Docker container and the host is possibly dropped (that's how I read it).

I do know that Security Onion uses a Docker network, but as before I am trying to keep things on the same server but separate.



Tuesday, June 21, 2022

MalTrail - SecurityOnion@Home (Try)

I was reading up on MalTrail and wanted to get it up and operational on my SecurityOnion VM (I know it probably can't handle it, but there is no fun in that). At the moment I am not sure how CPU/RAM intensive MalTrail is, but I did see that it has been dockerized.

One thing of note: I am going into this knowing that it will be unsupported by the SecurityOnion team, which is understandable.

So with that, I am playing on my home setup of SecurityOnion, which I often test things with.  

Below is a screenshot of the Docker instructions.  


Seems easy enough. I made a slight change to the export location and skipped the apt parts :), since I am using CentOS and would like to limit the applications installed.

I also skipped the for loop, as the sniffing port is already set to promiscuous mode.

I could have added the Docker container into SecurityOnion elastic-net, but that could cause other issues down the road.  

The install went pretty easily, with no errors that I could see, but I could not access the site:

http://localhost:8338  

My thought was that I needed to open the firewall for this. Reading up on SecurityOnion, it looks like I needed to create a port group and then add it to the INPUT chain for the standalone role?

*This is a standalone install of SecurityOnion

  • so-firewall addportgroup maltrail
  • so-firewall addport 8338
  • salt system_standalone state.apply firewall

Tried again to access http://localhost:8338 (no success).

Next I tried  netstat -tulnp | grep LISTEN

Which looks like this:


This is the file I edited: /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml.





Reading more into this, I think I needed to add the ports to the Analyst role, but I could be getting confused, because I also see that it's referencing the file /opt/so/saltstack/local/pillar/minions/<HOSTNAME>_<ROLE>.sls

------------------

After this whole write-up, I figured it out. I used the SecurityOnion documentation and this section.

Basically, I added the maltrail port group to the Analyst role for the standalone machine through the standalone.sls file.

---Now to figure out why it's not actually reporting anything.

Monday, June 20, 2022

SecurityOnion@Home - Alerts

It's been a bit of time with my SecurityOnion server monitoring my network (out-of-band), and I wanted to do an update on the types of alerts I am seeing and at least try to identify what some of them might be.

Below is a screenshot of some of the alerts. I also noticed that I am having issues pivoting to PCAP inside SecurityOnion right now; not sure if it is something I did or just something with the .130 update (I have not pulled PCAP since the upgrade).


1.  GPL WEB_SERVER: This looks like my Lenovo Smart Hub is trying to talk to something else on my network (which is currently not on, since I use DHCP; I might switch them all to static for better tracking). It looks like it is trying to talk to these other devices about YouTube.

2.  I pay for Spotify for the family, so not really going to delve too deep on this one.

3.  The next two are Discord, which I know is in use also.

4.  .cloud - The family is mostly Apple, and a quick look shows they are all the Apple devices.

5.  Microsoft Update - Validated.

6.  ET-DNS Non-Compliant DNS traffic - Well, this is my new cell phone; unsure what it is doing.

7.  DNS Query TOR Hidden (.onion) - Also my cell phone.

***Cell phone is a Samsung 22 Ultra (unlocked) on T-Mobile. I will have to do some more research on these two to see what the phone is doing.




Thursday, June 9, 2022

SecurityOnion@Home - Custom Alert Queries

After the update to 2.3.130, I saw a discussion post about sorting not staying on Alerts, which led me down a rabbit hole about alerts. I noticed that there were a few prebuilt alert queries, but how do I add new ones?

After a few minutes, I found a discussion post that referenced the alerts.queries.json file. Did some searching, and like all the other customizable files for the SOC, they are under:

/opt/so/saltstack/default/salt/soc/files/soc/

The three files currently are: alerts.queries.json, dashboard.queries.json, and hunt.queries.json.

As an example, I added geodata to alerts.queries.json:

{ "name": "Group By Source IP/Port/Geo, Destination IP/Port/Geo, Name", "query": "* | groupby source.ip source.port source.geo.region_iso_code destination.ip destination.port destination.geo.region_iso_code rule.name" },

So I now have a new alert query I can run checks with (this was just proof that it was available, because at the time there was no reference in the documentation).

I took the next step and forked the SecurityOnion docs and made a change to add the Custom Queries, which the SecurityOnion team merged into the official 2.3 documentation. After reviewing the update, I saw that they also added the dashboard/hunt queries reference (at the time I did not know those were also available).

Wednesday, June 1, 2022

SecurityOnion@Home - Mass Export PCAP?

Another day, another task to try. I have a requirement to store PCAP offline, and in 16.04 there were folders for PCAP under /nsm/*/dailylogs which I could rsync over to another storage device. In 2.3 there is a folder path for PCAP, /NSM/PCAP, but the files are not true PCAP data files.

The files are created by Stenographer and can be converted back to PCAP (that's my understanding at least). That's how the SOC interface pulls PCAP based off alerts. But what if you wanted to copy all PCAP data?

Going through the SecurityOnion documentation and the discussion forums, I found mention of a script created by the SecurityOnion team called so-pcap-export. From the documentation:

I tested it with sudo so-pcap-export 'after 30m ago' output (leave off the .pcap, as it is added in the script).

This created the file inside the /nsm/pcapout folder. So this works for exporting, but it looks to only create one file at a time. It would be nice to have the ability to create PCAP on set intervals from the files created by Stenographer.

More searching led me to this script on the discussion forums for SecurityOnion.  

https://github.com/Security-Onion-Solutions/securityonion/discussions/4038

It's a Python script created by Rob Hackworth that I am still trying to get to work at the moment, but it looks like it uses the same stenoquery, just adding the ability to break up the PCAP by intervals. So far when I have tried it, it does create multiple PCAPs based off intervals. The only issue is that this version looks to only work by dates and does not accept something like 24h, so I could copy days' worth of PCAP.

One item of note from the script: 

The time interval is critical as Steno will only let you export ~76G before it fails

Now I am not sure where that information comes from, maybe the user's testing. The next set of testing would be to see how CPU intensive converting the files to PCAP is on the system, and then the addition of a possible rsync to this.

Currently trying to think of better or different ways to accomplish the task. I was thinking maybe of using an NFS share and having the script copy the files directly to the shared folder (this might be quite intensive, especially in the current build-out of our SecurityOnion).

I also wonder if it's possible to set a marker on the last set of Stenographer files that you converted back to PCAP, so you are not recreating the same PCAP files.
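The interval export and the "marker" idea above can be combined in a small wrapper. The following is an added example and is neither so-pcap-export itself nor Rob Hackworth's script; it assumes so-pcap-export takes a Stenographer query and an output name without .pcap (as shown on the page), that it writes into /nsm/pcapout, and that GNU date is available (true on CentOS). The marker file path and the one-hour window are my choices.

```shell
#!/usr/bin/env bash
# Added example: export Stenographer data in fixed windows and remember where
# the last run stopped. Not the so-pcap-export script and not the forum script.
# Assumed: so-pcap-export <stenographer query> <name-without-.pcap> (from the page),
# GNU date, and a hypothetical marker file under /nsm/pcapout.

WINDOW_SECS="${WINDOW_SECS:-3600}"                  # one export per hour
MARKER="${MARKER:-/nsm/pcapout/.last_export_end}"   # hypothetical marker file
EXPORTER="${EXPORTER:-sudo so-pcap-export}"         # set EXPORTER=echo for a dry run

# Epoch seconds -> UTC timestamp in the form Stenographer queries accept.
iso_utc() { date -u -d "@$1" '+%Y-%m-%dT%H:%M:%SZ'; }

# Print "start end" epoch pairs covering [start, end) in WINDOW_SECS steps.
# The last pair is clipped to end, so a partial window is never overshot.
plan_windows() {
  s=$1
  while [ "$s" -lt "$2" ]; do
    e=$((s + WINDOW_SECS))
    [ "$e" -gt "$2" ] && e=$2
    printf '%s %s\n' "$s" "$e"
    s=$e
  done
}

# Stenographer query for one window (both bounds, so each file is disjoint).
window_query() { printf 'after %s and before %s' "$(iso_utc "$1")" "$(iso_utc "$2")"; }

# Resume point: explicit argument, else the marker, else one day ago.
resume_from() {
  if [ -n "$1" ]; then printf '%s\n' "$1"
  elif [ -r "$MARKER" ]; then cat "$MARKER"
  else printf '%s\n' "$(( $(date +%s) - 86400 ))"
  fi
}

# Export every window between the resume point and the last completed window
# boundary, advancing the marker only after each export succeeds. A small window
# also keeps each export well under the ~76G limit the forum script warns about.
export_windows() {
  start=$(resume_from "$1")
  now=$(date +%s)
  end=$(( now - now % WINDOW_SECS ))
  plan_windows "$start" "$end" | while read -r s e; do
    $EXPORTER "$(window_query "$s" "$e")" "pcap_$(date -u -d "@$s" +%Y%m%d_%H%M)" || exit 1
    printf '%s\n' "$e" > "$MARKER"
  done
}

# Usage:  export_windows              # resume from the marker
#         export_windows 1654041600   # or start from an explicit epoch
```

Because the marker only moves after a successful export, a failed run (Stenographer timing out, disk full) simply repeats that window next time instead of skipping it; an rsync of /nsm/pcapout can then run as a separate cron job.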



Monday, May 30, 2022

SecurityOnion@Home - Adding Warning Banner

I did a little digging on the SecurityOnion discussion forums and found out they have added a way to include a warning banner on the login page of Security Onion 2.3. It looks like it was an undocumented addition in 2.3.30 (but it was not stable, as the unique path would get overwritten on updates).

In 2.3.50 they have added banner.md, and it can be updated the same way as motd.md (part of the SOC Customization). The file itself is a Markdown file, and here is the Markdown Guide.

   

To customize the Login Banner content, copy banner.md as follows and then edit /opt/so/saltstack/local/salt/soc/files/soc/banner.md 

sudo cp /opt/so/saltstack/default/salt/soc/files/soc/banner.md /opt/so/saltstack/local/salt/soc/files/soc/





Tuesday, May 24, 2022

SecurityOnion@Home - Suricata Include

At work we started to use the include statement in our suricata.yaml file while we were on SecurityOnion 16.04, and with the switch to SecurityOnion 2.3 I wanted to see how easy this would be to implement.

First things first: we go from having a suricata.yaml for each interface to having one bonded interface, which makes updating simple. With the bonded interface there is no more /etc/nsm/interface/suricata.yaml. I did find a suricata.yaml file under /opt/so/conf/suricata/, but it's created and managed by Salt, which means I probably cannot/should not edit that file directly.

I am running a standalone version of SecurityOnion at my house, so the steps might be a little different in a distributed environment.

In the Salt configuration, the first place I found a reference to the Suricata YAML file was at:

/opt/so/saltstack/default/salt/suricata/default.yaml, which builds out the suricata.yaml in /opt/so/conf/suricata.

I decided to put test_var.yaml at /opt/so/conf/suricata/.

Let's see what happens when I add the include file directly to the default.yaml file.

  1. After the update, run: salt minionname_standalone state.highstate
  2. Run: so-status
  3. Run: so-suricata-start
  4. Run: docker logs so-suricata


It's looking for the file in the /etc/suricata/ folder (which does not exist on the base OS, but it does exist inside the Suricata Docker container).

We can validate this with docker inspect so-suricata (looking for Binds):


As you can see, there is a /etc/suricata (the right side of the bind, which is the Docker container). For the most part there are files bound between the Docker image and the core OS of SecurityOnion.

I thought about putting the include file in the container at /etc/suricata, but this does not sound like a good option for two reasons:

  1. Upgrades would erase this
  2. Probably more important, I am unsure if an include file that only exists inside the container would work, given how it is connected to the core OS.

From the last image it looks like I could potentially put the file in two directory locations:

  1. /nsm/suricata ---> This is where the eve.json files are, so probably not the best location
  2. /opt/so/conf/suricata/rules --> which maps to /etc/suricata/rules in the Docker container

Back to Salt to make some updates to the sls files. I am editing /opt/so/saltstack/local/pillar/minions/name_standalone.sls
Note: Remember spacing (2) in YAML files
  1. Edit the sls at the end (note the space after the colon, which YAML requires):
            suricata:
              config:
                include: /etc/suricata/rules/test_var.yaml
  2. Next I copy test_var.yaml -> /opt/so/conf/suricata/rules
  3. Then I run: salt minionname_standalone state.highstate
  4. Check the Docker containers with so-status (all good)
  5. And validate with docker logs so-suricata

Now I have an include file as part of SecurityOnion, and my local teams can update that file. A bad edit could cause Suricata to fail, but in my opinion that is better than them trying to update the sls files under minions to add/remove variables (which could break more functionality besides Suricata).



Tuesday, May 17, 2022

SecurityOnion@Home: Sostat

If you haven't noticed, my attention span jumps around a bit. It's currently focused on SecurityOnion 2.3, but I fall down a lot of rabbit holes, and today it looks like sostat is what I was curious about. sostat is one of the scripts that I miss since moving from 16.04. It was widely used by the remote teams for troubleshooting: with a copy of sostat and maybe a few other choice logs it was easy to diagnose what was wrong with a remote system.

I know that there is a task in the backlog to re-add sostat, which would be great. Until then I had some time and started to try and re-create the magic. (It's not very good), but it gets the job done. Still struggling with trying to get Stenographer stats from the log file (need some learning on cat/awk).

Most of it was just taking the 16.04 sostat and replaying it on my 2.3, locating file locations and changing a few things.

A few things I noticed so far based on the 16.04 sostat (most of these I asked about on the GitHub Discussions to validate in the last day or so):

  1. No sensortab file
  2. No securityonion.conf
  3. No interfaces folder breakouts (per PCAP/Suricata)
  4. I see MySQL, but there is no mysql command (do uncategorized events exist?)

Easy ones to move over were (may not be 100% the same, or correct):

  • so-status 
  • Link Statistics
  • Disk Space
  • CPU Usage
  • Version Info - Changed to:  cat /etc/soversion
  • Zeek Packet - Changed to so-zeek-status (Might not be 100% the same)
  • Suricata Packet Drops - Changed LATEST_STATS to grep /opt/so/log/suricata.stats.log (Seems to work)

Ones that I could not figure out:

  • Stenographer - Tried to compare to the Netsniff section (need to remind myself about sed/awk I think)
  • Network Sockets - No lsof on SecurityOnion 2.3
  • Top 20 Alerts/Uncategorized
  • Log Archive - Doesn't look like it breaks out daily logs

A preview of the tail end of it for now:
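The Suricata packet-drop section is the one the grep-based replacement above approximates. As an added example (my code, not the 16.04 sostat and not the author's rewrite), here is an awk version that reads Suricata's stats.log, takes the last dump in the file (the log is append-only, so later dumps overwrite earlier values), and reports the kernel drop rate. The stats.log layout below is Suricata's default "Counter | TM Name | Value" table; the path /opt/so/log/suricata/stats.log in the usage comment is my assumption for 2.3, and the sample values are constructed.

```shell
#!/usr/bin/env bash
# Added example: Suricata capture drop rate from stats.log, in the spirit of the
# "Suricata Packet Drops" section of the old sostat. Not the author's or project's code.
# Assumed: default stats.log table layout; path /opt/so/log/suricata/stats.log.

# Constructed sample of two consecutive stats.log dumps (not real sensor output).
SAMPLE_STATS='------------------------------------------------------------------------------------
Date: 5/17/2022 -- 12:00:00 (uptime: 0d, 01h 00m 00s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 100000
capture.kernel_drops                          | Total                     | 100
------------------------------------------------------------------------------------
Date: 5/17/2022 -- 12:00:08 (uptime: 0d, 01h 00m 08s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 200000
capture.kernel_drops                          | Total                     | 1000
decoder.pkts                                  | Total                     | 199000'

# stdin: stats.log text; stdout: "<packets> <drops> <drop percent>" for the
# most recent dump. Each matching line overwrites the previous value, so the
# END block sees the last dump in the file.
suricata_drop_stats() {
  awk -F'|' '
    $1 ~ /^capture\.kernel_packets/ { gsub(/[[:space:]]/, "", $3); p = $3 }
    $1 ~ /^capture\.kernel_drops/   { gsub(/[[:space:]]/, "", $3); d = $3 }
    END {
      if (p + 0 == 0) { print "0 0 0.00"; exit }      # no capture counters yet
      printf "%d %d %.2f\n", p, d, (d / p) * 100
    }'
}

# Prints OK or WARN depending on whether the drop percentage exceeds the
# threshold in $1 (default 1%); returns 1 on WARN so it can gate a cron job.
drop_check() {
  stats=$(suricata_drop_stats)
  pct=${stats##* }
  if awk -v v="$pct" -v t="${1:-1}" 'BEGIN { exit !(v > t) }'; then
    echo "WARN drops ${pct}% (packets drops pct: $stats)"
    return 1
  fi
  echo "OK drops ${pct}%"
}

# On a sensor:  suricata_drop_stats < /opt/so/log/suricata/stats.log
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_STATS" | suricata_drop_stats   # 200000 1000 0.50
```

Because the counters are cumulative since Suricata started, the percentage is a lifetime average; to spot a recent spike you would diff two successive dumps instead, but the lifetime number is what sostat reported and is usually enough to tell a starved sensor from a healthy one.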





SecurityOnion@Home: Splunk Forwarder

So SecurityOnion 2.3 does come with Kibana, but I also like Splunk and want to get more experience with it. My plan is to add a Splunk Forwarder to SecurityOnion. I have two paths I can take to accomplish this:

1.  Install it on the machine as a normal application

2.  Install a Docker container of the Splunk Forwarder

I have chosen two, because one is too easy. Plus this could give me more experience with Docker.

Step 1:  docker pull splunk/universalforwarder:latest

Step 2:  docker run --name uf --hostname uf -p 9997:9997 -e "SPLUNK_PASSWORD=<PASSWORD>" -e "SPLUNK_START_ARGS=--accept license" -e "SPLUNK_FORWARD_SERVER=XX.XX.XX.XX:9997" -d splunk/universalforwarder:latest

The Docker container started and is still operational, but I don't see anything on my main Splunk server. Also, since I have the free version of Splunk, I do not have forwarder management, so I can't see in Splunk whether the two are talking to each other.

I did try docker logs uf, which looks like a bunch of Ansible output, not the splunkd.log I was looking for.

Next, I typed docker exec -it -u splunk uf /bin/bash to access the container. I viewed splunkd.log there but did not find anything of use just yet.

I need to figure out how to add a folder for the container to watch (Zeek/Suricata) for now. Might try to add the container to the SecurityOnion group of containers (if it benefits anything, that is).


Monday, May 9, 2022

SecurityOnion@Home: Alerts Day 1

After a few reloads I have SecurityOnion 2.3 on my home network. I have set up a TAP between my Netgear Mesh MR60 and the TP-Link SG108 switch. 90% of my traffic is WiFi, with only a few dedicated hard-wired machines.

Hardwired machines: my desktop, my work computer, Philips Hue, and the backhaul for one of the MS60 (Netgear Mesh).

Wifi: Everything else (TVs, Garage Door, Roku's, Apple TV, Phones (a lot), Tablets, 4x Laptops)

Currently, I am wondering if I should move the TAP from between the LAN/switch to the WAN/modem side. From there I could possibly create a SPAN port on the switch (which is getting replaced soon with a Zyxel GS1100 16) for the rest of the traffic.

Below are my current alerts (I cut off the IPs).

The first alert I noticed (not in the image) was:

ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted (IP was my router).

            * This was because my web access to the router was set to HTTP only, not HTTPS.

The next batch of alerts are below: 

1.  ET POLICY External Lookup Domain (myip.opendns) - I use OpenDNS for my kids' laptops for some blocking.

2.  ET POLICY HTTP Traffic on port 443 (this looks like it is going to Amazon) - Identified.

3.  ET TOR Know TOR relay/Router (Not Exit)/Exit Node Group 98 - Plex Server using the Remote Access port identified in Settings
        * Read that this could be NTP related; need to identify what it does

4.  ET SCAN MS Terminal Server Traffic on Non-Standard Port - Plex Server using the Remote Access port identified in Settings

5.  ET TOR Known TOR exit Node Traffic group 76 - Plex Server using the Remote Access port identified in Settings


I think I was expecting more alerts on my network, but it could just be the TAP placement.



Sunday, May 8, 2022

Home Setup - Initial

I have been using all these sites (TryHackMe, BlueLabsOnline, HackTheBox) to try and learn, but I think the best way to get some knowledge is to monitor my own internet traffic, see what kind of alerts I am getting, and research them. The other day I purchased a new switch (16 ports), up from the 8-port switch I currently use. Really I only needed about 10 ports, but it was hard to find a 10- or 12-port switch. The Zyxel GS-1100 16 switch I purchased was used ($40 vice an MSRP of about $100).

I figured I could use it to create a SPAN port for now, or try to acquire a cheap TAP (in which case I would not need the extra ports). In the TAP scenario, I figure the best place to TAP would be between the router and the modem. For SPAN, I would span port 1 (the one coming from the router).

I already have an extra NIC in my main computer, and I am planning on building a new SecurityOnion 2.3 VM to start with. I thought of SecurityOnion 16.04, but believe it's better to go newer. I might also build a few other VMs. Currently thinking of building a Splunk VM as well, but curious what other VMs for monitoring traffic might be best.

I have seen other systems like OpenNSM and DynamiteNSM, or I could try to roll something myself. That could be interesting, though I am not sure I know what I would be doing or what I would want in the system.


Wednesday, April 27, 2022

SecurityOnion 16.04 - Squild

An interesting issue arose today while trying to validate an installation of SecurityOnion 16.04. I was not seeing any alerts except SURICATA rules (even though ET PRO is installed). I decided to make my own rule in local.rules.

Get ready for some fun here, because with about 6 GB of ingest I decided to write this without thinking:

alert ip any any -> any any (msg:"TEST TEST"; flow:established; classtype:misc-attack; sid:999999; rev:1;)

Then I ran sudo rule-update

Needless to say, an any any rule will just about kill the system as it alerts on everything, but I also think the SID number was too low to use, which might have caused other issues.

Five minutes into it I am seeing 1K alerts in Squert; at 10 minutes I am at 40K alerts, but interestingly enough some ET PRO rules are now firing as well. I removed the local.rules alert and reran sudo rule-update (no more TEST rules).

The TEST alert is now showing 150K in Squert.

Here are the commands I typed (from Suricata gone wild):

  1. sudo so-sguild-stop
  2. sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
  3. SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status=0 GROUP BY signature ORDER BY cnt DESC LIMIT 20;   (Top 20)

Interesting find here now under uncategorized events:

TEST Rule 150K    999999

Snort Alert [1:999999:1]  999999

So I have two alerts now for the same issue (this is because mid-stream I removed the TEST rule from my local.rules, which deleted it out of my downloaded.rules).

  1. UPDATE event SET status=1 WHERE event.status=0 AND event.signature LIKE 'TEST%';
  2. exit
  3. sudo so-sguild-start

This cleaned up the TEST alert, but I still had the Snort Alert. I wanted to wait for full processing and then delete the Snort Alert to see if it came back.

About an hour later I validated that traffic was done processing and that Snort Alert was still there.

  1. sudo so-sguild-stop
  2. sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
  3. UPDATE event SET status=1 WHERE event.status=0 AND event.signature_id='999999';
  4. exit
  5. sudo so-sguild-start

My system was now clean of the ghost SID.

Tuesday, April 26, 2022

SecurityOnion 16.04 -- Strelka Install

First and foremost, I know SecurityOnion 16.04 is EOL/EOS. We are trying to move away from it; it takes time. So I am trying to add new capabilities to the system. One is Strelka, for which I did find a GitHub repo from Wes (SecurityOnion). Figured this would be an almost straightforward install (it never is).

Link to Github

Also found the old 16.04 documentation. Strelka was not a supported add-on to SecurityOnion (no support); doesn't matter, as stated earlier SecurityOnion 16.04 went EOL/EOS over a year ago now.

Next, I found an old ISO of Security Onion 16.04.6.2 (a few numbers off from the last official version). I am going to run setup for Stand-Alone (basic setup: Zeek/Suricata/Elastic), and then run sudo soup before I start to make any changes to the system.

The previous VM on which I tried to run the Strelka install failed with Kibana issues and then Docker issues, so I was unsure how this was going to go. Granted, that was 16.04.2.

I ran the following from the terminal

  • wget https://raw.githubusercontent.com/weslambert/securityonion-strelka/master/install_strelka && sudo chmod +x install_strelka && sudo ./install_strelka

20 minutes later, with a lot of RED, the install completed successfully per the output on the screen. The next step was to pump some data through it. With it being a new VM I didn't have it set up for traffic, so I decided to just use sudo so-replay, which pumped a lot of sample PCAP through the system.

Now the moment of truth: I opened up Kibana and looked for Strelka data (there is now a link in the left-hand navigation window).

Clicking the link showed the next two images.



So it seems to be sort of working; none of the other fields really filled in on this dashboard (could be the PCAP data was not good, or the install was not 100% complete). I guess I will have to go through the error logs and see if there is anything that makes sense.



Monday, April 11, 2022

Udemy: Snort Intrusion Detection

The other day I started a Udemy course: Snort Intrusion Detection, Rule Writing, and PCAP Analysis. In the lessons they use VirtualBox; I chose to use VMware, as that is what I currently have installed on my machine. Second, a few of the sections were about setting up SecurityOnion and Kali (both of which I already have active VMs for). That enabled me to shave off some of the time running through the training, as they were set up as vanilla loads; the only exception is that I have been using Suricata vice Snort, but for the most part I did not have an issue.

One of the first rules was about SPAM: we created a basic rule and then added offset and depth, which he was able to explain. Suricata did not like the depth talked about in the video, stating it was shorter than the content; adding 1 to that number seemed to work with no ill effect. I need to read up more about offset/depth with regard to Suricata, and see if it was just something I was doing wrong or if there is a true difference between Snort and Suricata.

Following that we did some other rules, and validated rules against VMs with known vulnerabilities. I think this course helped a bit in understanding how the rulesets work, and it will help with my current job.

Friday, January 29, 2021

Zeek CommunityID - SecurityOnion 16.04

Having recently found out about the Zeek Community ID, I have been trying to get it implemented in SecurityOnion 16.04. Before anyone even says anything: yes, I know that SecurityOnion 2.3 already has the Zeek Community ID enabled. Let's just say I am currently stuck using 16.04. I can do minor updates/adds to the system. So I am currently on SecurityOnion 16.04.7 and figured it would be easy to implement; boy, have I been wrong.

First things first, SO does not have the Zeek Package Manager installed by default, which means I need to try and get the plugin installed without the package manager (plugins are minor, applications are more of a hassle). I found a site which walks through the steps of installing the plugin: https://dactiv.llc/blog/enable-zeek-community-id/ Of course, this assumes a normal install of Zeek. Tried to go through the steps, and got stuck on ./configure && make && make install. The system failed with the error Either 'zeek-config' must be in PATH or '--zeek-dist=' used.

So I went to the Zeek community and the SecurityOnion community and asked for some help; their first response was to upgrade SO. Can't, so back to square one. The SecurityOnion folks mentioned putting it in /policy, but that did not seem to work. So, talking with Corelight, I have been attempting to get this operational. Still trying; if anyone has suggestions please let me know. I understand it's a restricted playground to get it operational in.

Friday, August 28, 2020

Apt-Cacher-NG SecurityOnion

I built out a SecurityOnion Master server on 16.04.2 (I wanted an older copy), and wanted to use a Master Server since this is what I work on mostly. I am pretty sure they renamed it from Master server, but off the top of my head I cannot remember the new term. From there I ran the full setup and made sure that SecurityOnion was able to process data; next I installed Apt-Cacher-NG on this machine. The setup was pretty straightforward:

  • sudo apt-get install apt-cacher-ng
  • edit the acng.conf file
  • sudo ufw allow 3142 (the port for other machines to talk to the caching server)

Next I ran sudo soup and watched the updates come in. Verified it was updated to SecurityOnion 16.04.7. After this I built a second machine running SecurityOnion 16.04.2 and edited the sources.list, adding the IP address of the primary client to the front of each of the repo locations. From there I ran sudo soup and watched it connect to the primary SecurityOnion server and process all the updates. After reboot I verified that this was brought up to SecurityOnion 16.04.7 also.

One issue/question that I have right now is that I believe Docker is not part of the repo checking, and that it looks somewhere else to do those updates. I will need to figure out how to do the Docker updates on the "repo" so that I can do Docker as an offline update. I think next I am going to download a vanilla version of Ubuntu and verify that I can pull updates from the SecurityOnion "repo" server to update it to the newest version of Ubuntu (16.04). I know that I am running older versions of software, but I am locked into a certain version, so I have to work with what I am allowed.

Monday, August 24, 2020

SecurityOnion/Ubuntu Repo for Offline Updates?

I am back at it, working on a solution for updating multiple instances of SecurityOnion that are disconnected from the internet. In previous tries I was using Apt-Cacher-NG, and from the looks of it SecurityOnion 2.0 uses Apt-Cacher-NG for its offline updates, but I need to see how this would work for multiple single instances of SecurityOnion.

Aside from that, I think I would need a second machine as the actual machine that touches the internet. This machine would be the "update" machine where all the patches are downloaded, and then burned to the primary SecurityOnion repo, maybe?

I would need some way to hash the updates that are transferred over from the internet machine to the "primary". Is there a way to send patches over a one-way tap and receive them at the other end? Guess it's time to do some more research.

Tuesday, February 18, 2020

Security Onion 16.04.6

Finally doing some upgrades to my SO VM at the house, not going 100% to the newest (though I do have a copy of Hybrid Hunter that I spin up just to check it out). I like to have a few different versions of SecurityOnion running in VMs so I can see what has changed/improved over time.

Working with SecurityOnion almost daily, I like to also have a copy of what I work with so I can test new things or try pulling in different types of data.

I went with a pretty standard install, switched from Snort to Suricata, but I left out Salt (need to do some more research on that part and see if it's needed in a single master install, considering sosetup pretty much builds the system for you).

I have also updated my Splunk install (7.3.1); I used a recent version I had, and didn't realize they were already up to 8.0. Added the Splunk forwarder on the SO server. Things look good in both Kibana and Splunk now.

It's nice to have the ability to look at the traffic through my house in both Kibana and Splunk, but to be fair I need to learn how to do searches better in Kibana than in Splunk. Not saying I am great at Splunk, but I do find it easier for creating lookup tables and general search strings.

Now to figure out the most common issues that go along with Security Onion 16 that are different from what was common in 14.

Sunday, November 10, 2019

Offline SecurityOnion

I have a VM built with SecurityOnion 14 running Apt-Cacher-NG, which was able to download all the updates for this version and cache them for other boxes.

I will be running a bunch of offline SecurityOnion instances (currently using an older version, 14) which I would like to try and keep updated (at the 14 level) as much as possible, but I cannot use sudo soup to download any updates from the internet.

I have done this before, but I didn't take any notes on how it was done (except the first part, which was to use apt-cacher-ng). Now I am on step two and not sure what to do.

I was hoping there was an easy way to burn the cached files to a DVD and then load them on the stand-alone, but I cannot find any information that would help (it doesn't help that I am not an expert on things; I usually only look up stuff when I am trying to solve an issue, but I get by mostly). My friend Google is pretty helpful; guess I am not searching for the right words on this one.

I can't use apt-cacher-ng as a proxy server either. This will be just one machine that gets updated; no other machines will be touching that one.

If anyone has any ideas, let me know. Like I said, I am currently at the stage of using apt-cacher-ng. Now trying to figure out how to export the information to use on another machine.