Release Notes
2.3.290 [20240229] Changes
2.3.280 [20231128] Changes
FEATURE: Add 2.3 EOL reminder icon to SOC UI
FEATURE: Add note to soup about 2.3 EOL and 2.4 migration
FIX: 2.3 Field Mapping for CodeIntegrity windows event logs #11807
FIX: Update SSL cert to avoid Google Chrome error (2.3) #11825
UPGRADE: 2.3 Grafana to Latest
UPGRADE: 2.3 Strelka backend to 0.23.09.12
UPGRADE: 2.3 Suricata to 6.0.15
UPGRADE: 2.3 Update Zeek to 6.0
UPGRADE: 2.3 Upgrade Elastic to 8.10.4
UPGRADE: SOC dependency Axios to 1.6.1 #11764
2.3.270 [20231006] Changes
2.3.260 [20230620] Changes
2.3.250 [20230519] Changes
FIX: Bump SOCtopus Flask Version to 2.3.2 #10272
FIX: Improve soup’s local file modification logic #8972
FIX: Kibana: Ensure _id fields beginning with a hyphen work properly when pivoting to SOC from Kibana #10305
FIX: Simplify cloud detection #10261
FIX: Strelka YARA Compilation #10271
UPGRADE: Elastic 8.7.1 #10269
UPGRADE: FleetDM 4.31.1 #10379
UPGRADE: Grafana 9.2.17 #10262
UPGRADE: Kratos to 0.13.0 #10309
UPGRADE: SOC external dependencies #10268
UPGRADE: Suricata 6.0.12 #10311
UPGRADE: Zeek 5.0.9 #10374
2.3.240 [20230426] Changes
2.3.230 [20230417] Changes
2.3.220 Hotfix [20230301] Changes
FIX: Curator configuration to align with requirements for Curator 8.0.x #9871
2.3.220 [20230224] Changes
2.3.210 [20230202] Changes
FIX: Add configured_vulns_ext_vars.yar to Strelka YARA exclusion list #9701
FIX: Improve Suricata DHCP parsing and dashboard #9678
UPGRADE: CyberChef 9.55.0 #9673
UPGRADE: Elastic 8.6.1 #9594
UPGRADE: MySQL 5.7.24 to 5.7.41 #9616
UPGRADE: Strelka 0.23.01.07 #9687
UPGRADE: Suricata 6.0.10 #9403
UPGRADE: Zeek 5.0.6 #9695
2.3.200 [20230113] Changes
FEATURE: Add Consumption EPS to default Grid view #9359
FEATURE: Allow custom IDH HTTP Skins #9045
FEATURE: Improve SOC Dashboards #9450
FEATURE: Update Zeek oui.dat during container build #9542
FIX: EPS sorting in SOC Grid #9363
FIX: Ensure file path is ascertainable by localfile.py for localfile analyzer #9342
FIX: RITA number_format_exception “unable to convert to integer” #9503
FIX: Superuser permission check for so-elasticsearch-indices-list #9461
FIX: Sysmon logs are missing event.category and event.dataset #8194
FIX: config.map.jinja updates for highlander setting #9321
FIX: so-import utilities should hyperlink to dashboards #9373
FIX: so-status runs some code before checking for root privileges #9270
UPGRADE: Elastic 8.5.3 #9356
2.3.190 Hotfix [20221207] Changes
FIX: Improve support for Suricata file extraction into Strelka #9318
2.3.190 [20221205] Changes
FEATURE: Add Additional ICS Zeek Packages #9149
FEATURE: Check hashes for duplicates before sending to strelka #9034
FEATURE: Improve local copy of docs in SOC #9097
FEATURE: so-pcap-export can run without needing to be attached to a TTY #8994
FIX: Avoid deprecation warning in Zeek file extraction script #9123
FIX: Change PyYAML .whl file name to comply with Joliet’s 240-character limit/threshold #8995
FIX: Remove JA3er Analyzer #8984
FIX: prevent ISO image from triggering common AV false positives #7297
UPGRADE: CyberChef 9.49.0 #9180
UPGRADE: Grafana 9.2.7 #8950
UPGRADE: Strelka #8996
UPGRADE: Suricata 6.0.9 #9229
UPGRADE: Zeek 5.0.4 #9167
2.3.182 [20221109] Changes
UPGRADE: Zeek 5.0.3 #9100
2.3.181 [20221021] Changes
2.3.180 [20221014] Changes
2.3.170 [20220922] Changes
FEATURE: Events table(s) for Windows Events matching default view #8591
FEATURE: Split the winlog.event_data.Hashes field for Windows sysmon process creation events. #8593
FIX: Mapping error when trying to index Strelka logs generated from ELF files. #8592
UPGRADE: Elastic 8.4.1 #8794
UPGRADE: Zeek 4.0.9 #8774
2.3.160 [20220829] Changes
2.3.150 [20220820] Changes
FIX: Allow Filebeat to be disabled for sensors, idh, and fleet nodes #8404
FIX: Display PCAP menu action on Dashboards page #8343
FIX: Elasticsearch geoip lookups fail for some users in Elastic 8 #8373
FIX: Fix TLP options in Cases to align with TLP 2.0 #8469
FIX: Remove Elastic Pipeline Time graph from Grafana #8369
FIX: Update TALOS rules snapshot version to 29200 #8551
FIX: Use systemd drop-in file for salt-minion.service override #8441
FIX: soup should check for local configurations before modifying anything #8423
FIX: soup should only delete elastalert indices when upgrading from Elastic versions older than 8 #8536
UPGRADE: CyberChef 9.46.0 #8299
UPGRADE: Elastic 8.3.3 #8398
2.3.140 Hotfix [20220812] Changes
FIX: so-curator-closed-delete-delete needs to reference new Elasticsearch directory #8529
2.3.140 Hotfix [20220719] Changes
FIX: Revise Elastalert index check/deletion logic
FIX: Ensure Elastalert is enabled before trying to run ‘so-elastalert-stop’. Also suppress error output for when so-elastalert container is missing.
2.3.140 Changes
FEATURE: Provide ability to maximize view of a groupby chart or table #8176
FEATURE: Remember the state of the left menu (visible or hidden) between SOC refreshes #8186
FEATURE: Remove disabled accounts from Case Assignee list #8184
FEATURE: SOUP should not let you update to 2.3.140 or above unless you have updated to at least 2.3.110 #8239
FEATURE: Support bulk observable data entry #8210
FIX: Add ID to Filestream Inputs #8006
FIX: Add event.category field to pfsense firewall logs #8112
FIX: Add jinja to localfile.yaml #8196
FIX: IDH ISO Disk partitions #8144
FIX: Improve default dashboards #8136
FIX: Strip whitespace after analyzer input strings (observable values) #8208
FIX: Support group-by sorting memory on first group only #8133
FIX: Using so-firewall to list default port groups #8264
FIX: pam.d lastlog module breaks BPF capability #8188
FIX: Ensure so-kibana indices can be cleaned up on search nodes #8262
UPGRADE: Kratos to 0.10.1 #8227
UPGRADE: Salt 3004.2 #8166
UPGRADE: Suricata 6.0.6 #8279
UPGRADE: Elastic 8.3.2 #7563
UPGRADE: Redmine to 4.2.7 #8308
2.3.130 Changes
FEATURE: Add “observable” button next to hash for case attachments #7222
FEATURE: Add set of default analyzers #7945
FEATURE: Make classification.config user-configurable #7918
FEATURE: Native analyzer infrastructure #7944
FEATURE: Playbook False Positive Tuning #8059
FEATURE: SOC Dashboards #1211
FIX: Allow quick actions on a field value with the number 0 #8023
FIX: Elastalert query in Hunt #8049
FIX: Ensure failed elastic queries show an error on the SOC UI #7846
FIX: Firefox OQL edits should release focus after pressing ENTER #8063
UPGRADE: ElastAlert 2 from 2.2.2 to 2.5.0 #8008
UPGRADE: Elastic 7.17.4 #8002
UPGRADE: FleetDM 4.14.0 #8012
UPGRADE: Kratos 0.8.2-alpha.1 to 0.9.0-alpha.3 #7943
UPGRADE: TensorFlow from 2.5 to 2.9.1 #8009
UPGRADE: attack-navigator v4.6.4 #7977
UPGRADE: Zeek 4.0.6 to 4.0.7 #8067
2.3.120 Changes
FEATURE: Add ISO option to the installer for analyst workstation #7502
FEATURE: Add new Hunt query for SOC logins #7327
FEATURE: Add strelka-fileshot and strelka-oneshot binaries to analyst workstation #7670
FEATURE: Expose Case user info (email address) in SOC Alert/Hunt/Cases results instead of user ID #7548
FEATURE: Have Observables inherit their case’s TLP by default #7642
FEATURE: IDH - Separate MGT & IDH NIC #7589
FEATURE: Remove thehive and cortex dockers #7501
FEATURE: Stop hive related services in soup to 120 #7599
FIX: Create .keyword shim for additional process fields #7633
FIX: Elasticsearch & Logstash logs not compressed or cleaned #6932
FIX: Failure of influxdb state if default shell is zsh #7730
FIX: Hunt OR queries should work without parentheses #7540
FIX: Improve Hunt query when pivoting from Cases Observables #7405
FIX: Improve Zeek file extraction #7829
FIX: Management IP is sometimes null at the end of setup #7113
FIX: Prevent multiple instances of so-sensor-clean and so-playbook-sync #6622
FIX: Prevent users from running so-setup iso on Ubuntu #7601
FIX: Remove TheHive deps from Playbook #7483
FIX: Run telegraf as non-root #7468
FIX: Salt error during setup - [ERROR ] Unable to connect pusher: Stream is closed #7203
FIX: Update syslog ingest pipeline per #5251 #6912
FIX: remove soremote access after analyst install joins grid #7639
FIX: soup should ensure salt-master service is running prior to running #7763
FIX: surilogcompress not working correctly on some systems #7133
UPGRADE: CyberChef 9.37.3 #7817
UPGRADE: Elastic 7.17.3 #7807
UPGRADE: FleetDM 4.12.1 #7725
UPGRADE: Suricata 6.0.5 #7836
UPGRADE: Zeek 4.0.6 #7839
UPGRADE: nginx 1.20.2 #7808
2.3.110 Hotfix [20220407] Changes
FIX: Previously failed Ubuntu minions will now be able to get the proper repo for install
FIX: Fixed a regression in AIRGAP that was preventing salt from upgrading
2.3.110 Hotfix [20220407] Known Issues
If you had a previous failed soup please ensure that the salt-master service is running before you run soup again.
2.3.110 Hotfix [20220405] Changes
FIX: Change the salt bootstrap script to pull from the proper location for Ubuntu
2.3.110 Hotfix [20220401] Changes
FIX: Updated Saltstack to 3004.1 to address CVE-2022-22934 #7701
2.3.110 Changes
FEATURE: Full ECS data type compliance #6747
FEATURE: Intrusion Detection Honeypot Node #7138
FEATURE: Multi-Factor Authentication (MFA) for Security Onion #7316
FEATURE: Populate Zeek’s networks.cfg with $HOME_NET #6854
FEATURE: SOC authentication logs will now be ingested into Elasticsearch #7354
FEATURE: sort indices list alphabetically by index name #6969
FIX: ACNG should clear the cache on restart #7114
FIX: Abort so-user sync if Kratos database is locked #7459
FIX: Add Endgame Index settings to the global.sls on new installs #7293
FIX: Allow downgrades during docker_install #7228
FIX: Avoid telegraf apparmor issues #2560
FIX: Composable Templates #4644
FIX: Increase minimum password length from 6 to 8 characters #7352
FIX: Navigator should ship with all needed files #1162
FIX: Prevent Elasticsearch deprecation notices from causing installation failures #7353
FIX: Random passwords generated at setup contain character combinations that cause problems with some containers #7233
FIX: curator should exclude so-case* indices #7270
FIX: so-ip-update needs to update Kibana dashboards #7237
FIX: so-status TTY improvements #7355
UPGRADE: Elastic 7.17.1 #7137
UPGRADE: FleetDM to 4.10.0 #7245
UPGRADE: Grafana 8.4.1 #7281
UPGRADE: Kratos 0.8.2-alpha.1 #7351
2.3.100 Hotfix [20220301] Changes
FIX: Prevent curator from pruning case indices #7270
2.3.100 Hotfix [20220203] Changes
FIX: SSLError for Logstash connecting to Redis if manager hostname contains uppercase #7103
FIX: Add mixed case hostnames to automated testing
2.3.100 Hotfix [20220202] Changes
FIX: Add new salt URL to the ACNG config for SSL passthrough
FIX: Managers with capitals in the hostname will now properly pull from the salt mine #7081
2.3.100 Changes
FEATURE: Add verbiage to soup to denote which branch is being used #6763
FEATURE: Allow for an easy way to add a local repo directory for Elastic snapshots #7034
FEATURE: Install Elasticsearch plugin - repository-s3 #6139
FEATURE: Introduce new Cases module for native case management #7019
FEATURE: Introduce new Receiver node type #6469
FEATURE: Open event from Kibana in hunt #6748
FEATURE: SOC error messages should show regardless of how far down the user has scrolled #6977
FEATURE: Support sort order in Elasticsearch queries #2577
FIX: Reinstall on Ubuntu 18.04 fails on docker install #6467
FIX: Cleanup Invalid Kolide messages in nginx logs #3989
FIX: Disable Wazuh on sensors if it is disabled globally #7016
FIX: During a reinstall, remove existing certs and keys generated by the ssl and ca states #7010
FIX: Enable SANs for all certificates #6381
FIX: Fleet broken when default Docker IP range changed #6603
FIX: Generate .security subfield for message field #5106
FIX: Improve support for grouping by fields with spaces #6724
FIX: Logstash inputs beats deprecation #5194
FIX: Playbook Field Mappings #3660
FIX: Prevent the .security keyword from being added to the rule.uuid field in Playbook #6276
FIX: Reduce excessive Elasticsearch log growth #5190
FIX: Reinstall should not try to patch python3-influxdb modules if already patched. #6765
FIX: Remove manager from /etc/hosts during install prompts #6492
FIX: Remove xml header from ossec.conf #6658
FIX: SOUP should check that en_US.UTF-8 is available before switching to it #6599
FIX: Salt does not generate a fleet.crt file with CUSTOM_FLEET_HOSTNAME #4319
FIX: Typo in so-image-common output #6563
FIX: Wazuh WEL Parsing #6829
FIX: _id fielddata deprecated message #6703
FIX: elastic_curl_config depends on elastic_curl_config_distributed #6811
FIX: prevent the need for adding roles in a specific order when using so-user #6505
FIX: so-preflight tries to run curl before it is installed #6899
FIX: so-user update should automatically sync #6659
UPGRADE: CyberChef 9.32.3 #6434
UPGRADE: Elastic components to 7.16.3 #6860
UPGRADE: FleetDM 4.8.0 #6828
UPGRADE: Grafana 8.3.2 #6321
UPGRADE: Salt to 3004 #6810
UPGRADE: Zeek to 4.0.5 #6983
2.3.91 Changes
UPGRADE: Elastic to 7.16.2 for log4j vulnerability mitigation
2.3.90 Hotfix [20211213]
FIX: Remove JndiLookup class from Elasticsearch and Logstash jar files to address additional log4j attack vectors
2.3.90 Hotfix [20211210]
FIX: Mitigate vulnerability in log4j
2.3.90 Hotfix [20211206]
FIX: soup should now properly update 2.3.90 installs that had an issue with xml headers in the ossec.conf
FIX: soup now has more logging
FIX: soup now checks for the existence of the endgame group before trying to apply it on a re-soup
FIX: so-elasticsearch-pipelines now uses the proper value for applying the pipelines
2.3.90 Hotfix [AIRGAPFIX]
FIX: Airgap repo was created on distributed iso nodes even in non-airgap installs #6415
2.3.90 Hotfix [WAZUH]
FIX: so-allow should not be modifying ossec.conf when Wazuh isn’t installed #6317
FIX: so-allow should not be writing an XML header to the ossec.conf file #6325
FIX: Correct “exisiting” typo on whiptail prompt
FIX: Soup will no longer attempt to validate a successful salt upgrade if salt wasn’t upgraded on this soup run
2.3.90 Changes
FEATURE: Add ASN annotation for GeoIP #5068
FEATURE: Add Endgame Support for Security Onion #6166
FEATURE: Add TI Module #5916
FEATURE: Add additional flags to stenographer config #5851
FEATURE: Add filebeat, auditbeat, and metricbeat downloads to SOC Download screen #5849
FEATURE: Add logstash and redis input plugins to telegraf #5960
FEATURE: Add so-deny script for removing access from firewall and other apps #4621
FEATURE: Add support for escalation to Elastic Cases #6048
FEATURE: Allow for Kibana customizations via pillar #3933
FEATURE: Allow users to set their profile information #5846
FEATURE: Allow vlan tagged NICs to be used as management interface #3687
FEATURE: Create Pipeline Overview Dashboard for Grafana #6177
FEATURE: Create script to reset elastic auth passwords #6206
FEATURE: Enable Kibana Settings for encryption #6146
FEATURE: Expose new user profile field for specifying a custom note about a user #5847
FEATURE: HTTP module for SOC event escalation #5791
FEATURE: Increase password lengths, provide a way to change existing passwords #6043
FEATURE: Indicate that setup has completed at the very end of sosetup.log #5032
FEATURE: Prevent SOUP from running if there is an issue with the manager pillar #5809
FEATURE: Provide quick-select date ranges from Hunt/Alerts date range picker #5953
FEATURE: SOC Hunt Timeline/Charts should be collapsible #5114
FEATURE: Support Ubuntu 20.04 #601
FEATURE: setup should run so-preflight #3497
FIX: ACNG sometimes returns 503 errors when updating Ubuntu through the manager #6151
FIX: Add details to Setup for Install Type menus #6105
FIX: Adjust timeout in check_salt_minion_status in so-functions #5818
FIX: All templates should honor replica settings #6005
FIX: Clear holds on Ubuntu installs #5588
FIX: Consider making the airgap option only settable on the manager #5914
FIX: Docker containers should not start unless file events are completed #5955
FIX: Ensure soc_users_roles file is cleaned up if incorrectly mounted by Docker #5952
FIX: Favor non-aggregatable data type when a cache field has multiple conflicting data types #5962
FIX: Firefox tooltips stuck on Hunt and Alerts screens #6010
FIX: Grafana sensor graphs only show interface graphs when selected individually #6007
FIX: Kibana saved objects #5193
FIX: Modify Steno packet loss calculation to show point in time packet loss #6060
FIX: Remove CURCLOSEDAYS prompt in Setup since it is no longer used #6084
FIX: Remove references to xenial (Ubuntu 16.04) from setup #4292
FIX: Remove unnecessary screens from Analyst Setup #5615
FIX: SOC docker should not start until file managed state runs #5954
FIX: SOC unable to acknowledge alerts when not grouped by rule.name #5221
FIX: Setup should ask if new or existing distributed deployment #6115
FIX: Setup should prevent invalid characters in Node Description field #5937
FIX: Support non-WEL Beats #6063
FIX: Unnecessary Port Binding for so-steno #5981
FIX: Use yaml.safe_load() in so-firewall (thanks to @clairmont32) #5750
FIX: Zeek state max depth not working #5558
FIX: so-ip-update should grant mysql root user access on new IP #4811
FIX: docker group can be given gid used by salt created groups #6071
FIX: packetloss.sh gives an error every 10 min though ZEEK is disabled #5759
FIX: so-import-evtx elastic creds & logging #6065
FIX: so-user delete function causes re-migration of user roles #5897
FIX: wazuh-register-agent times out after 15 minutes; lower to 5 minutes #5794
FIX: yum pkg.clean_metadata occasionally fails during setup #6113
UPGRADE: ElastAlert to 2.2.2 #5751
UPGRADE: Elastic to 7.15.2 #5752
UPGRADE: FleetDM to 4.5 #6188
UPGRADE: Grafana to 8.2.3 #5852
UPGRADE: Kratos to 0.7.6-alpha.1 #5848
UPGRADE: Redis to 6.2.6 #6140
UPGRADE: Suricata to 6.0.4 #6274
UPGRADE: Telegraf to 1.20.3 #6075
2.3.80 Changes
FEATURE: Ability to disable Zeek, Suricata #4429
FEATURE: Add docs link to Setup #5459
FEATURE: Add evtx support in Import Node #2206
FEATURE: Consolidate whiptail screens when selecting optional components #5456
FEATURE: Distinguish between Zeek generated syslog and normal syslog in hunt for event fields #5403
FEATURE: Enable index sorting to increase search speed #5287
FEATURE: Expose options for elasticsearch.yml via Salt pillar #1257
FEATURE: Role-based access control (RBAC) #5614
FEATURE: soup -y for automation #5043
FIX: Add new default filebeat module indices to the global pillar. #5526
FIX: all.rules file can become empty on non-airgap deployments if manager does not have access to the internet. #3619
FIX: Curator cron should run less often #5189
FIX: Improve unit test maintainability by refactoring to use Golang assertion library #5604
FIX: Invalid password message should also mention dollar signs are not allowed #5381
FIX: Max files for steno should use a pillar value for easy tuning. #5393
FIX: Remove raid check for official cloud appliances #5449
FIX: Remove watermark settings from global pillar. #5520
FIX: SOC Username case sensitivity #5154
FIX: so-user tool should validate password before adding user to SOC #5606
FIX: Switch to new Curator auth params #5273
UPGRADE: Curator to 5.8.4 #5272
UPGRADE: CyberChef to 9.32.2 #5158
UPGRADE: SOC UI 3rd Party dependencies to latest versions #5603
UPGRADE: Zeek to 4.0.4 #5630
2.3.70 Hotfix [WAZUH]
FIX: wazuh-agent is updated during setup on ISO, which causes service to fail to start #5354
2.3.70 Hotfix [GRAFANA_DASH_ALLOW]
FIX: Grafana state trying to create undefined dashboards #5270
2.3.70 Hotfix [CURATOR]
2.3.70 Changes
FEATURE: Add sha.256 to suricata.fileinfo pipeline #4224
FEATURE: Allow for adjustment of Kibana sampleSize setting in Discover dashboard #4969
FEATURE: Allow for adjustment to automatic patch schedule #4985
FEATURE: Require SOC login before allowing users to access playbook and soctopus #4623
FEATURE: Scan kratos logs for anomalous login attempts #4710
FEATURE: Send PCAP session transcript to CyberChef #5010
FEATURE: Show model numbers of cloud-deployed nodes #4898
FEATURE: Show warning when a user attempts to use a hostname or web domain entry that is not all lowercase #4791
FEATURE: Simplify Grafana dashboard management and redesign dashboards #4674
FEATURE: so-firewall needs an option to run apply by itself #4765
FEATURE: so-pcap-export #4210
FEATURE: SOUP - Prompt user when local modifications are detected #3860
FIX: Add mapping to extracted file directory #4622
FIX: Clarify missing appliance images message on SOC grid #5118
FIX: Curator should only run on manager when set to use true clustering. #2806
FIX: Disabled user still shows as active in GUI #5055
FIX: Disallow blank passwords during ISO first stage setup (kickstart) #4947
FIX: Disallow ctrl-c during the first stage of ISO setup #4948
FIX: Improve raid failure detection on SOS Appliances #5064
FIX: Improve verbiage for initial IPv4 prompt and so-allow prompt #5138
FIX: Jinja the stream.reassembly.depth value in the Suricata defaults.yaml file #4293
FIX: Remove so-elastic-features. #4542
FIX: SOC login page missing the hide/show password icons #5087
FIX: Wazuh data ingest error: data.port #3988
2.3.61 Hotfix [STENO, MSEARCH]
2.3.61 Changes
FIX: Airgap link to Release Notes #4685
FIX: CyberChef unable to load due to recent Content Security Policy restrictions #4885
FIX: Suricata dns.response.code needs to be renamed to dns.response.code_name #4770
UPGRADE: alpine 3.12.1 to latest for Fleet image #4823
UPGRADE: Elastic 7.13.4 #4730
UPGRADE: Zeek 4.0.3 #4716
2.3.60 Hotfix [ECSFIX, HEAVYNODE, FBPIPELINE, CURATORAUTH] Changes
FIX: Curator’s authentication to Elasticsearch was incorrectly configured for the version currently in use.
FIX: Some logs from Filebeat were not being properly routed to the correct pipeline causing the log to fill up the disk.
FEATURE: All hotfixes going forward will have an ISO so that airgap users can follow the standard soup process as they would for normal releases.
FIX: Hotfix to revert Strelka and Wazuh Elastic Common Schema (ECS) changes that weren’t intended for 2.3.60.
FIX: Correct SSL certificate common name (CN) to match heavy node hostnames. Only applicable to grids with heavy nodes. May require manual restart of Redis, Elasticsearch, Filebeat, and Logstash containers (in that order), once the heavy nodes have succeeded in applying highstate. For more information see the related blog post at https://blog.securityonion.net/2021/07/security-onion-2360-heavy-node-hotfix.html
2.3.60 Changes
FEATURE: Ability to change default SOC timezone instead of using browser’s timezone #4261
FEATURE: Add SOC database to the backups #3748
FEATURE: Add so-elasticsearch-query tool #4437
FEATURE: Create a new Quick Drilldown option in SOC #4469
FEATURE: Display Security Onion version number in so-setup #3348
FEATURE: Elastic Auth #1423
FEATURE: Implement retention policy for InfluxDB #3264
FEATURE: New Grafana dashboards for InfluxDB RPs #4609
FEATURE: Pillarize Filebeat Modules #3859
FEATURE: Pivot from Alerts/Hunt to CyberChef #4081
FEATURE: Pivot from SOC PCAP to CyberChef #1596
FEATURE: Support adjustable SOC session timeout #4586
FIX: Add a prompt when soup requires the path or cdrom device to be input #3551
FIX: Add event_data to Elasticsearch template(s) #4012
FIX: Allow for spaces in password on kickstart script (ISO) #1079
FIX: Change Acknowledge, Escalate, and expandEvent buttons from title to tooltip #4497
FIX: Disallow so-suricata-start from running on the manager node #2977
FIX: Ensure fixed PCAP files are readable by Suricata during so-import-pcap execution #4636
FIX: Fail curl requests if the remote server responds with a failing status code #4266
FIX: Implement error handling for soup #3220
FIX: Improve PCAP job lookup performance by providing a tighter time range #4320
FIX: Improve administrative username password prompt to prevent backspacing into text (ISO) #3099
FIX: Improve soup for older installs #4617
FIX: Include secure HTTP headers in nginx responses #4267
FIX: Increase default search and proxy timeouts to 5 minutes #4321
FIX: OS passwords including special characters like $ and ! #4249
FIX: Prevent highstate failure during soup #3559
FIX: Prevent so-thehive-cortex from continuing to build if an issue is encountered installing Python packages #4032
FIX: Setup should not prompt for node description when running import or eval #4004
FIX: Trying to delete old pcap job results in error #4528
FIX: Websocket session cleanup overly aggressive #4598
FIX: so-user should support spaces in passwords for Fleet and TheHive users #4460
FIX: zeek leaving post-terminate crash logs on every shutdown #4461
UPGRADE: Elastic to 7.13 #4313
UPGRADE: Kratos to 0.6.3-alpha.1 #4282
UPGRADE: Redmine 4.2 (For Playbook) #4159
UPGRADE: Suricata 6.0.3 #4661
2.3.52 Changes
2.3.51 Changes
FIX: Mixed case sensor hostnames lead to incomplete PCAP jobs #4220
FIX: Reconcile InfluxDB/Grafana containers in certain setup modes #4207
FIX: Turn down log level for Salt States and Zeek #4231
FIX: Correct downloaded PCAP filename #4234
FIX: Truncate /root/wait_for_web_response.log before each wait invocation #4247
2.3.50 Changes
FEATURE: Add EPS Stats for Filebeat #3872
FEATURE: Add copy-to-clipboard quick action menu option for copying a single field and value as ‘field:value’ #3937
FEATURE: Add raid and so-status monitoring to SOC grid page #3584
FEATURE: Add so-status to telegraf script executions and return a value #3582
FEATURE: Add zeekctl wrapper script #3441
FEATURE: Allow users to set an optional description for the node during setup #2404
FEATURE: Initial implementation of enhanced websocket management #3691
FEATURE: Combine proxy + package update questions into one menu #3807
FEATURE: Configure NTP in Setup #3053
FEATURE: Logstash pipeline stats wrapper #3531
FEATURE: Need a way to have Hunt/Alerts perform groupbys that can optionally include events that don’t have a match for a group #2347
FEATURE: Osquery WEL - Differentiate between Event & Ingest Timestamp #3858
FEATURE: Provide customizable Login page banner content using markdown format #3659
FEATURE: Provide customizable Overview tab content using markdown format #3601
FEATURE: Redirect expired login form back to login page instead of showing error #3690
FEATURE: Redirect to login when session expires #3222
FEATURE: Show final selected options menu at the end of install #3197
FEATURE: Show node and overall grid EPS on Grid Page #3823
FEATURE: Telegraf should check for additional metrics if it is running on an appliance #2716
FEATURE: VIM YAML Syntax Highlighting #3966
FEATURE: allow for salt-minion start to be delayed on system start #3543
FEATURE: check manager services (salt-master, so-status) during setup on a node #1978
FEATURE: soup should check for OS updates #3489
FIX: Alerts Total Found value should update when acknowledging or escalating #2494
FIX: Alerts severity sort order #1741
FIX: Change bro packet loss to be once per 2 minutes vs 30s #3583
FIX: Check Zeek index close and delete settings for existing deployments #3575
FIX: Firewall rules added via pillar only applies last hostgroup of the defined chain #3709
FIX: Hunt not properly escaping special characters in Windows sysmon logs. #3648
FIX: Hunt query for HTTP EXE downloads should work for both Zeek and Suricata #3753
FIX: Incorrect retry syntax in CA and SSL states #3948
FIX: Playbook Alert/Hunt showing incorrect timestamp #2071
FIX: Properly handle unauthorized responses during API requests from SOC app #2908
FIX: Reformat date/time on Grid and PCAP pages to enable sorting #2686
FIX: Rename Fleet link in SOC to FleetDM #3569
FIX: Suricata compress script should send its output to /dev/null #3917
FIX: Suricata cpu-affinity not being set if suriprocs is defined in minion pillar file. #3926
FIX: TheHive Case Creation from Kibana Failure #3870
FIX: WEL Shipping via Wazuh broken #3857
FIX: Zeek Intel not working #3850
FIX: ingest.timestamp should be date type #3629
FIX: nmcli error during setup on Ubuntu + AMI #3598
FIX: salt upgrade failure with versionlock #3501
FIX: setup tries to connect to url used for proxy test even if the user chooses not to set one up #3784
FIX: so-playbook-sync should only have one instance running #3568
FIX: so-ssh-harden needs improvement #3600
FIX: soup does not update /etc/soversion on distributed nodes #3602
UPGRADE: Elastalert to 0.2.4-alt3 #3947
UPGRADE: Salt 3003 #3854
UPGRADE: Upgrade Grafana to 7.5.4 #3916
UPGRADE: Upgrade external dependencies used by SOC #3545
2.3.50 Known Issues
If you had previously enabled Elastic Features and then upgrade to Security Onion 2.3.50 or higher, you may notice some features missing in Kibana. You can enable or disable features as necessary by clicking the main menu in the upper left corner, then click “Stack Management”, then click “Spaces”, then click “Default”. For more information, please see https://www.elastic.co/guide/en/kibana/master/xpack-spaces.html#spaces-control-feature-visibility.
If you have node names in mixed case (rather than all lower case), the Grid page may show the nodes as being in the “Fault” state. This is a cosmetic issue and has been resolved with a hotfix: https://blog.securityonion.net/2021/05/security-onion-2350-hotfix-available.html
2.3.40 Changes
FEATURE: Add option for HTTP Method Specification/POST to Hunt/Alerts Actions #2904
FEATURE: Add option to configure proxy for various tools used during setup + persist the proxy configuration #529
FEATURE: Alerts/Hunt - Provide method for base64-encoding pivot value #1749
FEATURE: Allow users to customize links in SOC #1248
FEATURE: Display user who requested PCAP in SOC #2775
FEATURE: Make SOC browser app connection timeouts adjustable #2408
FEATURE: Move to FleetDM #3483
FEATURE: Reduce field cache expiration from 1d to 5m, and expose value as a salt pillar #3537
FEATURE: Refactor docker_clean salt state to use loop w/ inspection instead of hardcoded image list #3113
FEATURE: Run so-ssh-harden during setup #1932
FEATURE: SOC should only display links to tools that are enabled #1643
FEATURE: Update Sigmac Osquery Field Mappings #3137
FEATURE: User must accept the Elastic licence during setup #3233
FEATURE: soup should output more guidance for distributed deployments at the end #3340
FEATURE: soup should provide some initial information and then prompt the user to continue #3486
FIX: Add cronjob for so-suricata-eve-clean script #3515
FIX: Change Elasticsearch heap formula #1686
FIX: Create a post install version loop in soup #3102
FIX: Custom Kibana settings are not being applied properly on upgrades #3254
FIX: Hunt query issues with quotes #3320
FIX: IP Addresses don’t work with .security #3327
FIX: Improve DHCP leases query in Hunt #3395
FIX: Improve Setup verbiage #3422
FIX: Improve Suricata DHCP logging and parsing #3397
FIX: Keep RELATED,ESTABLISHED rules at the top of iptables chains #3288
FIX: Populate http.status_message field #3408
FIX: Remove “types removal” deprecation messages from elastic log. #3345
FIX: Reword + fix formatting on ES data storage prompt #3205
FIX: SMTP should read SNMP on Kibana SNMP view #3413
FIX: Sensors can temporarily show offline while processing large PCAP jobs #3279
FIX: Soup should log to the screen as well as to a file #3467
FIX: Strelka port 57314 not immediately relinquished upon restart #3457
FIX: Switch SOC to pull from fieldcaps API due to field caching changes in Kibana 7.11 #3502
FIX: Syntax error in /etc/sysctl.d/99-reserved-ports.conf #3308
FIX: Telegraf hardcoded to use https and is not aware of elasticsearch features #2061
FIX: Zeek Index Close and Delete Count for curator #3274
FIX: so-cortex-user-add and so-cortex-user-enable use wrong pillar value for api key #3388
FIX: so-rule does not completely apply change #3289
FIX: soup should recheck disk space after it tries to clean up. #3235
UPGRADE: Elastic 7.11.2 #3389
UPGRADE: Suricata 6.0.2 #3217
UPGRADE: Zeek 4 #3216
UPGRADE: Zeek container to use Python 3 #1113
UPGRADE: docker-ce to latest #3493
2.3.40 Known Issues
There was a typo in the Zeek index close and delete settings. We’ve fixed this for new installs in https://github.com/Security-Onion-Solutions/securityonion/issues/3274. If your deployment has more than 45 days of open Zeek indices, you may want to review these settings in /opt/so/saltstack/local/pillar/global.sls and modify them as necessary. This is being tracked in https://github.com/Security-Onion-Solutions/securityonion/issues/3575.
If you had previously enabled Elastic Features and then upgrade to Security Onion 2.3.40 or higher, you may notice some features missing in Kibana. You can enable or disable features as necessary by clicking the main menu in the upper left corner, then click “Stack Management”, then click “Spaces”, then click “Default”. For more information, please see https://www.elastic.co/guide/en/kibana/master/xpack-spaces.html#spaces-control-feature-visibility.
If you upgrade to 2.3.40 and then Kibana says “Kibana server is not ready yet” even after waiting a few minutes for it to fully initialize, then take a look at the Diagnostic Logging section of the Kibana section.
2.3.30 Changes
Zeek is now at version 3.0.13.
CyberChef is now at version 9.27.2.
Elastic components are now at version 7.10.2. This is the last version that uses the Apache license.
Suricata is now at version 6.0.1.
Salt is now at version 3002.5.
Suricata metadata parsing is now vastly improved.
If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types here: https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/extraction.rules
It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here: https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/filters.rules
The Kratos docker container will now perform DNS lookups locally before reaching out to the network DNS provider.
Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces.
so-sensor-clean will no longer spawn multiple instances.
Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting.
Fixed a security issue where the backup directory had improper file permissions.
The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days.
Strelka logs are now being rotated properly.
Elastalert can now be customized via a pillar.
Introduced new script so-monitor-add that allows the user to easily add interfaces to the bond for monitoring.
Setup now validates all user input fields to give up-front feedback if an entered value is invalid.
There have been several changes to improve install reliability. Many install steps have had their validation processes reworked to ensure that required tasks have been completed before moving on to the next step of the install.
Users are now warned if they try to set “securityonion” as their hostname.
The ISO should now identify xvda and nvme devices as install targets.
At the end of the first stage of the ISO setup, the ISO device should properly unmount and eject.
The text selection of choosing Suricata vs Zeek for metadata is now more descriptive.
The logic for properly setting the LOG_SIZE_LIMIT variable has been improved.
When installing on Ubuntu, Setup will now wait for cloud init to complete before trying to start the install of packages.
The firewall state runs considerably faster now.
ICMP timestamps are now disabled.
Copyright dates on all Security Onion specific files have been updated.
so-tcpreplay (and indirectly so-test) should now work properly.
The Zeek packet loss script is now more accurate.
Grafana now includes an estimated EPS graph for events ingested on the manager.
Updated Elastalert to release 0.2.4-alt2 based on the https://github.com/jertel/elastalert alt branch.
Pivots from Alerts/Hunts to action links will properly URI encode values.
Hunt timeline graph will properly scale the data point interval based on the search date range.
Grid interface will properly show “Search” as the node type instead of “so-node”.
Import node now supports airgap environments.
The so-mysql container will now show “healthy” when viewing the docker ps output.
The Soctopus configuration now uses private IPs instead of public IPs, allowing network communications to succeed within the grid.
The Correlate action in Hunt now groups the OR filters together to ensure subsequent user-added filters are correctly ANDed to the entire OR group.
Add support to so-firewall script to display existing port groups and host groups.
Hive init during Setup will now properly check for a running ES instance and will retry connectivity checks to TheHive before proceeding.
Changes to the .security analyzer yields more accurate query results when using Playbook.
Several Hunt queries have been updated.
The pfSense firewall log parser has been updated to improve compatibility.
Kibana dashboard hyperlinks have been updated for faster navigation.
Added a new so-rule script to make it easier to disable, enable, and modify SIDs.
ISO now gives the option to just configure the network during setup.
2.3.30 Known Issues
Heavy Nodes are currently not compatible with Elastic true clustering: https://github.com/Security-Onion-Solutions/securityonion/issues/3226
Custom Kibana settings are not being applied properly on upgrades: https://github.com/Security-Onion-Solutions/securityonion/issues/3254
2.3.21 Changes
soup has been refactored. You will need to run it a few times to get all the changes properly. We are working on making this even easier for future releases.
soup now has awareness of Elastic Features and now downloads the appropriate Docker containers.
The Sensors interface has been renamed to Grid. This interface now includes all Security Onion nodes.
Grid interface now includes the status of the node. The status currently shows either Online (blue) or Offline (orange). If a node does not check-in on time then it will be marked as Offline.
Grid interface now includes the IP and Role of each node in the grid.
Grid interface includes a new Filter search input to filter the visible list of grid nodes to a desired subset. As an example, typing in “sensor” will hide all nodes except those that behave as a sensor.
The Grid description field can now be customized via the local minion pillar file for each node.
SOC will now draw attention to an unhealthy situation within the grid or with the connection between the user’s browser and the manager node. For example, when the Grid has at least one Offline node the SOC interface will show an exclamation mark in front of the browser tab’s title and an exclamation mark next to the Grid menu option in SOC. Additionally, the favicon will show an orange marker in the top-right corner (dynamic favicons not supported in Safari). Additionally, if the user’s web browser is unable to communicate with the manager, the unhealthy indicators appear along with a message at the top of SOC that states there is a connection problem.
Docker has been upgraded to the latest version.
Docker should be more reliable now as Salt is now managing daemon.json.
You can now install Elastic in a traditional cluster. When setting up the manager select Advanced and follow the prompts. Replicas are controlled in global.sls.
You can now use Hot and Warm routing with Elastic in a traditional cluster. You can change the box.type in the minion’s sls file. You will need to create a curator job to re-tag the indexes based on your criteria.
Telegraf has been updated to version 1.16.3.
Grafana has been updated to 7.3.4 to resolve some XSS vulnerabilities.
Grafana graphs have been changed to graphs vs gauges so alerting can be set up.
Grafana is now completely pillarized, allowing users to customize alerts and making it customizable for email, Slack, etc. See the docs here: https://securityonion.net/docs/grafana
Yara rules now should properly install on non-airgap installs. Previously, users had to wait for an automated job to place them in the correct location.
Strelka backend will not stop itself any more. Previously, its behavior was to shut itself down after fifteen minutes and wait for Salt to restart it to look for work before shutting down again.
Strelka daily rule updates are now logged to /nsm/strelka/log/yara-update.log
Several changes to the setup script to improve install reliability.
Airgap now supports the import node type.
Custom Zeek file extraction values in the pillar now work properly.
TheHive has been updated to support Elastic 7.
Cortex image now includes whois package to correct an issue with the CERTatPassiveDNS analyzer.
Hunt and Alert quick action menu has been refactored into submenus.
New clipboard quick actions now allow for copying fields or entire events to the clipboard.
PCAP Add Job form now retains previous job details for quickly adding additional jobs. A new Clear button now exists at the bottom of this form to clear out these fields and forget the previous job details.
PCAP Add Job form now allows users to perform arbitrary PCAP lookups of imported PCAP data (data imported via the so-import-pcap script).
Downloads page now allows direct download of Wazuh agents for Linux, Mac, and Windows from the manager, and shows the version of Wazuh and Elastic installed with Security Onion.
PCAP job interface now shows additional job filter criteria when expanding the job filter details.
Upgraded authentication backend to Kratos 0.5.5.
SOC tables with the “Rows per Page” dropdown no longer show truncated page counts.
Several Hunt errors are now more descriptive, particularly those around malformed queries.
SOC Error banner has been improved to avoid showing raw HTML syntax, making connection and server-side errors more readable.
Hunt and Alerts interfaces will now allow pivoting to PCAP from a group of results if the grouped results contain a network.community_id field.
New “Correlate” quick action will pivot to a new Hunt search for all events that can be correlated by at least one of various event IDs.
Fixed bug that caused some Hunt queries to not group correctly without a .keyword suffix. This has been corrected so that the .keyword suffix is no longer necessary on those groupby terms.
Fixed issue where PCAP interface loses formatting and color coding when opening multiple PCAP tabs.
Alerts interface now has a Refresh button that allows users to refresh the current alerts view without refreshing the entire SOC application.
Hunt and Alerts interfaces now have an auto-refresh dropdown that will automatically refresh the current view at the selected frequency.
The so-elastalert-test script has been refactored to work with Security Onion 2.3.
The included Logstash image now includes Kafka plugins.
Wazuh agent registration process has been improved to support slower hardware and networks.
An Elasticsearch ingest pipeline has been added for suricata.ftp_data.
Elasticsearch’s indices.query.bool.max_clause_count value has been increased to accommodate a slightly larger number of fields (1024 -> 1500) when querying using a wildcard.
On nodes being added to an existing grid, setup will compare the version currently being installed to the manager (>=2.3.20), pull the correct Security Onion version from the manager if there is a mismatch, and run that version.
Setup will gather any errors found during a failed install into /root/errors.log for easy copy/paste and debugging.
Selecting Suricata as the metadata engine no longer results in the install failing.
so-rule-update now accepts arguments to idstools. For example, so-rule-update -f will force idstools to pull rules, ignoring the default 15-minute pull limit.
2.3.10 Changes
UEFI installs with multiple disks should work as intended now.
Telegraf scripts will now make sure they are not already running before execution.
You are now prompted during setup if you want to change the docker IP range. If you change this it needs to be the same on all nodes in the grid.
Soup will now download the new containers before stopping anything. If anything fails it will now exit and leave the grid at the current version.
All containers are now hosted on quay.io to prevent pull limitations. We are now using GPG keys to determine if the image is from Security Onion.
Osquery installers have been updated to osquery 4.5.1
Fix for bug where Playbook was not removing the Elastalert rules for inactive Plays
Exifdata reported by Strelka is now constrained to a single multi-valued field to prevent mapping explosion (scan.exiftool).
Resolved issue with Navigator layer(s) not loading correctly.
Wazuh authd is now started by default on port 1515/tcp.
Wazuh API default credentials are now removed after setup. Scripts have been added for API user management.
Upgraded Salt to 3002.2 due to CVEs.
If salt-minion is unable to apply states after the defined threshold, we assume salt-minion is in a bad state and the salt-minion service will be restarted.
Fixed bug that prevented mysql from installing for Fleet if Playbook wasn’t also installed.
so-status will now show STARTING or WAIT_START, instead of ERROR, if so-status is run before a salt highstate has started or finished for the first time after system startup.
Stenographer can now be disabled on a sensor node by setting the pillar steno:enabled:false in its minion.sls file or globally if set in the global.sls file.
Added so-ssh-harden script that runs the commands listed in SSH.
NGINX now redirects the browser to the hostname/IP address/FQDN based on global:url_base
MySQL state now waits for MySQL server to respond to a query before completing
Added Analyst option to network installs
Acknowledging (and Escalating) alerts did not consistently remove the alert from the visible list; this has been corrected.
Escalating alerts that have a rule.case_template field defined will automatically assign that case template to the case generated in TheHive.
Alerts and Hunt interface quick action bar has been converted into a vertical menu to improve quick action option clarity. Related changes also eliminated the issues that occurred when the quick action bar was appearing to the left of the visible browser area.
Updated Go to newer version to fix a timezone, daylight savings time (DST) issue that resulted in Alerts and Hunt interfaces not consistently showing results.
Improved Hunt and Alert table sorting.
Alerts interface now allows absolute time searches.
Alerts interface ‘Hunt’ quick action is now working as intended.
Alerts interface ‘Ack’ icon tooltip has been changed from ‘Dismiss’ to ‘Acknowledge’ for consistency.
Hunt interface bar charts will now show the quick action menu when clicked instead of assuming the click was intended to add an include filter.
Hunt interface quick action will now cast a wider net on field searches.
Now explicitly preventing the use of a dollar sign ($) character in web user passwords during setup.
Cortex container will now restart properly if the SO host was not gracefully shutdown.
Added syslog plugin to the logstash container; this is not in-use by default but available for those users that choose to use it.
Winlogbeat download package is now available from the SOC Downloads interface.
Upgraded Kratos authentication system.
Added new Reset Defaults button to the SOC Profile Settings interface which allows users to reset all local browser SOC customizations back to their defaults. This includes things like default sort column, sort order, items per page, etc.
2.3.10 Known Issues
For Ubuntu non-master nodes, you may need to ssh to each node and run salt-call state.highstate in order to initiate the update. To verify if this needs to be done on remote nodes, from the master, run salt \* pkg.version salt-minion after 30 minutes following the initial soup update. If the node does not return that it is running Salt 3002.2, then the node will need to be manually highstated locally from the node to complete the update.
During soup, you may see the following during the first highstate run; it can be ignored: Rendering SLS '<some_sls_here>' failed: Jinja variable 'list object' has no attribute 'values'. The second highstate will complete without that error.
During install or soup, there is a false positive failure condition that can occur. It is caused by [ERROR ] Failed to add job <job_name> to schedule. This error indicates that Salt was unable to add a job to a schedule. If you see this in the setup or soup log, you can confirm whether it is a false positive by running salt-call schedule.list on the node that saw the error. If the job isn’t in the schedule list, run salt-call state.highstate and check if the job was added after it completes.
2.3.2 Changes
Elastic components have been upgraded to 7.9.3.
Fixed an issue where curator was unable to delete a closed index.
Cheat sheet is now available for airgap installs.
2.3.1 Changes
Fixed a SOC issue in airgap mode that was preventing people from logging in.
Downloading Elastic features images will now download the correct images.
Winlogbeat download no longer requires Internet access.
Adjusted Alerts quick action bar to allow searching for a specific value while remaining in Alerts view.
/nsm will properly display disk usage on the standalone Grafana dashboard.
The manager node now has syslog listener enabled by default (you’ll still need to allow syslog traffic through the firewall of course).
Fixed an issue when creating host groups with so-firewall.
2.3.1 Known Issues
It is still possible to update your grid from any release candidate to 2.3. However, if you have a true production deployment, then we recommend a fresh image and install for best results.
In 2.3.0 we made some changes to data types in the elastic index templates. This will cause some errors in Kibana around field conflicts. You can address this in 2 ways:
Delete all the data on the ES nodes (preserving all of your other settings such as BPFs) by running sudo so-elastic-clear on all the search nodes.
Re-index the data. This is not a quick process but you can find more information at https://docs.securityonion.net/en/2.3/elasticsearch.html#re-indexing
Please be patient as we update our documentation. We have made a concerted effort to update as much as possible but some things still may be incorrect or omitted. If you have questions or feedback, please start a discussion at https://securityonion.net/discuss.
Once you update your grid to 2.3, any new nodes that join the grid must be 2.3 so if you try to join an older node it will fail. For best results, use the latest 2.3 ISO (or 2.3 installer from github) when joining to a 2.3 grid.
Shipping Windows Eventlogs with Osquery will fail intermittently with utf8 errors logged in the Application log. This is scheduled to be fixed in Osquery 4.5.
When running soup to upgrade from older versions to 2.3, there is a Salt error that may occur during the final highstate. This error is related to the patch_os_schedule and can be ignored as it should not occur again in subsequent highstates.
When Search Nodes are upgraded from older versions to 2.3, there is a chance of a race condition where certificates are missing. This will show errors in the manager log to the remote node. To fix this run the following on the search node that is having the issue:
Stop elasticsearch: sudo so-elasticsearch-stop
Run the SSL state: sudo salt-call state.apply ssl
Restart elasticsearch: sudo so-elasticsearch-restart
If you are upgrading from RC1 you might see errors around registry:2 missing. This error does not break the actual upgrade. To fix, run the following on the manager:
Stop the Docker registry: sudo docker stop so-dockerregistry
Remove the container: sudo docker rm so-dockerregistry
Run the registry state: sudo salt-call state.apply registry
2.3.0 Changes
We have a new Alerts interface for reviewing alerts and acknowledging or escalating them. Escalating creates a new case in TheHive. Please note that TheHive no longer receives alerts directly.
Kibana no longer presents the option to create alerts from events, but instead allows creation of cases from events.
Our Security Onion ISO now works for UEFI as well as Secure Boot.
Airgap deployments can now be updated using the latest ISO. Please read this documentation carefully.
Suricata has been updated to version 5.0.4.
Zeek has been updated to version 3.0.11.
Stenographer has been updated to the latest version.
soup will now attempt to clean up old docker images to free up space.
Hunt actions can be customized via hunt.actions.json.
Hunt queries can be customized via hunt.queries.json.
Hunt event fields can be customized via hunt.eventfields.json.
Alerts actions can be customized via alerts.actions.json.
Alerts queries can be customized via alerts.queries.json.
Alerts event fields can be customized via alerts.eventfields.json.
This help documentation is now viewable offline for airgap installations.
The script so-user-add will now validate the password is acceptable before attempting to create the user.
Playbook and Grafana no longer use static passwords for their admin accounts.
Analyst VM now comes with NetworkMiner 2.6 installed.
Strelka YARA matches now generate alerts that can be viewed through the Alerts interface .
2.2.0 Changes
Setup now includes an option for airgap installations
Playbook now works properly when installed in airgap mode
Added so-analyst script to create an analyst workstation with GNOME desktop, Chromium browser, Wireshark, and NetworkMiner
Upgraded Zeek to version 3.0.10 to address a recent security issue
Upgraded Docker to latest version
Re-worked IDSTools to make it easier to modify
Added so-* tools to the default path so you can now tab complete
so-status can now be run from a manager node to get the status of a remote node. Run salt <target> so.status
Salt now prevents states from running on a node that it shouldn’t so you can’t, for example, accidentally apply the elasticsearch state on a forward node
Added logic to check for Salt mine corruption and recover automatically
Collapsed Hunt filter icons and action links into a new quick action bar that will appear when a field value is clicked; actions include:
Filtering the hunt query
Pivot to PCAP
Create an alert in TheHive
Google search for the value
Analyze the value on VirusTotal.com
Fixed minor bugs in Hunt user interface relating to most-recently used queries, tooltips, and more
so-user-add now automatically adds users to Fleet and TheHive (in addition to SOC)
Introduced so-user-disable and so-user-enable commands which allow administrators to lock out users that are no longer permitted to use Security Onion
Added icon to SOC Users list representing their active or locked out status
Removed User delete action from SOC interface in favor of disabling users for audit purposes
Prune old PCAP job data from sensors once the results are streamed back to the manager node
Hunt filtering to a specific value will search across all fields instead of only the field that was originally clicked
Limiting PCAP jobs to extract at most 2GB from a sensor to avoid users accidentally requesting unreasonably large PCAP via the web interface
so-test is back - run it to easily replay PCAPs and verify that all the components are working as expected
New Elasticsearch subfield (.security) based on the new community-driven analyzer from @neu5ron - https://github.com/neu5ron/es_stk
Playbook now uses the new .security subfield for case-insensitive wildcard searches
2.1.0 Changes
Fixed an issue where the console was timing out and making it appear that the installer was hung
Introduced Import node type ideal for running so-import-pcap to import pcap files and view the resulting logs in Hunt or Kibana
Moved static.sls to global.sls to align the name with the functionality
Traffic between nodes in a distributed deployment is now fully encrypted
Playbook
Elastalert now runs active Plays every 3 minutes
Changed default rule-update config to only import Windows rules from the Sigma Community repo
Lots of bug fixes & stability improvements
Ingest Node parsing updates for Osquery and Winlogbeat - implemented single pipeline for Windows eventlogs & sysmon logs
Upgraded Osquery to 4.4 and re-enabled auto-updates
Upgraded to Salt 3001.1
Upgraded Wazuh to 3.13.1
Hunt interface now shows the timezone being used for the selected date range
Fixed Cortex initialization so that TheHive integration and initial user set is correctly configured
Improved management of TheHive/Cortex credentials
SOC now allows for arbitrary, time-bounded PCAP job creation, with optional filtering by host and port
2.0.3 Changes
Resolved an issue with large drives and the ISO install
Modified ISO installation to use Logical Volume Management (LVM) for disk partitioning
Updated Elastic Stack components to version 7.8.1
Updated Zeek to version 3.0.8
2.0.2 Changes
- Sensoroni fails on 2.0.1 ISO EVAL installation #1089
2.0.1 Changes
- Security Fix: variables.txt from ISO install stays on disk for 10 days
- Security Fix: Remove user values from static.sls
- Fix distributed deployment sensor interval issue allowing PCAP
- Support for passwords that start with special characters
Minor soup updates
2.0.0 Changes
This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond!
Re-branded 2.0 to give it a fresh look
All documentation has moved to our docs site
soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date
so-import-pcap is back! See the docs here
Fixed issue with so-features-enable
Users can now pivot to PCAP from Suricata alerts
ISO install now prompts users to create an admin/sudo user instead of using a default account name
The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
Fixed issue with disk cleanup
Changed the default permissions for /opt/so to keep non-privileged users from accessing salt and related files
Locked down access to certain SSL keys
Suricata logs now compress after they roll over
Users can now easily customize shard counts per index
Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
Elastic nodes are now “hot” by default, making it easier to add a warm node later
so-allow now runs at the end of an install so users can enable access right away
Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
1-Low / 2-Medium / 3-High / 4-Critical
Initial implementation of alerting queues:
Low & Medium alerts are accessible through Kibana & Hunt
High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
ATT&CK Navigator is now a statically-hosted site in the nginx container
Playbook
All Sigma rules in the community repo (500+) are now imported and kept up to date
Initial implementation of automated testing when a Play’s detection logic has been edited (i.e., Unit Testing)
Updated UI Theme
Once authenticated through SOC, users can now access Playbook with analyst permissions without login
Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS
Fixed issue with Wazuh authd registration service port not being correctly exposed
Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)
Added default YARA rules for Strelka – default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base
Added the ability to use custom Zeek scripts
Renamed “master server” to “manager node”
Improved unification of Zeek and Strelka file data