Release Notes

2.3.80 Changes

  • FEATURE: Ability to disable Zeek, Suricata #4429
  • FEATURE: Add docs link to Setup #5459
  • FEATURE: Add evtx support in Import Node #2206
  • FEATURE: Consolidate whiptail screens when selecting optional components #5456
  • FEATURE: Distinguish between Zeek generated syslog and normal syslog in hunt for event fields #5403
  • FEATURE: Enable index sorting to increase search speed #5287
  • FEATURE: Expose options for elasticsearch.yml via Salt pillar #1257
  • FEATURE: Role-based access control (RBAC) #5614
  • FEATURE: soup -y for automation #5043
  • FIX: Add new default filebeat module indices to the global pillar. #5526
  • FIX: all.rules file can become empty on non-airgap deployments if manager does not have access to the internet. #3619
  • FIX: Curator cron should run less often #5189
  • FIX: Improve unit test maintainability by refactoring to use Golang assertion library #5604
  • FIX: Invalid password message should also mention dollar signs are not allowed #5381
  • FIX: Max files for steno should use a pillar value for easy tuning. #5393
  • FIX: Remove raid check for official cloud appliances #5449
  • FIX: Remove watermark settings from global pillar. #5520
  • FIX: SOC Username case sensitivity #5154
  • FIX: so-user tool should validate password before adding user to SOC #5606
  • FIX: Switch to new Curator auth params #5273
  • UPGRADE: Curator to 5.8.4 #5272
  • UPGRADE: CyberChef to 9.32.2 #5158
  • UPGRADE: SOC UI 3rd Party dependencies to latest versions #5603
  • UPGRADE: Zeek to 4.0.4 #5630

2.3.70 Hotfix [WAZUH]

  • FIX: wazuh-agent is updated during setup on ISO, which causes service to fail to start #5354

2.3.70 Hotfix [GRAFANA_DASH_ALLOW]

  • FIX: Grafana state trying to create undefined dashboards #5270

2.3.70 Hotfix [CURATOR]

  • FIX: Rolled back curator change for true clustering deployments (will be fixed in next release) #5226
  • FIX: Resolved benign error repeatedly logged to telegraf log file #5195

2.3.70 Changes

  • FEATURE: Add sha.256 to suricata.fileinfo pipeline #4224
  • FEATURE: Allow for adjustment of Kibana sampleSize setting in Discover dashboard #4969
  • FEATURE: Allow for adjustment to automatic patch schedule #4985
  • FEATURE: Require SOC login before allowing users to access playbook and soctopus #4623
  • FEATURE: Scan kratos logs for anomalous login attempts #4710
  • FEATURE: Send PCAP session transcript to CyberChef #5010
  • FEATURE: Show model numbers of cloud-deployed nodes #4898
  • FEATURE: Show warning when a user attempts to use a hostname or web domain entry that is not all lowercase #4791
  • FEATURE: Simplify Grafana dashboard management and redesign dashboards #4674
  • FEATURE: so-firewall needs an option to run apply by itself #4765
  • FEATURE: so-pcap-export #4210
  • FEATURE: SOUP - Prompt user when local modifications are detected #3860
  • FIX: Add mapping to extracted file directory #4622
  • FIX: Clarify missing appliance images message on SOC grid #5118
  • FIX: Curator should only run on manager when set to use true clustering. #2806
  • FIX: Disabled user still shows as active in GUI #5055
  • FIX: Disallow blank passwords during ISO first stage setup (kickstart) #4947
  • FIX: Disallow ctrl-c during the first stage of ISO setup #4948
  • FIX: Improve raid failure detection on SOS Appliances #5064
  • FIX: Improve verbiage for initial IPv4 prompt and so-allow prompt #5138
  • FIX: Jinja the stream.reassembly.depth value in the Suricata defaults.yaml file #4293
  • FIX: Remove so-elastic-features. #4542
  • FIX: SOC login page missing the hide/show password icons #5087
  • FIX: Wazuh data ingest error: data.port #3988

2.3.61 Hotfix [STENO, MSEARCH]

  • FIX: Some browsers refuse to load SOC UI due to CSP blocking wss: protocol #4938
  • FIX: Disabling steno raises errors when applying state.highstate / running soup update #4922
  • FIX: Manager Search does not come up properly with true clustering enabled #4971

2.3.61 Changes

  • FIX: Airgap link to Release Notes #4685
  • FIX: CyberChef unable to load due to recent Content Security Policy restrictions #4885
  • FIX: Suricata dns.response.code needs to be renamed to dns.response.code_name #4770
  • UPGRADE: alpine 3.12.1 to latest for Fleet image #4823
  • UPGRADE: Elastic 7.13.4 #4730
  • UPGRADE: Zeek 4.0.3 #4716

2.3.60 Hotfix [ECSFIX, HEAVYNODE, FBPIPELINE, CURATORAUTH] Changes

  • FIX: Curator’s authentication to Elasticsearch was incorrectly configured for the version currently in use.
  • FIX: Some logs from Filebeat were not being properly routed to the correct pipeline causing the log to fill up the disk.
  • FEATURE: All hotfixes going forward will have an ISO so that airgap users can follow the standard soup process as they would for normal releases.
  • FIX: Hotfix to revert Strelka and Wazuh Elastic Common Schema (ECS) changes that weren’t intended for 2.3.60.
  • FIX: Correct SSL certificate common name (CN) to match heavy node hostnames. Only applicable to grids with heavy nodes. May require manual restart of Redis, Elasticsearch, Filebeat, and Logstash containers (in that order), once the heavy nodes have succeeded in applying highstate. For more information see the related blog post at https://blog.securityonion.net/2021/07/security-onion-2360-heavy-node-hotfix.html

2.3.60 Changes

  • FEATURE: Ability to change default SOC timezone instead of using browser’s timezone #4261
  • FEATURE: Add SOC database to the backups #3748
  • FEATURE: Add so-elasticsearch-query tool #4437
  • FEATURE: Create a new Quick Drilldown option in SOC #4469
  • FEATURE: Display Security Onion version number in so-setup #3348
  • FEATURE: Elastic Auth #1423
  • FEATURE: Implement retention policy for InfluxDB #3264
  • FEATURE: New Grafana dashboards for InfluxDB RPs #4609
  • FEATURE: Pillarize Filebeat Modules #3859
  • FEATURE: Pivot from Alerts/Hunt to CyberChef #4081
  • FEATURE: Pivot from SOC PCAP to CyberChef #1596
  • FEATURE: Support adjustable SOC session timeout #4586
  • FIX: Add a prompt when soup requires the path or cdrom device to be input #3551
  • FIX: Add event_data to Elasticsearch template(s) #4012
  • FIX: Allow for spaces in password on kickstart script (ISO) #1079
  • FIX: Change Acknowledge, Escalate, and expandEvent buttons from title to tooltip #4497
  • FIX: Disallow so-suricata-start from running on the manager node #2977
  • FIX: Ensure fixed PCAP files are readable by Suricata during so-import-pcap execution #4636
  • FIX: Fail curl requests if the remote server responds with a failing status code #4266
  • FIX: Implement error handling for soup #3220
  • FIX: Improve PCAP job lookup performance by providing a tighter time range #4320
  • FIX: Improve administrative username password prompt to prevent backspacing into text (ISO) #3099
  • FIX: Improve soup for older installs #4617
  • FIX: Include secure HTTP headers in nginx responses #4267
  • FIX: Increase default search and proxy timeouts to 5 minutes #4321
  • FIX: OS passwords including special characters like $ and ! #4249
  • FIX: Prevent highstate failure during soup #3559
  • FIX: Prevent so-thehive-cortex from continuing to build if an issue is encountered installing Python packages #4032
  • FIX: Setup should not prompt for node description when running import or eval #4004
  • FIX: Trying to delete old pcap job results in error #4528
  • FIX: Websocket session cleanup overly aggressive #4598
  • FIX: so-user should support spaces in passwords for Fleet and TheHive users #4460
  • FIX: zeek leaving post-terminate crash logs on every shutdown #4461
  • UPGRADE: Elastic to 7.13 #4313
  • UPGRADE: Kratos to 0.6.3-alpha.1 #4282
  • UPGRADE: Redmine 4.2 (For Playbook) #4159
  • UPGRADE: Suricata 6.0.3 #4661

2.3.52 Changes

  • FIX: packetloss.sh can cause Zeek to segfault #4398
  • FIX: soup now generates repo tarball with correct folder structure #4368
  • UPGRADE: Zeek 4.0.2 #4395

2.3.51 Changes

  • FIX: Mixed case sensor hostnames lead to incomplete PCAP jobs #4220
  • FIX: Reconcile InfluxDB/Grafana containers in certain setup modes #4207
  • FIX: Turn down log level for Salt States and Zeek #4231
  • FIX: Correct downloaded PCAP filename #4234
  • FIX: Truncate /root/wait_for_web_response.log before each wait invocation #4247

2.3.50 Changes

  • FEATURE: Add EPS Stats for Filebeat #3872
  • FEATURE: Add copy-to-clipboard quick action menu option for copying a single field and value as ‘field:value’ #3937
  • FEATURE: Add raid and so-status monitoring to SOC grid page #3584
  • FEATURE: Add so-status to telegraf script executions and return a value #3582
  • FEATURE: Add zeekctl wrapper script #3441
  • FEATURE: Allow users to set an optional description for the node during setup #2404
  • FEATURE: Initial implementation of enhanced websocket management #3691
  • FEATURE: Combine proxy + package update questions into one menu #3807
  • FEATURE: Configure NTP in Setup #3053
  • FEATURE: Logstash pipeline stats wrapper #3531
  • FEATURE: Need a way to have Hunt/Alerts perform groupbys that can optionally include events that don’t have a match for a group #2347
  • FEATURE: Osquery WEL - Differentiate between Event & Ingest Timestamp #3858
  • FEATURE: Provide customizable Login page banner content using markdown format #3659
  • FEATURE: Provide customizable Overview tab content using markdown format #3601
  • FEATURE: Redirect expired login form back to login page instead of showing error #3690
  • FEATURE: Redirect to login when session expires #3222
  • FEATURE: Show final selected options menu at the end of install #3197
  • FEATURE: Show node and overall grid EPS on Grid Page #3823
  • FEATURE: Telegraf should check for additional metrics if it is running on an appliance #2716
  • FEATURE: VIM YAML Syntax Highlighting #3966
  • FEATURE: allow for salt-minion start to be delayed on system start #3543
  • FEATURE: check manager services (salt-master, so-status) during setup on a node #1978
  • FEATURE: soup should check for OS updates #3489
  • FIX: Alerts Total Found value should update when acknowledging or escalating #2494
  • FIX: Alerts severity sort order #1741
  • FIX: Change bro packet loss to be once per 2 minutes vs 30s #3583
  • FIX: Check Zeek index close and delete settings for existing deployments #3575
  • FIX: Firewall rules added via pillar only apply to the last hostgroup of the defined chain #3709
  • FIX: Hunt not properly escaping special characters in Windows sysmon logs. #3648
  • FIX: Hunt query for HTTP EXE downloads should work for both Zeek and Suricata #3753
  • FIX: Incorrect retry syntax in CA and SSL states #3948
  • FIX: Playbook Alert/Hunt showing incorrect timestamp #2071
  • FIX: Properly handle unauthorized responses during API requests from SOC app #2908
  • FIX: Reformat date/time on Grid and PCAP pages to enable sorting #2686
  • FIX: Rename Fleet link in SOC to FleetDM #3569
  • FIX: Suricata compress script should send its output to /dev/null #3917
  • FIX: Suricata cpu-affinity not being set if suriprocs is defined in minion pillar file. #3926
  • FIX: TheHive Case Creation from Kibana Failure #3870
  • FIX: WEL Shipping via Wazuh broken #3857
  • FIX: Zeek Intel not working #3850
  • FIX: ingest.timestamp should be date type #3629
  • FIX: nmcli error during setup on Ubuntu + AMI #3598
  • FIX: salt upgrade failure with versionlock #3501
  • FIX: setup tries to connect to url used for proxy test even if the user chooses not to set one up #3784
  • FIX: so-playbook-sync should only have one instance running #3568
  • FIX: so-ssh-harden needs improvement #3600
  • FIX: soup does not update /etc/soversion on distributed nodes #3602
  • UPGRADE: Elastalert to 0.2.4-alt3 #3947
  • UPGRADE: Salt 3003 #3854
  • UPGRADE: Upgrade Grafana to 7.5.4 #3916
  • UPGRADE: Upgrade external dependencies used by SOC #3545

2.3.50 Known Issues

2.3.40 Changes

  • FEATURE: Add option for HTTP Method Specification/POST to Hunt/Alerts Actions #2904
  • FEATURE: Add option to configure proxy for various tools used during setup + persist the proxy configuration #529
  • FEATURE: Alerts/Hunt - Provide method for base64-encoding pivot value #1749
  • FEATURE: Allow users to customize links in SOC #1248
  • FEATURE: Display user who requested PCAP in SOC #2775
  • FEATURE: Make SOC browser app connection timeouts adjustable #2408
  • FEATURE: Move to FleetDM #3483
  • FEATURE: Reduce field cache expiration from 1d to 5m, and expose value as a salt pillar #3537
  • FEATURE: Refactor docker_clean salt state to use loop w/ inspection instead of hardcoded image list #3113
  • FEATURE: Run so-ssh-harden during setup #1932
  • FEATURE: SOC should only display links to tools that are enabled #1643
  • FEATURE: Update Sigmac Osquery Field Mappings #3137
  • FEATURE: User must accept the Elastic licence during setup #3233
  • FEATURE: soup should output more guidance for distributed deployments at the end #3340
  • FEATURE: soup should provide some initial information and then prompt the user to continue #3486
  • FIX: Add cronjob for so-suricata-eve-clean script #3515
  • FIX: Change Elasticsearch heap formula #1686
  • FIX: Create a post install version loop in soup #3102
  • FIX: Custom Kibana settings are not being applied properly on upgrades #3254
  • FIX: Hunt query issues with quotes #3320
  • FIX: IP Addresses don’t work with .security #3327
  • FIX: Improve DHCP leases query in Hunt #3395
  • FIX: Improve Setup verbiage #3422
  • FIX: Improve Suricata DHCP logging and parsing #3397
  • FIX: Keep RELATED,ESTABLISHED rules at the top of iptables chains #3288
  • FIX: Populate http.status_message field #3408
  • FIX: Remove “types removal” deprecation messages from elastic log. #3345
  • FIX: Reword + fix formatting on ES data storage prompt #3205
  • FIX: SMTP should read SNMP on Kibana SNMP view #3413
  • FIX: Sensors can temporarily show offline while processing large PCAP jobs #3279
  • FIX: Soup should log to the screen as well as to a file #3467
  • FIX: Strelka port 57314 not immediately relinquished upon restart #3457
  • FIX: Switch SOC to pull from fieldcaps API due to field caching changes in Kibana 7.11 #3502
  • FIX: Syntax error in /etc/sysctl.d/99-reserved-ports.conf #3308
  • FIX: Telegraf hardcoded to use https and is not aware of elasticsearch features #2061
  • FIX: Zeek Index Close and Delete Count for curator #3274
  • FIX: so-cortex-user-add and so-cortex-user-enable use wrong pillar value for api key #3388
  • FIX: so-rule does not completely apply change #3289
  • FIX: soup should recheck disk space after it tries to clean up. #3235
  • UPGRADE: Elastic 7.11.2 #3389
  • UPGRADE: Suricata 6.0.2 #3217
  • UPGRADE: Zeek 4 #3216
  • UPGRADE: Zeek container to use Python 3 #1113
  • UPGRADE: docker-ce to latest #3493

2.3.40 Known Issues

2.3.30 Changes

  • Zeek is now at version 3.0.13.
  • CyberChef is now at version 9.27.2.
  • Elastic components are now at version 7.10.2. This is the last version that uses the Apache license.
  • Suricata is now at version 6.0.1.
  • Salt is now at version 3002.5.
  • Suricata metadata parsing is now vastly improved.
  • If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types here: https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/extraction.rules
  • It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples here: https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/filters.rules
  • The Kratos docker container will now perform DNS lookups locally before reaching out to the network DNS provider.
  • Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces.
  • so-sensor-clean will no longer spawn multiple instances.
  • Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting.
  • Fixed a security issue where the backup directory had improper file permissions.
  • The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days.
  • Strelka logs are now being rotated properly.
  • Elastalert can now be customized via a pillar.
  • Introduced new script so-monitor-add that allows the user to easily add interfaces to the bond for monitoring.
  • Setup now validates all user input fields to give up-front feedback if an entered value is invalid.
  • There have been several changes to improve install reliability. Many install steps have had their validation processes reworked to ensure that required tasks have been completed before moving on to the next step of the install.
  • Users are now warned if they try to set “securityonion” as their hostname.
  • The ISO should now identify xvda and nvme devices as install targets.
  • At the end of the first stage of the ISO setup, the ISO device should properly unmount and eject.
  • The text selection of choosing Suricata vs Zeek for metadata is now more descriptive.
  • The logic for properly setting the LOG_SIZE_LIMIT variable has been improved.
  • When installing on Ubuntu, Setup will now wait for cloud init to complete before trying to start the install of packages.
  • The firewall state runs considerably faster now.
  • ICMP timestamps are now disabled.
  • Copyright dates on all Security Onion specific files have been updated.
  • so-tcpreplay (and indirectly so-test) should now work properly.
  • The Zeek packet loss script is now more accurate.
  • Grafana now includes an estimated EPS graph for events ingested on the manager.
  • Updated Elastalert to release 0.2.4-alt2 based on the https://github.com/jertel/elastalert alt branch.
  • Pivots from Alerts/Hunts to action links will properly URI encode values.
  • Hunt timeline graph will properly scale the data point interval based on the search date range.
  • Grid interface will properly show “Search” as the node type instead of “so-node”.
  • Import node now supports airgap environments.
  • The so-mysql container will now show “healthy” when viewing the docker ps output.
  • The Soctopus configuration now uses private IPs instead of public IPs, allowing network communications to succeed within the grid.
  • The Correlate action in Hunt now groups the OR filters together to ensure subsequent user-added filters are correctly ANDed to the entire OR group.
  • Add support to so-firewall script to display existing port groups and host groups.
  • Hive init during Setup will now properly check for a running ES instance and will retry connectivity checks to TheHive before proceeding.
  • Changes to the .security analyzer yields more accurate query results when using Playbook.
  • Several Hunt queries have been updated.
  • The pfSense firewall log parser has been updated to improve compatibility.
  • Kibana dashboard hyperlinks have been updated for faster navigation.
  • Added a new so-rule script to make it easier to disable, enable, and modify SIDs.
  • ISO now gives the option to just configure the network during setup.

2.3.30 Known Issues

2.3.21 Changes

  • soup has been refactored. You will need to run it a few times to get all the changes properly. We are working on making this even easier for future releases.
  • soup now has awareness of Elastic Features and now downloads the appropriate Docker containers.
  • The Sensors interface has been renamed to Grid. This interface now includes all Security Onion nodes.
  • Grid interface now includes the status of the node. The status currently shows either Online (blue) or Offline (orange). If a node does not check in on time, it will be marked as Offline.
  • Grid interface now includes the IP and Role of each node in the grid.
  • Grid interface includes a new Filter search input to filter the visible list of grid nodes to a desired subset. As an example, typing in “sensor” will hide all nodes except those that behave as a sensor.
  • The Grid description field can now be customized via the local minion pillar file for each node.
  • SOC will now draw attention to an unhealthy situation within the grid or with the connection between the user’s browser and the manager node. For example, when the Grid has at least one Offline node, the SOC interface will show an exclamation mark in front of the browser tab’s title and an exclamation mark next to the Grid menu option in SOC. Additionally, the favicon will show an orange marker in the top-right corner (dynamic favicons are not supported in Safari). If the user’s web browser is unable to communicate with the manager, the same unhealthy indicators appear along with a message at the top of SOC stating that there is a connection problem.
  • Docker has been upgraded to the latest version.
  • Docker should be more reliable now as Salt is now managing daemon.json.
  • You can now install Elastic in a traditional cluster. When setting up the manager select Advanced and follow the prompts. Replicas are controlled in global.sls.
  • You can now use Hot and Warm routing with Elastic in a traditional cluster. You can change the box.type in the minion’s sls file. You will need to create a curator job to re-tag the indexes based on your criteria.
  • Telegraf has been updated to version 1.16.3.
  • Grafana has been updated to 7.3.4 to resolve some XSS vulnerabilities.
  • Grafana panels have been changed from gauges to graphs so that alerting can be set up.
  • Grafana is now completely pillarized, allowing users to customize alerts and making it customizable for email, Slack, etc. See the docs here: https://securityonion.net/docs/grafana
  • Yara rules now should properly install on non-airgap installs. Previously, users had to wait for an automated job to place them in the correct location.
  • Strelka backend will not stop itself any more. Previously, its behavior was to shut itself down after fifteen minutes and wait for Salt to restart it to look for work before shutting down again.
  • Strelka daily rule updates are now logged to /nsm/strelka/log/yara-update.log
  • Several changes to the setup script to improve install reliability.
  • Airgap now supports the import node type.
  • Custom Zeek file extraction values in the pillar now work properly.
  • TheHive has been updated to support Elastic 7.
  • Cortex image now includes whois package to correct an issue with the CERTatPassiveDNS analyzer.
  • Hunt and Alert quick action menu has been refactored into submenus.
  • New clipboard quick actions now allow for copying fields or entire events to the clipboard.
  • PCAP Add Job form now retains previous job details for quickly adding additional jobs. A new Clear button now exists at the bottom of this form to clear out these fields and forget the previous job details.
  • PCAP Add Job form now allows users to perform arbitrary PCAP lookups of imported PCAP data (data imported via the so-import-pcap script).
  • Downloads page now allows direct download of Wazuh agents for Linux, Mac, and Windows from the manager, and shows the version of Wazuh and Elastic installed with Security Onion.
  • PCAP job interface now shows additional job filter criteria when expanding the job filter details.
  • Upgraded authentication backend to Kratos 0.5.5.
  • SOC tables with the “Rows per Page” dropdown no longer show truncated page counts.
  • Several Hunt errors are now more descriptive, particularly those around malformed queries.
  • SOC Error banner has been improved to avoid showing raw HTML syntax, making connection and server-side errors more readable.
  • Hunt and Alerts interfaces will now allow pivoting to PCAP from a group of results if the grouped results contain a network.community_id field.
  • New “Correlate” quick action will pivot to a new Hunt search for all events that can be correlated by at least one of various event IDs.
  • Fixed bug that caused some Hunt queries to not group correctly without a .keyword suffix. This has been corrected so that the .keyword suffix is no longer necessary on those groupby terms.
  • Fixed issue where PCAP interface loses formatting and color coding when opening multiple PCAP tabs.
  • Alerts interface now has a Refresh button that allows users to refresh the current alerts view without refreshing the entire SOC application.
  • Hunt and Alerts interfaces now have an auto-refresh dropdown that will automatically refresh the current view at the selected frequency.
  • The so-elastalert-test script has been refactored to work with Security Onion 2.3.
  • The included Logstash image now includes Kafka plugins.
  • Wazuh agent registration process has been improved to support slower hardware and networks.
  • An Elasticsearch ingest pipeline has been added for suricata.ftp_data.
  • Elasticsearch’s indices.query.bool.max_clause_count value has been increased to accommodate a slightly larger number of fields (1024 -> 1500) when querying using a wildcard.
  • On nodes being added to an existing grid, setup will compare the version currently being installed to the manager (>=2.3.20), pull the correct Security Onion version from the manager if there is a mismatch, and run that version.
  • Setup will gather any errors found during a failed install into /root/errors.log for easy copy/paste and debugging.
  • Selecting Suricata as the metadata engine no longer results in the install failing.
  • so-rule-update now accepts arguments to idstools. For example, so-rule-update -f will force idstools to pull rules, ignoring the default 15-minute pull limit.

2.3.10 Changes

  • UEFI installs with multiple disks should work as intended now.
  • Telegraf scripts will now make sure they are not already running before execution.
  • You are now prompted during setup if you want to change the docker IP range. If you change this it needs to be the same on all nodes in the grid.
  • Soup will now download the new containers before stopping anything. If anything fails it will now exit and leave the grid at the current version.
  • All containers are now hosted on quay.io to prevent pull limitations. We are now using GPG keys to determine if the image is from Security Onion.
  • Osquery installers have been updated to osquery 4.5.1.
  • Fix for bug where Playbook was not removing the Elastalert rules for inactive Plays.
  • Exifdata reported by Strelka is now constrained to a single multi-valued field to prevent mapping explosion (scan.exiftool).
  • Resolved issue with Navigator layer(s) not loading correctly.
  • Wazuh authd is now started by default on port 1515/tcp.
  • Wazuh API default credentials are now removed after setup. Scripts have been added for API user management.
  • Upgraded Salt to 3002.2 due to CVEs.
  • If salt-minion is unable to apply states after the defined threshold, we assume salt-minion is in a bad state and the salt-minion service will be restarted.
  • Fixed bug that prevented mysql from installing for Fleet if Playbook wasn’t also installed.
  • so-status will now show STARTING or WAIT_START, instead of ERROR, if so-status is run before a salt highstate has started or finished for the first time after system startup.
  • Stenographer can now be disabled on a sensor node by setting the pillar steno:enabled:false in its minion.sls file, or globally if set in the global.sls file.
  • Added so-ssh-harden script that runs the commands listed in SSH.
  • NGINX now redirects the browser to the hostname/IP address/FQDN based on global:url_base.
  • MySQL state now waits for the MySQL server to respond to a query before completing.
  • Added Analyst option to network installs.
  • Acknowledging (and Escalating) alerts did not consistently remove the alert from the visible list; this has been corrected.
  • Escalating alerts that have a rule.case_template field defined will automatically assign that case template to the case generated in TheHive.
  • Alerts and Hunt interface quick action bar has been converted into a vertical menu to improve quick action option clarity. Related changes also eliminated the issues that occurred when the quick action bar was appearing to the left of the visible browser area.
  • Updated Go to a newer version to fix a timezone/daylight saving time (DST) issue that resulted in the Alerts and Hunt interfaces not consistently showing results.
  • Improved Hunt and Alert table sorting.
  • Alerts interface now allows absolute time searches.
  • Alerts interface ‘Hunt’ quick action is now working as intended.
  • Alerts interface ‘Ack’ icon tooltip has been changed from ‘Dismiss’ to ‘Acknowledge’ for consistency.
  • Hunt interface bar charts will now show the quick action menu when clicked instead of assuming the click was intended to add an include filter.
  • Hunt interface quick action will now cast a wider net on field searches.
  • Now explicitly preventing the use of a dollar sign ($) character in web user passwords during setup.
  • Cortex container will now restart properly if the SO host was not gracefully shutdown.
  • Added syslog plugin to the logstash container; this is not in-use by default but available for those users that choose to use it.
  • Winlogbeat download package is now available from the SOC Downloads interface.
  • Upgraded Kratos authentication system.
  • Added new Reset Defaults button to the SOC Profile Settings interface which allows users to reset all local browser SOC customizations back to their defaults. This includes things like default sort column, sort order, items per page, etc.

2.3.10 Known Issues

  • For Ubuntu non-master nodes, you may need to ssh to each node and run salt-call state.highstate in order to initiate the update. To verify whether this needs to be done on remote nodes, run salt \* pkg.version salt-minion from the master 30 minutes after the initial soup update. If a node does not return that it is running Salt 3002.2, then that node will need to be manually highstated locally to complete the update.
  • During soup, you may see the following during the first highstate run; it can be ignored: Rendering SLS '<some_sls_here>' failed: Jinja variable 'list object' has no attribute 'values'. The second highstate will complete without that error.
  • During install or soup, there is a false positive failure condition that can occur. It is caused by the message [ERROR   ] Failed to add job <job_name> to schedule. This error indicates that Salt was unable to add a job to a schedule. If you see this in the setup or soup log, you can confirm whether it is a false positive by running salt-call schedule.list on the node that saw the error. If the job isn’t in the schedule list, run salt-call state.highstate and check whether the job was added after it completes.
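The version check described in the first known issue above can be scripted rather than read by eye. The following is an added example, not a script shipped with Security Onion: it takes the output of `salt \* pkg.version salt-minion` on stdin and prints every minion that did not report the expected version (including minions that did not respond at all, which is exactly the case that needs a local highstate). The minion names and the sample output are constructed.

```sh
#!/bin/sh
# Added example (not part of Security Onion): list minions whose salt-minion
# package version does not match what soup expects after the 2.3.10 upgrade.
#
# Expected input format (output of: salt \* pkg.version salt-minion):
#   minion-id:
#       3002.2
# A minion that did not answer shows up as:
#   minion-id:
#       Minion did not return. [No response]
EXPECTED_SALT_VERSION="3002.2"

# find_stale_minions EXPECTED  (reads salt output on stdin)
# Prints one minion id per line for each minion whose indented value line is
# not exactly EXPECTED, and for each minion id with no value line at all.
find_stale_minions() {
    awk -v want="$1" '
        # Minion id line: starts in column 0 and ends with a colon.
        /^[^ \t].*:$/ {
            if (id != "" && !seen) print id   # previous minion had no value line
            id = $0; sub(/:$/, "", id); seen = 0; next
        }
        # Indented value line belonging to the current minion.
        /^[ \t]/ && id != "" {
            seen = 1
            if ($1 != want) print id          # version mismatch or error text
        }
        END { if (id != "" && !seen) print id }
    '
}

# Constructed sample output for a three-node grid (hypothetical minion ids):
# the manager is current, sensor1 is behind, search1 did not respond.
SAMPLE_OUTPUT='manager:
    3002.2
sensor1:
    3001.1
search1:
    Minion did not return. [No response]'

# Stand-alone run: prints the minions that still need a local highstate.
printf '%s\n' "$SAMPLE_OUTPUT" | find_stale_minions "$EXPECTED_SALT_VERSION"
```

On a live master, pipe the real command into the function instead of the sample: `salt \* pkg.version salt-minion | find_stale_minions 3002.2`.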

2.3.2 Changes

  • Elastic components have been upgraded to 7.9.3.
  • Fixed an issue where curator was unable to delete a closed index.
  • Cheat sheet is now available for airgap installs.

2.3.1 Changes

  • Fixed a SOC issue in airgap mode that was preventing people from logging in.
  • Downloading Elastic features images will now download the correct images.
  • Winlogbeat download no longer requires Internet access.
  • Adjusted Alerts quick action bar to allow searching for a specific value while remaining in Alerts view.
  • /nsm will properly display disk usage on the standalone Grafana dashboard.
  • The manager node now has syslog listener enabled by default (you’ll still need to allow syslog traffic through the firewall of course).
  • Fixed an issue when creating host groups with so-firewall.

2.3.1 Known Issues

  • It is still possible to update your grid from any release candidate to 2.3. However, if you have a true production deployment, then we recommend a fresh image and install for best results.
  • In 2.3.0 we made some changes to data types in the elastic index templates. This will cause some errors in Kibana around field conflicts. You can address this in 2 ways:
  • Please be patient as we update our documentation. We have made a concerted effort to update as much as possible but some things may still be incorrect or omitted. If you have questions or feedback, please start a discussion at https://securityonion.net/discuss.
  • Once you update your grid to 2.3, any new nodes that join the grid must be 2.3 so if you try to join an older node it will fail. For best results, use the latest 2.3 ISO (or 2.3 installer from github) when joining to a 2.3 grid.
  • Shipping Windows Eventlogs with Osquery will fail intermittently with utf8 errors logged in the Application log. This is scheduled to be fixed in Osquery 4.5.
  • When running soup to upgrade from older versions to 2.3, there is a Salt error that may occur during the final highstate. This error is related to the patch_os_schedule and can be ignored as it should not occur again in subsequent highstates.
  • When Search Nodes are upgraded from older versions to 2.3, there is a chance of a race condition where certificates are missing. This will show errors in the manager log to the remote node. To fix this run the following on the search node that is having the issue:
    • Stop elasticsearch - sudo so-elasticsearch-stop
    • Run the SSL state - sudo salt-call state.apply ssl
    • Restart elasticsearch - sudo so-elasticsearch-restart
  • If you are upgrading from RC1 you might see errors around registry:2 missing. This error does not break the actual upgrade. To fix, run the following on the manager:
    • Stop the Docker registry - sudo docker stop so-dockerregistry
    • Remove the container - sudo docker rm so-dockerregistry
    • Run the registry state - sudo salt-call state.apply registry

2.3.0 Changes

  • We have a new Alerts interface for reviewing alerts and acknowledging or escalating them. Escalating creates a new case in TheHive. Please note that TheHive no longer receives alerts directly.
  • Kibana no longer presents the option to create alerts from events, but instead allows creation of cases from events.
  • Our Security Onion ISO now works for UEFI as well as Secure Boot.
  • Airgap deployments can now be updated using the latest ISO. Please read this documentation carefully.
  • Suricata has been updated to version 5.0.4.
  • Zeek has been updated to version 3.0.11.
  • Stenographer has been updated to the latest version.
  • soup will now attempt to clean up old docker images to free up space.
  • Hunt actions can be customized via hunt.actions.json.
  • Hunt queries can be customized via hunt.queries.json.
  • Hunt event fields can be customized via hunt.eventfields.json.
  • Alerts actions can be customized via alerts.actions.json.
  • Alerts queries can be customized via alerts.queries.json.
  • Alerts event fields can be customized via alerts.eventfields.json.
  • This help documentation is now viewable offline for airgap installations.
  • The script so-user-add will now validate the password is acceptable before attempting to create the user.
  • Playbook and Grafana no longer use static passwords for their admin accounts.
  • Analyst VM now comes with NetworkMiner 2.6 installed.
  • Strelka YARA matches now generate alerts that can be viewed through the Alerts interface.

2.2.0 Changes

  • Setup now includes an option for airgap installations
  • Playbook now works properly when installed in airgap mode
  • Added so-analyst script to create an analyst workstation with GNOME desktop, Chromium browser, Wireshark, and NetworkMiner
  • Upgraded Zeek to version 3.0.10 to address a recent security issue
  • Upgraded Docker to latest version
  • Re-worked IDSTools to make it easier to modify
  • Added so-* tools to the default path so you can now tab complete
  • so-status can now be run from a manager node to get the status of a remote node. Run salt <target> so.status
  • Salt now prevents states from running on a node that it shouldn’t so you can’t, for example, accidentally apply the elasticsearch state on a forward node
  • Added logic to check for Salt mine corruption and recover automatically
  • Collapsed Hunt filter icons and action links into a new quick action bar that will appear when a field value is clicked; actions include:
    • Filtering the hunt query
    • Pivot to PCAP
    • Create an alert in TheHive
    • Google search for the value
    • Analyze the value on VirusTotal.com
  • Fixed minor bugs in Hunt user interface relating to most-recently used queries, tooltips, and more
  • so-user-add now automatically adds users to Fleet and TheHive (in addition to SOC)
  • Introduced so-user-disable and so-user-enable commands, which allow administrators to lock out users that are no longer permitted to use Security Onion
  • Added icon to SOC Users list representing their active or locked out status
  • Removed User delete action from SOC interface in favor of disabling users for audit purposes
  • Prune old PCAP job data from sensors once the results are streamed back to the manager node
  • Hunt filtering to a specific value will search across all fields instead of only the field that was originally clicked
  • Limiting PCAP jobs to extract at most 2GB from a sensor to avoid users accidentally requesting unreasonably large PCAP via the web interface
  • so-test is back - run it to easily replay PCAPs and verify that all the components are working as expected
  • New Elasticsearch subfield (.security) based on the new community-driven analyzer from @neu5ron - https://github.com/neu5ron/es_stk
  • Playbook now uses the new .security subfield for case-insensitive wildcard searches

2.1.0 Changes

  • Fixed an issue where the console was timing out and making it appear that the installer was hung
  • Introduced Import node type ideal for running so-import-pcap to import pcap files and view the resulting logs in Hunt or Kibana
  • Moved static.sls to global.sls to align the name with the functionality
  • Traffic between nodes in a distributed deployment is now fully encrypted
  • Playbook
    • Elastalert now runs active Plays every 3 minutes
    • Changed default rule-update config to only import Windows rules from the Sigma Community repo
    • Lots of bug fixes & stability improvements
  • Ingest Node parsing updates for Osquery and Winlogbeat - implemented single pipeline for Windows eventlogs & sysmon logs
  • Upgraded Osquery to 4.4 and re-enabled auto-updates
  • Upgraded to Salt 3001.1
  • Upgraded Wazuh to 3.13.1
  • Hunt interface now shows the timezone being used for the selected date range
  • Fixed Cortex initialization so that TheHive integration and initial user set is correctly configured
  • Improved management of TheHive/Cortex credentials
  • SOC now allows for arbitrary, time-bounded PCAP job creation, with optional filtering by host and port

2.0.3 Changes

  • Resolved an issue with large drives and the ISO install
  • Modified ISO installation to use Logical Volume Management (LVM) for disk partitioning
  • Updated Elastic Stack components to version 7.8.1
  • Updated Zeek to version 3.0.8

2.0.2 Changes

2.0.1 Changes

2.0.0 Changes

  • This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond!
  • Re-branded 2.0 to give it a fresh look
  • All documentation has moved to our docs site
  • soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date
  • so-import-pcap is back! See the docs here
  • Fixed issue with so-features-enable
  • Users can now pivot to PCAP from Suricata alerts
  • ISO install now prompts users to create an admin/sudo user instead of using a default account name
  • The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
  • Fixed issue with disk cleanup
  • Changed the default permissions for /opt/so to keep non-privileged users from accessing salt and related files
  • Locked down access to certain SSL keys
  • Suricata logs now compress after they roll over
  • Users can now easily customize shard counts per index
  • Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
  • Elastic nodes are now “hot” by default, making it easier to add a warm node later
  • so-allow now runs at the end of an install so users can enable access right away
  • Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
    • 1-Low / 2-Medium / 3-High / 4-Critical
  • Initial implementation of alerting queues:
    • Low & Medium alerts are accessible through Kibana & Hunt
    • High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
  • ATT&CK Navigator is now a statically-hosted site in the nginx container
  • Playbook
    • All Sigma rules in the community repo (500+) are now imported and kept up to date
    • Initial implementation of automated testing when a Play’s detection logic has been edited (i.e., Unit Testing)
    • Updated UI Theme
    • Once authenticated through SOC, users can now access Playbook with analyst permissions without login
  • Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS
  • Fixed issue with Wazuh authd registration service port not being correctly exposed
  • Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
  • Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)
  • Added default YARA rules for Strelka – default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base
  • Added the ability to use custom Zeek scripts
  • Renamed “master server” to “manager node”
  • Improved unification of Zeek and Strelka file data