Releases: Security-Onion-Solutions/securityonion
2.4.100-20240903
Download the ISO
What's Changed
- Add so-system-mappings by @weslambert in #13586
- Update HOTFIX by @weslambert in #13587
- 2.4.100 hotfix by @TOoSmOotH in #13595
- Hotfix 2.4.100 by @TOoSmOotH in #13596
Full Changelog: 2.4.100-20240829...2.4.100-20240903
2.4.100-20240829
Download the ISO
What's Changed
- Elastic 8.14.3 by @weslambert in #13347
- Update VERSION by @TOoSmOotH in #13401
- Turn off console messages by @TOoSmOotH in #13381
- Update so-rule-update by @TOoSmOotH in #13373
- Elastic 8.14.3 by @weslambert in #13402
- Provide new setting to require OTP by @jertel in #13406
- Add removed changes by @weslambert in #13407
- Fix fleet setup by @weslambert in #13408
- Fix defender winlog name change by @weslambert in #13409
- Change agent pipeline version by @weslambert in #13410
- Fix system mapping by @weslambert in #13414
- Change name for system component by @weslambert in #13418
- Salt3006.9 by @m0duspwnens in #13425
- retry up to 5 times if reposync fails by @jertel in #13429
- retry up to 5 times if reposync fails by @jertel in #13430
- Issue/13438 by @m0duspwnens in #13441
- correct firewall annotation for kafka by @reyesj2 in #13443
- Cogburn/ai summaries by @coreyogburn in #13453
- fix repo path by @jertel in #13457
- FEATURE: Add warning to soup about ssh #13466 by @dougburks in #13467
- fix issue with reset pw and mfa by @jertel in #13470
- Update SECURITY.md by @dougburks in #13473
- handle suricata network and port vars as string or list by @m0duspwnens in #13478
- Update so-elasticsearch-cluster-space-used for changes in _cat/alloca… by @dougburks in #13481
- Update column number because of changes to API by @weslambert in #13482
- Update registry version by @TOoSmOotH in #13483
- Add influxdb known error by @defensivedepth in #13487
- Ignore older SOC logs before licenseStatus field by @weslambert in #13511
- Add Tenable IO by @weslambert in #13526
- Check for endpoint package by @weslambert in #13531
- Add support for new appliance raid controllers by @TOoSmOotH in #13530
- Create detections.alerts ILM policy with corresponding name by @weslambert in #13528
- notification updates by @jertel in #13535
- FIX: Check Elasticsearch for endpoint component template before loading templates by @weslambert in #13537
- exclude all logstash errors related to license manager init log line by @jertel in #13540
- set kafka.id in common ingest pipeline by @reyesj2 in #13546
- Elastic Fleet refactoring by @defensivedepth in #13547
- Use global@custom from common pipeline by @weslambert in #13548
- FIX: Add so-soc-logs by @weslambert in #13554
- Fix policy load by @defensivedepth in #13556
- annotation updates by @jertel in #13561
- Update pipeline version for EVTX by @weslambert in #13562
- move custom alerters to subgroup; avoid false positives on log check by @jertel in #13565
- Exclude logstash startup errors by @defensivedepth in #13570
Full Changelog: 2.4.90-20240729...2.4.100-20240829
2.4.90-20240729
Download the ISO
What's Changed
- Update VERSION by @TOoSmOotH in #13260
- start soup 2.4.90 by @m0duspwnens in #13270
- Elastic 8.14.1 by @weslambert in #13271
- Revert back to 8.10.4 by @weslambert in #13275
- Issue/13073 - disable Logstash on heavynodes by @m0duspwnens in #13278
- FIX: so-rule-update airgap check by @reyesj2 in #13282
- Changes for Elastic 8.14.1 by @weslambert in #13290
- Change name to winlog.winlogs by @weslambert in #13295
- Change name for ILM by @weslambert in #13296
- Delete old user commands by @TOoSmOotH in #13299
- Elastic 8.14.2 by @weslambert in #13314
- FIX: Update MOTD #13317 by @dougburks in #13318
- FIX: Update SOC MOTD #13320 by @dougburks in #13321
- Elastic 8.14.2 by @weslambert in #13316
- Change pipeline version for agent by @weslambert in #13323
- FIX: Kafka configuration updates by @reyesj2 in #13335
- force var to be list of string by @m0duspwnens in #13340
- Revert "Elastic 8.14.2" by @weslambert in #13342
- Revert "Change pipeline version for agent" by @weslambert in #13341
- FEATURE: Add new action to SOC Actions list to allow users to more easily add their own actions #13346 by @dougburks in #13348
- New Config Values for Detections Bulk Indexer by @coreyogburn in #13349
- fix custom indices by @m0duspwnens in #13353
- Kafka influxdb metrics & pillar update by @reyesj2 in #13350
- Exclude policy phases if not defined in defaults by @m0duspwnens in #13355
- kafka soup pillar by @reyesj2 in #13363
- Cogburn/suricata regex support by @coreyogburn in #13365
- fix kafka-logstash cert for searchnodes by @reyesj2 in #13368
- remove unused test parameters from setup by @jertel in #13374
- 2.4.90 by @TOoSmOotH in #13390
- so-detection refresh_interval => 1s by @coreyogburn in #13392
Full Changelog: 2.4.80-20240624...2.4.90-20240729
2.4.80-20240624
Download the ISO
What's Changed
- Remove references to kafkanode by @reyesj2 in #12792
- Update VERSION by @TOoSmOotH in #13093
- Separate Suricata alerts into a specific data stream by @weslambert in #13101
- Salt3006.8 by @m0duspwnens in #13103
- Added TemplateDetections To Detection ClientParams by @coreyogburn in #13107
- Add templates for .items and .lists indices by @weslambert in #13117
- salt 3006.6 by @m0duspwnens in #13129
- so-tcpreplay now runs if manager is offline by @m0duspwnens in #13134
- move so-tcpreplay from common state to sensor state by @m0duspwnens in #13141
- add ability to retrieve yaml values via so-yaml.py; improve so-minion id matching by @jertel in #13150
- Update soc_suricata.yaml by @TOoSmOotH in #13156
- SOC Proxy Setting by @coreyogburn in #13154
- AdditionalCA and InsecureSkipVerify by @coreyogburn in #13164
- Update defaults.yaml by @TOoSmOotH in #13165
- fix elastic templates not loading due to global_override phases by @m0duspwnens in #13162
- gracefully handle missing parent key by @jertel in #13170
- correct placement of error check override by @jertel in #13171
- upgrade docker by @m0duspwnens in #13182
- Add new bind - suricata all.rules by @defensivedepth in #13179
- remove this \n by @m0duspwnens in #13189
- Fix unnecessary escaping by @coreyogburn in #13183
- Update DOWNLOAD_AND_VERIFY_ISO.md by @dougburks in #13197
- Initial Kafka support by @reyesj2 in #13190
- Fixes for Kafka nodeid assignment and ssl cert generation by @reyesj2 in #13200
- Only comment out so-kafka from so-status when it exists & only run en… by @reyesj2 in #13204
- Initial support for custom suricata urls and local rulesets by @defensivedepth in #13205
- Update rule templates by @defensivedepth in #13208
- Standalone logstash error by @reyesj2 in #13207
- Fix errors on new installs by @reyesj2 in #13209
- FEATURE: Add more links and descriptions to SOC MOTD #13216 by @dougburks in #13217
- suppress fleet policy update in soup by @reyesj2 in #13221
- Update defaults by @defensivedepth in #13223
- update profile by @reyesj2 in #13222
- FEATURE: Add new Process actions #13226 by @dougburks in #13227
- update kafka output policy only on eligible grid types by @reyesj2 in #13231
- fix ca mine_function by @m0duspwnens in #13233
- update receiver node allowed states by @reyesj2 in #13234
- Added license presets to defaults.yaml file by @mc-wright in #13236
- Update defaults.yaml to put Process actions in logical order by @dougburks in #13239
- update kafka annotations by @reyesj2 in #13242
- Update soc_manager.yaml by @TOoSmOotH in #13244
- Add option for detections without a license by @weslambert in #13246
- Fix soup for proxy servers by @TOoSmOotH in #13245
- FIX: update firewall defaults by @reyesj2 in #13251
- Remove unused sbin_jinja for kafka by @reyesj2 in #13253
- 2.4.80 by @TOoSmOotH in #13254
- Fix git by @TOoSmOotH in #13256
- Update .gitleaks.toml by @TOoSmOotH in #13259
- 2.4.80 by @TOoSmOotH in #13255
New Contributors
- @mc-wright made their first contribution in #13236
Full Changelog: 2.4.70-20240529...2.4.80-20240625
2.4.70-20240529
Download the ISO
https://download.securityonion.net/file/securityonion/securityonion-2.4.70-20240529.iso
What's Changed
- Update VERSION by @TOoSmOotH in #12619
- reschedule close/lock jobs by @jertel in #12601
- FIX: Annotations for BPF and Suricata PCAP #12626 by @dougburks in #12627
- Change Detections defaults by @defensivedepth in #12611
- Remove temp YARA by @weslambert in #12632
- FEATURE: Add Events column layout for event.module system #12628 by @dougburks in #12634
- disregard benign telegraf error by @jertel in #12638
- FEATURE: Add event.dataset to all Events column layouts #12641 by @dougburks in #12642
- FIX: Specify that static IP address is recommended #12643 by @dougburks in #12644
- Update ElastAlert Config with Default Repos by @coreyogburn in #12640
- FIX: http.response.status_code by @weslambert in #12650
- Enable Detections by @defensivedepth in #12639
- Allow for additional af-packet tuning options for Suricata by @m0duspwnens in #12651
- FEATURE: pfSense Suricata logs by @weslambert in #12652
- Initial cut to remove Playbook and deps by @defensivedepth in #12658
- Remove Playbook ref by @defensivedepth in #12659
- FEATURE: Include additional groupby fields in Dashboards relating to sankey diagrams #12657 by @dougburks in #12663
- Initial cut to remove Playbook and deps by @defensivedepth in #12660
- Add bindings for sigma repos by @defensivedepth in #12656
- FEATURE: Add Events table columns for event.module elastic_agent #12666 by @dougburks in #12667
- Fix Input Validation to allow for IPv6 by @TOoSmOotH in #12674
- disregard errors in removed applications that occurred before th… by @jertel in #12683
- FEATURE: Add process.command_line to Process Info and Process Ancestry dashboards #12694 by @dougburks in #12695
- New Settings for Manual Sync in Detections by @coreyogburn in #12696
- FEATURE: Add Events table columns for zeek ssl and suricata ssl #12697 by @dougburks in #12698
- FEATURE: Add individual dashboards for Zeek SSL and Suricata SSL logs… by @dougburks in #12700
- Correct YAML by @coreyogburn in #12702
- Add default columns by @defensivedepth in #12720
- FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12722
- FEATURE: Add Events table columns for event.module playbook #12703 by @dougburks in #12723
- FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12724
- FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12725
- Feature - auto-enabled Sigma rules by @defensivedepth in #12732
- Add cef by @weslambert in #12735
- Add Elastic Agent Status Metrics by @TOoSmOotH in #12734
- FEATURE: Add dashboard for SOC Login Failures #12738 by @dougburks in #12739
- FEATURE: Add Events table columns for event.module kratos #12740 by @dougburks in #12742
- Change code to allow for non root by @TOoSmOotH in #12741
- SOC Telemetry by @jertel in #12731
- Update SOC Config with State File Paths by @coreyogburn in #12744
- do not prompt about telemetry on airgap installs by @jertel in #12747
- Exclude Elastalert EQL errors by @defensivedepth in #12748
- Clarify annotation description re: Airgap by @jertel in #12749
- FEATURE: Add Events table columns for event.module sigma #12743 by @dougburks in #12751
- Allow 2.3 to update by @TOoSmOotH in #12752
- FEATURE: Add dashboards specific to Elastic Agent #12746 by @dougburks in #12753
- skip telemetry summary in airgap mode by @jertel in #12754
- 2.4/soup playbook by @defensivedepth in #12682
- 2.4/detections defaults by @defensivedepth in #12755
- Use list not string by @defensivedepth in #12756
- Update so-log-check by @TOoSmOotH in #12759
- Detection Author as a Keyword instead of Text by @coreyogburn in #12760
- Ship Defender logs + more by @defensivedepth in #12766
- Enable Detections Adv by default by @defensivedepth in #12780
- Update analyst.json by @TOoSmOotH in #12769
- Fix fingerprint paths by @defensivedepth in #12791
- Add docs for ruleset change by @defensivedepth in #12793
- Update limited-analyst.json by @TOoSmOotH in #12810
- FEATURE: Add queue=True to so-checkin so that it will wait for any ru… by @dougburks in #12817
- FIX: Elastic retention setting not being honored when manager hostname is a subset of search node hostname #12819 by @dougburks in #12820
- Strelka fixes and more by @defensivedepth in #12805
- Kismet integration for WiFi devices by @reyesj2 in #12773
- Temp exclude yara runtime status log by @defensivedepth in #12841
- Fix warm description by @weslambert in #12844
- Fix description, regex, and type for cold, warm, and hot by @weslambert in #12848
- Remove hot max_age by @weslambert in #12852
- Issue/12637 by @m0duspwnens in #12859
- Add runtime status logs by @defensivedepth in #12861
- Change index sorting to account for older so-prefixed indices by @weslambert in #12858
- allow for enabled/disable of so-elasticsearch-indices-delete cronjob by @m0duspwnens in #12860
- Exclude suricata from disk space-based index deletion by @weslambert in #12864
- only apply ulimits to suricata container if user enable mmap-locked by @m0duspwnens in #12865
- check status before stopping service by @petiepooo in #12846
- restrict workflows to so by @jertel in #12875
- Sigma pivot fix and cleanup by @defensivedepth in https://github.com/Security-O...
2.3.300-20240401
Merge pull request #12693 from Security-Onion-Solutions/dev 2.3.300
Security Onion 2.4.60-20240320
Download the ISO
https://download.securityonion.net/file/securityonion/securityonion-2.4.60-20240320.iso
What's Changed
- Cogburn/detection playbooks by @defensivedepth in #12296
- 2.4/dev by @defensivedepth in #12357
- Update VERSION by @TOoSmOotH in #12385
- replace correlate icon to avoid confusion with searcheng.in by @jertel in #12386
- Update soup by @TOoSmOotH in #12348
- add lock threads by @jertel in #12396
- add missing template by @jertel in #12408
- Initial Support for Detections Module by @defensivedepth in #12412
- nest under policy by @m0duspwnens in #12411
- Fix Loss Calculation for Stenographer by @TOoSmOotH in #12416
- convert x to . for soc ui to config by @m0duspwnens in #12423
- Feature/sigma pipeline by @defensivedepth in #12430
- Add Detection AutoUpdate config by @defensivedepth in #12431
- Update pattern for endpoint diagnostic template by @weslambert in #12432
- Add multiple endpoint features by @dougburks in #12434
- Airgap Support - Detections module by @defensivedepth in #12437
- Issue/12391 by @m0duspwnens in #12449
- Roll Suricata logs daily to prevent alerts from being deleted when not meeting size threshold by @weslambert in #12450
- Feature/detections airgap by @defensivedepth in #12456
- Manage the repo files by @TOoSmOotH in #12405
- FIX: EA installers not downloadable from SOC & fix logging by @reyesj2 in #12469
- 2.4/sigma pipeline by @defensivedepth in #12482
- Fix FIM by @defensivedepth in #12487
- Suricata PCAP by @TOoSmOotH in #12271
- fix sensoroni for non sensor by @m0duspwnens in #12497
- Update so-minion by @TOoSmOotH in #12502
- Additional Integrations #5 by @weslambert in #12500
- fix oinkcodes with leading zeros by @jertel in #12507
- fix pcapspace function by @m0duspwnens in #12508
- PCAP annotations by @jertel in #12511
- Add Exclusion toggle by @defensivedepth in #12510
- detections annotations by @jertel in #12514
- Change Factoring for so-minion pcap disk space by @TOoSmOotH in #12513
- Add error.message mapping for system.syslog by @weslambert in #12519
- gracefully handle status check failure on ubuntu by @jertel in #12521
- unswap files by @jertel in #12526
- allow managersearch to receiver redis and 5644 by @m0duspwnens in #12537
- FIX: Update SOC annotations for Stenographer PCAP #12539 by @dougburks in #12540
- Fix Space Free for Steno by @TOoSmOotH in #12527
- Updated RulesRepo for New Strelka Structure by @coreyogburn in #12542
- Update soc_pcap.yaml by @dougburks in #12545
- Run scan against default scap security guide so that resulting score is accurate by @reyesj2 in #12553
- Create local salt directory by @reyesj2 in #12555
- pcap improvements by @jertel in #12544
- auto-convert email addresses to lowercase during setup by @jertel in #12560
- transitional pcap by @m0duspwnens in #12561
- Add yara update back by @defensivedepth in #12563
- 2.4/detections defaults by @defensivedepth in #12565
- Update soc_suricata.yaml by @TOoSmOotH in #12564
- Update so-saltstack-update to use 2.4/main by @TOoSmOotH in #12567
- Gen packages post-SOUP by @defensivedepth in #12576
- remove modules if detections disabled by @m0duspwnens in #12577
- Update init.sls by @m0duspwnens in #12579
- removed unused property by @jertel in #12581
- handle airgap when detections not enabled by @jertel in #12584
- Update soc_suricata.yaml by @TOoSmOotH in #12587
Full Changelog: 2.4.50-20240220...2.4.60-20240320
2.3.290-20240229
Merge pull request #12463 from Security-Onion-Solutions/dev 2.3.290
Security Onion 2.4.50-20240220
Download the ISO
https://download.securityonion.net/file/securityonion/securityonion-2.4.50-20240220.iso
What's Changed
- Update VERSION by @TOoSmOotH in #12197
- Add Suricata IKE pipeline by @weslambert in #12201
- Add stig state by @reyesj2 in #12202
- Remove need for stig script by @reyesj2 in #12206
- Update metrics for telegraf by @reyesj2 in #12208
- Update soup by @reyesj2 in #12213
- Add stig pillar dir during soup by @reyesj2 in #12214
- Update suricata.common by @TOoSmOotH in #12216
- Disable stigs setting/verifying umask is set to 077. Known issue with … by @reyesj2 in #12220
- Additional integrations #4 by @weslambert in #12221
- Handle non-zero by @reyesj2 in #12230
- RITA Logs by @weslambert in #12227
- Exclude specific Strelka key values by @weslambert in #12241
- UPGRADE: Strelka 0.24.01.18 by @weslambert in #12240
- Fix quote by @weslambert in #12242
- standardize feature names by @jertel in #12248
- Fix PE Flags by @weslambert in #12250
- Add template for endpoint.diagnostic.collection by @weslambert in #12260
- Update soup by @reyesj2 in #12267
- Remove remediate from initial oscap scan by @reyesj2 in #12283
- fix salt lock for airgap version mismatches by @TOoSmOotH in #12293
- Manage custom Elasticsearch and Logstash pipelines in UI by @weslambert in #12297
- Jppffa by @m0duspwnens in #12294
- FEATURE: Improve Correlate and Hunt actions on SOC Actions menu #12315 by @dougburks in #12316
- FEATURE: Add new dashboards for community_id and firewall auth #12323 by @dougburks in #12324
- Salt3006.6 by @m0duspwnens in #12325
- Fixup shell by @defensivedepth in #12333
- Salt3006.6v2 by @m0duspwnens in #12337
- Add putty to SOD by @reyesj2 in #12332
- Wait for ES to be ready by @defensivedepth in #12343
- Feature/fleet artifacts by @defensivedepth in #12268
- FIX: Remove intca symlink on reinstall by @petiepooo in #12290
- FEATURE: Check for mountpoint during Elastic size limit calculations by @petiepooo in #12308
- Remove unused file by @reyesj2 in #12346
- Fix conflicting id by @defensivedepth in #12349
- FEATURE: Add new SOC action to show process ancestry #12345 by @dougburks in #12350
- Add table columns to process dashboard in defaults.yaml by @dougburks in #12355
- modify soup to update soup scripts using salt by @m0duspwnens in #12354
- `2450soup by @m0duspwnens in #12360
Full Changelog: 2.4.40-20240116...2.4.50-20240220
Security Onion 2.4.40-20240116
Download the ISO
https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso
What's Changed
- Update VERSION by @TOoSmOotH in #11778
- FIX: SOC Hunt HTTP EXE query #11784 by @dougburks in #11785
- avoid startup error by @jertel in #11792
- improve timing of responses by @jertel in #11809
- Merge hotfix back to 2.4/dev by @jertel in #11832
- add support for nested keys by @jertel in #11835
- Jertel/hfm by @jertel in #11855
- Ignore analyzer log by @weslambert in #11891
- Add certificate fingerprints by @weslambert in #11896
- FIX: Update NIDS rule.reference in common.nids pipeline #11846 by @dougburks in #11897
- Sublime Platform Analyzer by @weslambert in #11945
- Add eml observable type by @weslambert in #11950
- Fix indentation for rule_results by @weslambert in #11954
- Sublime Analyzer Documentation by @weslambert in #11955
- Merge Main into Dev by @TOoSmOotH in #11957
- FIX: Documentation links under SOC - Administration - Configuration need updating #11828 by @dougburks in #11960
- Remove Curator close configuration by @weslambert in #11967
- grid page enhancements by @jertel in #11970
- fix import stats by @jertel in #11981
- Remove Curator by @weslambert in #11990
- upgrade cla action by @jertel in #11998
- FIX: Update clear scripts #11991 by @dougburks in #12001
- Additional Integrations #2 by @weslambert in #12000
- more log false alarms by @jertel in #12012
- fix extra_hosts by @m0duspwnens in #12019
- Add force option to integrations by @weslambert in #12020
- FIX: Update dashboard and hunt query for firewall logs #12021 by @dougburks in #12023
- Fix receivers by @m0duspwnens in #12037
- exclude log false positives by @jertel in #12047
- 2.4/dev Analyzers for Threatfox, MalwareBazaar, Echotrail, Elasticsearch by @HoangLongVu in #12003
- FIX: Update dashboard and hunt query for firewall logs #12021 by @dougburks in #12048
- Fix analyzer images by @weslambert in #12052
- 2.4/main by @TOoSmOotH in #12053
- Curator Remove Changes by @weslambert in #12062
- Ignore Curator logs by @weslambert in #12063
- only run the file.absent state if there are files to delete by @jertel in #12067
- exclude transient influxdb error by @jertel in #12071
- show last highstate date/time on grid metrics screen; expose maxUploa… by @jertel in #12090
- Change salt-minion startup_states by @m0duspwnens in #12095
- 2.4/main by @TOoSmOotH in #12102
- Add brasero to packages list for SOD by @reyesj2 in #12109
- Issue/12033 by @m0duspwnens in #12116
- enable startup_states: highstate on managers during setup and not wit… by @m0duspwnens in #12118
- Update so-raid-status for SM based appliances by @TOoSmOotH in #12120
- Fix/fim by @defensivedepth in #12138
- Fix/fleet reset by @defensivedepth in #12141
- Salt3006.5 by @m0duspwnens in #12144
- exempt transient license check errors by @jertel in #12149
- Update so-functions by @TOoSmOotH in #12154
- Fix reinstall & reset stability by @defensivedepth in #12151
- Update soup by @TOoSmOotH in #12155
- Upgrade Navigator and fix Playbook layer by @defensivedepth in #12156
- Additional Supported Integrations #3 by @weslambert in #12160
- Check Kibana API not Web by @defensivedepth in #12161
- Make sure optional integration pillar values are merged with defaults by @weslambert in #12164
- Remove old nav layers by @defensivedepth in #12170
- Merge 2.4 dev by @weslambert in #12171
- Add endpoint metrics templates by @weslambert in #12173
- FIX: OTX pulses template by @weslambert in #12176
- Needsrestarted by @m0duspwnens in #12192
New Contributors
- @HoangLongVu made their first contribution in #12003
Full Changelog: 2.4.30-20231228...2.4.40-20240116