Releases: Security-Onion-Solutions/securityonion
2.4.111-20241217
Download the ISO
What's Changed
- Delete unneeded files by @defensivedepth in #14033
Full Changelog: 2.4.110-20241010...2.4.111-20241217
2.4.110-20241010
Download the ISO
What's Changed
- Use ID instead of name for getting integrations from agent policies by @weslambert in #13791
- Update soup by @TOoSmOotH in #13792
Full Changelog: 2.4.110-20241004...2.4.110-20241010
2.4.110-20241004
Download the ISO
What's Changed
- Update VERSION by @TOoSmOotH in #13577
- Update Github Discussion template by @dougburks in #13583
- Reload Suricata vs restart by @TOoSmOotH in #13574
- Reload both types of rules by @TOoSmOotH in #13590
- Hotfix-2.4.100.20240903 by @defensivedepth in #13598
- remove hotfix from dev branch by @jertel in #13608
- use Elasticsearch version for some containers by @m0duspwnens in #13607
- use correct sig based on es image or not by @m0duspwnens in #13610
- resolve issues with es version pinning by @m0duspwnens in #13615
- ref es version by @m0duspwnens in #13616
- es version shift by @jertel in #13620
- fix es agent update for soup by @m0duspwnens in #13624
- remove -it by @m0duspwnens in #13625
- Upgrade Docker to 27.2.0 by @m0duspwnens in #13635
- add so-suricata container req for rule reload by @m0duspwnens in #13638
- Add destination IP for so-system by @weslambert in #13639
- only elasticsearch image uses es version by @m0duspwnens in #13640
- Make Standalone installs use Suricata for PCAP by @TOoSmOotH in #13648
- es sig pulled from es dir by @jertel in #13652
- Add barracuda and imperva integrations by @weslambert in #13657
- Add annotations for barracuda and imperva by @weslambert in #13658
- Fix annotations typo by @weslambert in #13660
- External Support for Detections by @TOoSmOotH in #13647
- mark specific settings as allowed to include Jinja by @jertel in #13663
- Allow custom IDH skins by @weslambert in #13661
- exit 1 if unable to connect to kibana by @m0duspwnens in #13666
- Upgrade Elastic integrations when new versions are available by @weslambert in #13651
- Clarify enabled settings by @jertel in #13673
- remove colon to avoid yaml parsing problems by @jertel in #13676
- resolve 13247 by @m0duspwnens in #13675
- Fix suricata alerts for opnsense and pfsense by @weslambert in #13686
- enable stig for so desktop by @reyesj2 in #13695
- add missing annotation file by @jertel in #13694
- Initial Support for managing Elastic Defend Filters by @defensivedepth in #13709
- Fix core integration field mappings by @weslambert in #13724
- Disable by default & Airgap by @defensivedepth in #13727
- Use temp summaries branch by @defensivedepth in #13729
- Check if running during soup by @weslambert in #13732
- Add so repo back in by @defensivedepth in #13733
- lowercase email when looking up ID; allow uppercase emails when modif… by @jertel in #13734
- Retry after 1 second by @weslambert in #13736
- Change summaries branch by @defensivedepth in #13737
- Fix location for airgap by @defensivedepth in #13740
- Fix path by @defensivedepth in #13743
- Move Airgap later in setup by @defensivedepth in #13745
- adjustments for support of PKCE OIDC by @jertel in #13757
- Safedir by @m0duspwnens in #13764
Full Changelog: 2.4.100-20240903...2.4.110-20241004
2.4.100-20240903
Download the ISO
What's Changed
- Add so-system-mappings by @weslambert in #13586
- Update HOTFIX by @weslambert in #13587
- 2.4.100 hotfix by @TOoSmOotH in #13595
- Hotfix 2.4.100 by @TOoSmOotH in #13596
Full Changelog: 2.4.100-20240829...2.4.100-20240903
2.4.100-20240829
Download the ISO
What's Changed
- Elastic 8.14.3 by @weslambert in #13347
- Update VERSION by @TOoSmOotH in #13401
- Turn off console messages by @TOoSmOotH in #13381
- Update so-rule-update by @TOoSmOotH in #13373
- Elastic 8.14.3 by @weslambert in #13402
- Provide new setting to require OTP by @jertel in #13406
- Add removed changes by @weslambert in #13407
- Fix fleet setup by @weslambert in #13408
- Fix defender winlog name change by @weslambert in #13409
- Change agent pipeline version by @weslambert in #13410
- Fix system mapping by @weslambert in #13414
- Change name for system component by @weslambert in #13418
- Salt3006.9 by @m0duspwnens in #13425
- retry up to 5 times if reposync fails by @jertel in #13429
- retry up to 5 times if reposync fails by @jertel in #13430
- Issue/13438 by @m0duspwnens in #13441
- correct firewall annotation for kafka by @reyesj2 in #13443
- Cogburn/ai summaries by @coreyogburn in #13453
- fix repo path by @jertel in #13457
- FEATURE: Add warning to soup about ssh #13466 by @dougburks in #13467
- fix issue with reset pw and mfa by @jertel in #13470
- Update SECURITY.md by @dougburks in #13473
- handle suricata network and port vars as string or list by @m0duspwnens in #13478
- Update so-elasticsearch-cluster-space-used for changes in _cat/alloca… by @dougburks in #13481
- Update column number because of changes to API by @weslambert in #13482
- Update registry version by @TOoSmOotH in #13483
- Add influxdb known error by @defensivedepth in #13487
- Ignore older SOC logs before licenseStatus field by @weslambert in #13511
- Add Tenable IO by @weslambert in #13526
- Check for endpoint package by @weslambert in #13531
- Add support for new appliance raid controllers by @TOoSmOotH in #13530
- Create detections.alerts ILM policy with corresponding name by @weslambert in #13528
- notification updates by @jertel in #13535
- FIX: Check Elasticsearch for endpoint component template before loading templates by @weslambert in #13537
- exclude all logstash errors related to license manager init log line by @jertel in #13540
- set kafka.id in common ingest pipeline by @reyesj2 in #13546
- Elastic Fleet refactoring by @defensivedepth in #13547
- Use global@custom from common pipeline by @weslambert in #13548
- FIX: Add so-soc-logs by @weslambert in #13554
- Fix policy load by @defensivedepth in #13556
- annotation updates by @jertel in #13561
- Update pipeline version for EVTX by @weslambert in #13562
- move custom alerters to subgroup; avoid false positives on log check by @jertel in #13565
- Exclude logstash startup errors by @defensivedepth in #13570
Full Changelog: 2.4.90-20240729...2.4.100-20240829
2.4.90-20240729
Download the ISO
What's Changed
- Update VERSION by @TOoSmOotH in #13260
- start soup 2.4.90 by @m0duspwnens in #13270
- Elastic 8.14.1 by @weslambert in #13271
- Revert back to 8.10.4 by @weslambert in #13275
- Issue/13073 - disable Logstash on heavynodes by @m0duspwnens in #13278
- FIX: so-rule-update airgap check by @reyesj2 in #13282
- Changes for Elastic 8.14.1 by @weslambert in #13290
- Change name to winlog.winlogs by @weslambert in #13295
- Change name for ILM by @weslambert in #13296
- Delete old user commands by @TOoSmOotH in #13299
- Elastic 8.14.2 by @weslambert in #13314
- FIX: Update MOTD #13317 by @dougburks in #13318
- FIX: Update SOC MOTD #13320 by @dougburks in #13321
- Elastic 8.14.2 by @weslambert in #13316
- Change pipeline version for agent by @weslambert in #13323
- FIX: Kafka configuration updates by @reyesj2 in #13335
- force var to be list of string by @m0duspwnens in #13340
- Revert "Elastic 8.14.2" by @weslambert in #13342
- Revert "Change pipeline version for agent" by @weslambert in #13341
- FEATURE: Add new action to SOC Actions list to allow users to more easily add their own actions #13346 by @dougburks in #13348
- New Config Values for Detections Bulk Indexer by @coreyogburn in #13349
- fix custom indices by @m0duspwnens in #13353
- Kafka influxdb metrics & pillar update by @reyesj2 in #13350
- Exclude policy phases if not defined in defaults by @m0duspwnens in #13355
- kafka soup pillar by @reyesj2 in #13363
- Cogburn/suricata regex support by @coreyogburn in #13365
- fix kafka-logstash cert for searchnodes by @reyesj2 in #13368
- remove unused test parameters from setup by @jertel in #13374
- 2.4.90 by @TOoSmOotH in #13390
- so-detection refresh_interval => 1s by @coreyogburn in #13392
Full Changelog: 2.4.80-20240624...2.4.90-20240729
2.4.80-20240624
Download the ISO
What's Changed
- Remove references to kafkanode by @reyesj2 in #12792
- Update VERSION by @TOoSmOotH in #13093
- Separate Suricata alerts into a specific data stream by @weslambert in #13101
- Salt3006.8 by @m0duspwnens in #13103
- Added TemplateDetections To Detection ClientParams by @coreyogburn in #13107
- Add templates for .items and .lists indices by @weslambert in #13117
- salt 3006.6 by @m0duspwnens in #13129
- so-tcpreplay now runs if manager is offline by @m0duspwnens in #13134
- move so-tcpreplay from common state to sensor state by @m0duspwnens in #13141
- add ability to retrieve yaml values via so-yaml.py; improve so-minion id matching by @jertel in #13150
- Update soc_suricata.yaml by @TOoSmOotH in #13156
- SOC Proxy Setting by @coreyogburn in #13154
- AdditionalCA and InsecureSkipVerify by @coreyogburn in #13164
- Update defaults.yaml by @TOoSmOotH in #13165
- fix elastic templates not loading due to global_override phases by @m0duspwnens in #13162
- gracefully handle missing parent key by @jertel in #13170
- correct placement of error check override by @jertel in #13171
- upgrade docker by @m0duspwnens in #13182
- Add new bind - suricata all.rules by @defensivedepth in #13179
- remove this \n by @m0duspwnens in #13189
- Fix unnecessary escaping by @coreyogburn in #13183
- Update DOWNLOAD_AND_VERIFY_ISO.md by @dougburks in #13197
- Initial Kafka support by @reyesj2 in #13190
- Fixes for Kafka nodeid assignment and ssl cert generation by @reyesj2 in #13200
- Only comment out so-kafka from so-status when it exists & only run en… by @reyesj2 in #13204
- Initial support for custom suricata urls and local rulesets by @defensivedepth in #13205
- Update rule templates by @defensivedepth in #13208
- Standalone logstash error by @reyesj2 in #13207
- Fix errors on new installs by @reyesj2 in #13209
- FEATURE: Add more links and descriptions to SOC MOTD #13216 by @dougburks in #13217
- suppress fleet policy update in soup by @reyesj2 in #13221
- Update defaults by @defensivedepth in #13223
- update profile by @reyesj2 in #13222
- FEATURE: Add new Process actions #13226 by @dougburks in #13227
- update kafka output policy only on eligible grid types by @reyesj2 in #13231
- fix ca mine_function by @m0duspwnens in #13233
- update receiver node allowed states by @reyesj2 in #13234
- Added license presets to defaults.yaml file by @mc-wright in #13236
- Update defaults.yaml to put Process actions in logical order by @dougburks in #13239
- update kafka annotations by @reyesj2 in #13242
- Update soc_manager.yaml by @TOoSmOotH in #13244
- Add option for detections without a license by @weslambert in #13246
- Fix soup for proxy servers by @TOoSmOotH in #13245
- FIX: update firewall defaults by @reyesj2 in #13251
- Remove unused sbin_jinja for kafka by @reyesj2 in #13253
- 2.4.80 by @TOoSmOotH in #13254
- Fix git by @TOoSmOotH in #13256
- Update .gitleaks.toml by @TOoSmOotH in #13259
- 2.4.80 by @TOoSmOotH in #13255
New Contributors
- @mc-wright made their first contribution in #13236
Full Changelog: 2.4.70-20240529...2.4.80-20240625
2.4.70-20240529
Download the ISO
https://download.securityonion.net/file/securityonion/securityonion-2.4.70-20240529.iso
What's Changed
- Update VERSION by @TOoSmOotH in #12619
- reschedule close/lock jobs by @jertel in #12601
- FIX: Annotations for BPF and Suricata PCAP #12626 by @dougburks in #12627
- Change Detections defaults by @defensivedepth in #12611
- Remove temp YARA by @weslambert in #12632
- FEATURE: Add Events column layout for event.module system #12628 by @dougburks in #12634
- disregard benign telegraf error by @jertel in #12638
- FEATURE: Add event.dataset to all Events column layouts #12641 by @dougburks in #12642
- FIX: Specify that static IP address is recommended #12643 by @dougburks in #12644
- Update ElastAlert Config with Default Repos by @coreyogburn in #12640
- FIX: http.response.status_code by @weslambert in #12650
- Enable Detections by @defensivedepth in #12639
- Allow for additional af-packet tuning options for Suricata by @m0duspwnens in #12651
- FEATURE: pfSense Suricata logs by @weslambert in #12652
- Initial cut to remove Playbook and deps by @defensivedepth in #12658
- Remove Playbook ref by @defensivedepth in #12659
- FEATURE: Include additional groupby fields in Dashboards relating to sankey diagrams #12657 by @dougburks in #12663
- Initial cut to remove Playbook and deps by @defensivedepth in #12660
- Add bindings for sigma repos by @defensivedepth in #12656
- FEATURE: Add Events table columns for event.module elastic_agent #12666 by @dougburks in #12667
- Fix Input Validation to allow for IPv6 by @TOoSmOotH in #12674
- disregard errors in removed applications that occurred before th… by @jertel in #12683
- FEATURE: Add process.command_line to Process Info and Process Ancestry dashboards #12694 by @dougburks in #12695
- New Settings for Manual Sync in Detections by @coreyogburn in #12696
- FEATURE: Add Events table columns for zeek ssl and suricata ssl #12697 by @dougburks in #12698
- FEATURE: Add individual dashboards for Zeek SSL and Suricata SSL logs… by @dougburks in #12700
- Correct YAML by @coreyogburn in #12702
- Add default columns by @defensivedepth in #12720
- FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12722
- FEATURE: Add Events table columns for event.module playbook #12703 by @dougburks in #12723
- FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12724
- FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12725
- Feature - auto-enabled Sigma rules by @defensivedepth in #12732
- Add cef by @weslambert in #12735
- Add Elastic Agent Status Metrics by @TOoSmOotH in #12734
- FEATURE: Add dashboard for SOC Login Failures #12738 by @dougburks in #12739
- FEATURE: Add Events table columns for event.module kratos #12740 by @dougburks in #12742
- Change code to allow for non root by @TOoSmOotH in #12741
- SOC Telemetry by @jertel in #12731
- Update SOC Config with State File Paths by @coreyogburn in #12744
- do not prompt about telemetry on airgap installs by @jertel in #12747
- Exclude Elastalert EQL errors by @defensivedepth in #12748
- Clarify annotation description re: Airgap by @jertel in #12749
- FEATURE: Add Events table columns for event.module sigma #12743 by @dougburks in #12751
- Allow 2.3 to update by @TOoSmOotH in #12752
- FEATURE: Add dashboards specific to Elastic Agent #12746 by @dougburks in #12753
- skip telemetry summary in airgap mode by @jertel in #12754
- 2.4/soup playbook by @defensivedepth in #12682
- 2.4/detections defaults by @defensivedepth in #12755
- Use list not string by @defensivedepth in #12756
- Update so-log-check by @TOoSmOotH in #12759
- Detection Author as a Keyword instead of Text by @coreyogburn in #12760
- Ship Defender logs + more by @defensivedepth in #12766
- Enable Detections Adv by default by @defensivedepth in #12780
- Update analyst.json by @TOoSmOotH in #12769
- Fix fingerprint paths by @defensivedepth in #12791
- Add docs for ruleset change by @defensivedepth in #12793
- Update limited-analyst.json by @TOoSmOotH in #12810
- FEATURE: Add queue=True to so-checkin so that it will wait for any ru… by @dougburks in #12817
- FIX: Elastic retention setting not being honored when manager hostname is a subset of search node hostname #12819 by @dougburks in #12820
- Strelka fixes and more by @defensivedepth in #12805
- Kismet integration for WiFi devices by @reyesj2 in #12773
- Temp exclude yara runtime status log by @defensivedepth in #12841
- Fix warm description by @weslambert in #12844
- Fix description, regex, and type for cold, warm, and hot by @weslambert in #12848
- Remove hot max_age by @weslambert in #12852
- Issue/12637 by @m0duspwnens in #12859
- Add runtime status logs by @defensivedepth in #12861
- Change index sorting to account for older so-prefixed indices by @weslambert in #12858
- allow for enabled/disable of so-elasticsearch-indices-delete cronjob by @m0duspwnens in #12860
- Exclude suricata from disk space-based index deletion by @weslambert in #12864
- only apply ulimits to suricata container if user enables mmap-locked by @m0duspwnens in #12865
- check status before stopping service by @petiepooo in #12846
- restrict workflows to so by @jertel in #12875
- Sigma pivot fix and cleanup by @defensivedepth in https://github.com/Security-O...
2.3.300-20240401
Merge pull request #12693 from Security-Onion-Solutions/dev 2.3.300
Security Onion 2.4.60-20240320
Download the ISO
https://download.securityonion.net/file/securityonion/securityonion-2.4.60-20240320.iso
What's Changed
- Cogburn/detection playbooks by @defensivedepth in #12296
- 2.4/dev by @defensivedepth in #12357
- Update VERSION by @TOoSmOotH in #12385
- replace correlate icon to avoid confusion with searcheng.in by @jertel in #12386
- Update soup by @TOoSmOotH in #12348
- add lock threads by @jertel in #12396
- add missing template by @jertel in #12408
- Initial Support for Detections Module by @defensivedepth in #12412
- nest under policy by @m0duspwnens in #12411
- Fix Loss Calculation for Stenographer by @TOoSmOotH in #12416
- convert x to . for soc ui to config by @m0duspwnens in #12423
- Feature/sigma pipeline by @defensivedepth in #12430
- Add Detection AutoUpdate config by @defensivedepth in #12431
- Update pattern for endpoint diagnostic template by @weslambert in #12432
- Add multiple endpoint features by @dougburks in #12434
- Airgap Support - Detections module by @defensivedepth in #12437
- Issue/12391 by @m0duspwnens in #12449
- Roll Suricata logs daily to prevent alerts from being deleted when not meeting size threshold by @weslambert in #12450
- Feature/detections airgap by @defensivedepth in #12456
- Manage the repo files by @TOoSmOotH in #12405
- FIX: EA installers not downloadable from SOC & fix logging by @reyesj2 in #12469
- 2.4/sigma pipeline by @defensivedepth in #12482
- Fix FIM by @defensivedepth in #12487
- Suricata PCAP by @TOoSmOotH in #12271
- fix sensoroni for non sensor by @m0duspwnens in #12497
- Update so-minion by @TOoSmOotH in #12502
- Additional Integrations #5 by @weslambert in #12500
- fix oinkcodes with leading zeros by @jertel in #12507
- fix pcapspace function by @m0duspwnens in #12508
- PCAP annotations by @jertel in #12511
- Add Exclusion toggle by @defensivedepth in #12510
- detections annotations by @jertel in #12514
- Change Factoring for so-minion pcap disk space by @TOoSmOotH in #12513
- Add error.message mapping for system.syslog by @weslambert in #12519
- gracefully handle status check failure on ubuntu by @jertel in #12521
- unswap files by @jertel in #12526
- allow managersearch to receiver redis and 5644 by @m0duspwnens in #12537
- FIX: Update SOC annotations for Stenographer PCAP #12539 by @dougburks in #12540
- Fix Space Free for Steno by @TOoSmOotH in #12527
- Updated RulesRepo for New Strelka Structure by @coreyogburn in #12542
- Update soc_pcap.yaml by @dougburks in #12545
- Run scan against default scap security guide so that resulting score is accurate by @reyesj2 in #12553
- Create local salt directory by @reyesj2 in #12555
- pcap improvements by @jertel in #12544
- auto-convert email addresses to lowercase during setup by @jertel in #12560
- transitional pcap by @m0duspwnens in #12561
- Add yara update back by @defensivedepth in #12563
- 2.4/detections defaults by @defensivedepth in #12565
- Update soc_suricata.yaml by @TOoSmOotH in #12564
- Update so-saltstack-update to use 2.4/main by @TOoSmOotH in #12567
- Gen packages post-SOUP by @defensivedepth in #12576
- remove modules if detections disabled by @m0duspwnens in #12577
- Update init.sls by @m0duspwnens in #12579
- removed unused property by @jertel in #12581
- handle airgap when detections not enabled by @jertel in #12584
- Update soc_suricata.yaml by @TOoSmOotH in #12587
Full Changelog: 2.4.50-20240220...2.4.60-20240320