Comments (4)
How To Start Testing
- install the 16.04.4.2 ISO image (has old Logstash templates which we need to test removal of): https://github.com/Security-Onion-Solutions/security-onion/blob/master/old/Verify_ISO_16.04.4.2.md
- snapshot the VM if possible
- run Setup
- snapshot the VM if possible
- add the test PPA:
  sudo add-apt-repository -y ppa:securityonion/test
- change DOCKERHUB from securityonionsolutions to securityonionsolutionstest (OSS license):
  sudo sed -i 's|DOCKERHUB="securityonionsolutions"|DOCKERHUB="securityonionsolutionstest"|g' /etc/nsm/elasticdownload.conf
  (OR change DOCKERHUB to securityonionsolutionselastest for Elastic Features license)
- update:
  sudo soup
from security-onion.
How To Verify Proper Elastic Operation
Please test in as many different combinations as possible:
- verify that traditional Logstash parsing correctly parses Zeek logs in JSON or TSV format and Sysmon logs via Winlogbeat and Wazuh
- verify that Elasticsearch Ingest parsing correctly parses Zeek logs in JSON format and Sysmon logs via Winlogbeat and Wazuh
- verify that ElastAlert works properly
- verify Kibana dashboards visualize those parsed logs correctly (for dashboards that have search hits, visualizations should show data and NO errors...for dashboards that have NO search hits, visualizations should show NO data and NO errors)
- verify Squert and Logout links work properly
- verify pivoting to Indicator dashboard
- verify that each Kibana dashboard has a default query in the upper left
- verify that lucene is still the default query language for both Dashboards and Discover
- verify that you can now switch from dark mode to light mode via Kibana Advanced Settings and that the old dark and light scripts are gone
- verify pivoting to CapMe works from all network data types
- verify templates look correct
- verify Curator close and delete work properly
- check elasticsearch, logstash, and kibana logs in /var/log/ for anything out of the ordinary
- so-import-pcap vs sosetup-minimal vs traditional Setup
- Setup GUI vs CLI
- Evaluation Mode vs Production Mode - when testing Evaluation Mode, make sure that Domainstats and Freqserver are generating data properly, here is a pcap that should generate data on the DomainStats dashboard: https://www.malware-traffic-analysis.net/2021/01/12/2021-01-12-Hancitor-infection-with-Cobalt-Strike.pcap.zip
- standalone vs distributed deployments
- new installation vs upgrade
- Elastic OSS vs Elastic Features license (use so-elastic-features to switch from OSS to Features)
- SSO vs Elastic native auth (use so-elastic-auth to switch to Elastic native auth)
- fully test all features in Kibana (both OSS and Features) to make sure we've got all the new URLs that Kibana added
- test upgrading a machine that already has Elastic native auth enabled
- test upgrading to Elastic 7.10.2 and then doing a full upgrade to Security Onion 2
- 16.04.4.2 includes the old Logstash templates. When you install this update, it should automatically remove those old Logstash templates so new logs should come in without having to manually remove old templates.
Please make sure so-curator-closed-delete-delete gets tested thoroughly in at least the following scenarios:
- if we haven't reached LOG_SIZE_LIMIT, it should do nothing
- if we have reached LOG_SIZE_LIMIT but there are no closed indices, it should do nothing
- if there are closed indices but we haven't reached LOG_SIZE_LIMIT, it should do nothing
- if we have reached LOG_SIZE_LIMIT and there are closed indices, it should delete closed indices until we are below LOG_SIZE_LIMIT or there are no more closed indices
from security-onion.
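Added here as an illustration of the four so-curator-closed-delete-delete scenarios listed above; this is not Security Onion's own script, only a small model of the decision rule it is expected to follow. It assumes that "reached LOG_SIZE_LIMIT" means the total index size is at or over the limit, that closed indices are removed oldest first and that index names carry a date suffix so lexical order is chronological; the index data is constructed.

```python
"""Model of the closed-index deletion rule from the test plan.

Added example, not the so-curator-closed-delete-delete script itself.
Assumptions (not stated on the page):
  - "reached LOG_SIZE_LIMIT" means total size >= limit
  - closed indices are deleted oldest first
  - index names end in a date suffix, so sorting by name is chronological
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Index:
    name: str
    size_gb: float
    closed: bool


def total_size_gb(indices: List[Index]) -> float:
    """Sum of index sizes (open and closed indices both occupy disk)."""
    return sum(i.size_gb for i in indices)


def closed_oldest_first(indices: List[Index]) -> List[Index]:
    """Closed indices only, oldest first (assumes date-suffixed names)."""
    return sorted((i for i in indices if i.closed), key=lambda i: i.name)


def plan_deletions(indices: List[Index], log_size_limit_gb: float) -> List[str]:
    """Return the names of closed indices that would be deleted, in order.

    Scenario 1 and 3: below the limit, do nothing (closed indices or not).
    Scenario 2: at or over the limit but nothing is closed, do nothing.
    Scenario 4: at or over the limit with closed indices, delete closed
    indices until the total is below the limit or none are left.
    """
    remaining = list(indices)
    deleted: List[str] = []
    if total_size_gb(remaining) < log_size_limit_gb:
        return deleted  # limit not reached: never delete anything
    for idx in closed_oldest_first(remaining):
        if total_size_gb(remaining) < log_size_limit_gb:
            break  # back below the limit, stop deleting
        remaining.remove(idx)  # open indices are never touched
        deleted.append(idx.name)
    return deleted


# Constructed sample data (10 GB each).
OPEN_ONLY = [
    Index("logstash-2021.01.12", 10, closed=False),
    Index("logstash-2021.01.13", 10, closed=False),
]  # total 20 GB, nothing closed
WITH_CLOSED = [
    Index("logstash-2021.01.10", 10, closed=True),
    Index("logstash-2021.01.11", 10, closed=True),
] + OPEN_ONLY  # total 40 GB, two closed


def run_scenarios() -> Dict[str, List[str]]:
    """Exercise the four scenarios from the test plan (plus the 'run out of closed' case)."""
    return {
        "under_limit_no_closed": plan_deletions(OPEN_ONLY, 50),      # []
        "over_limit_no_closed": plan_deletions(OPEN_ONLY, 20),       # []
        "under_limit_with_closed": plan_deletions(WITH_CLOSED, 50),  # []
        "over_limit_with_closed": plan_deletions(WITH_CLOSED, 35),   # one deletion gets under 35
        "over_limit_exhaust_closed": plan_deletions(WITH_CLOSED, 10),  # both closed go, open stay
    }


if __name__ == "__main__":
    for scenario, names in run_scenarios().items():
        print(f"{scenario}: {names or 'nothing deleted'}")
```

The last scenario is the one worth watching on a real system: once every closed index is gone the script must stop even though the total is still over LOG_SIZE_LIMIT, rather than reaching for open indices.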
All testing conducted using the above guidance.
- verify that traditional Logstash parsing correctly parses Zeek logs in JSON or TSV format and Sysmon logs via Winlogbeat and Wazuh - No issues
- verify that Elasticsearch Ingest parsing correctly parses Zeek logs in JSON format and Sysmon logs via Winlogbeat and Wazuh - No issues
- verify that ElastAlert works properly - No issues
- verify Kibana dashboards visualize those parsed logs correctly - No issues
- verify Squert and Logout links work properly - No issues
- verify pivoting to Indicator dashboard - No issues
- verify that each Kibana dashboard has a default query in the upper left - No issues
- verify that lucene is still the default query language for both Dashboards and Discover - No issues
- verify that you can now switch from dark mode to light mode via Kibana Advanced Settings and that the old dark and light scripts are gone - No issues
- verify pivoting to CapMe works from all network data types - No issues
- verify templates look correct - No issues
- check elasticsearch, logstash, and kibana logs in /var/log/ for anything out of the ordinary - No issues
- so-import-pcap vs traditional Setup - No issues
- Setup GUI vs CLI - No issues
- Evaluation Mode vs Production Mode - No issues
- standalone vs distributed deployments - No issues
- Elastic OSS vs Elastic Features license (use so-elastic-features to switch from OSS to Features) - No issues
- SSO vs Elastic native auth (use so-elastic-auth to switch to Elastic native auth) - No issues
- fully test all features in Kibana (both OSS and Features) to make sure we've got all the new URLs that Kibana added - No issues
- test upgrading to Elastic 7.10.2 and then doing a full upgrade to Security Onion 2 - No issues (Standalone and Distributed)
- 16.04.4.2 includes the old Logstash templates. When you install this update, it should automatically remove those old Logstash templates so new logs should come in without having to manually remove old templates. - No issues
- verify Curator close and delete work properly - No issues
Please make sure so-curator-closed-delete-delete gets tested thoroughly in at least the following scenarios:
- if we haven't reached LOG_SIZE_LIMIT, it should do nothing - No issues
- if we have reached LOG_SIZE_LIMIT but there are no closed indices, it should do nothing - No issues
- if there are closed indices but we haven't reached LOG_SIZE_LIMIT, it should do nothing - No issues
- if we have reached LOG_SIZE_LIMIT and there are closed indices, it should delete closed indices until we are below LOG_SIZE_LIMIT or there are no more closed indices - No issues
from security-onion.
Published:
https://blog.securityonion.net/2021/02/elastic-stack-7102-now-available-for.html
from security-onion.