Mike Reeves edited this page Jan 25, 2019 · 64 revisions

Hybrid Hunter 1.0.6 


  • Updated Elastic Stack Components to 6.5.2
  • Fixed an issue that was causing custom dashboards not to load.
  • Fixed a Salt race condition in which firewall rules failed to apply, causing the install to fail. Details found here.
  • Added additional wait time when starting the Kibana container so it can fully initialize before dashboards are applied. This only applies on first install or when you add a new custom dashboard to Salt.
  • Suricata updated to 4.1.2
  • Zeek updates:
    • Updated version to 2.6.1. The last "Bro" version.
    • Removed proxy calculation code from salt because this is no longer needed.
    • Now using logger to write the log files.
    • Added HASSH support.
  • Removed analyst firewall rules that are no longer needed now that NGINX proxies the connections.
  • Updated Fleet to the latest version, 2.0.2.
  • Fully integrated Fleet support. You can now pivot from Kibana to the Fleet interface by clicking LiveQuery and interact directly with hosts. Follow this guide to set it up.
  • Added Osquery rule packs from Palantir. Their repo is here.
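The Kibana wait described above is a fixed delay; the race it papers over (dashboards pushed before Kibana has finished initializing) is better closed by polling Kibana's status endpoint until it reports green. The following is an added example, not Hybrid Hunter's own code: the function names `kibana_state` and `wait_for_kibana` are assumptions, as is the base URL, and the probe/clock/sleep parameters exist only so the logic can be exercised offline.

```python
"""Added example (not Hybrid Hunter's code): gate dashboard import on Kibana
reporting 'green' from /api/status instead of sleeping a fixed number of seconds."""
import json
import time
import urllib.request


def kibana_state(base_url: str, timeout: float = 5.0) -> str:
    """Return Kibana's overall state ('green', 'yellow', 'red') from /api/status,
    or 'unreachable' while the port is not yet accepting connections.
    Kibana 6.x returns {"status": {"overall": {"state": "..."}}}."""
    try:
        with urllib.request.urlopen(f"{base_url}/api/status", timeout=timeout) as resp:
            body = json.load(resp)
    except (OSError, ValueError):
        return "unreachable"
    return body.get("status", {}).get("overall", {}).get("state", "unknown")


def wait_for_kibana(probe, max_wait: float, interval: float = 5.0,
                    clock=time.monotonic, sleep=time.sleep) -> bool:
    """Poll probe() until it returns 'green' or max_wait seconds elapse.
    Returns True when Kibana is ready, False on timeout. clock and sleep are
    injectable so the wait logic can be tested without a real Kibana."""
    deadline = clock() + max_wait
    while True:
        if probe() == "green":
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


def ready_or_raise(base_url: str = "http://localhost:5601", max_wait: float = 300) -> None:
    """Call this before importing dashboards; refuse to proceed on a timeout
    rather than pushing saved objects into a half-initialized Kibana."""
    if not wait_for_kibana(lambda: kibana_state(base_url), max_wait):
        raise RuntimeError(f"Kibana at {base_url} not green after {max_wait}s")
```

Used from a Salt state or a shell wrapper, the failure mode is explicit: a timeout aborts the dashboard step with a clear error instead of silently loading nothing.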


  • If upgrading from 1.0.5, you will need to remove local.bro from the exclude list text file; local.bro has changed so that Bro loads the HASSH package.
  • The Palantir rule packs are not enabled by default. You will need to assign hosts to them inside Fleet.
  • Current dashboards for osquery data are extremely basic. Look for these to get better over time. Better yet, submit your dashboards and they may end up in the distro!

Hybrid Hunter 1.0.5 


  • Access to web components is now done through port 443.
  • CentOS will now use the local docker registry.
  • Curator should trim the ES indexes on storage nodes.
  • Elastalert should now be configured to read rules from /opt/so/rules/elastalert and log to /opt/so/log/elastalert for master nodes and Eval Mode.
  • Eval Mode now uses Filebeat instead of a file input for sending logs to Logstash.
  • Fleet is installed on the Master role to manage osquery endpoints through the API on port 8080.
  • General Salt state module cleanup.
  • MySQL container for Fleet and roadmap items (e.g. user auth, potential alert data, etc).
  • Nginx proxying based on app name (e.g. /kibana, /grafana, /fleet).
  • NIDS Alert search adjusted to query the new ids event_type.
  • Re-Install process completely reworked.
  • Wazuh manager and agent installed to provide host-based monitoring for all roles.


  • In 1.0.5 you can now re-install over the top of an existing install and fully retain the data in ES, MySQL, Fleet, etc. Do not delete /opt/so on the master before a re-install or you will lose access to Fleet and MySQL. The re-install also retains the current SSL certificates. This matters because once you deploy osquery agents they are pinned to the original certificate; a new certificate would break enrollment for every existing agent.
  • The TLS server certificate presented when adding a new host in Fleet is actually the Nginx proxy certificate and will not pass certificate validation from osquery endpoints (Launcher will connect with the --insecure flag, but that disables certificate verification entirely). The Fleet certificate that should be distributed to agents is located at /etc/pki/fleet.crt.
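Before enrolling agents, it is worth confirming which certificate the Fleet API port actually serves and whether it validates against /etc/pki/fleet.crt, so that agents can be given that file as their trust root instead of being enrolled with --insecure. The following is an added example and not Hybrid Hunter's own code; the function names, the `make_pem` helper and the constructed sample certificate bytes are assumptions, as is the use of launcher's --root_pem option to pass the trusted certificate to an agent.

```python
"""Added example (not Hybrid Hunter code): check the certificate presented on the
Fleet API port against the one agents are expected to trust (/etc/pki/fleet.crt)."""
import base64
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def make_pem(der_bytes: bytes) -> str:
    """Wrap raw DER bytes in PEM armor. Used here only to build constructed
    samples for offline testing; real certificates come from files or the wire."""
    body = base64.encodebytes(der_bytes).decode("ascii")
    return f"{PEM_HEADER}\n{body}{PEM_FOOTER}\n"


def pem_sha256(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the DER form of a PEM certificate.
    ssl.PEM_cert_to_DER_cert requires the header at the very start, so strip
    leading whitespace that a copy/paste may have introduced."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.lstrip())
    return hashlib.sha256(der).hexdigest()


def fleet_cert_matches(expected_pem: str, presented_pem: str) -> bool:
    """True if the presented leaf cert is byte-for-byte the expected one."""
    return pem_sha256(expected_pem) == pem_sha256(presented_pem)


def presented_cert(host: str, port: int = 8080) -> str:
    """Fetch the leaf certificate the Fleet port is serving. get_server_certificate
    performs no validation on purpose: we want to see the Nginx proxy cert even
    though an agent would reject it."""
    return ssl.get_server_certificate((host, port))


def validates_with_root(host: str, root_pem_path: str, port: int = 8080) -> bool:
    """Do what an agent started with --root_pem /etc/pki/fleet.crt would do:
    complete a TLS handshake trusting only that file. Hostname checking is off
    because agents are usually pointed at an IP; chain validation still runs."""
    ctx = ssl.create_default_context(cafile=root_pem_path)
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


# Constructed sample data (not real certificates) for an offline self-check.
SAMPLE_FLEET_PEM = make_pem(b"constructed-fleet-cert")
SAMPLE_PROXY_PEM = make_pem(b"constructed-nginx-proxy-cert")


def self_check() -> bool:
    """Offline demonstration: identical certs match, the proxy cert does not."""
    return (fleet_cert_matches(SAMPLE_FLEET_PEM, SAMPLE_FLEET_PEM)
            and not fleet_cert_matches(SAMPLE_FLEET_PEM, SAMPLE_PROXY_PEM))
```

Against a live master, `validates_with_root("master", "/etc/pki/fleet.crt")` returning False while `presented_cert("master")` shows the proxy certificate reproduces the known issue above; the fix is to distribute fleet.crt to agents and point them at the endpoint that actually serves it, not to enroll with --insecure.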

Hybrid Hunter 1.0.4


  • Checkins every 15 minutes are now working.
  • Fixed an issue with storage nodes only using 1 pipeline worker. You should see a performance boost on dedicated storage nodes.
  • Grafana, InfluxDB, Telegraf. Monitor all the things! See the docs here.
  • Improved Parsing. All Suricata data should now be parsing correctly.
  • Bro now uses JSON to send logs.
  • Setting the MTU for a sensor in advanced install will now actually set the MTU.
  • You can now re-run setup and re-configure a device. Details
  • Advanced setup option for master setup.
  • Ability to choose which Bro logs are shipped during the advanced master install.
  • Move PCAP tmp directory under /nsm.
  • Create PCAP out directory for pulling pcaps. This is in preparation for the API coming in a later version.


  • Because of extensive changes to the pillars, you will need to sync the repo and re-run setup on all existing HH nodes. All of your ES data etc. should remain intact.
  • Scheduling now works properly in Salt. This means that if you stop a required service, it will be restarted automatically when the node checks in again, within 15 minutes. This won't fix whatever is causing a service to crash, but it will restart it.

Hybrid Hunter 1.0.3


  • Suricata 4.1.0!
  • You can now choose Suricata as a metadata source instead of Zeek/Bro - See Notes.
  • Suricata will now restart automatically when changes are made to suricata.yaml or the rules.
  • Custom logstash parsers will auto load on restart if you drop them in the proper custom directory.
  • Logstash will restart if you make changes to the configs.
  • Elastic Components are now 6.4.2.
  • All Docker images are pulled from our official HH repo.
  • Filebeat will now restart if changes are made to filebeat.yml.
  • Zeek/Bro will now restart when changes are made to local.bro, node.cfg, or any policy.
  • The so-core container will restart automatically when changes are made to nginx.conf.
  • Basic upgrade script. See the docs here
  • Change install temp directory to a more secure location.
  • The Salt key is deleted so you can re-install.
  • Reduce the verbosity of some install components.
  • Fix a bug in eval mode with Stenographer not setting the proper interface. Thanks Dustin Lee!

Known issues:

  • The NIDS dashboard is limited to a count and a count-over-time view. This will continue to improve in follow-up releases.
  • If you are doing an eval install and don't have DNS on your network, make sure you add the external IP and the hostname of the box to the hosts file.

Notes:

  • Suricata metadata support adds the ability to use Suricata instead of Zeek/Bro for gathering metadata. Don't expect much to work in this first version as far as parsing or dashboards; we will continue to reel this in going forward. If you choose Suricata, setup will still prompt you for Bro pins/processes.

Hybrid Hunter 1.0.2


  • Correct parsing of Suricata events. Thanks Wes Lambert!
  • Turned off some extra Suricata logging that was redundant.
  • eve.json should rotate now.
  • Changed the Logstash container to the new naming convention in the sls.
  • New Logstash docker that includes the new parser.


You will need to re-install your VMs for this update. An upgrade script is planned for 1.0.3.

Hybrid Hunter 1.0.1


  • Full CentOS 7 support.
  • Evaluation Mode is now here! You can now install everything on a single VM.
  • General setup script cleanup and formatting to improve readability.
  • Cancel should work more reliably during setup.
  • Changed the name from "Technology Preview" to "Hybrid Hunter".

Known issues:

Hybrid Hunter 1.0.0

General differences

  • All services run in their own docker containers.
  • Support for Ubuntu 16.04 and CentOS 7.
  • Removed the need for any GUI components.
  • All management of Sensors is now centralized.
  • AutoSSH is no longer used for sensor communication; it has been replaced with SSL.

What hasn't been added yet?

  • Sensors will "self heal" every 15 minutes.
  • Snort support.
  • Sguil support.
  • PCAP support.

Suricata

  • Suricata now runs in a docker container.
  • We now use AF_Packet instead of pf_ring for packet acquisition.
  • General settings tweaks are now made in the sensor-specific sls file.
  • New location for suricata.yaml.

Bro

  • Bro now runs in a docker container.
  • Bro now uses AF_Packet for packet acquisition.
  • SMB, JA3, and JA3S are now enabled by default.
  • Support for CPU pinning.

Community Bro

  • Added Community Bro 1.0.0 to Security Onion.
  • Community Bro runs in a docker container.
  • Community Bro uses AF_Packet for packet acquisition.


  • Default policies are now contained inside the docker container.
  • Filebeat and SSL are used to get events from sensors.