You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

The following information is extracted from Doug’s Security Onion blog:

What is it?

The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?

The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?

-The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.

-The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.

-The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.

I haven’t had a chance to download it yet, but I will definitely give it a try over the next few days. I’m very interested in trying out the IDS installation feature and see how it compares to other Sguil installation scripts like NSMnow. I’m currently working on the deployment of a good number of Sguil servers/sensors and NSMnow has reduced significantly the time needed to get them up and running. Hence, any new development on this topic is more than welcome.

I will keep posting my findings on this new exciting tool!

Besides that, there are plenty of rumours about a possible Conficker attack on 1st April. I know you may think it’s all hype or scaremongering, and it might well be. But, if you run a large corporate network I’m sure you don’t want to sit down and wait until 1st April to find out.

If that’s the case, you have to know that the Honeynet Project has been working on a way to detect Conficker-infected machines and that they have just released a scanner for this task. The scanner is available as a python script and as a windows .exe executable, and can be used to scan a single host or a whole network range.

When run it on my mac the output looked like this:

# ./scs.py 192.168.1.1 192.168.1.254

———————————-
Simple Conficker Scanner
———————————-
scans selected network ranges for
conficker infections
———————————-
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
———————————-

No resp.: 192.168.1.1:445/tcp.
No resp.: 192.168.1.82:445/tcp.
No resp.: 192.168.1.80:445/tcp.
No resp.: 192.168.1.81:445/tcp.
No resp.: 192.168.1.95:445/tcp.
192.168.1.99 seems to be clean.
192.168.1.101 seems to be clean.
192.168.1.85 seems to be clean.
192.168.1.97 seems to be clean.
192.168.1.106 seems to be clean.

Alternatively, popular scanners like nmap, Nessus and others have quickly updated their plugins to support Conficker detection. At the moment, Nmap 4.85beta5 has all the scripts included, and it’s now ready for download at http://nmap.org/download.html. If you’re are running a Unix-like system you probably want to update nmap from svn:

$ svn co –username=guest –password=” svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install

Then run nmap using the new NSE script:

$ nmap –script=smb-check-vulns –script-args=safe=1 -p445 -d <target>

As of Nessus, use plugin #36036 to detect any variant of Conficker.

The Honeynet Project has also released Snort signatures to detect Conficker.A and Conficker.B traffic. Make sure you update your IDS sensors with these signatures and be ready to monitor your console over the next few days. If you don’t have any IDS technology in place (I will resist the temptation to ask you why by now) but you have access to a network span port, you can still plug any Unix-like box in and run ngrep like this:

$ sudo ngrep -qd eth0 -W single -s 900 -X
<insert shellcode string from here>
‘tcp port 445 and dst net <local network range>‘

Further details about Conficker fingerprint and the detection methods and tools can be found here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker

Good luck.