Saturday, October 22, 2011

Security Onion 20111020 now available!

Security Onion 20111020 is now available!  This resolves Issue 133 by updating the NSM scripts to spawn daemonlogger (instead of snort) for full packet capture.  Since daemonlogger is simpler than snort and specifically designed for packet capture, it is more efficient and possibly more secure.

In addition, daemonlogger defaults to a snaplen of 65535, so this is a PARTIAL solution to the problem described here.  I emphasize that this only a partial solution because it only solves the full packet capture problem and not the packet reassembly problem.  NIC offloading should still be disabled to allow Snort to do proper target-based reassembly and thus minimize the likelihood of insertion/evasion attacks.  For more information, please see the Snort manual.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L > ~/ && bash ~/"

Upgrade Process

No comments: