Security Onion 20120329 is now available! This resolves the following issues:
Issue 114: Provide single location for configuring BPF filters
Issue 224: typo in nsm_sensor-ps-start
Issue 242: Set Suricata runmode to autofp
Issue 243: Remove VLAN setting from pcap_agent.conf
As you can see in the screenshot below, this update will create a bpf.conf file for each sensor interface on your system. For example, if you have two sensor interfaces (eth0 and eth1), you'll now have two bpf.conf files:
The NSM scripts now pass "-F /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to Snort and Suricata and "-f /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to daemonlogger. However, Suricata's afpacket mode currently doesn't support BPF. I've created Suricata feature request #440 for this.
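Because a BPF filter decides which traffic the sensors never see, it is worth auditing each interface's bpf.conf after the upgrade. The following is an added example, not part of Security Onion or the original post; the audit_bpf name, its status words and passing the hostname as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of Security Onion's NSM scripts.
# Assumption: sensor directories are named $HOSTNAME-$INTERFACE under the NSM
# root, as in the /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf path given above.

# audit_bpf NSM_DIR HOST
# Prints "<interface> <content> <perms>" for every sensor interface of HOST:
#   content: missing  = no bpf.conf for the -F / -f option to read
#            empty    = no filter text, so nothing is excluded from capture
#            filtered = filter present; review what it drops from monitoring
#   perms:   writable = group- or world-writable, so a non-root user could
#                       change what the sensor sees; ok otherwise
audit_bpf() {
    nsm_dir=$1
    host=$2
    for dir in "$nsm_dir/$host"-*/; do
        [ -d "$dir" ] || continue              # glob matched nothing
        iface=${dir%/}
        iface=${iface#"$nsm_dir/$host-"}       # keep only the interface name
        file="${dir}bpf.conf"

        if [ ! -f "$file" ]; then
            printf '%s missing -\n' "$iface"
            continue
        fi

        if grep -q '[^[:space:]]' "$file"; then
            content=filtered
        else
            content=empty
        fi

        if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]; then
            perms=writable
        else
            perms=ok
        fi
        printf '%s %s %s\n' "$iface" "$content" "$perms"
    done
}

# Run directly as: sh audit_bpf.sh /etc/nsm "$(hostname)"
if [ "$#" -eq 2 ]; then audit_bpf "$1" "$2"; fi
```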
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
If you have any questions, please join our mailing list and ask away!
Thanks to the following for their help in testing this release!
Security Onion needs you! Please see the new Team Members page on the wiki!
Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June! For more information, please see: