Thursday, May 10, 2012

Security Onion 20120511 now available!

Security Onion 20120511 is now available!  This resolves the following issues:

Issue 205:      Bro's http.log needs to be per-interface

Issue 264:      NSM package is missing the bro cron job

Issue 265:      Upgrade httpry_agent to http_agent to support Bro logs

Issue 266:      Remove httpry from NSM scripts

In summary, this update migrates from the combination of httpry/httpry_agent to Bro/http_agent.  As noted in, this means that networks with VLAN tags will now get HTTP logs in Sguil.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L > ~/ && bash ~/"

Upgrade Process
If you have any questions, please join our mailing list and ask away!

Thanks to Paul Halliday for adding Bro http.log support to http_agent!
Thanks to Seth Hall for the security-onion.bro script for splitting Bro's http.log when necessary!
Thanks to the following for their help in testing this release!
Scott Runnels
Tom De Vries
David Zawdie

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:


Paul said...
This comment has been removed by the author.
Doug Burks said...

Hi Paul,

Yes, I believe some folks do use Security Onion as a host.

I don't know of anyone running SELinux on Ubuntu.

Security Onion is robust. It can run on bare metal or in VM, although you will probably get better performance on bare metal.

If you have further questions, please join our mailing list and ask there.


Jamie said...

I haven't used this distro before and I'm trying a few different platforms for SNORT that will feed our SIEM. I have Security Onion set up and it's working perfect, Snorby and SQueRT both are working and displaying events. I'm having a problem when it comes to reading the MySQL database. I point our SIEM to the securityonion_db using the credentials for a user I created and it's not pulling the events. I tried looking for info on reading the MySQL database, but cant really find any.

Any suggestion?

Doug Burks said...

Hi Jamie,

MySQL only listens on localhost by default.

If you have further questions, please join our mailing list and ask there.