Friday, September 11, 2015

New securityonion-elsa-extras and securityonion-web-page packages add support for new Bro 2.4 logs

The recent Bro 2.4 package includes some new Bro logs such as mysql.log, kerberos.log, rdp.log, pe.log, and sip.log.  These new logs are now parsed properly with the new securityonion-elsa-extras package and the new securityonion-web-page package adds new queries that take advantage of this new parsing.

Here are the updated packages:
securityonion-elsa-extras - 20131117-1ubuntu0securityonion112
securityonion-web-page - 20141015-0ubuntu0securityonion28
These packages have been tested by the following (thanks!):
James Taylor
Josh Brower
Simone Bonetti

These new packages resolve the following issues:

Issue 755: securityonion-elsa-extras: add parser for Bro 2.4 mysql.log
https://github.com/Security-Onion-Solutions/security-onion/issues/755

Issue 756: securityonion-elsa-extras: add parser for Bro 2.4 kerberos.log
https://github.com/Security-Onion-Solutions/security-onion/issues/756

Issue 757: securityonion-elsa-extras: add parser for Bro 2.4 rdp.log
https://github.com/Security-Onion-Solutions/security-onion/issues/757

Issue 758: securityonion-elsa-extras: add parser for Bro 2.4 pe.log
https://github.com/Security-Onion-Solutions/security-onion/issues/758

Issue 759: securityonion-elsa-extras: add parser for Bro 2.4 sip.log
https://github.com/Security-Onion-Solutions/security-onion/issues/759

Issue 780: securityonion-elsa-extras: add parser for IIS logs
https://github.com/Security-Onion-Solutions/security-onion/issues/780

Issue 782: securityonion-elsa-extras: update sysmon parser
https://github.com/Security-Onion-Solutions/security-onion/issues/782

Issue 776: securityonion-elsa-extras: set version 3.3 in syslog-ng.conf
https://github.com/Security-Onion-Solutions/security-onion/issues/776

Issue 796: securityonion-elsa-extras: Add script to fix ELSA syslogs_archive_1 issue
https://github.com/Security-Onion-Solutions/security-onion/issues/796

Issue 801: securityonion-web-page: add queries for Bro kerberos logs
https://github.com/Security-Onion-Solutions/security-onion/issues/801

Issue 802: securityonion-web-page: add queries for Bro mysql logs
https://github.com/Security-Onion-Solutions/security-onion/issues/802

Issue 803: securityonion-web-page: add queries for Bro pe logs
https://github.com/Security-Onion-Solutions/security-onion/issues/803

Issue 804: securityonion-web-page: add queries for Bro rdp logs
https://github.com/Security-Onion-Solutions/security-onion/issues/804

Issue 805: securityonion-web-page: add queries for Bro sip logs
https://github.com/Security-Onion-Solutions/security-onion/issues/805

Issue 794: securityonion-web-page: add DHCP Servers query
https://github.com/Security-Onion-Solutions/security-onion/issues/794

Issue 798: securityonion-web-page: add HTTP sites hosting SWF
https://github.com/Security-Onion-Solutions/security-onion/issues/798

Screenshots
Mysql - Top Arguments

Kerberos - Top Services

PE - Sections

RDP - Result

RDP - Keyboard Layout

RDP - Client Build

SIP - Status Msg


Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

No comments:

Search This Blog

Featured Post

Security Onion Documentation printed book now updated for Security Onion 2.4.60!

We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for the recent...

Popular Posts

Blog Archive