I'm currently working on building the next version of the Security Onion LiveCD. It will be based on a fully-updated Xubuntu 10.04 and will have all the tools that were in previous versions with one exception: Snort 3.0 (SnortSP) currently does not compile on Ubuntu 10.04. However, the new Suricata IDS/IPS engine does compile so it will be taking the place of SnortSP. You'll be able to choose between the current production version of Snort (2.8.6.1) or Suricata. Regardless of which IDS engine you choose, your alerts will be available for analysis in Sguil.
We've been nearing the limit of a 700MB CD image for some time, so we will be switching to a DVD image to allow for more software. What suggestions do you have for the new version of the Security Onion LiveCD? Please leave a comment here or add your suggestion at the Security Onion Issue Tracker. Thanks!
Any write-up on integrating Suricata and Sguil?
Thanks! :)
Hi Salaz,
The easiest way to integrate Suricata and Sguil is to first use the NSMnow installer to get Snort, Barnyard2, Sguil, etc. all installed and configured. Then, install Suricata and configure its output to be identical to Snort (same output directory and unified2 format). Finally, change the startup script to start Suricata instead of Snort.
Regards,
Doug Burks
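The integration described in the comment above works because Suricata can write the same unified2 records Snort does, so Barnyard2 reads either engine's spool file into Sguil. As an added example (not code from this post or from Security Onion), here is a minimal unified2 reader you can point at an engine's output file to confirm the records parse before Barnyard2 consumes them; the field layout follows Snort's unified2 definitions for the type 7 IDS event and type 2 packet records, and the sample stream it parses is constructed, not a real capture.

```python
import struct

# Record types shared by Snort's and Suricata's unified2 output (per Snort's unified2 definitions)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
_HDR = struct.Struct("!II")       # Serial_Unified2_Header: type, length (network byte order)
_EVENT = struct.Struct("!13I4B")  # Unified2IDSEvent (type 7): 13 uint32 then 4 uint8 = 56 bytes
_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id", "generator_id",
    "signature_revision", "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
_PACKET = struct.Struct("!7I")    # Serial_Unified2Packet header (type 2), followed by packet_length bytes

def ipv4(n):
    """Render a uint32 IPv4 address as a dotted quad."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def parse_unified2(data):
    """Return [(record_type, fields)] for a unified2 byte stream; stop cleanly at a truncated tail."""
    records, off = [], 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size:off + _HDR.size + rlen]
        if len(body) < rlen:
            break  # partial record at the tail: the sensor is usually still writing it
        if rtype == UNIFIED2_IDS_EVENT and rlen >= _EVENT.size:
            rec = dict(zip(_EVENT_FIELDS, _EVENT.unpack_from(body)))
            rec["ip_source"] = ipv4(rec["ip_source"])
            rec["ip_destination"] = ipv4(rec["ip_destination"])
        elif rtype == UNIFIED2_PACKET and rlen >= _PACKET.size:
            hdr = _PACKET.unpack_from(body)
            rec = {"event_id": hdr[1], "linktype": hdr[5],
                   "packet": body[_PACKET.size:_PACKET.size + hdr[6]]}
        else:
            rec = {"raw": body}  # IPv6 events, extra-data records etc. are passed through unparsed
        records.append((rtype, rec))
        off += _HDR.size + rlen
    return records

def sample_stream():
    """Constructed sample (not a real capture): one TCP alert 10.0.0.5:1234 -> 192.168.1.10:80 plus its packet."""
    event = _EVENT.pack(1, 42, 1285000000, 0, 2100498, 1, 7, 3, 2,
                        0x0A000005, 0xC0A8010A, 1234, 80, 6, 0, 0, 0)
    pkt = bytes(34)  # placeholder Ethernet+IP bytes; only the length matters for this example
    packet = _PACKET.pack(1, 42, 1285000000, 1285000000, 0, 1, len(pkt)) + pkt
    return (_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            _HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)
```

To check a real spool file, call `parse_unified2(open(path, "rb").read())` and confirm the signature_id and address fields match what the engine logged.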