Thursday, December 29, 2011

Security Onion 20111229 now available!


Security Onion 20111229 is now available!  This resolves the following issues:
Issue 109:  Optional PADS or PRADS
Issue 115:  edit nsm_sensor_edit
Issue 162:  Process watchdog
Issue 164:  No sensor status info then server is down
Issue 173:  nsm_sensor_clean cronjob should output date to logfile

Thanks to Karolis for his work on integrating PADS into the distro!

Notes
  • The PADS configuration file (/etc/nsm/SENSOR-NAME/pads.conf) contains a "network" variable which defaults to:
    192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
    You will need to change this variable if you're monitoring public IP space.
  • The new process watchdog runs every 5 minutes and will restart any sensor process that has crashed.  It will move the process's old log file to PROCESS.log.TIMESTAMP so that you can determine why the process crashed. 
New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

PADS events in Sguil

If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Tuesday, December 27, 2011

Security Onion 20111228 now available!


Security Onion 20111228 is now available!  This resolves the following issue:
Issue 151: NetworkMiner

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

NetworkMiner menu entry


If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html


Security Onion 20111227 now available!


Security Onion 20111227 is now available!  This resolves the following issue:
Issue 172: Snorby Export-to-PDF results in error

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process
If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Friday, December 23, 2011

Security Onion 20111222 now available!


Security Onion 20111222 is now available!  This resolves the following issue:
Issue 51: Snorby

Snorby is a modern web interface for Network Security Monitoring:
The new hotness
A few things to note:

  • The Snorby database is totally separate from the Sguil database.  This means that you will have a separate user account to log into Snorby.  It also means that any events that you classify in Snorby are not reflected back into the Sguil database.
  • A new output is added to the barnyard2 configuration to send events to the Snorby database.  Remote sensors establish an SSH tunnel to the server to encrypt the MySQL traffic.
  • This is just the initial integration of Snorby.  In the future we'll add things like full packet capture support and Dustin's new unified2 library.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

The Setup wizard has been updated to support Snorby.  You will create a username for Sguil/Squert and a separate username for Snorby (your email address).  The password that you enter will be used for both Sguil/Squert and Snorby.
Updated Setup Wizard

Entering email address for Snorby

Same password will be used for both Sguil/Squert and Snorby

Double-click the Snorby desktop shortcut

Login using the email address and password you specified in Setup

If necessary, generate some IDS alerts using "curl http://testmyids.com"

View your IDS alerts on the Events tab


In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).


If you have one or more slave sensors reporting to a central master server, always upgrade the master first!

Since Snorby and Sguil have separate databases, your existing Sguil credentials will not allow you to log into Snorby.  The in-place upgrade process will generate a username and random password for your initial Snorby login.  You should immediately log in with your temporary credentials and change them.


Completing upgrade of an existing system

Double-click the Snorby desktop shortcut or use the URL shown in the upgrade

Login using the credentials shown in the upgrade

Click "Settings" to change your username/password

Set your new credentials

Login using your new credentials

If necessary, generate some alerts with "curl http://testmyids.com"
View your IDS alerts on the Events tab

If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Merry Christmas!

Wednesday, December 14, 2011

Security Onion 20111214 now available!


Security Onion 20111214 is now available!  This resolves the following issue:

The previous purging method only removed old pcaps from the dailylogs directories.  The new method removes old pcaps but also purges old argus, httpry, and unified2 files.  

For those running multiple sensors on the same /nsm, the previous purging method would have deleted all pcaps from the first sensor before beginning to purge the second sensor.  The new method tries to delete more evenly across the sensors.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process
Purging
/etc/cron.d/sensor-clean contains a cronjob that runs the purge hourly.  You can manually run the purge as follows:
sudo /usr/local/sbin/nsm --sensor --clean

Monday, December 12, 2011

Security Onion 20111213 now available!


Security Onion 20111213 is now available!  This resolves the following issues:
Issue 168: Suricata 1.1.1

If you are already using Suricata and have customized your suricata.yaml file, please note that it will be backed up to /nsm/backup/20111213/NAME-OF-SENSOR/ and then overwritten with the new config file.  Please copy any of your customizations (HOME_NET, etc.) from /nsm/backup/20111127/NAME-OF-SENSOR/suricata.yaml to the production copy /etc/nsm/NAME-OF-SENSOR/suricata.yaml.

As noted here, Suricata includes some anomaly detection in the form of decoder-events.rules and stream-events.rules.  These two rulesets have been disabled in this update.  You can manually re-enable them if desired.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Switching to Suricata
If you're currently running Snort and would like to switch to Suricata, use the following commands to stop Snort, change the ENGINE variable in the config file, and then run PulledPork to download the Suricata-specific ruleset (if running Emerging Threats rules):
sudo nsm_sensor_ps-stop --only-snort-alert
sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf
sudo /usr/local/bin/pulledpork_update.sh 

Screenshots
Upgrade Process

Thursday, December 1, 2011

Security Onion 20111202 now available!


Security Onion 20111202 is now available!  This resolves the following issue:
Issue 139: Squert needs HTTPS

This update will convert Squert and Xplico to HTTPS.  It will also automatically update any Squert/Xplico shortcuts contained within the Security Onion installation to use HTTPS.  If you have any Squert/Xplico bookmarks on any other computers in your network, you should just need to change them from HTTP to HTTPS.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

Security Onion 20111201 now available!


Security Onion 20111201 is now available!  This resolves the following issues:
Issue 157: Update pulledpork.conf.master with new local_rules declaration
Issue 159: NSM scripts are storing initial Sguil credentials in /etc/nsm/securityonion/server.conf

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

Wednesday, November 30, 2011

Security Onion 20111130 now available!


Security Onion 20111130 is now available!  This resolves the following issue:
Issue 144 - sguild.email configuration not loading properly

New Users
New users can download and install the new 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

Tuesday, November 29, 2011

Notes on Suricata 1.1 Update

A few quick notes on the Suricata 1.1 update and its default suricata.yaml configuration file:

decoder-events.rules and stream-events.rules
By default, suricata.yaml includes the following rules:
 - decoder-events.rules
 - stream-events.rules

This results in alerts like these:
Suricata stream events example
If you don't wish to see these alerts, simply comment out those two rules in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

EXTERNAL_NET
By default, suricata.yaml sets EXTERNAL_NET to "!HOME_NET".  (The Snort default in snort.conf is "EXTERNAL_NET any".)  If you'd like to change this, simply make the change in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

How do I edit suricata.yaml and restart Suricata?
If you have GUI access to your sensor, you can use the "IDS Config" menu entry as described here:
http://securityonion.blogspot.com/2011/09/security-onion-20110909-now-available.html

Otherwise, you can do the following:

  • Modify /etc/nsm/NAME-OF-SENSOR/suricata.yaml using your favorite text editor.
  • Restart Suricata using the following command:
    sudo nsm --sensor --restart --only-snort-alert

Sunday, November 27, 2011

Security Onion 20111127 now available!

Security Onion 20111127 is now available!  This resolves the following issues:
Issue 134 - Upgrade Suricata to 1.1
Issue 153 - When IDS Engine is Suricata, PulledPork needs to download Suricata version of ET rules

If you are already using Suricata and have customized your suricata.yaml file, please note that it will be backed up to /nsm/backup/20111127/NAME-OF-SENSOR/ and then overwritten with the new config file.  Please copy any of your customizations (HOME_NET, etc.) from /nsm/backup/20111127/NAME-OF-SENSOR/suricata.yaml to the production copy /etc/nsm/NAME-OF-SENSOR/suricata.yaml.

New Users
New users can download and install the 20111103 ISO image using the instructions here.  The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Switching to Suricata
If you're currently running Snort and would like to switch to Suricata, use the following commands to stop Snort, change the ENGINE variable in the config file, and then run PulledPork to download the Suricata-specific ruleset (if running Emerging Threats rules):
sudo nsm_sensor_ps-stop --only-snort-alert
sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf
sudo /usr/local/bin/pulledpork_update.sh 
Screenshots
Upgrade Process

Thursday, November 17, 2011

Follow-up on OSSEC alerts for packet loss


This is a follow-up to my recent post "How do I receive an email when my sensor stops receiving traffic?".  That post explains the core idea which I have since refined.


Refinement #1: Tell me which interface stopped receiving traffic
The first area of refinement is making the output a little more verbose so that, if we have multiple interfaces, we know exactly which interface stopped receiving traffic.  We do that by modifying the "bandwidth" command in /var/ossec/etc/ossec.conf as follows:
  <localfile>
    <log_format>command</log_format>
    <command>grep -v "^#" /etc/nsm/sensortab |awk '{print $1}' |while read SENSOR; do INTERFACE=`echo $SENSOR|cut -d\- -f3`; echo -n "$INTERFACE: "; tail -1 /nsm/sensor_data/$SENSOR/snort.stats |cut -d\, -f3; done</command>
    <alias>bandwidth</alias>
  </localfile>
Refinement #2: Give me more flexibility in the OSSEC rule structure
The second area of refinement is implementing a tiered OSSEC rule structure.  This gives us more flexibility and troubleshooting capability.  We do this by editing /var/ossec/rules/local_rules.xml and replacing our previous single rule with these two rules:

  <rule id="100001" level="1">
    <if_sid>530</if_sid>
    <match>ossec: output: 'bandwidth':</match>
    <description>Bandwidth statistics from snort.stats</description>
  </rule>
  <rule id="100002" level="7">
    <if_sid>100001</if_sid>
    <regex>0.000</regex>
    <description>Bandwidth down to 0.000.  Please check interface, cabling, and tap/span!</description>
  </rule>
The first rule just identifies "bandwidth" output and only logs it to disk (level 1 alerts do not generate email by default).  The second rule is a child rule of the first and alerts/emails (level 7) when bandwidth is down to 0.000. 

Since we're now logging all "bandwidth" output, we can search for it in the OSSEC logs:
grep "bandwidth" /var/ossec/logs/alerts/alerts.log
2011 Nov 17 14:28:50 so->bandwidth
ossec: output: 'bandwidth': eth4: 8.940
2011 Nov 17 14:28:50 so->bandwidth
ossec: output: 'bandwidth': eth5: 7.189
2011 Nov 17 14:38:54 so->bandwidth
ossec: output: 'bandwidth': eth4: 8.920
2011 Nov 17 14:38:54 so->bandwidth
ossec: output: 'bandwidth': eth5: 7.223
Refinement #3: Use Linux kernel's built-in packet counters instead of relying on snort.stats
The third area of refinement is not relying on snort.stats but instead using the Linux kernel's built-in packet counters.  (I hinted at this in the previous post.)  This could be used to replace the entire "bandwidth" configuration above, or to complement it for a belt-and-suspenders approach.  We start off by adding the following to /var/ossec/etc/ossec.conf:

  <localfile>
    <log_format>command</log_format>
    <command>grep -v "^#" /etc/nsm/sensortab |awk '{print $4}' |while read SENSOR; do echo -n "$SENSOR: "; RX1=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; sleep 300; RX2=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; expr $RX2 - $RX1; done</command>
    <alias>packets_received</alias>
  </localfile>
This follows the same format as the "bandwidth" command, but pulls the count of received packets from ifconfig, waits 5 minutes, pulls the RX count from ifconfig a second time, and subtracts the first from the second to get the total number of packets received in the 5-minute interval.

Next, we add these two rules to /var/ossec/rules/local_rules.xml:
  <rule id="100003" level="1">
    <if_sid>530</if_sid>
    <match>ossec: output: 'packets_received':</match>
    <description>Number of packets received in 5-minute interval</description>
  </rule>
  <rule id="100004" level="7">
    <if_sid>100003</if_sid>
    <regex> 0</regex>
    <description>Received 0 packets in a 5-minute interval.  Please check interface, cabling, and tap/span!</description>
  </rule>
Since we're now logging all "packets_received" output, we can search for it in the OSSEC logs:
grep "packets_received" /var/ossec/logs/alerts/alerts.log
2011 Nov 17 14:33:50 so->packets_received
ossec: output: 'packets_received': eth4: 70969
2011 Nov 17 14:38:50 so->packets_received
ossec: output: 'packets_received': eth5: 63059
2011 Nov 17 14:43:54 so->packets_received
ossec: output: 'packets_received': eth4: 71030
2011 Nov 17 14:48:54 so->packets_received
ossec: output: 'packets_received': eth5: 67475
When the number of received packets drops to 0, rule 100004 triggers a level 7 alert, generating an email if configured to do so.
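
An added example (not from the original post): the same per-interval RX delta, read from the kernel's /sys/class/net/IFACE/statistics/rx_packets counters rather than from ifconfig's "RX packets:N" text, with one snapshot of all interfaces taken before and after a single sleep. The function names, the SENSORTAB/NET_ROOT overrides and the "unknown" output for a missing interface are assumptions of this example; the output otherwise keeps the "IFACE: COUNT" shape that rule 100004 matches.

```shell
#!/bin/sh
# Added example, not the blog author's code.
# SENSORTAB and NET_ROOT are hypothetical overrides so the logic can be run
# against constructed files; the defaults are the real paths.
SENSORTAB="${SENSORTAB:-/etc/nsm/sensortab}"
NET_ROOT="${NET_ROOT:-/sys/class/net}"

# Interfaces to watch: 4th column of each non-comment sensortab line,
# the same column the post's "packets_received" command uses.
monitored_interfaces() {
    grep -v '^#' "$SENSORTAB" | awk 'NF >= 4 {print $4}'
}

# One line per interface: "IFACE COUNT", or "IFACE missing" when the kernel
# has no such interface (renamed NIC, unloaded driver).
snapshot_rx() {
    monitored_interfaces | while read -r iface; do
        counter="$NET_ROOT/$iface/statistics/rx_packets"
        if [ -r "$counter" ]; then
            echo "$iface $(cat "$counter")"
        else
            echo "$iface missing"
        fi
    done
}

# Succeeds only for a non-empty string of digits.
is_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Compare two snapshots and print "IFACE: DELTA" for each interface.
rx_delta() {
    before="$1"
    after="$2"
    echo "$after" | while read -r iface rx2; do
        [ -n "$iface" ] || continue
        rx1=$(echo "$before" | awk -v i="$iface" '$1 == i {print $2}')
        if ! is_count "$rx1" || ! is_count "$rx2"; then
            # Not a zero: the page's " 0" regex will not match this line.
            echo "$iface: unknown"
        elif [ "$rx2" -lt "$rx1" ]; then
            # Counter went backwards (reset); rx2 packets arrived since then.
            echo "$iface: $rx2"
        else
            echo "$iface: $((rx2 - rx1))"
        fi
    done
}

# Snapshot every interface, wait once, snapshot again, report deltas.
report_rx_deltas() {
    interval="${1:-300}"
    before=$(snapshot_rx)
    sleep "$interval"
    after=$(snapshot_rx)
    rx_delta "$before" "$after"
}

# Run only when asked, e.g. "sh rx_delta.sh --run 300" as the OSSEC <command>.
if [ "${1:-}" = "--run" ]; then
    report_rx_deltas "${2:-300}"
fi
```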

Security Onion 20111118 now available!


Security Onion 20111118 is now available!  This resolves the following issue:
Issue 141 - Upgrade Barnyard2

New Users
New users can download and install the new 20111103 ISO image using the instructions here and then follow the In-Place Upgrade instructions below.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

Wednesday, November 16, 2011

Security Onion 20111116 now available!


Security Onion 20111116 is now available!  This resolves the following issue:
Issue 150 - Ensure that OSSEC timezone matches the host's timezone

New Users
New users can download and install the new 20111103 ISO image using the instructions here and then follow the In-Place Upgrade instructions below.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots
Upgrade Process

Tuesday, November 15, 2011

How do I receive an email when my sensor stops receiving traffic?

Recently, I logged into Sguil and noticed that a normally busy sensor had no current alerts.  I looked at the full packet capture logs for the sensor and determined that it hadn't received any traffic from the tap in a while.  We resolved the issue with the tap and started seeing traffic again, but I also resolved to create an automated notification for the next time this happens.

Snort is already writing bandwidth statistics to /nsm/sensor_data/$SENSOR/snort.stats and we are going to use OSSEC to monitor the file and send email when the bandwidth drops to 0.  We could possibly write an OSSEC decoder to have it parse snort.stats directly, but let's instead use OSSEC's process monitoring feature so that we can perhaps extend this in the future to use the Linux kernel's built-in packet counters.  For now, we're going to rely on snort.stats.

The first thing we need to do is obtain the full path to the snort.stats file(s) by determining the interfaces that are being monitored by Sguil.  We do this by searching /etc/nsm/sensortab for any lines that are not commented out and piping to awk to print just the first column:
grep -v "^#" /etc/nsm/sensortab |awk '{print $1}'
For each of the sensors in the output of the previous command, we want to look at the most recent bandwidth statistics, so we pipe to a while-loop and use "tail -1" on the respective snort.stats file:
grep -v "^#" /etc/nsm/sensortab |awk '{print $1}' |while read SENSOR; do tail -1 /nsm/sensor_data/$SENSOR/snort.stats; done
snort.stats is a CSV file and we only want the third column of data, so we pipe the previous command to cut and tell it the delimiter is a comma and to output the third field:
grep -v "^#" /etc/nsm/sensortab |awk '{print $1}' |while read SENSOR; do tail -1 /nsm/sensor_data/$SENSOR/snort.stats; done |cut -d\, -f3
Here's some sample output for a sensor with two monitored interfaces:
3.481
0.089
We now have a nice single command that OSSEC can run periodically to retrieve the bandwidth of our monitored interfaces.  We add this as a "command" in /var/ossec/etc/ossec.conf and give it an alias of "bandwidth":
  <localfile>
    <log_format>command</log_format>
    <command>grep -v "^#" /etc/nsm/sensortab |awk '{print $1}' |while read SENSOR; do tail -1 /nsm/sensor_data/$SENSOR/snort.stats; done |cut -d\, -f3</command>
    <alias>bandwidth</alias>
  </localfile>
Upon restart, OSSEC will periodically run the command, but won't do anything with the output until we add a rule to tell it what to do.  We add the following rule to /var/ossec/rules/local_rules.xml to check the output hourly (every 3600 seconds) and see if the bandwidth value has gone down to 0.000:
  <rule id="100001" level="7" ignore="3600">
    <if_sid>530</if_sid>
    <match>ossec: output: 'bandwidth':</match>
    <regex>0.000</regex>
    <description>Bandwidth down to 0.000.  Please check interface, cabling, and tap/span!</description>
  </rule>
If we didn't already have OSSEC configured to send email, we could do so by adding the following to the <global> section of /var/ossec/etc/ossec.conf:
    <email_notification>yes</email_notification>
    <email_to>YOUR.USERNAME@YOUR-DOMAIN.COM</email_to>
    <smtp_server>YOUR-SMTP-RELAY.YOUR-DOMAIN.COM</smtp_server>
    <email_from>OSSEC@YOUR-DOMAIN.COM</email_from>
Next, we restart OSSEC to activate the new configuration:
sudo service ossec restart
Finally, we simulate traffic loss and receive an email like the following:
OSSEC HIDS Notification.
2011 Nov 15 06:47:45
Received From: securityonion->bandwidth
Rule: 100001 fired (level 7) -> "Bandwidth down to 0.000.  Please check interface, cabling, and tap/span!"
Portion of the log(s):
ossec: output: 'bandwidth': 0.000
Update
A question over on Google+ prompted the following clarification:
Security Onion has Snort's perfmonitor configured for 300-second intervals by default, which means that the value we're inspecting would be the average traffic for 5 minutes. My deployments have enough constant traffic that 0.000 for 5 minutes is a pretty good indicator of failure. YMMV! 

Thursday, November 3, 2011

Security Onion 20111103 now available!


Security Onion 20111103 is now available!  This resolves the following issues:
Issue 138 - Time for a new ISO image
Issue 136 - Setup script should automatically set OS timezone to UTC
Issue 137 - Bro 2.0 Beta

Please note that Bro 2.0 Beta installs to /usr/local/bro/.

For more information about Bro 2.0 Beta, please see:

New Users
New users can download and install the new 20111103 ISO image using the instructions here.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).

Screenshots

Upgrade Process

Completing Upgrade

Bro 2.0 Beta in /usr/local/bro/bin/bro


Friday, October 28, 2011

Security Onion 20111028 now available!


Security Onion 20111028 is now available!  This resolves Issue 135 by updating the NSM scripts to start Snort with the AFPACKET DAQ for higher performance.  For more information about the AFPACKET DAQ, please see:
http://manual.snort.org/node7.html
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
