Monday, September 12, 2011

Security Onion 20110909 now available

Security Onion 20110909 is now available!  This upgrade adds some new menu entries to make IDS tuning a little easier.  

  • The "IDS Rules" menu now has a new entry called "Add Local Rules" which will open /etc/nsm/rules/local.rules for editing using the "mousepad" GUI editor.  You can then add any rules that you want to maintain locally (outside of the downloaded VRT or Emerging Threats rulesets).
  • A new menu called "IDS Config" was added with a new menu entry called "Configure IDS engine(s)".  This will list all of the IDS engines on your system and allow you to choose one to configure.  It will then open the proper config file for whatever IDS engine you're running.  After you save and close the config file, it will offer to restart the IDS engine for you.

    • Example #1
      • Suppose you're currently running Snort and you choose eth0.  The program will open /etc/nsm/NAME_OF_YOUR_SENSOR-eth0/snort.conf for editing using the "mousepad" GUI editor.
    • Example #2
      • Suppose you're currently running Suricata and you choose eth1.  The program will open /etc/nsm/NAME_OF_YOUR_SENSOR-eth1/suricata.yaml for editing using the "mousepad" GUI editor.
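The two menu actions above, modelled in shell as an added example (this is not Security Onion's own code): `add_local_rule` appends a rule to a local.rules file the way the "Add Local Rules" entry lets you, and `find_ids_config` picks snort.conf or suricata.yaml for a sensor directory the way "Configure IDS engine(s)" does. It assumes a constructed sandbox directory standing in for /etc/nsm, sensor directories named NAME-INTERFACE as in the examples, and the common convention (an assumption here, not something the post states) that locally maintained rules use sid values of 1000000 or higher so they never collide with downloaded VRT or Emerging Threats rules.

```shell
#!/bin/sh
# Added example, not Security Onion's own code. Works against a constructed
# sandbox directory instead of /etc/nsm so it can be run anywhere.

# Append a rule to a local.rules file, refusing rules with no sid, a sid in
# the reserved range, or a sid already present in the file.
# Assumption: local rules use sid >= 1000000 (common Snort/Suricata convention).
add_local_rule() {
  rules_file="$1"
  rule="$2"
  sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p')
  [ -n "$sid" ] || { echo "rule has no sid" >&2; return 1; }
  [ "$sid" -ge 1000000 ] || { echo "sid $sid is in the reserved range" >&2; return 1; }
  if grep -q "sid:[[:space:]]*$sid;" "$rules_file" 2>/dev/null; then
    echo "sid $sid already present in $rules_file" >&2
    return 1
  fi
  printf '%s\n' "$rule" >> "$rules_file"
}

# Given an NSM root and a sensor name such as mysensor-eth0, print the engine
# config file the menu entry would open: snort.conf for Snort, suricata.yaml
# for Suricata. Fails if neither exists.
find_ids_config() {
  nsm_root="$1"
  sensor="$2"
  dir="$nsm_root/$sensor"
  if [ -f "$dir/snort.conf" ]; then
    echo "$dir/snort.conf"
  elif [ -f "$dir/suricata.yaml" ]; then
    echo "$dir/suricata.yaml"
  else
    echo "no IDS config found in $dir" >&2
    return 1
  fi
}

# List sensor directories (NAME-INTERFACE) under an NSM root, one per line.
list_sensors() {
  for d in "$1"/*-*/; do
    [ -d "$d" ] || continue
    basename "$d"
  done
}

# Build a constructed sandbox: one Snort sensor on eth0, one Suricata sensor
# on eth1, and an empty rules directory. Prints the sandbox root.
setup_sandbox() {
  root=$(mktemp -d)
  mkdir -p "$root/rules" "$root/mysensor-eth0" "$root/mysensor-eth1"
  : > "$root/mysensor-eth0/snort.conf"
  : > "$root/mysensor-eth1/suricata.yaml"
  echo "$root"
}

# Walk through both menu actions against the sandbox and print what happens.
demo() {
  root=$(setup_sandbox)
  echo "sensors found under $root:"
  list_sensors "$root"
  for s in $(list_sensors "$root"); do
    echo "$s -> $(find_ids_config "$root" "$s")"
  done
  add_local_rule "$root/rules/local.rules" \
    'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL inbound SSH"; sid:1000001; rev:1;)'
  echo "local.rules now contains:"
  cat "$root/rules/local.rules"
}
```

Source the file and call `demo` to see the sandbox walk-through; on a real sensor you would point `find_ids_config` at /etc/nsm and `add_local_rule` at /etc/nsm/rules/local.rules, and restart the engine afterwards as the menu entry offers to do.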

In-place Upgrade

Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L > ~/ && bash ~/"

New "Add Local Rules" menu entry under "IDS Rules"

Clicking the above menu entry opens /etc/nsm/rules/local.rules for editing

New "IDS Config" menu with "Configure IDS engine(s)" menu entry

"Configure IDS engine(s)" allows you to pick which engine to configure

Selecting an engine opens that engine's config file for editing

After saving and closing the config file, you will have the option to restart the engine
