Friday, September 23, 2011

Security Onion 20110922 now available!

Security Onion 20110922 is now available!  This update resolves Issue 126.  It also spawns instances of httpry and httpry_agent for each monitored interface.  Thanks go to Jason Bittel for his work on httpry and Paul Halliday for his work on httpry_agent!

Please note!
httpry is going to be logging all HTTP traffic on every monitored interface and httpry_agent is going to be inserting those HTTP logs into the MySQL database so they can be queried in Sguil and SQueRT.  This may increase the load on your sensors and/or MySQL server.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots

Upgrade Process

httpry events are autocategorized so as not to clutter the main Sguil window

If you're responding to an incident for an IP address, search for the IP and you'll see the httpry events are prefixed with "URL"

Clicking on a URL event will show further information in the Detail pane

Right-clicking on the Alert ID allows you to pull the entire transcript

SQueRT has an httpry search that will show all httpry logs


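To make the httpry to httpry_agent to database flow described in the "Please note" paragraph, and the per-IP search shown in the screenshots, concrete, here is a small added model of that pipeline. It is example code written for this post, not httpry_agent's own code: it parses a constructed snippet of httpry's tab-separated output, turns request lines into "URL"-prefixed events, loads them into an in-memory SQLite table standing in for the Sguil MySQL database, and searches them by IP. The field order is httpry's default format string as assumed here, the exact event message layout Sguil shows is an assumption, and the sample log lines are constructed (RFC 5737 addresses).

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of httpry output. httpry writes '#' comment lines and then one
# tab-separated line per request or response; '-' marks a column that does not apply.
# The last line is deliberately truncated to show how the loader handles a bad line.
SAMPLE_HTTPRY_LOG = """\
# httpry version 0.1.7
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2011/09/23 08:15:02\t192.0.2.10\t198.51.100.5\t>\tGET\texample.com\t/index.html\tHTTP/1.1\t-\t-
2011/09/23 08:15:02\t198.51.100.5\t192.0.2.10\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2011/09/23 08:15:07\t192.0.2.10\t198.51.100.7\t>\tPOST\tupdates.example.net\t/check?v=2\tHTTP/1.1\t-\t-
2011/09/23 08:15:09\t192.0.2.22\t198.51.100.5\t>\tGET\texample.com\t/login\tHTTP/1.1\t-\t-
2011/09/23 08:15:11\t192.0.2.22
"""

HTTPRY_FIELDS = 10  # columns in httpry's default output format (assumed here)


@dataclass
class HttpRecord:
    timestamp: str
    src_ip: str
    dst_ip: str
    direction: str  # '>' request, '<' response
    method: Optional[str]
    host: Optional[str]
    uri: Optional[str]
    status: Optional[str]
    reason: Optional[str]


def _opt(value: str) -> Optional[str]:
    """Map httpry's '-' placeholder to None."""
    return None if value == "-" else value


def parse_httpry(text: str) -> List[HttpRecord]:
    """Parse httpry log text; comment lines and malformed lines are skipped."""
    records: List[HttpRecord] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != HTTPRY_FIELDS:
            # A truncated or otherwise malformed line must not stop the agent;
            # drop it and keep going.
            continue
        ts, src, dst, direction, method, host, uri, _version, status, reason = cols
        records.append(HttpRecord(ts, src, dst, direction, _opt(method), _opt(host),
                                  _opt(uri), _opt(status), _opt(reason)))
    return records


def signature(rec: HttpRecord) -> Optional[str]:
    """Event message for the Sguil alert list. Only requests become events here;
    the 'URL' prefix matches the screenshots, the rest of the layout is assumed."""
    if rec.direction != ">" or rec.method is None:
        return None
    return f"URL {rec.method} {rec.host or ''}{rec.uri or ''}"


def load_events(conn: sqlite3.Connection, records: List[HttpRecord]) -> int:
    """Insert request events into the event table; returns the number inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS event "
                 "(timestamp TEXT, src_ip TEXT, dst_ip TEXT, signature TEXT)")
    rows = []
    for rec in records:
        sig = signature(rec)
        if sig is not None:
            rows.append((rec.timestamp, rec.src_ip, rec.dst_ip, sig))
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def search_ip(conn: sqlite3.Connection, ip: str) -> List[Tuple[str, str, str, str]]:
    """The analyst's incident search: every URL event where the IP is source or destination."""
    cur = conn.execute("SELECT timestamp, src_ip, dst_ip, signature FROM event "
                       "WHERE src_ip = ? OR dst_ip = ? ORDER BY timestamp", (ip, ip))
    return cur.fetchall()


def demo(ip: str = "192.0.2.10") -> Tuple[int, List[Tuple[str, str, str, str]]]:
    """Run the whole pipeline on the constructed sample and search for one IP."""
    conn = sqlite3.connect(":memory:")
    inserted = load_events(conn, parse_httpry(SAMPLE_HTTPRY_LOG))
    hits = search_ip(conn, ip)
    conn.close()
    return inserted, hits


if __name__ == "__main__":
    count, events = demo()
    print(f"{count} URL events loaded")
    for ts, src, dst, sig in events:
        print(ts, src, "->", dst, sig)
```

Of the five data lines in the sample, one is a response and one is truncated, so three URL events reach the table; searching for 192.0.2.10 returns its two requests in time order. Only the request side is stored here because that is what carries the URL; the real httpry_agent decides what to insert, and the volume it produces on a busy sensor is exactly the load the post warns about.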
