Security Onion 20110922 is now available! This update resolves Issue 126. It also spawns instances of httpry and httpry_agent for each monitored interface. Thanks go to Jason Bittel for his work on httpry and Paul Halliday for his work on httpry_agent!
Please note!
httpry is going to be logging all HTTP traffic on every monitored interface and httpry_agent is going to be inserting those HTTP logs into the MySQL database so they can be queried in Sguil and SQueRT. This may increase the load on your sensors and/or MySQL server.
In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
|
Upgrade Process
|
httpry events are autocategorized so as not to clutter the main Sguil window |
|
|
If you're responding to an incident for an IP address, search for the IP and you'll see the httpry events are prefixed with "URL"
|
|
Clicking on a URL event will show further information in the Detail pane
|
|
Right-clicking on the Alert ID allows you to pull the entire transcript
|
|
SQueRT has an httpry search that will show all httpry logs |
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.