Security Onion 20111222 is now available! This resolves the following issue:
Issue 51: Snorby
Snorby is a modern web interface for Network Security Monitoring:
[Screenshot: The new hotness]
A few things to note:
- The Snorby database is totally separate from the Sguil database. This means that you will have a separate user account to log into Snorby. It also means that any events that you classify in Snorby are not reflected back into the Sguil database.
- A new output is added to the barnyard2 configuration to send events to the Snorby database. Remote sensors establish an SSH tunnel to the server to encrypt the MySQL traffic.
- This is just the initial integration of Snorby. In the future we'll add things like full packet capture support and Dustin's new unified2 library.
New Users
New users can download and install the 20111103 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.
The Setup wizard has been updated to support Snorby. You will create a username for Sguil/Squert and a separate username for Snorby (your email address). The password that you enter will be used for both Sguil/Squert and Snorby.
[Screenshot: Updated Setup Wizard]
[Screenshot: Entering email address for Snorby]
[Screenshot: Same password will be used for both Sguil/Squert and Snorby]
[Screenshot: Double-click the Snorby desktop shortcut]
[Screenshot: Login using the email address and password you specified in Setup]
[Screenshot: If necessary, generate some IDS alerts using "curl http://testmyids.com"]
[Screenshot: View your IDS alerts on the Events tab]
In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Note that the upgrade script is cumulative and will upgrade any older version of Security Onion to the most recent version (including any updates in between).
If you have one or more slave sensors reporting to a central master server, always upgrade the master first!
Since Snorby and Sguil have separate databases, your existing Sguil credentials will not allow you to log into Snorby. The in-place upgrade process will generate a username and random password for your initial Snorby login. You should log in with these temporary credentials immediately and change them.
[Screenshot: Completing upgrade of an existing system]
[Screenshot: Double-click the Snorby desktop shortcut or use the URL shown in the upgrade]
[Screenshot: Login using the credentials shown in the upgrade]
[Screenshot: Click "Settings" to change your username/password]
[Screenshot: Set your new credentials]
[Screenshot: Login using your new credentials]
[Screenshot: If necessary, generate some alerts with "curl http://testmyids.com"]
[Screenshot: View your IDS alerts on the Events tab]
If you're a fan of Security Onion, don't forget to vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html
Merry Christmas!
Christmas came early! This has been on my Security Onion wish list for a while. Sweet and much thanks!
Doug you rock! Great job as usual and another awesome addition to Security Onion!
Mark M
Wow, I just came across this site today for the first time. Downloading my onion right now! Can't wait to try it. Thanks Doug!!