Thursday, January 26, 2012

Security Onion 20120125 now available!


Security Onion 20120125 is now available!  This resolves the following issues:
Issue 203: New users should have a more sensible default for Sguil client fonts
Issue 204: /usr/local/sbin/nsm_server_del: line 192: [: eq: binary operator expected
Issue 206: /usr/local/sbin/nsm_sensor_clean should purge old Bro logs
Issue 207: Re-install /etc/skel/.bashrc to enable bash coloring
Issue 208: Need a new ISO for NoVA Hackers presentation

New Users
New users can download and install the 20120125 ISO image using the instructions here.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Toolsmith Tool of the Year
If you're a fan of Security Onion, please vote for it for 2011 Toolsmith Tool of the Year!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

5 comments:

Jason Boss said...

ok...so a little further ahead...i didn't realize it was directory caring for where this was run and such. I moved out of the sql directoy I had landed on.

So I moved back to the /etc/nsm dir and was able to run things. Not sure why on that but for whatever reason it is..

root@secops-desktop:/etc/nsm# nsm --server --status
Status: securityonion
* sguil server [ OK ]
root@secops-desktop:/etc/nsm#


so now I am able to launch this...but under the localhost:3000 I am still unable to see anything happening.

sensors are still showing no love:

root@secops-desktop:/etc/nsm# nsm --sensor --status
Status: HIDS
* ossec_agent (sguil) [ FAIL ]
root@secops-desktop:/etc/nsm#


squil seems to come up fine...

root@secops-desktop:/etc/nsm# nsm_server_ps-status
Status: securityonion
* sguil server [ OK ]
root@secops-desktop:/etc/nsm# nsm_server_ps-restart
Restarting: securityonion
* stopping: sguil server [ OK ]
* starting: sguil server [ OK ]
root@secops-desktop:/etc/nsm#


ossec agent seems to come alive..

root@secops-desktop:/etc/nsm# nsm_sensor_ps-status
Status: HIDS
* ossec_agent (sguil) [ FAIL ]
root@secops-desktop:/etc/nsm# nsm_sensor_ps-start
Starting: HIDS
* starting: ossec_agent (sguil)
==> /var/log/nsm/ossec_agent.log <==
[ OK ]
root@secops-desktop:/etc/nsm# nsm_sensor_ps-status
Status: HIDS
* ossec_agent (sguil)


the logs are lovin me like this:
Feb 2 12:00:01 secops-desktop CRON[5117]: (root) CMD ( date >> /var/log/nsm/watchdog.log ; /usr/local/sbin/nsm_sensor_ps-restart --if-stale >> /var/log/nsm/watchdog.log)
Feb 2 12:00:01 secops-desktop CRON[5119]: (root) CMD (/usr/local/bin/broctl cron)
Feb 2 12:00:01 secops-desktop CRON[5121]: (root) CMD ([ -d /var/lib/mysql/securityonion_db/ ] && /usr/bin/php -e /var/www/squert/.inc/ip2c.php 1 > /dev/null 2>&1)
Feb 2 12:00:01 secops-desktop CRON[5120]: (root) CMD (/usr/local/sbin/nsm_sensor_clean -y >> /var/log/nsm/sensor-clean.log)

currently on the server piece nothing really much is running...the autossh is running on both slaves and appears to be dumping...I must be missing something...

Any help would be a God send.

peace

/j

Doug Burks said...

Hi Jason,

Your "server" is just a "server" and not a "sensor", correct? If that's the case, then the output you're seeing is correct. If you run "nsm_server_ps-status" on one of the "sensor" boxes, do you see processes there?

Hope that helps! If not, let's continue this discussion on the mailing list.

Thanks,
Doug

Jason Boss said...

Your an earlier riser! Must be after some worms! Thanks for the reply!

From the server:

root@secops:~# nsm_server_ps-status
Status: securityonion
* sguil server


On both of the sensor boxes nothing comes up when I do this...

the database does appear to be getting larger...but snorby is campin out with no sensors in there at all...

Doug Burks said...

I meant to say "nsm_sensor_ps-status" on the sensor boxes.

Blog comments are not really conducive to troubleshooting, so please join our mailing list and send an email to continue this process.

Thanks!

Jason Boss said...

10-4 Good Buddy! I was hang on your irc channel lookin for ya as well. So for anyone spamming Doug's Blog...take it to the List Server!


Moved to here:
http://groups.google.com/group/security-onion

Search This Blog

Featured Post

Security Onion Documentation printed book now updated for Security Onion 2.4.60!

We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for the recent...

Popular Posts

Blog Archive