Tuesday, February 28, 2012

Security Onion 20120224 now available!


Problem #1

Suppose you're monitoring traffic that has VLAN tags (in both directions).  By default, when you right-click the Alert ID in Sguil and request the transcript/pcap, you would get nothing.  In order to get transcripts/pcaps to work correctly in Sguil, you would have to manually set VLAN to "1" in pcap_agent.conf.

Problem #2

Suppose you're monitoring traffic that has VLAN tags in one direction but not the other.  When you right-click the Alert ID in Sguil and request the transcript/pcap, you would only get the non-VLAN side of the flow.  If you set VLAN to "1" in pcap_agent.conf, you would then receive just the VLAN side of the flow.

Solution

Security Onion 20120224 is now available!  This resolves the following issues:
Issue 148: Update tcpflow
Issue 222: Modify pcap_agent.tcl to support ip & vlan tagged interfaces

The updated pcap_agent.tcl and tcpflow allow Sguil to transparently support all cases of traffic with VLAN tags, without VLAN tags, and with mixed VLAN tags.  When you right-click the Alert ID and request the transcript/pcap, you should now get the entire flow.
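To show why the two problems above happen, here is an added illustration (not Security Onion's pcap_agent.tcl or tcpflow code): a small parser that finds the IP header behind an optional 802.1Q tag, run over constructed frames for the "Problem #2" mixed case. A matcher that assumes a fixed 14-byte Ethernet header never sees the tagged direction, which in libpcap terms is the difference between "host X and port Y" and "(host X and port Y) or (vlan and host X and port Y)"; all addresses, ports and MACs below are made up.

```python
import struct

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100

def build_frame(src_ip, dst_ip, sport, dport, vlan=None):
    """Constructed sample frame: Ethernet + IPv4 + TCP header, optionally 802.1Q-tagged."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\x02" * 6 + b"\x04" * 6                         # dst MAC, src MAC (made up)
    if vlan is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)  # TPID, then TCI with the VID
    return eth + struct.pack("!H", ETH_IPV4) + ip + tcp

def parse_frame(frame, vlan_aware=True):
    """Return (vlan_id, src_ip, dst_ip, sport, dport) for IPv4/TCP, else None.
    vlan_aware=False mimics a filter compiled for untagged frames only (IP header
    assumed at offset 14): a tagged frame shows ethertype 0x8100 there and never matches."""
    ethertype, = struct.unpack("!H", frame[12:14])
    off, vlan_id = 14, None
    if ethertype == ETH_8021Q:
        if not vlan_aware:
            return None
        vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype, = struct.unpack("!H", frame[16:18])
        off = 18                                  # IP header sits after the 4-byte tag
    if ethertype != ETH_IPV4 or frame[off + 9] != 6:
        return None
    ihl = (frame[off] & 0x0F) * 4
    src = ".".join(map(str, frame[off + 12:off + 16]))
    dst = ".".join(map(str, frame[off + 16:off + 20]))
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return vlan_id, src, dst, sport, dport

def select_flow(frames, host_a, port_a, host_b, port_b, vlan_aware=True):
    """Return the parsed frames of both directions of the TCP flow between the endpoints."""
    want = {(host_a, port_a), (host_b, port_b)}
    out = []
    for f in frames:
        p = parse_frame(f, vlan_aware)
        if p and {(p[1], p[3]), (p[2], p[4])} == want:
            out.append(p)
    return out

# Constructed "Problem #2" traffic: request untagged, reply carrying VLAN 100.
SAMPLE = [
    build_frame("192.168.123.234", "10.0.0.5", 40000, 80),
    build_frame("10.0.0.5", "192.168.123.234", 80, 40000, vlan=100),
]
```

With vlan_aware=False only the untagged request comes back, which is exactly the one-sided transcript described above; the VLAN-aware matcher returns both directions.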

Caveat
httpry doesn't support VLAN tags, so you still won't see HTTP events in Sguil where VLAN tags are involved.  However, we'll soon be removing httpry in favor of Bro's HTTP logging, which does handle VLAN tags properly.  In the meantime, you can query the Bro logs directly from the command line using something like the following:
zgrep "192.168.123.234" /nsm/bro/logs/*/http*

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Note
If you had manually set VLAN to "1" in pcap_agent.conf, then you should set it back to the default of 0 and restart pcap_agent:
sudo nsm_sensor_ps-restart --only-pcap-agent

Screenshots
[Screenshot: Upgrade Process]

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Bamm Visscher for the updated pcap_agent.tcl!
Thanks to Simson Garfinkel for the updated tcpflow!
Thanks to Liam Randall, Scott Runnels, and Eric Ooi for testing this release!

Wednesday, February 22, 2012

Security Onion 20120222 now available!


Security Onion 20120222 is now available!  This resolves the following issues:

Issue 199: Snorby dashboard not updating

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
[Screenshot: Upgrade Process]

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Dustin Webber for his hard work on Snorby 2.4.0!
Thanks to Scott Runnels for his help in testing this release!

Thursday, February 2, 2012

Byobu and Security Onion

I really like having byobu configured for all my Security Onion SSH sessions, as it gives lots of good health/status information about the server in question:
[Screenshot: Before]
If you're not already running Byobu, run it by executing "byobu".  Then press the F9 key and set Byobu to launch automatically the next time you logon.

Now let's make byobu even more useful by having it display the Security Onion version number in the status bar at the bottom of the screen.  Copy/paste the following into your terminal:
# Byobu runs any executable in ~/.byobu/bin whose name starts with a number;
# that number is the refresh interval in seconds, so 60_so runs once a minute.
mkdir -p $HOME/.byobu/bin
cat > $HOME/.byobu/bin/60_so <<EOF
#!/bin/sh
echo -n "Security Onion "
grep VERSION /etc/nsm/securityonion.conf | cut -d\= -f2
EOF
chmod +x $HOME/.byobu/bin/60_so

Within a few seconds, your terminal should look like this:
[Screenshot: After]
This could be extended to display interface/packet statistics or any other data you wish.  For more information about Byobu, please see:
https://help.ubuntu.com/community/Byobu
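As an added example of the interface/packet statistics extension mentioned above (not part of Security Onion or Byobu), here is a second status script that reports RX packet and drop counters from /proc/net/dev, so a sensor that is silently dropping packets shows it in the status bar. It assumes the sniffing interface is eth1 unless IFACE is set, and uses the same ~/.byobu/bin naming as 60_so; the /proc/net/dev sample it carries is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not part of Security Onion: a Byobu status script that shows the
# RX packet and drop counters of the sniffing interface, read from /proc/net/dev.
# Assumptions: the interface name (eth1 unless IFACE is set) and the ~/.byobu/bin
# naming used for 60_so above (install as e.g. ~/.byobu/bin/10_rx to refresh every 10 s).

# Print "<iface> rx:<packets> drop:<drops>"; returns 1 if the interface is absent.
# $1 = interface name, $2 = stats file in /proc/net/dev format (defaults to the real one).
iface_stats() {
    awk -v ifc="$1" '
        NR > 2 {
            sub(/:/, " ")        # "eth1:123..." and "eth1: 123..." both split into fields
            if ($1 == ifc) { printf "%s rx:%s drop:%s\n", ifc, $3, $5; found = 1 }
        }
        END { if (!found) exit 1 }
    ' "${2:-/proc/net/dev}"
}

# Constructed /proc/net/dev sample (lo plus a busy eth1 with 42 drops) for offline testing.
write_sample_netdev() {
    cat > "$1" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth1:987654321 8765432    0   42    0     0          0         0        0       0    0    0    0     0       0          0
EOF
}

# When Byobu runs this script (no arguments), report the live counters.
if [ "$#" -eq 0 ] && [ -r /proc/net/dev ]; then
    iface_stats "${IFACE:-eth1}" || echo "${IFACE:-eth1}: n/a"
fi
```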

Security Onion 20120202 now available!


Security Onion 20120202 is now available!  This resolves the following issues:

Issue 195: Update nsm scripts to not create /etc/nsm/HOSTNAME-NIC/rules/
Issue 210: nsm_server_user-add doesn't need to ask for server name
Issue 217: nsm_sensor_ps-restart should wait for process to gracefully terminate before rotating log file


New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
[Screenshot: In-Place Upgrade]

Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Scott Runnels for his help in testing this release!