Thursday, May 10, 2012

Security Onion 20120511 now available!


Security Onion 20120511 is now available!  This resolves the following issues:

Issue 205:      Bro's http.log needs to be per-interface
http://code.google.com/p/security-onion/issues/detail?id=205

Issue 264:      NSM package is missing the bro cron job
http://code.google.com/p/security-onion/issues/detail?id=264

Issue 265:      Upgrade httpry_agent to http_agent to support Bro logs
http://code.google.com/p/security-onion/issues/detail?id=265

Issue 266:      Remove httpry from NSM scripts
http://code.google.com/p/security-onion/issues/detail?id=266

In summary, this update migrates from the combination of httpry/httpry_agent to Bro/http_agent.  As noted in http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.html, this means that networks with VLAN tags will now get HTTP logs in Sguil.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Paul Halliday for adding Bro http.log support to http_agent!
Thanks to Seth Hall for the security-onion.bro script for splitting Bro's http.log when necessary!
Thanks to the following for their help in testing this release!
Scott Runnels
Tom De Vries
David Zawdie

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

4 comments:

Anonymous said...
This comment has been removed by a blog administrator.
Doug Burks said...

Hi Paul,

Yes, I believe some folks do use Security Onion as a host.

I don't know of anyone running SELinux on Ubuntu.

Security Onion is robust. It can run on bare metal or in VM, although you will probably get better performance on bare metal.

If you have further questions, please join our mailing list and ask there.

Thanks,
Doug

Jamie said...

I haven't used this distro before and I'm trying a few different platforms for SNORT that will feed our SIEM. I have Security Onion set up and it's working perfect, Snorby and SQueRT both are working and displaying events. I'm having a problem when it comes to reading the MySQL database. I point our SIEM to the securityonion_db using the credentials for a user I created and it's not pulling the events. I tried looking for info on reading the MySQL database, but cant really find any.

Any suggestion?

Doug Burks said...

Hi Jamie,

MySQL only listens on localhost by default.

If you have further questions, please join our mailing list and ask there.

Thanks,
Doug

Search This Blog

Featured Post

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive