Monday, March 25, 2013

Suricata 1.4.1 package now available

Suricata 1.4.1 was recently released:
http://suricata-ids.org/2013/03/08/suricata-1-4-1-released/

I've packaged Suricata 1.4.1 and it has been tested by the following (thanks!):
Eric Ooi
David Zawdie

The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade

Install Process

The Suricata update will do the following:

  • install some new dependencies (libluajit and libjansson)
  • back up each of your existing suricata.yaml file(s) to suricata.yaml.bak
  • update Suricata to 1.4.1

If you're running Suricata in production, then you'll need to do the following:

  • apply your local customizations to the new suricata.yaml
  • restart Suricata as follows:
sudo nsm_sensor_ps-restart --only-snort-alert

Upgrade Process

  • sudo apt-get update && sudo apt-get dist-upgrade
  • suricata -V
  • Update suricata.yaml file(s) and then run "sudo nsm_sensor_ps-restart --only-snort-alert"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Sunday, March 24, 2013

New PRADS package available

I've packaged a new version of PRADS which changes the way that byte counts are reported.  PRADS will now report total IP bytes, which matches up with the way that NetworkMiner reports byte counts.  It also matches the byte counts in Bro's conn.log in the orig_ip_bytes and resp_ip_bytes fields.  For more details, please see:
https://github.com/gamelinux/prads/issues/30
The new package is now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade
After upgrading, you'll need to manually restart PRADS as follows:
sudo nsm_sensor_ps-restart --only-prads

Here's an example using traffic from testmyids.com:
Byte counts in Sguil (provided by PRADS)

Byte counts in NetworkMiner

Byte counts in Bro's conn.log (orig_ip_bytes and resp_ip_bytes fields)
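To check the new PRADS totals against Bro yourself, here is an added example (not part of this post, PRADS or Security Onion): a small Python parser that reads a conn.log fragment constructed here, finds orig_ip_bytes and resp_ip_bytes from the #fields header, and reports total IP bytes beside payload bytes so the two counts are not confused. The Bro 2.x column layout, the uids, addresses (203.0.113.5 stands in for testmyids.com) and byte values are all assumed.

```python
# Constructed conn.log fragment in the Bro 2.x tab-separated layout (assumed);
# addresses and byte counts are made up, 203.0.113.5 stands in for testmyids.com.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    # Answered HTTP connection to the stand-in for testmyids.com.
    "1364148000.123456\tCAbc123\t192.168.1.10\t49152\t203.0.113.5\t80\ttcp\thttp"
    "\t0.25\t145\t220\tSF\t-\t0\tShADadFf\t6\t465\t5\t488\t(empty)",
    # Unanswered DNS query: duration and payload counts are unset ('-').
    "1364148001.000000\tCDef456\t192.168.1.10\t53422\t192.168.1.1\t53\tudp\tdns"
    "\t-\t-\t-\tS0\t-\t0\tD\t1\t58\t0\t0\t(empty)",
    "#close\t2013-03-24-12-00-01",
])

def parse_conn_log(text):
    """Yield one dict per data row, keyed by the column names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]  # column names follow the tag
            continue
        if fields is None:
            raise ValueError("data row seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields")
        yield dict(zip(fields, values))

def count(value):
    """Bro 'count' column: '-' means unset, which is taken as zero bytes here."""
    return 0 if value == "-" else int(value)

def byte_counts(text):
    """Map uid -> {'ip_bytes': total IP bytes, 'payload_bytes': ...} per connection."""
    result = {}
    for rec in parse_conn_log(text):
        result[rec["uid"]] = {
            "ip_bytes": count(rec["orig_ip_bytes"]) + count(rec["resp_ip_bytes"]),
            "payload_bytes": count(rec["orig_bytes"]) + count(rec["resp_bytes"]),
        }
    return result

if __name__ == "__main__":
    for uid, counts in byte_counts(SAMPLE_CONN_LOG).items():
        print(uid, counts)
```

The ip_bytes figure is the one to compare with the Sguil/PRADS and NetworkMiner totals; payload_bytes is what orig_bytes/resp_bytes give and will always be smaller.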

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Monday, March 11, 2013

New PF_RING 5.5.2 packages now available!

PF_RING 5.5.2 was recently released:
http://www.ntop.org/pf_ring/pf_ring-5-5-2-released/

I've packaged PF_RING 5.5.2 and the packages have been tested by the following (thanks!):
Eric Ooi
David Zawdie
Matt Gregory

The new packages are now available in our stable repo. You can initiate the upgrade process using the graphical Update Manager or using the following one-liner:
sudo apt-get update && sudo apt-get dist-upgrade

Warnings
Ubuntu recently released some MySQL updates, so you may also be prompted to update MySQL at the same time.  If so, please cancel the update and use our recommended procedure for updating MySQL:
http://code.google.com/p/security-onion/wiki/MySQLUpdates

UPDATE 2013/03/13: Ubuntu recently released some kernel updates, so you may also be prompted to update your kernel packages at the same time.  If you do so, the PF_RING kernel module will get built for your current kernel and not for the newly installed kernel.  You should install JUST the updated kernel packages, reboot, and then install the updated PF_RING packages so that the module gets built properly for the new kernel.  If you accidentally install both the kernel and PF_RING packages at the same time and then reboot and find out that PF_RING services are failing, you can force PF_RING to build against the new kernel by simply running the update command again:
sudo apt-get update && sudo apt-get dist-upgrade

Install Process
The PF_RING update will do the following:
  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes

Upgrade Process

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists