Thursday, July 11, 2013

New securityonion-bro-scripts and securityonion-capme packages

A new version of our securityonion-bro-scripts package is now available that extends Bro's conn.log to include the hostname and interface that saw the connection.  In addition, a new version of our securityonion-capme package automatically determines if you're pivoting from ELSA and, if so, queries Bro's conn.log via ELSA for the source and destination IP/port.  It then parses the hostname/interface out of the result to locate the pcap and render the transcript.  The net result of these changes is that pivoting to CapMe from ELSA no longer depends on the prads session data in the Sguil sancp table.
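The lookup described above, as an added example rather than code from the Security Onion project: it parses Bro's tab-separated conn.log by its `#fields` header, finds the record matching a source/destination IP and port, and splits the sensor column into hostname and interface to build a pcap location. The column name `sensorname`, its `<hostname>-<interface>` form, and the `/nsm/sensor_data/<hostname>-<interface>/dailylogs/<date>/` layout are assumptions; the log excerpt is constructed, and a local parse stands in for the ELSA query.

```python
"""Locate the sensor that saw a connection, using the extended conn.log.

Added example, not Security Onion's own code. It assumes the extra
conn.log column is named `sensorname` and holds `<hostname>-<interface>`
(assumption), and that full-packet pcaps sit under
/nsm/sensor_data/<hostname>-<interface>/dailylogs/<YYYY-MM-DD>/ (assumed
layout). A local parse of the log stands in for the ELSA query.
"""
from datetime import datetime, timezone

# Constructed conn.log excerpt in Bro's tab-separated ASCII log format
# (several columns omitted for brevity; the 4-tuple and sensorname remain).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tproto\tservice\tduration\tsensorname\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tenum\tstring\tinterval\tstring\n"
    "1373544000.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234"
    "\t198.51.100.7\t80\ttcp\thttp\t0.48\tsensor1-eth1\n"
    "1373544012.000000\tC8xYzq2bVoKd1hPlJ4\t192.0.2.11\t41000"
    "\t198.51.100.8\t443\ttcp\tssl\t12.2\tso-sensor2-eth2\n"
    "#close\t2013-07-11-12-00-00\n"
)


def parse_bro_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            # Other header/footer lines (#separator, #types, #close) carry no records.
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch in line: %r" % line)
        yield dict(zip(fields, values))


def find_sensor(log_text, orig_h, orig_p, resp_h, resp_p):
    """Return (hostname, interface, record) for the first record matching
    the source/destination IP and port, or None if nothing matches."""
    wanted = (orig_h, str(orig_p), resp_h, str(resp_p))
    for rec in parse_bro_log(log_text):
        got = (rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"])
        if got != wanted:
            continue
        # Hostnames may themselves contain hyphens, so split on the last one.
        hostname, sep, interface = rec["sensorname"].rpartition("-")
        if not sep or not hostname or not interface:
            raise ValueError("malformed sensorname: %r" % rec["sensorname"])
        return hostname, interface, rec
    return None


def pcap_dir(hostname, interface, ts):
    """Directory holding that day's pcap for the sensor (assumed layout)."""
    day = datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%d")
    return "/nsm/sensor_data/%s-%s/dailylogs/%s" % (hostname, interface, day)


if __name__ == "__main__":
    hostname, interface, rec = find_sensor(
        SAMPLE_CONN_LOG, "192.0.2.10", 51234, "198.51.100.7", 80)
    print("sensor:", hostname, "interface:", interface, "uid:", rec["uid"])
    print("pcap directory:", pcap_dir(hostname, interface, rec["ts"]))
```

Matching on the full 4-tuple rather than on a single address matters here: the same client port is reused across connections, and picking the wrong record would point CapMe at the wrong sensor's pcap.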

This update resolves the following issue:
Issue 348: Update CapME with a new option to query Bro conn.log via ELSA

Thanks
Thanks to the following for testing the new packages!
Matt Gregory
David Zawdie
Michal Purzynski

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new packages, you'll need to restart Bro:
sudo broctl restart

Screenshots
(Images not reproduced; captions only.)
Upgrade Process
Restarting Bro using "sudo broctl restart"
When pivoting from ELSA, CapMe now defaults to searching ELSA instead of the sancp table
CapMe Transcript

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!
http://securityonion.eventbrite.com/
