Monday, July 15, 2013

New securityonion-sguil-client and securityonion-sguil-server packages include Bro Transcript functionality

New versions of our securityonion-sguil-client and securityonion-sguil-server packages are now available that add a new "Bro" option to the Sguil client's right-click context menu.  This option will run the pcap through a Bro script that will mimic the existing tcpflow transcript option but with a couple of very important changes:

  • any gzipped server responses are automatically unzipped
  • transcripts are rendered for not only tcp but also udp traffic
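To show what the unzip step buys you, here is a small Python rendering of the server side of an HTTP conversation in Sguil's "DST:" line style. It is an example added here, not the tcpudpflow.bro script or any Security Onion code; the gzip-encoded HTTP response it parses is constructed inline, and it falls back to the raw bytes when the compressed stream is truncated or corrupt so the transcript still renders.

```python
import gzip
import zlib

# Constructed sample: a gzip-compressed HTTP/1.1 server response such as a
# web server sends when the client advertised Accept-Encoding: gzip.
PAGE = b"<html><body>Hello from the server</body></html>"
GZ_BODY = gzip.compress(PAGE, mtime=0)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    + b"Content-Length: %d\r\n" % len(GZ_BODY)
    + b"\r\n" + GZ_BODY
)

def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def decode_body(headers, body):
    """Undo gzip/deflate Content-Encoding; fall back to the raw bytes if the
    captured stream is truncated or corrupt so the transcript still renders."""
    encoding = headers.get("content-encoding", "").lower()
    try:
        if encoding == "gzip":
            return gzip.decompress(body)
        if encoding == "deflate":
            # Some servers send raw deflate without the zlib wrapper.
            try:
                return zlib.decompress(body)
            except zlib.error:
                return zlib.decompress(body, -zlib.MAX_WBITS)
    except (OSError, EOFError, zlib.error):
        pass
    return body

def render_transcript(raw):
    """Render the server half of a conversation, one 'DST: ' line per line."""
    status, headers, body = parse_http_response(raw)
    out = ["DST: " + status]
    out += ["DST: %s: %s" % (k, v) for k, v in headers.items()]
    out.append("DST: ")
    out += ["DST: " + ln for ln in decode_body(headers, body).decode("latin-1", "replace").splitlines()]
    return "\n".join(out)
```

Without the decode step, the body lines of this transcript would be the compressed bytes, which is exactly what the screenshots of the old tcpflow option show.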

This update resolves the following issue:
Issue 347: New Sguil client transcript option to run through tcpudpflow.bro

Thanks to Scott Runnels for his work on the Bro script and changes to the sguil packages!
Thanks to the following for testing the new packages!
Matt Gregory
David Zawdie

The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:

After installing the new packages, you'll need to restart sguild:
sudo nsm_server_ps-restart

[Screenshots: Upgrade Process; Restarting sguild; Existing Transcript option (doesn't handle gzip encoded server responses); New Bro option (unzips any gzip encoded server responses)]

If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!
