Tuesday, August 27, 2013

New Squert 1.1 and other packages

Paul Halliday recently released Squert 1.1:
http://www.squertproject.org/

I've packaged Squert 1.1 and updated a few other packages at the same time.  The following updated packages are now available:
securityonion-et-rules
securityonion-rule-update
securityonion-setup
securityonion-squert
securityonion-squert-cron

These packages should resolve the following issues:

Issue 240: Squert 1.1
https://code.google.com/p/security-onion/issues/detail?id=240

Issue 366: Setup doesn't need to prompt if there is no Internet connection
https://code.google.com/p/security-onion/issues/detail?id=366

Issue 371: sosetup-network should require the user to choose static/DHCP for management interface
https://code.google.com/p/security-onion/issues/detail?id=371

Issue 373: Setup doesn't correctly configure VRT+ETNOGPL
https://code.google.com/p/security-onion/issues/detail?id=373

Issue 380: Update securityonion-et-rules package and include tarball
https://code.google.com/p/security-onion/issues/detail?id=380

Issue 381: Update Setup so that if no Internet access, run pulledpork -n
https://code.google.com/p/security-onion/issues/detail?id=381

Notes
Please note that Squert now has the ability to retrieve transcripts and categorize events, but you'll need to edit /var/www/squert/.inc/config.php and insert your Sguil username/password to enable this functionality.

Thanks
Thanks to the following for testing the new packages:
David Zawdie
JP Bourget

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots
Squert 1.1

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Monday, August 19, 2013

New securityonion-bro-scripts package fixes a race condition

A new version of our securityonion-bro-scripts package is now available that fixes a possible race condition.

This update resolves the following issue:
Issue 374: Update hostname.bro and interface.bro

Thanks
Thanks to Jon Siwek for the new Bro scripts!
Thanks to the following for testing the new packages!
Matt Gregory
David Zawdie

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new packages, you'll need to restart Bro:
sudo broctl restart

Screenshots
Under certain conditions, the old Bro scripts would fail to determine the hostname and interface...

...resulting in Bro's conn.log containing an invalid "sensorname" field (should be hostname-interface)

Installing new securityonion-bro-scripts package

Restarting Bro

Bro now properly determines hostname and interface resulting in...
...conn.log having the correct sensorname (hostname-interface)
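To check a sensor's conn.log for the symptom described above, here is an added example that is not part of the original post or of the securityonion-bro-scripts package: it parses Bro's tab-separated log format and flags every record whose sensorname is not of the form hostname-interface (unset, missing hostname, or not matching the value you expect for that sensor). The log lines and the sensor name sensor1-eth1 are constructed for the example.

```python
import re

# Constructed Bro conn.log sample in Bro's tab-separated log format, trimmed
# to a few columns.  Security Onion's scripts append a "sensorname" column
# that should read "<hostname>-<interface>".  The third record carries the
# kind of broken value the race condition could leave behind (hostname
# missing) and the fourth is unset ("-").  All values here are made up.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tsensorname\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1376900000.123456\tCsAMPL3UiD1\t192.0.2.10\t51234\t198.51.100.5\t80\ttcp\tsensor1-eth1\n"
    "1376900001.654321\tCsAMPL3UiD2\t192.0.2.11\t51235\t198.51.100.6\t443\ttcp\tsensor1-eth1\n"
    "1376900002.000000\tCsAMPL3UiD3\t192.0.2.12\t51236\t198.51.100.7\t53\tudp\t-eth1\n"
    "1376900003.000000\tCsAMPL3UiD4\t192.0.2.13\t51237\t198.51.100.8\t22\ttcp\t-\n"
    "#close\t2013-08-19-23-59-59\n"
)

UNSET = "-"  # Bro's #unset_field marker


def parse_bro_log(text):
    """Parse a Bro TSV log into a list of dicts keyed by the #fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other metadata lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def check_sensorname(value, expected=None):
    """Return None if the sensorname is well formed, else a reason string.

    The hostname may itself contain hyphens, so the interface is taken to be
    whatever follows the last "-".
    """
    if value in (UNSET, "", "(empty)"):
        return "sensorname unset"
    if "-" not in value:
        return "no hostname-interface separator"
    hostname, interface = value.rsplit("-", 1)
    if not hostname:
        return "hostname missing"
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_.:]*", interface):
        return "interface name malformed"
    if expected is not None and value != expected:
        return "sensorname %r does not match expected %r" % (value, expected)
    return None


def find_bad_sensornames(text, expected=None):
    """Return (uid, sensorname, reason) for every record with a bad sensorname."""
    bad = []
    for rec in parse_bro_log(text):
        reason = check_sensorname(rec.get("sensorname", UNSET), expected)
        if reason:
            bad.append((rec["uid"], rec.get("sensorname", UNSET), reason))
    return bad


if __name__ == "__main__":
    # Pass the sensorname you expect on this sensor to also catch a value
    # that is well formed but belongs to a different host or interface.
    for uid, name, reason in find_bad_sensornames(SAMPLE_CONN_LOG, expected="sensor1-eth1"):
        print("%s  sensorname=%r  %s" % (uid, name, reason))
```

Run it against a real conn.log by reading the file into `find_bad_sensornames` and passing the sensor's own hostname-interface as `expected`; any hits after the package upgrade and `sudo broctl restart` mean the scripts are still not resolving the hostname or interface.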


Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Friday, August 16, 2013

New securityonion-sguil-server and securityonion-capme packages allow tcpflow/bro rendering

New versions of our securityonion-sguil-server and securityonion-capme packages are now available! After installing these packages and restarting sguild, you'll notice that CapMe now gives you the option to choose tcpflow or bro for transcript rendering.

This update resolves the following issue:
Issue 375: Update CapMe so that the user can choose between tcpflow and Bro for transcript rendering

Thanks
Thanks to the following for testing the new packages!
Matt Gregory
David Zawdie

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new packages, you'll need to restart sguild:
sudo nsm_server_ps-restart

Screenshots
New "Transcript" option defaults to "tcpflow"
"tcpflow -cr" doesn't decode gzip encoding, so click the "close" button to go back
Select "bro" and click "submit"

Bro decodes gzip encoding

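To make concrete what the two renderers differ on, here is an added example that is not from the original post, CapMe, tcpflow or Bro: it performs the decoding step in plain Python, splitting a raw HTTP response and, when the Content-Encoding header says gzip, gunzipping the body so a reader of the transcript sees the content rather than compressed bytes. The HTTP response is constructed inline; no real capture is involved.

```python
import gzip

# Constructed HTTP response body and the gzip-compressed response that
# carries it, standing in for the stream a transcript tool reassembles from
# a pcap.  Nothing here comes from a real capture.
ORIGINAL_BODY = b"<html><body>Constructed test page: hello, analyst.</body></html>"
_COMPRESSED = gzip.compress(ORIGINAL_BODY)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(_COMPRESSED)).encode("ascii") + b"\r\n"
    b"\r\n"
) + _COMPRESSED

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def split_http_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("HTTP header terminator not found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def decode_body(headers, body):
    """Undo gzip Content-Encoding; returns (bytes, decoded?).

    Other encodings are passed through untouched.  A truncated or corrupt
    gzip stream is also passed through so the reader sees something rather
    than an error.
    """
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip" and body.startswith(GZIP_MAGIC):
        try:
            return gzip.decompress(body), True
        except (OSError, EOFError):
            return body, False
    return body, False


def render_transcript(raw, decode=True):
    """Render a response the two ways: raw bytes (decode=False) or with gzip undone."""
    status, headers, body = split_http_response(raw)
    decoded = False
    if decode:
        body, decoded = decode_body(headers, body)
    return {
        "status": status,
        "content_encoding": headers.get("content-encoding", "identity"),
        "decoded": decoded,
        "body": body,
        "looks_like_gzip": body.startswith(GZIP_MAGIC),
    }


if __name__ == "__main__":
    for label, decode in (("raw", False), ("decoded", True)):
        result = render_transcript(SAMPLE_RESPONSE, decode=decode)
        print("%s: encoding=%s gzip_bytes=%s" % (label, result["content_encoding"], result["looks_like_gzip"]))
        print(result["body"][:60])
```

The raw rendering is what an analyst sees when the body is left compressed: the stream begins with the gzip magic bytes and the rest is unreadable. The decoded rendering returns the original HTML. The same split-then-decode shape applies to a chunked or deflate-encoded body, but those steps are not shown here.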
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Wednesday, August 14, 2013

New securityonion packages

New versions of the following packages are now available!
securityonion-nsmnow-admin-scripts
securityonion-sguild-add-user
securityonion-sostat

These new packages resolve the following issues:

Issue 370: soup: a script to handle Ubuntu/SO updates properly (mysql-server and pfring)
You can now run a single command to update your system without having to worry about mysql/pfring updates:
sudo soup

Issue 323: Create sguild-passwd-user script
You can now reset a user's Sguil/Squert/ELSA password using the following:
sudo nsm_server_user-passwd

Issue 363: netsniff-ng: log and print statistics
At the next daily restart, netsniff-ng will begin using the --verbose option to log statistics.  sostat has been updated to report on those statistics:
sudo sostat

Thanks
Thanks to Jon Schipp for submitting the netsniff-ng patches for the NSM and sostat scripts!
Thanks to JP Bourget for submitting the sguild-passwd-user patches!
Thanks to the following for testing the new packages!
David Zawdie
Matt Gregory
JP Bourget

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Tuesday, August 13, 2013

New securityonion-capme package

A new version of our securityonion-capme package is now available!

This new package resolves the following issues:
Issue 365: CapMe red/blue color coding should match Sguil's transcript
Issue 364: Remove "after 1000" from CapMe's cliscript.tcl

Thanks
Thanks to the following for testing the new package!
David Zawdie
Matt Gregory
JP Bourget

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New securityonion-networkminer package updates NetworkMiner to 1.5

NetworkMiner was recently updated to 1.5:
http://www.netresec.com/?page=Blog&month=2013-08&post=Security-Advisory%3a-Two-Vulnerabilities-in-NetworkMiner

I've packaged NetworkMiner 1.5 and this resolves the following issue:
Issue 372: NetworkMiner 1.5

Thanks
Thanks to the following for testing the new package!
David Zawdie
Matt Gregory
JP Bourget

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

New securityonion-rule-update package fixes a bug when running Suricata

A new version of our securityonion-rule-update package is now available that resolves the following issue:
Issue 368: /usr/bin/rule-update should check for "Suricata"

Thanks
Thanks to David Zawdie for testing the new package!

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!