Tuesday, December 10, 2013

Bro 2.2 and ELSA 1.5 packages now available

We have some new packages available for Bro 2.2 and ELSA 1.5!
ELSA 1.5 with support for Bro 2.2 and more log types
Release Notes

IMPORTANT! If you are upgrading a distributed deployment, it is vitally important that you upgrade the master before upgrading the sensors!  After upgrading the master and all sensors, if the ELSA web interface doesn't show all of your nodes properly, you may need to do the following:

  • restart autossh on each sensor:
    sudo pkill -USR1 autossh
  • stop/start (NOT restart) starman on each sensor:
    sudo service starman stop
    sudo service starman start
  • restart Apache on your master server:
    sudo service apache2 restart

If you have email configured on your sensor and you start getting lots of email from the ELSA cron job, you can fix it by changing the last line of /etc/cron.d/elsa as follows (moving 2>&1 to the end of the line):
* * * * * root perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
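
Why the redirection order matters, as an added example that is not part of the original post: the cron job was mailing because `2>&1 > /dev/null` (assumed to be the pre-fix form of the line) duplicates stderr onto cron's mail pipe before stdout is discarded, so Perl warnings still escape. The `fix_elsa_cron_line` helper below is an assumed name that rewrites a copy of the cron file idempotently; it runs against a constructed temp file, not /etc/cron.d/elsa.

```shell
#!/bin/sh
# Added example, not from the Security Onion packages.

# Run a command that writes only to stderr under a given redirection suffix
# and count the bytes that still escape to the caller (what cron would mail).
escaped_stderr_bytes() {
    sh -c "(echo oops >&2) $1" 2>&1 | wc -c | tr -d ' '
}

# Rewrite the cron line in file $1 so that 2>&1 comes after > /dev/null.
# Idempotent: a line already in the corrected form does not match the pattern.
fix_elsa_cron_line() {
    tmp="$1.tmp"
    sed 's|2>&1 > /dev/null$|> /dev/null 2>\&1|' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demonstrate the fix on a constructed copy of the cron entry (assumed pre-fix form).
demo_fix_cron() {
    f=$(mktemp)
    printf '%s\n' '* * * * * root perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf 2>&1 > /dev/null' > "$f"
    fix_elsa_cron_line "$f"
    fix_elsa_cron_line "$f"   # second run must leave the line unchanged
    cat "$f"
    rm -f "$f"
}

# escaped_stderr_bytes '2>&1 > /dev/null'  -> 5 (stderr leaks, cron sends mail)
# escaped_stderr_bytes '> /dev/null 2>&1'  -> 0 (both streams discarded)
```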
If you had previously installed the APT1 scripts per http://blog.securityonion.net/2013/02/seth-halls-bro-module-for-apt1-detection.html, the update will detect this and automatically enable the new version of the APT1 scripts.  If you would like to manually enable the APT1 scripts, do the following:
sudo sed -i 's|#@load apt1|@load apt1|g' /opt/bro/share/bro/site/local.bro
sudo broctl check && sudo broctl install && sudo broctl restart
The new version of Setup asks if you want to configure Bro to extract files (EXEs by default).  If you've already run Setup and want to enable file extraction, do the following:
sudo sed -i 's|#@load file-extraction|@load file-extraction|g' /opt/bro/share/bro/site/local.bro
sudo broctl check && sudo broctl install && sudo broctl restart
The new version of Setup configures Snorby to allow you to pivot from an IP address in Snorby to an ELSA query for that IP address.  If you've already run Setup and want to add this capability to Snorby, click Administration and then click Lookup Sources and add the following (also see screenshot in the Screenshots section):

Issues Resolved

Issue 362: sguil-db-purge - add DAYSTOREPAIR option

Issue 395: Bro 2.2

Issue 426: Update http_agent for Bro 2.2

Issue 420: Setup should no longer disable Bro PF_RING since it should work in 2.2

Issue 424: Setup should write out changes to /etc/network/interfaces and then prompt for reboot

Issue 415: Setup should ask user about DAYSTOKEEP and DAYSTOREPAIR

Issue 396: Setup should give the option of enabling file extraction in Bro

Issue 433: Setup should configure Snorby to pivot from an IP address to ELSA

Issue 431: Update APT1 scripts for Bro 2.2

Issue 350: Modify Sguil client to allow pivoting directly to ELSA query

Issue 346: New ELSA packages

Issue 343: Add more Bro logs to ELSA

Issue 434: nsm_sensor_ps-start shouldn't call sensor_cleandisk anymore

New/Updated packages
securityonion-bro - 2.2-0ubuntu0securityonion9
securityonion-bro-scripts - 20121004-0ubuntu0securityonion17
securityonion-elsa - 1090-1ubuntu0securityonion11
securityonion-elsa-extras - 20131117-1ubuntu0securityonion19
securityonion-elsa-node-perl - 20130819-0ubuntu0securityonion2
securityonion-elsa-web-perl - 20131029-0ubuntu0securityonion0ubuntu1
securityonion-http-agent - 0.3.1-0ubuntu0securityonion3
securityonion-libapache-logformat-compiler-perl - 0.13-0ubuntu0securityonion1
securityonion-libcapture-tiny-perl - 0.22-0ubuntu0securityonion0
securityonion-libclass-method-modifiers-perl - 2.04-1ubuntu0securityonion1
securityonion-libcookie-baker-perl - 0.01-1ubuntu0securityonion1
securityonion-libdevel-stacktrace-perl - 1.30-1ubuntu0securityonion0
securityonion-libexception-class-perl - 1.37-1ubuntu0securityonion1
securityonion-libextutils-config-perl - 0.007-1ubuntu0securityonion0
securityonion-libextutils-helpers-perl - 0.021-1ubuntu0securityonion0
securityonion-libextutils-installpaths-perl - 0.009-1ubuntu0securityonion0
securityonion-liblog-log4perl-appender-socket-unix-perl - 1.04-1ubuntu0securityonion0
securityonion-liblog-syslog-constants-perl - 1.02-1ubuntu0securityonion0
securityonion-liblog-syslog-fast-perl - 0.61-1ubuntu0securityonion1
securityonion-libmoo-perl - 1.003-1ubuntu0securityonion1
securityonion-libmoox-types-mooselike-numeric-perl - 1.01-1ubuntu0securityonion1
securityonion-libmoox-types-mooselike-perl - 0.25-1ubuntu0securityonion0
securityonion-libplack-middleware-xforwardedfor-perl - 0.1030-1ubuntu0securityonion0
securityonion-librole-tiny-perl - 1.003-1ubuntu0securityonion1
securityonion-libtest-name-fromline-perl - 0.11-1ubuntu0securityonion1
securityonion-libtest-time-perl - 0.04-1ubuntu0securityonion1
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion64
securityonion-setup - 20120912-0ubuntu0securityonion89
securityonion-sguil-client - 0.8.0-0ubuntu0securityonion15
securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion7

The new packages have been tested by the following (thanks!):
Heine Lysemose
JP Bourget
Matt Gregory
David Zawdie

Screenshots (images not included; captions only)

  • Bro update
  • ELSA update
  • ELSA update with support for more Bro logs
  • http_agent update
  • New Sguil client supports pivoting from IP address to ELSA query
  • Pivoting from Sguil/Snorby to ELSA
  • Manually adding ELSA as a Lookup Source after running Setup
  • Pivoting from Snorby to ELSA
  • New Setup screen for DAYSTOKEEP
  • New Setup screen for DAYSTOREPAIR
  • New Setup screen for enabling Bro file extraction
  • ELSA query for BRO_FILES
  • ELSA query for BRO_WEIRD

The new packages are now available in our stable repo.  Please see the following page for full update instructions:

If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
