Monday, December 8, 2014

New version of securityonion-rule-update resolves two issues

I've updated the securityonion-rule-update package to resolve two issues:

Issue 639: rule-update should disable Suricata rules if running Snort
https://code.google.com/p/security-onion/issues/detail?id=639

Issue 650: rule-update: wipe snort_dynamicrules directory
https://code.google.com/p/security-onion/issues/detail?id=650

The new package version is as follows:

securityonion-rule-update - 20120726-0ubuntu0securityonion23

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Need training?  Please see:
https://security-onion-class-20141215.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

Wednesday, December 3, 2014

ELSA now parses Bro's RADIUS, SNMP, and X.509 logs

I've added ELSA parsers for Bro RADIUS, SNMP, and X.509 logs.  The new packages are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion50
securityonion-web-page - 20141015-0ubuntu0securityonion10

These new packages should resolve the following issues:

Issue 513: securityonion-elsa-extras: when adding sources to
syslog-ng.conf, do not search-and-replace using "log"
https://code.google.com/p/security-onion/issues/detail?id=513

Issue 575: ELSA: parsers for new Bro logs added in Bro 2.3
https://code.google.com/p/security-onion/issues/detail?id=575

Issue 578: securityonion-web-page: add ELSA queries for new Bro 2.3 logs
https://code.google.com/p/security-onion/issues/detail?id=578

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie

Screenshots
  • Update Process
  • X.509 logs grouped by Certificate Key Length
  • X.509 logs grouped by Certificate Key Algorithm
  • X.509 logs grouped by Certificate Signature Algorithm
  • X.509 logs grouped by Certificate Key Type
  • SNMP logs grouped by Community
  • RADIUS logs grouped by username

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Tuesday, December 2, 2014

New Sguil client resolves an issue

Scott F. found an issue in the Sguil client:
https://groups.google.com/d/topic/security-onion/P57oKu02tI4/discussion

I've updated the Sguil client with Bamm's patch and the new version numbers are as follows:
securityonion-sguil-client - 20141004-0ubuntu0securityonion9
securityonion-sguil-sensor - 20141004-0ubuntu0securityonion9
securityonion-sguil-server - 20141004-0ubuntu0securityonion9
(since client, sensor, and server all come from the same tarball, a change in one causes a full rebuild of all 3 packages)

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie

These packages should resolve the following issue:
https://code.google.com/p/security-onion/issues/detail?id=646

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Monday, December 1, 2014

Snort 2.9.7 and Daq 2.0.4 now available!

Snort 2.9.7 and Daq 2.0.4 were recently released:
http://blog.snort.org/2014/10/snort-297-has-been-released.html

I've updated our packages:
securityonion-daq - 2.0.4-0ubuntu0securityonion2
securityonion-pfring-daq - 20121107-0ubuntu0securityonion9
securityonion-snort - 2.9.7.0-0ubuntu0securityonion4

These new packages should resolve the following issues:

Issue 636: Snort 2.9.7.0
https://code.google.com/p/security-onion/issues/detail?id=636

Issue 637: Snort DAQ 2.0.4
https://code.google.com/p/security-onion/issues/detail?id=637

Issue 648: Rebuild securityonion-pfring-daq for new DAQ
https://code.google.com/p/security-onion/issues/detail?id=648

The new packages have been tested by the following (thanks!):
Eddy Simons
Ronny Vaningh
David Zawdie

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak.  You'll then need to do the following:

  • re-apply any local customizations to your snort.conf files
  • update the ruleset and restart Snort/Suricata as follows:
    sudo rule-update

If you get an error like the following:
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/chat.so" version 1.0 compiled with dynamic engine library version 2.1 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 2.4.
then please see:
https://code.google.com/p/security-onion/wiki/FAQ#I_just_updated_Snort_and_it's_now_saying_'ERROR:_The_d

Screenshots
  • "sudo soup" will ask you to check/update your snort.conf file(s)
  • "sudo rule-update" will download the updated ruleset and restart Snort


Cyber Monday discount for 3-day Security Onion training in Augusta GA

Today is Cyber Monday, so here is a discount code good for $400 off the 3-day Security Onion training in Augusta GA!

cyber-monday-4443

This discount is good through Friday December 5!

For more information and to register, please see:

Monday, November 17, 2014

New NSM package resolves 5 issues

I've updated our NSM package and the new package version is:

securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion91

Issues Resolved

Issue 620: NSM: stop netsniff-ng only after checking all interfaces for pcaps to delete
https://code.google.com/p/security-onion/issues/detail?id=620

Issue 647: NSM: rotate netsniff-ng.log
https://code.google.com/p/security-onion/issues/detail?id=647

Issue 597: nsm_all_del_quick: delete /nsm/bro/logs and /nsm/bro/extracted
https://code.google.com/p/security-onion/issues/detail?id=597

Issue 595: NSM: prevent Bro version warning
https://code.google.com/p/security-onion/issues/detail?id=595

Issue 611: nsm_sensor_clean: replace server with sensor
https://code.google.com/p/security-onion/issues/detail?id=611


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks
Thanks to the following for testing!
Joe Lane
Ronny Vaningh
David Zawdie


Tuesday, November 11, 2014

Argus 3.0.8 packages now available!

Argus 3.0.8 was recently released:
http://qosient.com/argus/

I've updated our Argus packages and the new package versions are as follows:

securityonion-argus-server - 3.0.8-0ubuntu0securityonion1
securityonion-argus-clients - 3.0.8-0ubuntu0securityonion2

Issues Resolved

Issue 382: Update Argus packages
https://code.google.com/p/security-onion/issues/detail?id=382

Release Notes
Please note that raips and raplot are no longer installed by default and this is by design according to Carter Bullard:
http://article.gmane.org/gmane.network.argus/10830

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Thanks
Thanks to the following for testing!
Eddy Simons
David Zawdie

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

$400 Early Bird discount for 3-day Security Onion Training Class in Augusta GA

Our 3-day Security Onion training class will be in Augusta GA next month.  If you register by Friday November 21, you can use the following discount code for $400 off!

early-bird-57912

For more details and to register, please see:
https://security-onion-class-20141215.eventbrite.com/

If you have any questions, please use the Contact link on the bottom of the Eventbrite page.

Wednesday, October 29, 2014

Sguil 0.9 and Squert 1.5.0 now available!

Sguil 0.9 and Squert 1.5.0 were recently released:
http://sourceforge.net/p/sguil/mailman/message/32230854/
http://www.squertproject.org/summaryofchangesforsquertversion130
http://www.squertproject.org/summaryofchangesforsquertversion140
http://www.squertproject.org/summaryofchangesforsquertversion150

I've updated our packages to include both of these releases.  The new package versions are as follows:

securityonion-capme - 20121213-0ubuntu0securityonion20
securityonion-http-agent - 0.3.1-0ubuntu0securityonion6
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion88
securityonion-ossec-rules - 20120726-0ubuntu0securityonion4
securityonion-setup - 20120912-0ubuntu0securityonion125
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion4
securityonion-sguil-client - 20141004-0ubuntu0securityonion7
securityonion-sguil-sensor - 20141004-0ubuntu0securityonion7
securityonion-sguil-server - 20141004-0ubuntu0securityonion7
securityonion-squert - 20141015-0ubuntu0securityonion3

Issues Resolved

Issue 287: Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=287

Issue 622: Update http_agent for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=622

Issue 623: Update ossec_agent for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=623

Issue 624: Update CapMe for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=624

Issue 625: Update NSM for Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=625

Issue 626: Update Setup for Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=626

Issue 491: Squert 1.5.0
https://code.google.com/p/security-onion/issues/detail?id=491

Issue 638: securityonion-ossec-rules: add rule to ignore Squert POST
https://code.google.com/p/security-onion/issues/detail?id=638

Release Notes
Please note that the Squert interface has changed quite a bit from the previous version.  In particular:

  • To drill into an event to see the payload of the event, click on the value in the Status (ST) column.
  • To generate a full pcap transcript, click on the value in the "Event ID" column.


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots
  • Updating packages using "sudo soup"
  • The new OSSEC rules package will prompt you to restart OSSEC
  • The new securityonion-sguil-sensor package will prompt you to restart sensor services
  • The new securityonion-sguil-server package will update your database and import your autocat rules
  • The new securityonion-sguil-server package will then prompt you to restart server services
  • The new securityonion-squert package will update your database
  • Restarting OSSEC using "sudo service ossec-hids-server restart"
  • Restarting server and sensor processes using "sudo service nsm restart"
  • The Sguil client is now updated to 0.9 and includes an AutoCat Rule Builder and an AutoCat Viewer
  • Squert has been updated to 1.5.0
  • Squert Event tab
  • In Squert, you can now pivot to ELSA
  • Pivoting from an IP address in Squert to an ELSA query for that IP
  • Squert now allows you to color-code IP addresses
  • Color-coded IP address
  • Squert AutoCat Viewer
  • Squert Summary tab including GeoIP mapping
  • Squert Views tab with Sankey diagram


Thanks
Thanks to the following for testing!
Eddy Simons
Mike Pilkington
Landon Lewis
David Zawdie


Tuesday, October 28, 2014

New securityonion-web-page package fixes an issue in the Apache configuration

Yesterday, we released a new version of the securityonion-web-page package:
http://blog.securityonion.net/2014/10/new-securityonion-web-page-and.html

That package updated the Apache configuration to disable SSLv3.  However, the package used "sed" to update /etc/apache2/mods-enabled/ssl.conf, which is a symlink to /etc/apache2/mods-available/ssl.conf.  When sed edits a symlink in place, it replaces the symlink with a regular-file copy and then makes its modifications to that copy, so the file in mods-available is left unchanged.  The broken symlink would have caused issues with future package updates, so I've released a new version of the securityonion-web-page package that fixes the symlink and updates the original file properly.
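To make the symlink pitfall concrete, here is an added shell example (my own, not the securityonion-web-page package's postinst) that reproduces it in a throwaway directory, shows the edit done correctly through the link target, and repairs a layout that was already broken. The directory layout, the SSLProtocol line and the function names are stand-ins for /etc/apache2/mods-available/ssl.conf and its mods-enabled symlink; it assumes GNU sed and readlink -f, as on Ubuntu.

```shell
#!/bin/sh
# Added example; not the securityonion-web-page postinst script itself.
# Reproduces how "sed -i" on a symlink replaces the link with a regular file
# (leaving the real file untouched), shows the edit done correctly through the
# link target, and repairs a layout that has already been broken.
# The directory layout and the SSLProtocol line are constructed stand-ins for
# /etc/apache2/mods-available/ssl.conf and its mods-enabled symlink.
# Assumes GNU sed and coreutils (readlink -f), as on Ubuntu.

# Build a throwaway Apache-style layout under a temp dir and print its path:
# the real file lives in mods-available, mods-enabled holds a symlink to it.
make_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/mods-available" "$root/mods-enabled"
    printf 'SSLProtocol all -SSLv2\n' > "$root/mods-available/ssl.conf"
    ln -s ../mods-available/ssl.conf "$root/mods-enabled/ssl.conf"
    echo "$root"
}

# Print "<kind of mods-enabled/ssl.conf> <real file edited: yes|no>", where
# kind is symlink, regular or missing. This is the state to inspect before
# and after any in-place edit of an Apache config.
layout_state() {
    path="$1/mods-enabled/ssl.conf"
    if [ -L "$path" ]; then kind=symlink
    elif [ -f "$path" ]; then kind=regular
    else kind=missing
    fi
    if grep -q -- '-SSLv3' "$1/mods-available/ssl.conf"; then edited=yes; else edited=no; fi
    echo "$kind $edited"
}

# The edit the original package made: disable SSLv3 by appending -SSLv3.
disable_sslv3_in() {
    sed -i 's/^SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/' "$1"
}

# Broken approach: run sed -i on the symlink. GNU sed writes a new file and
# renames it over the symlink path, so mods-enabled/ssl.conf becomes a regular
# file while mods-available/ssl.conf keeps the old directive.
edit_via_symlink() {
    disable_sslv3_in "$1/mods-enabled/ssl.conf"
}

# Correct approach: resolve the link first and edit the real file, so the
# symlink survives and both paths show the new directive.
edit_via_target() {
    disable_sslv3_in "$(readlink -f "$1/mods-enabled/ssl.conf")"
}

# Repair for a layout already broken by the first approach: the edited copy in
# mods-enabled carries the intended change, so move it over the real file and
# recreate the symlink.
repair_symlink() {
    enabled="$1/mods-enabled/ssl.conf"
    available="$1/mods-available/ssl.conf"
    if [ -f "$enabled" ] && [ ! -L "$enabled" ]; then
        mv "$enabled" "$available"
        ln -s ../mods-available/ssl.conf "$enabled"
    fi
}

# Walk through both approaches and print the resulting states.
demo() {
    r=$(make_layout)
    edit_via_symlink "$r"; echo "after sed -i on the symlink:      $(layout_state "$r")"
    repair_symlink "$r";   echo "after repairing the symlink:      $(layout_state "$r")"
    rm -rf "$r"
    r=$(make_layout)
    edit_via_target "$r";  echo "after sed -i on the link target:  $(layout_state "$r")"
    rm -rf "$r"
}

demo
```

GNU sed also accepts --follow-symlinks together with -i, which has the same effect as resolving the path yourself. Either way, the check worth adding to a package's test plan is the one layout_state performs: after the postinst has run, the entry in mods-enabled must still be a link (test -L) and the file in mods-available must carry the new directive.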

The new package version is as follows:

securityonion-web-page - 20141015-0ubuntu0securityonion7

Issues Resolved

Issue 640: securityonion-web-page: previous update broke ssl symlink
https://code.google.com/p/security-onion/issues/detail?id=629

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots
  • Updating using "sudo soup"
  • Verifying that the update fixed the ssl.conf symlink
  • Verifying that SSLProtocol excludes SSLv3
  • Restarting Apache using "sudo service apache2 restart"
  • Verifying that SSLv3 is disabled using "openssl s_client -connect localhost:443 -ssl3"

Thanks
Thanks to David Zawdie for testing!


Monday, October 27, 2014

New securityonion-web-page and securityonion-elsa-extras packages provide more SSL visibility

A vulnerability in SSLv3 was recently announced (nicknamed POODLE):
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://www.wired.com/2014/10/poodle-explained/
https://isc.sans.edu/diary/OpenSSL%3A+SSLv3+POODLE+Vulnerability+Official+Release/18827
https://www.imperialviolet.org/2014/10/14/poodle.html

In response to this, we recently added some SSLv3 queries:
http://blog.securityonion.net/2014/10/new-securityonion-web-page-package-adds.html

Today, we're adding some additional ELSA queries to allow you to see your SSL traffic grouped by version or by cipher.

  • SSL - Top SSL Versions
  • SSL - Top SSL Ciphers

Today's update will also reconfigure Security Onion's Apache instance to no longer accept connections using SSLv3.

The new package versions are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion45
securityonion-web-page - 20141015-0ubuntu0securityonion2

Issues Resolved

Issue 629: securityonion-web-page: disable SSLv3 in Apache ssl.conf
https://code.google.com/p/security-onion/issues/detail?id=629

Issue 627: securityonion-web-page: separate syslog-ng into program and host queries
https://code.google.com/p/security-onion/issues/detail?id=627

Issue 631: securityonion-web-page: collapse query categories by default
https://code.google.com/p/security-onion/issues/detail?id=631

Issue 634: securityonion-web-page: add queries for ssl_version and ssl_cipher
https://code.google.com/p/security-onion/issues/detail?id=634

Issue 633: securityonion-elsa-extras: parse ssl_version and ssl_cipher out of Bro ssl.log
https://code.google.com/p/security-onion/issues/detail?id=633

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots
  • Updating with "sudo soup"
  • Restarting Apache with "sudo service apache2 restart"
  • Verifying that Apache no longer accepts SSLv3 connections
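The Apache change in this post and the "Verifying that SSLProtocol excludes SSLv3" step in the October 28 post both come down to reading the SSLProtocol directive correctly, which is easy to get wrong because its tokens are order-sensitive. The following shell script is an added example (mine, not part of any Security Onion package) that reports the SSLv3 state of the effective SSLProtocol line in a config file, following mod_ssl's rules: all expands to SSLv3 plus the TLS versions, +tok and -tok add to or remove from the running set, and a bare token replaces the set; a missing directive is treated as Apache's default of all at the time of these posts. The sample configurations are constructed, and sslv3_state, write_conf and probe_sslv3 are names chosen for this example.

```shell
#!/bin/sh
# Added example; not part of Security Onion's packages. Audits an Apache
# ssl.conf for the effective SSLProtocol directive and reports whether SSLv3
# is still enabled, applying mod_ssl's token rules: "all" expands to SSLv3
# plus the TLS versions, "+tok"/"-tok" add or remove from the running set, and
# a bare token replaces the set. A missing directive falls back to Apache's
# default of "all" (the default when these posts were written). Sample
# configurations are constructed inline; function names are chosen here.

# Print "enabled" or "disabled" for SSLv3 under the last SSLProtocol directive
# in the file given as $1. Contexts such as <VirtualHost> are ignored, so run
# it against every file that sets the directive.
sslv3_state() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            n = split(line, w, /[ \t]+/)
            i = 1
            while (i <= n && w[i] == "") i++     # skip leading whitespace
            if (i > n || tolower(w[i]) != "sslprotocol") next
            seen = 1
            v3 = 0                               # running state for SSLv3
            for (j = i + 1; j <= n; j++) {
                t = tolower(w[j])
                if (t == "") continue
                act = substr(t, 1, 1)
                if (act == "+" || act == "-") t = substr(t, 2); else act = ""
                hits = (t == "all" || t == "sslv3")
                if (act == "-") { if (hits) v3 = 0 } else if (act == "+") { if (hits) v3 = 1 } else { v3 = hits }
            }
        }
        END { if (!seen) v3 = 1; print (v3 ? "enabled" : "disabled") }
    ' "$1"
}

# Write a constructed configuration to a temp file and print its path.
write_conf() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Live check (not exercised here): attempt an SSLv3-only handshake, as the
# "openssl s_client -connect localhost:443 -ssl3" screenshot does. A hardened
# server refuses and openssl exits non-zero. OpenSSL builds compiled without
# SSLv3 do not know the -ssl3 option at all, so detect that first rather than
# mistaking an option error for a refused handshake.
probe_sslv3() {   # $1 = host:port
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "$1: local openssl lacks SSLv3 support, cannot probe"; return 2
    fi
    if openssl s_client -connect "$1" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "$1: SSLv3 handshake ACCEPTED"; return 1
    else
        echo "$1: SSLv3 handshake refused"; return 0
    fi
}

# Walk through representative directives, including the order-sensitive
# mistake "-SSLv3 all", which re-enables SSLv3 because the bare "all" replaces
# the set built so far.
demo() {
    for conf in 'SSLProtocol all -SSLv2' \
                'SSLProtocol all -SSLv2 -SSLv3' \
                '    SSLProtocol -SSLv3 all' \
                'SSLProtocol TLSv1 TLSv1.1 TLSv1.2' \
                '# SSLProtocol all -SSLv3'; do
        f=$(write_conf "$conf")
        printf '%-40s SSLv3 %s\n' "$conf" "$(sslv3_state "$f")"
        rm -f "$f"
    done
}

demo
```

mod_ssl logs a warning when a bare token follows +/- tokens, but the server still starts, so the config audit above catches a class of mistake that a successful "sudo service apache2 restart" does not.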

Thanks
Thanks to Lee Sharp for providing the new collapsible query categories!
Thanks to Eddy Simons and David Zawdie for testing!


Wednesday, October 15, 2014

New securityonion-web-page package adds queries to monitor SSLv3

A vulnerability in SSLv3 was recently announced (nicknamed POODLE):
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://www.wired.com/2014/10/poodle-explained/
https://isc.sans.edu/diary/OpenSSL%3A+SSLv3+POODLE+Vulnerability+Official+Release/18827
https://www.imperialviolet.org/2014/10/14/poodle.html

I've added a couple of ELSA queries to help you monitor your network for SSLv3:

  • SSL - Top SSLv3 DST IPs

The new package version is as follows:

securityonion-web-page - 20120722-0ubuntu0securityonion26

Issues Resolved

Issue 628: securityonion-web-page: add ELSA queries for SSLv3
https://code.google.com/p/security-onion/issues/detail?id=628

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Training
Tomorrow is the LAST day to sign up for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/


Monday, October 6, 2014

OSSEC 2.8.1

OSSEC 2.8.1 was recently released:
http://www.ossec.net/?p=1135

Note that the comments on that post mention an additional patch, which has since been applied to OSSEC on GitHub:
https://github.com/ossec/ossec-hids/pull/315

I've packaged OSSEC 2.8.1 (with the patch from github) and also fixed a performance issue in our OSSEC configuration.  Our OSSEC configuration now uses a new script called /usr/bin/sostat-interface to detect if an interface hasn't received any packets within a specific time interval (10 minutes by default).
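As an added illustration of the interface check described above (this is not the sostat-interface script that the securityonion-sostat package ships), the following shell script compares an interface's cumulative rx_packets counter with the value saved on the previous run and reports an idle interface on a single log-style line. SYSFS_NET, STATE_DIR, check_interface and classify are names chosen for this example; the 10-minute schedule and the alerting belong to whatever runs it, which in the post is OSSEC.

```shell
#!/bin/sh
# Added example; not the /usr/bin/sostat-interface script that the
# securityonion-sostat package ships. Shows one way to do what the post
# describes: detect a sniffing interface that has received no packets since
# the previous check by comparing the kernel's cumulative rx_packets counter
# with the value saved on the last run. SYSFS_NET and STATE_DIR are knobs
# invented for this example so the check can run against a constructed
# directory; a scheduler (the post says OSSEC runs its check every 10 minutes)
# is expected to call check_interface once per interval.

SYSFS_NET=${SYSFS_NET:-/sys/class/net}
STATE_DIR=${STATE_DIR:-/var/tmp/iface-check}

# Read the cumulative received-packet counter for an interface (empty if the
# interface or counter does not exist).
rx_packets() {
    cat "$SYSFS_NET/$1/statistics/rx_packets" 2>/dev/null
}

# Compare the previous and current counter values. Prints one of:
#   first-run  no saved value yet, nothing to compare
#   idle       counter did not move, so no packets arrived in the interval
#   ok N       N packets received since the previous run
#   reset      counter went backwards (reboot or interface re-created)
classify() {   # $1 = previous count (may be empty), $2 = current count
    prev=$1
    cur=$2
    if [ -z "$prev" ]; then echo first-run
    elif [ "$cur" -lt "$prev" ]; then echo reset
    elif [ "$cur" -eq "$prev" ]; then echo idle
    else echo "ok $((cur - prev))"
    fi
}

# Check one interface, persist its counter for the next run and print a
# single line that a log monitor can match on. Returns 1 when the interface
# looks idle, 2 when the counter cannot be read, 0 otherwise.
check_interface() {
    iface=$1
    cur=$(rx_packets "$iface")
    if [ -z "$cur" ]; then
        echo "$iface: ERROR cannot read rx_packets under $SYSFS_NET"
        return 2
    fi
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$iface.rx_packets"
    prev=""
    if [ -f "$state" ]; then prev=$(cat "$state"); fi
    verdict=$(classify "$prev" "$cur")
    echo "$cur" > "$state"
    case $verdict in
        idle)
            echo "$iface: ALERT no packets received since last check (rx_packets=$cur)"
            return 1 ;;
        *)
            echo "$iface: $verdict (rx_packets=$cur)"
            return 0 ;;
    esac
}

# Stand-alone use: check each interface named on the command line, e.g.
#   sh iface-check.sh eth1 eth2
# and exit non-zero if any of them looks idle.
if [ $# -gt 0 ]; then
    status=0
    for iface in "$@"; do
        check_interface "$iface" || status=1
    done
    exit $status
fi
```

The first run can only record a baseline, and a counter that goes backwards means the interface was re-created or the box rebooted, so both are reported separately from a genuine idle interval rather than being folded into an alert or silently ignored.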

The new package versions are as follows:

ossec-hids-server - 2.8.1-ubuntu10securityonion8
securityonion-sostat - 20120722-0ubuntu0securityonion31

The new packages have been tested by the following (thanks!):
David Zawdie

UPDATE 20141006 13:01
Scott F. found an issue in the postinst script:
https://groups.google.com/d/topic/security-onion/5LbonKad-88/discussion

This issue has been resolved and additional error handling has been added.  The new package version is:
ossec-hids-server - 2.8.1-ubuntu10securityonion10

Issues Resolved

Issue 589: OSSEC 2.8.1
https://code.google.com/p/security-onion/issues/detail?id=589

Issue 621: sostat: add sostat-interface
https://code.google.com/p/security-onion/issues/detail?id=621

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

After installing the new OSSEC package, you'll need to double-check /var/ossec/etc/ossec.conf and add back any local customizations.  You can then restart OSSEC as follows:
sudo service ossec-hids-server restart

Screenshots
  • Update Process
  • After updating, add back any local customization to ossec.conf and then run "sudo service ossec-hids-server restart"
  • OSSEC now runs /usr/bin/sostat-interface every 10 minutes to check for interfaces not receiving any traffic
  • When OSSEC sees that an interface hasn't received any packets, it alerts
  • OSSEC alert in Sguil
  • sostat now reports on the number of packets received during the last monitoring interval

Training
Only 13 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/


Wednesday, October 1, 2014

New securityonion-bro-scripts and securityonion-web-page packages

As mentioned previously, Seth Hall has developed some comprehensive ShellShock detection scripts for Bro:
"This script detects successful exploitation of the Bash vulnerability with CVE-2014-6271 nicknamed "ShellShock". It's more comprehensive than most of the detections around in that it's watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability."

https://github.com/broala/bro-shellshock
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html
http://blog.securityonion.net/2014/09/securityonion-bro-scripts-now-detects.html

Seth has updated these scripts again today to "Add shellscripts as a post-exploit detection mechanism.":
https://github.com/broala/bro-shellshock/commit/4be009f9b7bf8ce9b99533cb4c7b8dd76aba87b7

I've updated the securityonion-bro-scripts package to include these changes.  I've also updated the securityonion-web-page package to include some ELSA queries for "ShellShock Exploits" and "ShellShock Scanners".

New package versions:
securityonion-bro-scripts - 20121004-0ubuntu0securityonion38
securityonion-web-page - 20120722-0ubuntu0securityonion25

Issues Resolved
Issue 618: securityonion-bro-scripts: ShellShock Add shellscripts as a post-exploit detection mechanism
https://code.google.com/p/security-onion/issues/detail?id=618

Issue 617: securityonion-web-page: add queries for Bro ShellShock Notices
https://code.google.com/p/security-onion/issues/detail?id=617

Issue 583: securityonion-web-page: update "All OSSEC Logs" query
https://code.google.com/p/security-onion/issues/detail?id=583

Issue 599: securityonion-web-page: highlight current ELSA query
https://code.google.com/p/security-onion/issues/detail?id=599

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

To apply the new Bro ShellShock detection, you'll need to restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro

Screenshots
  • Update Process
  • Restarting Bro with "sudo nsm_sensor_ps-restart --only-bro"
  • New ELSA Query for Notice - ShellShock Exploits
  • New ELSA Query for Notice - ShellShock Scanners

Training
Only 15 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

