Monday, June 16, 2014

New Barnyard2, NSM, rule-update, and securityonion-server packages

You may have noticed previously that when barnyard2 started up, it would consume a large amount of CPU (on both the sensor and the server) for a while (more than a minute in some cases) while it updated Snorby's reference table.  Multiply this by several barnyard instances per interface and several interfaces per physical sensor and you now have multiple instances fighting each other for scarce CPU resources.

To alleviate this, the barnyard2 folks introduced a new option called disable_signature_reference_table that allows you to disable the reference table update on all sensors, leaving just one barnyard2 instance on the server itself to update Snorby's reference table, avoiding the duplication of effort.  I packaged the latest version of barnyard2 (version 2.1.13 Build 333) which contains this option and also updated the NSM scripts to add the new option to all barnyard2.conf files on all sensors. rule-update has been modified such that right after the master downloads new rules from the Internet, it will use barnyard2 to update Snorby's reference table.  Finally, since we're now forcing the server to use barnyard2 to update Snorby's reference table, I updated the securityonion-server metapackage to require securityonion-barnyard2 as a dependency.
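As an added example (not part of the Security Onion packages or the NSM scripts), the following shell script audits a tree of sensor barnyard2.conf files and appends the option where it is missing, so that no sensor instance rebuilds Snorby's reference table. It assumes the barnyard2 directive syntax config disable_signature_reference_table and the /etc/nsm/<sensor>/barnyard2.conf layout; the sample configs are constructed.

```bash
# Added example, not part of the Security Onion NSM scripts. Audits every
# <sensor>/barnyard2.conf under an NSM root and appends the directive
# "config disable_signature_reference_table" where it is missing, so only
# the server's own barnyard2 instance rebuilds Snorby's reference table.
# Assumed: that directive syntax and the /etc/nsm/<sensor>/ layout.
set -eu

OPTION_LINE='config disable_signature_reference_table'

# 0 if the config already carries the directive (uncommented), 1 otherwise.
has_option() {
    grep -Eq "^[[:space:]]*${OPTION_LINE}[[:space:]]*$" "$1"
}

# Append the directive to one config if absent; safe to run repeatedly.
ensure_option() {
    if has_option "$1"; then
        echo "OK    $1"
        return 0
    fi
    printf '\n# only the server instance updates the reference table\n%s\n' \
        "$OPTION_LINE" >> "$1"
    echo "ADDED $1"
}

# Fix every sensor config under the root; print how many needed the change.
fix_all() {
    root="$1"; fixed=0
    for conf in "$root"/*/barnyard2.conf; do
        [ -f "$conf" ] || continue
        if ! has_option "$conf"; then
            ensure_option "$conf" >/dev/null
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Constructed sample sensor tree standing in for /etc/nsm: one config
# without the directive (the old CPU-hungry default) and one that has it.
NSM_ROOT="$(mktemp -d)"
mkdir -p "$NSM_ROOT/sensor1-eth1" "$NSM_ROOT/sensor1-eth2"
printf 'config hostname: sensor1\nconfig interface: eth1\n' \
    > "$NSM_ROOT/sensor1-eth1/barnyard2.conf"
printf 'config hostname: sensor1\nconfig interface: eth2\n%s\n' "$OPTION_LINE" \
    > "$NSM_ROOT/sensor1-eth2/barnyard2.conf"

FIXED_COUNT="$(fix_all "$NSM_ROOT")"
echo "sensor configs updated: $FIXED_COUNT"   # 1 on the sample tree
```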

The updated package versions are as follows:
securityonion-barnyard2 - 20140531-0ubuntu0securityonion1
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion76
securityonion-rule-update - 20120726-0ubuntu0securityonion15
securityonion-server - 20120722-0ubuntu0securityonion11

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie
Kevin Branch

Issues Resolved
Issue 294: Barnyard2-1.13
https://code.google.com/p/security-onion/issues/detail?id=294

Issue 550: securityonion-server: add barnyard2 as a dependency
https://code.google.com/p/security-onion/issues/detail?id=550

Issue 411: NSM: have only one copy of barnyard2 that updates signature reference table
https://code.google.com/p/security-onion/issues/detail?id=411

Issue 551: rule-update: have server use barnyard2 to update Snorby reference table
https://code.google.com/p/security-onion/issues/detail?id=551

Issue 399: rule-update should allow LOCAL_NIDS_RULE_TUNING to be yes or true
https://code.google.com/p/security-onion/issues/detail?id=399

Issue 544: rule-update: notify user if LOCAL_NIDS_RULE_TUNING=true
https://code.google.com/p/security-onion/issues/detail?id=544

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to get the most out of your Security Onion deployment?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

2 comments:

Hurgh said...

Hi Doug,

So does this mean we should go and modify all our barnyard2 config files and add "disable_signature_reference_table"?

I noticed now that when I run "rule-update" it runs a barnyard2 instance with a separate config file. Also, this now takes an extremely long time; is there any way to speed this up?

Thanks

Doug Burks said...

Hi Hurgh,

No, you do not need to manually modify your barnyard2 config files to add "disable_signature_reference_table". As mentioned in the blog post, the updated NSM scripts should automatically do that for you.

Yes, rule-update now runs its own barnyard2 instance (also mentioned in the blog post).

We have an updated version of rule-update coming soon which should speed this up.

If you have any further questions or problems, please use our mailing list.

Thanks,
Doug
