To alleviate this, the barnyard2 folks introduced a new option called disable_signature_reference_table that allows you to disable the reference table update on all sensors, leaving just one barnyard2 instance on the server itself to update Snorby's reference table, avoiding the duplication of effort. I packaged the latest version of barnyard2 (version 2.1.13 Build 333) which contains this option and also updated the NSM scripts to add the new option to all barnyard2.conf files on all sensors. rule-update has been modified such that right after the master downloads new rules from the Internet, it will use barnyard2 to update Snorby's reference table. Finally, since we're now forcing the server to use barnyard2 to update Snorby's reference table, I updated the securityonion-server metapackage to require securityonion-barnyard2 as a dependency.
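As an added check (not part of the Security Onion packages or NSM scripts), the following script reports which sensor barnyard2.conf files already carry the new directive, so you can confirm the NSM scripts applied it rather than editing by hand. It assumes the /etc/nsm/<sensor>/barnyard2.conf layout and barnyard2's "config <option>" line form for the directive.

```shell
#!/bin/sh
# Added audit helper, not part of the Security Onion NSM scripts.
# Assumptions: sensor configs live at $NSM_DIR/<sensor>/barnyard2.conf
# (default /etc/nsm) and the directive is written in barnyard2's
# "config <option>" form, i.e. "config disable_signature_reference_table".

# Succeeds (exit 0) when the file has the directive on an uncommented line;
# a commented-out "# config disable_signature_reference_table" does not count.
has_disable_ref_table() {
    grep -Eq '^[[:space:]]*config[[:space:]]+disable_signature_reference_table([[:space:]]|$)' "$1"
}

# Prints "<path> OK" or "<path> MISSING" for each sensor config and returns
# the number of configs still missing the directive (0 means every sensor
# leaves the Snorby reference-table update to the server's rule-update run).
audit_barnyard2_configs() {
    nsm_dir="${1:-/etc/nsm}"
    missing=0
    for conf in "$nsm_dir"/*/barnyard2.conf; do
        [ -f "$conf" ] || continue
        if has_disable_ref_table "$conf"; then
            echo "$conf OK"
        else
            echo "$conf MISSING"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# When run directly, the exit status is the count of configs needing attention.
audit_barnyard2_configs "${1:-/etc/nsm}"
```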
The updated package versions are as follows:
securityonion-barnyard2 - 20140531-0ubuntu0securityonion1
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion76
securityonion-rule-update - 20120726-0ubuntu0securityonion15
securityonion-server - 20120722-0ubuntu0securityonion11
These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie
Kevin Branch
Issues Resolved
Issue 294: Barnyard2-1.13
https://code.google.com/p/security-onion/issues/detail?id=294
Issue 550: securityonion-server: add barnyard2 as a dependency
https://code.google.com/p/security-onion/issues/detail?id=550
Issue 411: NSM: have only one copy of barnyard2 that updates signature reference table
https://code.google.com/p/security-onion/issues/detail?id=411
Issue 551: rule-update: have server use barnyard2 to update Snorby reference table
https://code.google.com/p/security-onion/issues/detail?id=551
Issue 399: rule-update should allow LOCAL_NIDS_RULE_TUNING to be yes or true
https://code.google.com/p/security-onion/issues/detail?id=399
Issue 544: rule-update: notify user if LOCAL_NIDS_RULE_TUNING=true
https://code.google.com/p/security-onion/issues/detail?id=544
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Training
Want to get the most out of your Security Onion deployment? Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion
We also need help testing new packages:
http://groups.google.com/group/security-onion-testing
Thanks!
2 comments:
Hi Doug,
So does this mean we should go and modify all our barnyard2 config files and add "disable_signature_reference_table"?
I noticed now that when I run "rule-update" it runs a barnyard2 instance with a separate config file. Also, this now takes an extremely long time; is there any way to speed this up?
Thanks
Hi Hurgh,
No, you do not need to manually modify your barnyard2 config files to add "disable_signature_reference_table". As mentioned in the blog post, the updated NSM scripts should automatically do that for you.
Yes, rule-update now runs its own barnyard2 instance (also mentioned in the blog post).
We have an updated version of rule-update coming soon which should speed this up.
If you have any further questions or problems, please use our mailing list.
Thanks,
Doug