Monday, June 23, 2014

New securityonion-rule-update package resolves two issues

We recently released new barnyard2 and rule-update packages:
http://blog.securityonion.net/2014/06/new-barnyard2-nsm-rule-update-and.html 

Some folks have reported a few issues since updating to these new packages, so we're releasing a new version of rule-update which should help with these issues.

The first issue is that rule-update takes longer now.  Per the barnyard2 developers, all entries in the sig_reference table must be deleted when upgrading to this new version of barnyard2.  rule-update then uses barnyard2 to re-populate this table.  Depending on the size of your Snorby database, this may take a while.  The new version of rule-update (released today) will only do a full delete of the sig_reference table once, so subsequent runs of rule-update should be much faster.

The second issue is that users running the Snort engine with the VRT ruleset are experiencing barnyard2 failing with errors like "Returned signature_id is not equal to updated signature_id".  This is due to some wrong entries in the database left by the previous version of barnyard2.  One of the barnyard2 developers wrote a MySQL script to fix these entries and I've packaged it into a shell script called so-snorby-fix-sigs and included it in today's rule-update package.  If you're running the Snort engine with the VRT ruleset, please run so-snorby-fix-sigs and follow the directions (including shutting down all barnyard2 instances).

The updated package version is as follows:
securityonion-rule-update - 20120726-0ubuntu0securityonion20

This new package has been tested by the following (thanks!):
David Zawdie

Issues Resolved

Issue 556: rule-update: add so-snorby-fix-sigs script
https://code.google.com/p/security-onion/issues/detail?id=556

Issue 557: rule-update: only delete sig_reference table once
https://code.google.com/p/security-onion/issues/detail?id=557

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Want to learn more about Security Onion?  Check out our 2-day training class:
http://blog.securityonion.net/p/training_2.html

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

No comments:

Search This Blog

Featured Post

State of the Onion 2024

We usually have our State of the Onion at the annual Security Onion Conference, but we had to cancel the conference due to Hurricane Helene ...

Popular Posts

Blog Archive