Wednesday, October 1, 2014

New securityonion-bro-scripts and securityonion-web-page packages

As mentioned previously, Seth Hall has developed some comprehensive ShellShock detection scripts for Bro:
"This script detects successful exploitation of the Bash vulnerability with CVE-2014-6271 nicknamed "ShellShock". It's more comprehensive than most of the detections around in that it's watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability."

https://github.com/broala/bro-shellshock
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html
http://blog.securityonion.net/2014/09/securityonion-bro-scripts-now-detects.html

Seth has updated these scripts again today to "Add shellscripts as a post-exploit detection mechanism.":
https://github.com/broala/bro-shellshock/commit/4be009f9b7bf8ce9b99533cb4c7b8dd76aba87b7

I've updated the securityonion-bro-scripts package to include these changes.  I've also updated the securityonion-web-page package to include some ELSA queries for "ShellShock Exploits" and "ShellShock Scanners".

New package versions:
securityonion-bro-scripts - 20121004-0ubuntu0securityonion38
securityonion-web-page - 20120722-0ubuntu0securityonion25

Issues Resolved
Issue 618: securityonion-bro-scripts: ShellShock Add shellscripts as a post-exploit detection mechanism
https://code.google.com/p/security-onion/issues/detail?id=618

Issue 617: securityonion-web-page: add queries for Bro ShellShock Notices
https://code.google.com/p/security-onion/issues/detail?id=617

Issue 583: securityonion-web-page: update "All OSSEC Logs" query
https://code.google.com/p/security-onion/issues/detail?id=583

Issue 599: securityonion-web-page: highlight current ELSA query
https://code.google.com/p/security-onion/issues/detail?id=599

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

To apply the new Bro ShellShock detection, you'll need to restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro

Screenshots
Update Process

Restarting Bro with "sudo nsm_sensor_ps-restart --only-bro"



New ELSA Query for Notice - ShellShock Exploits

New ELSA Query for Notice - ShellShock Scanners


Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Only 15 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.