Monday, October 27, 2014

New securityonion-web-page and securityonion-elsa-extras packages provide more SSL visibility

A vulnerability in SSLv3 was recently announced (nicknamed POODLE):
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://www.wired.com/2014/10/poodle-explained/
https://isc.sans.edu/diary/OpenSSL%3A+SSLv3+POODLE+Vulnerability+Official+Release/18827
https://www.imperialviolet.org/2014/10/14/poodle.html

In response to this, we recently added some SSLv3 queries:
http://blog.securityonion.net/2014/10/new-securityonion-web-page-package-adds.html

Today, we're adding some additional ELSA queries to allow you to see your SSL traffic grouped by version or by cipher.

SSL - Top SSL Versions

SSL - Top SSL Ciphers

Today's update will also reconfigure Security Onion's Apache instance to no longer accept connections using SSLv3.

The new package versions are as follows:

securityonion-elsa-extras - 20131117-1ubuntu0securityonion45
securityonion-web-page - 20141015-0ubuntu0securityonion2

Issues Resolved

Issue 629: securityonion-web-page: disable SSLv3 in Apache ssl.conf
https://code.google.com/p/security-onion/issues/detail?id=629

Issue 627: securityonion-web-page: separate syslog-ng into program and host queries
https://code.google.com/p/security-onion/issues/detail?id=627

Issue 631: securityonion-web-page: collapse query categories by default
https://code.google.com/p/security-onion/issues/detail?id=631

Issue 634: securityonion-web-page: add queries for ssl_version and ssl_cipher
https://code.google.com/p/security-onion/issues/detail?id=634

Issue 633: securityonion-elsa-extras: parse ssl_version and ssl_cipher out of Bro ssl.log
https://code.google.com/p/security-onion/issues/detail?id=633

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Updating with "sudo soup"

Restarting Apache with "sudo service apache2 restart"

Verifying that Apache no longer accepts SSLv3 connections

Thanks
Thanks to Lee Sharp for providing the new collapsible query categories!
Thanks to Eddy Simons and David Zawdie for testing!

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.