http://www.ossec.net/?p=1135
Notice in the comments that there is an additional patch, which has now been applied to OSSEC on GitHub:
https://github.com/ossec/ossec-hids/pull/315
I've packaged OSSEC 2.8.1 (with the patch from github) and also fixed a performance issue in our OSSEC configuration. Our OSSEC configuration now uses a new script called /usr/bin/sostat-interface to detect if an interface hasn't received any packets within a specific time interval (10 minutes by default).
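The interface check described above works on a simple idea: read each monitored interface's receive counter, compare it with the value saved on the previous run, and report when the counter has not moved. The following script is an added example of that pattern, not Security Onion's own sostat-interface. It assumes the per-interface rx_packets counter is read from a sysfs-style directory (SYSFS_NET, default /sys/class/net) and that the previous reading is kept in a state file under STATE_DIR; both are hypothetical names chosen here so the check can also be run against constructed data. It also treats a counter that went backwards (interface re-created, counter reset) separately from a counter that did not move, so a reset does not look like a dead interface.

```shell
#!/bin/sh
# Added example of a "no packets received" interface check.
# Not Security Onion's sostat-interface; SYSFS_NET and STATE_DIR are assumed
# names so the functions can be pointed at constructed data for testing.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
STATE_DIR="${STATE_DIR:-/var/tmp/iface-check}"

# rx_packets IFACE -> prints the interface's cumulative received-packet count,
# or 0 when the counter file does not exist.
rx_packets() {
    cat "$SYSFS_NET/$1/statistics/rx_packets" 2>/dev/null || echo 0
}

# check_delta PREV CUR -> OK when packets arrived since the last run,
# NO_TRAFFIC when the counter did not move, RESET when it went backwards
# (interface re-created or counter reset), which should not raise an alert.
check_delta() {
    prev=$1
    cur=$2
    if [ "$cur" -gt "$prev" ]; then
        echo OK
    elif [ "$cur" -eq "$prev" ]; then
        echo NO_TRAFFIC
    else
        echo RESET
    fi
}

# check_iface IFACE -> compares the current count with the saved one, stores
# the new count, and prints one key=value line that an OSSEC rule can match on
# (for example on "status=NO_TRAFFIC"). The first run only records a baseline.
check_iface() {
    iface=$1
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$iface.rx"
    cur=$(rx_packets "$iface")
    prev=$(cat "$state" 2>/dev/null || echo "")
    echo "$cur" > "$state"
    if [ -z "$prev" ]; then
        echo "iface=$iface status=BASELINE rx_packets=$cur"
        return 0
    fi
    status=$(check_delta "$prev" "$cur")
    echo "iface=$iface status=$status rx_packets=$cur delta=$((cur - prev))"
}

# When run directly, check every interface named on the command line.
# Scheduling it every 10 minutes from OSSEC and matching the NO_TRAFFIC line
# with a rule gives the same kind of alert the post describes.
for iface in "$@"; do
    check_iface "$iface"
done
```

Because the script only emits a line per interface and leaves the decision to a rule, the same output can be consumed by OSSEC, cron with mail, or a quick manual run such as `sh iface-check.sh eth1 eth2`.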
The new package versions are as follows:
ossec-hids-server - 2.8.1-ubuntu10securityonion8
securityonion-sostat - 20120722-0ubuntu0securityonion31
The new packages have been tested by the following (thanks!):
David Zawdie
UPDATE 20141006 13:01
Scott F. found an issue in the postinst script:
https://groups.google.com/d/topic/security-onion/5LbonKad-88/discussion
This issue has been resolved and additional error handling has been added. The new package version is:
ossec-hids-server - 2.8.1-ubuntu10securityonion10
Issues Resolved
Issue 589: OSSEC 2.8.1
https://code.google.com/p/security-onion/issues/detail?id=589
Issue 621: sostat: add sostat-interface
https://code.google.com/p/security-onion/issues/detail?id=621
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
After installing the new OSSEC package, you'll need to double-check /var/ossec/etc/ossec.conf and add back any local customizations. You can then restart OSSEC as follows:
sudo service ossec-hids-server restart
Screenshots
Update Process
After updating, add back any local customization to ossec.conf and then run "sudo service ossec-hids-server restart"
OSSEC now runs /usr/bin/sostat-interface every 10 minutes to check for interfaces not receiving any traffic
When OSSEC sees that an interface hasn't received any packets, it alerts
OSSEC alert in Sguil
sostat now reports on the number of packets received during the last monitoring interval
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Training
Only 13 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/
Commercial Support
Need commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion
We also need help testing new packages:
http://groups.google.com/group/security-onion-testing
Thanks!