Monday, October 6, 2014

OSSEC 2.8.1

OSSEC 2.8.1 was recently released:
http://www.ossec.net/?p=1135

Note that the comments on that post mention an additional patch, which has since been merged into OSSEC on GitHub:
https://github.com/ossec/ossec-hids/pull/315

I've packaged OSSEC 2.8.1 (with the patch from github) and also fixed a performance issue in our OSSEC configuration.  Our OSSEC configuration now uses a new script called /usr/bin/sostat-interface to detect if an interface hasn't received any packets within a specific time interval (10 minutes by default).
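Here is how a check of this kind can be wired up, as an added example and not the securityonion-sostat script itself: a POSIX shell script that parses the RX packet counter for a sniffing interface out of /proc/net/dev, compares it with the value saved on the previous run, and prints a line only when the counter has not moved. The /proc/net/dev snapshots are constructed, and the ossec.conf localfile entry and local rule shown in the comments (script path, rule id 100100, level 7) are illustrative assumptions; the frequency of 600 seconds matches the 10-minute default mentioned above.

```shell
#!/bin/sh
# Added example (not the securityonion-sostat script): report a sniffing
# interface whose RX packet counter has not moved since the previous run.
#
# OSSEC can run it every 10 minutes through a localfile entry in ossec.conf
# (path and frequency here are assumptions; 600 s is the 10-minute default):
#   <localfile>
#     <log_format>command</log_format>
#     <command>/usr/local/bin/check-sniff-iface eth1</command>
#     <frequency>600</frequency>
#   </localfile>
# and alert on the output with a local rule (id and level are hypothetical;
# 530 is OSSEC's base rule for "ossec: output: ..." events):
#   <rule id="100100" level="7">
#     <if_sid>530</if_sid>
#     <match>NO PACKETS received</match>
#     <description>Sniffing interface received no packets in the last interval.</description>
#   </rule>
# Each line printed becomes one event, so the script stays silent when the
# interface is healthy and an alert is raised only when it stalls.

# Constructed /proc/net/dev snapshots (not real captures). eth1 is the
# sniffing interface; eth2 shows the older "name:bytes" layout with no space
# after the colon, which the parser must also accept.
SAMPLE_T0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1024      16    0    0    0     0          0         0     1024      16    0    0    0     0       0          0
  eth0:  987654    4321    0    0    0     0          0         0   456789    3210    0    0    0     0       0          0
  eth1: 5551212   12345    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth2:12345678    9999    0    0    0     0          0         0        0       0    0    0    0     0       0          0'
# Ten minutes later: eth1 has received 655 more packets.
SAMPLE_T1=$(printf '%s\n' "$SAMPLE_T0" | sed 's/eth1: 5551212   12345/eth1: 6000000   13000/')

# rx_packets IFACE DEVTEXT
# Print the RX packet count (2nd value after the colon) for IFACE from
# /proc/net/dev-formatted text; exit 1 if the interface is not listed.
rx_packets() {
    printf '%s\n' "$2" | awk -F: -v iface="$1" '
        { name = $1; gsub(/ /, "", name) }
        name == iface { split($2, f, " "); print f[2]; found = 1 }
        END { if (!found) exit 1 }'
}

# interface_stalled PREV CUR
# True when no packets arrived between the two samples. A counter that went
# backwards means it was reset (reboot, interface bounced); call that a
# stall only if nothing has arrived since the reset.
interface_stalled() {
    if [ "$2" -lt "$1" ]; then
        [ "$2" -eq 0 ]
    else
        [ "$2" -eq "$1" ]
    fi
}

# check_interface IFACE STATEFILE DEVTEXT
# Compare the current count with the one saved at the previous run, save the
# new value, and print one line only when the interface has stalled (or is
# missing). The first run only records a baseline. STATEFILE must be writable
# by the account OSSEC runs the command as.
check_interface() {
    if ! cur=$(rx_packets "$1" "$3"); then
        echo "$1: interface not found in /proc/net/dev"
        return 0
    fi
    prev=''
    [ -r "$2" ] && prev=$(cat "$2")
    case "$prev" in
        ''|*[!0-9]*) prev='' ;;   # no or corrupt baseline: treat as first run
    esac
    if [ -n "$prev" ] && interface_stalled "$prev" "$cur"; then
        echo "$1: NO PACKETS received in the last interval (rx_packets=$cur)"
    fi
    echo "$cur" > "$2"
    return 0
}

# Run against the live kernel counters when given an interface name, e.g.
#   check-sniff-iface eth1 [/var/tmp/rx-eth1.prev]
if [ $# -gt 0 ] && [ -r /proc/net/dev ]; then
    check_interface "$1" "${2:-/var/tmp/rx-$1.prev}" "$(cat /proc/net/dev)"
fi
```

Because OSSEC's command log format turns every printed line into an event, a script that is silent while the interface is healthy produces an alert only on the stall; the interval between samples is whatever frequency the localfile entry sets, so the check answers "no packets in the last N seconds" rather than "no packets ever".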

The new package versions are as follows:

ossec-hids-server - 2.8.1-ubuntu10securityonion8
securityonion-sostat - 20120722-0ubuntu0securityonion31

The new packages have been tested by the following (thanks!):
David Zawdie

UPDATE 20141006 13:01
Scott F. found an issue in the postinst script:
https://groups.google.com/d/topic/security-onion/5LbonKad-88/discussion

This issue has been resolved and additional error handling has been added.  The new package version is:
ossec-hids-server - 2.8.1-ubuntu10securityonion10

Issues Resolved

Issue 589: OSSEC 2.8.1
https://code.google.com/p/security-onion/issues/detail?id=589

Issue 621: sostat: add sostat-interface
https://code.google.com/p/security-onion/issues/detail?id=621

Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

The update can overwrite local changes to /var/ossec/etc/ossec.conf, so after installing the new OSSEC package, compare the new file with a copy of your previous one and add back any local customizations.  You can then restart OSSEC as follows:
sudo service ossec-hids-server restart

Screenshots

Update Process

After updating, add back any local customization to ossec.conf and then run "sudo service ossec-hids-server restart"

OSSEC now runs /usr/bin/sostat-interface every 10 minutes to check for interfaces not receiving any traffic

When OSSEC sees that an interface hasn't received any packets, it alerts

OSSEC alert in Sguil

sostat now reports on the number of packets received during the last monitoring interval


Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Training
Only 13 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!
