Wednesday, October 29, 2014

Sguil 0.9 and Squert 1.5.0 now available!

Sguil 0.9 and Squert 1.5.0 were recently released:
http://sourceforge.net/p/sguil/mailman/message/32230854/
http://www.squertproject.org/summaryofchangesforsquertversion130
http://www.squertproject.org/summaryofchangesforsquertversion140
http://www.squertproject.org/summaryofchangesforsquertversion150

I've updated our packages to include both of these releases.  The new package versions are as follows:

securityonion-capme - 20121213-0ubuntu0securityonion20
securityonion-http-agent - 0.3.1-0ubuntu0securityonion6
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion88
securityonion-ossec-rules - 20120726-0ubuntu0securityonion4
securityonion-setup - 20120912-0ubuntu0securityonion125
securityonion-sguil-agent-ossec - 20120726-0ubuntu0securityonion4
securityonion-sguil-client - 20141004-0ubuntu0securityonion7
securityonion-sguil-sensor - 20141004-0ubuntu0securityonion7
securityonion-sguil-server - 20141004-0ubuntu0securityonion7
securityonion-squert - 20141015-0ubuntu0securityonion3

Issues Resolved

Issue 287: Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=287

Issue 622: Update http_agent for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=622

Issue 623: Update ossec_agent for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=623

Issue 624: Update CapMe for Sguil 0.9 and move from SSL to TLS
https://code.google.com/p/security-onion/issues/detail?id=624

Issue 625: Update NSM for Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=625

Issue 626: Update Setup for Sguil 0.9
https://code.google.com/p/security-onion/issues/detail?id=626

Issue 491: Squert 1.5.0
https://code.google.com/p/security-onion/issues/detail?id=491

Issue 638: securityonion-ossec-rules: add rule to ignore Squert POST
https://code.google.com/p/security-onion/issues/detail?id=638

Release Notes
Please note that the Squert interface has changed quite a bit from the previous version.  In particular:

  • To drill into an event to see the payload of the event, click on the value in the Status (ST) column.
  • To generate a full pcap transcript, click on the value in the "Event ID" column.


Updating
The new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

The update runs through the following steps:

  • Update packages using "sudo soup".
  • The new OSSEC rules package will prompt you to restart OSSEC.
  • The new securityonion-sguil-sensor package will prompt you to restart sensor services.
  • The new securityonion-sguil-server package will update your database, import your autocat rules, and then prompt you to restart server services.
  • The new securityonion-squert package will update your database.
  • Restart OSSEC using "sudo service ossec-hids-server restart".
  • Restart server and sensor processes using "sudo service nsm restart".
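After soup and the service restarts, it is worth confirming that every package named in this post actually landed at the announced version rather than trusting the prompts. The following POSIX shell check is an added example and is not code from the Security Onion project or its packages; it assumes the listing is produced by dpkg-query on the sensor/server in the "package version" format shown in the comment, and the sample listing it runs against is constructed (the earlier squert revision in it is made up for illustration).

```shell
#!/bin/sh
# Added example, not code from the Security Onion project: after "sudo soup"
# and the service restarts, confirm every package named in the announcement
# is installed at the announced version.
#
# Input is one "package version" line per package, the format produced by:
#   dpkg-query -W -f='${Package} ${Version}\n' 'securityonion-*'

# Versions copied from the announcement above.
expected_versions() {
    cat <<'EOF'
securityonion-capme 20121213-0ubuntu0securityonion20
securityonion-http-agent 0.3.1-0ubuntu0securityonion6
securityonion-nsmnow-admin-scripts 20120724-0ubuntu0securityonion88
securityonion-ossec-rules 20120726-0ubuntu0securityonion4
securityonion-setup 20120912-0ubuntu0securityonion125
securityonion-sguil-agent-ossec 20120726-0ubuntu0securityonion4
securityonion-sguil-client 20141004-0ubuntu0securityonion7
securityonion-sguil-sensor 20141004-0ubuntu0securityonion7
securityonion-sguil-server 20141004-0ubuntu0securityonion7
securityonion-squert 20141015-0ubuntu0securityonion3
EOF
}

# check_versions LISTING
# Prints one OK / STALE / MISSING line per expected package and returns 0
# only when every package is present at the announced version.  The loop is
# fed by a here-document rather than a pipe so the counter survives it.
check_versions() {
    listing="$1"
    failures=0
    while read -r pkg want; do
        have=$(awk -v p="$pkg" '$1 == p { print $2; exit }' "$listing")
        if [ -z "$have" ]; then
            echo "MISSING $pkg (expected $want)"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            echo "STALE   $pkg installed $have, expected $want"
            failures=$((failures + 1))
        else
            echo "OK      $pkg $have"
        fi
    done <<EOF
$(expected_versions)
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample listing, not taken from a real sensor: squert is still on
# a made-up earlier package revision and the OSSEC rules package is absent.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
securityonion-capme 20121213-0ubuntu0securityonion20
securityonion-http-agent 0.3.1-0ubuntu0securityonion6
securityonion-nsmnow-admin-scripts 20120724-0ubuntu0securityonion88
securityonion-setup 20120912-0ubuntu0securityonion125
securityonion-sguil-agent-ossec 20120726-0ubuntu0securityonion4
securityonion-sguil-client 20141004-0ubuntu0securityonion7
securityonion-sguil-sensor 20141004-0ubuntu0securityonion7
securityonion-sguil-server 20141004-0ubuntu0securityonion7
securityonion-squert 20141015-0ubuntu0securityonion2
EOF

if check_versions "$SAMPLE_LISTING"; then
    echo "all announced packages installed"
else
    echo "upgrade incomplete: re-run sudo soup and check the output above"
fi
```

On a real box, replace the constructed file with the dpkg-query output from the comment and run check_versions against it; a STALE or MISSING line means soup did not finish, or the box is pointed at a repo that has not picked up the new packages yet.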
What's New
The Sguil client is now updated to 0.9 and includes:

  • an AutoCat Rule Builder
  • an AutoCat Viewer

Squert has been updated to 1.5.0 and includes:

  • the Event tab (see the Release Notes above for the new drill-down and transcript actions)
  • pivoting to ELSA, for example from an IP address in Squert to an ELSA query for that IP
  • color-coded IP addresses
  • an AutoCat Viewer
  • a Summary tab including GeoIP mapping
  • a Views tab with a Sankey Diagram

Thanks
Thanks to the following for testing!
Eddy Simons
Mike Pilkington
Landon Lewis
David Zawdie

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion

We also need help testing new packages:
http://groups.google.com/group/security-onion-testing

Thanks!
