I've updated our packages to reflect the latest version of ELSA:
securityonion-capme - 20121213-0ubuntu0securityonion21
securityonion-elsa - 1205-1ubuntu0securityonion4
securityonion-elsa-extras - 20131117-1ubuntu0securityonion88
securityonion-libdata-google-visualization-datatable-perl - 0.11-0ubuntu0securityonion1
securityonion-libdata-serializable-perl - 0.41.0-0ubuntu0securityonion1
securityonion-libmodule-pluggable-perl - 5.1-0ubuntu0securityonion1
securityonion-libmoosex-classattribute-perl - 0.27-0ubuntu0securityonion1
securityonion-libnet-ldap-express-perl - 0.12-0ubuntu0securityonion1
securityonion-libnet-openssh-perl - 0.64-0ubuntu0securityonion1
securityonion-libplack-builder-conditionals-perl - 0.05-0ubuntu0securityonion4
securityonion-libplack-middleware-crossorigin-perl - 0.012-0ubunt0securityonion3
securityonion-libsearch-queryparser-sql-perl - 0.010-0ubuntu0securityonion2
securityonion-libsocket-perl - 2.019-0ubuntu0securityonion2
securityonion-libsys-hostname-fqdn-perl - 0.12-0ubuntu0securityonion2
securityonion-libtime-hires-perl - 1.9726-0ubuntu0securityonion2
securityonion-liburi-encode-perl - 1.0.1-0ubuntu0securityonion1
securityonion-liburl-encode-perl - 0.03-0ubuntu0securityonion1
securityonion-setup - 20120912-0ubuntu0securityonion141
securityonion-web-page - 20141015-0ubuntu0securityonion25
These new packages resolve the following issues:
Issue 657: ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/657
ELSA revision 1205 fixes many bugs present in the previous revision we shipped.
Issue 447: ELSA syslog-ng.conf rewrite r_pipes
https://github.com/Security-Onion-Solutions/security-onion/issues/447
Syslog-ng will now rewrite any vertical pipes found in Bro logs before they reach ELSA. ELSA's Bro parsers treat the vertical pipe as the field delimiter, so a literal pipe inside a field (for example in a URI) would shift every field after it and break parsing.
Issue 512: ELSA syslog-ng.conf filter f_bro_headers
https://github.com/Security-Onion-Solutions/security-onion/issues/512
Syslog-ng will now filter out the "#"-prefixed header lines (#separator, #fields, #types, #close, and so on) that Bro writes in each log, so they are no longer indexed as if they were log events.
Issue 726: ELSA syslog-ng.conf - add filesystem destinations
https://github.com/Security-Onion-Solutions/security-onion/issues/726
Syslog-ng will now output some logs to their standard filesystem locations. This allows OSSEC to monitor those logs and detect, for example, SSH brute forcing.
Issue 674: ELSA - update bro_notice parser to parse src and dst fields
https://github.com/Security-Onion-Solutions/security-onion/issues/674
Syslog-ng will now parse src and dst fields out of Bro Notices.
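The three syslog-ng changes above (r_pipes, f_bro_headers and the bro_notice src/dst parsing) are easiest to see on a small log excerpt. The following is an added shell example that models those transformations with grep, sed and awk; it is not Security Onion's syslog-ng.conf or ELSA's parser. The notice.log lines are constructed, the replacement character "_" for pipes is an assumption, and the tab-to-pipe conversion stands in for the pipe-delimited record ELSA's Bro parsers expect.

```shell
#!/bin/sh
# Added example (not Security Onion's syslog-ng.conf): model the three
# transformations applied to Bro logs before ELSA parses them:
#   1. drop the '#'-prefixed header lines Bro writes in each log,
#   2. replace literal vertical pipes inside fields, so the pipe-delimited
#      record ELSA sees keeps its field count, and
#   3. pull src and dst out of a notice.log record by column name.
# Replacement character '_' and the tab-to-pipe step are assumptions.

# Constructed notice.log excerpt, tab-separated as Bro writes it. The
# 'msg' column of the first record carries a literal '|' on purpose.
SAMPLE_NOTICE_LOG=$(
  printf '#separator \\x09\n'
  printf '#set_separator\t,\n'
  printf '#fields\tts\tuid\tsrc\tdst\tp\tnote\tmsg\n'
  printf '#types\ttime\tstring\taddr\taddr\tport\tenum\tstring\n'
  printf '1413400000.000000\tCjR1Zq3x\t10.0.0.5\t192.0.2.10\t80\tHTTP::Suspicious\tGET /a|b.jar\n'
  printf '1413400001.000000\tCdX9Kw2y\t198.51.100.7\t10.0.0.5\t22\tScan::Port_Scan\t198.51.100.7 scanned 10.0.0.5\n'
  printf '#close\t2014-10-15-23-59-59\n'
)

# 1. f_bro_headers: keep only data lines.
strip_bro_headers() {
    grep -v '^#'
}

# 2. r_pipes: replace every literal '|' in the record with '_'.
#    Must run BEFORE the record is converted to pipe-delimited form.
rewrite_pipes() {
    sed 's/|/_/g'
}

# Turn a tab-separated Bro record into the pipe-delimited form ELSA parses.
to_pipe_delimited() {
    tr '\t' '|'
}

# 3. Extract src and dst from notice.log by column name. The #fields header
#    maps names to column numbers, so this survives column reordering.
#    Prints "src dst" for each data line.
notice_src_dst() {
    awk -F'\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }
        { print $(col["src"]), $(col["dst"]) }'
}

# Count pipe-separated fields per line, to show why r_pipes matters.
field_count() {
    awk -F'|' '{ print NF }'
}

# Stand-alone demo: field counts without and with r_pipes, then src/dst pairs.
printf '%s\n' "$SAMPLE_NOTICE_LOG" | strip_bro_headers | to_pipe_delimited | field_count
printf '%s\n' "$SAMPLE_NOTICE_LOG" | strip_bro_headers | rewrite_pipes | to_pipe_delimited | field_count
printf '%s\n' "$SAMPLE_NOTICE_LOG" | notice_src_dst
```

The first record has seven columns but counts as eight pipe-delimited fields until the pipe in the URI is rewritten; that off-by-one is exactly what shifted fields in the old parser. Reading column positions from the #fields header rather than hard-coding them is also what keeps a src/dst extractor working when the notice.log layout changes between Bro versions.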
Issue 722: securityonion-web-page: update HTTP mime type queries for ELSA 1205
https://github.com/Security-Onion-Solutions/security-onion/issues/722
This fixes some of the existing ELSA queries to work with ELSA 1205 and also adds some new queries.
Issue 723: CapMe: Update for new ELSA API
https://github.com/Security-Onion-Solutions/security-onion/issues/723
CapME now queries the ELSA JSON API and also handles error conditions much more gracefully.
Issue 500: sosetup: restart starman
https://github.com/Security-Onion-Solutions/security-onion/issues/500
When running Setup and choosing sensor-only, starman should now restart properly.
Issue 504: sosetup: avoid writing ELSA_PORT twice in SSH_CONF
https://github.com/Security-Onion-Solutions/security-onion/issues/504
When running Setup and choosing sensor-only, Setup should only write ELSA_PORT in SSH_CONF once.
Issue 547: sosetup: if enabling salt on a sensor, check top.sls to make sure it doesn't already exist
https://github.com/Security-Onion-Solutions/security-onion/issues/547
When re-running Setup on a sensor, it should no longer duplicate the sensor's entry in top.sls on the master server.
Issue 740: sosetup: sensor should use sudo to restart apache on master
https://github.com/Security-Onion-Solutions/security-onion/issues/740
When running Setup and choosing sensor-only and selecting to update the ELSA server, it should now properly restart Apache on the master server using sudo.
Issue 741: sosetup: sometimes local salt-minion doesn't check in with local salt-master quickly enough
https://github.com/Security-Onion-Solutions/security-onion/issues/741
When running Setup and choosing Advanced Setup and then Master-only or Standalone and enabling Salt, Setup now polls once per second for the local salt-minion to check in with the local salt-master, waiting up to 60 seconds before timing out.
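Issue 547 and Issue 741 are both small guard checks in a setup script: add a sensor to top.sls only if it is not already there, and wait a bounded time for the minion to check in. The following is an added shell example of those two checks, not the code in sosetup; the top.sls layout, the minion id and the check-in command are assumptions.

```shell
#!/bin/sh
# Added example (not sosetup's code): an idempotent top.sls entry and a
# bounded wait for a salt-minion check-in. The top.sls layout below, the
# minion id form and the check command are assumptions.

# Append a sensor stanza to top.sls unless that minion is already listed.
# $1 = path to top.sls, $2 = minion id
add_sensor_to_top_sls() {
    topsls="$1"; minion="$2"
    # -x: whole-line match, -F: no regex, so dots in the minion id are literal
    if grep -qxF "  '$minion':" "$topsls"; then
        echo "already present: $minion"
        return 0
    fi
    printf "  '%s':\n    - sensor\n" "$minion" >> "$topsls"
    echo "added: $minion"
}

# Run a check command once per second until it succeeds or the timeout
# (in seconds) expires. Returns 0 on success, 1 on timeout.
# $1 = timeout in seconds, remaining arguments = command to run
# A real check command is whatever confirms the minion has checked in with
# the master (assumption: not shown here); the demo below uses 'true'.
wait_for_minion() {
    timeout="$1"; shift
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Stand-alone demo with a temporary top.sls; the second add is a no-op.
demo=$(mktemp)
printf "base:\n  '*':\n    - common\n" > "$demo"
add_sensor_to_top_sls "$demo" "sensor1.example"
add_sensor_to_top_sls "$demo" "sensor1.example"
wait_for_minion 5 true && echo "minion checked in"
rm -f "$demo"
```

Re-running the first function any number of times leaves exactly one stanza per sensor, which is the property Issue 547 restores; the second function makes the 60-second wait from Issue 741 a single call with an explicit timeout instead of a fixed sleep.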
These new packages have been tested by the following (thanks!).
Simone Bonetti
Brian Kellogg
David Zawdie
Heine Lysemose
Updating
These new packages are now available in our stable repo. Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade
Screenshots
Update process
"About ELSA" now shows ELSA Rev 1205
New ELSA Query "HTTP: Sites Hosting JARs"
New ELSA Query "HTTP: Sites Hosting ZIPs"
Syslog-ng should now replace vertical pipes in Bro logs to allow more consistent parsing
Bro Scanning Notices should now be parsed correctly
CapME now uses the ELSA JSON API and provides better error handling
Syslog-ng now outputs certain logs to their standard filesystem locations, allowing OSSEC to monitor for SSH brute force
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists
Training
Need training? Please see:
http://securityonionsolutions.com
Commercial Support
Need commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers
Thanks!