ELSA 1205 now available!

I've updated our packages to reflect the latest version of ELSA:

securityonion-capme - 20121213-0ubuntu0securityonion21
securityonion-elsa - 1205-1ubuntu0securityonion4
securityonion-elsa-extras - 20131117-1ubuntu0securityonion88
securityonion-libdata-google-visualization-datatable-perl - 0.11-0ubuntu0securityonion1
securityonion-libdata-serializable-perl - 0.41.0-0ubuntu0securityonion1
securityonion-libmodule-pluggable-perl - 5.1-0ubuntu0securityonion1
securityonion-libmoosex-classattribute-perl - 0.27-0ubuntu0securityonion1
securityonion-libnet-ldap-express-perl - 0.12-0ubuntu0securityonion1
securityonion-libnet-openssh-perl - 0.64-0ubuntu0securityonion1
securityonion-libplack-builder-conditionals-perl - 0.05-0ubuntu0securityonion4
securityonion-libplack-middleware-crossorigin-perl - 0.012-0ubunt0securityonion3
securityonion-libsearch-queryparser-sql-perl - 0.010-0ubuntu0securityonion2
securityonion-libsocket-perl - 2.019-0ubuntu0securityonion2
securityonion-libsys-hostname-fqdn-perl - 0.12-0ubuntu0securityonion2
securityonion-libtime-hires-perl - 1.9726-0ubuntu0securityonion2
securityonion-liburi-encode-perl - 1.0.1-0ubuntu0securityonion1
securityonion-liburl-encode-perl - 0.03-0ubuntu0securityonion1
securityonion-setup - 20120912-0ubuntu0securityonion141
securityonion-web-page - 20141015-0ubuntu0securityonion25

These new packages resolve the following issues:

Issue 657: ELSA 1205
This version of ELSA fixes many bugs in our previous version of ELSA.

Issue 447: ELSA syslog-ng.conf rewrite r_pipes
Syslog-ng will now rewrite any vertical pipes found in Bro logs to ensure correct parsing.

Issue 512: ELSA syslog-ng.conf filter f_bro_headers
Syslog-ng will now filter out headers in Bro logs.

Issue 726: ELSA syslog-ng.conf - add filesystem destinations
Syslog-ng will now output some logs to their standard filesystem locations.  This allows OSSEC to monitor those logs and detect, for example, SSH brute forcing.

Issue 674: ELSA - update bro_notice parser to parse src and dst fields
Syslog-ng will now parse src and dst fields out of Bro Notices.

Issue 722: securityonion-web-page: update HTTP mime type queries for ELSA 1205
This fixes some of the existing ELSA queries to work with ELSA 1205 and also adds some new queries.

Issue 723: CapMe: Update for new ELSA API
CapME now queries the ELSA JSON API and also handles error conditions much more gracefully.

Issue 500: sosetup: restart starman
When running Setup and choosing sensor-only, starman should now restart properly.

Issue 504: sosetup: avoid writing ELSA_PORT twice in SSH_CONF
When running Setup and choosing sensor-only, Setup should only write ELSA_PORT in SSH_CONF once.

Issue 547: sosetup: if enabling salt on a sensor, check top.sls to make sure it doesn't already exist
When re-running Setup on a sensor, it should no longer duplicate the sensor's entry in top.sls on the master server.

Issue 740: sosetup: sensor should use sudo to restart apache on master
When running Setup and choosing sensor-only and selecting to update the ELSA server, it should now properly restart Apache on the master server using sudo.

Issue 741: sosetup: sometimes local salt-minion doesn't check in with local salt-master quickly enough
When running Setup and choosing Advanced Setup and then Master-only or Standalone and enabling Salt, Setup should now check to see if the salt-minion has checked in every second, waiting up to 60 seconds before timing out.

These new packages have been tested by the following (thanks!).
Simone Bonetti
Brian Kellogg
David Zawdie
Heine Lysemose

These new packages are now available in our stable repo.  Please see the following page for full update instructions:

Update process

"About ELSA" now shows ELSA Rev 1205

New ELSA Query "HTTP: Sites Hosting JARs"

New ELSA Query "HTTP: Sites Hosting ZIPs"

Syslog-ng should now replace vertical pipes in Bro logs to allow more consistent parsing

Bro Scanning Notices should now be parsed correctly

CapME now uses the ELSA JSON API and provides better error handling

Syslog-ng now outputs certain logs to their standard filesystem locations, allowing OSSEC to monitor for SSH brute force

If you have any questions or problems, please use our security-onion mailing list:
