Monday, August 24, 2015

New NSM and Setup packages

The recent Bro 2.4 package had new default settings for SpoolDir and LogDir in broctl.cfg which required updates to our NSM and Setup scripts.  Pete also submitted a pull request for the NSM scripts:
https://github.com/Security-Onion-Solutions/securityonion-nsmnow-admin-scripts/pull/2

Here are the updated packages:
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion122
securityonion-setup - 20120912-0ubuntu0securityonion157
These new packages resolve the following issues:

Issue 797: NSM: update SpoolDir and LogDir in broctl.cfg
https://github.com/Security-Onion-Solutions/security-onion/issues/797

Issue 799: NSM: add stderr redirect to stdout on adduser
https://github.com/Security-Onion-Solutions/security-onion/issues/799

Issue 800: Setup: update SpoolDir and LogDir in broctl.cfg
https://github.com/Security-Onion-Solutions/security-onion/issues/800

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, August 20, 2015

New securityonion-libcapture-tiny-perl package avoids conflict with x2go

Users trying to install x2go have reported conflicts with our securityonion-libcapture-tiny-perl package.  I've updated this package to avoid these conflicts.  The new package version is:
securityonion-libcapture-tiny-perl - 0.22-0ubuntu0securityonion1

This new package resolves the following issue:

Issue 728: securityonion-libcapture-tiny-perl should Provides: libcapture-tiny-perl
https://github.com/Security-Onion-Solutions/security-onion/issues/728

This new package has been tested by Tommy Dew and James Taylor (thanks!).

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Wednesday, August 19, 2015

New rule-update and Setup packages

You may have previously experienced intermittent issues when the daily cron job runs rule-update to update your NIDS ruleset.  Because all Security Onion sensors around the world run their cron job at the same time, this was causing high load on the rule sites and some downloads would occasionally fail.  I've modified rule-update to avoid this issue and the changes are as follows:

  • no changes when running interactively from a shell (sudo rule-update)
  • no changes for sensor-only installations that have salt enabled as they don't use rule-update anyway
  • when running from a cron job:
    • if running on a master server, rule-update will sleep for a random number of minutes (up to 50) to avoid overwhelming rule update sites
    • if running on a sensor with salt disabled, rule-update will sleep for 60 minutes to allow the master server time to download the rules so that the sensor can then scp them

Here are the updated packages:
securityonion-rule-update - 20120726-0ubuntu0securityonion29
securityonion-setup - 20120912-0ubuntu0securityonion156

These new packages resolve the following issues:

Issue 724: /etc/cron.d/rule-update should avoid overwhelming rule sites
https://github.com/Security-Onion-Solutions/security-onion/issues/724

Issue 791: sosetup: change rule-update verbiage
https://github.com/Security-Onion-Solutions/security-onion/issues/791

These new packages have been tested by Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Tuesday, August 18, 2015

Snort 2.9.7.5 now available for Security Onion!

Snort 2.9.7.5 was recently released:
http://blog.snort.org/2015/07/snort-2975-is-now-available-on-snortorg.html

I've updated our Snort packages:
securityonion-snort - 2.9.7.5-0ubuntu0securityonion1
securityonion-daq - 2.0.6-0ubuntu0securityonion1

These new packages resolve the following issues:

Issue 784: Snort 2.9.7.5
https://github.com/Security-Onion-Solutions/security-onion/issues/784

Issue 788: DAQ 2.0.6
https://github.com/Security-Onion-Solutions/security-onion/issues/788

These new packages have been tested by James Taylor and Jeff Tehovnik (thanks!).

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

These updates will back up each of your existing snort.conf files to snort.conf.bak and migrate your HOME_NET and EXTERNAL_NET variables.  You'll then need to do the following:

  • re-apply any other local customizations to your snort.conf files
  • update ruleset and restart Snort as follows:
    sudo rule-update

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Monday, August 17, 2015

Snorby 2.6.3 package now available (final update before it is removed from Security Onion)

Snorby 2.6.3 was recently released to resolve some XSS issues:
https://github.com/Snorby/snorby/commit/5a3a33cf496b66be7ef4bd7d3cce0a996e1d2112

I've packaged Snorby 2.6.3 and the new package version is as follows:
securityonion-snorby - 20150704-0ubuntu0securityonion5

This new package has been tested by James Taylor.  Thanks, James!

PLEASE NOTE!  This will most likely be our last Snorby package update.  The creator and lead developer of Snorby has left the project and so Snorby is now considered unmaintained.  Snorby will be removed from Security Onion in the future and so you should begin transitioning to Squert, Sguil, and/or ELSA.  If you'd like to go ahead and disable Snorby in your existing deployment, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/DisablingProcesses#disabling-snorby

Issues Resolved

Issue 766: Snorby 2.6.3
https://github.com/Security-Onion-Solutions/security-onion/issues/766

Updating
This new package is now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

Thursday, August 6, 2015

Monday, August 3, 2015

Bro 2.4 now available for Security Onion!

Bro 2.4 was recently released:
http://blog.bro.org/2015/06/bro-24-released.html

I've packaged Bro 2.4 and updated the securityonion-bro-scripts, securityonion-elsa-extras, and securityonion-capme packages.  The new packages are as follows:
securityonion-bro - 2.4-0ubuntu0securityonion2
securityonion-bro-scripts - 20121004-0ubuntu0securityonion43
securityonion-elsa-extras - 20131117-1ubuntu0securityonion99
securityonion-capme - 20121213-0ubuntu0securityonion23  
These packages resolve the following issues:

Issue 743: Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/743

Issue 752: securityonion-bro-scripts: update sensortab.bro for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/752

Issue 753: securityonion-bro-scripts: update shellshock module for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/753

Issue 754: securityonion-bro-scripts: update extract.bro for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/754

Issue 762: securityonion-elsa-extras: update bro_conn parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/762

Issue 765: securityonion-elsa-extras: update bro_intel parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/765

Issue 768: securityonion-elsa-extras: update bro_ssl parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/768

Issue 774: securityonion-elsa-extras: update bro_ssh parser for Bro 2.4
https://github.com/Security-Onion-Solutions/security-onion/issues/774

Issue 773: securityonion-elsa-extras: add Windows and Cisco parsers from Brian Kellogg
https://github.com/Security-Onion-Solutions/security-onion/issues/773

Issue 793: CapMe: Update for Bro 2.4 conn.log
https://github.com/Security-Onion-Solutions/security-onion/issues/793

These packages have been tested by the following (thanks!):
James Taylor
Jay Swan
Heine Lysemose
Tommy Dew
Brian Kellogg

Updating
These new packages are now available in our stable repo.  Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

Training
Need training?  Please see:
http://securityonionsolutions.com

Commercial Support
Need commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TeamMembers

Thanks!

UPDATED 2015-08-10 to add securityonion-capme required due to new field in Bro conn.log.

Search This Blog

Featured Post

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive