Showing posts with label httpry. Show all posts

Thursday, May 10, 2012

Security Onion 20120511 now available!


Security Onion 20120511 is now available!  This resolves the following issues:

Issue 205:      Bro's http.log needs to be per-interface
http://code.google.com/p/security-onion/issues/detail?id=205

Issue 264:      NSM package is missing the bro cron job
http://code.google.com/p/security-onion/issues/detail?id=264

Issue 265:      Upgrade httpry_agent to http_agent to support Bro logs
http://code.google.com/p/security-onion/issues/detail?id=265

Issue 266:      Remove httpry from NSM scripts
http://code.google.com/p/security-onion/issues/detail?id=266

In summary, this update migrates from the combination of httpry/httpry_agent to Bro/http_agent.  As noted in http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.html, this means that networks with VLAN tags will now get HTTP logs in Sguil.

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the Proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Screenshot: Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Paul Halliday for adding Bro http.log support to http_agent!
Thanks to Seth Hall for the security-onion.bro script for splitting Bro's http.log when necessary!
Thanks to the following for their help in testing this release!
Scott Runnels
Tom De Vries
David Zawdie

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Monday, October 17, 2011

In Search Of Evil User Agents

I've got a guest blog post over at PaulDotCom describing how to find evil User Agents on your network using the new httpry functionality in Security Onion:
In Search Of Evil User Agents

Friday, October 14, 2011

Security Onion 20111013 now available!


Security Onion 20111013 is now available!  This simple update resolves Issue 131.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Screenshot: Upgrade Process

Friday, September 23, 2011

Security Onion 20110922 now available!

Security Onion 20110922 is now available!  This update resolves Issue 126.  It also spawns instances of httpry and httpry_agent for each monitored interface.  Thanks go to Jason Bittel for his work on httpry and Paul Halliday for his work on httpry_agent!

Please note!
httpry is going to be logging all HTTP traffic on every monitored interface and httpry_agent is going to be inserting those HTTP logs into the MySQL database so they can be queried in Sguil and SQueRT.  This may increase the load on your sensors and/or MySQL server.
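The note above describes httpry writing an HTTP log for every monitored interface before httpry_agent loads it into MySQL, and the post linked earlier (In Search Of Evil User Agents) uses those logs to hunt for unusual User-Agent strings. The following Python is an added example, not code from Security Onion, httpry or httpry_agent: it parses httpry's tab-separated log format by reading the "# Fields:" header instead of hard-coding column positions, then lists User-Agent strings seen from only a small number of client IPs, which is the kind of triage an analyst can run on the raw log before (or instead of) querying the database. It assumes httpry was started with a -f format string that includes the user-agent header (the default field list does not), and the log lines are constructed, not captured traffic.

```python
"""Parse httpry's tab-separated log output and summarise User-Agent strings.

Added example, not Security Onion's or httpry's own code. Assumes httpry was
run with a -f format that includes user-agent; SAMPLE_LOG is constructed.
"""
from collections import defaultdict

# Constructed sample in httpry's output layout: comment header lines, a
# "# Fields:" line naming the selected columns, then one tab-separated record
# per request (">") or response ("<"), with "-" for fields that are absent.
SAMPLE_LOG = (
    "# httpry version 0.1.6\n"
    "# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,user-agent\n"
    "09/22/2011 10:01:02\t10.0.0.5\t93.184.216.34\t>\tGET\twww.example.com\t/\t"
    "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0\n"
    "09/22/2011 10:01:02\t93.184.216.34\t10.0.0.5\t<\t-\t-\t-\t-\n"
    "09/22/2011 10:01:05\t10.0.0.6\t93.184.216.34\t>\tGET\twww.example.com\t/index.html\t"
    "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0\n"
    "09/22/2011 10:01:09\t10.0.0.7\t93.184.216.34\t>\tGET\twww.example.com\t/news\t"
    "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0\n"
    "09/22/2011 10:02:41\t10.0.0.9\t198.51.100.20\t>\tPOST\tupdates.example.net\t/check\t"
    "x-custom-updater/1.0\n"
    "09/22/2011 10:02:41\t198.51.100.20\t10.0.0.9\t<\t-\t-\t-\t-\n"
)


def parse_httpry_log(text):
    """Return a list of dicts, one per record, keyed by the names in '# Fields:'.

    Absent fields ("-") become None. Records with an unexpected column count
    are skipped so a malformed line cannot shift later columns.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# Fields:"):
                fields = [f.strip() for f in line[len("# Fields:"):].split(",")]
            continue  # other comment lines (version banner) carry no data
        if fields is None:
            raise ValueError("data line seen before the '# Fields:' header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, cols)})
    return records


def clients_per_user_agent(records):
    """Map each User-Agent string to the number of distinct client IPs using it.

    Only request records (direction ">") carry a User-Agent; responses are
    ignored. The source-ip of a request is the client.
    """
    clients = defaultdict(set)
    for rec in records:
        if rec.get("direction") == ">" and rec.get("user-agent"):
            clients[rec["user-agent"]].add(rec["source-ip"])
    return {ua: len(ips) for ua, ips in clients.items()}


def rare_user_agents(records, max_clients=1):
    """User-Agent strings used by at most max_clients hosts, sorted for review.

    A string seen from a single machine is not proof of anything, but it is
    the first thing worth eyeballing in a per-interface httpry log.
    """
    counts = clients_per_user_agent(records)
    return sorted(ua for ua, n in counts.items() if n <= max_clients)


if __name__ == "__main__":
    recs = parse_httpry_log(SAMPLE_LOG)
    for ua in rare_user_agents(recs):
        print("rare user agent:", ua)
```

To run it against a real sensor, read the per-interface log file httpry writes instead of SAMPLE_LOG; the parser adapts to whatever field order the "# Fields:" header declares, so it also works with the default field list (it then simply finds no User-Agent column and reports nothing).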

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
Screenshot: Upgrade Process
Screenshot: httpry events are autocategorized so as not to clutter the main Sguil window
Screenshot: If you're responding to an incident for an IP address, search for the IP and you'll see the httpry events are prefixed with "URL"
Screenshot: Clicking on a URL event will show further information in the Detail pane
Screenshot: Right-clicking on the Alert ID allows you to pull the entire transcript
Screenshot: SQueRT has an httpry search that will show all httpry logs



Friday, September 16, 2011

Security Onion 20110915 now available!

Security Onion 20110915 is now available!  This update does the following:

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
Screenshots
Screenshot: New Argus menu
