Showing posts with label tcpflow.

Monday, April 29, 2019

tcpflow - 1.4.5+repack1-1ubuntu1securityonion2 now available for Security Onion!

tcpflow - 1.4.5+repack1-1ubuntu1securityonion2 is now available and should resolve the following issue:

update tcpflow #1507
https://github.com/Security-Onion-Solutions/security-onion/issues/1507

Thanks
Thanks to Wes Lambert for testing!

Updating
Please see the following page for full update instructions:
https://securityonion.net/docs/Upgrade

Training
We have a 4-day Security Onion Basic Training class coming up in Costa Mesa CA!  If you can't make it to an onsite class, we have a new online training platform.  For more information and other training options, please see:
https://securityonionsolutions.com

Appliances
We now offer hardware appliances!  For more information, please see:
https://blog.securityonion.net/2018/10/introducing-security-onion-solutions.html

Documentation
We've got a brand new documentation site!  Please let us know if anything needs to be updated:
https://securityonion.net/docs

Support
Need support?  Please see:
https://securityonion.net/docs/Support

Thanks!

Tuesday, June 19, 2018

tcpflow - 1.4.5+repack1-1ubuntu1securityonion1 now available for Security Onion 16.04!

tcpflow - 1.4.5+repack1-1ubuntu1securityonion1 is now available for Security Onion 16.04 and should resolve the following issues:

tcpflow -c should print a dot for non-printable chars #1260
https://github.com/Security-Onion-Solutions/security-onion/issues/1260

Thanks
Thanks to Wes Lambert for testing this new package!

Updating
Please see the following page for full update instructions:
https://securityonion.net/wiki/Upgrade

Training
We have 4-day Security Onion training classes coming up in Maryland and Georgia!  For more information and other training options, please see:
https://securityonionsolutions.com

Support
Need support?  Please see:
https://securityonion.net/wiki/Support

Thanks!

Friday, April 20, 2012

Security Onion 20120418 now available!
Security Onion 20120418 is now available!  This resolves the following issue:
Issue 254: tcpflow 1.1.1 connection counter breaks Sguil's transcript window

Notes
This update installs the new tcpflow 1.2.6 at /usr/local/bin/tcpflow and a shim at /usr/bin/tcpflow.  The shim is just a bash script that runs the following:
/usr/local/bin/tcpflow -T%A.%a-%B.%b "$@"

The new version of tcpflow has a new output format so we execute the shim to call tcpflow with the correct -T options to produce the original tcpflow format that Sguil is expecting.
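As an added illustration (not the Security Onion shim itself), the shell functions below build the classic zero-padded tcpflow file name for a flow, assumed here to be the layout that the -T%A.%a-%B.%b template reproduces and that Sguil's transcript code parses, and check whether a given output name still has that shape, so a name carrying a connection-counter suffix (assumed here to look like c1) is flagged as one Sguil would not match.

```shell
#!/bin/sh
# Added example, not Security Onion's shim. Assumption: the -T%A.%a-%B.%b
# template yields names such as 192.168.001.010.54321-010.000.000.001.00080
# (3-digit octets, 5-digit ports), the classic tcpflow layout Sguil parses.

# Print the classic file name for: src_ip src_port dst_ip dst_port
sguil_flow_name() {
    src_port=$2
    dst_port=$4
    old_ifs=$IFS
    IFS=.
    # Split both addresses on "." so $1..$8 hold the eight octets.
    set -- $1 $3
    IFS=$old_ifs
    printf '%03d.%03d.%03d.%03d.%05d-%03d.%03d.%03d.%03d.%05d\n' \
        "$1" "$2" "$3" "$4" "$src_port" "$5" "$6" "$7" "$8" "$dst_port"
}

# Exit 0 only when the name has exactly the classic layout; anything
# appended after the destination port (e.g. a counter suffix) fails.
is_sguil_flow_name() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{3}\.){3}[0-9]{3}\.[0-9]{5}-([0-9]{3}\.){3}[0-9]{3}\.[0-9]{5}$'
}

# Constructed sample names: the first is what the shim's template yields,
# the second carries the kind of counter suffix the un-shimmed default adds.
for name in \
    "$(sguil_flow_name 192.168.1.10 54321 10.0.0.1 80)" \
    192.168.001.010.54321-010.000.000.001.00080c1
do
    if is_sguil_flow_name "$name"; then
        echo "ok   $name"
    else
        echo "skip $name (not the layout Sguil expects)"
    fi
done
```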

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the proxy page of our FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Screenshots
Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks!
Thanks to Simson Garfinkel for the updated tcpflow!
Thanks to the following for their help in testing this release!
Sunil Gupta
Heine Lysemose
Tom De Vries

Help Wanted!
Security Onion needs you!  Please see the new Team Members page on the wiki!

Want to learn more about Intrusion Detection?
Doug Burks will be teaching SANS 503 Intrusion Detection In-Depth in Augusta, GA in June!  For more information, please see:
http://securityonion.blogspot.com/2012/03/sans-is-coming-to-augusta-ga-in-june.html

Tuesday, February 28, 2012

Security Onion 20120224 now available!
Problem #1

Suppose you're monitoring traffic that has VLAN tags (in both directions).  By default, when you right-click the Alert ID in Sguil and request the transcript/pcap, you would get nothing.  In order to get transcripts/pcaps to work correctly in Sguil, you would have to manually set VLAN to "1" in pcap_agent.conf.

Problem #2
Suppose you're monitoring traffic that has VLAN tags in one direction but not the other.  When you right-click the Alert ID in Sguil and request the transcript/pcap, you would only get the non-VLAN side of the flow.  If you set VLAN to "1" in pcap_agent.conf, you would then receive just the VLAN side of the flow.

Solution

Security Onion 20120224 is now available!  This resolves the following issues:
Issue 148: Update tcpflow
Issue 222: Modify pcap_agent.tcl to support ip & vlan tagged interfaces

The updated pcap_agent.tcl and tcpflow allow Sguil to transparently support all cases of traffic with VLAN tags, without VLAN tags, and with mixed VLAN tags.  When you right-click the Alert ID and request the transcript/pcap, you should now get the entire flow.

Caveat
httpry doesn't support VLAN tags, so you still won't see HTTP events in Sguil where VLAN tags are involved.  However, we'll soon be removing httpry in favor of Bro's HTTP logging, which does handle VLAN tags properly.  In the meantime, you can query the Bro logs directly from the command-line using something like the following:
zgrep "192.168.123.234" /nsm/bro/logs/*/http*

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Note
If you had manually set VLAN to "1" in pcap_agent.conf, then you should set it back to the default of 0 and restart pcap_agent:
sudo nsm_sensor_ps-restart --only-pcap-agent

Screenshots

Upgrade Process
Feedback
If you have any questions, please join our mailing list and ask away!
http://groups.google.com/group/security-onion

Thanks
Thanks to Bamm Visscher for the updated pcap_agent.tcl!
Thanks to Simson Garfinkel for the updated tcpflow!
Thanks to Liam Randall, Scott Runnels, and Eric Ooi for testing this release!
