security-onion-solutions / security-onion Goto Github PK

Add stick and/or snot.

http://code.google.com/p/ostinato/

sudo aptitude install argus-client argus-server

Requires 4329kb

What steps will reproduce the problem?
1.  Double-click Setup shortcut.
2.  Have it download ET ruleset.
3.  Notice pulledpork.conf permissions error.

What is the expected output? What do you see instead?
pulledpork.conf should be copied with root privileges.

sudo cp /etc/pulledpork/pulledpork.conf.master /etc/pulledpork/pulledpork.conf

Need a shortcut for updating Metasploit

The following command prevents aptitude from upgrading the tcl/tk packages:
aptitude hold itcl3 itk3 iwidgets4 tcl8.3 tclx8.3 tclsh

However, it doesn't prevent Update Manager from updating them.  

Need to fix for next release.

Suricata was tested and working properly.  Perhaps libraries changed and so now 
Suricata results in "Illegal instruction".  Re-compiling suricata allows it to 
start successfully.

aptitude -y install ethtool

Download OSSEC tarball.
Add OSSEC install.sh to setup script.

Ubuntu 9.04 is old.  Ubuntu 9.10 is the new hotness.  We will have one release 
in the Ubuntu 9.10 
series and then move on to Ubuntu 10.04 after it's released at the end of April.

http://doc.emergingthreats.net/bin/view/Main/SnortValidator

Virtualbox guest tools requires dkms

aptitude install dkms

http://www.tm.uka.de/software/pktanon/

SnortSP is still in beta and therefore should not be used in production. 
We need a DEMO disclaimer that appears when launching SnortSP-Sguil to warn
users against running SnortSP in anything other than a demo mode.

The NSMnow script now creates symlinks for
/nsm/server_data/server1/rules/default and
/nsm/server_data/server1/rules/sensor1 so that rules only have to be
updated in one place.  Now we need a shell script that will prompt the user
for their oinkcode and then download the new rules to /etc/nsm/sensor1/rules/.

http://labs.snort.org/razorback/

svn up

Enable suricata.log in suricata.yaml config file

Upgrade NSMnow to 1.6.2 or better

not having PAE is just nuts in today's memory market.  An alternative would be 
to also offer a 64-bit version, but I imagine that's alot more work since you'd 
have to maintain 2 distros.  One 32-bit distro with PAE would cover both with 
less work.  And please don't assume everyone can simply apt-get something 
that's missing.  Many people work on networks that aren't connected to the 
Internet, yet still want to detect intrusion attempts, either for testing, or 
classified work, or for internal-only detection

Thanks

Probably want the time on my IDS to match the enterprise time so I can 
correlate events properly.  NTP is the generally accepted way of doing so.

For ip2c.tcl to work you will need (these are all for TCL of course): 

   - Tclx, mysqltcl, uri, ftp, ftp::geturl, md5

Revert these two lines:
sed -i 's|//$ip2c = 'no';|$ip2c = 'no';|g' squert/config.php
sed -i 's|$ip2c = 'yes';|//$ip2c = 'yes';|g' squert/config.ph

Request to add the bittwist toolset to Security Onion.

This is a great tool to test IDS systems and also has a invaluable packet 
editor. Further info can be found here.

http://bittwist.sourceforge.net/

Thanks Much- Terron

What steps will reproduce the problem?
1.Try to Install Security Orion on Dell PowerEdge 1955
2. Installation dumps out at bash prompt


What is the expected output? What do you see instead?

Should install on Hard Drive


What version of the product are you using? On what operating system?

security-onion-livecd-20090731.iso 


Please provide any additional information below.

Copy OSSEC source code to /usr/local/src/ossec/
Add /usr/local/src/ossec/install.sh to Setup script

packet-tools script should check for netdude, idswakeup, fragroute*, etc.
before manually installing the .deb

Based on tcpxtract

http://code.google.com/p/nfex/

http://code.google.com/p/hogger/

http://www.geekconnection.org/remastersys/ubuntu.html

"The Remastersys repository needs to be added to your /etc/apt/sources.list

Paste the following into the sources.list:

For Gutsy and Earlier - up to version 2.0.11-1
# Remastersys
deb http://www.geekconnection.org/remastersys/repository remastersys/


For Hardy and Newer with original grub - version 2.0.12-1 and up
# Remastersys
deb http://www.geekconnection.org/remastersys/repository ubuntu/

For Karmic and Newer with grub2 - version 2.0.13-1 and up
# Remastersys
deb http://www.geekconnection.org/remastersys/repository karmic/


Then simply either reload in Synaptic or you can "sudo apt-get update" and 
install remastersys."

Add www.testmyids.com bookmark to Firefox

Xplico PHP Upload limits: 
http://wiki.xplico.org/doku.php?id=faq#why_the_upload_of_pcap_file_fails

Default deny firewall

http://www.xplico.org/archives/795

http://www.inliniac.net/blog/2010/10/21/speeding-up-suricata-with-tcmalloc.html

http://code.google.com/p/logstash/

Seems ridiculous not to have ssh-server installed.  It's extremely likely that 
I'm going to want to ssh INTO my IDS, not from it.  

aptitude install bridge-utils

Might consider reworking the current installation method to use this:
http://www.gamelinux.org/?p=144
http://www.gamelinux.org/?page_id=13

http://leonward.wordpress.com/2010/11/22/pushing-the-openfpc-project-forward/

http://global-security.blogspot.com/2009/10/pulledpork-v025.html

"A new and updated version of pulledpork is out, this version adds 
functionality and also 
addresses a number of previously reported bugs, a few simple examples:

Improved and cleaned up code for efficiency and speed
Do not overwrite local.rules on run
Do not attempt to copy . and .. as rules files
Much more...
The primary feature that has been added allows for the capability to download 
rules from sites 
other than snort.org (VRT). Any url can be specified to download a rules 
tarball from, however 
md5 hash verification will only work when VRT or ET locations are specified. If 
a different 
location (i.e. a local redistribution point) is specified, please be sure to 
specify the -d (do not 
verify md5) option. Please see the README and pulledpork.conf files for more 
information on 
usage of new and existing options and features.

New option runtime flag:
-u Where do you want me to pull the rules tarball from
(ET, Snort.org, see pulledpork config base_url option for value ideas)

A new tarball containing all of the new features will be published today at 
http://code.google.com/p/pulledpork/downloads/list"

# setup script:
#  - ask about IDS engine before rules
#  - if oinkcode, use open-nogpl; otherwise use open
#  - http://rules.emergingthreats.net/open/suricata/
#  - cronjob for automatic rule updates

Snort 2.9.0.1 or higher

Include links to PCAP repositories 
Xplico samples
https://www.openpacket.org/
http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_avai
lable_PCAP_files

To allow for the configuration of multiple NICs for use with TAPs and/or 
SPAN/Mirroring ports on switches.

For example:
A server that has two NICs, where by one is for the internal LAN and the other 
is connected to the monitoring port of a TAP.
The internal LAN NIC is for the management of Security-Onion e.g. eth0 and the 
monitoring NIC eth1 is connected to the TAP/SPAN port for monitoring of traffic 
with Snort and so forth and would be non-ip based in Prom mode.

As per Doug's Instructions, the manual way to do this is to change eth0 to eth1 
in the following files:
/etc/nsm/sensor1/barnyard2.conf:config interface: eth0
/etc/nsm/sensor1/sensor.conf:SENSOR_INTERFACE="eth0"
/etc/nsm/sensortab:sensor1      1       7735    eth0

Then restart the Security Onion services with the following command:
sudo service nsm restart

# http://pulledpork.googlecode.com/files/pulledpork-0.5.0.tar.gz
#  Perl Module Requriement Changes:
#  - LWP::Simple no longer
#  - LWP::UserAgent now required
#  - HTTP::Request now required
#  - HTTP::Status now required
#  - SYS::Syslog now required
#  - Crypt::SSLeay now required
#  - Carp now required

Can you please add the latest version of Barnyard 2-1.8 to Security-Onion? I am 
very interested in using the CEF log format.

Thanks much!

-Terron

Metasploit svn up to revision 8971 or better

Add squert for web reporting?

Need new kernel that is not vulnerable to ’sock_sendpage()’ NULL Pointer
Dereference Vulnerability

Upgrade nmap to 5.30BETA1 or better