Comments (6)
List of packages to be tested:
- securityonion-bro - 3.0.13-1ubuntu1securityonion1 (Zeek 3.0.13)
- securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion33
- securityonion-bro-scripts - 20121004-0ubuntu0securityonion112
An overview of the testing process can be found in the comments below.
Please record all testing results via comments on this issue.
Thanks in advance for your time and effort!
from security-onion.
How To Start Testing
- install the current 16.04 ISO image
- snapshot the VM if possible
- add the test PPA:
  sudo add-apt-repository -y ppa:securityonion/test
- update:
  sudo soup
from security-onion.
How To Verify Proper Zeek Operation
- first, please note that Bro has been renamed to Zeek but the packages still adhere to the traditional bro naming convention
- as the Zeek packages install, verify that the package installation scripts display a message about checking configuration and adding back any local customizations
- verify that Bro packages were upgraded:
  dpkg -l | grep securityonion-bro
- verify that the new Zeek packages create symlinks as necessary so that the new zeek paths resolve to the traditional bro locations (for example: /opt/zeek is a symlink to /opt/bro, /nsm/zeek is a symlink to /nsm/bro, etc.)
- verify that the new Zeek packages create symlinks as necessary so that well known bro files resolve to the new zeek locations (for example: /opt/bro/etc/broctl.cfg is a symlink to zeekctl.cfg, so it can be accessed via /opt/bro/etc/broctl.cfg or /opt/zeek/etc/zeekctl.cfg)
- if new installation, run through Setup
- verify that the package installation scripts backed up /opt/bro/etc/ with a _pre-3.0.13 extension
- verify that StatusCmdShowAll has been set to 0 in /opt/zeek/etc/zeekctl.cfg:
  grep StatusCmdShowAll /opt/zeek/etc/zeekctl.cfg
- verify that lb_custom.InterfacePrefix=af_packet:: has been added to /opt/zeek/etc/zeekctl.cfg:
  grep af_packet /opt/zeek/etc/zeekctl.cfg
- Restart Zeek:
  sudo so-zeek-restart
- check status:
  sudo so-status
- check Zeek startup logs for any warnings/errors out of the ordinary:
  cat /nsm/zeek/logs/current/reporter.log
  cat /nsm/zeek/logs/current/stdout.log
  cat /nsm/zeek/logs/current/stderr.log
- replay LOTS of traffic:
  sudo so-test
- verify that files are extracted to /nsm/zeek/extracted:
  ls -alh /nsm/zeek/extracted
- verify that /nsm/zeek/logs/current/conn.log contains the proper sensorname at the end of each log entry:
  cat /nsm/zeek/logs/current/conn.log
- verify that Zeek logs are in the same format as they were pre-upgrade (should be JSON by default).
- verify that the Elastic Stack is parsing and displaying Zeek logs properly (whether JSON or TSV format)
- verify that you can pivot to CapMe for both TCP and UDP traffic
- check sostat output for anything out of the ordinary (specifically, check the pf_ring and Zeek sections for packet loss)
- verify that Zeek ja3 script is loaded and logging:
  grep ja3 /nsm/zeek/logs/current/*
- verify that Zeek hassh script is loaded and logging:
  grep hassh /nsm/zeek/logs/current/*
- verify that /etc/cron.d/bro has been moved to /etc/cron.d/zeek and that it works properly
- verify that /opt/samples/zeek is a symlink to /opt/samples/bro
- verify that everything else works properly with no regressions
- reboot and make sure everything still works properly
Please test in as many different combinations as possible:
- Evaluation Mode (Zeek Standalone mode) vs Production Mode (Zeek cluster mode)
- single sniffing interface vs multiple sniffing interfaces
- file extraction enabled or disabled
- json-logs enabled or disabled
- traffic without vlan tags vs traffic with vlan tags
- new installation vs upgrade
- Zeek cluster mode - PF_RING (lb_method=pf_ring) vs AF_PACKET (lb_method=custom)
from security-onion.
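The file-level items of the verification checklist above (symlinks, zeekctl.cfg settings, log format, sensorname in conn.log, reporter.log warnings and errors, ja3/hassh output, cron job move, config backup) can be scripted so that each tester runs the same checks the same way on every combination. The script below is an added example and is not Security Onion's own tooling. The paths, setting names and log locations are the ones the checklist names; the default sensorname (the hostname) and the exact name of the _pre-3.0.13 backup directory are assumptions, marked in the comments.

```shell
#!/bin/sh
# Added example, not Security Onion's own tooling: the file-level items of the checklist
# above as repeatable shell functions. Paths, settings and log locations are the ones the
# checklist names; the sensorname default and the backup directory name are assumptions.

# check_symlink LINK TARGET: LINK must be a symlink resolving to the same path as TARGET.
check_symlink() {
    link="$1" target="$2"
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 1; }
    actual=$(readlink -f "$link"); expected=$(readlink -f "$target")
    [ "$actual" = "$expected" ] || { echo "FAIL: $link -> $actual, expected $expected"; return 1; }
    echo "OK: $link -> $actual"
}

# check_setting FILE KEY VALUE: FILE must have an uncommented "KEY = VALUE" line.
# zeekctl.cfg allows spaces around '=', so whitespace is stripped before comparing.
check_setting() {
    file="$1" key="$2" value="$3"
    if sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" | grep -Fxq -- "${key}=${value}"; then
        echo "OK: ${key}=${value} in $file"
    else
        echo "FAIL: ${key}=${value} not set in $file"; return 1
    fi
}

# log_format FILE: "json" if the first line is a JSON object, "tsv" if it is a Zeek
# '#'-header line, otherwise "unknown".
log_format() {
    case "$(head -n1 "$1" | cut -c1)" in
        '{') echo json ;;
        '#') echo tsv ;;
        *)   echo unknown ;;
    esac
}

# lines_missing FILE STRING: number of non-comment, non-empty lines in FILE that do not
# contain STRING. Zero means every conn.log entry carries the sensorname.
lines_missing() {
    grep -v '^#' "$1" | grep -v '^$' | grep -Fvc -- "$2" || true
}

# reporter_count FILE LEVEL: reporter.log entries at LEVEL (Reporter::WARNING, Reporter::ERROR).
reporter_count() {
    grep -Fc -- "$2" "$1" || true
}

# run_all_checks [SENSORNAME]: run the checks against a live sensor; returns 1 on any failure.
run_all_checks() {
    sensor="${1:-$(hostname)}"   # assumption: the sensorname defaults to the hostname
    rc=0
    check_symlink /opt/zeek /opt/bro || rc=1
    check_symlink /nsm/zeek /nsm/bro || rc=1
    check_symlink /opt/samples/zeek /opt/samples/bro || rc=1
    check_symlink /opt/bro/etc/broctl.cfg /opt/zeek/etc/zeekctl.cfg || rc=1
    # the cron job is moved, not linked: the new file exists and the old one is gone
    { [ -f /etc/cron.d/zeek ] && [ ! -e /etc/cron.d/bro ]; } \
        || { echo "FAIL: /etc/cron.d/bro not moved to /etc/cron.d/zeek"; rc=1; }
    # assumption: the backup of /opt/bro/etc/ sits beside it with the _pre-3.0.13 suffix
    ls -d /opt/bro/etc*_pre-3.0.13 >/dev/null 2>&1 \
        || { echo "FAIL: no _pre-3.0.13 backup of /opt/bro/etc/"; rc=1; }
    check_setting /opt/zeek/etc/zeekctl.cfg StatusCmdShowAll 0 || rc=1
    check_setting /opt/zeek/etc/zeekctl.cfg lb_custom.InterfacePrefix 'af_packet::' || rc=1
    logs=/nsm/zeek/logs/current
    echo "conn.log format: $(log_format "$logs/conn.log")"
    missing=$(lines_missing "$logs/conn.log" "$sensor")
    [ "$missing" = 0 ] || { echo "FAIL: $missing conn.log entries lack sensorname $sensor"; rc=1; }
    echo "reporter.log warnings: $(reporter_count "$logs/reporter.log" Reporter::WARNING)," \
         "errors: $(reporter_count "$logs/reporter.log" Reporter::ERROR)"
    grep -q ja3 "$logs"/* || { echo "FAIL: no ja3 output in $logs"; rc=1; }
    grep -q hassh "$logs"/* || { echo "FAIL: no hassh output in $logs"; rc=1; }
    echo "extracted files: $(ls /nsm/zeek/extracted | wc -l)"
    return $rc
}

# Usage on a sensor: sh zeek-verify.sh run [SENSORNAME]
case "${1:-}" in run) run_all_checks "${2:-}" ;; esac
```

Run it once after so-zeek-restart and again after the so-test replay and the reboot, so the OK/FAIL lines can be pasted into the test results comment as-is; the interactive items (Setup, CapMe pivots, Elastic Stack display, sostat review) still have to be checked by hand.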
Testing guidelines were verified and all symlinks, settings, files, and logs were validated on all tests.
Evaluation Mode: no issues
Production Mode: (Standalone and Distributed) no issues
Single sniffing interface: no issues
Multiple sniffing interfaces: no issues
File extraction enabled or disabled: no issues
json-logs enabled or disabled: no issues
New installation: no issues
Upgrade: no issues
Zeek cluster mode - PF_RING (lb_method=pf_ring) vs AF_PACKET (lb_method=custom): no issues
from security-onion.
Thanks @cm-ops !
from security-onion.
Published:
https://blog.securityonion.net/2021/02/zeek-3013-now-available-for-security.html
from security-onion.