security-onion-solutions / security-onion
Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
Home Page: https://securityonion.net
Need a shortcut for updating Metasploit
Original issue reported on code.google.com by [email protected]
on 3 Nov 2010 at 7:14
What steps will reproduce the problem?
1. Double-click Setup shortcut.
2. Have it download ET ruleset.
3. Notice pulledpork.conf permissions error.
What is the expected output? What do you see instead?
pulledpork.conf should be copied with root privileges.
sudo cp /etc/pulledpork/pulledpork.conf.master /etc/pulledpork/pulledpork.conf
Original issue reported on code.google.com by [email protected]
on 26 Oct 2010 at 6:21
Download OSSEC tarball.
Add OSSEC install.sh to setup script.
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 5:14
http://code.google.com/p/hogger/
Original issue reported on code.google.com by [email protected]
on 6 Apr 2010 at 2:15
Metasploit svn up to revision 8971 or better
Original issue reported on code.google.com by [email protected]
on 1 Apr 2010 at 3:01
Ubuntu 9.04 is old. Ubuntu 9.10 is the new hotness. We will have one release in the Ubuntu 9.10 series and then move on to Ubuntu 10.04 after it's released at the end of April.
Original issue reported on code.google.com by [email protected]
on 1 Apr 2010 at 2:51
Can you please add the latest version of Barnyard 2-1.8 to Security-Onion? I am
very interested in using the CEF log format.
Thanks much!
-Terron
Original issue reported on code.google.com by [email protected]
on 20 Sep 2010 at 3:10
Add www.testmyids.com bookmark to Firefox
Original issue reported on code.google.com by [email protected]
on 17 Aug 2009 at 1:48
Based on tcpxtract
http://code.google.com/p/nfex/
Original issue reported on code.google.com by [email protected]
on 17 Nov 2010 at 2:59
http://doc.emergingthreats.net/bin/view/Main/SnortValidator
Original issue reported on code.google.com by [email protected]
on 17 Aug 2009 at 1:47
Include links to PCAP repositories
Xplico samples
https://www.openpacket.org/
http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 8:15
Upgrade nmap to 5.30BETA1 or better
Original issue reported on code.google.com by [email protected]
on 1 Apr 2010 at 2:57
What steps will reproduce the problem?
1. Try to install Security Onion on Dell PowerEdge 1955
2. Installation dumps out at bash prompt
What is the expected output? What do you see instead?
Should install on Hard Drive
What version of the product are you using? On what operating system?
security-onion-livecd-20090731.iso
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 15 Dec 2009 at 6:32
http://www.inliniac.net/blog/2010/10/21/speeding-up-suricata-with-tcmalloc.html
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 7:39
aptitude -y install ethtool
Original issue reported on code.google.com by [email protected]
on 18 Nov 2010 at 8:43
# http://pulledpork.googlecode.com/files/pulledpork-0.5.0.tar.gz
# Perl Module Requirement Changes:
# - LWP::Simple no longer required
# - LWP::UserAgent now required
# - HTTP::Request now required
# - HTTP::Status now required
# - SYS::Syslog now required
# - Crypt::SSLeay now required
# - Carp now required
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 7:38
http://labs.snort.org/razorback/
Original issue reported on code.google.com by [email protected]
on 3 Nov 2010 at 12:04
Copy OSSEC source code to /usr/local/src/ossec/
Add /usr/local/src/ossec/install.sh to Setup script
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 7:38
Need new kernel that is not vulnerable to 'sock_sendpage()' NULL Pointer Dereference Vulnerability
Original issue reported on code.google.com by [email protected]
on 17 Aug 2009 at 1:41
http://global-security.blogspot.com/2009/10/pulledpork-v025.html
"A new and updated version of pulledpork is out, this version adds functionality and also addresses a number of previously reported bugs, a few simple examples:
Improved and cleaned up code for efficiency and speed
Do not overwrite local.rules on run
Do not attempt to copy . and .. as rules files
Much more...
The primary feature that has been added allows for the capability to download rules from sites other than snort.org (VRT). Any url can be specified to download a rules tarball from, however md5 hash verification will only work when VRT or ET locations are specified. If a different location (i.e. a local redistribution point) is specified, please be sure to specify the -d (do not verify md5) option. Please see the README and pulledpork.conf files for more information on usage of new and existing options and features.
New option runtime flag:
-u Where do you want me to pull the rules tarball from (ET, Snort.org, see pulledpork config base_url option for value ideas)
A new tarball containing all of the new features will be published today at http://code.google.com/p/pulledpork/downloads/list"
Original issue reported on code.google.com by [email protected]
on 14 Oct 2009 at 6:32
SnortSP is still in beta and therefore should not be used in production.
We need a DEMO disclaimer that appears when launching SnortSP-Sguil to warn
users against running SnortSP in anything other than a demo mode.
Original issue reported on code.google.com by [email protected]
on 2 Sep 2009 at 9:41
# setup script:
# - ask about IDS engine before rules
# - if oinkcode, use open-nogpl; otherwise use open
# - http://rules.emergingthreats.net/open/suricata/
# - cronjob for automatic rule updates
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 7:43
Might consider reworking the current installation method to use this:
http://www.gamelinux.org/?p=144
http://www.gamelinux.org/?page_id=13
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 12:31
http://www.xplico.org/archives/795
Original issue reported on code.google.com by [email protected]
on 7 Dec 2010 at 4:22
The following command prevents aptitude from upgrading the tcl/tk packages:
aptitude hold itcl3 itk3 iwidgets4 tcl8.3 tclx8.3 tclsh
However, it doesn't prevent Update Manager from updating them.
Need to fix for next release.
Original issue reported on code.google.com by [email protected]
on 18 Nov 2010 at 3:41
Virtualbox guest tools requires dkms
aptitude install dkms
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 7:35
http://www.tm.uka.de/software/pktanon/
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 8:17
To allow for the configuration of multiple NICs for use with TAPs and/or SPAN/mirroring ports on switches.
For example:
A server that has two NICs, whereby one is for the internal LAN and the other is connected to the monitoring port of a TAP.
The internal LAN NIC, e.g. eth0, is for the management of Security Onion, and the monitoring NIC, eth1, is connected to the TAP/SPAN port for monitoring of traffic with Snort and so forth, and would be non-IP based in promiscuous mode.
As per Doug's instructions, the manual way to do this is to change eth0 to eth1 in the following files:
/etc/nsm/sensor1/barnyard2.conf:config interface: eth0
/etc/nsm/sensor1/sensor.conf:SENSOR_INTERFACE="eth0"
/etc/nsm/sensortab:sensor1 1 7735 eth0
Then restart the Security Onion services with the following command:
sudo service nsm restart
Original issue reported on code.google.com by [email protected]
on 9 Nov 2010 at 5:04
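The manual procedure above (edit the same interface name in three files, then restart the services) is easy to get half-done. The script below is an added example, not Security Onion's or NSMnow's own tooling: it rewrites only the exact setting lines quoted in the issue, keeps a `.bak` copy of each file, refuses to start if any of the three files is missing, and checks the result before reporting success. The `ROOT` parameter is an assumption added here so the change can be rehearsed against a scratch copy of the tree; on the real sensor it is passed as an empty string and the script is run as root.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: move the sensor from one NIC
# to another by editing the three files named in the issue above.
# ROOT is prepended to every path so the edit can be rehearsed on a scratch
# copy; pass "" to edit the real /etc/nsm (as root).
set -eu

# make_scratch_tree DIR: constructed sample copies of the three files, each
# pointing at eth0, for rehearsal only.
make_scratch_tree() {
    mkdir -p "$1/etc/nsm/sensor1"
    printf '# constructed sample\nconfig interface: eth0\n' > "$1/etc/nsm/sensor1/barnyard2.conf"
    printf '# constructed sample\nSENSOR_INTERFACE="eth0"\n' > "$1/etc/nsm/sensor1/sensor.conf"
    printf 'sensor1 1 7735 eth0\n' > "$1/etc/nsm/sensortab"
}

# current_sensor_interface ROOT: print the interface sensor.conf points at.
current_sensor_interface() {
    sed -n 's/^SENSOR_INTERFACE="\(.*\)"$/\1/p' "$1/etc/nsm/sensor1/sensor.conf"
}

# set_sensor_interface ROOT OLD NEW: rewrite OLD to NEW in all three files.
# Fails before touching anything if a file is missing and, on a real system,
# if NEW is not an interface the kernel knows about.
set_sensor_interface() {
    root=$1; old=$2; new=$3
    sensor="$root/etc/nsm/sensor1"
    tab="$root/etc/nsm/sensortab"
    if [ -z "$root" ] && [ ! -e "/sys/class/net/$new" ]; then
        echo "no such interface: $new" >&2
        return 1
    fi
    for f in "$sensor/barnyard2.conf" "$sensor/sensor.conf" "$tab"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    for f in "$sensor/barnyard2.conf" "$sensor/sensor.conf" "$tab"; do
        cp -p "$f" "$f.bak"      # keep a copy to roll back to
    done
    # Anchored patterns: only the exact setting lines change, so a name such
    # as eth10 or a commented-out line is left alone.
    sed -i "s/^config interface: $old\$/config interface: $new/" "$sensor/barnyard2.conf"
    sed -i "s/^SENSOR_INTERFACE=\"$old\"\$/SENSOR_INTERFACE=\"$new\"/" "$sensor/sensor.conf"
    sed -i "s/^\(sensor1[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\)$old\$/\1$new/" "$tab"
    # Do not report success unless sensor.conf actually changed.
    [ "$(current_sensor_interface "$root")" = "$new" ] || {
        echo "sensor.conf was not updated; check the .bak copies" >&2
        return 1
    }
}

# Rehearsal against a scratch copy of the tree.
scratch=$(mktemp -d)
make_scratch_tree "$scratch"
set_sensor_interface "$scratch" eth0 eth1
echo "sensor interface is now $(current_sensor_interface "$scratch")"
grep -n eth "$scratch/etc/nsm/sensortab" "$scratch/etc/nsm/sensor1/barnyard2.conf"
rm -rf "$scratch"
```

After running `set_sensor_interface "" eth0 eth1` on the live sensor, the services still need restarting with `sudo service nsm restart`, as the issue says. The monitoring NIC itself should be brought up with no address and in promiscuous mode (`ip link set eth1 up promisc on`); the management address stays on eth0 only, so nothing on the tapped segment can reach the sensor.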
Snort 2.9.0.1 or higher
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 4:59
Add stick and/or snot.
Original issue reported on code.google.com by [email protected]
on 17 Aug 2009 at 1:48
Probably want the time on my IDS to match the enterprise time so I can
correlate events properly. NTP is the generally accepted way of doing so.
Original issue reported on code.google.com by [email protected]
on 19 Jul 2010 at 6:19
Suricata was tested and working properly. Perhaps libraries changed and so now
Suricata results in "Illegal instruction". Re-compiling suricata allows it to
start successfully.
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 5:13
http://code.google.com/p/ostinato/
Original issue reported on code.google.com by [email protected]
on 11 Apr 2010 at 2:12
For ip2c.tcl to work you will need (these are all for TCL of course):
- Tclx, mysqltcl, uri, ftp, ftp::geturl, md5
Revert these two lines:
sed -i 's|//$ip2c = 'no';|$ip2c = 'no';|g' squert/config.php
sed -i 's|$ip2c = 'yes';|//$ip2c = 'yes';|g' squert/config.ph
Original issue reported on code.google.com by [email protected]
on 13 Nov 2010 at 3:48
http://code.google.com/p/logstash/
Original issue reported on code.google.com by [email protected]
on 17 Nov 2010 at 11:09
Add squert for web reporting?
Original issue reported on code.google.com by [email protected]
on 17 Aug 2009 at 1:49
http://leonward.wordpress.com/2010/11/22/pushing-the-openfpc-project-forward/
Original issue reported on code.google.com by [email protected]
on 22 Nov 2010 at 9:54
packet-tools script should check for netdude, idswakeup, fragroute*, etc.
before manually installing the .deb
Original issue reported on code.google.com by [email protected]
on 17 Aug 2009 at 1:47
Xplico PHP Upload limits:
http://wiki.xplico.org/doku.php?id=faq#why_the_upload_of_pcap_file_fails
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 7:36
svn up
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 7:50
sudo aptitude install argus-client argus-server
Requires 4329kb
Original issue reported on code.google.com by [email protected]
on 16 Sep 2009 at 10:47
not having PAE is just nuts in today's memory market. An alternative would be to also offer a 64-bit version, but I imagine that's a lot more work since you'd have to maintain 2 distros. One 32-bit distro with PAE would cover both with less work. And please don't assume everyone can simply apt-get something that's missing. Many people work on networks that aren't connected to the Internet, yet still want to detect intrusion attempts, either for testing, or classified work, or for internal-only detection.
Thanks
Original issue reported on code.google.com by [email protected]
on 19 Jul 2010 at 6:22
Seems ridiculous not to have ssh-server installed. It's extremely likely that
I'm going to want to ssh INTO my IDS, not from it.
Original issue reported on code.google.com by [email protected]
on 19 Jul 2010 at 6:18
The NSMnow script now creates symlinks for
/nsm/server_data/server1/rules/default and
/nsm/server_data/server1/rules/sensor1 so that rules only have to be
updated in one place. Now we need a shell script that will prompt the user
for their oinkcode and then download the new rules to /etc/nsm/sensor1/rules/.
Original issue reported on code.google.com by [email protected]
on 17 Aug 2009 at 1:45
http://www.geekconnection.org/remastersys/ubuntu.html
"The Remastersys repository needs to be added to your /etc/apt/sources.list
Paste the following into the sources.list:
For Gutsy and Earlier - up to version 2.0.11-1
# Remastersys
deb http://www.geekconnection.org/remastersys/repository remastersys/
For Hardy and Newer with original grub - version 2.0.12-1 and up
# Remastersys
deb http://www.geekconnection.org/remastersys/repository ubuntu/
For Karmic and Newer with grub2 - version 2.0.13-1 and up
# Remastersys
deb http://www.geekconnection.org/remastersys/repository karmic/
Then simply either reload in Synaptic or you can "sudo apt-get update" and
install remastersys."
Original issue reported on code.google.com by [email protected]
on 1 Apr 2010 at 3:08
aptitude install bridge-utils
Original issue reported on code.google.com by [email protected]
on 21 Nov 2010 at 3:17
Upgrade NSMnow to 1.6.2 or better
Original issue reported on code.google.com by [email protected]
on 1 Apr 2010 at 3:02
Default deny firewall
Original issue reported on code.google.com by [email protected]
on 13 Nov 2010 at 2:45
Enable suricata.log in suricata.yaml config file
Original issue reported on code.google.com by [email protected]
on 1 Nov 2010 at 8:40
Request to add the bittwist toolset to Security Onion.
This is a great tool to test IDS systems and also has a invaluable packet
editor. Further info can be found here.
http://bittwist.sourceforge.net/
Thanks Much- Terron
Original issue reported on code.google.com by [email protected]
on 4 Nov 2010 at 11:45