2014

January 2014
Issue 413 : Extend CapMe? to pull pcap file
Issue 449 : CapMe?: add timeout:0 to ELSA query
Issue 450 : CapMe?: add support for Snorby timezones
Issue 460 : Fix tunnel.log entry in syslog-ng.conf
Issue 455 : securityonion-web-page: update hyperlink
Issue 456 : securityonion-web-page: add example ELSA queries
Issue 466 : securityonion-web-page: change elsa/menu.php to fix Tunnel query
Issue 469 : securityonion-web-page: add SSH queries for country and status
Issue 461 : sostat: improve pf_ring output
Issue 427 : Snort 2.9.5.6
Issue 443 : Suricata 1.4.7
February 2014
Issue 477 : ELSA menu should include BRO_CONN groupby:node
Issue 471 : sostat-redacted should redact IPv6 and MAC addresses
Issue 476 : sostat: add verbosity for troubleshooting ELSA
Issue 463 : sosetup: prompt for ELSA log_size_limit
Issue 470 : sosetup: Add verbiage to ELSA screen about running on sensors
Issue 474 : sosetup: increase default query_timeout in /etc/elsa_web.conf
Issue 388 : sosetup: configure MySQL to create an innodb file per table to prevent ibdata1 growing indefinitely
Issue 416 : sosetup: increase default MySQL open-files-limit
Issue 478 : securityonion-elsa-extras: randomize API key in master's elsa_web.conf
Issue 487 : securityonion-web-page: add DNS zone transfer query
Issue 475 : CapMe? should check for active pcap_agent
Issue 448 : When changing time zone in Squert, it needs to revert to UTC when requesting transcripts
Issue 432 : 12.04.4 ISO image
March 2014
Issue 495 : securityonion-web-page: OSSEC logs query should exclude MARK
Issue 498 : securityonion-web-page: add DNS IXFR query
Issue 505 : rule-update: check to see if barnyard and IDS engine are enabled
Issue 481 : soup: Add skip interactive option
Issue 494 : sostat should display ELSA v_indexes
Issue 497 : sostat should ignore "Cannot set NIC flags!" in netsniff-ng.log
Issue 508 : sostat should include full process output but exclude usernames
Issue 502 : securityonion-elsa-node-perl: add libtext-csv-perl as a dependency
Issue 503 : securityonion-elsa-extras: parsers for BRO_INTEL feed
Issue 485 : sosetup-network: mention MTU and other custom config can be manually added to /etc/network/interfaces
Issue 499 : sosetup-network: fix backup path in /etc/network/interfaces
Issue 511 : sosetup-network: management interface selection should be a radiolist
Issue 489 : sosetup: capture rmmod output
Issue 479 : sosetup: should verify that it can resolve server hostname before trying to connect
Issue 496 : sosetup: VRT policy screen should be a radiolist
Issue 514 : sosetup: fix df /nsm check
April 2014
Issue 506 : securityonion-web-page: add FTP command query
Issue 507 : securityonion-web-page: add queries for BRO_INTEL
Issue 501 : /etc/init/securityonion.conf needs to check that variables were only declared once
Issue 516 : Update sysctl settings
Issue 518 : NSM scripts: run "broctl install" when (re)starting Bro
Issue 520 : Configure /etc/ssh/sshd_config with ClientAliveInterval? 60 and ClientAliveCountMax? 3
Issue 521 : Replace test.com domain in /etc/nsm/ossec/ossec_agent.conf
Issue 519 : onionsalt: improve ids/bro/ossec updates
Issue 524 : Setup should test connection to master server using ssh instead of nc
Issue 528 : Re-running Setup should wipe ELSA databases
Issue 529 : nsm: check for null dns domain before updating ossec_agent.conf
Issue 530 : nsm: change sshd_config ClientAliveInterval? to 30
Issue 483 : sostat-redacted should redact usernames
Issue 509 : sostat-quick
Issue 510 : sostat: change "ELSA Date Range" to "ELSA Index Date Range"
Issue 515 : sostat: avoid displaying "ELSA Log Node SSH Tunnels:" if there are no SSH tunnels
Issue 517 : sostat: only display "Top 50 URLs for yesterday" if http_agent is enabled
Issue 531 : sostat: improve checking of autossh tunnels
May 2014
Issue 533 : sostat-redacted: fix ssh_port redact
June 2014
Issue 542 : Setup: when disabling salt, avoid modifying salt package files
Issue 540 : Update Salt packages/scripts
Issue 537 : sostat-quick: check for root
Issue 406 : sguil-db-purge needs to purge history table as well
Issue 428 : sguil-db-purge should check for existence of tables
Issue 294 : Barnyard2-1.13
Issue 550 : securityonion-server: add barnyard2 as a dependency
Issue 411 : NSM: sensors should not update signature reference table
Issue 551 : rule-update: have server use barnyard2 to update Snorby reference table
Issue 399 : rule-update should allow LOCAL_NIDS_RULE_TUNING to be yes or true
Issue 544 : rule-update: notify user if LOCAL_NIDS_RULE_TUNING=true
Issue 555 : NSM: replace "2>1" with "2>&1"
Issue 549 : securityonion-web-page: add ELSA query for Sites Hosting CABs
Issue 556 : rule-update: add so-snorby-fix-sigs script
Issue 557 : rule-update: only delete sig_reference table once
July 2014
Issue 390 : PulledPork? 0.7.0
Issue 425 : Pulledpork should request ET rules using proper Suricata version
Issue 552 : rule-update: run PulledPork? with -P option to process tarball
Issue 522 : sosetup should handle more than 10 interfaces correctly
Issue 525 : sosetup: configure all available sniffing interfaces and prompt for which interfaces to enable
Issue 527 : sosetup: when choosing sensor-only and entering server name, don't allow hostname/IP of the sensor itself
Issue 543 : sosetup: if no Internet access, notify user that we're setting LOCAL_NIDS_RULE_TUNING=yes
Issue 539 : sosetup: support more network card naming stuff
Issue 538 : sosetup: add references to sostat, sostat-redacted and sostat-quick
Issue 545 : sosetup: add comments to /etc/nsm/securityonion.conf
Issue 546 : sosetup: change true/false options to yes/no
Issue 564 : sosetup: avoid breaking ELSA syslog-ng.conf
Issue 565 : sosetup: run PulledPork? with -T option if ENGINE=suricata
Issue 560 : rule-update: run PulledPork? with -T option if ENGINE=suricata
Issue 562 : securityonion-web-page: break OSSEC alerts out into separate queries
Issue 563 : securityonion-web-page: add link for training/support
August 2014
Issue 569 : securityonion-server: add p0f as a dependency
Issue 570 : CapMe?: Ignore extra data from ELSA cli.pl
Issue 574 : NSM: prevent checking for new Ubuntu releases
Issue 576 : Setup: restart MySQL to make config changes take effect
Issue 535 : PF_RING 6.0.2 SVN
Issue 462 : Snort 2.9.6.2
Issue 567 : Snort Daq 2.0.2
Issue 465 : Suricata 2.0.3
Issue 445 : Bro 2.3
Issue 484 : securityonion-bro-scripts: update APT1 scripts with Seth's changes for certificate matching
Issue 414 : Bro script should lookup interface in /etc/nsm/sensortab to obtain sensorname
Issue 577 : ELSA: update parsers for Bro 2.3 log changes
September 2014
Issue 568 : New package securityonion-samples-jackcr
Issue 572 : securityonion-et-rules: update for new ISO
Issue 553 : NetworkMiner? 1.6.1
Issue 581 : NSM: avoid filling disk if CRIT_DISK_USAGE exceeded in one day
Issue 582 : NSM: only run "broctl cron" if Bro is enabled
Issue 587 : Setup: allow for automated setup using answer file
Issue 412 : OSSEC 2.8
Issue 573 : OSSEC setmaxagents
Issue 330 : ossec.conf changes
Issue 536 : ISO: deleting desktop icons for live user sometimes doesn't work properly
Issue 584 : ISO: 14.04 HWE stack
Issue 554 : 12.04.5 ISO image
Issue 590 : Setup: sosetup.conf SALT="yes"
Issue 586 : Bro 2.3.1
Issue 612 : securityonion-bro-scripts: include ShellShock? detection
Issue 606 : securityonion-bro-scripts: create /opt/bro/share/bro/intel/
Issue 579 : Update salt
Issue 580 : onionsalt should copy OSSEC agent.conf and local_decoder.xml
Issue 609 : Onionsalt should copy /opt/bro/share/bro/intel/
Issue 613 : sosetup: if user chooses VRT rules, enable Community as well
Issue 600 : Suricata 2.0.4
Issue 616 : securityonion-bro-scripts: ShellShock? Qmail SMTP "MAIL FROM" attack vector
October 2014
Issue 617 : securityonion-web-page: add queries for Bro ShellShock? Notices
Issue 583 : securityonion-web-page: update "All OSSEC Logs" query
Issue 599 : securityonion-web-page: highlight current ELSA query
Issue 618 : securityonion-bro-scripts: ShellShock? Add shellscripts as a post-exploit detection mechanism
Issue 589 : OSSEC 2.8.1
Issue 621 : sostat: add sostat-interface
Issue 628 : securityonion-web-page: add ELSA queries for SSLv3
Issue 629 : securityonion-web-page: disable SSLv3 in Apache ssl.conf
Issue 627 : securityonion-web-page: separate syslog-ng into program and host queries
Issue 631 : securityonion-web-page: collapse query categories by default
Issue 634 : securityonion-web-page: add queries for ssl_version and ssl_cipher
Issue 633 : securityonion-elsa-extras: parse ssl_version and ssl_cipher out of Bro ssl.log
Issue 640 : securityonion-web-page: previous update broke ssl symlink
Issue 287 : Sguil 0.9
Issue 622 : Update http_agent for Sguil 0.9 and move from SSL to TLS
Issue 623 : Update ossec_agent for Sguil 0.9 and move from SSL to TLS
Issue 624 : Update CapMe? for Sguil 0.9 and move from SSL to TLS
Issue 625 : Update NSM for Sguil 0.9
Issue 626 : Update Setup for Sguil 0.9
Issue 491 : Squert 1.5.0
Issue 638 : securityonion-ossec-rules: add rule to ignore Squert POST
November 2014
Issue 382 : Argus 3.0.8
Issue 620 : NSM: stop netsniff-ng only after checking all interfaces for pcaps to delete
Issue 647 : NSM: rotate netsniff-ng.log
Issue 597 : nsm_all_del_quick: delete /nsm/bro/logs and /nsm/bro/extracted
Issue 595 : NSM: prevent Bro version warning
Issue 611 : nsm_sensor_clean: replace server with sensor
December 2014
Issue 636 : Snort 2.9.7.0
Issue 637 : Snort DAQ 2.0.4
Issue 648 : Rebuild securityonion-pfring-daq for new DAQ
Issue 646 : Sguil client highlighting issue
Issue 513 : securityonion-elsa-extras: when adding sources to syslog-ng.conf, do not search-and-replace using "log"
Issue 575 : ELSA: parsers for new Bro logs added in Bro 2.3
Issue 578 : securityonion-web-page: add ELSA queries for new Bro 2.3 logs
Issue 639 : rule-update should disable Suricata rules if running Snort
Issue 650 : rule-update: wipe snort_dynamicrules directory