Closed dougburks closed 5 years ago
The following packages are now ready for testing:
securityonion-bro - 2.6.4-1ubuntu1securityonion1
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion13
securityonion-bro-scripts - 20121004-0ubuntu0securityonion73
Please test/verify as follows (watch out for line wrapping):
install the current 16.04 ISO image
snapshot the VM if possible
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/test
update:
sudo soup
verify that the package installation scripts display a message about checking configuration and adding back any local customizations and then restarting Bro.
verify that Bro packages were upgraded and new securityonion-bro-afpacket package was installed:
dpkg -l |grep securityonion-bro
if new installation, run through Setup
verify that the package installation scripts backed up the following with a _pre-2.6.4 extension: /opt/bro/etc/ /opt/bro/share/bro/site/local.bro
verify that StatusCmdShowAll has been set to 0 in /opt/bro/etc/broctl.cfg:
grep StatusCmdShowAll /opt/bro/etc/broctl.cfg
verify that "lb_custom.InterfacePrefix=af_packet::" has been added to /opt/bro/etc/broctl.cfg:
grep af_packet /opt/bro/etc/broctl.cfg
Restart Bro as noted by package installation:
sudo so-bro-restart
check status:
sudo so-status
check Bro startup logs for any warnings/errors out of the ordinary:
cat /nsm/bro/logs/current/reporter.log
cat /nsm/bro/logs/current/stdout.log
cat /nsm/bro/logs/current/stderr.log
replay LOTS of traffic:
sudo so-test
verify that files are extracted to /nsm/bro/extracted:
ls -alh /nsm/bro/extracted
verify that /nsm/bro/logs/current/conn.log contains the proper sensorname at the end of each log entry:
cat /nsm/bro/logs/current/conn.log
verify that Bro logs are in the format as they were pre-upgrade (should be JSON by default).
verify that the Elastic Stack is parsing and displaying logs properly
verify that you can pivot to CapMe for both TCP and UDP traffic
check sostat output for anything out of the ordinary (specifically, check the pf_ring and bro sections for packet loss)
verify that Bro ja3 script is loaded and logging:
grep ja3 /nsm/bro/logs/current/
verify that Bro hassh script is loaded and logging:
grep hassh /nsm/bro/logs/current/
verify that everything else works properly with no regressions
reboot and make sure everything still works properly
Please test in as many different combinations as possible:
Evaluation Mode (Bro Standalone mode) vs Production Mode (Bro cluster mode)
single sniffing interface vs multiple sniffing interfaces
file extraction enabled or disabled
json-logs enabled or disabled
traffic without vlan tags vs traffic with vlan tags
new installation vs upgrade
Bro cluster mode - PF_RING (lb_method=pf_ring) vs AF_PACKET (lb_method=custom)
Anything else we missed?
Please record all test results on this github issue. If everything works correctly, please record that. If not, please include detailed information about what you're experiencing.
Thanks in advance for your time and effort!
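Several of the verification steps above are greps against broctl.cfg and the current Bro logs. The following script is an added example, not code from the Security Onion project or from this issue: it turns the broctl.cfg checks, the "is the log still JSON" check and the reporter.log review into small functions that take file paths as arguments. The sample broctl.cfg fragments and reporter.log lines it writes are constructed for the example; on a sensor you would point the functions at /opt/bro/etc/broctl.cfg and /nsm/bro/logs/current/ instead.

```shell
#!/bin/sh
# Added example, not code from the Security Onion project or this issue:
# scripted versions of a few of the post-upgrade checks in the test plan.
# Paths are passed in as arguments so the checks can run against sample
# files; on a sensor use /opt/bro/etc/broctl.cfg and /nsm/bro/logs/current/.

# Check that broctl.cfg sets StatusCmdShowAll = 0 and the af_packet
# interface prefix. Returns 0 if both are present, 1 otherwise.
check_broctl_cfg() {
    cfg="$1"
    grep -Eq '^[[:space:]]*StatusCmdShowAll[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$cfg" || return 1
    grep -Eq '^[[:space:]]*lb_custom\.InterfacePrefix[[:space:]]*=[[:space:]]*af_packet::' "$cfg" || return 1
}

# Report whether a Bro log is JSON (one object per line) or the tab-separated
# ASCII writer format (which starts with "#separator" header lines).
log_format() {
    first=$(grep -v '^#' "$1" | head -n 1)
    case "$first" in
        \{*) echo json ;;
        *)   echo ascii ;;
    esac
}

# Count reporter.log entries at WARNING or ERROR level. Works for both the
# JSON and the ASCII formats because the level names appear verbatim in either.
count_reporter_problems() {
    awk '!/^#/ && /Reporter::(ERROR|WARNING)/ { n++ } END { print n+0 }' "$1"
}

# Write constructed sample files into a temp directory and print its path.
# The contents are made up for this example; they are not real sensor output.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/broctl.cfg" <<'EOF'
# constructed sample broctl.cfg fragment (post-upgrade values)
StatusCmdShowAll = 0
lb_custom.InterfacePrefix=af_packet::
EOF
    cat > "$dir/broctl-old.cfg" <<'EOF'
# constructed sample: pre-upgrade values that should fail the check
StatusCmdShowAll = 1
EOF
    cat > "$dir/reporter.log" <<'EOF'
{"ts":1567000000.1,"level":"Reporter::INFO","message":"constructed info line","location":""}
{"ts":1567000000.2,"level":"Reporter::WARNING","message":"constructed warning line","location":"local.bro, line 1"}
{"ts":1567000000.3,"level":"Reporter::ERROR","message":"constructed error line","location":"local.bro, line 2"}
EOF
    echo "$dir"
}

# Stand-alone run: build the samples and print the result of each check.
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_files)
    check_broctl_cfg "$d/broctl.cfg" && echo "broctl.cfg: OK"
    check_broctl_cfg "$d/broctl-old.cfg" || echo "broctl-old.cfg: missing settings"
    echo "reporter.log format: $(log_format "$d/reporter.log")"
    echo "reporter.log warnings/errors: $(count_reporter_problems "$d/reporter.log")"
    rm -r "$d"
fi
```

Run it as `sh check-bro-upgrade.sh demo` to see the checks against the constructed samples. The level match in count_reporter_problems is a plain substring search rather than a field lookup on purpose, so the same function works whether the sensor's json-logs setting was on or off before the upgrade; a non-zero count means the reporter.log deserves a manual read, it does not by itself mean the upgrade failed.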
I ran through all the tests and everything seems to be working great!! :)
Thanks @forgottentq !
Published: https://blog.securityonion.net/2019/09/bro-264-now-available-for-security-onion.html