Suppose you're monitoring traffic that has VLAN tags (in both directions). By default, when you right-click the Alert ID in Sguil and request the transcript/pcap, you would get nothing. In order to get transcripts/pcaps to work correctly in Sguil, you would have to manually set VLAN to "1" in pcap_agent.conf.
Suppose you're monitoring traffic that has VLAN tags in one direction but not the other. When you right-click the Alert ID in Sguil and request the transcript/pcap, you would only get the non-VLAN side of the flow. If you set VLAN to "1" in pcap_agent.conf, you would then receive just the VLAN side of the flow.
Security Onion 20120224 is now available! This resolves the following issues:
Issue 148: Update tcpflow
Issue 222: Modify pcap_agent.tcl to support ip & vlan tagged interfaces
The updated pcap_agent.tcl and tcpflow allow Sguil to transparently support all cases of traffic with VLAN tags, without VLAN tags, and with mixed VLAN tags. When you right-click the Alert ID and request the transcript/pcap, you should now get the entire flow.
httpry doesn't support VLAN tags, so you still won't see HTTP events in Sguil where VLAN tags are involved. However, we'll soon be removing httpry in favor of Bro's HTTP logging, which does handle VLAN tags properly. In the meantime, you can query the Bro logs directly from the command-line using something like the following:
zgrep "192.168.123.234" /nsm/bro/logs/*/http*New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"
If you had manually set VLAN to "1" in pcap_agent.conf, then you should set it back to the default of 0 and restart pcap_agent:
sudo nsm_sensor_ps-restart --only-pcap-agent
If you have any questions, please join our mailing list and ask away!
Thanks to Bamm Visscher for the updated pcap_agent.tcl!
Thanks to Simson Garfinkel for the updated tcpflow!
Thanks to Liam Randall, Scott Runnels, and Eric Ooi for testing this release!