CommunityID Install

Looking for assistance in getting CommunityID installed. I am using SecurityOnion 16.04; due to EOL on that system, not many details are available. I wanted to see if anyone has been able to get it up and running.

Looks like SO does not have the package manager installed. (Is it possible to install a plugin without having to install the package manager?)

Thanks

Hi David,

> Looking for assistance in getting CommunityID installed. I am using
> SecurityOnion 16.04; due to EOL on that system, not many details are
> available. I wanted to see if anyone has been able to get it up and
> running.
>
> Looks like SO does not have the package manager installed. (Is it possible
> to install a plugin without having to install the package manager?)

If upgrading is an option for you, then consider SO 2, which supports Community ID out of the box in Zeek and Suricata:

https://docs.securityonion.net/en/2.3/community-id.html

If installing via zkg is not an option, you can try to do it manually, but it'll be a bit fiddly. You can generally build plugins separately (take a look at the build_command entry in zkg.meta for the entrypoint), but Zeek packages usually ship with additional scripting around the plugins. That's true for Community ID as well -- the plugin alone just gives you a BiF for the hash computation, but doesn't add the ID string to conn.log.

So, in a nutshell, it's probably possible, but depends on a lot of details, and will be pretty low-level.

Hope this helps,
Christian
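As an added example that is not part of this thread (and not the Zeek package's own code): the reply above notes that the plugin only supplies the hash computation, while the package's scripts are what write the ID into conn.log. The snippet below shows what that hash is, and what the missing scripting step amounts to, by computing Community ID v1 for the TCP/UDP/SCTP 5-tuples in a conn.log and pairing each record's uid with its ID. It follows the public Community ID v1 spec (seed, ordered endpoints, protocol, zero pad, ports, SHA-1, base64, "1:" prefix); the conn.log lines are constructed, the `community_id_v1` and `annotate_conn_log` names are this example's own, and ICMP's type/code-to-port mapping from the spec is deliberately left out.

```python
import base64
import hashlib
import ipaddress
import struct

# IP protocol numbers for the transports this example covers. The spec also
# defines ICMP/ICMPv6 handling (type/code stand in for ports); omitted here.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(proto, saddr, sport, daddr, dport, seed=0):
    """Return the Community ID v1 string for a TCP/UDP/SCTP 5-tuple.

    Bytes hashed, all in network byte order, per the public spec:
      seed(2) | saddr(4|16) | daddr(4|16) | proto(1) | pad(1) | sport(2) | dport(2)
    Endpoints are ordered so a flow and its reverse produce the same ID,
    which is what lets conn.log be joined against Suricata or other sensors.
    """
    src = ipaddress.ip_address(saddr)
    dst = ipaddress.ip_address(daddr)
    if src.version != dst.version:
        raise ValueError("address families must match")
    proto_num = PROTO_NUMBERS[proto.lower()]
    # Canonical ordering: numerically smaller (address, port) pair goes first;
    # the tuple comparison checks the packed address before the port.
    if (src.packed, sport) > (dst.packed, dport):
        src, dst = dst, src
        sport, dport = dport, sport
    data = (struct.pack("!H", seed)
            + src.packed + dst.packed
            + struct.pack("!BBHH", proto_num, 0, sport, dport))
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


# Constructed sample of a minimal Zeek conn.log (TSV, only the fields needed).
# The second record is the first flow seen from the other direction.
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1588000000.000000\tCabc123\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp
1588000001.000000\tCdef456\t192.0.2.10\t443\t10.0.0.5\t51234\ttcp
1588000002.000000\tCghi789\t2001:db8::1\t40000\t2001:db8::2\t53\tudp
"""


def annotate_conn_log(text, seed=0):
    """Return a list of (uid, community_id) for each record in a conn.log TSV.

    This is the step the plugin alone does not do: the package's Zeek scripts
    normally add this column; here it is computed after the fact instead.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split("\t")))
        cid = community_id_v1(rec["proto"],
                              rec["id.orig_h"], int(rec["id.orig_p"]),
                              rec["id.resp_h"], int(rec["id.resp_p"]),
                              seed)
        rows.append((rec["uid"], cid))
    return rows


if __name__ == "__main__":
    for uid, cid in annotate_conn_log(SAMPLE_CONN_LOG):
        print(uid, cid)
```

The seed must match whatever the sensors on the other side of the join are using (0 is the default in both Zeek and Suricata), or the IDs will never line up; checking a handful of outputs against the reference `community-id.py` from the spec repository is a quick way to confirm a manual install is hashing the same bytes.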