securityonion-web-page: add SSL Top Subjects query #767

debian/changelog

@@ -1,3 +1,15 @@
+securityonion-web-page (20141015-0ubuntu0securityonion26) precise; urgency=low
+
+  * securityonion-web-page: add SSL Top Subjects query #767 
+
+ -- Doug Burks <[email protected]>  Sat, 04 Jul 2015 09:55:47 -0400
+
+securityonion-web-page (20141015-0ubuntu0securityonion25) precise; urgency=low
+
+  * add HTTP Potential SQL Injection query 
+
+ -- Doug Burks <[email protected]>  Sat, 30 May 2015 06:26:02 -0400
+
 securityonion-web-page (20141015-0ubuntu0securityonion24) precise; urgency=low
 
   * add ELSA queries for JARs and ZIPs 

debian/patches/add-HTTP-Potential-SQL-Injection-query

@@ -0,0 +1,60 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-web-page (20141015-0ubuntu0securityonion25) precise; urgency=low
+ .
+   * add HTTP Potential SQL Injection query
+Author: Doug Burks <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-web-page-20141015.orig/elsa/menu.php
++++ securityonion-web-page-20141015/elsa/menu.php
+@@ -47,14 +47,14 @@ function showhide(tspan, tri) {
+ 		background-color:#A3C3E0;
+ 	}
+
+-	@media all and (min-width: 0px) and (max-width: 150px) {
++	@media all and (min-width: 0px) and (max-width: 230px) {
+ 		.tab {
+ 			font-size:12px;
+ 			margin:0px;
+ 		}
+ 	}
+
+-	@media all and (min-width: 151px) {
++	@media all and (min-width: 231px) {
+ 		.tab {
+ 			margin:25px;
+ 		}
+@@ -76,7 +76,6 @@ function showhide(tspan, tri) {
+ <a href="javascript:showhide('conn','tri_conn')"><img src="tri_c.gif" id="tri_conn" width="14" height="10" border="0" alt=""></a>
+ <a href="javascript:showhide('conn','tri_conn')" title="<?php echo $descr ?>" class="navlnk">Connections</a><br />
+ <span id="conn" style="display: none">
+-	<a href="<?php echo $h1; ?>class=BRO_CONN icmp or tcp or udp groupby:node"			<?php echo $h2; ?>>Grouped by Node</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_CONN icmp or tcp or udp groupby:srcip"			<?php echo $h2; ?>>Top SRC IPs</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_CONN icmp or tcp or udp groupby:dstip"			<?php echo $h2; ?>>Top DST IPs</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_CONN icmp or tcp or udp groupby:dstport"			<?php echo $h2; ?>>Top DST Ports</a><br />
+@@ -179,6 +178,7 @@ function showhide(tspan, tri) {
+ 	<a href="<?php echo $h1; ?>class=BRO_HTTP BRO_HTTP.mime_type=java-archive groupby:site"	<?php echo $h2; ?>>Sites hosting JARs</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_HTTP BRO_HTTP.mime_type=x-rar groupby:site"	<?php echo $h2; ?>>Sites hosting RARs</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_HTTP BRO_HTTP.mime_type=zip groupby:site"	<?php echo $h2; ?>>Sites hosting ZIPs</a><br />
++	<a href="<?php echo $h1; ?>class=BRO_HTTP &quot;HTTP::URI_SQLI&quot; &quot;URI_SQLI&quot;"	<?php echo $h2; ?>>Potential SQL Injection</a><br />
+ </span><br />
+
+ <!-- 'Intel' ELSA Queries -->

debian/patches/securityonion-web-page:-add-SSL-Top-Subjects-query-#767

@@ -0,0 +1,35 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-web-page (20141015-0ubuntu0securityonion26) precise; urgency=low
+ .
+   * securityonion-web-page: add SSL Top Subjects query #767
+Author: Doug Burks <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-web-page-20141015.orig/elsa/menu.php
++++ securityonion-web-page-20141015/elsa/menu.php
+@@ -300,6 +300,7 @@ function showhide(tspan, tri) {
+ 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:dstip"				<?php echo $h2; ?>>Top DST IPs</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:dstport"				<?php echo $h2; ?>>Top DST Ports</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:hostname"			<?php echo $h2; ?>>Top Hostnames</a><br />
++	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:subject"				<?php echo $h2; ?>>Top Subjects</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;sslv3&quot; groupby:srcip"			<?php echo $h2; ?>>Top SSLv3 SRC IPs</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;sslv3&quot; groupby:dstip"			<?php echo $h2; ?>>Top SSLv3 DST IPs</a><br />
+ 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;sslv3&quot; groupby:hostname"			<?php echo $h2; ?>>Top SSLv3 Hostnames</a><br />

debian/patches/series

@@ -16,3 +16,5 @@ new-formatting-from-BBCan177-and-add-descriptions-to-categories
 fix-typos
 fix-HTTP-mime-type-queries-for-new-ELSA
 add-ELSA-queries-for-JARs-and-ZIPs
+add-HTTP-Potential-SQL-Injection-query
+securityonion-web-page:-add-SSL-Top-Subjects-query-#767

elsa/menu.php

@@ -300,6 +300,7 @@ function showhide(tspan, tri) {
 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:dstip"				<?php echo $h2; ?>>Top DST IPs</a><br />
 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:dstport"				<?php echo $h2; ?>>Top DST Ports</a><br />
 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:hostname"			<?php echo $h2; ?>>Top Hostnames</a><br />
+	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;-&quot; groupby:subject"				<?php echo $h2; ?>>Top Subjects</a><br />
 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;sslv3&quot; groupby:srcip"			<?php echo $h2; ?>>Top SSLv3 SRC IPs</a><br />
 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;sslv3&quot; groupby:dstip"			<?php echo $h2; ?>>Top SSLv3 DST IPs</a><br />
 	<a href="<?php echo $h1; ?>class=BRO_SSL &quot;sslv3&quot; groupby:hostname"			<?php echo $h2; ?>>Top SSLv3 Hostnames</a><br />