FEATURE: Add Additional ICS Zeek Packages #9149

[Nazmin-Gilki]

As per the title the features have been added in 2.4 version of SO, how can I add FEATURE: Add Additional ICS Zeek Packages #9149 in 2.3.170 standalone? @weslambert @dougburks
Please refer issue id #9149

[lock-wire]

Those features were integrated into 2.3.190. Here are the Release Notes. You should be able to upgrade to that release and have those features.

[utkarshborawake]

Hi @lock-wire, I understand that features are integrated. But what if I want to add them to my Security Onion version 2.3.170 without upgrading to 2.3.190

[Nazmin-Gilki]

yes, @lock-wire I want the ICS features to be part of my 2.3.190 version itself. Please guide me on achieving this.

[TOoSmOotH]

@utkarshborawake You must upgrade to at least .190 to get the features. However if you are upgrading I would suggest the latest .280 since there have been several critical security fixes since .170. Also keep in mind that 2.3 will be EOL in April and these ICS parsers are integrated into 2.4.

@Nazmin-Gilki Unless you are overwriting something in your zeek local file the support is turned on by default.

[utkarshborawake]

I got the point @TOoSmOotH, but as of now we cannot upgrade my SO, but I need these features. Can you please suggest any workaround so I can integrate s7comm and cotp protocol support in my 170 version? Or how can I integrate new zeek features in my 170 version?
Thanks

[TOoSmOotH]

@utkarshborawake There is no manual workaround for this. Packages must be built into the zeek container when we build it. There are changes to elastic and filebeat that need to occur to ingest these new logs. You would need to cherry pick all of those changes and build a new docker container. This would be a lot of work and you would end up in an unsupported state. I would focus that energy on upgrading. 170 is over 1 year old and you are missing several important security fixes in elastic, zeek, and suricata.