Security Onion
Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

https://code.google.com/p/security-onion/

http://securityonion.blogspot.com/

== noteworthy ==

https://code.google.com/p/security-onion/wiki/ManagingAlerts

=== Disable an SID (alert) ===

* Disable vs Suppress: http://seclists.org/snort/2011/q3/583

Security Onion uses PulledPork (a Perl script maintained by JJ Cummings), which downloads new signatures every night and processes them against a set list of user-generated configuration files. In a Server/Slave Security Onion environment, you only need to change the configuration file on the server; the rule-update script on each slave will then sync the signatures from the server. As mentioned before, take care when disabling signatures, as it may well be that a more appropriate response is warranted.

* Edit the disablesid.conf configuration file:
<source lang=text>
sudo vi /etc/nsm/pulledpork/disablesid.conf    #Security Onion 12.04
sudo vi /etc/pulledpork/disablesid.conf        #Security Onion 10.04
</source>
You can also access the disablesid.conf file by clicking Applications->IDS Rules->Disable Downloaded Rules. You will need to provide your password.

* Append the signature you wish to disable in the format gid:sid. The generator ID will be "1" in most cases; you can check the generator ID by looking at the exact signature. If a gid is not listed, it is assumed to be "1".
<source lang=text>
# Disable the GPL SNMP public access udp signature
1:2101411
</source>
* Run the rule update on the server:
<source lang=text>
sudo /usr/bin/rule-update                   #Security Onion 12.04
sudo /usr/local/bin/pulledpork_update.sh    #Security Onion 10.04
</source>
* Run the rule update on the slave machines:
<source lang=text>
sudo /usr/bin/rule-update                   #Security Onion 12.04
sudo /usr/local/bin/pulledpork_update.sh    #Security Onion 10.04
</source>

=== Suppress SID ===

* This is useful to disable alerts based on src_ip/dst_ip. Otherwise, I'd suggest disabling the rule entirely. Security Onion 12.04-based versions use /etc/nsm/rules/threshold.conf:
<source>
suppress gen_id 1, sig_id 2101411, track by_src, ip 172.16.42.109
</source>
* Once the correct suppression has been placed in threshold.conf, restart the alert engine:
<source>
sudo nsm_sensor_ps-restart --only-snort-alert
</source>

[[Category:Linux]]
[[Category:Networking]]
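The disablesid.conf and threshold.conf edits described above, as an added shell example (not Security Onion's or PulledPork's own tooling): it normalises a bare sid to gid:sid with gid defaulting to 1, appends a disable entry only if it is not already present, and writes the suppress line in the format shown. DISABLESID_CONF and THRESHOLD_CONF are assumed variable names; they default to the 12.04 paths on the page but can be pointed at a scratch copy.

```shell
#!/bin/sh
# Added example, not part of Security Onion or PulledPork: maintain disablesid.conf
# (gid:sid entries, gid defaults to 1) and threshold.conf (suppress lines) from a script.
# Paths default to the Security Onion 12.04 locations named on the page; override the
# variables to work on a scratch copy first.
DISABLESID_CONF="${DISABLESID_CONF:-/etc/nsm/pulledpork/disablesid.conf}"
THRESHOLD_CONF="${THRESHOLD_CONF:-/etc/nsm/rules/threshold.conf}"

# normalize_sid "2101411" or "1:2101411" -> prints "gid:sid"; returns 1 if malformed.
normalize_sid() {
    case "$1" in
        *:*) gid="${1%%:*}"; sid="${1#*:}" ;;
        *)   gid=1;          sid="$1" ;;          # no gid given: PulledPork assumes 1
    esac
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac  # both parts must be decimal digits
    case "$sid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s:%s\n' "$gid" "$sid"
}

# disable_sid SIGID [COMMENT]: append the entry to disablesid.conf unless already present.
disable_sid() {
    entry=$(normalize_sid "$1") || { echo "bad signature id: $1" >&2; return 1; }
    if [ -f "$DISABLESID_CONF" ] &&
       grep -Eq "^[[:space:]]*${entry}[[:space:]]*(#.*)?$" "$DISABLESID_CONF"; then
        return 0                                  # idempotent: already disabled
    fi
    [ -n "$2" ] && printf '# %s\n' "$2" >> "$DISABLESID_CONF"
    printf '%s\n' "$entry" >> "$DISABLESID_CONF"
}

# suppress_sid SIGID by_src|by_dst IP: append a threshold.conf suppress line for one host.
suppress_sid() {
    entry=$(normalize_sid "$1") || { echo "bad signature id: $1" >&2; return 1; }
    case "$2" in by_src|by_dst) ;; *) echo "track must be by_src or by_dst" >&2; return 1 ;; esac
    [ -n "$3" ] || { echo "ip address required" >&2; return 1; }
    line="suppress gen_id ${entry%%:*}, sig_id ${entry#*:}, track $2, ip $3"
    grep -Fqx "$line" "$THRESHOLD_CONF" 2>/dev/null && return 0   # already suppressed
    printf '%s\n' "$line" >> "$THRESHOLD_CONF"
}

# count_entries FILE PATTERN: number of active (non-comment) lines matching PATTERN.
count_entries() {
    [ -f "$1" ] || { echo 0; return; }
    grep -Ec "$2" "$1" || true
}
```

After editing the real files, run the rule update and restart the alert engine as shown above; PulledPork only picks up disablesid.conf on the next update.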