Security Onion: Difference between revisions
Revision as of 01:12, 23 April 2013
Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
https://code.google.com/p/security-onion/
http://securityonion.blogspot.com/
== noteworthy ==
https://code.google.com/p/security-onion/wiki/ManagingAlerts
=== Disable an SID (alert) ===
- Disable vs Suppress: http://seclists.org/snort/2011/q3/583
Security Onion uses PulledPork (a Perl script maintained by JJ Cummings), which downloads new signatures every night and processes them against a set list of user-generated configurations.
In a Server/Slave Security Onion environment, you only need to change the configuration file on the server; the rule-update script on each slave will sync the signatures from the Server. As mentioned before, take care when disabling signatures, since a more appropriate response may be warranted.
- Edit the disablesid.conf configuration file:
<source lang=text>
sudo vi /etc/nsm/pulledpork/disablesid.conf #Security Onion 12.04
sudo vi /etc/pulledpork/disablesid.conf #Security Onion 10.04
</source>
You can also access the disablesid.conf file by clicking Applications->IDS Rules->Disable Downloaded Rules. You will need to provide your password.
- Append the signature you wish to disable in the format gid:sid. The generator ID will be "1" in most cases; you can confirm it by checking the exact signature. If no gid is listed, it is assumed to be "1".
<source lang=text>
# Disable the GPL SNMP public access udp signature
1:2101411
</source>
- Run the rule update on the server:
<source lang=text>
sudo /usr/bin/rule-update #Security Onion 12.04
sudo /usr/local/bin/pulledpork_update.sh #Security Onion 10.04
</source>
- Run the rule update on the slave machines:
<source lang=text>
sudo /usr/bin/rule-update #Security Onion 12.04
sudo /usr/local/bin/pulledpork_update.sh #Security Onion 10.04
</source>
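As an added example (not from the original page or the Security Onion project), a POSIX shell helper that applies the gid:sid convention described above when editing disablesid.conf from a script: a bare sid is treated as gid 1, malformed entries are rejected, and an entry that is already listed is not appended a second time. The temporary file and the sid 3:19187 used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the Security Onion project or the original page:
# validate a gid:sid entry and append it to a PulledPork disablesid.conf only
# if it is not already present, so repeated automation runs do not pile up
# duplicate lines.

# Normalise "sid" or "gid:sid" to "gid:sid". A bare sid gets gid 1, which is
# what PulledPork assumes when no gid is given. Returns 1 on malformed input.
normalize_sid() {
    case "$1" in
        *:*) gid="${1%%:*}"; sid="${1#*:}" ;;
        *)   gid=1;          sid="$1" ;;
    esac
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    case "$sid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s:%s\n' "$gid" "$sid"
}

# disable_sid FILE ENTRY
# Exit status: 0 = appended, 2 = already listed, 1 = malformed ENTRY.
disable_sid() {
    file="$1"
    entry="$(normalize_sid "$2")" || return 1
    # Match the entry on its own line, allowing surrounding whitespace and a
    # trailing "# comment" like the ones in disablesid.conf itself.
    if grep -qE "^[[:space:]]*${entry}[[:space:]]*(#.*)?$" "$file" 2>/dev/null; then
        return 2
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Demo against a constructed temporary copy, so nothing under /etc is touched.
# On a real server FILE would be /etc/nsm/pulledpork/disablesid.conf
# (Security Onion 12.04) and rule-update would be run afterwards.
demo_file="$(mktemp)"
printf '# Disable the GPL SNMP public access udp signature\n1:2101411\n' > "$demo_file"
disable_sid "$demo_file" 1:2101411 && echo "added 1:2101411" || echo "1:2101411 already listed"
disable_sid "$demo_file" 2101411 || true     # same rule written as a bare sid
disable_sid "$demo_file" 3:19187 && echo "added 3:19187"   # constructed sid
cat "$demo_file"
rm -f "$demo_file"
```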