Security Onion
https://code.google.com/p/security-onion/wiki/ManagingAlerts
Disable an SID (alert)
Security Onion uses PulledPork (a Perl script maintained by JJ Cummings) that downloads new signatures every night and processes them against a set of user-maintained configuration files, one of which is disablesid.conf.
In a Server/Slave Security Onion environment, you only need to change the configuration file on the server; when the rule-update script runs on a slave it pulls the processed signatures from the Server rather than from the upstream rule source. As mentioned before, take care in disabling signatures: a disabled rule fires no alert at all, even on the hosts where it was useful, so check first whether a more appropriate response (tuning the rule for the hosts that trigger it, or fixing the underlying condition) is warranted.
- Edit the disablesid.conf configuration file:
<source lang=text>
sudo vi /etc/nsm/pulledpork/disablesid.conf    #Security Onion 12.04
sudo vi /etc/pulledpork/disablesid.conf        #Security Onion 10.04
</source>
You can also access the disablesid.conf file by clicking Applications->IDS Rules->Disable Downloaded Rules. You will need to provide your password.
- Append the signature you wish to disable, one per line, in the format gid:sid. The generator ID is "1" for almost every rule; you can confirm it by checking the exact signature (the gid and sid appear in the rule text and in the alert). If a gid is not listed, it is assumed to be "1". Note that a line beginning with # is a comment, so the gid:sid must be on its own line, not at the end of the comment describing it.
<source lang=text>
# Disable the GPL SNMP public access udp signature
1:2101411
</source>
- Run the rule update on the server:
<source lang=text>
sudo /usr/bin/rule-update                      #Security Onion 12.04
sudo /usr/local/bin/pulledpork_update.sh       #Security Onion 10.04
</source>
- Run the rule update on the slave machines:
<source lang=text>
sudo /usr/bin/rule-update                      #Security Onion 12.04
sudo /usr/local/bin/pulledpork_update.sh       #Security Onion 10.04
</source>
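The steps above as one scripted procedure. This is an added example, not a script shipped with Security Onion or PulledPork: it validates the gid:sid entry, appends it to disablesid.conf only if it is not already active, shows which entries PulledPork will actually read (a line starting with # is a comment, so a sid written at the end of a comment line disables nothing), and then calls rule-update. The paths are the Security Onion 12.04 ones from this page; the function names, the DISABLESID_CONF / RULE_UPDATE / RULE_UPDATE_DRY_RUN variables, and the sample config file are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not Security Onion's own tooling): add a gid:sid to PulledPork's
# disablesid.conf without duplicating it, then trigger rule-update.
# Defaults are the Security Onion 12.04 paths from the page; override as needed.
DISABLESID_CONF="${DISABLESID_CONF:-/etc/nsm/pulledpork/disablesid.conf}"
RULE_UPDATE="${RULE_UPDATE:-/usr/bin/rule-update}"
# Set to 0 on a real sensor; left at 1 here so the demo below never runs sudo.
RULE_UPDATE_DRY_RUN="${RULE_UPDATE_DRY_RUN:-1}"

# Print the entry in canonical gid:sid form, or fail on anything else.
# A bare numeric sid gets gid 1 prepended (the page: a missing gid is assumed to be 1).
normalize_gid_sid() {
    case "$1" in
        '' | *[!0-9:]* | *:*:* | :* | *:) return 1 ;;   # empty, non-digit, or malformed
        *:*) printf '%s\n' "$1" ;;                        # already gid:sid
        *)   printf '1:%s\n' "$1" ;;                      # bare sid -> 1:sid
    esac
}

# Entries PulledPork will act on: drop comment lines (leading #), blank lines,
# and surrounding whitespace. Anything else is passed through unchanged.
active_entries() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$'
}

# disable_sid <conf> <gid:sid | sid>: append the entry unless it is already active.
disable_sid() {
    conf="$1"
    entry=$(normalize_gid_sid "$2") || { echo "invalid gid:sid: $2" >&2; return 1; }
    if active_entries "$conf" | grep -qx "$entry"; then
        echo "$entry already disabled in $conf" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$conf"
}

# Run rule-update (on the server first, then on each slave, per the page).
run_rule_update() {
    if [ "$RULE_UPDATE_DRY_RUN" = 1 ]; then
        echo "would run: sudo $RULE_UPDATE"
    else
        sudo "$RULE_UPDATE"
    fi
}

# Demo on a constructed config file (not a real system file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Disable the GPL SNMP public access udp signature
1:2101411
# 1:2100498 written here is only a comment, so this rule is still enabled
EOF
disable_sid "$demo_conf" 1:2101411   # already present: skipped
disable_sid "$demo_conf" 2100498     # bare sid: stored as 1:2100498
echo "entries PulledPork will read from $demo_conf:"
active_entries "$demo_conf"
run_rule_update
rm -f "$demo_conf"
```

On a sensor you would call `disable_sid "$DISABLESID_CONF" 1:2101411` followed by `RULE_UPDATE_DRY_RUN=0 run_rule_update`, and then repeat the rule-update step on each slave. Keeping the comment on its own line and the gid:sid on the next, as `active_entries` makes visible, is the difference between a rule that is disabled and one that only looks disabled in the file.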