Security Onion

From RARForge
Revision as of 01:08, 23 April 2013 by Robertr

https://code.google.com/p/security-onion/wiki/ManagingAlerts

noteworthy

Disable an SID (alert)

Security Onion uses PulledPork (a Perl script maintained by JJ Cummings) to download new signatures every night and process them against a set of user-maintained configuration files, of which disablesid.conf is the one used here.

In a Server/Slave Security Onion environment, you only need to change the configuration file on the server; the rule-update script on each slave syncs the signatures from the server. Take care when disabling signatures: a noisy alert often warrants tuning rather than being switched off outright, so confirm the rule really is a false positive for your environment before adding it here.

  • Edit the disablesid.conf configuration file:

<source lang=text>

    sudo vi /etc/nsm/pulledpork/disablesid.conf #Security Onion 12.04
    sudo vi /etc/pulledpork/disablesid.conf     #Security Onion 10.04

</source>

You can also access the disablesid.conf file by clicking Applications->IDS Rules->Disable Downloaded Rules. You will need to provide your password.
  • Append the signature you wish to disable in the format gid:sid, one per line (lines starting with # are comments). The generator ID (gid) is 1 for ordinary text rules, which covers almost every signature you will disable; you can confirm it by checking the exact signature. If no gid is given, PulledPork assumes 1.

<source lang=text>

    # Disable the GPL SNMP public access udp signature
    1:2101411

</source>

  • Run the rule update on the server:

<source lang=text>

    sudo /usr/bin/rule-update                #Security Onion 12.04
    sudo /usr/local/bin/pulledpork_update.sh #Security Onion 10.04

</source>

  • Run the rule update on the slave machines:

<source lang=text>

    sudo /usr/bin/rule-update                #Security Onion 12.04
    sudo /usr/local/bin/pulledpork_update.sh #Security Onion 10.04

</source>
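The four steps above as one script, added here as an example and not code from the Security Onion or PulledPork projects. It assumes the 12.04 paths shown above for disablesid.conf and rule-update, plus one assumption the page does not state: that the merged rule set PulledPork writes is /etc/nsm/rules/downloaded.rules, with disabled rules left in it commented out with a leading #. Both paths can be overridden through the DISABLESID and RULES environment variables. Run it with the signature on the server, then with --sync on each slave.

```shell
#!/bin/sh
# Added example, not Security Onion or PulledPork project code.
# Disable one signature via PulledPork's disablesid.conf, re-run the rule
# update, and check that the rule really ended up commented out.
#
# Assumed paths (Security Onion 12.04 defaults from the steps above; the
# downloaded.rules location is an assumption not stated on this page).
# Override with DISABLESID=... RULES=... in the environment.
DISABLESID="${DISABLESID:-/etc/nsm/pulledpork/disablesid.conf}"
RULES="${RULES:-/etc/nsm/rules/downloaded.rules}"

# normalize_sid SID: accept "sid" or "gid:sid"; a missing gid defaults to 1,
# as PulledPork does. Prints gid:sid, or returns 1 on non-numeric input.
normalize_sid() {
    case "$1" in
        *:*) gid="${1%%:*}"; sid="${1#*:}" ;;
        *)   gid=1;          sid="$1" ;;
    esac
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    case "$sid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s:%s\n' "$gid" "$sid"
}

# disable_sid FILE SID [COMMENT]: append gid:sid (with an optional "# why"
# line above it) unless the file already lists it.
# Returns 0 when written, 2 when already present, 1 on bad input.
disable_sid() {
    file="$1"
    key=$(normalize_sid "$2") || return 1
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*$" "$file" 2>/dev/null; then
        return 2
    fi
    if [ -n "${3:-}" ]; then
        printf '# %s\n' "$3" >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
}

# rule_is_disabled RULESFILE SID: PulledPork leaves disabled rules in the
# merged rules file commented out with a leading '#'.
# Returns 0 if commented out, 1 if still active, 3 if no rule has that sid.
rule_is_disabled() {
    want="${2#*:}"
    line=$(grep -E "sid:[[:space:]]*${want};" "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 3
    case "$line" in
        \#*) return 0 ;;
        *)   return 1 ;;
    esac
}

# run_rule_update: invoke whichever rule-update script this release ships.
run_rule_update() {
    if [ -x /usr/bin/rule-update ]; then
        sudo /usr/bin/rule-update                   # Security Onion 12.04
    elif [ -x /usr/local/bin/pulledpork_update.sh ]; then
        sudo /usr/local/bin/pulledpork_update.sh    # Security Onion 10.04
    else
        echo "no rule-update script found on this host" >&2
        return 1
    fi
}

# Usage:  on the server:  sh disable_sid.sh 1:2101411 "GPL SNMP public access udp"
#         on each slave:  sh disable_sid.sh --sync
case "${1:-}" in
    '')      : ;;                      # no arguments: only define the functions
    --sync)  run_rule_update ;;        # slaves pull disablesid.conf from the server
    *)
        rc=0
        disable_sid "$DISABLESID" "$1" "${2:-}" || rc=$?
        case "$rc" in
            0) echo "added $(normalize_sid "$1") to $DISABLESID" ;;
            2) echo "$(normalize_sid "$1") is already in $DISABLESID" ;;
            *) echo "bad signature id '$1' (use sid or gid:sid)" >&2; exit 1 ;;
        esac
        run_rule_update
        if rule_is_disabled "$RULES" "$1"; then
            echo "$1 is commented out in $RULES"
        else
            echo "WARNING: $1 still active or missing in $RULES; check the update output" >&2
        fi
        ;;
esac
```

The check at the end is the part worth keeping even if you edit the file by hand: a typo in disablesid.conf is silently ignored by PulledPork, so grepping the merged rules for the sid after the update is the only way to know the alert is actually gone.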