Add the IP address using proper BPF format (along with a comment for continuity)
Perform a manual rule update

# step 2
sudo vim /etc/nsm/rules/bpf.conf

# step 3
# IP address belongs to our vulnerability scanner
# Added by Victor on 22 JUN 2020
# (the trailing && joins this line to the next line of the filter)
!(host 192.168.1.69) &&

# step 4
sudo salt '*' cmd.run 'rule-update'
Whitelisting in OSSEC
Identify the IP address you want to whitelist
Use a text-editor to open /var/ossec/rules/local_rules.xml
Add the IP address using proper XML format (along with a comment for continuity)
Perform a manual rule update

# step 2
sudo vim /var/ossec/rules/local_rules.xml

# step 3
<!-- Added by Victor on 22 JUN 2020 -->
<rule id="100777" level="0">
  <if_sid>5706, 5710, 5712</if_sid>
  <srcip>192.168.1.23</srcip>
  <srcip>192.168.1.69</srcip>
  <description>Whitelist: Authorized analyst workstations.</description>
</rule>

# step 4
sudo so-rule-update
Fine-tuning Snort/Suricata
Whitelist an IP Address for a Specific Rule
Identify the IP address you want to whitelist
Identify the SID of the rule you want to fine-tune
Use a text-editor to open /etc/nsm/rules/local.rules on your Master Node
Create a variable for the IP address
Copy/paste the rule with the variable
Use salt to perform a manual rule update across the relevant sensor
Use salt to manually restart Snort/Suricata across the relevant sensor
# step 3
sudo vim /etc/nsm/rules/local.rules

# step 4
ipvar WHITELIST_SID_3000001 [192.168.1.23,192.168.1.69,192.168.1.86]

# step 5 (the variable is referenced with a leading $ and negated with !)
alert icmp !$WHITELIST_SID_3000001 any -> any any (msg:"ICMP traffic!"; sid:3000001;)

# step 6
sudo salt 'foxhound-nids1' cmd.run 'so-rule-update'

# step 7
sudo salt 'foxhound-nids1' cmd.run 'so-nids-restart'
Fine-tuning OSSEC
Find the rule ID you want to disable
Use a text-editor to open /var/ossec/rules/local_rules.xml
Reduce the rule’s alert level to zero
Restart OSSEC
# step 1
sudo grep -Ri 'Web server 500' /var/ossec/rules/

# step 2
sudo vim /var/ossec/rules/local_rules.xml

# step 3
<!-- Added by Victor on 22 JUN 2020 -->
<rule id="100666" level="0">
  <if_sid>31120</if_sid>
  <description>Ignore 'Web server 500' errors relating to Kibana.</description>
</rule>

# step 4
sudo so-ossec-stop
sudo so-ossec-start
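The two level-0 rules above (whitelisting and fine-tuning) both silence their parent SIDs; the difference is that 100777 is scoped by srcip while 100666 has no scoping option and therefore drops every 'Web server 500' alert, not only Kibana's. This is an added audit script, not part of the original cheat sheet, that parses a local_rules.xml and reports what each level-0 rule silences and for whom; the sample file content is constructed from the page's two rules.

```python
import xml.etree.ElementTree as ET

# Scoping options an OSSEC rule can carry; a level-0 rule with none of them
# silences its parent SIDs for every host and every event.
SCOPE_TAGS = ("srcip", "dstip", "hostname", "user", "url", "match", "regex", "program_name")

# Constructed sample in the shape of /var/ossec/rules/local_rules.xml, holding the two
# level-0 rules from this page inside the <group> wrapper the stock file provides.
SAMPLE_LOCAL_RULES = """<group name="local,syslog,">
  <!-- Added by Victor on 22 JUN 2020 -->
  <rule id="100777" level="0">
    <if_sid>5706, 5710, 5712</if_sid>
    <srcip>192.168.1.23</srcip>
    <srcip>192.168.1.69</srcip>
    <description>Whitelist: Authorized analyst workstations.</description>
  </rule>
  <!-- Added by Victor on 22 JUN 2020 -->
  <rule id="100666" level="0">
    <if_sid>31120</if_sid>
    <description>Ignore 'Web server 500' errors relating to Kibana.</description>
  </rule>
</group>"""


def audit_silenced_rules(xml_text):
    """List every level-0 rule: its id, the parent SIDs it silences, the scope
    (child options that narrow it) and whether it is unscoped, i.e. global."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.get("level") != "0":
            continue
        parents = []
        for if_sid in rule.findall("if_sid"):
            parents.extend(int(s) for s in if_sid.text.split(",") if s.strip())
        scope = {}
        for tag in SCOPE_TAGS:
            values = [e.text.strip() for e in rule.findall(tag)]
            if values:
                scope[tag] = values
        findings.append({"id": int(rule.get("id")), "silences": parents,
                         "scope": scope, "global": not scope})
    return findings


if __name__ == "__main__":
    for f in audit_silenced_rules(SAMPLE_LOCAL_RULES):
        where = "GLOBALLY" if f["global"] else "only where %s" % f["scope"]
        print("rule %d silences %s %s" % (f["id"], f["silences"], where))
```

Run it against the real file (sudo cat /var/ossec/rules/local_rules.xml) after each tuning change to confirm a new suppression is scoped as narrowly as its description claims.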
Update NIDS rules
Login to your Master Node
Use a text-editor to set LOCAL_NIDS_RULE_TUNING to yes in /etc/nsm/securityonion.conf
Verify your IDS engine and rule-set
Use a text-editor to specify your desired rule-sets in /etc/nsm/pulledpork/pulledpork.conf
Download the latest rule updates
Copy the rule updates to /tmp/ on your Master Node
Use salt to perform a manual rule update across all of your sensors
# step 2
sudo vim /etc/nsm/securityonion.conf
LOCAL_NIDS_RULE_TUNING=yes
Use a text-editor to open /etc/nsm/pulledpork/disabledsid.conf
Add the rule using proper Snort/Suricata syntax (along with a comment for continuity)
Perform a manual rule update

# step 2
sudo vim /etc/nsm/pulledpork/disabledsid.conf

# step 3 (gid:sid format)
# Added by Victor on 29 JUN 2020
1:2008123

# step 4
sudo salt '*' cmd.run 'rule-update'
Elasticsearch queries
# search for a specific source ip
source_ip:192.168.1.69

# search for a specific source subnet
source_ip:192.168.1.*

# search for a specific ip address and log
source_ip:192.168.1.69 AND event_type:bro_dns

# search for an ip address and log type during a specific time period
# ex: find DNS logs between 0900 to 1700 (on 23 JUN 2020) with '192.168.1.69' as the query source
source_ip:192.168.1.69 AND event_type:bro_dns AND @timestamp:["2020-06-23T09:00" TO "2020-06-23T17:00"]
Change the name of a sensor
Part 1 of 2
Login to the sensor
Stop the salt-minion service on the sensor
Use a text-editor to open /etc/salt/minion-id
Change the minion ID
Restart the salt-minion service on the sensor
# part 1: step 2
sudo service salt-minion stop

# part 1: step 3
sudo vim /etc/salt/minion-id

# part 1: step 4
# example old name = gecko-sensor1
# example new name = foxhound-sensor1

# part 1: step 5
sudo service salt-minion start
Part 2 of 2
Login to the master
List the currently accepted salt keys
Accept the new key from the previously modified sensor
Delete the old key from the previously modified sensor