Thursday, January 20, 2011

Security Onion nsm_all_del script

This blog post will demonstrate the nsm_all_del script.  If you ran through Setup and configured your sensors but decide that you need to re-run Setup for some reason (perhaps you want to choose Advanced Setup to choose specific interfaces), then you need to run nsm_all_del first.  nsm_all_del will delete your current sensor configuration in preparation for running Setup again.

Suppose I ran through Setup using Quick Setup, which enumerated my Ethernet interfaces and created Sguil sensors for eth0, eth1, and eth2.

Now suppose I want eth0 to be just a management interface with no Sguil sensor.  I need to run Setup again and choose Advanced Setup to exclude eth0, but first I need to run nsm_all_del to delete the current Sguil sensor configuration.

Once launched, nsm_all_del displays a warning that the existing sensor configuration is about to be deleted.

It then begins deleting sensors, asking for confirmation along the way.

Once nsm_all_del completes, I then run Setup again and choose Advanced Setup so that I can choose which network interfaces should have Sguil sensors.

Once Setup completes, I log in to Sguil and see that I only have Sguil sensors for eth1 and eth2.


Anonymous said...

Man, you're really making life so easy!

Thanks a lot for everything you wrote.

Anonymous said...

Do you get two rule sets, one for each interface or just one (downloaded.rules) for both interfaces?

Doug Burks said...

Currently, it's just one ruleset for the entire box (all interfaces use that one ruleset). You could certainly manually configure different rulesets for different interfaces.