Tuesday, June 25, 2013

New securityonion-rule-update package distributes OSSEC local_rules.xml and allows for per-sensor NIDS/HIDS rule tuning

A new version of our securityonion-rule-update package is now available that distributes OSSEC's local_rules.xml from master server to slave sensors by default and also allows for NIDS/HIDS rule tuning per physical sensor.

This update resolves the following issues:
Issue 342: Allow more granular rule tuning (per physical sensor)
Issue 325: rule-update needs to check for privileges
Issue 326: rule-update needs to check for /etc/nsm/rules/backup/
Issue 349: rule-update needs to copy OSSEC local_rules.xml from master to sensor
Issue 353: rule-update should remove unneeded messages from PulledPork output

NIDS Rules
Previously, rule-update in distributed deployments would copy NIDS rules from the master server to slave sensors but wouldn't allow you to tune the ruleset per sensor.  This new version of rule-update allows for ruleset tuning per physical sensor.  If you'd like to enable this, set the following option in /etc/nsm/securityonion.conf on the sensor:
The next time rule-update runs, it should copy the raw NIDS rules from the master server and run Pulledpork locally making changes to the ruleset as you've configured in /etc/nsm/pulledpork/ on the sensor itself.

HIDS Rules
Another change in this new rule-update is that OSSEC's local_rules.xml is now copied from the master server to slave sensors by default.  If local_rules.xml has changed since the previous run of rule-update, it will then automatically restart OSSEC to activate the new configuration.  If you want to tune local_rules.xml per physical sensor, set the following option in /etc/nsm/securityonion.conf on the sensor:
What if I've already modified OSSEC's local_rules.xml on the sensor?  Will my changes be overwritten?
If you had previously tuned OSSEC's local_rules.xml on the sensor itself and don't want those changes to be overwritten when the new version of rule-update runs, set LOCAL_HIDS_RULE_TUNING=true before upgrading the rule-update package.  If you have already upgraded rule-update without setting LOCAL_HIDS_RULE_TUNING=true, your custom local_rules.xml should have been backed up to /var/ossec/rules/local_rules_orig.xml.  You can then set LOCAL_HIDS_RULE_TUNING=true and copy /var/ossec/rules/local_rules_orig.xml to /var/ossec/rules/local_rules.xml.

Thanks to Chris White for the granular NIDS rule tuning patch!
Thanks to the following for testing the new package:
David Zawdie
Heine Lysemose

The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:

If you have any questions or problems, please use our mailing list:

Found bugs in rule-update or want to add new features?  rule-update is now on github:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

No comments: