This update resolves the following issues:
Issue 342: Allow more granular rule tuning (per physical sensor)
Issue 325: rule-update needs to check for privileges
Issue 326: rule-update needs to check for /etc/nsm/rules/backup/
Issue 349: rule-update needs to copy OSSEC local_rules.xml from master to sensor
Issue 353: rule-update should remove unneeded messages from PulledPork output
Previously, rule-update in distributed deployments would copy NIDS rules from the master server to slave sensors but wouldn't allow you to tune the ruleset per sensor. This new version of rule-update allows for ruleset tuning per physical sensor. If you'd like to enable this, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_NIDS_RULE_TUNING=trueThe next time rule-update runs, it should copy the raw NIDS rules from the master server and run Pulledpork locally making changes to the ruleset as you've configured in /etc/nsm/pulledpork/ on the sensor itself.
Another change in this new rule-update is that OSSEC's local_rules.xml is now copied from the master server to slave sensors by default. If local_rules.xml has changed since the previous run of rule-update, it will then automatically restart OSSEC to activate the new configuration. If you want to tune local_rules.xml per physical sensor, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_HIDS_RULE_TUNING=trueWhat if I've already modified OSSEC's local_rules.xml on the sensor? Will my changes be overwritten?
If you had previously tuned OSSEC's local_rules.xml on the sensor itself and don't want those changes to be overwritten when the new version of rule-update runs, set LOCAL_HIDS_RULE_TUNING=true before upgrading the rule-update package. If you have already upgraded rule-update without setting LOCAL_HIDS_RULE_TUNING=true, your custom local_rules.xml should have been backed up to /var/ossec/rules/local_rules_orig.xml. You can then set LOCAL_HIDS_RULE_TUNING=true and copy /var/ossec/rules/local_rules_orig.xml to /var/ossec/rules/local_rules.xml.
Thanks to Chris White for the granular NIDS rule tuning patch!
Thanks to the following for testing the new package:
The new package is now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
If you have any questions or problems, please use our mailing list:
Found bugs in rule-update or want to add new features? rule-update is now on github:
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!