Wednesday, August 19, 2015

New rule-update and Setup packages

You may have previously experienced intermittent issues when the daily cron job runs rule-update to update your NIDS ruleset.  Because all Security Onion sensors around the world run their cron job at the same time, this was causing high load on the rule sites and some downloads would occasionally fail.  I've modified rule-update to avoid this issue and the changes are as follows:

  • no changes when running interactively from a shell (sudo rule-update)
  • no changes for sensor-only installations that have salt enabled as they don't use rule-update anyway
  • when running from a cron job:
    • if running on a master server, rule-update will sleep for a random number of minutes (up to 50) to avoid overwhelming rule update sites
    • if running on a sensor with salt disabled, rule-update will sleep for 60 minutes to allow the master server time to download the rules so that the sensor can then scp them
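
To make the new cron behaviour concrete, here is an added example (not the rule-update script itself, and not part of the original post) that models the delay logic above as a small POSIX shell function. Run mode, role and salt state are passed in as arguments because the real script reads them from the sensor's own configuration, and treating a non-tty stdin as a cron run is an assumption as well.

```shell
#!/bin/sh
# Added example modelling the rule-update delay logic described above.
# Not Security Onion's rule-update: role and salt state are arguments
# here instead of being read from the sensor's configuration files.

# Print the number of minutes rule-update should sleep before fetching.
#   $1  "cron" or "interactive"
#   $2  "master" or "sensor"
#   $3  "yes" if salt is enabled, "no" otherwise
#   $4  optional number 0-32767 used instead of a fresh random value,
#       so the master-server branch can be checked deterministically
rule_update_delay() {
  mode=$1; role=$2; salt=$3; rnd=${4:-}
  # Interactive runs (sudo rule-update) are never delayed.
  if [ "$mode" != "cron" ]; then echo 0; return 0; fi
  case "$role" in
    master)
      # Spread master servers over a 0-50 minute window so they do not
      # all hit the rule sites at the same moment.
      if [ -z "$rnd" ]; then
        rnd=$(awk 'BEGIN { srand(); print int(rand() * 32768) }')
      fi
      echo $(( rnd % 51 ))
      ;;
    sensor)
      if [ "$salt" = "yes" ]; then
        # Salt-managed sensors get their rules via salt, so nothing to wait for.
        echo 0
      else
        # Give the master an hour to finish before the sensor scps the rules.
        echo 60
      fi
      ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
}

# Demonstration only: report what each run type would do, without sleeping.
# A real cron entry would do: sleep "$(( $(rule_update_delay ...) * 60 ))"
# Assumption: stdin is not a tty when cron runs the job.
if [ -t 0 ]; then run_mode=interactive; else run_mode=cron; fi
for combo in "master no" "sensor no" "sensor yes"; do
  set -- $combo
  echo "$run_mode run on $1 (salt=$2): would delay $(rule_update_delay "$run_mode" "$1" "$2") minute(s)"
done
```
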

Here are the updated packages:
securityonion-rule-update - 20120726-0ubuntu0securityonion29
securityonion-setup - 20120912-0ubuntu0securityonion156

These new packages resolve the following issues:

Issue 724: /etc/cron.d/rule-update should avoid overwhelming rule sites

Issue 791: sosetup: change rule-update verbiage

These new packages have been tested by Jeff Tehovnik (thanks!).

These new packages are now available in our stable repo.  Please see the following page for full update instructions:

If you have any questions or problems, please use our security-onion mailing list:

Need training?  Please see:

Commercial Support
Need commercial support?  Please see:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

