Tuesday, June 25, 2013

New securityonion-rule-update package distributes OSSEC local_rules.xml and allows for per-sensor NIDS/HIDS rule tuning

A new version of our securityonion-rule-update package is now available that distributes OSSEC's local_rules.xml from master server to slave sensors by default and also allows for NIDS/HIDS rule tuning per physical sensor.

This update resolves the following issues:
Issue 342: Allow more granular rule tuning (per physical sensor)
Issue 325: rule-update needs to check for privileges
Issue 326: rule-update needs to check for /etc/nsm/rules/backup/
Issue 349: rule-update needs to copy OSSEC local_rules.xml from master to sensor
Issue 353: rule-update should remove unneeded messages from PulledPork output

NIDS Rules
Previously, rule-update in distributed deployments would copy NIDS rules from the master server to slave sensors but wouldn't allow you to tune the ruleset per sensor.  This new version of rule-update allows for ruleset tuning per physical sensor.  If you'd like to enable this, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_NIDS_RULE_TUNING=true
The next time rule-update runs, it should copy the raw NIDS rules from the master server and run Pulledpork locally making changes to the ruleset as you've configured in /etc/nsm/pulledpork/ on the sensor itself.

HIDS Rules
Another change in this new rule-update is that OSSEC's local_rules.xml is now copied from the master server to slave sensors by default.  If local_rules.xml has changed since the previous run of rule-update, it will then automatically restart OSSEC to activate the new configuration.  If you want to tune local_rules.xml per physical sensor, set the following option in /etc/nsm/securityonion.conf on the sensor:
LOCAL_HIDS_RULE_TUNING=true
What if I've already modified OSSEC's local_rules.xml on the sensor?  Will my changes be overwritten?
If you had previously tuned OSSEC's local_rules.xml on the sensor itself and don't want those changes to be overwritten when the new version of rule-update runs, set LOCAL_HIDS_RULE_TUNING=true before upgrading the rule-update package.  If you have already upgraded rule-update without setting LOCAL_HIDS_RULE_TUNING=true, your custom local_rules.xml should have been backed up to /var/ossec/rules/local_rules_orig.xml.  You can then set LOCAL_HIDS_RULE_TUNING=true and copy /var/ossec/rules/local_rules_orig.xml to /var/ossec/rules/local_rules.xml.

Thanks
Thanks to Chris White for the granular NIDS rule tuning patch!
Thanks to the following for testing the new package:
David Zawdie
Heine Lysemose

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Github
Found bugs in rule-update or want to add new features?  rule-update is now on github:
https://github.com/Security-Onion/securityonion-rule-update

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

No comments:

Search This Blog

Featured Post

Did You Know Security Onion Scales to the Enterprise?

Did you know Security Onion scales to the enterprise? Security Onion is designed to scale from simple standalone deployments all the way up ...

Popular Posts

Blog Archive