Saturday, July 13, 2013

New NSM and Setup packages allow you to enable/disable sensor services

New versions of our securityonion-nsmnow-admin-scripts and securityonion-setup packages are now available that allow you to enable/disable sensor services.  When you run Setup, choosing "Quick Setup" will still default to running all sensor services, but if you choose "Advanced Setup", you'll be prompted to select which sensor processes to enable/disable:

IDS Engine
Bro
http_agent
Argus
Prads
Full Packet Capture

Your choices are then written into configuration files as follows:
/etc/nsm/securityonion.conf
BRO_ENABLED=yes
/etc/nsm/HOSTNAME-INTERFACE/sensor.conf
PCAP_ENABLED="yes"
PCAP_AGENT_ENABLED="yes"
SNORT_AGENT_ENABLED="yes"
IDS_ENGINE_ENABLED="yes"
BARNYARD2_ENABLED="yes"
PRADS_ENABLED="yes"
SANCP_AGENT_ENABLED="yes"
PADS_AGENT_ENABLED="yes"
ARGUS_ENABLED="yes"
HTTP_AGENT_ENABLED="yes"
Disabling Services after Setup
If you've already run Setup and want to disable a certain sensor service, you can simply stop the running service and then change the corresponding config value from "yes" to "no" to prevent it from restarting the next time the NSM scripts are run.

For example, suppose you access Bro's HTTP logs via ELSA, so you want to disable http_agent to prevent those HTTP logs from being duplicated into the Sguil database.  You would first stop the running http_agent service:
sudo nsm_sensor_ps-stop --only-http-agent
You would then edit /etc/nsm/HOSTNAME-INTERFACE/sensor.conf and change:
HTTP_AGENT_ENABLED="yes"
to:
HTTP_AGENT_ENABLED="no"
to prevent http_agent from restarting the next time the NSM scripts are run.  A quick way to do this for all /etc/nsm/*/sensor.conf files on one box is to use the sed command as follows:
sudo sed -i 's|HTTP_AGENT_ENABLED="yes"|HTTP_AGENT_ENABLED="no"|g' /etc/nsm/*/sensor.conf
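The steps above (stop the service, then flip its *_ENABLED flag in every sensor.conf) as a small script, added here as an example and not part of Security Onion's own scripts. The configuration root defaults to /etc/nsm but can be overridden, so the demo at the bottom runs against a constructed copy in a temp directory; the function names set_sensor_flag and sensor_flag are this example's own.

```shell
#!/bin/sh
# Added example, not Security Onion's code: toggle a *_ENABLED flag in every
# sensor.conf below a configuration root, then read the value back.

# set_sensor_flag KEY VALUE [ROOT]: rewrite KEY="..." to KEY="VALUE" in every
# ROOT/*/sensor.conf (ROOT defaults to /etc/nsm). Returns 1 if no file had KEY,
# so a typo in the key name is noticed instead of silently changing nothing.
set_sensor_flag() {
    key=$1; value=$2; root=${3:-/etc/nsm}
    found=0
    for conf in "$root"/*/sensor.conf; do
        [ -f "$conf" ] || continue
        grep -q "^${key}=" "$conf" || continue
        found=1
        # Anchored match so e.g. PCAP_AGENT_ENABLED is not hit when editing
        # PCAP_ENABLED; write to a temp file and move it over the original
        # instead of relying on sed -i, which differs between sed versions.
        sed "s|^${key}=\"[a-z]*\"|${key}=\"${value}\"|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    done
    [ "$found" -eq 1 ]
}

# sensor_flag KEY CONF: print the current value of KEY in CONF without quotes.
sensor_flag() {
    sed -n "s|^$1=\"\([a-z]*\)\"|\1|p" "$2"
}

# Demo against a constructed sensor tree with two interfaces (sample values,
# same layout as /etc/nsm/HOSTNAME-INTERFACE/sensor.conf).
demo_root=$(mktemp -d)
for sensor in host1-eth1 host1-eth2; do
    mkdir -p "$demo_root/$sensor"
    printf 'PCAP_ENABLED="yes"\nIDS_ENGINE_ENABLED="yes"\nHTTP_AGENT_ENABLED="yes"\n' \
        > "$demo_root/$sensor/sensor.conf"
done
set_sensor_flag HTTP_AGENT_ENABLED no "$demo_root"
sensor_flag HTTP_AGENT_ENABLED "$demo_root/host1-eth2/sensor.conf"   # prints: no
sensor_flag IDS_ENGINE_ENABLED "$demo_root/host1-eth2/sensor.conf"   # untouched: yes
rm -rf "$demo_root"
```

On a real sensor you would run `sudo nsm_sensor_ps-stop --only-http-agent` first, as described above, and then call set_sensor_flag without the third argument so it edits /etc/nsm.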
Example Screenshots (images not reproduced here; captions only):
Stopping the running service
Disabling the service
Service now disabled
Issues Resolved
These updates resolve the following issues:
Issue 312: Update NSM scripts to allow $SERVICE=yes/no in securityonion.conf and/or sensor.conf
Issue 313: Update Setup so that Advanced Setup asks about enabling/disabling individual services
Issue 268: Update NSM scripts so that OSSEC and Bro sections respect --sensor-name option
Issue 351: Update /etc/init/securityonion.conf to start Xplico (controlled by user in /etc/nsm/securityonion.conf)

Thanks
Thanks to Karolis Cepulis for submitting a patch for Issue 268!
Thanks to the following for testing the new packages!
Matt Gregory
Michal Purzynski

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

Training
Want to learn more about Security Onion?  Sign up for the upcoming 8-hour class in Augusta GA!
http://securityonion.eventbrite.com/
