Balance defense and detection
What's an interesting event for your organization? What events are totally uninteresting?
Process
Most effective after/during an IDS Policy Review
What action should/do we take on these events?
- True positive
- False positive
- True negative
- False negative
Unified or per sensor configuration? so-salt?
- threshold: suppress (squelch) or rate-limit, per rule per host
- modifysid (PulledPork): disable, enable, or modify rules universally by SID, rule name, or category
- BPF: ignore traffic from host/network/port per service or per sensor
- Snort/Suricata/Bro configuration changes
- Document and follow a standard process for specific events/hosts
- sguil autocat: only works for Sguil
Procedure (low sodium)
- Identify the config file to change and where to change it:
  - Server: /etc/nsm for most things
    - /etc/nsm/pulledpork for modifysid
    - /etc/nsm/SENSORNAME/rules for threshold
    - /etc/nsm/securityonion/ for sguild changes like autocat
  - Sensors: for BPF, Snort, Suricata, Bro changes
    - /etc/nsm/SENSORNAME for Snort, Suricata, BPFs
    - /opt/bro/etc for node.cfg, networks.cfg
- SSH to that box and open a sudo session
- Back up files before changing them.
- Make some edits and save them:
  - threshold: suppress (squelch) or rate-limit, per rule per host
  - modifysid (PulledPork): disable, enable, or modify rules universally by SID, rule name, or category
  - BPF: ignore traffic from host/network/port per service or per sensor
  - Snort/Suricata/Bro configuration changes
  - sguil autocat: only works for Sguil
- Test your changes WITHOUT restarting the running services (where possible)
  - snort -T -c <snort config>
  - suricata -T -c <suricata config>
  - bro … FIXME
- Restart services to reload configuration and make changes live
  - Bro: broctl install, then broctl restart (or broctl deploy, where available, which also runs broctl check first)
  - rule-update (the Security Onion rule sync script):
    - Server: mostly harmless (downloads and processes rules) and will give you updated rule statistics
    - Sensor: pulls rules and threshold.conf from the master and restarts the Snort/Suricata and Barnyard services immediately
  - Optionally wait for the crons to restart/reload services for you if that's better
- Look over status and logs. Run sostat as well as w, top, netstat as needed.
- If all happy, then update saved configs and documentation.
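The back-up / edit / test steps above as an added shell example; this is not part of the original notes and not Security Onion's own tooling. The /etc/nsm/SENSORNAME layout, the file names snort.conf, suricata.yaml and threshold.conf, and the sample threshold entries are assumptions constructed for the example. The engine self-tests (snort -T, suricata -T, broctl check) are the authoritative checks and are only invoked when the binary is present, so the lint and backup helpers run on any box. The lint catches the common threshold.conf mistake (a typo in the keyword, or a missing gen_id/sig_id) before a restart would have Snort/Suricata refuse to start.

```bash
#!/bin/sh
# Added example helpers for the tuning procedure. Paths and sample data
# below are assumptions, not taken from a real sensor.

# Back up a config file next to itself with a timestamp suffix and print
# the backup path so it can be noted in the change log. Returns 1 if the
# file does not exist.
backup_config() {
    f="$1"
    [ -f "$f" ] || { echo "backup_config: $f missing" >&2; return 1; }
    b="$f.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$f" "$b" && echo "$b"
}

# Lint a threshold.conf before handing it to Snort/Suricata: every
# non-blank, non-comment line must be a suppress / event_filter /
# rate_filter (or legacy threshold) entry that names gen_id and sig_id.
# Prints the offending lines (with line numbers) to stderr and returns 1
# if any are found; returns 0 on a clean file.
lint_threshold() {
    bad=$(grep -nEv '^[[:space:]]*(#|$)' "$1" \
        | grep -Ev '^[0-9]+:[[:space:]]*(suppress|event_filter|rate_filter|threshold)[[:space:]]+gen_id[[:space:]]+[0-9]+,[[:space:]]*sig_id[[:space:]]+[0-9]+' \
        || true)
    if [ -n "$bad" ]; then
        echo "lint_threshold: malformed lines in $1:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Test pass for one sensor directory (assumed layout /etc/nsm/SENSORNAME
# holding snort.conf, suricata.yaml and threshold.conf). The engines'
# own -T checks run only if the binary is installed on this box; the
# threshold lint always runs. Nothing here restarts a service.
test_sensor_config() {
    sensor_dir="$1"
    lint_threshold "$sensor_dir/threshold.conf" || return 1
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$sensor_dir/snort.conf" || return 1
    fi
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$sensor_dir/suricata.yaml" || return 1
    fi
    # broctl check validates the Bro config without installing it.
    if command -v broctl >/dev/null 2>&1; then
        broctl check || return 1
    fi
    return 0
}

# Demo on a constructed threshold.conf (sample entries, not a real
# sensor's tuning): back it up, lint it, report.
demo() {
    d=$(mktemp -d)
    cat > "$d/threshold.conf" <<'EOF'
# squelch one rule for one noisy source host
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.5
# rate-limit to one alert per source per minute
event_filter gen_id 1, sig_id 2013028, type limit, track by_src, count 1, seconds 60
EOF
    echo "backup written to: $(backup_config "$d/threshold.conf")"
    test_sensor_config "$d" && echo "$d: config tests passed, safe to reload"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run as `sh tune-check.sh demo` to see the helpers on the constructed file; in practice point test_sensor_config at the real sensor directory after backup_config, and only run rule-update or the service restarts once it returns 0.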