adric.net

TuningSOSensors

Background


Intelligence

Balance defense and detection


What's an interesting event for your organization? What events are totally uninteresting?

Process

Most effective after/during an IDS Policy Review
What action should/do we take on these events?

Fidelity


Technology

Unified or per-sensor configuration? so-salt?


Toolset


Procedure (low sodium)

  1. Identify the config file to change and where to change it:
  2. SSH to that box and open a sudo session.
  3. Back up files before changing them.
  4. Make some edits and save them.

threshold: suppress (squelch) or rate-limit alerts, per rule and per host

/etc/nsm/rules/threshold.conf

##

modify SID: disable, enable or modify rules universally by rule name, SID number or category

ModifySIDs

/etc/nsm/pulledpork/disablesid.conf
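Constructed examples of the two files above, plus a lint you can run before step 6 restarts anything, as an added shell example (it is not the wiki's own nor a Security Onion script). The SIDs and the 10.1.1.54 address are placeholders; the suppress/event_filter lines use the Snort threshold.conf syntax that Suricata also reads, and the disablesid entries use PulledPork's gid:sid, range and category forms. The set of characters the linter accepts in a disablesid entry is my assumption; widen it if your categories use others.

```shell
#!/bin/sh
# Added example: write constructed threshold.conf / disablesid.conf entries
# into a scratch directory and lint them. Paths are parameters so the same
# functions can be pointed at /etc/nsm/rules/threshold.conf and
# /etc/nsm/pulledpork/disablesid.conf on a sensor.

# Write constructed samples (SIDs and the IP are arbitrary placeholders).
write_samples() {
    dir=$1
    cat > "$dir/threshold.conf" <<'EOF'
# never alert on this SID when the source is the vuln scanner (placeholder IP)
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.1.1.54
# at most one alert per source per minute for a chatty SID
event_filter gen_id 1, sig_id 2003068, type limit, track by_src, count 1, seconds 60
EOF
    cat > "$dir/disablesid.conf" <<'EOF'
# one SID, a SID range, and a whole category (PulledPork forms)
1:2100498
1:2000000-1:2000010
emerging-policy
EOF
}

# Return 0 if every non-comment line of a threshold.conf starts like
# "<suppress|event_filter|rate_filter|threshold> gen_id N, sig_id N ...";
# otherwise print the offending lines on stderr and return 1.
threshold_lint() {
    rc=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            'suppress gen_id '[0-9]*', sig_id '[0-9]*) ;;
            'event_filter gen_id '[0-9]*', sig_id '[0-9]*', type '*) ;;
            'rate_filter gen_id '[0-9]*', sig_id '[0-9]*', track '*) ;;
            'threshold gen_id '[0-9]*', sig_id '[0-9]*', type '*) ;;   # deprecated form
            *) echo "threshold.conf: bad line: $line" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Return 0 if every entry of a disablesid.conf is a pcre: pattern, a gid:sid
# (single, list or range) or a category name; otherwise report and return 1.
disablesid_lint() {
    rc=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            pcre:?*) ;;
            *[!0-9a-z:,._-]*) echo "disablesid.conf: bad line: $line" >&2; rc=1 ;;  # assumed charset
            [0-9]*:[0-9]*) ;;        # 1:2100498, 1:100,1:101 or 1:2000000-1:2000010
            [a-z]*) ;;               # category, e.g. emerging-policy
            *) echo "disablesid.conf: bad line: $line" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}
```

A misspelt keyword such as `supress` or a `sid 2100498` entry pasted from a rule header is caught here instead of by a failed restart in step 6.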

##

BPF: ignore traffic from host/network/port per service or per sensor

/etc/nsm/SENSORNAME/bpf.conf
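An added shell example for the bpf.conf step (not the wiki's own nor Security Onion code): it assembles a multi-line bpf.conf into the single filter expression the capture processes get and checks that the parentheses balance before anything is restarted. The assumption that comment lines are dropped and the remaining lines joined with spaces is mine, as are the placeholder hosts.

```shell
#!/bin/sh
# Added example: assemble and sanity-check a sensor bpf.conf.
# Assumption (not documented Security Onion behaviour): '#' lines are
# ignored and the remaining lines are joined with single spaces.

# Constructed sample: exclude the backup stream and resolver DNS,
# inspect everything else. Hosts are placeholders.
write_sample_bpf() {
    cat > "$1" <<'EOF'
# do not inspect the nightly backup stream
not (host 10.1.1.20 and host 10.1.1.21 and port 873)
# and drop DNS from the internal resolver
and not (host 10.1.1.53 and port 53)
EOF
}

# Print the joined filter expression with whitespace normalised.
bpf_assemble() {
    grep -v '^[[:space:]]*#' "$1" | tr '\n' ' ' \
        | sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//'
}

# Return 0 if the parentheses in the expression balance, 1 otherwise.
bpf_parens_ok() {
    depth=0
    rest=$1
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}      # first character
        rest=${rest#?}              # drop it
        case $ch in
            '(') depth=$((depth + 1)) ;;
            ')') depth=$((depth - 1))
                 if [ "$depth" -lt 0 ]; then return 1; fi ;;
        esac
    done
    [ "$depth" -eq 0 ]
}

# Convenience wrapper: assemble, check, and print the expression on success.
bpf_check() {
    filter=$(bpf_assemble "$1")
    if bpf_parens_ok "$filter"; then
        printf '%s\n' "$filter"
    else
        echo "bpf.conf: unbalanced parentheses in: $filter" >&2
        return 1
    fi
}
```

On the sensor itself, feeding the printed expression to `tcpdump -d` (which compiles the filter and prints the BPF program without capturing) is the stronger check, since it also catches unknown primitives; the parenthesis test above is the part that runs anywhere.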

##

Snort/Suricata/Bro configuration changes

/etc/nsm/SENSORNAME/snort.conf

/etc/nsm/SENSORNAME/suricata.yaml

##

Sguil autoclass: only works for Sguil

FIXME

##

  5. Test your changes WITHOUT restarting the running services (where possible).
  6. Restart services to reload configuration and make changes live.
  7. Look over status and logs. Run sostat as well as w, top, netstat as needed.
  8. If all is well, update saved configs and documentation.
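Steps 3, 4, 6 and 8 of the procedure as an added shell example (not the wiki's own nor a Security Onion script): take a timestamped backup before editing, show the diff against it for the change record, and only then reload. The backup root is a parameter so the functions also work in a scratch directory; the restart and status commands in go_live are the ones this generation of Security Onion documents (nsm_sensor_ps-restart, sostat) and are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: back up, diff, then reload.

# Copy FILE under BACKUP_ROOT with a timestamp suffix and print the backup path,
# e.g. /root/nsm-backups/etc/nsm/rules/threshold.conf.20130214-101500
backup_conf() {
    file=$1
    root=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$root$file.$stamp"
    mkdir -p "$(dirname "$dest")"
    cp -p "$file" "$dest"
    printf '%s\n' "$dest"
}

# Return 0 if FILE still matches BACKUP byte for byte, 1 once it has been edited.
unchanged_since() {
    cmp -s "$1" "$2"
}

# Unified diff from the backup to the live file, for the documentation step.
show_change() {
    diff -u "$2" "$1" || true
}

# Reload and look at status only after the diff has been reviewed.
# DRY_RUN defaults to 1 so that sourcing this script never restarts anything.
go_live() {
    for cmd in "sudo nsm_sensor_ps-restart --only-snort-alert" \
               "sudo sostat | head -40"; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would run: %s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Typical session on a sensor (paths as on this page):
#   b=$(backup_conf /etc/nsm/rules/threshold.conf /root/nsm-backups)
#   sudo vi /etc/nsm/rules/threshold.conf
#   show_change /etc/nsm/rules/threshold.conf "$b"
#   DRY_RUN=0 go_live
```

Keeping the backups outside /etc/nsm avoids leaving stray copies next to files that other tooling (PulledPork, so-salt) may sweep up.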

References:

https://code.google.com/p/security-onion/wiki/ManagingAlerts

http://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html

http://taosecurity.blogspot.com/2006/08/more-snort-and-sguil-tuning.html