snort.conf always overwritten after restart service


cyril moreau

Jan 23, 2018, 3:08:52 PM1/23/18
to security-onion
Hi,

I have a Security Onion sensor with the original configuration:
# site specific rules
#include $RULE_PATH/local.rules
include $RULE_PATH/downloaded.rules

I want to uncomment the "include $RULE_PATH/local.rules" line,

but every time I do that and restart the service or execute the snort command, the line is overwritten and commented out again.

How can I keep the config file that I want?
How do I keep my configuration file persistent with "include $RULE_PATH/local.rules" uncommented?

Thank you for your help.

Cyril

Wes

Jan 23, 2018, 3:12:09 PM1/23/18
to security-onion

Cyril,

PulledPork should already manage local.rules.

This means that once you add new rules in /etc/nsm/rules/local.rules and run 'sudo rule-update', your local.rules should be populated into downloaded.rules.

Is there any reason you don't wish to use it as it stands?

Thanks,
Wes

cyril moreau

Jan 23, 2018, 3:31:21 PM1/23/18
to securit...@googlegroups.com
Where should I execute rule-update: on the master or on the sensor?

Actually I did both and nothing works.

On the master I have:
cat /etc/nsm/rules/local.rules
alert tcp any any -> any any (msg:" 9087 TRANSFER Packet";content:"txtURN";sid:1000006;)
alert tcp any any -> any any (msg:" 9087 TRANSFER Packet";content:"networkextensions";sid:1000007;)
alert icmp 10.30.129.35 any -> 10.30.129.186 any (msg: "HEARTBEAT";sid:1000008;)

On the sensor I have after rule-update:
cat /etc/nsm/rules/local.rules
alert tcp any any -> any any (msg:" 9087 TRANSFER Packet";content:"txtURN";sid:1000006;)
alert tcp any any -> any any (msg:" 9087 TRANSFER Packet";content:"networkextensions";sid:1000007;)
alert icmp 10.30.129.35 any -> 10.30.129.186 any (msg: "HEARTBEAT";sid:1000008;)

But nothing in downloaded.rules:
grep HEARTB /etc/nsm/rules/downloaded.rules

Should I add my rules in the downloaded.rules file manually? Will it be overwritten then?



--
CYRIL MOREAU
skype: cyril.moreau.pro
+34 6 73 91 31 92

More information : Linkedin




--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/5uCKTaeX4LY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Wes Lambert

Jan 23, 2018, 3:53:05 PM1/23/18
to securit...@googlegroups.com
Try the following:

Master
------
sudo rule-update
tail -20 /etc/nsm/rules/downloaded.rules (to make sure rules are in downloaded.rules)
sudo salt '*' state.highstate 

Sensor
------
tail -20 /etc/nsm/rules/downloaded.rules

Thanks,
Wes

cyril moreau

Jan 23, 2018, 3:55:41 PM1/23/18
to securit...@googlegroups.com
I don't have the salt command. I don't use the salt feature of Security Onion.




cyril moreau

Jan 23, 2018, 3:59:21 PM1/23/18
to securit...@googlegroups.com
You can find attached the result of the rule-update command that I executed on the master.




pulledpork.log

Wes Lambert

Jan 23, 2018, 4:17:57 PM1/23/18
to securit...@googlegroups.com
If you are not using salt, then you should be able to run rule-update on the master, then on the sensor.

It also looks like PP is not liking how some of your rules are written -- would you be able to share those rules in local.rules (redacting, as necessary)?  Also, try temporarily removing those rules to see if you continue to see the same error message(s) from PP.

You can also check /var/log/nsm/sensorname-interface/snortu-1.log on the sensor to help identify issues with your rules.

Thanks,
Wes


cyril moreau

Jan 23, 2018, 4:39:40 PM1/23/18
to securit...@googlegroups.com
I did not find anything in the log snortu-1.log.
I am attaching the log, my local.rules file, and my snort.conf from the sensor.

I checked the rule-update script, and I did not see anything like cat /etc/nsm/rules/local.rules > /etc/nsm/rules/downloaded.rules

So I don't know how they merge the two files.




rule-update
snort.conf
local.rules
snortu-1.log

Wes Lambert

Jan 23, 2018, 4:48:30 PM1/23/18
to securit...@googlegroups.com
They probably weren't getting copied over by PulledPork to downloaded.rules because PP could not understand them.

You need to be careful about the spacing, etc. in your rules.  Modify them so they are as follows (local.rules):

alert tcp any any -> any any (msg:"9087 TRANSFER Packet"; content:"txtURN"; sid:1000006;)
alert tcp any any -> any any (msg:"9087 TRANSFER Packet"; content:"networkextensions"; sid:1000007;)
alert icmp 10.30.129.35 any -> 10.30.129.186 any (msg:"HEARTBEAT"; sid:1000008;)

Then run rule-update again.

Thanks,
Wes
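The spacing problem Wes points out is easy to catch before running rule-update. The script below is an added example written for this thread, not Security Onion's rule-update or PulledPork code: it parses the three rules exactly as Cyril first posted them (embedded as a constructed copy of local.rules), reports the spacing issues, and rewrites each rule into the "key:value; key:value;" layout Wes recommended. The checks it applies (no space after ";", whitespace after "msg:", and whitespace inside the msg string) are my assumptions about what PulledPork rejected; content:"..." strings are left untouched because leading spaces there change what the rule matches.

```python
# Constructed example: lint and normalise Snort rule option spacing.
# Not Security Onion / PulledPork code; rules below are the ones from this thread.
import re

# "action proto src sport direction dst dport (options)"
HEADER_RE = re.compile(r'^\s*(?P<header>\S+(?:\s+\S+){6})\s*\((?P<body>.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' outside double quotes, keeping raw spacing.

    A backslash-escaped character (an escaped quote or semicolon inside a
    content string, for example) is never treated as a delimiter.
    """
    pieces, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
            continue
        if ch == '\\':
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            pieces.append(''.join(current))
            current = []
            continue
        current.append(ch)
    tail = ''.join(current)
    if tail.strip():
        pieces.append(tail)
    return pieces


def lint_rule(rule):
    """Return spacing findings for one rule line; an empty list means it is clean."""
    m = HEADER_RE.match(rule)
    if not m:
        return ['header is not "action proto src sport dir dst dport (options)"']
    findings = []
    for index, raw in enumerate(split_options(m.group('body'))):
        if index > 0 and not raw[:1].isspace():
            findings.append('no space after ";" before %r' % raw.strip())
        key, sep, value = raw.strip().partition(':')
        if sep and value[:1].isspace():
            findings.append('whitespace after "%s:"' % key.strip())
        if key.strip() == 'msg' and len(value) >= 2 and value[0] == value[-1] == '"':
            inner = value[1:-1]
            if inner != inner.strip():
                findings.append('leading/trailing whitespace inside msg string')
    return findings


def normalize_rule(rule):
    """Rewrite a rule into the 'key:value; key:value;' form Wes recommended."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('unparseable rule: %s' % rule)
    header = ' '.join(m.group('header').split())
    options = []
    for raw in split_options(m.group('body')):
        key, sep, value = raw.strip().partition(':')
        key, value = key.strip(), value.strip()
        # msg text is cosmetic, so trim it; content:"..." is matched bytes, leave it alone
        if key == 'msg' and len(value) >= 2 and value[0] == value[-1] == '"':
            value = '"%s"' % value[1:-1].strip()
        options.append('%s:%s' % (key, value) if sep else key)
    return '%s (%s;)' % (header, '; '.join(options))


def lint_file(text):
    """Lint every non-comment line of a local.rules-style file -> {line_no: findings}."""
    report = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        findings = lint_rule(line)
        if findings:
            report[line_no] = findings
    return report


# Constructed copy of the three rules as originally posted in the thread.
ORIGINAL_RULES = '''\
alert tcp any any -> any any (msg:" 9087 TRANSFER Packet";content:"txtURN";sid:1000006;)
alert tcp any any -> any any (msg:" 9087 TRANSFER Packet";content:"networkextensions";sid:1000007;)
alert icmp 10.30.129.35 any -> 10.30.129.186 any (msg: "HEARTBEAT";sid:1000008;)
'''

if __name__ == '__main__':
    for line_no, findings in lint_file(ORIGINAL_RULES).items():
        print('line %d: %s' % (line_no, '; '.join(findings)))
    for rule in ORIGINAL_RULES.splitlines():
        print(normalize_rule(rule))
```

Running it against a real local.rules (read the file into lint_file) before sudo rule-update gives a quick answer to the question asked earlier in the thread: if the report is empty and a rule still does not show up in downloaded.rules, the cause is something other than spacing.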

cyril moreau

Jan 23, 2018, 5:18:52 PM1/23/18
to securit...@googlegroups.com
Thank you very much.
You found it!!!
The issue was the space in the rules I created.





