Local snort rules not working using security onion


Maarten

May 4, 2018, 6:07:45 AM
to security-onion
Hi all,

I have recently installed security onion using the ISO on a hyper-v virtual machine. After going through the setup twice to install all services needed I tried to adjust some local snort rules to test the setup. I've configured snort locally and tried to test this by opening sguil and sending some traffic. However no alerts are received.
What I have done:
- in securityonion.conf
adjusted the setting LOCAL_NIDS_RULE_TUNING to yes
- in local.rules
created a test rule to trigger on any ICMP traffic
alert icmp any any <> any any (msg:"Testing ICMP traffic";sid:10001;)
I tested the rule by doing: sudo snort -T -c /etc/nsm/rules/local.rules
The rule is detected and I receive a "snort successfully validated the configuration".
- executed rule-update command.
in the output of the command it does indicate LOCAL_NIDS_RULE_TUNING is set to yes.
However I don't see any output saying the file is written or processed. I'm not sure I should see one.
In sid_change.log I do not see any rules being added with sid 10001 nor find my icmp any any

My sensor interface is currently eth1. When I start wireshark and trace interface eth1 I do see the ICMP traffic.
When I start sguil and open testmyids.com in my browser I do receive an alert. So I think snort is working fine for downloaded rules.
I did read some posts indicating issues when running security onion on hyper-v but they all seemed to be related to the span port (mostly on 2012) and this seems OK here.
I assume many have this setup on Hyper-v, so there must be a solution.

Kind regards,

Maarten
Attachment: Sostat.txt

Wes Lambert

May 4, 2018, 1:20:48 PM
to securit...@googlegroups.com
I would set your LOCAL_NIDS_RULE_TUNING back to "no" so you can get new rules from the internet.

You'll want to check /etc/nsm/rules/downloaded.rules to see if your rule was loaded into there.  This is where rules go after PulledPork has processed them.

If it is not there, you'll want to check your syntax, etc. to make sure it is correct, until you see the rule in downloaded.rules.

If it ends up in the downloaded.rules file, but doesn't seem to work, try checking the Snort log file in /var/log/nsm/<hostname-interface>/snortu-x.log for clues/errors.

Thanks,
Wes



Maarten

May 7, 2018, 5:25:40 AM
to security-onion
Hi Wes,

Thanks for the info. I did check the downloaded.rules and my rule wasn't there. I have copied one of the existing rules in this file and copied it to the local rules (after changing the sid and msg) and this seemed to work. It will probably be a syntax error in my original rule.

Kind regards,
Maarten
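A small checker, added here as an example and not part of the thread or of Security Onion, that automates what Wes suggests: it parses each rule in local.rules, reports syntax problems and missing msg/sid/rev options, and says whether each local sid made it into downloaded.rules. That PulledPork drops rules lacking rev: is my assumption, not something the thread confirms; the sid range check follows the Snort convention that 1000000 and above is for local rules. Both file contents are constructed inline rather than read from the sensor.

```python
import re

# Snort rule: header (action proto src sport dir dst dport) then "(options)".
RULE_RE = re.compile(r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+'
                     r'\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')
# One option: name, optional ":value" (quoted or bare), terminated by ";".
OPT_RE = re.compile(r'\s*(?P<name>[a-zA-Z_]+)\s*(?::\s*(?P<val>"[^"]*"|[^;]*))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_options(body):
    """Return the option body as {name: value}; raise ValueError on bad syntax."""
    opts, pos, body = {}, 0, body.strip()
    while pos < len(body):
        m = OPT_RE.match(body, pos)
        if not m:
            raise ValueError(f"bad option syntax near {body[pos:pos + 20]!r}")
        opts[m.group('name')] = m.group('val')
        pos = m.end()
    return opts

def lint_rule(line):
    """List the problems found in one rule line (empty list means it looks fine)."""
    m = RULE_RE.match(line)
    if not m:
        return ["header does not parse: action proto src sport dir dst dport (options)"]
    try:
        opts = parse_options(m.group('opts'))
    except ValueError as err:
        return [str(err)]
    # rev: treated as required (assumption about PulledPork's rule parser).
    problems = [f"missing {k}:" for k in ('msg', 'sid', 'rev') if k not in opts]
    sid = opts.get('sid')
    if sid and sid.isdigit() and int(sid) < 1000000:
        problems.append("sid below 1000000 is in the range used by distributed rules")
    return problems

def check_local_rules(local_text, downloaded_text):
    """Per local rule: its lint problems and whether its sid reached downloaded.rules."""
    downloaded = set(SID_RE.findall(downloaded_text))
    result = {}
    for line in local_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank lines and comments are not rules
        m = SID_RE.search(line)
        key = m.group(1) if m else line
        result[key] = {'problems': lint_rule(line), 'in_downloaded': key in downloaded}
    return result

# Constructed sample: the thread's rule (no rev:, low sid) beside a corrected one.
LOCAL = '\n'.join([
    'alert icmp any any <> any any (msg:"Testing ICMP traffic";sid:10001;)',
    'alert icmp any any <> any any (msg:"Testing ICMP traffic"; sid:1000001; rev:1;)'])
DOWNLOADED = 'alert icmp any any <> any any (msg:"Testing ICMP traffic"; sid:1000001; rev:1;)'
```

Running `check_local_rules(LOCAL, DOWNLOADED)` flags the first rule (missing rev:, sid 10001, absent from downloaded.rules) and passes the second.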
