snort.conf site specific rules issue
D Pitts
Long time lurker, first time poster.
Here's my issue.
Things were running well. I put some entries in local.rules that actually worked. So, I made some additions in local.rules. I noticed the alerts were not showing up in sguil. I checked snort.conf and noticed the "include $RULE_PATH/local.rules" line was commented out. I am the only admin so no one else could have commented it out. I will leave my mental acuity for another discussion, but I uncommented the line and ran a rule update. I go back into snort.conf and the "include $RULE_PATH/local.rules" is commented out again. The line comments itself out whenever I run a rule update or restart the nsm.
I was making changes in pulledpork.conf to enable state_order, but I commented that out again, with no change in the issue.
I have combed through logs and configs trying to figure out where I screwed up, but I clue free and at the point of reinstalling.
Has anyone run into this before?
I turning on troubleshooting verbosity in pulledpork.pl, but didn't get any clues.
Thanks,
D
Wes
D,
The commenting of that line is likely related to this:
https://github.com/Security-Onion-Solutions/security-onion/issues/1062
I would try looking for errors in /var/log/nsm/[hostname-interface]/snortu-x.log
Are you able to see any recent alerts in Squert or ELSA?
Last, try changing the following line in pulledpork.conf and re-run rule-update to see if that helps:
local_rules=/etc/nsm/rules/local.rules,/etc/nsm/rules/decoder-events.rules,/etc/nsm/rules/stream-events.rules,/etc/nsm/rules/http-events.rules,/etc/nsm/rules/smtp-events.rules
to
local_rules=/etc/nsm/rules/local.rules
Ref: https://github.com/Security-Onion-Solutions/security-onion/issues/1073
Thanks,
Wes
D Pitts
Thanks for getting back to me.
For background, I switched from using Snort to Suricata about a month ago and made the changes noted in the FAQ's. Things went smoothly with the changeover.
I checked the snortu-x log and found no errors.
I am getting alerts from the downloaded rules, but nothing from local.rules. I find the line "include $RULE_PATH/local.rules" in snort.conf and "- local.rules" in suricata both commented out. When I enable one or the other, they re-comment themselves out.
The line change suggested for pulledpork.conf was already in place.
Wes
D,
Since you are now running Suricata, you'll want to try checking /var/log/nsm/[hostname-interface]/suricata.log for errors.
Also, please attach the output of sostat-redacted for the machine, attaching as a text file, or using a service like Pastebin.com.
Thanks,
Wes
D Pitts
Being something of a Pavlovian dog I was still focusing on snort logs. I took a look in the suricata.log and found errors in my rule syntax. Fixing that got the rules to start firing, but I am still confused because local.rules still comments itself out in suricata.yaml and snort.conf. Are the local.rules called from somewhere else?
I included the sostat even though the issue is fixed, in case it is helpful. I can turn up the verbosity in necessary.
Thanks!
D
I found an error in the log and
Wes Lambert
D,
PulledPork 0.7.3 already copies local.rules to downloaded.rules, so it is not necessary to include local.rules in the Snort/Suricata configuration files.
See: https://groups.google.com/d/topic/security-onion/-kedlgAxri8/discussion
Thanks,
Wes
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
D Pitts
Well that answers that question nicely. Thanks!
Can my extraneous rule files still be called out in Snort/Suricata config or do I need to now pile everything into local.rules?
Also, thanks so much to you, Doug and the rest of the folks here for awesome assistance and great a NSM tool! I have learned so much from all the great information here.
D
>
> To post to this group, send email to securit...@googlegroups.com.
Wes
Which rule files are you referring to?
/etc/nsm/rules should be pulled in by Snort/Suricata
Thanks,
Wes
D Pitts
I was under the impression we could put additional xxx.rules files in that directory, call them out in the snort/suri confirm files and they would be applied. Is that incorrect?
D
Wes Lambert
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.