Offline Setup & Rule Updates


Chris Johanson

May 28, 2020, 4:08:04 PM5/28/20
to security-onion
I have a problem I have been attempting to solve on my own for some time. I am attempting to install & configure Security Onion in a completely offline state. This is due to government systems and security reasons. I have reviewed many previous posts about this topic and have even looked at https://github.com/bryant-treacle/securityonion-airgap, and a few other options. I have figured out how to update Suricata rules offline, but I am still running into issues with the following.

- ip2c updates 
- Geo IP Data
- Wazuh Rules
- Any other rules or data I might be missing


Bryant Treacle

Jun 15, 2020, 3:05:27 PM6/15/20
to security-onion
Chris,  

Thanks for reaching out.

- ip2c updates - This one is a little tricky.  Sguil collects the geo IP data via a Tcl script that downloads the data via FTP and then puts it in the Sguil database. The script that does that is located below:

        /var/www/so/squert/.scripts/ip2c.tcl

    If you wanted to do it without modifying the script, you could set up an FTP server on the air-gapped network with the updated files and create DNS records that will resolve the below sites to that server.

        set site1 "AFRINIC ftp://ftp.afrinic.net/pub/stats/afrinic/ delegated-afrinic-extended-latest"
        set site2 "APNIC ftp://ftp.apnic.net/pub/stats/apnic/ delegated-apnic-extended-latest"
        set site3 "ARIN ftp://ftp.arin.net/pub/stats/arin/ delegated-arin-extended-latest"
        set site4 "LACNIC ftp://ftp.lacnic.net/pub/stats/lacnic/ delegated-lacnic-extended-latest"
        set site5 "RIPE ftp://ftp.ripe.net/ripe/stats/ delegated-ripencc-extended-latest"

- Geo IP Data - The Geo IP data for Elasticsearch is stored in the so-elasticsearch Docker container and is updated when we build a new Docker container.  You can utilize the so-airgap-update script provided at https://github.com/bryant-treacle/securityonion-airgap to ensure you have the most up-to-date Elasticsearch container.  If you would like to update the databases manually, these links should get you started.


- Wazuh Rules - You can check for updated rules by going to https://github.com/wazuh/wazuh-ruleset.  Make sure that you choose the branch that corresponds with the version of Wazuh you are running.  Download these rules and place them in the /var/ossec/rules directory.  Then restart the hids service.
 
Hope this helps.

Bryant 
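The delegated-*-extended-latest files that ip2c.tcl fetches use the RIR statistics exchange format (pipe-separated records, a version line whose fourth field declares the record count, and per-family summary lines). Before dropping hand-carried copies onto the air-gapped FTP mirror, it is worth checking that each file is complete and parses into usable IP-to-country ranges. The following parser and checker is an added example written for this thread, not code from Security Onion or from the poster; the sample records are constructed, not taken from a real file.

```python
"""Parse and sanity-check an RIR delegated-extended file offline (added example)."""
import ipaddress

# Constructed sample in the RIR statistics exchange format (not a real file).
SAMPLE = """\
# comment line
2|apnic|20200528|4|19830101|20200527|+1000
apnic|*|ipv4|*|2|summary
apnic|*|ipv6|*|1|summary
apnic|*|asn|*|1|summary
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned|A91872ED
apnic|CN|ipv4|1.0.1.0|768|20110414|allocated|A92E1062
apnic|JP|ipv6|2001:200::|35|19990813|allocated|A05B2D6D
apnic|JP|asn|2500|1|19901231|allocated|A0E0C2F0
"""


def parse_delegated(text):
    """Return (declared_count, parsed_count, [(network, cc), ...]).

    ipv4 records carry a start address and an address *count* (not always a
    power of two, hence summarize_address_range); ipv6 records carry a prefix
    length; asn records are counted but yield no network.
    """
    declared, parsed, ranges = None, 0, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if declared is None and fields[0].isdigit():  # version line
            declared = int(fields[3])
            continue
        if fields[-1] == "summary":
            continue
        parsed += 1
        _registry, cc, family, start, value = fields[:5]
        if family == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            ranges.extend((net, cc) for net in
                          ipaddress.summarize_address_range(first, last))
        elif family == "ipv6":
            ranges.append((ipaddress.ip_network(f"{start}/{value}"), cc))
    return declared, parsed, ranges


def file_is_complete(text):
    """True when the version line's record count matches what was parsed."""
    declared, parsed, _ = parse_delegated(text)
    return declared is not None and declared == parsed


def lookup(ranges, ip):
    """Country code for ip from the parsed ranges, longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, cc) for net, cc in ranges if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
```

A truncated copy (declared count higher than parsed) fails file_is_complete, which is the case you most want to catch before Sguil silently imports a partial table.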