Offline Setup & Rule Updates

[Chris Johanson]

I have a problem I have been attempting to solve on my own for some time. I am attempting to install & configure Security Onion in a completely offline state. This is due to government systems at security reasons. I have reviewed many previous post about this topic and have even looked at https://github.com/bryant-treacle/securityonion-airgap, and a few other options. I have figured out how to update Suricata rules offline, but I am still running into issues with the following.

- ip2c updates 

- Geo IP Data

- Wazuh Rules

- Any other rules or data I might be missing

[Bryant Treacle]

Chris,  

Thanks for reaching out.

- ip2c updates - This one is a little tricky.  Sguil collects the geo ip data via a tcl script that downloads the data via ftp and then puts it in the sguil database. The script that does that is located below:

 

        /var/www/so/squert/.scripts/ip2c.tcl.

    If you wanted to do it without modifying the script you could set up a ftp server on the airgaped network with the updated files and create dns records that will resolve the below sites to that server. 

       set site1 "AFRINIC ftp://ftp.afrinic.net/pub/stats/afrinic/ delegated-afrinic-extended-latest"

       set site2 "APNIC ftp://ftp.apnic.net/pub/stats/apnic/ delegated-apnic-extended-latest"

       set site3 "ARIN ftp://ftp.arin.net/pub/stats/arin/ delegated-arin-extended-latest"

       set site4 "LACNIC ftp://ftp.lacnic.net/pub/stats/lacnic/ delegated-lacnic-extended-latest"

       set site5 "RIPE ftp://ftp.ripe.net/ripe/stats/ delegated-ripencc-extended-latest" 

- Geo IP Data -  The Geo IP data for Elasticsearch is stored in the so-elasticsearch docker container and is updated when we build a new docker container.  You can utilize the so-airgap-update script provided at https://github.com/bryant-treacle/securityonion-airgap to ensure you have the most up-to-date elasticsearch container.  If you would like to update the databases manually, these links should get you started.  

    

      Elastic Ingest (AKA logstash_minimal):  https://www.elastic.co/guide/en/elasticsearch/reference/6.8/geoip-processor.html#using-ingest-geoip 

      Logstash plugin : https://www.elastic.co/guide/en/logstash/6.8/plugins-filters-geoip.html

- Wazuh Rules - You can check for updated rules by going to https://github.com/wazuh/wazuh-ruleset.  Make sure that you choose the branch that corresponds with the version of Wazuh you are running.  Download theses rules and place them in the /var/ossec/rules directory.  Then restart the hids service.

 

Hope this helps.

Bryant