rule-update: disable noisy Suricata events if Setup hasn't already #1153

Closed
dougburks opened this Issue Oct 24, 2017 · 3 comments

@dougburks
Contributor

dougburks commented Oct 24, 2017

On 3/14/2016, we released securityonion-setup - 20120912-0ubuntu0securityonion201:
http://blog.securityonion.net/2016/03/securityonion-setup-20120912.html

This version of Setup disabled noisy Suricata events by appending the following to /etc/nsm/pulledpork/disablesid.conf:

# Added by Security Onion Setup
stream-events
pcre:SURICATA\ ICMPv6

However, this was only for new installations that occurred after 3/14/2016. Older installations that had run Setup before that date did not have these entries in disablesid.conf.

On 10/23/2017, we released securityonion-rule-update - 20151201-1ubuntu1securityonion11:
http://blog.securityonion.net/2017/10/securityonion-rule-update-20151201.html

This update re-enabled Suricata events rules. From #1141:

If you run Setup and choose Snort, it disables the Suricata events rules. If you then switch from Snort to Suricata, those Suricata events rules are still disabled. rule-update needs to enable these rules if necessary.

The net effect of all this is that older installations with Setup run before 3/14/2016 did not have the entries in disablesid.conf and now all of a sudden enabled all of the noisy Suricata events. rule-update needs to disable these noisy Suricata events if Setup hasn't already. We can most likely just copy the code from sosetup that does this:

# Disable noisy Suricata rules
if ! grep "Security Onion Setup" /etc/nsm/pulledpork/disablesid.conf >/dev/null 2>&1; then
cat << EOF >> /etc/nsm/pulledpork/disablesid.conf

# Added by Security Onion Setup
stream-events
pcre:SURICATA\ ICMPv6
EOF
fi

@dougburks dougburks changed the title from rule-update: disable noisy suricata events if Setup hasn't already to rule-update: disable noisy Suricata events if Setup hasn't already Oct 24, 2017
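An added example, not the sosetup or rule-update code itself, that wraps the marker check from the issue in a function rule-update could call on every run: the config path is a parameter, the heredoc delimiter is quoted so the backslash in the pcre entry is written verbatim, and the pre-existing file content in the demo is constructed.

```shell
#!/bin/sh
# Marker Setup writes before its disablesid.conf entries; the check keys on it,
# so running after Setup, or running twice, appends nothing.
MARKER="Security Onion Setup"

# ensure_suricata_noise_disabled <path-to-disablesid.conf>
# Appends the stream-events / ICMPv6 disable entries once, idempotently.
# A missing file counts as "marker absent" and is created, as in sosetup.
ensure_suricata_noise_disabled() {
    conf="$1"
    if ! grep -qF "$MARKER" "$conf" 2>/dev/null; then
        # 'EOF' is quoted: no expansion, so pcre:SURICATA\ ICMPv6 lands verbatim.
        cat << 'EOF' >> "$conf"

# Added by Security Onion Setup
stream-events
pcre:SURICATA\ ICMPv6
EOF
    fi
}

# count_marker <path>: number of marker lines present (1 means no duplication;
# prints 0 when the file does not exist).
count_marker() {
    n=$(grep -cF "$MARKER" "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Demo on a constructed copy of an older installation's disablesid.conf.
demo_conf=$(mktemp)
printf '# constructed: existing local entry\n1:1000001\n' > "$demo_conf"
ensure_suricata_noise_disabled "$demo_conf"
ensure_suricata_noise_disabled "$demo_conf"   # second run is a no-op
echo "marker lines after two runs: $(count_marker "$demo_conf")"
cat "$demo_conf"
rm -f "$demo_conf"
```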

@dougburks dougburks closed this Oct 25, 2017
