Assuming you have Internet access, Security Onion will automatically update your NIDS rules on a daily basis. If you need to manually update your rules, you can run the following on your manager node:
sudo so-rule-update
If you have a distributed deployment and you update the rules on your manager node, then those rules will automatically replicate from the manager node to your sensors within 15 minutes. If you don't want to wait 15 minutes, you can force the sensors to update immediately by running the following command on your manager node:
sudo salt \* state.highstate
You can modify your rule configuration by going to Administration --> Configuration --> idstools.

Security Onion offers the following choices for rulesets to be used by Suricata.

ET Open
- optimized for Suricata
- free
https://rules.emergingthreats.net/open/

ET Pro
- optimized for Suricata
- rules retrievable as released
- license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)
https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Snort Community
- NOT optimized for Suricata
- community-contributed rules
- free
https://www.snort.org/downloads/#rule-downloads
https://www.snort.org/faq/what-are-community-rules

Snort Registered
- NOT optimized for Suricata
- Snort SO (Shared Object) rules do NOT work with Suricata
- same rules as the Snort Subscriber ruleset, except rules are only retrievable 30 days after release
- free
Since Shared Object rules won't work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+' as described in the Managing Alerts section.
https://www.snort.org/downloads/#rule-downloads
https://snort.org/documents/registered-vs-subscriber

Snort Subscriber
- NOT optimized for Suricata
- Snort SO (Shared Object) rules do NOT work with Suricata
- rules retrievable as released
- license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)
Since Shared Object rules won't work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+' as described in the Managing Alerts section.
https://www.snort.org/downloads/#rule-downloads
https://snort.org/documents/registered-vs-subscriber

Other rulesets
- not officially managed/supported by Security Onion
- license fee may or may not apply
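To show what a disable entry such as 're:soid [0-9]+' actually does to a rule file, here is an added Python example. It is not Security Onion's or idstools' own code: it models the three idstools-style disable entry forms (a plain sid, gid:sid, and re:<regex>) with its own parser, runs them over a constructed rule file whose SO stub line carries the "engine shared, soid N|M" metadata that Shared Object stubs contain, and comments out every rule that matches. The SIDs, rule text, the case-insensitive regex search and the "comment out with '# '" convention are all assumptions made for the example.

```python
import re

# Constructed sample rules (hypothetical SIDs, not real ET/Snort rules). The SO
# stub line mimics the "engine shared, soid N|M" metadata that Snort Shared
# Object stubs carry, which is what the page's 're:soid [0-9]+' pattern targets.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED SMB test"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED SO stub"; metadata:engine shared, soid 3|9000002; sid:9000002; rev:1;)
# a comment line is passed through untouched
alert udp any any -> any 53 (msg:"CONSTRUCTED DNS test"; sid:9000003; rev:2;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED HTTP test"; gid:1; sid:9000004; rev:1;)
"""

# Constructed disable list in the three entry forms idstools-style disable files
# use. Parsing them below is this example's own logic, not Security Onion's.
DISABLE_ENTRIES = [
    "9000003",          # disable one rule by sid (gid defaults to 1)
    "1:9000004",        # disable by gid:sid
    "re:soid [0-9]+",   # regex from the page: disable Shared Object stub rules
]

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_ids(rule_line):
    """Return (gid, sid) for a rule line, or None if it has no sid.

    gid defaults to 1 when the rule does not state one.
    """
    m = SID_RE.search(rule_line)
    if not m:
        return None
    g = GID_RE.search(rule_line)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def compile_disables(entries):
    """Turn disable entries into (set of (gid, sid), list of compiled regexes)."""
    ids = set()
    regexes = []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()   # allow trailing '# comment'
        if not entry:
            continue
        if entry.startswith("re:"):
            # Assumption: the regex is searched case-insensitively over the
            # whole rule line, so 'soid [0-9]+' hits the SO stub metadata.
            regexes.append(re.compile(entry[3:].strip(), re.IGNORECASE))
        elif ":" in entry:
            gid, sid = entry.split(":", 1)
            ids.add((int(gid), int(sid)))
        else:
            ids.add((1, int(entry)))
    return ids, regexes


def apply_disables(rules_text, entries):
    """Comment out matching rules; return (new_text, set of disabled sids)."""
    ids, regexes = compile_disables(entries)
    out_lines = []
    disabled = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        key = parse_ids(stripped)
        # Blank lines, comments and anything without a sid pass through as-is.
        if not stripped or stripped.startswith("#") or key is None:
            out_lines.append(line)
            continue
        if key in ids or any(r.search(stripped) for r in regexes):
            disabled.add(key[1])
            out_lines.append("# " + line)
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", disabled


if __name__ == "__main__":
    text, sids = apply_disables(SAMPLE_RULES, DISABLE_ENTRIES)
    print(text)
    print("disabled SIDs:", sorted(sids))
```

Running the block comments out the SO stub (matched by the regex) together with the two rules named by sid and gid:sid, and leaves the first rule and the comment line alone; the returned set of disabled SIDs is what you would compare against your own disable list when checking that a pattern like 're:soid [0-9]+' did not silently catch more than the Shared Object stubs.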