This repository was archived by the owner on Apr 16, 2021. It is now read-only.

PostInstallation

weslambert edited this page Jun 15, 2016 · 47 revisions

Verify services are running:
sudo service nsm status

If any services are not running, try starting them:
sudo service nsm start

Tuning / Miscellaneous

  • Are you monitoring network traffic that has VLAN tags? If so, take a look at our VLAN page.
  • If you’re monitoring IP address ranges other than private RFC1918 address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12), you should update your sensor configuration with the correct IP ranges. Sensor configuration files can be found in `/etc/nsm/$HOSTNAME-$INTERFACE/`. Modify either `snort.conf` or `suricata.yaml` (depending on which IDS engine you chose during `sosetup`) and update the `HOME_NET` variable. You may also want to consider updating the `EXTERNAL_NET` variable. Also update the `home_nets` variable in `prads.conf`. Then update Bro’s network configuration in `/opt/bro/etc/networks.cfg`. Restart the sensor processes:
    sudo nsm_sensor_ps-restart
    1. If you have Internet access, create an IDS alert by typing the following at a terminal:
      curl http://testmyids.com
    2. As of securityonion-setup - 20120912-0ubuntu0securityonion201, Setup now defaults to only opening port 22 in the firewall. If you need to connect OSSEC agents, syslog devices, or analyst VMs, you can run the new `so-allow` utility which will walk you through creating firewall rules to allow these devices to connect. For more information, please see the [firewall](Firewall) page.
    3. Full-time analysts should install Security Onion in a VM on their workstation (run through the Ubuntu installer, but do not run our Setup wizard). This gives you a local copy of Wireshark, NetworkMiner, and our customized Sguil client. Launch the Sguil client and connect to the IP/hostname of your production Sguil sensor (you may need to run so-allow as described in the previous step). This allows you to investigate pcaps without fear of impacting your production server/sensors. To change the resolution of your Security Onion VM, install the Virtual Tools for your virtualization solution or use xrandr. For a list of available screen resolutions, simply execute “xrandr”. To set the screen resolution (replace W and H with the actual Width and Height desired):
      xrandr -s WxH
    4. Log in to Sguil and review your IDS alerts. Squert and ELSA can be accessed by visiting https://server/ for additional in-depth analysis.
    5. Run the following to see how your sensor is coping with the load. You should check this on a daily basis to make sure your sensor is not dropping packets. Consider adding it to a cronjob and having it emailed to you (see the “configure email” link below).
      sudo sostat | less
    6. Please note that any IDS/NSM system needs to be tuned for the network it’s monitoring. Please see [ManagingAlerts](ManagingAlerts). You should only run the signatures you really care about.
    7. Also note that you should be looking at and categorizing events every day, with the goal of categorizing all events each day. Even if you don’t use the Sguil console for your primary analysis, you need to log into it periodically and press F8 on old events to keep the real-time queue from getting too big. Neglecting to do so will result in database/Sguil issues as the number of uncategorized events continues to increase daily. Please see the Sguil client page on NSMwiki.
    8. On the server running the Sguil database, set the `DAYSTOKEEP` variable in `/etc/nsm/securityonion.conf` to however many days you want to keep in your archive. The default is 30, but you may need to adjust it based on your organization’s detection/response policy and your available disk space.
    9. If you enabled [http_agent](http_agent), you should tune it using http_agent.conf. If you're running ELSA, you already have all the Bro HTTP logs available there, so you might want to disable http_agent to avoid duplicating those logs in the Sguil database:
      # Terminate the running http_agent
      sudo nsm_sensor_ps-stop --only-http-agent
      # Disable http_agent
      sudo sed -i 's|HTTP_AGENT_ENABLED="yes"|HTTP_AGENT_ENABLED="no"|g' /etc/nsm/*/sensor.conf
    10. [Disable any unneeded sensor processes](DisablingProcesses)
    11. Tune the number of PF_RING instances for Snort/Suricata and Bro: [PF_RING](PF_RING)
    12. *Optional:* exclude unnecessary traffic from your monitoring using [BPF](BPF).
    13. *Optional:* add new Sguil user accounts with the following:
      sudo nsm_server_user-add
    14. *Optional*, but highly recommended: configure [Email](email) for alerting and reporting.
    15. *Optional*, but highly recommended: place `/etc` under version control. If your organization doesn't already have a standard version control tool, you can use [bazaar](https://help.ubuntu.com/12.04/serverguide/bazaar.html), [git](http://git-scm.com/) or etckeeper:
      sudo apt-get install etckeeper
    16. *Optional:* need “remote desktop” access to your Security Onion sensor or server? We recommend SSH X-Forwarding as shown above, but if you want something more rdp-like, you can install [FreeNX](https://github.com/Security-Onion-Solutions/security-onion/wiki/FreeNX) or xrdp:
      sudo apt-get install xrdp
      Please note that we do not support FreeNX or xrdp.
    17. Read more about the tools contained in Security Onion: [Tools](Tools)
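For the HOME_NET step in the list above (keeping snort.conf or suricata.yaml, prads.conf and Bro's networks.cfg in agreement), here is an added consistency check that is not part of the Security Onion wiki or project. It assumes the per-file syntax of the upstream default configs, and the sample files and helper function names (`*_home_net`, `check_home_net_consistency`, `make_samples`) are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not part of the Security Onion wiki or project: report drift
# between the HOME_NET ranges declared in snort.conf (or suricata.yaml),
# prads.conf and Bro's networks.cfg. The per-file syntax below is assumed from
# the upstream default configs; the sample files are constructed here, the real
# ones live under /etc/nsm/$HOSTNAME-$INTERFACE/ and /opt/bro/etc/.

# Turn a "[a/8,b/16]" or "a/8, b/16" style list into sorted, one-CIDR-per-line form.
norm_cidrs() {
  tr ',[] \t' '\n\n\n\n\n' | grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' | sort -u
}
# snort.conf:      ipvar HOME_NET [a/8,b/16]
snort_home_net()    { sed -n 's/^ipvar HOME_NET //p' "$1" | norm_cidrs; }
# suricata.yaml:   HOME_NET: "[a/8,b/16]"   (under vars: address-groups:)
suricata_home_net() { sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*//p' "$1" | norm_cidrs; }
# prads.conf:      home_nets = a/8,b/16
prads_home_net()    { sed -n 's/^home_nets[[:space:]]*=[[:space:]]*//p' "$1" | norm_cidrs; }
# networks.cfg:    one "cidr<tab>description" per line, '#' comments allowed
bro_home_net()      { grep -vE '^[[:space:]]*(#|$)' "$1" | awk '{print $1}' | norm_cidrs; }

# Returns 0 when the IDS config, prads.conf and networks.cfg agree, 1 otherwise.
# $1 = IDS config file, $2 = "snort" or "suricata", $3 = prads.conf, $4 = networks.cfg
check_home_net_consistency() {
  local ref
  ref=$("${2}_home_net" "$1")
  [ -n "$ref" ] || { echo "no HOME_NET found in $1"; return 1; }
  [ "$(prads_home_net "$3")" = "$ref" ] || { echo "prads.conf home_nets differs from $1"; return 1; }
  [ "$(bro_home_net "$4")" = "$ref" ]   || { echo "networks.cfg differs from $1"; return 1; }
  echo "HOME_NET consistent across $1, $3 and $4"
}

# Constructed samples: snort.conf and networks.cfg were updated to a public /24,
# but prads.conf was left at the RFC1918 default, so the check must fail.
make_samples() {
  local d
  d=$(mktemp -d)
  printf 'ipvar HOME_NET [203.0.113.0/24,10.0.0.0/8]\nipvar EXTERNAL_NET !$HOME_NET\n' > "$d/snort.conf"
  printf 'home_nets = 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12\n' > "$d/prads.conf"
  printf '# Bro networks.cfg\n10.0.0.0/8\tPrivate\n203.0.113.0/24\tDMZ\n' > "$d/networks.cfg"
  echo "$d"
}
```

Run the check after every HOME_NET change and before `sudo nsm_sensor_ps-restart`; a non-zero exit names the file that was missed.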