Security Onion ruleset tuning

./chrisrpetrie
3 min readMar 21, 2022

If you’ve ever worked with a NIDS product you’ll know how noisy it can be when first installed. Mostly this is down to rules firing when they shouldn’t. Often the alerts that fire are just “normal” for our environment, and we need to tell the NIDS this.

This is a short tutorial on tuning Security Onion’s ruleset.

I’ve got a couple of rules I'd like to tune that are causing lots of alerts and giving the analysts (aka me) alert fatigue.

Tune using SID

Find the rule we need to tune in the SO alerts.
In this example I am going to tune out some ICMP alerts that have been triggering a lot. In the alerts I could see the rule UUID (its SID) is 2100366.

SO alerts - the UUID is on the right

SSH into the SO manager.

To check the rule:
grep 2100366 all.rules

Checking the rule within the rulebase

We can verify this is the correct rule as it matches what is in SO.
To disable it, run the following command:

sudo so-rule disabled add 2100366 (adds the rule matching this SID to the disabled list)

Adding the rule to the disabled list using so-rule

We will grep again to ensure the rule is indeed disabled (shown by a # in front of the rule).

Disabled rule

Tune using Regular Expression

In this example I am going to tune out STUN rules using a regex instead of a UUID.

Grep for lines in all.rules matching “STUN”:

grep STUN all.rules

Grep for STUN rules

Then to disable these rules, type the following:

sudo so-rule disabled add 're:STUN'

Disabling STUN rules using regex

Grep again and we can now see the STUN rules are disabled (see the # in front of each rule):

grep STUN all.rules

grepping for STUN rules that are disabled
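Both sections above end with the same verification step: grep all.rules for a SID or a keyword and read a leading # as "disabled". The script below is an added example, not code from this post or from the Security Onion project. It builds a constructed stand-in for all.rules (sid 2100366 is the post's ICMP rule; the STUN and SSH sids and all msg texts are made up), then performs that check in a reusable way. The function names make_sample_rules, rule_state, count_state and comment_out are mine. comment_out only imitates the visible effect seen in the final grep; so-rule is not run here because it needs an SO manager and manages the disabled list itself.

```shell
#!/bin/sh
# Added example, not from the post or the Security Onion project. It builds a
# constructed stand-in for all.rules and shows the check the post performs
# after tuning: grep for a SID or a regex, and read a leading '#' as "disabled".
set -eu

# make_sample_rules FILE: write four constructed rules. sid 2100366 is the
# ICMP rule from the post; the STUN/SSH sids and all msg texts are made up.
make_sample_rules() {
  cat > "$1" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP echo request"; itype:8; sid:2100366; rev:1;)
alert udp any any -> any 3478 (msg:"EXAMPLE STUN Binding Request"; sid:9000001; rev:1;)
alert udp any any -> any 3478 (msg:"EXAMPLE STUN Binding Response"; sid:9000002; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE SSH session"; sid:9000003; rev:1;)
EOF
}

# rule_state PATTERN FILE: one line per matching rule, "<sid> enabled|disabled".
# A leading '#' is exactly what the post looks for after so-rule has run.
rule_state() {
  grep -E -- "$1" "$2" | while IFS= read -r line; do
    sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p')
    case $line in
      '#'*) printf '%s disabled\n' "$sid" ;;
      *)    printf '%s enabled\n' "$sid" ;;
    esac
  done
}

# count_state PATTERN STATE FILE: how many rules matching PATTERN are in STATE.
# Useful as a sanity check that a regex did not catch more rules than intended.
count_state() {
  rule_state "$1" "$3" | grep -c " $2\$" || true
}

# comment_out PATTERN FILE: prefix every matching, not-yet-commented rule with
# '# '. This only reproduces the visible effect shown in the post; so-rule
# keeps a disabled list on the manager and regenerates all.rules from it.
comment_out() {
  tmp=$(mktemp)
  awk -v pat="$1" '/^#/ { print; next } $0 ~ pat { print "# " $0; next } { print }' "$2" > "$tmp"
  mv "$tmp" "$2"
}

# Walk-through mirroring the post: check, "disable", check again.
DEMO=$(mktemp)
make_sample_rules "$DEMO"
echo "before:"; rule_state 2100366 "$DEMO"; rule_state STUN "$DEMO"
comment_out 2100366 "$DEMO"
comment_out STUN "$DEMO"
echo "after:";  rule_state 2100366 "$DEMO"; rule_state STUN "$DEMO"
rm -f "$DEMO"
```

Run it as a plain POSIX shell script; count_state with the SSH pattern afterwards confirms the STUN regex left unrelated rules enabled, which is the check worth doing before committing a broad 're:' pattern on a real manager.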


Cybersecurity Engineer. CISSP | GICSP | CEH | Systems Integration. Aberdeen, UK