Security Onion ruleset tuning
If you've ever worked with a NIDS product you'll know how noisy it can be when first installed. Mostly this is down to rules firing when they shouldn't, or on traffic that is simply "normal" for the environment; either way, we need to tell the NIDS that.
This is a short tutorial on tuning Security Onion's ruleset.
I've got a couple of rules I'd like to tune that are generating lots of alerts and causing the analysts (aka me) alert fatigue.
Tune using SID
Find the rule we need to tune in the SO alerts.
In this example I am going to tune out some ICMP alerts that have been triggering a lot. In the alerts I could see the rule SID is 2100366.
SSH into the SO manager
To check the rule, grep all.rules for that SID:
grep 2100366 all.rules
We can verify this is the correct rule because it matches what is shown in SO.
To disable it, run the following command (adds the rule with this SID to the disabled list):
sudo so-rule disabled add 2100366
Grep again to confirm the rule is indeed disabled (shown by a # in front of the rule).
Tune using Regular Expression
In this example I am going to tune out the STUN rules using a regex instead of a SID.
Grep all.rules for rules matching "STUN":
grep STUN all.rules
Then, to disable all of these rules at once, type the following:
sudo so-rule disabled add 're:STUN'
Grep again and we can now see the STUN rules are disabled (see the # in front of each rule):
grep STUN all.rules
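The "grep again" verification step from both sections above can be automated. The following is an added example, not part of the original post and not part of so-rule: a POSIX shell check that, given a SID or a regex, lists each matching rule and whether it carries the disabling # prefix, and exits non-zero if any match is still live. The rule text and the 900000x SIDs are constructed stand-ins; the location of the real all.rules is assumed to be passed in as the first argument.

```shell
#!/bin/sh
# Added example (not Security Onion's own tooling): verify that every rule
# matching a SID or regex is commented out the way so-rule leaves it.

# Constructed stand-in for all.rules. Only the layout matters here:
# Security Onion marks a disabled rule by prefixing the line with '#'.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
#alert icmp any any -> any any (msg:"SAMPLE ICMP ping"; itype:8; classtype:misc-activity; sid:2100366; rev:1;)
alert udp any any -> any 3478 (msg:"SAMPLE STUN Binding Request"; content:"|00 01|"; depth:2; classtype:policy-violation; sid:9000001; rev:1;)
#alert udp any any -> any 3478 (msg:"SAMPLE STUN Binding Response"; content:"|01 01|"; depth:2; classtype:policy-violation; sid:9000002; rev:1;)
alert tcp any any -> any 22 (msg:"SAMPLE SSH banner"; content:"SSH-"; depth:4; classtype:misc-activity; sid:9000003; rev:1;)
EOF

# check_disabled RULES_FILE PATTERN
# PATTERN is an extended regex, so a bare SID (2100366) or a keyword (STUN)
# both work, matching the same lines "grep PATTERN all.rules" would show.
# Prints one line per matching rule with its state.
# Exit status: 0 = every match disabled, 1 = at least one still enabled,
#              2 = nothing matched (typo in the SID/regex, or wrong file).
check_disabled() {
  rules_file=$1
  pattern=$2
  matched=0
  enabled=0
  # Commented-out lines are kept on purpose so they can be reported as DISABLED.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    matched=$((matched + 1))
    sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p')
    case $line in
      \#*) printf 'DISABLED sid:%s\n' "$sid" ;;
      *)   printf 'ENABLED  sid:%s\n' "$sid"; enabled=$((enabled + 1)) ;;
    esac
  done <<EOF
$(grep -E -- "$pattern" "$rules_file" || true)
EOF
  if [ "$matched" -eq 0 ]; then
    echo "no rule matches '$pattern' in $rules_file"
    return 2
  fi
  if [ "$enabled" -gt 0 ]; then
    return 1
  fi
  return 0
}

# Demonstration on the constructed file: the ICMP SID is fully disabled,
# but one of the two STUN rules is still live, so the second call fails.
check_disabled "$SAMPLE_RULES" 2100366
check_disabled "$SAMPLE_RULES" STUN || echo "STUN rules still need tuning"
```

On a real manager, run it as check_disabled /path/to/all.rules 're-or-sid' after so-rule has finished; a non-zero exit is your cue that the ruleset has not yet been regenerated or the pattern did not match what you expected.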