9.4 IDS Rules Management

00:02

now, since a major component of security onion is its I. D s. It's important to know how to manage the rules

00:09

to show you the basics of I. D s rule management. I'll pull up the security onion cheat sheet in the moment and a terminal window Turk to our security onion manager,

00:19

and we'll see how to add a rule to at CNS um, rules local dot rules How to have You and search downloaded rules in etc. N sm rules downloaded dot rules and how to disable noisy rules and etc. Sm pulled pork

00:37

disabled

00:38

s i d dot com Alright, let's get started.

00:46

All right, so I already have my cheat cheat pull up here at zoomed in zoom in a little bit

00:55

So we have our rule management section right here

00:59

in case you ever forget and don't want to pull up my slides or anything like that stoking apart, cheat, cheat And we have the location of our downloaded rules or custom rules thresholds, disabled rules, modified rules, pulled pork con for

01:14

pretty much anything that you could want to do for ideas, rule management and then also the location of Roos SEC rules and a last alert rules.

01:23

So with that in mind,

01:26

move

01:27

this guy right over here,

01:32

just in case I forget. Well, I'm

01:34

showing.

01:37

So the first thing I want to do is

01:42

let's take a look at adding rules.

01:46

So we want to take a look at

01:49

custom rules

01:52

be lazy. And this Copy it.

01:57

Well, it's actually

02:07

all right. So this is, uh,

02:09

test rule that I threw in here.

02:13

It's ah, fairly simple one. That's kind of silly, if you ask me, but

02:19

it is what it is. So we have alert TCP any any to our home network over http ports The message. I like peaches so alert when peaches are seen. The reference to our Wikipedia page about peaches

02:36

and the content that we're looking for is peach,

02:39

the flow to server with no case and, uh,

02:43

s I d that I just made up.

02:45

And this is revision one.

02:52

So just quit out of there. And after running this,

02:55

you want to do sudo rule

03:00

update,

03:04

and this will,

03:07

uh,

03:09

read the local that rules file and

03:15

basically enable it for us.

03:19

All right, so we have the flying piggy,

03:22

and

03:23

that should hypothetically have

03:25

enabled it for us. Assuming that I wrote the rule well,

03:30

no promises on that. It's just something that I made up real quick.

03:32

All right, so the next thing that we wanted to take a look at was viewing are downloaded rules.

03:39

Come back to our cheat, cheat. It's etc. Ns, um rules demoted rules.

03:46

Let's just go to that directorial quick.

03:53

Okay,

03:55

There you go.

03:58

This is everything that we have here. We want to take a look at demoted rules,

04:01

so let's just kept that file,

04:09

all right. I don't know about you, but I'm not getting any of that. Let's control see out of that.

04:15

So

04:17

let's say that hypothetically, your manager comes up to you one day and asks,

04:23

Are we?

04:25

We know that we're vulnerable to the Apache struts.

04:30

Vulnerability?

04:31

What rules do we have?

04:34

Ah, monitoring that.

04:38

So he can come in here.

04:40

He can say

04:41

cat

04:46

downloaded our rules and we want to grab her pipe to grab. Will say,

04:58

search for Apaches threats. See if we can find.

05:05

All right. Looks like there are

05:09

a decent few rules that air looking for Apache stretch ETS.

05:15

So

05:16

hypothetically, we have decent coverage for alerting for this particular particular vulnerability,

05:24

which can be a scary one. Because if I recall, this is how equal fax was compromised through Ah, unpatched Apaches. Threats, vulnerability.

05:36

Now let's say that

05:40

you have security up security, onion up and running and you

05:45

are seeing a lot of traffic coming from one rule in particular and you want to disable it? One that I've known to be fairly chatty

05:57

is

06:00

Has the society of 210

06:05

one poor 11

06:10

Yeah,

06:11

that is the GPL s an MP public access you d p.

06:17

So it's come back over to Archie Cheat.

06:20

We have disabled the rules,

06:24

so we want to edit

06:26

at CNN sm pulled pork disable s i d dot com.

06:30

So you want to go back? One directory?

06:34

Hey, I've got a pulled pork.

06:40

You want to look at this abled Assaidi?

06:50

All right, so nothing should be disabled right now

06:56

except four or Sir Kata, I believe

07:00

everything that we have a PPE here in blue. This is all commented out and it is a quick tutorial of quick examples of

07:11

how you disabled the rules in here.

07:14

So if you want to

07:15

disable a specific rule.

07:19

You do one colon, then your rule. I d If you want to do ranges, you conduce. Ooh, ranges like that.

07:28

Uh, you're free to comment out anything that you want in here.

07:33

So it looks like you can do regular expressions as well.

07:41

So let's say that you want to

07:49

remove or disabled the rule that I mentioned before. It's fairly easy. You do one

07:57

colon.

07:59

I dig it.

08:05

2101411

08:11

Then you check. Make sure that I wrote that, right. Okay.

08:16

All right, Quit,

08:24

then. Pseudo rule update again.

08:33

And once this finishes running, you

08:37

should be good to go. We should be monitoring for Peaches now. And

08:41

we should no longer be

08:45

looking for this particular rule that we don't care to be monitoring for anymore.

08:50

And that is Ah,