Now, since a major component of Security Onion is its IDS, it's important to know how to manage the rules. To show you the basics of IDS rule management, I'll pull up the Security Onion cheat sheet in a moment and a terminal window connected to our Security Onion manager, and we'll see how to add a rule to /etc/nsm/rules/local.rules, how to view and search downloaded rules in /etc/nsm/rules/downloaded.rules, and how to disable noisy rules in /etc/nsm/pulledpork/disablesid.conf. All right, let's get started.
All right, so I already have my cheat sheet pulled up here. Let me zoom in a little bit. So we have our rule management section right here, in case you ever forget and don't want to pull up my slides or anything like that: it's on the cheat sheet. And we have the location of our downloaded rules, our custom rules, thresholds, disabled rules, modified rules, the pulledpork config, pretty much anything that you could want for IDS rule management, and then also the location of the OSSEC rules and, last, the alert rules.
So with that in mind, I'll keep this guy right over here, just in case I forget. So the first thing I want to do is take a look at adding rules. We want to take a look at /etc/nsm/rules/local.rules, so I'll be lazy and just copy the path from the cheat sheet.
All right, so this is a test rule that I threw in here. It's a fairly simple one, kind of silly if you ask me, but it is what it is. So we have alert tcp any any -> $HOME_NET $HTTP_PORTS: alert on TCP traffic from any source to our home network over the HTTP ports. The message is "I like peaches", so alert when peaches are seen. The reference is our Wikipedia page about peaches, the content that we're looking for is "peach", the flow is to_server, with nocase, a SID that I just made up, and this is revision 1.
So just quit out of there. And after writing this, you want to run sudo rule-update, which reads the local.rules file and basically enables the rule for us. All right, so we have the flying piggy, the PulledPork banner; that should hypothetically have enabled it for us, assuming that I wrote the rule well. No promises on that; it's just something that I made up real quick.
All right, so the next thing that we wanted to take a look at was viewing our downloaded rules. Come back to our cheat sheet: it's /etc/nsm/rules/downloaded.rules. Let's just go to that directory real quick. This is everything that we have here. We want to take a look at downloaded.rules, so let's just cat that file. All right, I don't know about you, but I'm not getting anything out of that. Let's Ctrl-C out of it.
Let's say that hypothetically your manager comes up to you one day and asks, "We know that we're vulnerable to Apache Struts. What rules do we have monitoring that?" So you can come in here, cat our downloaded rules, and pipe that to grep. We'll say search for Apache Struts and see if we can find any. All right, looks like there are a decent few rules that are looking for Apache Struts. Hypothetically, we have decent coverage for alerting on this particular vulnerability, which can be a scary one, because if I recall, this is how Equifax was compromised: through an unpatched Apache Struts vulnerability.
Now let's say you have Security Onion up and running and you are seeing a lot of traffic coming from one rule in particular and you want to disable it. One that I've known to be fairly chatty has a SID of 210…; that is the GPL SNMP public access UDP rule.
So let's come back over to our cheat sheet. We have disabled rules at /etc/nsm/pulledpork/disablesid.conf. So you want to go back one directory. Here we've got pulledpork. You want to look at disablesid.conf. All right, so nothing should be disabled right now except for Suricata, I believe. Everything that we have up here in blue is all commented out, and it is a quick tutorial of quick examples of how you disable rules in here. To disable a specific rule, you do 1, colon, then your rule ID. If you want to do ranges, you can do ranges like that. You're free to comment out anything that you want in here. So it looks like you can do regular expressions as well.
So let's say that you want to remove or disable the rule that I mentioned before. It's fairly easy: you do 1: followed by the SID. Then you check to make sure that I wrote that right. OK. Then sudo rule-update again. And once this finishes running, you should be good to go. We should be monitoring for peaches now, and we should no longer be looking for this particular rule that we don't care to be monitoring for anymore.
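As an added example, not code from the video or from the Security Onion project, here are small POSIX sh helpers for the three tasks just walked through: appending a custom rule to local.rules, counting which enabled downloaded rules cover a keyword, and writing a disablesid.conf entry in pulledpork's gid:sid syntax. The function names are mine, the file paths follow the cheat-sheet layout (/etc/nsm/rules/local.rules, /etc/nsm/rules/downloaded.rules, /etc/nsm/pulledpork/disablesid.conf), and the sample rule lines, SIDs and Wikipedia reference URL in the demo are constructed placeholders. The helpers take the file path as their first argument so they can be exercised against a scratch directory without touching a live manager; on a real manager you would still run sudo rule-update afterwards.

```shell
#!/bin/sh
# Added example: POSIX sh helpers for the three rule-management tasks in
# the walkthrough. Not code from the video or from Security Onion itself.
# Assumed layout (from the cheat sheet): /etc/nsm/rules/local.rules,
# /etc/nsm/rules/downloaded.rules, /etc/nsm/pulledpork/disablesid.conf.
# Changes only take effect after `sudo rule-update` on the manager.

# Append one rule to local.rules. Refuses a rule with no sid, a sid below
# 1000000 (the range reserved for local/custom rules), or a sid that is
# already in the file, so two custom rules never collide on the same id.
so_add_local_rule() {
    rules_file=$1
    rule=$2
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$sid" ] || { echo "rule has no sid option" >&2; return 1; }
    [ "$sid" -ge 1000000 ] || { echo "sid $sid is below the local range" >&2; return 1; }
    if [ -f "$rules_file" ] && grep -q "sid:[[:space:]]*$sid;" "$rules_file"; then
        echo "sid $sid is already in $rules_file" >&2
        return 1
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

# The "cat downloaded.rules | grep" step: count enabled rules whose text
# matches a pattern, case-insensitively. Lines pulledpork has commented
# out with '#' are disabled rules and do not count as coverage.
so_count_rules_matching() {
    grep -v '^[[:space:]]*#' "$1" | grep -ic -- "$2" || true
}

# Write a disablesid.conf entry for one sid ("2100000") or a range
# ("1000000-1000010") in the gid:sid form pulledpork expects: 1:SID for a
# single rule, 1:LOW-1:HIGH for a range. Re-running it does not duplicate.
so_disable_sid() {
    conf=$1
    spec=$2
    case $spec in
        ''|*[!0-9-]*|-*|*-|*-*-*) echo "bad sid spec: $spec" >&2; return 1 ;;
        *-*) entry="1:${spec%-*}-1:${spec#*-}" ;;
        *)   entry="1:$spec" ;;
    esac
    [ -f "$conf" ] && grep -qx -- "$entry" "$conf" && return 0
    printf '%s\n' "$entry" >> "$conf"
}

# Walk through all three tasks on a scratch copy of the directory tree.
# The rule lines below are constructed samples, not real downloaded.rules
# content; the sids and the reference URL are placeholders.
so_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/rules" "$base/pulledpork"
    cat > "$base/rules/downloaded.rules" <<'EOF'
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Struts sample A"; content:"struts"; sid:2000001; rev:1;)
# alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Struts sample B"; content:"struts"; sid:2000002; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; sid:2100000; rev:1;)
EOF
    # The peaches rule from the walkthrough, with a placeholder sid.
    so_add_local_rule "$base/rules/local.rules" \
        'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"I like peaches"; reference:url,en.wikipedia.org/wiki/Peach; flow:to_server; content:"peach"; nocase; sid:1000001; rev:1;)'
    echo "enabled Apache Struts rules: $(so_count_rules_matching "$base/rules/downloaded.rules" 'apache struts')"
    so_disable_sid "$base/pulledpork/disablesid.conf" 2100000
    echo "disablesid.conf now contains: $(cat "$base/pulledpork/disablesid.conf")"
    echo "next step on a real manager: sudo rule-update"
    rm -rf "$base"
}
```

Source the file and call so_demo to see the three steps against throwaway files; the commented-out sample B is deliberately excluded from the coverage count, because a rule pulledpork has disabled is still present in downloaded.rules but will never fire.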
So that's a quick overview of working with IDS rules.