Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:02
now, since a major component of security onion is its I. D s. It's important to know how to manage the rules
00:09
to show you the basics of I. D s rule management. I'll pull up the security onion cheat sheet in the moment and a terminal window Turk to our security onion manager,
00:19
and we'll see how to add a rule to at CNS um, rules local dot rules How to have You and search downloaded rules in etc. N sm rules downloaded dot rules and how to disable noisy rules and etc. Sm pulled pork
00:37
disabled
00:38
s i d dot com Alright, let's get started.
00:46
All right, so I already have my cheat cheat pull up here at zoomed in zoom in a little bit
00:55
So we have our rule management section right here
00:59
in case you ever forget and don't want to pull up my slides or anything like that stoking apart, cheat, cheat And we have the location of our downloaded rules or custom rules thresholds, disabled rules, modified rules, pulled pork con for
01:14
pretty much anything that you could want to do for ideas, rule management and then also the location of Roos SEC rules and a last alert rules.
01:23
So with that in mind,
01:26
move
01:27
this guy right over here,
01:32
just in case I forget. Well, I'm
01:34
showing.
01:37
So the first thing I want to do is
01:42
let's take a look at adding rules.
01:46
So we want to take a look at
01:49
custom rules
01:52
be lazy. And this Copy it.
01:57
Well, it's actually
02:07
all right. So this is, uh,
02:09
test rule that I threw in here.
02:13
It's ah, fairly simple one. That's kind of silly, if you ask me, but
02:19
it is what it is. So we have alert TCP any any to our home network over http ports The message. I like peaches so alert when peaches are seen. The reference to our Wikipedia page about peaches
02:36
and the content that we're looking for is peach,
02:39
the flow to server with no case and, uh,
02:43
s I d that I just made up.
02:45
And this is revision one.
02:52
So just quit out of there. And after running this,
02:55
you want to do sudo rule
03:00
update,
03:04
and this will,
03:07
uh,
03:09
read the local that rules file and
03:15
basically enable it for us.
03:19
All right, so we have the flying piggy,
03:22
and
03:23
that should hypothetically have
03:25
enabled it for us. Assuming that I wrote the rule well,
03:30
no promises on that. It's just something that I made up real quick.
03:32
All right, so the next thing that we wanted to take a look at was viewing are downloaded rules.
03:39
Come back to our cheat, cheat. It's etc. Ns, um rules demoted rules.
03:46
Let's just go to that directorial quick.
03:53
Okay,
03:55
There you go.
03:58
This is everything that we have here. We want to take a look at demoted rules,
04:01
so let's just kept that file,
04:09
all right. I don't know about you, but I'm not getting any of that. Let's control see out of that.
04:15
So
04:17
let's say that hypothetically, your manager comes up to you one day and asks,
04:23
Are we?
04:25
We know that we're vulnerable to the Apache struts.
04:30
Vulnerability?
04:31
What rules do we have?
04:34
Ah, monitoring that.
04:38
So he can come in here.
04:40
He can say
04:41
cat
04:46
downloaded our rules and we want to grab her pipe to grab. Will say,
04:58
search for Apaches threats. See if we can find.
05:05
All right. Looks like there are
05:09
a decent few rules that air looking for Apache stretch ETS.
05:15
So
05:16
hypothetically, we have decent coverage for alerting for this particular particular vulnerability,
05:24
which can be a scary one. Because if I recall, this is how equal fax was compromised through Ah, unpatched Apaches. Threats, vulnerability.
05:36
Now let's say that
05:40
you have security up security, onion up and running and you
05:45
are seeing a lot of traffic coming from one rule in particular and you want to disable it? One that I've known to be fairly chatty
05:57
is
06:00
Has the society of 210
06:05
one poor 11
06:10
Yeah,
06:11
that is the GPL s an MP public access you d p.
06:17
So it's come back over to Archie Cheat.
06:20
We have disabled the rules,
06:24
so we want to edit
06:26
at CNN sm pulled pork disable s i d dot com.
06:30
So you want to go back? One directory?
06:34
Hey, I've got a pulled pork.
06:40
You want to look at this abled Assaidi?
06:50
All right, so nothing should be disabled right now
06:56
except four or Sir Kata, I believe
07:00
everything that we have a PPE here in blue. This is all commented out and it is a quick tutorial of quick examples of
07:11
how you disabled the rules in here.
07:14
So if you want to
07:15
disable a specific rule.
07:19
You do one colon, then your rule. I d If you want to do ranges, you conduce. Ooh, ranges like that.
07:28
Uh, you're free to comment out anything that you want in here.
07:33
So it looks like you can do regular expressions as well.
07:41
So let's say that you want to
07:49
remove or disabled the rule that I mentioned before. It's fairly easy. You do one
07:57
colon.
07:59
I dig it.
08:05
2101411
08:11
Then you check. Make sure that I wrote that, right. Okay.
08:16
All right, Quit,
08:24
then. Pseudo rule update again.
08:33
And once this finishes running, you
08:37
should be good to go. We should be monitoring for Peaches now. And
08:41
we should no longer be
08:45
looking for this particular rule that we don't care to be monitoring for anymore.
08:50
And that is Ah,
08:52
quick overview of working with I. D. S rules.

Up Next

Security Onion

Security Onion is an open source Network Security Monitoring and log management Linux Distribution. In this course we will learn about the history, components, and architecture of the distro, and we will go over how to install and deploy single and multiple server architectures, as well as how to replay or sniff traffic.

Instructed By

Instructor Profile Image
Karl Hansen
Senior SOC Analyst
Instructor