Details: 2.3.2 ISO, Standalone install

I was attempting to follow the documentation here to tune out some FPs. However, when I run the `salt securityonion_standalone state.highstate` command as documented, it removes my tuned rules in /opt/so/rules/nids/local.rules.

I tried running `salt securityonion_standalone state.apply idstools` instead after modifying the STS and writing the new rules in /opt/so/rules/nids/local.rules; however, even running that deletes the contents in local.rules. So I don't know if the documentation is incorrect or I'm just not understanding salt well enough.

Reading more here, the hint was given to modify the /opt/so/saltstack/local/salt/idstools/localrules/local.rules file. That file did not exist; however, /opt/so/saltstack/local/salt/idstools/local.rules did. So I added my new rule to that file, and had to run `salt securityonion_standalone state.apply idstools`. Then I ran so-rule-update. Now in /opt/so/rules/nids/all.rules the old rule is disabled, and the new rule is listed.

Is this how we are supposed to tune rules? If so, would you please update the documentation to reflect the proper steps?

1. Identify the rule SID you want to tune
2. Run `grep <SID> /opt/so/rules/nids/all.rules`, copy the rule syntax
3. `sudo salt securityonion_standalone state.apply idstools`
4. `sudo so-rule-update`
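The post ends by checking all.rules by eye to see that the old rule is disabled and the tuned one is listed. The script below is an added example, not Security Onion project code, that turns that check into something repeatable: `rule_state` reports every copy of a SID in a rules file with its enabled/disabled state and rev, and `tuning_applied` confirms the expected end state. It assumes the tuned rule keeps the original SID with a bumped rev, and it runs against a constructed sample file with placeholder SIDs rather than the live /opt/so/rules/nids/all.rules.

```shell
#!/bin/sh
# Added example (not from the Security Onion project): after running
# state.apply idstools and so-rule-update, confirm that the original rule for
# a SID is commented out in all.rules and exactly one tuned copy is active.
# Assumption: the tuned rule keeps the same SID and bumps "rev".

# rule_state FILE SID: prints one "state:rev" line per rule carrying that SID
# (state is "enabled" or "disabled"), or "missing" if the SID is absent.
rule_state() {
  awk -v sid="$2" '
    $0 ~ ("sid:[ ]*" sid "[ ]*;") {
      state = ($0 ~ /^[ \t]*#/) ? "disabled" : "enabled"
      rev = "?"
      if (match($0, /rev:[ ]*[0-9]+/)) {
        rev = substr($0, RSTART + 4, RLENGTH - 4); gsub(/ /, "", rev)
      }
      print state ":" rev
      found = 1
    }
    END { if (!found) print "missing" }
  ' "$1"
}

# tuning_applied FILE SID: exit 0 only when the SID has at least one disabled
# copy (the original) and exactly one enabled copy (the tuned rule).
tuning_applied() {
  out=$(rule_state "$1" "$2")
  disabled=$(printf '%s\n' "$out" | grep -c '^disabled:' || true)
  enabled=$(printf '%s\n' "$out" | grep -c '^enabled:' || true)
  [ "$disabled" -ge 1 ] && [ "$enabled" -eq 1 ]
}

# Constructed sample of what all.rules might look like after tuning SID 9000001
# (SID 9000002 is untouched). Placeholder SIDs, not real signatures.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE SSH noise"; sid:9000001; rev:1;)
alert tcp !10.0.0.5 any -> $HOME_NET 22 (msg:"EXAMPLE SSH noise tuned"; sid:9000001; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE HTTP probe"; sid:9000002; rev:1;)
EOF

rule_state "$SAMPLE_RULES" 9000001      # prints disabled:1 then enabled:2
tuning_applied "$SAMPLE_RULES" 9000001 && echo "SID 9000001: tuning applied"
tuning_applied "$SAMPLE_RULES" 9000002 || echo "SID 9000002: no tuned copy"
```

Point it at /opt/so/rules/nids/all.rules and the SID from step 1 after step 4 to confirm the state the post describes without grepping by hand.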