Security Onion configuration

Snort configuration file: /etc/nsm/SO2012-eth3/snort.conf

Managing overactive signatures

Rules to ignore various packets

/etc/nsm/rules/local.rules

pass udp 8.8.8.8 53 -> 192.168.1.1 any (msg:"Ignore google dns"; sid:22222228;)
#pass tcp $HOME_NET any <> $WINDOWS_UPDATE 80 (msg:"Ignore Windows Update"; sid:22222229;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore Windows Update"; content:"Host|3a| download.windowsupdate.com"; http_header; classtype: web-application-activity; sid:22222230;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore DynDNS Updates"; content:"Host|3a| checkip.dyndns.com"; http_header; classtype: web-application-activity; sid:22222231;)

/etc/nsm/pulledpork/disablesid.conf

1:2013914 # User Agent to Backtrack Repository
1:2014726 # Outdated Windows Flash Version ID
1:15169 # XBOX Live Kerberos authentication request
1:16739 # FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap over

119:19 # http_inspect: LONG HEADER
123:8 # frag3: Fragmentation overlap
128:4 # ssh: Protocol mismatch
129:4 # stream5: TCP Timestamp is outside of PAWS window
129:5 # stream5: Bad segment, overlap adjusted size less than/equal 0
129:7 # stream5: Limit on number of overlapping TCP packets reached
129:12 # stream5: TCP Small Segment Threshold Exceeded
129:15 # stream5: Reset outside window
138:5 # sensitive_data: sensitive data - eMail addresses
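Added example, not from this page or from Security Onion itself: a small Python checker that parses the local.rules and disablesid.conf formats shown above and flags the mistakes that make tuning go silently wrong, such as a duplicate sid, an any-to-any pass rule with no content match, or a disablesid entry that overlaps a local rule sid. The sample inputs are constructed copies of the entries above with deliberately bad lines added; the authoritative syntax check is still snort -T against the snort.conf path given at the top of the page.

```python
import re
# Constructed copy of the local.rules entries above plus one deliberately bad line.
LOCAL_RULES = """\
pass udp 8.8.8.8 53 -> 192.168.1.1 any (msg:"Ignore google dns"; sid:22222228;)
#pass tcp $HOME_NET any <> $WINDOWS_UPDATE 80 (msg:"Ignore Windows Update"; sid:22222229;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore Windows Update"; content:"Host|3a| download.windowsupdate.com"; http_header; sid:22222230;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore DynDNS Updates"; content:"Host|3a| checkip.dyndns.com"; http_header; sid:22222231;)
pass ip any any <> any any (msg:"Overbroad pass rule"; sid:22222230;)
"""
# Constructed subset of disablesid.conf (pulledpork gid:sid form); last entry is bad.
DISABLESID = """\
1:2013914 # User Agent to Backtrack Repository
129:4 # stream5: TCP Timestamp is outside of PAWS window
1:22222231 # collides with a local rule sid
"""
# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
def parse_rules(text):
    """Parse active rule lines into dicts; blank and commented lines are skipped."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        sid = re.search(r'\bsid:\s*(\d+)\s*;', m.group(8)) if m else None
        if not m or not sid:
            raise ValueError('line %d: malformed rule or missing sid' % n)
        rules.append({'action': m.group(1), 'src': m.group(3), 'dst': m.group(6),
                      'opts': m.group(8), 'sid': int(sid.group(1))})
    return rules

def parse_disablesid(text):
    """Return (gid, sid) pairs from disablesid.conf, ignoring the trailing comments."""
    return [(int(g), int(s)) for g, s in re.findall(r'^\s*(\d+):(\d+)', text, re.M)]

def lint(local_rules, disablesid):
    """Return findings that would make the tuning silently wrong or fail to load."""
    findings, seen = [], set()
    for r in parse_rules(local_rules):
        if r['sid'] in seen:
            findings.append('sid %d: duplicate sid' % r['sid'])
        seen.add(r['sid'])
        # A pass rule with no content match and any on both sides silences everything.
        if (r['action'] == 'pass' and 'content:' not in r['opts']
                and {r['src'], r['dst']} == {'any'}):
            findings.append('sid %d: any<->any pass rule without content match' % r['sid'])
    for gid, sid in parse_disablesid(disablesid):
        if gid == 1 and sid in seen:
            findings.append('disablesid %d:%d collides with a local rule sid' % (gid, sid))
    return findings
```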

Update Rules: /usr/bin/rule-update

Fine tuning snort rules: http://www.doctorchaos.com/fine-tuning-snort-rules-in-security-onion/

ELSA Parsers

http://blog.infosecmatters.net/2013/01/creating-vyatta-parser-for-elsa.html

Merging parsers

Integrating business data with ELSA

Apache failing

Elsa