Security Onion Restart #10525
-
Our official recommendation is that you avoid modifying all.rules directly. As you mentioned, you can add your own rules as shown at https://docs.securityonion.net/en/2.3/local-rules.html. If your ruleset is available via HTTP, then another option might be to add the ruleset itself as shown at https://docs.securityonion.net/en/2.3/rules.html.
-
Good morning all,
My organization is testing a couple of components regarding the all.rules file in the manager or minion. As of this moment, we have disabled the daily cronjob that updates the all.rules file.
Our objective is to manually edit the all.rules file without any of the rules we write being overwritten. (We are aware that we can create a separate rule file for custom rules, but due to our other platform this is what we are looking at for now.)
Ever since we turned off the cronjob for daily updates, the rules we have been writing into all.rules have appeared successful and have remained. We recently noticed that if you restart the Security Onion Manager, all the rules we previously wrote into all.rules will be completely removed.
Does anyone know how to prevent all.rules from being overwritten when the Security Onion Manager restarts?
Due to the way our platform works, another solution we thought of is if there is a way to prevent the Security Onion Manager from updating any minion all.rules.
All of this seems a bit wonky, but if we could just do either of the two above, we'd be golden!
Thank you!