Managing network-wide vs sensor-specific Suricata rules? #11978
I stood up a temporary single test deployment of Security Onion a couple years ago as a short-term solution until the expensive solution forced on me by execs was set up. We are throwing out the expensive solution and planning to build out a proper distributed sec onion. My understanding of how sec onion manages sec onion rules is that I append the config file on the manager and the Salt stack pushes to all the servers. How do I manage which rules I want to go to all sec onion servers (i.e. ET Pro) vs rules specific to a sensor (i.e. no SMTP on this segment, so alert for SMTP)? Or am I overthinking it, and as long as I keep my rules specific enough it won't impact performance if the rules get pushed to all the servers? I use Suricata for baselining network traffic, so I have thousands of custom alerts.
Replies: 1 comment
Welcome back! Make sure you're using the latest version 2.4 as it makes administration and configuration MUCH easier than previous versions:
https://docs.securityonion.net/en/2.4/administration.html

Security Onion is designed to have a single ruleset that is managed by the manager and pushed out to all sensors. You can then tune that ruleset by disabling, modifying, or suppressing certain rules. You can add your own custom rules to the manager and they will likewise be pushed out to all sensors.
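As an added example of the pattern the answer describes (this is not code from the page or from the Security Onion project), here is the asker's "no SMTP on this segment" case written so the rule can live in the single network-wide ruleset, with a suppression entry that silences it for one host that is allowed to send mail; the sid, the segment 10.20.30.0/24 and the host 10.20.30.25 are constructed values.

```suricata
# --- custom rule (constructed) ---
# Scoping the rule to the segment that should carry no SMTP keeps it safe
# to push to every sensor: sensors that never see 10.20.30.0/24 traffic
# simply never match it.
alert smtp 10.20.30.0/24 any -> any any (msg:"SMTP client traffic from segment with no mail servers"; flow:to_server,established; classtype:policy-violation; sid:9000001; rev:1;)

# --- threshold.config (constructed) ---
# Keep the rule network-wide but suppress it for the one relay on that
# segment that legitimately sends mail, instead of maintaining a
# sensor-specific copy of the ruleset.
suppress gen_id 1, sig_id 9000001, track by_src, ip 10.20.30.25
```

Which file Security Onion 2.4 exposes for each of these is not covered on this page; check the administration docs linked above for where custom rules and suppressions are managed.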