How to add custom address-groups #12086

giomke · 2023-12-28T08:47:25Z

giomke
Dec 28, 2023

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

32

Storage for /

100

Storage for /nsm

200

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

How I can add custom address-groups in SOC, for example FILE_SERVERS

Guidelines

I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

Answered by reyesj2

Jan 5, 2024

This would be under Administration -> Configuration. At the top of the configuration page hit the drop down 'Options' menu and enable 'Show all configurable settings'.

Then navigate to the Suricata section, at the bottom there is an 'Advanced' section for suricata. Here is an example of how you'd make custom address-groups.

(for copy paste)

suricata:
  config:
    vars:
      address-groups:
        NEW_GROUP1:
          - 10.11.11.0/24
          - 10.12.12.0/24
        NEW_GROUP2: 
          - 10.13.13.0/24

Once you have added that to your suricata config under advanced, at top of the configuration screen open the 'Options' menu again and press 'Synchronize grid'. That will take some ti…

View full answer

robbiemarshall · 2023-12-28T17:29:27Z

robbiemarshall
Dec 28, 2023

The documentation on configuring additional host groups can be found here: https://docs.securityonion.net/en/2.4/firewall.html#host-groups

4 replies

giomke Jan 5, 2024
Author

Thanks for your answers. To be more clear, I am looking for adding custom "address-group" in Suricata config var menu.
Do you know how I can do it ?

reyesj2 Jan 5, 2024
Maintainer

This would be under Administration -> Configuration. At the top of the configuration page hit the drop down 'Options' menu and enable 'Show all configurable settings'.

Then navigate to the Suricata section, at the bottom there is an 'Advanced' section for suricata. Here is an example of how you'd make custom address-groups.

(for copy paste)

suricata:
  config:
    vars:
      address-groups:
        NEW_GROUP1:
          - 10.11.11.0/24
          - 10.12.12.0/24
        NEW_GROUP2: 
          - 10.13.13.0/24

Once you have added that to your suricata config under advanced, at top of the configuration screen open the 'Options' menu again and press 'Synchronize grid'. That will take some time, but will add a new address-group to your suricata.yaml. Here is mine after the above changes.

Answer selected by giomke

giomke Jan 7, 2024
Author

Thanks man you are awesome

giomke Jan 8, 2024
Author

@reyesj2 we have more than one forwarder. At this point, we have modified

/opt/so/saltstack/local/pillar/minions/first-forwarder_sensor.sls

If I made changes from SOC, it will be same for all forwarders ?.
Unfortunately, SOC does not have a select node option to choose.
As well, when we make changes from the SOC, does new groups appears under suricata -> config -> vars

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to add custom address-groups #12086

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to add custom address-groups #12086

Uh oh!

giomke Dec 28, 2023

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 4 replies

Uh oh!

Uh oh!

robbiemarshall Dec 28, 2023

Uh oh!

giomke Jan 5, 2024 Author

Uh oh!

reyesj2 Jan 5, 2024 Maintainer

Uh oh!

giomke Jan 7, 2024 Author

Uh oh!

giomke Jan 8, 2024 Author

giomke
Dec 28, 2023

Replies: 1 comment 4 replies

robbiemarshall
Dec 28, 2023

giomke Jan 5, 2024
Author

reyesj2 Jan 5, 2024
Maintainer

giomke Jan 7, 2024
Author

giomke Jan 8, 2024
Author