Detections from Suricata on lab #13632
Replies: 1 comment
-
The Detections interface shows all possible detections. If one of those detections actually detects something, then it generates an alert in the Alerts interface. For more information, please see:
What version are you running? 2.4.90 included some speed improvements:
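To make the distinction in the reply concrete (a detection is a rule that exists; an alert is a record of that rule actually firing), here is an added example that is not Security Onion's own code or part of the thread. It parses a small set of Suricata rules (the inventory the Detections view would list) and a few eve.json records (the alert stream the Alerts view is built from), then reports which rules produced alerts and how often. Both the rules and the eve.json lines are constructed sample data; the field names are standard Suricata rule and eve.json fields, while the exact way Security Onion maps them into its UI is assumed here, not taken from the page.

```python
import json
import re
from collections import Counter

# Constructed sample Suricata rules, standing in for the rule inventory.
# These are not real Emerging Threats rules; sids in the 1000000+ local range.
RULES = r'''
alert tcp any any -> $HOME_NET 22 (msg:"LAB SSH inbound from untrusted"; flow:to_server; sid:1000001; rev:1;)
alert dns any any -> any any (msg:"LAB DNS query to suspicious TLD"; dns.query; content:".zip"; endswith; sid:1000002; rev:2;)
alert http any any -> any any (msg:"LAB HTTP basic auth observed"; http.header; content:"Authorization: Basic"; sid:1000003; rev:1;)
# disabled rule below (a leading '#' is how Suricata rules are commented out)
#alert icmp any any -> any any (msg:"LAB ICMP echo"; itype:8; sid:1000004; rev:1;)
'''

# Constructed sample eve.json lines. Only event_type "alert" records mean a rule fired;
# flow/dns/http records are protocol metadata, not detections.
EVE = r'''
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":22,"alert":{"signature_id":1000001,"rev":1,"signature":"LAB SSH inbound from untrusted","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":22,"alert":{"signature_id":1000001,"rev":1,"signature":"LAB SSH inbound from untrusted","severity":2}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"8.8.8.8","dest_port":53,"alert":{"signature_id":1000002,"rev":2,"signature":"LAB DNS query to suspicious TLD","severity":3}}
'''

# Matches one rule line: optional leading '#' (disabled), action keyword, msg and sid options.
RULE_RE = re.compile(
    r'^\s*(?P<disabled>#)?\s*(?P<action>alert|drop|pass|reject)\s+.*?'
    r'msg:"(?P<msg>[^"]*)";.*?sid:(?P<sid>\d+);',
    re.IGNORECASE,
)


def parse_rules(text):
    """Return {sid: {"msg", "rev", "enabled"}} for every rule line (enabled or commented out)."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and plain comments are not rules
        rev = re.search(r'rev:(\d+);', line)
        rules[int(m.group("sid"))] = {
            "msg": m.group("msg"),
            "rev": int(rev.group(1)) if rev else 1,
            "enabled": m.group("disabled") is None,
        }
    return rules


def parse_alerts(text):
    """Return (sid, signature, src_ip, dest_ip) tuples for event_type == "alert" records only."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # metadata events are not a rule firing
        a = ev["alert"]
        alerts.append((a["signature_id"], a["signature"], ev["src_ip"], ev["dest_ip"]))
    return alerts


def coverage_report(rules, alerts):
    """Join the rule inventory to the alert stream: hits per sid, plus sids seen only in alerts."""
    hits = Counter(sid for sid, *_ in alerts)
    report = {
        sid: {"msg": r["msg"], "enabled": r["enabled"], "hits": hits.get(sid, 0)}
        for sid, r in rules.items()
    }
    unknown = sorted(set(hits) - set(rules))  # alerts from rules not in the loaded inventory
    return report, unknown


if __name__ == "__main__":
    rules = parse_rules(RULES)
    alerts = parse_alerts(EVE)
    report, unknown = coverage_report(rules, alerts)
    print(f"{len(rules)} detections loaded, {len(alerts)} alerts observed")
    for sid, row in sorted(report.items()):
        state = "enabled" if row["enabled"] else "disabled"
        print(f"sid {sid} ({state}): {row['hits']} alert(s)  {row['msg']}")
    if unknown:
        print("alerts with no matching rule in inventory:", unknown)
```

Run it with no arguments and it prints one line per rule with its hit count; in a lab most rules will sit at zero, which is the expected state for a detection that has not yet seen matching traffic. Swap the constructed `RULES` and `EVE` strings for the contents of a real rules file and `eve.json` to run the same join against live data.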
-
Version
2.4 Pre-release (Beta, Release Candidate)
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Standalone
Location
airgap
Hardware Specs
Meets minimum requirements
CPU
4
RAM
16
Storage for /
100gb
Storage for /nsm
100gb
Network Traffic Collection
tap
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
Yes, there are salt failures (please provide detail below)
Logs
No, there are no additional clues
Detail
I have security onion running in a lab environment. Is the detections tab actual detections or are they the list of rules that SO uses for alerts? Is there a way to speed up the detection rules being automatically created on first install for an airgapped environment?