Request yes/no option to enable Pcap during Sensor installation

[kspringer-maf]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

lots

RAM

lots

Storage for /

lots

Storage for /nsm

lots

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am requesting a step be added to the Sensor installation flow that asks if PCAP should be enabled or disabled. I've got a global network grid with many remote Sensors and it would be a real time and resource saver if we could have Steno disabled when we install instead of having to wait for the new Sensor to sync with the Grid and then turning it off in the configs and waiting for things to sync again. Also during that time period that Steno is active, it's consuming disk space with Pcap files.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

We've invested significant time and effort into building a web config interface so that the text-based portion of Setup can be as simple as possible. We have no plans to add back any complexity to the text-based portion of Setup. Here's a possible workaround:

1. Disable stenographer by changing your grid default PCAP engine to Suricata:
   https://docs.securityonion.net/en/2.4/suricata.html#pcap

2. Then change your grid default Suricata configuration to only record PCAP for NIDS alerts OR perhaps use the tag option but don't define any tags:
   https://docs.securityonion.net/en/2.4/suricata.html#conditional-pcap

[kspringer-maf]

Thanks so much Doug. It's greatly appreciated what you've built. I've made the change to the Suricata engine and will test.