Delete default ruleset #14509
Hello, I've just started learning Security Onion, so I'm still a beginner and not very skilled yet. I've installed it on a hypervisor, choosing the standalone option to begin with. My SPAN setup is working fine. I've tested it with tcpdump and confirmed that it's receiving traffic.

Now, I'd like to remove all the default detection rules to start fresh. I first tried deleting them manually from /nsm/rules/detect-suricata/custom_temp, but the system is smart: it keeps recreating them. So, I went to the web console (Security Onion Console) and checked the rules section. There are actually 62,000 rules listed, and it's impractical to select and delete them one by one.

I consulted the manual and navigated to Administration > Configuration > idstools > config > ruleset to see if I could remove the ruleset entirely. However, the manual doesn't explain how to do this, or maybe I missed it. There's a field labeled ETOPEN, but if I clear it or enter a new value, the system rejects the change, saying it's not allowed. It seems there might be a specific ruleset configuration defined somewhere that's restricting this.

Next, I turned to AI and deep search for help, but none of the suggested solutions worked. I uploaded the documentation to double-check, and I stumbled upon some rules in /opt/so/saltstack/local/salt/suricata/rules. I deleted them (after making a full backup, of course), restarted the Suricata process, and checked again. The rules still appeared in the web interface, but the /nsm/rules/detect-suricata/custom_temp directory was now empty. At this point, I'm out of ideas short of reinstalling everything.

I also tried checking /opt/so/saltstack/local/pillar/minions/ids_standalone.sls and looked for any ruleset or sync config, but found nothing. So, as my last resort before starting over, I'd like to ask you how I can achieve a clean installation with no default rules, allowing me to add rules one by one so I can learn step by step in an effective way. Now I have that; it's normal, I think, because I deleted everything and maybe I have to clean a DB somewhere ... To conclude, our system demonstrates incredible resilience, like me, and I haven't said my last word yet! All the best!
Replies: 3 comments 2 replies
Ok, thanks for all. I'm reinstalling everything and will try another way to unfix myself.
You should be able to disable all of the default Suricata rules by using a regex like "ET/s". Docs: https://docs.securityonion.net/en/2.4/nids.html#enabling-and-disabling-with-regex
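To show what a regex-based bulk disable does to a ruleset, here is an added illustration that is not part of this thread and not Security Onion's or idstools' own code. It parses a few constructed Suricata rule lines (made-up SIDs and titles, not real ET Open rules), applies a title regex, and reports which SIDs would be disabled and which kept. The pattern `^ET\s` (title begins with "ET" followed by whitespace) is my reading of the intended anchored pattern; the second run with an unanchored `ET` shows why anchoring matters, since a local rule whose title contains "NET" would otherwise be swept up too.

```python
import re

# Constructed sample rules for illustration only; the SIDs and titles are made up
# and do not come from ET Open or any real ruleset.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example beacon check-in"; sid:2000001; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"ET INFO Example DNS lookup"; sid:2000002; rev:2;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE example id check"; sid:2100498; rev:7;)
# comment lines and blank lines are ignored

alert tcp any any -> $HOME_NET 22 (msg:"LOCAL NET scan example"; sid:9000001; rev:1;)
"""

# msg:"..." carries the rule title; sid: carries the numeric rule id.
RULE_RE = re.compile(r'msg:"(?P<msg>[^"]*)".*?\bsid:(?P<sid>\d+)')


def parse_rules(text):
    """Return a list of (sid, title) tuples from Suricata rule text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            rules.append((int(m.group("sid")), m.group("msg")))
    return rules


def select_sids(rules, pattern):
    """SIDs whose title matches the regex (search, not full match), sorted."""
    rx = re.compile(pattern)
    return sorted(sid for sid, title in rules if rx.search(title))


def plan_disable(rules, pattern):
    """Summarise what a bulk disable with this pattern would do."""
    disabled = select_sids(rules, pattern)
    disabled_set = set(disabled)
    kept = sorted(sid for sid, _ in rules if sid not in disabled_set)
    return {"pattern": pattern, "disabled": disabled, "kept": kept}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pat in (r"^ET\s", r"ET"):
        plan = plan_disable(rules, pat)
        print(f"{pat!r}: disable {plan['disabled']}, keep {plan['kept']}")
```

Running it prints the two plans: the anchored pattern disables only the two "ET ..." rules and keeps the GPL and LOCAL ones, while the unanchored pattern also catches the LOCAL rule. Reviewing such a plan against the rule count shown in the Detections page before applying a bulk change is a cheap way to avoid silently disabling your own rules.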
Why didn't I see this page? So maybe a simple line will be enough ...
And here is a question on the same subject: if I install ETPRO, which includes ETOPEN according to the mention on that page, then in fact I don't need to uninstall the default rules?