Important Security Onion Files and Directories - Applied Network Security Monitoring: Collection, Detection, and Analysis (2014)

Applied Network Security Monitoring: Collection, Detection, and Analysis (2014)

APPENDIX 2. Important Security Onion Files and Directories

This appendix contains a listing of important Security Onion files and directories. Some of these refer to areas where data is stored, while others point to configuration files that can be modified to change how Security Onion interacts with various tools. We’ve also included the location of many configuration files used by Security Onion tools, since they might be in a different location on an SO system than where they would be if you installed the tool manually on another operating system.

Application Directories and Configuration Files

This listing describes the location of configuration files for multiple tools included with Security Onion, as well as configuration files for SO itself. This listing is short and only includes files that are commonly accessed or modified.

Security Onion

• General SO settings can be modified at /etc/nsm/securityonion.conf

• Template configurations for tools used on SO are stored at /etc/nsm/templates/

• Packet filtering can be applied by editing the /etc/nsm/rules/bpf.conf file

• Status checking and maintenance scripts are stored in /etc/cron.d/

Snort/Suricata

• If you are using Snort, its configuration file is located at /etc/nsm/<sensor>/snort.conf.

• If you are using Suricata, its configuration file is located at /etc/nsm/<sensor>/suricata.yaml.

• IDS rules are stored at /etc/nsm/rules/. Within that directory:

  • Downloaded rules are stored in the downloaded.rules file

  • Custom rules can be added to the local.rules file

  • Rule threshold entries can be added to the threshold.conf file
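As an added example (not from the book or from Security Onion itself), the following POSIX shell function audits the local.rules file named above for three problems that commonly break a custom rule set: rules with no sid, sids below 1000000 (the range reserved for vendor rule sets such as downloaded.rules, so local rules should start at 1000000), and duplicate sids. The default path is the Security Onion location listed above; the function name and the rule lines used to exercise it are constructed for this example.

```shell
# Audit a Security Onion local.rules file (hypothetical helper, not part of
# Security Onion). Prints one finding per line and returns the number of
# findings as its exit status (0 = clean, 255 = file unreadable).
# Usage: audit_local_rules [/path/to/local.rules]
audit_local_rules() {
    rules="${1:-/etc/nsm/rules/local.rules}"
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 255; }
    awk '
        # Skip comments and blank lines; every other line is treated as a rule.
        /^[ \t]*(#|$)/ { next }
        {
            # Inside the option block "sid:" always follows "(", ";" or blank,
            # so requiring that leading character avoids matching sid: in msg text.
            if (!match($0, /[;( \t]sid:[ \t]*[0-9]+/)) {
                print "line " NR ": rule has no sid"
                n++
                next
            }
            s = substr($0, RSTART + 1, RLENGTH - 1)   # "sid: 1000001"
            sub(/sid:[ \t]*/, "", s)                   # "1000001"
            sid = s + 0
            # SIDs below 1000000 are reserved for vendor rule sets, so a local
            # rule there collides with the numbering used by downloaded.rules.
            if (sid < 1000000) {
                print "line " NR ": sid " sid " is in the reserved range (< 1000000)"
                n++
            }
            # Two rules sharing a sid cannot be told apart in alerts and are
            # rejected or shadowed by the engine, depending on the version.
            if (sid in seen) {
                print "line " NR ": duplicate sid " sid " (first used on line " seen[sid] ")"
                n++
            } else {
                seen[sid] = NR
            }
        }
        END { exit n + 0 }' "$rules"
}
```

Run it after editing local.rules and before restarting the sensor; a non-zero exit status means at least one finding was printed.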

PulledPork

• The PulledPork configuration file is located at /etc/nsm/pulledpork/pulledpork.conf

• Rule modifications using PulledPork are accomplished with these files:

  • /etc/nsm/pulledpork/disablesid.conf

  • /etc/nsm/pulledpork/dropsid.conf

  • /etc/nsm/pulledpork/enablesid.conf

  • /etc/nsm/pulledpork/modifysid.conf

PRADS

• The PRADS configuration file is located at /etc/nsm/<sensor-interface>/prads.conf

Bro

• The Bro configuration files are located at /opt/bro/

ELSA

• In standalone and server installations, the ELSA web interface configuration file is located at /etc/elsa_web.conf

• In standalone and sensor installations, the ELSA node configuration file is located at /etc/elsa_node.conf

Snorby

Snorby configuration files are located at /opt/snorby/config/.

Syslog-NG

Syslog-NG configuration files are located at /etc/syslog-ng/.

Sguil

• Sguil configuration files are located at /etc/nsm/securityonion/. Within that directory:

  • Access to Sguil can be controlled with sguild.access

  • Automatic categorization of events is handled by autocat.conf

  • E-mail alerts can be configured with sguild.email

  • Queries for Sguil can be created with sguild.queries

Sensor Data Directories

This listing contains locations where sensor tools store raw data:

Data Type                       Application       Location
FPC Data                        Netsniff-NG       /nsm/sensor_data/<sensor>/dailylogs/
Session Data                    Argus             /nsm/sensor_data/<sensor>/argus/
Alert Data                      Snort/Suricata    /nsm/sensor_data/<sensor>/snort-1/
Network Log Data / Alert Data   Bro               /nsm/bro/
Host Data                       PRADS             /var/log/prads-asset.log