Security Onion Cheat Sheet PDF

The document provides information on common tasks, commands, files, and configurations for managing and using the Security Onion platform. It summarizes tasks for services, components, and packet capture as well as details important configuration files, data directories, and log files. Support resources are also listed.

COMMON TASKS

General Maintenance

Task                                                     Command
Check Service Status                                     so-status
Start/Stop/Restart All Services                          so-start|stop|restart
Start/Stop/Restart Server Services                       so-sguild-start|stop|restart
Start/Stop/Restart Sensor Services                       so-sensor-start|stop|restart
Start/Stop/Restart Docker                                docker start|stop|restart
Start/Stop/Restart All Docker Containers                 so-elastic-start|stop|restart
Start/Stop Specific Component                            so-<component>-<verb> (Ex: so-logstash-start)
Add Analyst (Sguil/Squert/Kibana) User                   so-user-add
Change Analyst User Password                             so-user-passwd
Add/View Firewall Rules (Analyst, Beats, Syslog, etc.)   so-allow | so-allow-view
Update SO (packages and containers)                      soup
Update Rules                                             rule-update
Generate SO Statistics                                   sostat
Check Redis Queue Length                                 so-redis-count

Salt Commands (from Master Server)

Task                       Command
Execute Command            salt '*' cmd.run '<command>'
Verify Minions Up          salt '*' test.ping
Sync Minions               salt '*' state.highstate
Update Entire Deployment   soup && salt '*' cmd.run 'soup -y'

Port/Protocols/Services (Distributed Deployment)

Port/Protocol              Service/Purpose
22/tcp (node/Master)       SSH access/AutoSSH tunnel from node(s) to Master
4505-4506/tcp (Master)     Salt comm from node(s) to Master
7736/tcp (Master)          Sguild comm from sensor(s) to Master
Support

Blog                                                    https://blog.securityonion.net
Docs                                                    https://securityonion.net/docs
Mailing List                                            https://securityonion.net/docs/mailinglists
Reddit                                                  https://www.reddit.com/r/securityonion
Training, Professional Services, Hardware Appliances    https://securityonionsolutions.com
IMPORTANT FILES

Configuration Files

Scope                                  File
General Settings                       /etc/nsm/securityonion.conf
Sensor Settings                        /etc/nsm/<hostname-interface>/sensor.conf
Maintenance Scripts                    /etc/cron.d, /usr/sbin
Snort                                  /etc/nsm/<hostname-interface>/snort.conf
Suricata                               /etc/nsm/<hostname-interface>/suricata.yaml
Zeek/Bro                               /opt/bro
Zeek/Bro Config                        /opt/bro/etc/networks.cfg, node.cfg
Zeek/Bro Local Policy/Scripts/Intel    /opt/bro/share/bro/site/local.bro (config)
                                       /opt/bro/share/bro/policy (scripts)
                                       /opt/bro/share/bro/intel/intel.dat (intel)
Elasticsearch Config                   /etc/elasticsearch/elasticsearch.yml
                                       /etc/elasticsearch/jvm.options (heap size)
Logstash Config                        /etc/logstash/logstash.yml
                                       /etc/logstash/jvm.options (heap size)
                                       /etc/logstash/conf.d (standard pipeline config)
                                       /etc/logstash/custom (custom pipeline config and custom templates)
Kibana Config                          /etc/kibana/kibana.yml
Curator Config                         /etc/curator/config/curator.yml
Syslog-NG                              /etc/syslog-ng/syslog-ng.conf
Wazuh/OSSEC                            /var/ossec/etc/ossec.conf
Sguil (Server)                         /etc/nsm/securityonion/sguild.conf
Sguil (Client)                         /etc/sguil/sguil.conf
Sguil (Email)                          /etc/nsm/securityonion/sguild.email
Onionsalt                              /opt/onionsalt

Packet Filtering

Scope                                  File
Server (Entire Deployment)             /etc/nsm/rules/bpf.conf
Sensor-Specific                        /etc/nsm/<hostname-interface>/bpf.conf
Component-Specific                     /etc/nsm/<hostname-interface>/bpf-bro.conf, bpf-ids.conf, etc.

Rule Management

Scope                                  Configuration File
IDS Rules (Downloaded)                 /etc/nsm/rules/downloaded.rules
IDS Rules (Custom)                     /etc/nsm/rules/local.rules
Rule Thresholds                        /etc/nsm/rules/threshold.conf
Disabled Rules                         /etc/nsm/pulledpork/disablesid.conf
Modified Rules                         /etc/nsm/pulledpork/modifysid.conf
PulledPork Config                      /etc/nsm/pulledpork/pulledpork.conf
Wazuh/OSSEC Rules                      /var/ossec/rules/
Wazuh/OSSEC Rules (Custom)             /var/ossec/rules/local_rules.xml
Elastalert                             /etc/elastalert/rules/

DATA

Data Directories

Scope                                  Data Directory
Packet Capture (Sensor)                /nsm/sensor_data/
                                         |--- <hostname-interface>
                                              |--- dailylogs/
Alert Data (Sensor)                    /nsm/sensor_data/<hostname-interface>/
Alert Data (Master)                    /var/lib/mysql/securityonion_db/
Zeek/Bro (Archived) (Sensor)           /nsm/bro/logs/<yyyy-mm-dd>/
Zeek/Bro (Current Hour) (Sensor)       /nsm/bro/logs/current/
Zeek/Bro Extracted Files (Sensor)      /nsm/bro/extracted/ (only EXEs extracted by default)
Elasticsearch (Master/Heavy/Storage)   /nsm/elasticsearch/nodes/<x>/indices/
Wazuh/OSSEC HIDS                       /var/ossec/logs/

Log Files

Scope                                  File
Zeek/Bro (Sensor)                      /nsm/bro/logs/current/
                                       stderr.log (errors), reporter.log (errors/warnings),
                                       loaded_scripts.log (loaded scripts)
Elastalert                             /var/log/elastalert/elastalert_stderr.log
Elasticsearch                          /var/log/elasticsearch/<hostname>.log
Logstash                               /var/log/logstash/logstash.log
Kibana                                 /var/log/kibana/kibana.log
Wazuh/OSSEC                            /var/ossec/logs/ossec.log
Sensor Logs                            /var/log/nsm/<hostname-interface>/snortu-n.log,
                                       barnyard2-n.log, suricata.log, netsniff-ng.log
Sguild                                 /var/log/nsm/securityonion/sguild.log

Performance Tuning

Target                                 Parameter/File
Zeek/Bro                               lb_procs in /opt/bro/etc/node.cfg
Snort/Suricata                         IDS_LB_PROCS in /etc/nsm/<hostname-interface>/sensor.conf
PF_RING                                min_num_slots in /etc/modprobe.d/pf_ring.conf
Netsniff-NG                            PCAP_OPTIONS, PCAP_SIZE, PCAP_RING_SIZE in /etc/nsm/<hostname-interface>/sensor.conf

Originally Designed by: Chris Sanders, http://www.chrissanders.org - @chrissanders88
Updated by: Security Onion Solutions, https://securityonionsolutions.com - @securityonion
Security Onion Version: 16.04.6.5
Last Modified: 03.23.2020
