NIDS

NIDS (Network Intrusion Detection System) rules are loaded into Suricata to monitor network traffic for suspicious or noteworthy activity. Active NIDS rules generate alerts that can be found in Alerts.

Managing Existing NIDS Rules

You can manage existing NIDS rules using Detections. There are two ways to do so:

  • From the main Detections interface, you can search for the desired detection and click the binoculars icon.

  • From the Alerts interface, you can click an alert and then click the Tune Detection menu item.

Once you’ve used one of these methods to reach the detection detail page, you can check the Status field in the upper-right corner and use the slider to enable or disable the detection.

[Screenshot: _images/60_detection_nids.png]

To tune the detection:

  • click the TUNING tab

  • click the blue + button

  • select the type of tuning (Modify, Suppress, or Threshold)

  • fill out the requested values

  • click the CREATE button

[Screenshot: _images/60_detection_nids_2_tuning_2_add.png]

Adding New NIDS Rules

To add a new NIDS rule, go to the main Detections page and click the blue + button between Options and the query bar. A form will appear where you will:

  • click the Language drop-down and select Suricata

  • optionally specify a license

  • add the signature

  • click the CREATE button and the detection should deploy to your grid at the next 15-minute cycle

[Screenshot: _images/58_detection_create.png]
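As an added example (not code from the Security Onion documentation or project), the following Python script parses a Suricata signature of the kind you would paste into the form above, checks that the msg, sid and rev options a deployable detection needs are present, and builds the suppress and threshold entries in Suricata's own threshold-file syntax that correspond to the Suppress and Threshold tuning types described in the previous section. The sample rule, its sid and the IP address are constructed for this example; the sid >= 1000000 check reflects the usual convention for local signatures and is not stated on this page.

```python
import re

# Constructed sample signature for this example; not an ETOPEN or Security Onion rule.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"LOCAL Example suspicious user-agent"; flow:established,to_server; '
    'http.user_agent; content:"ExampleScanner"; nocase; '
    'classtype:bad-unknown; sid:1000001; rev:1;)'
)

# Rule header: action, protocol, source, source port, direction, destination,
# destination port, followed by the parenthesised option body.
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)
# Splits the option body on ';' only when an even number of '"' follows it,
# i.e. on semicolons that sit outside quoted strings.
OPTION_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

REQUIRED_OPTIONS = ("msg", "sid", "rev")


def parse_rule(rule):
    """Return a dict with the header fields and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("rule does not have the 'header (options)' shape Suricata expects")
    parsed = m.groupdict()
    options = []
    for part in OPTION_SPLIT_RE.split(parsed.pop("options")):
        part = part.strip()
        if not part:
            continue
        keyword, _, value = part.partition(":")
        # Keywords without a value (e.g. http.user_agent, nocase) get None.
        options.append((keyword.strip(), value.strip().strip('"') if value else None))
    parsed["options"] = options
    return parsed


def validate_rule(parsed):
    """Return a list of problems; an empty list means the signature is ready to submit."""
    problems = []
    present = dict(parsed["options"])
    for key in REQUIRED_OPTIONS:
        if key not in present:
            problems.append(f"missing {key}")
    sid = present.get("sid")
    if sid is not None:
        if not sid.isdigit():
            problems.append("sid must be numeric")
        elif int(sid) < 1000000:
            # Convention (not from the page): local signatures use sid 1000000 and above
            # so they do not collide with vendor rulesets such as ETOPEN.
            problems.append("local signatures should use sid >= 1000000")
    return problems


def suppress_entry(sid, track="by_src", ip="10.0.0.5"):
    """Suricata threshold-file line that silences one signature for one address (Suppress tuning).
    The default IP is a constructed placeholder."""
    return f"suppress gen_id 1, sig_id {sid}, track {track}, ip {ip}"


def threshold_entry(sid, count=1, seconds=60, track="by_src"):
    """Suricata threshold-file line that rate-limits alerts for one signature (Threshold tuning)."""
    return (f"threshold gen_id 1, sig_id {sid}, type limit, track {track}, "
            f"count {count}, seconds {seconds}")


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    sid = dict(parsed["options"])["sid"]
    print("problems:", validate_rule(parsed) or "none")
    print(suppress_entry(sid))
    print(threshold_entry(sid))
```

Running the validator before clicking CREATE catches the most common reasons a pasted signature fails to deploy (a missing sid or rev, or a sid that collides with a vendor ruleset); the suppress and threshold lines show what the Suppress and Threshold tuning types amount to in Suricata's native syntax.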

Update Frequency

By default, Security Onion checks for new NIDS rules every 24 hours. You can change this value as follows:

  • Navigate to Administration –> Configuration.

  • At the top of the page, click the Options menu and then enable the "Show all configurable settings, including advanced settings." option.

  • Navigate to soc –> config –> server –> modules –> suricataengine –> communityRulesImportFrequencySeconds.

Changing to a Different Ruleset

Security Onion includes the Emerging Threats Open (ETOPEN) ruleset by default. If you would like to change to a different ruleset, you can do this via Administration –> Configuration –> idstools –> config –> ruleset.

[Screenshot: _images/config-item-idstools.png]

Security Onion offers the following choices for NIDS rulesets. The main options are ETOPEN (free) and ETPRO (commercial) but advanced users may choose a Snort ruleset if they understand the caveats as shown below.

ETOPEN

  • default ruleset included in Security Onion

  • optimized for Suricata

  • free

For more information, see:

ETPRO

  • includes ETOPEN and additional rules

  • optimized for Suricata

  • rules retrievable as released

  • license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)

Snort Community

  • NOT optimized for Suricata

  • community-contributed rules

  • free

Snort Registered

  • NOT optimized for Suricata

  • Snort SO (Shared Object) rules do NOT work with Suricata

  • same rules as the Snort Subscriber ruleset, except that rules only become retrievable 30 days after release

  • free

Since Shared Object rules won’t work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+'.

Snort Subscriber (Talos)

  • NOT optimized for Suricata

  • Snort SO (Shared Object) rules do NOT work with Suricata

  • rules retrievable as released

  • license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)

Since Shared Object rules won’t work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+'.
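The disable regex mentioned here (and in the Snort Registered section above) is applied to the downloaded rule text. As an added example that is not part of this page or of the Security Onion project, the Python script below shows how such disable entries act on a rules file: it accepts the three entry forms idstools-style disable files use (a bare sid, a gid:sid pair, and a `re:` regex matched case-insensitively against the whole rule line; this mirrors idstools behaviour as I understand it and is an assumption of the example), and comments out every matching rule. The rules are constructed for the example; the second one merely contains the `soid` token the page's regex targets and is not a claim about how real Shared Object stubs are laid out.

```python
import re

# Constructed sample rules file; none of these are real ETOPEN or Snort rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; flow:to_server; classtype:attempted-recon; sid:1000010; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SO stub"; soid 3; sid:1000011; gid:3; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE already disabled"; sid:1000012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE policy violation"; http.uri; content:"/example"; sid:1000013; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")


def parse_disable_conf(text):
    """Turn disable-file lines into matchers. Supported forms: 'sid', 'gid:sid', 're:regex'.
    Blank lines and '#' comments are ignored; anything else is rejected loudly."""
    matchers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            # Assumed idstools semantics: case-insensitive search over the rule text.
            matchers.append(("re", re.compile(line[3:], re.IGNORECASE)))
        elif re.fullmatch(r"\d+:\d+", line):
            gid, sid = line.split(":")
            matchers.append(("gid_sid", (int(gid), int(sid))))
        elif line.isdigit():
            matchers.append(("sid", int(line)))
        else:
            raise ValueError(f"unrecognized disable entry: {line}")
    return matchers


def rule_ids(rule):
    """Return (gid, sid) for a rule line; gid defaults to 1, Suricata's generator id for rules."""
    gid = GID_RE.search(rule)
    sid = SID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)) if sid else None)


def matches(rule, matcher):
    kind, value = matcher
    if kind == "re":
        return value.search(rule) is not None
    gid, sid = rule_ids(rule)
    if kind == "sid":
        return sid == value
    return (gid, sid) == value


def apply_disables(rules_text, disable_text):
    """Return (rewritten rules text, list of sids that were disabled).
    Rules that are already commented out are passed through untouched."""
    matchers = parse_disable_conf(disable_text)
    out, disabled = [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        if any(matches(stripped, m) for m in matchers):
            out.append("# " + line)
            disabled.append(rule_ids(stripped)[1])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    new_text, disabled = apply_disables(SAMPLE_RULES, "re:soid [0-9]+\n1000013\n")
    print("disabled sids:", disabled)
    print(new_text)
```

Before committing a regex like `re:soid [0-9]+` to a production grid, run it over a copy of the downloaded rules this way and review the list of disabled sids: a pattern that is too broad will silently switch off unrelated detections, and the only sign in the UI is the absence of alerts.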

Other

  • not officially managed/supported by Security Onion

  • license fee may or may not apply