Managing Rules
Updating Rules
Assuming you have Internet access, Security Onion will automatically update your NIDS rules on a daily basis. If you need to manually update your rules, you can run the following on your manager node:
sudo so-rule-update
If you have a distributed deployment and you update the rules on your manager node, then those rules will automatically replicate from the manager node to your sensors within 15 minutes. If you don’t want to wait 15 minutes, you can force the sensors to update immediately by running the following command on your manager node:
sudo salt \* state.highstate
Configuration
You can modify your rule configuration by going to Administration –> Configuration –> idstools.
Rulesets
Security Onion offers the following choices for rulesets to be used by Suricata.
ET Open
optimized for Suricata
free
ET Pro (Proofpoint)
optimized for Suricata
rules retrievable as released
license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)
Snort Community
NOT optimized for Suricata
community-contributed rules
free
Snort Registered
NOT optimized for Suricata
Snort SO (Shared Object) rules do NOT work with Suricata
same rules as Snort Subscriber ruleset, except rules only retrievable after 30 days past release
free
Since Shared Object rules won’t work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+' as described in the Managing Alerts section.
Snort Subscriber (Talos)
NOT optimized for Suricata
Snort SO (Shared Object) rules do NOT work with Suricata
rules retrievable as released
license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)
Since Shared Object rules won’t work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+' as described in the Managing Alerts section.
Other
not officially managed/supported by Security Onion
license fee may or may not apply