FAQ
Frequently Asked Questions
What's the recommended procedure for installing Security Onion?

What do I need to do if I'm behind a proxy?

How do I install Security Onion updates?

Why do apt-get and the Update Manager show tcl8.5 as held back?

Why do I get the following error when starting Sguil?

    Application initialization failed: no display name and no $DISPLAY environment variable
    ERROR: Cannot find the Iwidgets extension.
    The iwidgets package is part of the incr tcl extension and is available as a port/package most systems.
    See http://www.tcltk.com/iwidgets/ for more info.

This is related to the previous question. See tcl notes.

What is the password for root/mysql/Squert?

How do I configure email for alerting and reporting?

Where can I read more about the tools contained within Security Onion?

How do I configure a BPF for Snort/Suricata/Daemonlogger/Bro?

Where can I find interesting pcaps to replay?

What are the default firewall settings and how do I change them?

Can I be alerted when an interface stops receiving traffic?

What can I do to decrease the size of my MySQL database?
You can lower the DAYSTOKEEP setting in /etc/nsm/securityonion.conf.

Can Security Onion run in IPS mode?
Running Security Onion as an IPS requires manual configuration and is not supported. I talked about this on the Packet Pushers podcast: http://packetpushers.net/show-95-security-onion-with-doug-burks-or-why-ids-rules-and-ips-drools/

Why do I get segfaults when booting on VMware ESX?
This is a known issue with Ubuntu 10.04 and ESXi 4.1 and is unrelated to Security Onion. Please see:

Why is my disk filling up?
Sguil uses daemonlogger to record full packet captures to disk. These pcaps are stored in /nsm/sensor_data/NAME_OF_SENSOR/dailylogs/. There is an hourly cronjob at /etc/cron.d/sensor-clean that should delete old pcaps when the disk reaches 90% of capacity. It's important to properly size your disk storage so that you avoid filling the disk to 100% before the next hourly purge runs.
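The oldest-first purge that sensor-clean performs on the dailylogs tree, as an added illustration that is not the Security Onion cron job itself: it walks YYYY-MM-DD day directories from oldest to newest and removes them until the tree fits a byte budget (a stand-in for the 90% disk threshold, so it can run in a constructed scratch directory rather than /nsm). The sample tree, file names and the SAMPLE_LOGS variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not Security Onion's sensor-clean script: prune the oldest
# day directories of a dailylogs-style tree until it fits a byte budget.
# Runs only against a constructed scratch tree created below.

# Total bytes of regular files under a directory (exact, not block-rounded).
tree_bytes() {
    find "$1" -type f -exec cat {} + | wc -c | tr -d ' '
}

# prune_dailylogs DIR BUDGET_BYTES
# Removes YYYY-MM-DD subdirectories oldest-first until the tree is at or
# below BUDGET_BYTES; prints the name of each day removed, one per line.
prune_dailylogs() {
    dir="$1"; budget="$2"
    for day in $(ls "$dir" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort); do
        # Stop as soon as the tree fits; never delete more than needed.
        [ "$(tree_bytes "$dir")" -le "$budget" ] && break
        rm -rf "$dir/$day"
        echo "$day"
    done
}

# Constructed sample tree: three days of fake pcaps, 3 KiB each (9 KiB total).
SAMPLE_LOGS=$(mktemp -d)
for d in 2012-03-19 2012-03-20 2012-03-21; do
    mkdir -p "$SAMPLE_LOGS/$d"
    head -c 3072 /dev/zero > "$SAMPLE_LOGS/$d/snort.log.1332115200"
done
```

With a 6 KiB budget only 2012-03-19 is removed; the newest captures stay intact.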
Why does Security Onion use UTC?
Security Onion uses UTC because that is the recommended/required setting for Sguil:

    echo "Etc/UTC" | sudo tee /etc/timezone
    sudo dpkg-reconfigure --frontend noninteractive tzdata
    sudo service rsyslog restart
    sudo cp /etc/localtime /var/ossec/etc/localtime
    sudo chown root:ossec /var/ossec/etc/localtime
    sudo service ossec restart

What do I need to modify in order to have the log files stored on a different mount point?
There are two ways to do this:
- go to /etc/apparmor.d

How do I stop monitoring an interface?
Execute the following command, replacing HOSTNAME-INTERFACE with the name of the sensor:

    sudo nsm_sensor_ps-stop --sensor-name=HOSTNAME-INTERFACE

Then remove the relevant entry from /etc/nsm/sensortab.

How do I change the fonts in the Sguil client?
In the Sguil client, click the File menu and then go to "Change Font". You can change both the Standard and Fixed fonts. Fonts are a personal issue, but I like the following:

How do I boot Security Onion to text mode (CLI instead of GUI)?
In /etc/default/grub, change this line:

    GRUB_CMDLINE_LINUX_DEFAULT="splash quiet"

to:

    GRUB_CMDLINE_LINUX_DEFAULT="text"

Then run:

    sudo update-grub

For more information, please see:

How do I get Security Onion to recognize more than 4GB of RAM?
Install the PAE kernel as described here:

How do I disable the graphical Network Manager and configure networking from the command line?
http://code.google.com/p/security-onion/wiki/NetworkConfiguration

Why can't I upgrade past version 20110628?
If your /etc/nsm/securityonion.conf says:

    VERSION=20110628

Your Security Onion installation is up to date.

    VERSION=20110709
I'm running Security Onion in a VM and the screensaver is using lots of CPU. How do I change/disable the screensaver?
I'm currently running Snort. How do I switch to Suricata?
First, make sure you're running the latest version of Security Onion. Then run the following commands:

    sudo nsm_sensor_ps-stop --only-snort-alert
    sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf
    sudo /usr/local/bin/pulledpork_update.sh

I'm currently running Suricata. How do I switch to Snort?
First, make sure you're running the latest version of Security Onion. Then run the following commands:

    sudo nsm_sensor_ps-stop --only-snort-alert
    sudo sed -i 's|ENGINE=suricata|ENGINE=snort|g' /etc/nsm/securityonion.conf
    sudo /usr/local/bin/pulledpork_update.sh

How do I add a new user to Sguil?
You can add new Sguil user accounts with the following (if prompted for server name, enter "securityonion"):

    sudo /usr/local/sbin/nsm_server_user-add

I get periodic MySQL crashes and/or error code 24 "out of resources" when searching in Sguil. How do I fix that?
First, stop sguil and mysql:

    sudo nsm_server_ps-stop
    sudo service mysql stop

Next, edit /etc/mysql/my.cnf and add the following in the mysqld section:

    open-files-limit = 4096

Finally, start mysql and sguil:

    sudo service mysql start
    sudo nsm_server_ps-start

For more information, please see:

How can I install FreeNX on Security Onion?
Installing FreeNX on Security Onion Wiki Article - Contributed by Lance Honer

How can I add and test local rules?
Adding local rules and testing them with scapy

Why is the Snorby dashboard not displaying correctly?
Why do I have to restart the Sensor Cache job periodically?
All known issues with the dashboard and sensor cache job have been resolved with the release of Snorby 2.5.1 in Security Onion 20120321:

Why isn't Snorby showing GeoIP data properly?
Try forcing the GeoIP job to run by doing the following:

    cd /usr/local/share/snorby/
    sudo RAILS_ENV=production bundle exec rails c
    Snorby::Jobs::GeoipUpdatedbJob.new(true).perform
    quit

Why does Snort segfault every day at 7:01 AM?
7:01 AM is the time of the daily PulledPork rules update. If you're running Snort with the VRT ruleset, this includes updating the SO rules. There is a known issue when running Snort with the VRT ruleset and updating the SO rules:

Barnyard2 is failing with an error like "ERROR: sguil: Expected Confirm 13324 and got: Failed to insert 13324: mysqlexec/db server: Duplicate entry '9-13324' for key 'PRIMARY'". How do I fix this?
Sometimes, just restarting Barnyard will clear this up:

    sudo nsm_sensor_ps-restart --only-barnyard2

Other times, restarting Sguild and then restarting Barnyard will clear it up:

    sudo nsm_server_ps-restart
    sudo nsm_sensor_ps-restart --only-barnyard2

If that doesn't work, then try also restarting mysql:

    sudo service mysql restart
    sudo nsm_server_ps-restart
    sudo nsm_sensor_ps-restart --only-barnyard2

If that still doesn't fix it, you may have to perform MySQL surgery on the database "securityonion_db" as described in the Sguil FAQ: http://nsmwiki.org/Sguil_FAQ#Barnyard_dies_at_startup.2C_with_.22Duplicate_Entry.22_error

How do I access Xplico with a hostname instead of IP address?
From Gianluca Costa: To change this behavior you must modify the PHP code:
- file /opt/xplico/xi/cake/dispatcher.php

What's the difference between a "server" and a "sensor"?
box

Where do I send questions/problems/suggestions?
The Security Onion mailing list is provided by Google Groups. Please join the mailing list here:
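The Snort/Suricata switch questions above rewrite ENGINE= in /etc/nsm/securityonion.conf with a bare sed. As an added example, not Security Onion's own tooling, here is the same edit with the checks a cautious operator would want first: only the two supported engine names are accepted, the file must contain exactly one ENGINE= line, and the result is verified before any service would be restarted. It works on a constructed scratch copy (SAMPLE_CONF, with made-up values), never on the live config.

```shell
#!/bin/sh
# Added example, not part of Security Onion: switch ENGINE= in a copy of
# securityonion.conf safely. set_engine CONF ENGINE rewrites the value and
# returns non-zero (without touching the file) on an unknown engine or an
# ambiguous config; current_engine CONF prints the value currently set.

set_engine() {
    conf="$1"; engine="$2"
    case "$engine" in
        snort|suricata) ;;
        *) echo "unsupported engine: $engine" >&2; return 2 ;;
    esac
    # Refuse to edit unless there is exactly one ENGINE= line to change.
    n=$(grep -c '^ENGINE=' "$conf" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one ENGINE= line, found $n" >&2
        return 3
    fi
    # Write through a temp file instead of sed -i so any POSIX sed works.
    sed "s|^ENGINE=.*|ENGINE=$engine|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Confirm the edit actually took before reporting success.
    grep -q "^ENGINE=$engine\$" "$conf"
}

current_engine() {
    sed -n 's/^ENGINE=//p' "$1"
}

# Constructed sample config; the real file lives at /etc/nsm/securityonion.conf.
SAMPLE_CONF=$(mktemp)
printf 'DAYSTOKEEP=365\nENGINE=snort\nVERSION=20120321\n' > "$SAMPLE_CONF"
```

After a successful set_engine the page's procedure continues with stopping the old engine and running pulledpork_update.sh; a rejected call leaves the file unchanged so nothing else needs to be rolled back.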