
Security Onion Cheat Sheet

This document summarizes the configuration files, common tasks, log files and data directories of Security Onion 16.04 (sheet version 16.04.6.1), an open source network security monitoring platform. Key configuration files include /etc/nsm/securityonion.conf for general settings and /etc/nsm/<hostname-interface>/sensor.conf for per-sensor settings. Common tasks cover starting and stopping services, managing IDS rules, checking service status, packet filtering (BPF) and Salt commands for distributed deployments. Log file locations are listed for components such as Bro, Elasticsearch and Logstash. Paths and commands differ in later Security Onion releases, so check the version line at the bottom of the sheet before relying on it.

IMPORTANT FILES

Configuration Files (Configuration / File)
  General Settings: /etc/nsm/securityonion.conf
  Sensor Settings: /etc/nsm/<hostname-interface>/sensor.conf
  Maintenance Scripts: /etc/cron.d, /usr/sbin
  Snort: /etc/nsm/<hostname-interface>/snort.conf
  Suricata: /etc/nsm/<hostname-interface>/suricata.yaml
  Bro: /opt/bro
  Bro Config: /opt/bro/etc/networks.cfg, /opt/bro/etc/node.cfg
  Bro Local Policy/Scripts/Intel: /opt/bro/share/bro/site/local.bro (config); /opt/bro/share/bro/policy (scripts); /opt/bro/share/bro/intel/intel.dat (intel)
  Elasticsearch Config: /etc/elasticsearch/elasticsearch.yml; /etc/elasticsearch/jvm.options (heap size)
  Logstash Config: /etc/logstash/logstash.yml; /etc/logstash/jvm.options (heap size); /etc/logstash/conf.d (standard pipeline config); /etc/logstash/custom (custom pipeline config and custom templates)
  Kibana Config: /etc/kibana/kibana.yml
  Curator Config: /etc/curator/config/curator.yml
  Syslog-NG: /etc/syslog-ng/syslog-ng.conf
  Wazuh: /var/ossec/etc/ossec.conf
  Sguil (Server): /etc/nsm/securityonion/sguild.conf
  Sguil (Client): /etc/sguil/sguil.conf
  Sguil (Email): /etc/nsm/securityonion/sguild.email
  Onionsalt: /opt/onionsalt

Log Files (Scope / File)
  Bro: /nsm/bro/logs/current/stderr.log (errors), reporter.log (errors/warnings), loaded_scripts.log (loaded scripts)
  Elastalert: /var/log/elastalert/elastalert_stderr.log
  Elasticsearch: /var/log/elasticsearch/<hostname>.log
  Logstash: /var/log/logstash/logstash.log
  Kibana: /var/log/kibana/kibana.log
  OSSEC: /var/ossec/logs/ossec.log
  Sensor Logs: /var/log/nsm/<hostname-interface>/snortu-n.log, barnyard2-n.log, suricata.log, netsniff-ng.log
  Sguild: /var/log/nsm/securityonion/sguild.log

COMMON TASKS

Rule Management (Configuration / File)
  IDS Rules (Downloaded): /etc/nsm/rules/downloaded.rules
  IDS Rules (Custom): /etc/nsm/rules/local.rules
  Rule Thresholds: /etc/nsm/rules/threshold.conf
  Disabled Rules: /etc/nsm/pulledpork/disablesid.conf
  Modified Rules: /etc/nsm/pulledpork/modifysid.conf
  PulledPork Config: /etc/nsm/pulledpork/pulledpork.conf
  Wazuh Rules: /var/ossec/rules
  Wazuh Rules (Custom): /var/ossec/rules/local_rules.xml
  Elastalert: /etc/elastalert/rules

General Maintenance (Task / Command)
  Check Service Status: so-status
  Start/Stop/Restart All Services: so-start|stop|restart
  Start/Stop/Restart Server Services: so-sguild-start|stop|restart
  Start/Stop/Restart Sensor Services: so-sensor-start|stop|restart
  Start/Stop/Restart Docker: docker start|stop|restart
  Start/Stop All Docker Containers: so-elastic-start|stop
  Start/Stop Specific Container/Service: so-<noun>-<verb>, e.g. so-logstash-start|stop
  Add Analyst (Sguil/Squert/Kibana) User: so-user-add
  Change Analyst User Password: so-user-passwd
  Add/View Firewall Rules (Analyst, Beats, Syslog, etc.): so-allow, so-allow-view
  Update SO (and Ubuntu): soup
  Update Rules: rule-update
  Generate SO Statistics: sostat
  Check Redis Queue Length: redis-cli llen logstash:redis

Packet Filtering (Scope / File)
  Server (Entire Deployment): /etc/nsm/rules/bpf.conf
  Sensor-Specific: /etc/nsm/<hostname-interface>/bpf.conf
  Component-Specific: /etc/nsm/<hostname-interface>/bpf-bro.conf, bpf-ids.conf, etc.

Salt Commands (from Master Server) (Task / Command)
  Execute Command: salt '*' cmd.run '<command>'
  Verify Minions Up: salt '*' test.ping
  Sync Minions: salt '*' state.highstate
  Update Entire Deployment: soup && salt '*' cmd.run 'soup -y'

DATA

Data Directories (Scope / Data Directory)
  Packet Capture (Sensor): /nsm/sensor_data/<hostname-interface>/dailylogs
  Alert Data (Sensor): /nsm/sensor_data/<hostname-interface>
  Alert Data (Master): /var/lib/mysql/securityonion_db
  Bro (Archived) (Sensor): /nsm/bro/logs/yyyy-mm-dd
  Bro (Current Hr) (Sensor): /nsm/bro/logs/current
  Bro Extracted Files (Sensor): /nsm/bro/extracted (only EXEs extracted, by default)
  Elasticsearch (Master/Heavy/Storage): /nsm/elasticsearch/nodes/x/indices

Ports/Protocols/Services (Distributed Deployment) (Port/Protocol / Service/Purpose)
  22/tcp (Sensor/Master): SSH access / AutoSSH tunnel from sensor(s) to Master
  4505-4506/tcp (Master): Salt comm from sensor(s) to Master
  7736/tcp (Master): Sguild comm from sensor(s) to Master

Performance Tuning (Target / Parameter/File)
  Bro: lb_procs in /opt/bro/etc/node.cfg
  Snort/Suricata: IDS_LB_PROCS in /etc/nsm/<hostname-interface>/sensor.conf
  PF_RING: min_num_slots in /etc/modprobe.d/pf_ring.conf
  Netsniff-NG: PCAP_OPTIONS, PCAP_SIZE, PCAP_RING_SIZE in /etc/nsm/<hostname-interface>/sensor.conf

Support
  Mailing List: https://securityonion.net/docs/mailinglists
  Reddit: https://www.reddit.com/r/securityonion/
  Docs: https://securityonion.readthedocs.io
  Blog: https://blog.securityonion.net
  Training, Professional Services, Hardware Appliances: https://securityonionsolutions.com

Originally Designed by: Chris Sanders - http://www.chrissanders.org - @chrissanders88
Updated by: Security Onion Solutions - https://securityonion.net - @securityonion
Security Onion Version: 16.04.6.1
Last Modified: 05.14.2019
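Worked example for the Rule Management files above (an added example, not part of the original cheat sheet or the Security Onion project): the usual tuning sequence on a 16.04 master is to add a custom rule to local.rules, silence a noisy downloaded SID in disablesid.conf or, better, suppress it for one host in threshold.conf, then run rule-update. NSM_ROOT is a hypothetical override (default /etc/nsm) so the functions can be exercised in a scratch directory first; the SIDs, the port and the IP are constructed.

```shell
#!/bin/sh
# Added example, not from the cheat sheet or the Security Onion project: the
# rule-tuning workflow on a Security Onion 16.04 master using the files the sheet
# lists. NSM_ROOT is a hypothetical override (default /etc/nsm) so the functions
# can be exercised in a scratch directory; the SIDs and IP below are constructed.
NSM_ROOT="${NSM_ROOT:-/etc/nsm}"

# Append a custom rule to local.rules. Local SIDs must be >= 1000000 so they
# never collide with downloaded rules; refuse anything else.
so_add_local_rule() {
    rule="$1"
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p')
    [ -n "$sid" ] || { echo "rule has no sid" >&2; return 1; }
    [ "$sid" -ge 1000000 ] || { echo "sid $sid is outside the local range" >&2; return 1; }
    mkdir -p "$NSM_ROOT/rules"
    printf '%s\n' "$rule" >> "$NSM_ROOT/rules/local.rules"
}

# Disable a downloaded rule via PulledPork's disablesid.conf (gid:sid, one per
# line). Idempotent, so it can be re-run from a runbook.
so_disable_sid() {
    f="$NSM_ROOT/pulledpork/disablesid.conf"
    mkdir -p "$NSM_ROOT/pulledpork"; touch "$f"
    grep -qxF "$1:$2" "$f" || printf '%s:%s\n' "$1" "$2" >> "$f"
}

# Suppress a rule for one source IP in threshold.conf. Unlike disabling, the
# rule keeps firing for every other host, which is the right tool for a known
# scanner or backup server.
so_suppress_sid_for_ip() {
    f="$NSM_ROOT/rules/threshold.conf"
    mkdir -p "$NSM_ROOT/rules"; touch "$f"
    line="suppress gen_id $1, sig_id $2, track by_src, ip $3"
    grep -qxF "$line" "$f" || printf '%s\n' "$line" >> "$f"
}

# Number of gid:sid entries currently disabled (comments and blanks ignored).
so_disabled_count() {
    grep -c '^[0-9][0-9]*:[0-9][0-9]*' "$NSM_ROOT/pulledpork/disablesid.conf" 2>/dev/null || true
}

# Apply the tuning and push it to the IDS engines. rule-update re-runs
# PulledPork and restarts Snort/Suricata; it only exists on a real SO box, so it
# is skipped elsewhere. Set SO_APPLY=1 to run this section.
if [ -n "${SO_APPLY:-}" ]; then
    so_add_local_rule 'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound connection to tcp/4444"; flow:to_server,established; classtype:trojan-activity; sid:9000001; rev:1;)'
    so_disable_sid 1 2100498                    # constructed: a noisy downloaded SID
    so_suppress_sid_for_ip 1 2019401 10.0.0.5   # constructed: SID and backup host
    if command -v rule-update >/dev/null 2>&1; then rule-update; fi
fi
```

Prefer threshold.conf suppression over disablesid.conf when only one host is noisy: a disabled rule is blind everywhere, a suppressed one still catches the same behaviour from any other source. Nothing takes effect until rule-update has run.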
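Worked example for the Packet Filtering files above (an added example, not part of the original cheat sheet or the Security Onion project): a BPF expression that does not compile keeps the capture processes that read it from starting, so the filter is compiled with tcpdump before it is written to the deployment-wide /etc/nsm/rules/bpf.conf. The compile step runs against an empty Ethernet pcap built inline, so it needs neither root nor a capture interface. Two assumptions are made here: that '#' lines in bpf.conf are comments and the remaining lines form a single expression (confirm against your version), and that NSM_ROOT is a hypothetical override for dry runs. The backup-server filter is constructed.

```shell
#!/bin/sh
# Added example, not from the cheat sheet or the Security Onion project: writing
# the deployment-wide capture filter (/etc/nsm/rules/bpf.conf) only after the
# expression is known to compile. Assumptions: '#' lines in bpf.conf are
# comments and the remaining lines form one BPF expression (confirm against your
# version), and NSM_ROOT is a hypothetical override for dry runs. The
# backup-server filter below is constructed.
NSM_ROOT="${NSM_ROOT:-/etc/nsm}"

# Collapse a bpf.conf file to the single expression the capture processes get.
so_bpf_expression() {
    grep -v '^[[:space:]]*#' "$1" | tr -s '[:space:]' ' ' | sed 's/^ *//; s/ *$//'
}

# Compile an expression with tcpdump against an empty Ethernet pcap, so the
# check needs neither root nor a live interface.
# Returns 0 if it compiles, 1 if rejected, 2 if tcpdump is not installed.
so_bpf_validate() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    pcap=$(mktemp)
    # 24-byte libpcap global header: magic 0xa1b2c3d4 (little-endian), version
    # 2.4, zone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet); no packets.
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$pcap"
    rc=0
    tcpdump -r "$pcap" -d "$1" >/dev/null 2>&1 || rc=1
    rm -f "$pcap"
    return $rc
}

# Replace the deployment-wide filter. A filter that does not compile stops the
# processes that read it (netsniff-ng, Snort/Suricata, Bro) from starting, so a
# rejected expression is never written.
so_bpf_set() {
    rc=0; so_bpf_validate "$1" || rc=$?
    case $rc in
        1) echo "refusing to write BPF that does not compile: $1" >&2; return 1 ;;
        2) echo "tcpdump not found; writing filter unvalidated" >&2 ;;
    esac
    mkdir -p "$NSM_ROOT/rules"
    printf '# Deployment-wide capture filter. Restart sensor processes after editing.\n%s\n' \
        "$1" > "$NSM_ROOT/rules/bpf.conf"
}

# Example: drop a backup server's rsync traffic from capture, then restart the
# capture processes so they re-read the file. Set SO_APPLY=1 to run.
if [ -n "${SO_APPLY:-}" ]; then
    so_bpf_set 'not (host 10.0.0.5 and tcp port 873)'
    echo "active filter: $(so_bpf_expression "$NSM_ROOT/rules/bpf.conf")"
    if command -v so-sensor-restart >/dev/null 2>&1; then so-sensor-restart; fi
fi
```

The capture processes only read bpf.conf at startup, so the change is not live until so-sensor-restart (or so-restart) has run; a sensor-specific or component-specific file from the table overrides the deployment-wide one for that sensor or component.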
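Worked example for the General Maintenance command `redis-cli llen logstash:redis`, the Log Files list and the Salt commands above (an added example, not part of the original cheat sheet or the Security Onion project): a small health pass that classifies the Redis ingest backlog and counts error lines in the logs the sheet points at. REDIS_QUEUE_WARN is a hypothetical threshold, the `error|fatal` pattern is a coarse heuristic, and the reporter.log and suricata.log lines used to test it are constructed.

```shell
#!/bin/sh
# Added example, not from the cheat sheet or the Security Onion project: a quick
# health pass over the queue and log locations the sheet lists, each check a
# function returning a status so it can be scripted or fanned out from the
# master with Salt. REDIS_QUEUE_WARN is a hypothetical threshold, "error|fatal"
# is a coarse heuristic, and the log lines used for testing are constructed.
REDIS_QUEUE_WARN="${REDIS_QUEUE_WARN:-100000}"

# Classify the Logstash ingest backlog from the number the sheet's command
# (redis-cli llen logstash:redis) prints. A queue that only grows means
# Logstash/Elasticsearch cannot keep up with the sensors.
# Returns 0 = ok, 1 = backlog above REDIS_QUEUE_WARN, 2 = value unreadable.
so_redis_backlog() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -le "$REDIS_QUEUE_WARN" ] && return 0
    return 1
}

# Count lines that look like errors in one log file (prints the count).
so_count_errors() {
    grep -ciE 'error|fatal' "$1" || true
}

# Report on the queue and the error-prone logs from the sheet. root prefixes the
# absolute paths (empty on a live system) so the function can run on a scratch
# tree. Returns 1 if anything needs attention.
so_health_report() {
    root="$1"; qlen="$2"; status=0
    rc=0; so_redis_backlog "$qlen" || rc=$?
    case $rc in
        0) echo "redis logstash:redis length $qlen: ok" ;;
        1) echo "redis logstash:redis length $qlen: BACKLOG (warn > $REDIS_QUEUE_WARN)"; status=1 ;;
        *) echo "redis logstash:redis length unreadable (is Redis up?)"; status=1 ;;
    esac
    for f in "$root"/nsm/bro/logs/current/reporter.log \
             "$root"/nsm/bro/logs/current/stderr.log \
             "$root"/var/log/nsm/*/suricata.log \
             "$root"/var/log/nsm/*/netsniff-ng.log \
             "$root"/var/log/nsm/securityonion/sguild.log \
             "$root"/var/log/logstash/logstash.log; do
        [ -f "$f" ] || continue          # unmatched globs stay literal; skip them
        c=$(so_count_errors "$f")
        [ "$c" -eq 0 ] || status=1
        echo "$f: $c error line(s)"
    done
    return $status
}

# Live run on this box. From the master the same script can be pushed to every
# minion with the sheet's Salt form, e.g. salt '*' cmd.run 'sh /root/so-health.sh'
# (the script path is hypothetical). Set SO_LIVE=1 to run.
if [ -n "${SO_LIVE:-}" ]; then
    so_health_report "" "$(redis-cli llen logstash:redis 2>/dev/null)"
fi
```

Treat a non-zero exit as a prompt to read the specific file, not as a verdict: Elasticsearch and Logstash logs in particular mention "error" in ordinary INFO lines, so a count is only useful as a change from the last run.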
