Security Onion Cheat Sheet

This document summarizes important configuration files, common tasks, and log files for Security Onion. It lists configuration files for tools like Snort, Suricata, Zeek, Elasticsearch, Logstash, Kibana, and Wazuh. It also describes common maintenance tasks that can be performed with commands like so-start and so-stop. Log file locations are provided for tools running on sensors and the master server.

Uploaded by: Miguel Vellasco

IMPORTANT FILES

Configuration Files

  General Settings          /etc/nsm/securityonion.conf
  Sensor Settings           /etc/nsm/<hostname-interface>/sensor.conf
  Maintenance Scripts       /etc/cron.d, /usr/sbin
  Snort                     /etc/nsm/<hostname-interface>/snort.conf
  Suricata                  /etc/nsm/<hostname-interface>/suricata.yaml
  Zeek/Bro                  /opt/bro
  Zeek/Bro Config           /opt/bro/etc/networks.cfg, node.cfg
  Zeek/Bro Local Policy/Scripts/Intel
                            /opt/bro/share/bro/site/local.bro (config)
                            /opt/bro/share/bro/policy (scripts)
                            /opt/bro/share/bro/intel/intel.dat (intel)
  Elasticsearch Config      /etc/elasticsearch/elasticsearch.yml
                            /etc/elasticsearch/jvm.options (heap size)
  Logstash Config           /etc/logstash/logstash.yml
                            /etc/logstash/jvm.options (heap size)
                            /etc/logstash/conf.d (standard pipeline config)
                            /etc/logstash/custom (custom pipeline config and custom templates)
  Kibana Config             /etc/kibana/kibana.yml
  Curator Config            /etc/curator/config/curator.yml
  Syslog-NG                 /etc/syslog-ng/syslog-ng.conf
  Wazuh/OSSEC               /var/ossec/etc/ossec.conf
  Sguil (Server)            /etc/nsm/securityonion/sguild.conf
  Sguil (Client)            /etc/sguil/sguil.conf
  Sguil (Email)             /etc/nsm/securityonion/sguild.email
  Onionsalt                 /opt/onionsalt

Rule Management

  IDS Rules (Downloaded)        /etc/nsm/rules/downloaded.rules
  IDS Rules (Custom)            /etc/nsm/rules/local.rules
  Rule Thresholds               /etc/nsm/rules/threshold.conf
  Disabled Rules                /etc/nsm/pulledpork/disablesid.conf
  Modified Rules                /etc/nsm/pulledpork/modifysid.conf
  PulledPork Config             /etc/nsm/pulledpork/pulledpork.conf
  Wazuh/OSSEC Rules             /var/ossec/rules/
  Wazuh/OSSEC Rules (Custom)    /var/ossec/rules/local_rules.xml
  Elastalert                    /etc/elastalert/rules/

Packet Filtering (BPF)

  Scope                         File
  Server (Entire Deployment)    /etc/nsm/rules/bpf.conf
  Sensor-Specific               /etc/nsm/<hostname-interface>/bpf.conf
  Component-Specific            /etc/nsm/<hostname-interface>/bpf-bro.conf, bpf-ids.conf, etc.

COMMON TASKS

General Maintenance

  Task                                                      Command
  Check Service Status                                      so-status
  Start/Stop/Restart All Services                           so-start|stop|restart
  Start/Stop/Restart Server Services                        so-sguild-start|stop|restart
  Start/Stop/Restart Sensor Services                        so-sensor-start|stop|restart
  Start/Stop/Restart Docker                                 docker start|stop|restart
  Start/Stop All Docker Containers                          so-elastic-start|stop
  Start/Stop Specific Container/Service                     so-<noun>-<verb>, Ex: so-logstash-start|stop
  Add Analyst (Sguil/Squert/Kibana) User                    so-user-add
  Change Analyst User Password                              so-user-passwd
  Add/View Firewall Rules (Analyst, Beats, Syslog, etc.)    so-allow, so-allow-view
  Update SO (and Ubuntu)                                    soup
  Update Rules                                              rule-update
  Generate SO Statistics                                    sostat
  Check Redis Queue Length                                  so-redis-count

Salt Commands (from Master Server)

  Task                          Command
  Execute Command               salt '*' cmd.run '<command>'
  Verify Minions Up             salt '*' test.ping
  Sync Minions                  salt '*' state.highstate
  Update Entire Deployment      soup && salt '*' cmd.run 'soup -y'

DATA

Data Directories

  Packet Capture (Sensor)                 /nsm/sensor_data/<hostname-interface>/dailylogs/
  Alert Data (Sensor)                     /nsm/sensor_data/<hostname-interface>/
  Alert Data (Master)                     /var/lib/mysql/securityonion_db/
  Zeek/Bro (Archived) (Sensor)            /nsm/bro/logs/<yyyy-mm-dd>/
  Zeek/Bro (Current Hour) (Sensor)        /nsm/bro/logs/current/
  Zeek/Bro Extracted Files (Sensor)       /nsm/bro/extracted/ (only EXEs extracted by default)
  Elasticsearch (Master/Heavy/Storage)    /nsm/elasticsearch/nodes/<x>/indices/
  Wazuh/OSSEC HIDS                        /var/ossec/logs/

Ports/Protocols/Services (Distributed Deployment)

  Port/Protocol             Service/Purpose
  22/tcp (Sensor/Master)    SSH access / AutoSSH tunnel from sensor(s) to Master
  4505-4506/tcp (Master)    Salt communication from sensor(s) to Master
  7736/tcp (Master)         Sguild communication from sensor(s) to Master

Log Files

  Zeek/Bro          /nsm/bro/logs/current/stderr.log (errors), reporter.log (errors/warnings), loaded_scripts.log (loaded scripts)
  Elastalert        /var/log/elastalert/elastalert_stderr.log
  Elasticsearch     /var/log/elasticsearch/<hostname>.log
  Logstash          /var/log/logstash/logstash.log
  Kibana            /var/log/kibana/kibana.log
  Wazuh/OSSEC       /var/ossec/logs/ossec.log
  Sensor Logs       /var/log/nsm/<hostname-interface>/snortu-n.log, barnyard2-n.log, suricata.log, netsniff-ng.log
  Sguild            /var/log/nsm/securityonion/sguild.log
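Worked example for the Rule Management and Sensor Logs entries (added here; it is not part of the original cheat sheet): a duplicate-SID check to run over /etc/nsm/rules/local.rules and downloaded.rules before rule-update. Both Snort and Suricata complain when two rules share a sid/gid pair, one of the two rules is dropped or replaced, and the complaint is visible only in /var/log/nsm/<hostname-interface>/snortu-n.log or suricata.log, so catching it before the update saves a puzzled hour. The rule lines below are constructed samples in Snort rule syntax, not copied from any real ruleset.

```shell
#!/bin/sh
# Added example, not from the Security Onion cheat sheet: flag SIDs that occur
# more than once across the rule files the IDS engine loads. On a real sensor
# point it at /etc/nsm/rules/downloaded.rules and /etc/nsm/rules/local.rules.

# Constructed sample rule files (Snort syntax; not copied from a real ruleset).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/downloaded.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; flags:S; threshold:type both,track by_src,count 5,seconds 120; classtype:attempted-recon; sid:2001219; rev:20;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE ICMP echo"; itype:8; classtype:misc-activity; sid:2100384; rev:8;)
EOF

cat > "$SAMPLE_DIR/local.rules" <<'EOF'
# Local rules for this deployment (constructed)
alert tcp any any -> $HOME_NET 4444 (msg:"LOCAL default Metasploit handler port"; flags:S; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 4444 (msg:"LOCAL same sid pasted twice"; flags:S; classtype:trojan-activity; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL collides with a downloaded sid"; itype:8; classtype:misc-activity; sid:2100384; rev:1;)
EOF

# dup_sids FILE...  Print each SID seen more than once across FILE...
# (commented-out rules are ignored). Returns 0 when there are no
# duplicates, 1 otherwise.
dup_sids() {
    dups=$(grep -h -v '^[[:space:]]*#' "$@" \
        | sed -n 's/.*[[:space:](]sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' \
        | sort -n | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Pre-flight check on the sample files (prints 1000001 and 2100384).
dup_sids "$SAMPLE_DIR/downloaded.rules" "$SAMPLE_DIR/local.rules" \
    || echo "duplicate sids above: fix them before running rule-update"
```

The check deliberately reads downloaded.rules as well as local.rules, because the collision that bites in practice is a local sid that happens to land inside a range the downloaded ruleset already uses, not two copies of the same local rule. Custom rules should stay in the 1000000+ range reserved for local use.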
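Worked example for the Zeek/Bro intel entry under Configuration Files and the reporter.log entry under Log Files (added here; not part of the original cheat sheet): a format check for an intel file before it is dropped in place of /opt/bro/share/bro/intel/intel.dat. The Intel framework expects a "#fields" header and TAB-separated columns, and an editor that converts tabs to spaces, or a missing Intel:: prefix on the indicator type, yields a file that loads no indicators, with the only complaint in /nsm/bro/logs/current/reporter.log. The two feeds below are constructed samples using documentation addresses and domains.

```shell
#!/bin/sh
# Added example, not from the Security Onion cheat sheet: sanity-check a Zeek
# intel file before loading it. The Intel framework wants a "#fields" header
# and TAB-separated columns; spaces instead of tabs or a bad indicator_type
# mean no indicators load, and the error shows up in reporter.log.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample feeds (RFC 5737 addresses, .example domains).
# printf is used so the separators are real TAB characters.
{
    printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n'
    printf '198.51.100.23\tIntel::ADDR\tconstructed-feed\tsample C2 address\tT\n'
    printf 'badactor.example\tIntel::DOMAIN\tconstructed-feed\tsample phishing domain\tT\n'
} > "$SAMPLE_DIR/intel_good.dat"

{
    printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n'
    printf '198.51.100.24 Intel::ADDR constructed-feed spaces instead of tabs T\n'
    printf '203.0.113.9\tADDR\tconstructed-feed\tmissing Intel:: prefix\tT\n'
} > "$SAMPLE_DIR/intel_bad.dat"

# check_intel FILE  Report format problems, one per line. Exit 0 if clean.
check_intel() {
    awk -F '\t' '
        BEGIN { req["indicator"]; req["indicator_type"]; req["meta.source"] }
        NR == 1 {
            if ($1 != "#fields") {
                print FILENAME ": line 1 must be \"#fields\" followed by TAB-separated column names"
                bad = 1; exit
            }
            ncol = NF - 1                        # "#fields" itself is not a column
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            for (k in req) if (!(k in col)) {
                print FILENAME ": header lacks required column " k; bad = 1
            }
            next
        }
        /^#/ || /^[[:space:]]*$/ { next }        # only line 1 is treated as the header
        NF != ncol {
            printf "%s: line %d has %d TAB-separated fields, header has %d (spaces instead of tabs?)\n",
                   FILENAME, NR, NF, ncol
            bad = 1; next
        }
        ("indicator_type" in col) && $(col["indicator_type"]) !~ /^Intel::[A-Z_]+$/ {
            printf "%s: line %d: indicator_type \"%s\" is not an Intel:: type\n",
                   FILENAME, NR, $(col["indicator_type"])
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demonstration: the first file passes, the second reports two problems.
check_intel "$SAMPLE_DIR/intel_good.dat" && echo "intel_good.dat: OK"
check_intel "$SAMPLE_DIR/intel_bad.dat" || echo "intel_bad.dat: fix before loading"
```

After replacing intel.dat, watch reporter.log for Input framework messages; a clean run there, plus hits in intel.log once matching traffic is seen, confirms the feed actually loaded.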
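Worked example for the Salt Commands table (added here; not part of the original cheat sheet). A target of '*' only reaches minions that answer, so a state.highstate or a cmd.run 'soup -y' pushed while one sensor is unreachable silently leaves that sensor on the old version. The function below parses the output of salt '*' test.ping and lists the minions that did not reply. The sample output is constructed in Salt's default nested output format; "Minion did not respond. [No response]" is the text Salt prints for an unreachable minion.

```shell
#!/bin/sh
# Added example, not from the Security Onion cheat sheet: list minions that
# did not answer "salt '*' test.ping" so a highstate or "soup -y" is not
# pushed to a deployment where a sensor is unreachable.

# Constructed sample output in Salt's default nested format.
SAMPLE_PING='sensor1-eth1:
    True
sensor2-eth1:
    Minion did not respond. [No response]
storage1:
    True'

# down_minions  Read test.ping output on stdin; print each minion whose
# result is not "True". Returns 1 if any minion is down, else 0.
down_minions() {
    awk '
        /^[^[:space:]].*:$/ { name = substr($0, 1, length($0) - 1); next }
        name != "" {
            if ($1 != "True") { print name; down = 1 }
            name = ""
        }
        END { exit down + 0 }
    '
}

# Demonstration on the sample. On the master the same gate is:
#   salt '*' test.ping | down_minions && salt '*' state.highstate
if printf '%s\n' "$SAMPLE_PING" | down_minions; then
    echo "all minions up; safe to run: salt '*' state.highstate"
else
    echo "minions listed above are down; fix them before a highstate or soup -y"
fi
```

Run soup on the master first, as the cheat sheet's "Update Entire Deployment" line already does, and only then fan out to the minions; a sensor that was down during the fan-out needs its own soup once it is back, or it stays behind.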
Performance Tuning

  Target            Parameter/File
  Zeek/Bro          lb_procs in /opt/bro/etc/node.cfg
  Snort/Suricata    IDS_LB_PROCS in /etc/nsm/<hostname-interface>/sensor.conf
  PF_RING           min_num_slots in /etc/modprobe.d/pf_ring.conf
  Netsniff-NG       PCAP_OPTIONS, PCAP_SIZE, PCAP_RING_SIZE in /etc/nsm/<hostname-interface>/sensor.conf

Support

  Mailing List      https://securityonion.net/docs/mailinglists
  Blog              https://blog.securityonion.net
  Docs              https://securityonion.net/docs
  Reddit            https://www.reddit.com/r/securityonion
  Training, Professional Services, Hardware Appliances    https://securityonionsolutions.com

Originally Designed by: Chris Sanders - http://www.chrissanders.org - @chrissanders88
Updated by: Security Onion Solutions - https://securityonion.net - @securityonion
Security Onion Version: 16.04.6.4
Last Modified: 01.03.2020
