Please see the Trouble Booting section.
Please see the Installation Procedure section.
The Keyboard Layout screen may be larger than your screen resolution, so the Continue button may be off the screen to the right (as shown in https://launchpadlibrarian.net/207213663/Screenshot_wilyi386deskmanual_2015-05-22_13%3A05%3A41.png). You can simply slide the window over until you see the Continue button. For more information, please see https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1458039.
Please see the Upgrade Procedure section.
Please see the Updating section.
Please see the Proxy Configuration section.
Ubuntu is saying that my kernel has reached EOL (End Of Life). Should I update to the newer HWE stack?
Please see the HWE section.
Usually this happens when you clone a VM. VMware asks if you moved it or copied it. If you select "copied", it will change the MAC address to avoid duplication. At the next boot, Ubuntu's udev will see a new MAC address and create a new network interface (eth1). To fix this:
sudo rm /etc/udev/rules.d/70-persistent-net.rules
sudo reboot
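To see why the clone ends up with eth1, it helps to look at what 70-persistent-net.rules actually contains: one udev rule per MAC address, each pinning that MAC to an interface name. After a "copied" VM boots with a fresh MAC, the old rule still claims eth0 for the old MAC, so the new MAC is assigned the next free name. The script below is an added example and not part of Security Onion or udev; it parses a constructed copy of the rules file (the MACs are made up) and flags the condition that the rm-and-reboot fix resolves. Removing the file is safe because udev regenerates it from the interfaces present at the next boot.

```shell
#!/bin/sh
# Added example (not Security Onion or udev code): inspect the udev
# persistent-net rules that pin interface names to MAC addresses.

# Print "NAME MAC" for every rule in a 70-persistent-net.rules file.
persistent_net_map() {
    sed -n 's/.*ATTR{address}=="\([^"]*\)".*NAME="\([^"]*\)".*/\2 \1/p' "$1"
}

# Print the interface name udev has pinned to MAC, or nothing if it is unpinned.
persistent_net_name_for_mac() {
    persistent_net_map "$1" | awk -v mac="$2" '$2 == mac { print $1 }'
}

# Succeed when more than one name is pinned, i.e. a clone has picked up a
# second rule. This is the state the FAQ fixes by removing the file.
persistent_net_has_stale_rules() {
    [ "$(persistent_net_map "$1" | grep -c .)" -gt 1 ]
}

# Constructed sample (MACs are invented): the original VM's MAC pinned to
# eth0, then the MAC VMware assigned after "I copied it" pinned to eth1.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:11:22:33", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:44:55:66", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
EOF

persistent_net_map "$SAMPLE_RULES"
if persistent_net_has_stale_rules "$SAMPLE_RULES"; then
    echo "more than one pinned interface: remove the rules file and reboot"
fi
```

On a real sensor, point the functions at /etc/udev/rules.d/70-persistent-net.rules and compare the pinned MAC for eth0 against the MAC the VM currently has (visible in the VMware settings or in ip link); if they differ, the rule is stale.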
No, we only support 64-bit Intel/AMD architectures. Please see the hardware section.
Security Onion names each sensor $HOSTNAME-$INTERFACE and keeps its configuration in /etc/nsm/$HOSTNAME-$INTERFACE/. For example, a box with hostname securityonion has its server configuration in /etc/nsm/securityonion/ (started by /usr/sbin/nsm_server) and sensors securityonion-eth0 and securityonion-eth1 (started by /usr/sbin/nsm_sensor). Likewise, a sensor with hostname sensor1 monitoring two interfaces has sensors sensor1-eth0 and sensor1-eth1, with configuration in /etc/nsm/sensor1-eth0/ and /etc/nsm/sensor1-eth1/.
Please see the Passwords section.
Please see the Moderation section.
Please see the Proxy#pulledpork section.
Why does rule-update fail with an error like "Error 404 when fetching s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5"?
The Snort Community ruleset has moved to a different URL. You can run the following command to update the Snort Community URL in pulledpork.conf (the rule_url value itself contains | characters, so the sed expression uses # as its delimiter):
sudo sed -i 's#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community#g' /etc/nsm/pulledpork/pulledpork.conf
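The one-liner above is fine for a single box; when you have several sensors it is worth being able to check for the stale URL before and after the rewrite, and to know the edit is safe to re-run. The script below is an added example and is not part of Security Onion or PulledPork. It works on a constructed pulledpork.conf fragment (the Emerging Threats line is made up to show that unrelated rule_url entries are left alone) and uses the same # delimiter trick, because PulledPork's rule_url format is URL|tarball|prefix and the literal | characters rule out the usual s|old|new| form.

```shell
#!/bin/sh
# Added example (not Security Onion or PulledPork code): find and rewrite
# rule_url entries that still point at the retired S3 host.

OLD_PREFIX='https://s3.amazonaws.com/snort-org/www/rules/community/'
NEW_PREFIX='https://snort.org/downloads/community/'

# Print the rule_url lines of FILE that still use the old prefix
# (empty output means nothing is stale).
stale_rule_urls() {
    grep "^rule_url=$OLD_PREFIX" "$1" || true
}

# Rewrite those lines in place, keeping the tarball name and prefix label.
# Idempotent: running it twice changes nothing the second time.
fix_rule_urls() {
    sed -i "s#^rule_url=$OLD_PREFIX#rule_url=$NEW_PREFIX#" "$1"
}

# Print the Snort Community entry, for a quick check after the rewrite.
community_rule_url() {
    grep '|community-rules.tar.gz|' "$1"
}

# Constructed pulledpork.conf fragment: one stale Community entry and one
# invented Emerging Threats entry that must be left untouched.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
EOF

echo "stale before:"; stale_rule_urls "$SAMPLE_CONF"
fix_rule_urls "$SAMPLE_CONF"
echo "community entry after:"; community_rule_url "$SAMPLE_CONF"
echo "stale after:"; stale_rule_urls "$SAMPLE_CONF"
```

On a real sensor, pass /etc/nsm/pulledpork/pulledpork.conf to fix_rule_urls, then run sudo rule-update; stale_rule_urls should print nothing afterwards.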
Why does soup fail with an error message like "find: `/usr/lib/python2.7/dist-packages/salt/': No such file or directory"?
This is a bug in the salt packages that can manifest when skipping salt versions. Resolve with the following:
sudo mkdir -p /usr/lib/python2.7/dist-packages/salt/
sudo apt-get -f install
sudo soup
Why does barnyard2 keep failing with errors like "Returned signature_id is not equal to updated signature_id"?
I just updated Snort and it's now saying 'ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/chat.so" version 1.0 compiled with dynamic engine library version 2.1 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 2.4.'
Run the following:
sudo rule-update
For more information, please see:
https://blog.securityonion.net/2014/12/new-version-of-securityonion-rule.html
I get periodic MySQL crashes and/or error code 24 "out of resources" when searching in Sguil. How do I fix that?
Modern versions of Setup should set MySQL's open-files-limit to 90000 to avoid this problem.
Barnyard2 is failing with an error like "ERROR: sguil: Expected Confirm 13324 and got: Failed to insert 13324: mysqlexec/db server: Duplicate entry '9-13324' for key 'PRIMARY'". How do I fix this?
Sometimes, just restarting Barnyard will clear this up:
sudo so-barnyard-restart
Other times, restarting Sguild and then restarting Barnyard will clear it up:
sudo so-sguild-restart
sudo so-sensor-restart --only-barnyard2
If that doesn't work, then try also restarting mysql:
sudo service mysql restart
sudo so-sguild-restart
sudo so-sensor-restart --only-barnyard2
If that still doesn't fix it, you may have to perform MySQL surgery on the database securityonion_db.
7:01 AM is the time of the daily PulledPork rules update. If you're running Snort with the Snort Subscriber (Talos) ruleset, this includes updating the SO rules. There is a known issue when running Snort with the Snort Subscriber (Talos) ruleset and updating the SO rules: https://groups.google.com/d/topic/pulledpork-users/1bQDkh3AhNs/discussion
After updating the rules, Snort is restarted, and the segfault occurs in the OLD instance of Snort (not the NEW instance). Therefore, the segfault is merely a nuisance log entry and can safely be ignored.
This usually means that there is an unexpected file in the dailylogs directory. Run the following:
ls /nsm/sensor_data/*/dailylogs/
You should see a bunch of date stamped directories and you may see some extraneous files. Remove any extraneous files and restart pcap_agent:
sudo so-pcap-agent-restart
This is a known issue with certain versions of VMware. You can either:
- go into the VM configuration and disable 3D in the video adapter OR
- upgrade the VM hardware level (may require upgrading to a new version of VMware)
The GeoIP CITY database is not free and thus we cannot include it in the distro. Zeek fails to find it and falls back to the GeoIP COUNTRY database (which is free). As long as you are seeing some country codes in your conn.log, then everything should be fine. If you really need the CITY database, see this thread for some options: https://groups.google.com/d/topic/security-onion-testing/gtc-8ZTuCi4/discussion
Please see the Secure Boot section.
Please see the NIDS#switching-from-snort-to-suricata section.
Please see the NIDS#switching-from-suricata-to-snort section.
Please see the NIDS#NIPS section.
Please see the Tools section.
Please see the /nsm Directory Structure section.
Please see the UTC and Time Zones section.
Please see the UTC and Time Zones section.
Sguil uses netsniff-ng to record full packet captures to disk. These pcaps are stored in /nsm/sensor_data/$HOSTNAME-$INTERFACE/dailylogs/, one date-stamped directory per day. /etc/cron.d/sensor-clean is a cronjob that runs every minute and deletes the oldest pcaps when the disk reaches your defined disk usage threshold (90% by default). It's important to properly size your disk storage so that you avoid filling the disk to 100% between purges: at high capture rates a busy sensor can write more than the purge removes within the one-minute interval.
Older versions of Security Onion waited 60 seconds after boot to ensure network interfaces are fully initialized before starting services. Starting in 16.04, services should start automatically as soon as network interfaces are initialized.
Please see the tcl section.
Please see the VLAN Traffic section.
Please see the Email section.
Please see the BPF section.
Please see the BPF section.
Please see the BPF section.
Please see the Firewall section.
Please see the Adding a New Disk for /nsm section.
Please see the Network Configuration section.
Please see the Disabling Processes section.
Please see the Disabling Processes section.
Please see the DAYSTOKEEP setting in /etc/nsm/securityonion.conf.
UNCAT_MAX: please see the Sguil#customize-sguil-client section.
Please see the Interface stops receiving traffic section.
Please see the Disabling Desktop section.
I'm running Security Onion in a VM and the screensaver is using lots of CPU. How do I change/disable the screensaver?
- Click Applications.
- Click Settings.
- Click Screensaver.
- Screensaver Preferences window appears. Click the Mode dropdown and select "Disable Screen Saver" or "Blank Screen Only".
- Close the Screensaver Preferences window.
Sguild has to load uncategorized events into memory when it starts and it won't accept connections until that's complete. You can either:
- wait for sguild to start up (may take a LONG time), then log into Sguil and F8 LOTS of events, OR
- stop sguild (sudo so-sguild-stop) and manually categorize events using mysql, OR
- lower your DAYSTOKEEP setting in /etc/nsm/securityonion.conf and run sudo sguil-db-purge
To keep Uncategorized Events from getting too high, you should log into Sguil/Squert on a daily/weekly basis and categorize events.
If the machine was built with the Security Onion 16.04 ISO image, version information can be found in /etc/PinguyBuilder.conf.
Please see the Pcaps section.
Please see the NTP section.
Network Security Monitoring as a whole is considered "best effort". It is not a "mission critical" resource like a file server or web server. Since we're dealing with "big data" (potentially terabytes of full packet capture), backups would be prohibitively expensive. Most organizations don't do any backups and instead just rebuild boxes when necessary.
Please see the Adding local rules and testing them with scapy section.
You can download the full source code for any of our packages like this:
apt-get source PACKAGE-NAME
where PACKAGE-NAME is usually something like securityonion-snort. Here's a list of all of our packages:
https://launchpad.net/~securityonion/+archive/stable
If the Squert map is not showing the country for IPs, try running the following:
sudo /usr/bin/php -e /var/www/so/squert/.inc/ip2c.php 0
Please see the Deploying NtopNG section.
We're not allowed to redistribute the unrar plugin, so you'll need to install it manually:
sudo apt-get update
sudo apt-get install unrar
Security Onion is based on Ubuntu, but we don't provide community support for the Ubuntu OS itself. If you have questions about Ubuntu, you should check the Ubuntu website, forums, and Google.
We understand the appeal of Active Directory integration, but we typically recommend against joining any security infrastructure (including Security Onion) to Active Directory. The reason is that when you get an adversary inside your network, one of their first goals is going to be gaining access to Active Directory. If they get access to Active Directory, then they get access to everything connected to Active Directory. For that reason, we recommend that all security infrastructure (including Security Onion) be totally separate from Active Directory.