Where are Detections modifications authoritatively stored, and are they getting backed up by so-config-backup? #14964
Replies: 2 comments
-
|
Overrides (Sigma filters, NIDS supressions, etc) & custom rules are authoritatively stored in Elasticsearch under the A restore script has not been created, but is in the works. I have created an issue to track refactoring of the detections backup - specifically, moving the initial backup (from ES --> disk) out of /nsm/backup/detections, and then adding the new location to the so-config-backup script. That issue is here: #14992 |
Beta Was this translation helpful? Give feedback.
-
|
I wondered if you had the Detections stuff databased somewhere. I'm glad you are exporting it to /nsm/backup/detections and can confirm I see signs of local rules and override rules therein, though I have not seen any signs in that location of rules just being plain disabled in Detections. Would that be backed up instead under /opt/so/saltstack/local/pillar/idstools/soc_idstools.sls inside of the so-config-backup-*.tar file? If so, please make sure your restore script also covers the restoration of the enablesid/disablesid stuff, too. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Version
2.4.170
Installation Method
Security Onion ISO image
Description
other (please provide detail below)
Installation Type
other (please provide detail below)
Location
other (please provide detail below)
Hardware Specs
Meets minimum requirements
CPU
na
RAM
na
Storage for /
na
Storage for /nsm
na
Network Traffic Collection
other (please provide detail below)
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
With the new Detections rule management layer in Security Onion, where are the customizations that are made under that module actually stored authoritatively? When I untar my latest /nsm/backup/so-config-backup-* file and recursively grep for one Suricata sid that I have disabled with Detections, and another Suricata sid that I added as a new local rule with Detections, the only signs I see of those sids are in these two files:
opt/so/saltstack/local/pillar/idstools/soc_idstools.slsopt/so/saltstack/local/salt/idstools/rules/local.rulesAre these really where Detections retains its rule modifications, or is this just where those mods are rendered? In the past, any time I've tried to make any direct changes to the local soc_idstools.sls file, the changes have not been honored. This leaves me concerned that if I need to rebuild an NSM system that I may not have any way to successfully restore all the customizations I formerly had in place in the context of Detections.
Please confirm that the so-config-backup facility really is backing up Detections changes in a way that really can be restored from backup if an NSM rebuild were necessary. And whether or not this is presently the case, please clarify what the authoritative location is where Detections stores configured rule customizations and additions.
Thanks,
Kevin Branch
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions