You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: airgap.rst
+5-3Lines changed: 5 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,8 +25,10 @@ Airgap mode works as follows:
25
25
Rule Updates
26
26
------------
27
27
28
-
Our ISO image includes the Emerging Threats (ET) ruleset. When :ref:`soup` updates an airgap system via ISO, it automatically installs the latest ET rules as well. If you would like to switch to a different ruleset like Emerging Threats Pro (ETPRO), then you can manually copy the ETPRO rules to ``/nsm/rules/suricata/emerging-all.rules`` using a command like:
28
+
Our ISO image includes the latest version of various rulesets and will automatically install them when an airgap system is SOUP'ed via ISO:
29
29
30
-
::
30
+
- :ref:`nids`: Emerging Threats (ETOPEN). If you would like to switch to a different ruleset like Emerging Threats Pro (ETPRO), refer to our Ruleset config documentation :ref:`nids`
Copy file name to clipboardExpand all lines: architecture.rst
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -45,10 +45,10 @@ For more information, please see the :ref:`desktop` section.
45
45
Distributed
46
46
-----------
47
47
48
-
A standard distributed deployment includes a **manager node**, one or more **forward nodes** running network sensor components, and one or more **search nodes** running Elastic search components. This architecture may cost more upfront, but it provides for greater scalability and performance, as you can simply add more nodes to handle more traffic or log sources.
48
+
A standard distributed deployment includes a **manager node**, one or more **sensor nodes** running network sensor components, and one or more **search nodes** running Elastic search components. This architecture may cost more upfront, but it provides for greater scalability and performance, as you can simply add more nodes to handle more traffic or log sources.
49
49
50
50
- Recommended deployment type
51
-
- Consists of a manager node, one or more forward nodes, and one or more search nodes
51
+
- Consists of a manager node, one or more sensor nodes, and one or more search nodes
52
52
53
53
.. note::
54
54
@@ -102,12 +102,12 @@ A manager search node runs the following components:
102
102
- :ref:`elastalert`
103
103
- :ref:`redis`
104
104
105
-
Forward Node
105
+
Sensor Node
106
106
~~~~~~~~~~~~
107
107
108
-
A ``forward node`` forwards alerts and logs from :ref:`suricata` and :ref:`zeek` via :ref:`elastic-agent` to :ref:`logstash` on the manager node, where they are stored in :ref:`elasticsearch` on the manager node or a search node (if the manager node has been configured to use a search node). Full packet capture recorded by :ref:`stenographer` or :ref:`suricata` remains on the forward node itself.
108
+
A ``sensor node`` forwards alerts and logs from :ref:`suricata` and :ref:`zeek` via :ref:`elastic-agent` to :ref:`logstash` on the manager node, where they are stored in :ref:`elasticsearch` on the manager node or a search node (if the manager node has been configured to use a search node). Full packet capture recorded by :ref:`stenographer` or :ref:`suricata` remains on the sensor node itself.
In order to add the Remote Network Forward Node to the Grid, you would have to add ``10.55.1.10`` to the ``sensor`` firewall hostgroup.
193
+
In order to add the Remote Network Sensor Node to the Grid, you would have to add ``10.55.1.10`` to the ``sensor`` firewall hostgroup.
194
194
195
195
This change can be done in the SOC Configuration screen. Then, either wait up to 15 minutes for the scheduled configuration sync to run, or force a synchronization immediately via the SOC Configuration Options. Once the firewall hostgroup configuration has been synchronized your Manager will be ready for remote minions to start connecting.
Copy file name to clipboardExpand all lines: cloud-google.rst
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -225,7 +225,7 @@ If connecting sensors through the VPN instance you will need to add the inside i
225
225
Location: Remote Location: Remote Location: Googe Location: Google
226
226
192.168.33.13 192.168.33.10 10.55.1.10 10.55.1.20
227
227
228
-
In order to add the Remote Network Forward Node to the Grid, you would have to add ``10.55.1.10`` to the ``sensor`` firewall hostgroup.
228
+
In order to add the Remote Network Sensor Node to the Grid, you would have to add ``10.55.1.10`` to the ``sensor`` firewall hostgroup.
229
229
230
230
This change can be done in the SOC Configuration screen. Then, either wait up to 15 minutes for the scheduled configuration sync to run, or force a synchronization immediately via the SOC Configuration Options. Once the firewall hostgroup configuration has been synchronized your Manager will be ready for remote minions to start connecting.
Copy file name to clipboardExpand all lines: configuration.rst
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,7 +36,7 @@ Standalone is similar to Evaluation in that it only requires a single box, but S
36
36
Production Server - Distributed Deployment
37
37
------------------------------------------
38
38
39
-
If deploying a distributed environment, install and configure the manager node first and then join the other nodes to it. For best performance, the manager node should be dedicated to just being a manager for the other nodes (the manager node should not do any network sniffing, that should be handled by dedicated forward nodes).
39
+
If deploying a distributed environment, install and configure the manager node first and then join the other nodes to it. For best performance, the manager node should be dedicated to just being a manager for the other nodes (the manager node should not do any network sniffing, that should be handled by dedicated sensor nodes).
40
40
41
41
Build the manager by running Setup, selecting the ``DISTRIBUTED`` deployment option, and choosing the ``New Deployment`` option. You can choose either ``MANAGER`` or ``MANAGERSEARCH``. If you choose ``MANAGER``, then you must join one or more search nodes (this is optional if you choose ``MANAGERSEARCH``) and you will want to do this before you start joining other node types.
Copy file name to clipboardExpand all lines: detections.rst
+6-7Lines changed: 6 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -30,7 +30,8 @@ Here is the list of possible status messages and what they mean:
30
30
- **Migration Failed**: A failure occurred during the migration. The migration will stop on the first error and will not attempt to migrate to newer versions until the issue is resolved.
31
31
- **Synchronizing**: A rule synchronization is in progress. This occurs daily, to ensure the Security Onion grid has the latest rules.
32
32
- **Sync Failed**: A failure occurred during the synchronization procedure. The next sync will retry within a few minutes.
33
-
- **Rule Mismatch**: An integrity check process detected a mismatch between the deployed rules and the enabled rules. The SOC log will note the specific mismatched rules. One possible reason for this is if you had previously added custom rules to /opt/so/saltstack/local/salt/idstools/rules/local.rules and, if this is the case, then you can remove the rules from that file and re-add them using the Detections interface. Another possible reason is that :ref:`elasticsearch` has reached its disk watermark setting and is no longer allowing updates to the Detections indices.
33
+
- **Sync Blocked**: Rule synchronization is currently blocked.
34
+
- **Rule Mismatch**: An integrity check process detected a mismatch between the deployed rules and the enabled rules. The SOC log will note the specific mismatched rules. One possible reason is that :ref:`elasticsearch` has reached its disk watermark setting and is no longer allowing updates to the Detections indices.
34
35
- **OK**: No known issues with the rule engine.
35
36
36
37
.. tip::
@@ -147,8 +148,8 @@ Elastalert/Sigma
147
148
- Immediate change in the UI and on disk
148
149
149
150
Suricata/NIDS
150
-
- UI Bulk and Individual: Immediate change in the UI, disk change once the `idstools` state runs again
151
-
- Regex: UI and disk change once the `soc` state runs again and the :ref:`suricata` engine syncs
151
+
- UI Bulk and Individual: Immediate change in the UI and on disk
152
+
- Regex: UI and disk change once the :ref:`suricata` engine syncs
152
153
153
154
Strelka/YARA
154
155
- Immediate change in the UI, disk change once the `strelka` state runs again
@@ -160,7 +161,7 @@ Elastalert/Sigma
160
161
- Immediate change in the UI and on disk
161
162
162
163
Suricata/NIDS
163
-
- Immediate change in the UI, disk change once the `idstools` state runs again
164
+
- Immediate change in the UI and on disk
164
165
165
166
Strelka/YARA
166
167
- N/A
@@ -173,9 +174,7 @@ Elastalert/Sigma
173
174
- Git repo (https or disk): UI and disk change once the `soc` state runs again and the :ref:`elastalert` engine syncs
174
175
175
176
Suricata/NIDS
176
-
- ETOPEN/ETPRO: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs
177
-
- Custom URL: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs
178
-
- Custom Local File: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs
177
+
- All ruleset sources (ETOPEN, ETPRO, custom URL, local directory): UI and disk change once the :ref:`suricata` engine syncs
179
178
180
179
Strelka/YARA
181
180
- Git repo (https or disk): UI and disk change once the `soc` state runs again and the :ref:`strelka` engine syncs
Copy file name to clipboardExpand all lines: elastic-agent.rst
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,7 +11,7 @@ Each Security Onion node uses the Elastic Agent to transport logs to :ref:`elast
11
11
12
12
.. note::
13
13
14
-
In order to receive logs from the Elastic Agent, Security Onion must be running :ref:`logstash`. Evaluation Mode and Import Mode do not run :ref:`logstash`, so you'll need Standalone or a full Distributed Deployment. In a Distributed Deployment, forward nodes do not run :ref:`logstash`, so you'll need to configure agents to send to your manager or receiver nodes. For more information, please see the :ref:`architecture` section.
14
+
In order to receive logs from the Elastic Agent, Security Onion must be running :ref:`logstash`. Evaluation Mode and Import Mode do not run :ref:`logstash`, so you'll need Standalone or a full Distributed Deployment. In a Distributed Deployment, sensor nodes do not run :ref:`logstash`, so you'll need to configure agents to send to your manager or receiver nodes. For more information, please see the :ref:`architecture` section.
15
15
16
16
To deploy an Elastic agent to an endpoint, go to the :ref:`soc` :ref:`downloads` page and download the proper Elastic agent for the operating system of that endpoint.
0 commit comments