Frustrated with BPF and NIDS Rules #1931
-
Hi all: I thought I had things working, but I can't turn off rules or apply BPF to save my life. My setup is a forward sensor that is ingesting all of the traffic and a manager/search node. I added the rules to the global.sls, I added them to the minion sls file, I have restarted services on both nodes, and restarted the nodes themselves, to no avail. I can see when applying the state that the rules are added and it is all green, yet when I check in Kibana they are there in the Suricata feed and in the alerts page after that. I am not sure what I am missing here; I have followed the documentation closely. As an example: I have had these rules in my global.sls since last week. I have restarted everything and I am still getting new records on those rules.
Replies: 2 comments 2 replies
-
This all belongs in the minion pillar, not global. The minion config will overwrite the global. See https://docs.securityonion.net/en/2.3/managing-alerts.html?highlight=minionid where it details this. Once you change that, run:

```
so-idstools-restart
```

Next, look to see if the rules are disabled:

```
cat /opt/so/rules/nids/all.rules | grep 2100366
```

and make sure it is disabled. If the rules are commented out then they are disabled. You would then need to restart Suricata or wait for them to check in to restart themselves. The old alerts will still show up; only new alerts will stop.
-
I think my confusion comes from that link, where it says: "In a distributed Security Onion environment, you only need to change the configuration in the manager pillar and then all other nodes will get the updated rules automatically." I will try it on the minion configuration and see what happens. Thanks!
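The check the reply above describes (grep the SID in all.rules and confirm the line is commented out), as an added example; this is not part of the original thread and not Security Onion's own tooling. It assumes the 2.3 path `/opt/so/rules/nids/all.rules` mentioned in the reply, and that so-idstools marks a disabled rule by prefixing its line with `#`. The sample rules file it builds is constructed for the demo: the rule bodies are placeholders, only SID 2100366 comes from the thread, and 9000001/21003660 are made up. It also goes a step beyond the single grep by checking several SIDs at once and anchoring on `sid:<n>;` so a shorter SID does not match a longer one.

```shell
#!/bin/sh
# Added example (not Security Onion's own tooling): confirm that SIDs disabled
# in the pillar really ended up commented out in the rules file so-idstools
# writes, so you know whether Suricata still needs a restart.

# Path from the thread (Security Onion 2.3); override for testing.
RULES_FILE="${RULES_FILE:-/opt/so/rules/nids/all.rules}"

# sid_status SID FILE -> prints one of: disabled | active | missing
# A rule counts as disabled when its line starts with '#'.
sid_status() {
    sid="$1"
    file="$2"
    # Anchor on "sid:<n>;" so 2100366 does not also match 21003660.
    line=$(grep -E "sid:[[:space:]]*${sid}[[:space:]]*;" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    case "$(printf '%s' "$line" | sed 's/^[[:space:]]*//')" in
        '#'*) echo disabled ;;
        *)    echo active ;;
    esac
    return 0
}

# check_sids FILE SID... -> one "SID status" line per SID; returns 1 if any
# SID is still active, so it can gate a follow-up "restart Suricata" step.
check_sids() {
    file="$1"; shift
    rc=0
    for sid in "$@"; do
        status=$(sid_status "$sid" "$file")
        echo "$sid $status"
        [ "$status" = active ] && rc=1
    done
    return $rc
}

# Constructed sample standing in for all.rules. Rule bodies are placeholders,
# not real ET/GPL rule text; 2100366 is the SID from the thread, the rest are
# made up (assumption).
make_sample_rules() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# alert icmp any any -> any any (msg:"constructed sample, disabled"; sid:2100366; rev:8;)
alert icmp any any -> any any (msg:"constructed sample, still active"; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed sample, longer sid"; sid:21003660; rev:1;)
EOF
    echo "$f"
}

# On a real node:  check_sids "$RULES_FILE" 2100366 2100367
# Demo against the constructed file:  sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_rules)
    check_sids "$sample" 2100366 9000001 9000002 \
        || echo "some SIDs are still active: restart Suricata or wait for the next check-in"
    rm -f "$sample"
fi
```

Run it right after `so-idstools-restart`: a SID reported as `missing` means the rule never made it into all.rules at all (wrong pillar, or the ruleset was not pulled), while `active` means the pillar change was not applied to this node, which matches the symptom in the original question.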