################################ # sosetup.conf ################################ # This file can be used to automate sosetup. # # Copy this example file to your home directory: # cp /usr/share/securityonion/sosetup.conf ~ # # Edit your new sosetup.conf: # nano ~/sosetup.conf # # Run Setup with the -f switch and the path to this file: # sudo sosetup -f ~/sosetup.conf ################################ # Management Interface ################################ # MGMT_INTERFACE # Which network interface should be the management interface? # The management interface has an IP address and is NOT used for sniffing. MGMT_INTERFACE='enp0s3' # MGMT_CONFIG_TYPE # Should the management interface be configured using DHCP or static IP? # We recommend using static IP whenever possible. # MGMT_CONFIG_TYPE='static' MGMT_CONFIG_TYPE='DHCP' # If MGMT_CONFIG_TYPE=static, then provide the details here. # If you have multiple nameservers, please separate them with spaces like this: # NAMESERVER='192.168.204.2 192.168.204.3' ADDRESS='192.168.204.222' NETMASK='255.255.255.0' GATEWAY='192.168.204.2' NAMESERVER='192.168.204.2' DOMAIN='example.com' ################################ # Sniffing interface(s) ################################ # Which interface(s) will be sniffing network traffic? # For multiple interfaces, please separate them with spaces. # For example: # SNIFFING_INTERFACES='ens34 ens35' SNIFFING_INTERFACES='enp0s8' ################################ # Master Server ################################ # SERVER # If set to 1, then this box will be a Master server: # SERVER=1 # If set to 0, then this box will connect to a separate Master server: # SERVER=0 SERVER=1 # SERVERNAME # If SERVER=1, then this should be 'localhost': # SERVERNAME='localhost' # If SERVER=0, then this should be the name/IP of the separate Master server: # SERVERNAME='sguilserver.example.com' SERVERNAME='localhost' # SSH_USERNAME # If SERVER=0, then this should be the name of an # account on the separate Master server that has sudo privileges. # sudo privileges can be revoked after sosetup is complete. # SSH_USERNAME='sensor1' SSH_USERNAME='' # SGUIL_SERVER_NAME # If SERVER=1, then this is the name of the Sguil server we'll create. # You probably shouldn't change this value. SGUIL_SERVER_NAME='securityonion' # SGUIL_CLIENT_USERNAME # If SERVER=1, then this is the username that we'll create # for Sguil/Squert/Kibana. # Please use alphanumeric characters only! SGUIL_CLIENT_USERNAME='onionuser' # SGUIL_CLIENT_PASSWORD_1 # If SERVER=1, then this is the password that we'll create # for Sguil/Squert/Kibana. # If you set a password here, you may want to change it later and/or # shred this file. SGUIL_CLIENT_PASSWORD_1='asdfasdf' ################################ # Elastic Stack ################################ ELASTIC='yes' # LOG_SIZE_LIMIT # This setting controls how much disk space Elastic uses. # 10TB = 10000000000000 # LOG_SIZE_LIMIT='10000000000000' # 1TB = 1000000000000 # LOG_SIZE_LIMIT='1000000000000' # 100GB = 100000000000 # LOG_SIZE_LIMIT='100000000000' # 10GB = 10000000000 LOG_SIZE_LIMIT='10000000000' # If this is a master server that you want to extend # via storage nodes, then set LOGSTASH_OUTPUT_REDIS to 'yes'. LOGSTASH_OUTPUT_REDIS='no' # If this is a storage node that should consume from the # redis queue on the master server, then set LOGSTASH_INPUT_REDIS to 'yes'. LOGSTASH_INPUT_REDIS='no' # If this is a forward-only sensor, then set FORWARD to 'yes'. FORWARD='no' ################################ # Enable/disable services ################################ # The OSSEC agent sends OSSEC HIDS alerts into the Sguil database. # Do you want to run the OSSEC Agent? yes/no OSSEC_AGENT_ENABLED='yes' # OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild. OSSEC_AGENT_LEVEL='5' # Salt allows you to manage your entire Security Onion deployment # as one cohesive whole. It provides configuration management # and remote code execution. # Do you want to enable Salt? yes/no SALT='yes' ################################ # Sensor components ################################ # SENSOR # If set to 1, then this box will run sensor components and sniff ethernet interfaces: # SENSOR=1 # If set to 0, then this box will not run sensor components: # SENSOR=0 SENSOR=1 ################################ # Enable/disable sensor services ################################ # If SENSOR=0, then no sensor services will run. # If SENSOR=1, then the following services can be enabled/disabled. # BRO_ENABLED # Do you want to run Zeek? yes/no BRO_ENABLED='yes' # IDS_ENGINE_ENABLED # Do you want to run an IDS engine (Snort/Suricata)? yes/no IDS_ENGINE_ENABLED='yes' # SNORT_AGENT_ENABLED # Do you want to run the Snort agent? yes/no # The Snort agent sends Snort IDS alerts to the Sguil database. SNORT_AGENT_ENABLED='yes' # BARNYARD2_ENABLED # Do you want to run Barnyard2? yes/no # Barnyard2 sends IDS alerts from Snort/Suricata to # Sguil's Snort agent and syslog (Kibana). BARNYARD2_ENABLED='yes' # PCAP_ENABLED # Do you want to run full packet capture? yes/no PCAP_ENABLED='yes' # PCAP_AGENT_ENABLED # Do you want to run Sguil's pcap_agent? yes/no # The pcap_agent allows Sguil to access the pcap store. PCAP_AGENT_ENABLED='yes' ##!! THIS OPTION IS DEPRECATED AND IS NO LONGER USED - DO NOT ALTER OR REMOVE # PRADS_ENABLED # Do you want to run Prads? yes/no # Prads writes session data and asset data. # Zeek provides the same data types plus more, so most # folks don't run Prads. PRADS_ENABLED='no' ##!! THIS OPTION IS DEPRECATED AND IS NO LONGER USED - DO NOT ALTER OR REMOVE # SANCP_AGENT_ENABLED # Do you want to run the sancp_agent? yes/no # sancp_agent sends session data from Prads to Sguil. SANCP_AGENT_ENABLED='no' ##!! THIS OPTION IS DEPRECATED AND IS NO LONGER USED - DO NOT ALTER OR REMOVE # PADS_AGENT_ENABLED # Do you want to run the pads_agent? yes/no # pads_agent sends asset data from Prads to Sguil. PADS_AGENT_ENABLED='no' ##!! THIS OPTION IS DEPRECATED AND IS NO LONGER USED - DO NOT ALTER OR REMOVE # HTTP_AGENT_ENABLED # Do you want to run the http_agent? yes/no # http_agent sends http logs from Zeek to Sguil. # If you're running ELSA, then you probably want to disable this. HTTP_AGENT_ENABLED='no' ##!! THIS OPTION IS DEPRECATED AND IS NO LONGER USED - DO NOT ALTER OR REMOVE # ARGUS_ENABLED # Do you want to run Argus? yes/no # Argus writes session data, also provided by Zeek and Prads. # Most folks don't run Argus. ARGUS_ENABLED='no' ################################ # Rules ################################ # IDS_RULESET # This setting is only necessary on a master server. # Sensors automatically inherit ruleset from the master server. # Which IDS ruleset would you like to use? # Emerging Threats Open (no oinkcode required): # ETOPEN # Emerging Threats PRO (requires ETPRO oinkcode): # ETPRO # Sourcefire Talos (requires Talos oinkcode): # TALOS # TALOS and ET (requires TALOS oinkcode): # TALOSET IDS_RULESET='ETOPEN' # OINKCODE # This setting is only necessary on a master server. # Sensors automatically inherit ruleset from the master server. # If you're running TALOS or ETPRO rulesets, you'll need to supply your # oinkcode here. OINKCODE='' ################################ # PF_RING Config ################################ # PF_RING_SLOTS # The default is 4096. # High traffic networks may need to increase this. PF_RING_SLOTS=4096 ################################ # IDS Config ################################ # IDS_ENGINE # Which IDS engine would you like to run? snort/suricata # Whatever you choose here will apply to the master server # and then sensors inherit this setting from the master server. # To run Snort: # IDS_ENGINE='snort' # To run Suricata: # IDS_ENGINE='suricata' IDS_ENGINE='snort' # IDS_LB_PROCS # How many PF_RING load-balanced processes would you like to run? # This value should be lower than your number of CPU cores. IDS_LB_PROCS='1' # HOME_NET # Setup by default configures Snort/Suricata's HOME_NET variable # as RFC 1918 (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12). # If you wish to provide a custom value, enter it below, # ensuring a comma is placed after each range, with no spaces in between. # Ex. HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' ################################ # Zeek Config ################################ # BRO_LB_PROCS # How many PF_RING load-balanced processes would you like Zeek to run? # This value should be lower than your number of CPU cores. BRO_LB_PROCS='1' # EXTRACT_FILES # Do you want Zeek to automatically extract Windows EXEs and write them to disk? yes/no EXTRACT_FILES='yes' ################################ # PCAP Config ################################ # PCAP_SIZE # How large do you want your pcap files to be? # The default is 150MB. PCAP_SIZE='150' # PCAP_RING_SIZE # How big of a ring buffer should be allocated for netsniff-ng? # The default is 64MB. PCAP_RING_SIZE='64' # PCAP_OPTIONS # The default option here of '-c' is intended for low-volume environments. # If monitoring lots of traffic, you will want to remove the -c to use # netsniff-ng's default scatter/gather I/O or consider netsniff-ng's --mmap option. PCAP_OPTIONS='-c' ################################ # Maintenance ################################ # WARN_DISK_USAGE # Begin warning when disk usage reaches this level WARN_DISK_USAGE='80' # CRIT_DISK_USAGE # Begin purging old files when disk usage reaches this level CRIT_DISK_USAGE='90' # DAYSTOKEEP # Only applies to Sguil database ('securityonion_db') DAYSTOKEEP='30' # DAYSTOREPAIR # Only applies to Sguil database ('securityonion_db') DAYSTOREPAIR='7'