################################ # sosetup.conf ################################ # This file can be used to automate sosetup. # # Copy this example file to your home directory: # cp /usr/share/securityonion/sosetup.conf ~ # # Edit your new sosetup.conf: # nano ~/sosetup.conf # # Run Setup with the -f switch and the path to this file: # sudo sosetup -f ~/sosetup.conf ################################ # Management Interface ################################ # MGMT_INTERFACE # Which network interface should be the management interface? # The management interface has an IP address and is NOT used for sniffing. # We recommend that you always make this eth0 if possible for consistency. MGMT_INTERFACE='eth2' # MGMT_CONFIG_TYPE # Should the management interface be configured using DHCP or static IP? # We recommend using static IP whenever possible. MGMT_CONFIG_TYPE='static' # MGMT_CONFIG_TYPE='DHCP' # If MGMT_CONFIG_TYPE=static, then provide the details here: ADDRESS='192.168.39.10' NETMASK='255.255.255.0' GATEWAY='192.168.39.1' NAMESERVER='192.168.39.1' DOMAIN='example.com' ################################ # Sniffing interface(s) ################################ # Which interface(s) will be sniffing network traffic? # For multiple interfaces, please separate them with spaces. # For example: # SNIFFING_INTERFACES='eth1 eth2' SNIFFING_INTERFACES='eth0 eth1' ################################ # Master Server ################################ # SERVER # If set to 1, then this box will be a Master server: # SERVER=1 # If set to 0, then this box will connect to a separate Master server: # SERVER=0 SERVER=1 # SERVERNAME # If SERVER=1, then this should be 'localhost': # SERVERNAME='localhost' # If SERVER=0, then this should be the name/IP of the separate Master server: # SERVERNAME='sguilserver.example.com' SERVERNAME='localhost' # SSH_USERNAME # If SERVER=0, then this should be the name of an # account on the separate Master server that has sudo privileges. # sudo privileges can be revoked after sosetup is complete. # SSH_USERNAME='sensor1' SSH_USERNAME='' # SGUIL_SERVER_NAME # If SERVER=1, then this is the name of the Sguil server we'll create. # You probably shouldn't change this value. SGUIL_SERVER_NAME='securityonion' # SGUIL_CLIENT_USERNAME # If SERVER=1, then this is the username that we'll create # for Sguil/Squert/ELSA. # Please use alphanumeric characters only! SGUIL_CLIENT_USERNAME='vagrant' # SGUIL_CLIENT_PASSWORD_1 # If SERVER=1, then this is the password that we'll create # for Sguil/Squert/ELSA. # If you set a password here, you may want to change it later and/or # shred this file. SGUIL_CLIENT_PASSWORD_1='vagrant' ################################ # Master server services ################################ # If SERVER=0, then no server services will run. # If SERVER=1, then the following services can be enabled/disabled. # Do you want to run Xplico? yes/no XPLICO_ENABLED='no' ################################ # ELSA ################################ # ELSA # If set to YES, then this box will run ELSA components: # ELSA=YES # If set to NO, then this box will not run ELSA components: # ELSA=NO # If you want to run ELSA, then you should enable this setting on every box in your deployment. ELSA=YES # UPDATE_ELSA_SERVER # If SERVER=0, then the server's elsa_web.conf will need # to be updated and Apache restarted for it to recognize # this new ELSA node. Restarting Apache will interrupt # any running ELSA queries. # To automatically update the server's elsa_web.conf and # restart Apache, set this option to 'YES': # UPDATE_ELSA_SERVER='YES' # If you'd rather update the server's elsa_web.conf yourself # and manually restart Apache, set this option to 'NO': # UPDATE_ELSA_SERVER='NO' UPDATE_ELSA_SERVER='YES' # LOG_SIZE_LIMIT # This setting controls how much disk space ELSA uses. # 10TB = 10000000000000 # LOG_SIZE_LIMIT='10000000000000' # 1TB = 1000000000000 # LOG_SIZE_LIMIT='1000000000000' # 100GB = 100000000000 # LOG_SIZE_LIMIT='100000000000' # 10GB = 10000000000 LOG_SIZE_LIMIT='10000000000' ################################ # Enable/disable services ################################ # The OSSEC agent sends OSSEC HIDS alerts into the Sguil database. # Do you want to run the OSSEC Agent? yes/no OSSEC_AGENT_ENABLED='no' # OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild. OSSEC_AGENT_LEVEL='5' # Salt allows you to manage your entire Security Onion deployment # as one cohesive whole. It provides configuration management # and remote code execution. # Do you want to enable Salt? yes/no SALT='no' ################################ # Sensor components ################################ # SENSOR # If set to 1, then this box will run sensor components and sniff ethernet interfaces: # SENSOR=1 # If set to 0, then this box will not run sensor components: # SENSOR=0 SENSOR=1 ################################ # Enable/disable sensor services ################################ # If SENSOR=0, then no sensor services will run. # If SENSOR=1, then the following services can be enabled/disabled. # BRO_ENABLED # Do you want to run Bro? yes/no BRO_ENABLED='yes' # IDS_ENGINE_ENABLED # Do you want to run an IDS engine (Snort/Suricata)? yes/no IDS_ENGINE_ENABLED='yes' # SNORT_AGENT_ENABLED # Do you want to run the Snort agent? yes/no # The Snort agent sends Snort IDS alerts to the Sguil database. SNORT_AGENT_ENABLED='yes' # BARNYARD2_ENABLED # Do you want to run Barnyard2? yes/no # Barnyard2 sends IDS alerts from Snort/Suricata to # Sguil's Snort agent and syslog (ELSA). BARNYARD2_ENABLED='yes' # PCAP_ENABLED # Do you want to run full packet capture? yes/no PCAP_ENABLED='yes' # PCAP_AGENT_ENABLED # Do you want to run Sguil's pcap_agent? yes/no # The pcap_agent allows Sguil to access the pcap store. PCAP_AGENT_ENABLED='yes' # PRADS_ENABLED # Do you want to run Prads? yes/no # Prads writes session data and asset data. # Bro provides the same data types plus more, so most # folks don't run Prads. PRADS_ENABLED='no' # SANCP_AGENT_ENABLED # Do you want to run the sancp_agent? yes/no # sancp_agent sends session data from Prads to Sguil. SANCP_AGENT_ENABLED='no' # PADS_AGENT_ENABLED # Do you want to run the pads_agent? yes/no # pads_agent sends asset data from Prads to Sguil. PADS_AGENT_ENABLED='no' # HTTP_AGENT_ENABLED # Do you want to run the http_agent? yes/no # http_agent sends http logs from Bro to Sguil. # If you're running ELSA, then you probably want to disable this. HTTP_AGENT_ENABLED='no' # ARGUS_ENABLED # Do you want to run Argus? yes/no # Argus writes session data, also provided by Bro and Prads. # Most folks don't run Argus. ARGUS_ENABLED='no' ################################ # Rules ################################ # IDS_RULESET # This setting is only necessary on a master server. # Sensors automatically inherit ruleset from the master server. # Which IDS ruleset would you like to use? # Emerging Threats Open (no oinkcode required): # ETOPEN # Emerging Threats PRO (requires ETPRO oinkcode): # ETPRO # Sourcefire VRT (requires VRT oinkcode): # VRT # VRT and ET (requires VRT oinkcode): # VRTET IDS_RULESET='ETOPEN' # OINKCODE # This setting is only necessary on a master server. # Sensors automatically inherit ruleset from the master server. # If you're running VRT or ETPRO rulesets, you'll need to supply your # oinkcode here. OINKCODE='' ################################ # PF_RING Config ################################ # PF_RING_SLOTS # The default is 4096. # High traffic networks may need to increase this. PF_RING_SLOTS=4096 ################################ # IDS Config ################################ # IDS_ENGINE # Which IDS engine would you like to run? snort/suricata # Whatever you choose here will apply to the master server # and then sensors inherit this setting from the master server. # To run Snort: # IDS_ENGINE='snort' # To run Suricata: # IDS_ENGINE='suricata' IDS_ENGINE='snort' # IDS_LB_PROCS # How many PF_RING load-balanced processes would you like to run? # This value should be lower than your number of CPU cores. IDS_LB_PROCS='1' # HOME_NET # Setup by default configures Snort/Suricata's HOME_NET variable # as RFC 1918 (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12). # If you wish to provide a custom value, enter it below, # ensuring a comma is placed after each range, with no spaces in between. # Ex. HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' ################################ # Bro Config ################################ # BRO_LB_PROCS # How many PF_RING load-balanced processes would you like Bro to run? # This value should be lower than your number of CPU cores. BRO_LB_PROCS='1' # EXTRACT_FILES # Do you want Bro to automatically extract Windows EXEs and write them to disk? yes/no EXTRACT_FILES='yes' ################################ # PCAP Config ################################ # PCAP_SIZE # How large do you want your pcap files to be? # The default is 150MB. PCAP_SIZE='150' # PCAP_RING_SIZE # How big of a ring buffer should be allocated for netsniff-ng? # The default is 64MB. PCAP_RING_SIZE='64' # PCAP_OPTIONS # The default option here of '-c' is intended for low-volume environments. # If monitoring lots of traffic, you will want to remove the -c to use # netsniff-ng's default scatter/gather I/O or consider netsniff-ng's --mmap option. PCAP_OPTIONS='-c' ################################ # Maintenance ################################ # WARN_DISK_USAGE # Begin warning when disk usage reaches this level WARN_DISK_USAGE='80' # CRIT_DISK_USAGE # Begin purging old files when disk usage reaches this level CRIT_DISK_USAGE='90' # DAYSTOKEEP # Only applies to Sguil database ('securityonion_db') DAYSTOKEEP='30' # DAYSTOREPAIR # Only applies to Sguil database ('securityonion_db') DAYSTOREPAIR='7'