Tuning
To get the best performance out of Security Onion, you’ll want to tune it for your environment. Start by creating Berkeley Packet Filters (BPFs) to ignore any traffic that you don’t want your network sensors to process. Then tune your rulesets using PulledPork’s disablesid.conf and modifysid.conf. There may be entire categories of rules that you want to disable first; then look at the remaining enabled rules to see if there are individual rules that can be disabled. Once your ruleset is a manageable size, look at tuning your alerts via Sguil’s autocat feature. Once your rules and alerts are under control, look at sostat to see if you have packet loss. If so, tune using PF-RING or AF-PACKET. If you are on a large network, you may need to do additional tuning, such as pinning processes to CPU cores. More information on each of these topics can be found in this section.
- BPF
- Managing Rules
- Adding Local Rules
- Managing Alerts
  - Testing to make sure the IDS is working
  - Identifying overly active signatures
    - From Squert
    - From Sguil
    - From the Command Line
      - Listing the top twenty signatures
      - Identifying rule categories
  - Recovering from too many alerts
  - So what’s next?
    - Disable the sid
    - Disable the category
    - modifysid.conf
    - Rewrite the signature
    - Threshold
    - Suppressions
    - Autocategorize events
  - Why is pulledpork ignoring disabled rules in downloaded.rules
- Sguil Days To Keep
- PF-RING
- AF-PACKET
- High Performance Tuning
- MySQL Tuning
- Trimming PCAPs
- Disabling Processes