Transfer SID disabled rules from Security Onion 1 to Security Onion 2 #5397

wompRS · 2021-09-03T18:55:25Z

wompRS
Sep 3, 2021

I am currently migrating our SECO solution from seco1 to seco2 (Security onion 1, 2). The way of disabling rules has changed obviously and we had done a lot of tuning on our system. What would be the best way of exporting the rules from seco1 and importing into seco2?

Answered by dougburks

Sep 7, 2021

In Security Onion 16.04, you would have disabled rules in /etc/nsm/pulledpork/disablesid.conf:
https://docs.securityonion.net/en/16.04/alerts.html#disable-the-sid

In Security Onion 2, you can disable rules via the so-rule command or in the minion pillar file:
https://docs.securityonion.net/en/2.3/managing-alerts.html#disable-the-sid

View full answer

dougburks · 2021-09-07T09:44:39Z

dougburks
Sep 7, 2021
Maintainer

In Security Onion 16.04, you would have disabled rules in /etc/nsm/pulledpork/disablesid.conf:
https://docs.securityonion.net/en/16.04/alerts.html#disable-the-sid

In Security Onion 2, you can disable rules via the so-rule command or in the minion pillar file:
https://docs.securityonion.net/en/2.3/managing-alerts.html#disable-the-sid

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Transfer SID disabled rules from Security Onion 1 to Security Onion 2 #5397

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Transfer SID disabled rules from Security Onion 1 to Security Onion 2 #5397

wompRS Sep 3, 2021

Replies: 1 comment

dougburks Sep 7, 2021 Maintainer

wompRS
Sep 3, 2021

dougburks
Sep 7, 2021
Maintainer