Appendix 1

Security Onion Control Scripts

This appendix contains a listing of scripts used to control and interact with Security Onion (SO) services and data. All of these scripts (with the exception of rule-update) are located in the /usr/sbin/ directory, and all of them must be run with elevated privileges using the sudo command. We won't cover every available option for every script; you can see the full usage of any of them by running it with the --help argument.

High Level Commands

nsm

This script is used to pass options to underlying scripts, such as nsm_server and nsm_sensor. This script can be used to check the status of an SO system by using this command:

sudo nsm --all --status

nsm_all_del

This script will delete all SO server and sensor data, including configuration data. This script will prompt for confirmation before performing this action. The script is executed with no arguments, like this:

sudo nsm_all_del

nsm_all_del_quick

This script will delete all SO server and sensor data, including configuration data. This script will NOT prompt for confirmation before performing this action. This script should be executed with care. This script is executed with no arguments, like this:

sudo nsm_all_del_quick

Server Control Commands

nsm_server

This script is used to pass options to underlying scripts. The script can be used to check the status of an SO system’s server components with this command:

sudo nsm_server --status

nsm_server_add

This script is used to create a new Sguil server. This script is executed during the SO setup process and shouldn’t need to be run manually.

nsm_server_backup-config

This script is used to back up the Sguil configuration files. This example will back up the configuration to an archive file in my home directory:

sudo nsm_server_backup-config --backup-file=/home/sanders/config-backup.tar.gz

nsm_server_backup-data

This script is used to back up Sguil data. This example will back up data to an archive file in my home directory:

sudo nsm_server_backup-data --backup-file=/home/sanders/data-backup.tar.gz

nsm_server_clear

This script will delete all Sguil data. This example will clear data for the current Sguil server:

sudo nsm_server_clear

nsm_server_del

This script will permanently delete the Sguil server. This example will delete the current Sguil server:

sudo nsm_server_del

nsm_server_edit

This script is used to modify specific Sguil configuration settings. All of these settings can be listed by running this command:

sudo nsm_server_edit --help

This example command would change the server sensor port:

sudo nsm_server_edit --server-name=<server> --new-server-sensor-port=<port>

nsm_server_ps-status

This script is used to check the status of the Sguild service. This script is usually executed with no options, like this:

sudo nsm_server_ps-status

nsm_server_ps-start

This script starts the Sguild service. This script is usually executed with no options, like this:

sudo nsm_server_ps-start

nsm_server_ps-stop

This script stops the Sguild service. This script is usually executed with no options, like this:

sudo nsm_server_ps-stop

nsm_server_ps-restart

This script restarts the Sguild service. This script is usually executed with no options, like this:

sudo nsm_server_ps-restart

nsm_server_sensor-add

This script is used to add a sensor to the Sguil configuration. If this script is launched without arguments, it will provide a dialog for completing this action. Otherwise, this command will add a sensor to a Sguil server:

sudo nsm_server_sensor-add --server-name=<server> --sensor-name=<sensor>

nsm_server_sensor-del

This script is used to remove a sensor from the Sguil configuration. If this script is launched without arguments, it will provide a dialog for completing this action. Otherwise, this command will delete a sensor from a Sguil server:

sudo nsm_server_sensor-del --server-name=<server> --sensor-name=<sensor>

nsm_server_user-add

This script is used to add a new user to the Sguil configuration. If this script is launched without arguments, it will provide a dialog for completing this action. Otherwise, this command will add a user to a Sguil server. Keep in mind that a password supplied as a command-line argument is visible to other local users in the process list and is recorded in your shell history, so the interactive dialog is the safer choice on a shared system:

sudo nsm_server_user-add --server-name=<server> --user-name=<username> --user-pass=<password>

Sensor Control Commands

nsm_sensor

This script is used to pass options to underlying scripts. The script can be used to check the status of an SO system’s sensor components with this command:

sudo nsm_sensor --status

nsm_sensor_add

This script is used to create a new sensor. This script is executed during the SO setup process and shouldn’t need to be run manually.

nsm_sensor_backup-config

This script is used to back up the sensor configuration files. This example will back up the configuration to an archive file in my home directory:

sudo nsm_sensor_backup-config --backup-file=/home/sanders/config-backup.tar.gz

nsm_sensor_backup-data

This script is used to back up collected sensor data. This example will back up data to an archive file in my home directory:

sudo nsm_sensor_backup-data --backup-file=/home/sanders/data-backup.tar.gz

nsm_sensor_clean

This script is used to remove collected sensor data when the total disk utilization is above 90%. When executed, the oldest sensor data is removed until disk utilization falls below this threshold. The script is run hourly as a cron job. It can be executed manually by running it without any arguments:

sudo nsm_sensor_clean
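The pruning loop that nsm_sensor_clean performs (delete the oldest day of sensor data, re-measure, repeat until usage is under the threshold) is easy to get wrong in a hand-rolled cleanup job, most often by forgetting to stop when nothing is left to delete. The script below is an added example written for this appendix; it is not Security Onion's nsm_sensor_clean and does not call it. It assumes per-day directories named YYYY-MM-DD beneath a base directory, and it measures usage with du against a fixed KiB budget instead of a percentage of the partition, so it can be run against a constructed sample tree on any machine.

```sh
#!/bin/sh
# Added example, not Security Onion's own nsm_sensor_clean.
# Assumptions: data is stored in per-day directories named YYYY-MM-DD
# (the sample tree below is constructed), and "usage" is du -sk of the
# base directory compared against a KiB budget rather than df of /nsm.

usage_kb() {
    # Total allocated size in KiB of everything beneath $1.
    du -sk "$1" | awk '{print $1}'
}

prune_oldest() {
    # $1 = base directory, $2 = budget in KiB.
    # Delete the oldest day and re-measure until usage is at or under budget.
    base="$1"; budget="$2"
    while [ "$(usage_kb "$base")" -gt "$budget" ]; do
        # YYYY-MM-DD names sort chronologically, so the first entry is the oldest.
        oldest=$(ls -1 "$base" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort | head -n 1)
        # Stop when no dated directory remains; otherwise a still-full disk
        # (data living elsewhere) would make this loop forever.
        [ -n "$oldest" ] || break
        echo "removing $base/$oldest"
        rm -rf "$base/$oldest"
    done
}

make_sample() {
    # Constructed sample tree: five days, 256 KiB of random data each.
    # Random bytes are used so a compressing filesystem cannot shrink them.
    base=$(mktemp -d)
    for d in 2013-11-01 2013-11-02 2013-11-03 2013-11-04 2013-11-05; do
        mkdir -p "$base/$d"
        dd if=/dev/urandom of="$base/$d/snort.log" bs=1024 count=256 2>/dev/null
    done
    echo "$base"
}

remaining_days() {
    # Space-separated, sorted list of the day directories left under $1.
    ls -1 "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}
```

Running prune_oldest against the sample tree with a 700 KiB budget removes the three oldest days and leaves 2013-11-04 and 2013-11-05, because the budget is re-checked after every deletion rather than computed once up front. The same structure, with usage_kb swapped for a df-based percentage, is what you would want in any cleanup job that touches /nsm.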

nsm_sensor_clear

This script is used to remove all collected sensor data. If this script is launched without arguments, it will provide a dialog for completing this action. This command will remove all collected data for a specified sensor:

sudo nsm_sensor_clear --sensor-name=<sensor>

nsm_sensor_del

This script removes all collected sensor data and configuration information. If this script is launched without arguments, it will provide a dialog for completing this action. This command will remove all collected sensor data and configuration information for a specified sensor:

sudo nsm_sensor_del --sensor-name=<sensor>

nsm_sensor_edit

This script is used to modify specific sensor configuration settings. All of these settings can be listed by running this command:

sudo nsm_sensor_edit --help

This example command would change the IP address of the server that the sensor reports to:

sudo nsm_sensor_edit --sensor-name=<sensor> --new-sensor-server-host=<server>

nsm_sensor_ps-daily-restart

This script is used with a cron job to perform a daily restart of certain sensor services at midnight. It should not need to be run manually.

nsm_sensor_ps-status

This script is used to check the status of sensor services. If it is executed with no options, it will display the status of all sensor services. However, you can also use it to display the status of individual services. You can list these services by running the following command:

sudo nsm_sensor_ps-status --help

This example command will only display the status for Bro:

sudo nsm_sensor_ps-status --only-bro

nsm_sensor_ps-start

This script is used to start sensor services. If it is executed with no options, it will start all sensor services, unless they are already running. However, you can also use it to start individual services. You can list these services by running the following command:

sudo nsm_sensor_ps-start --help

This example command will only start Snort:

sudo nsm_sensor_ps-start --only-snort-alert

nsm_sensor_ps-stop

This script is used to stop sensor services. If it is executed with no options, it will stop all sensor services, unless they are already stopped. However, you can also use it to stop individual services. You can list these services by running the following command:

sudo nsm_sensor_ps-stop --help

This example command will only stop Netsniff-NG:

sudo nsm_sensor_ps-stop --only-pcap

nsm_sensor_ps-restart

This script is used to restart sensor services. If it is executed with no options, it will restart all sensor services. However, you can also use it to restart individual services. You can list these services by running the following command:

sudo nsm_sensor_ps-restart --help

This example command will only restart PRADS:

sudo nsm_sensor_ps-restart --only-prads

rule-update

This script is used to update sensor IDS rules. On a standalone or server installation, it downloads these rules from the Internet. On a sensor installation, it downloads them from the configured server. It runs automatically at 7:01 AM UTC every day. It can be executed manually by running it without any arguments:

sudo rule-update

For more information on these scripts, visit the Security Onion wiki at https://code.google.com/p/security-onion/w/list.
