Important Security Onion Files and Directories
This appendix contains a listing of important Security Onion files and directories. Some of these refer to areas where data is stored, while others point to configuration files that can be modified to change how Security Onion interacts with various tools. We’ve also included the location of many configuration files used by Security Onion tools, since they might be in a different location on an SO system than where they would be if you installed the tool manually on another operating system.
This listing describes the location of configuration files for multiple tools included with Security Onion, as well as configuration files for SO itself. This listing is short and only includes files that are commonly accessed or modified.
• If you are using Snort, its configuration file is located at /etc/nsm/<sensor>/snort.conf.
• If you are using Suricata, its configuration file is located at /etc/nsm/<sensor>/suricata.yaml.
• IDS rules are stored at /etc/nsm/rules/:
  • Downloaded rules are stored in the downloaded.rules file.
  • Custom rules can be added to the local.rules file.
  • Rule threshold entries can be added to the threshold.conf file.
• Snorby configuration files are located at /opt/snorby/config/.
• Syslog-NG configuration files are located at /etc/syslog-ng/.
This listing contains locations where sensor tools store raw data:
Data Type | Application | Location
FPC Data | Netsniff-NG | /nsm/sensor_data/<sensor>/dailylogs/
Session Data | Argus | /nsm/sensor_data/<sensor>/argus/
Alert Data | Snort/Suricata | /nsm/sensor_data/<sensor>/snort-1/
Network Log Data / Alert Data | Bro | /nsm/bro/
Host Data | PRADS | /var/log/prads-asset.log
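The following script is an added example, not part of Security Onion or of the original appendix. It turns the two listings above into a quick sensor check: it verifies that the configuration files and data directories exist for a named sensor, finds the newest full packet capture under dailylogs/, and appends a custom rule to local.rules without duplicating a sid or using one below 1000000 (the range reserved for distributed rules). The root-directory argument is an assumption of this script, not an SO feature; it exists so the same functions can run against a constructed directory tree (built by so_demo_tree, with sample file names) as well as against / on a real sensor.

```shell
#!/bin/sh
# Added example, not part of Security Onion: check the sensor paths listed in
# this appendix and add a rule to local.rules without duplicating a sid.
# Assumes the /etc/nsm and /nsm/sensor_data layout described above. The root
# directory argument is an assumption of this script so it can be pointed at a
# constructed tree instead of a live system.

# Print every appendix path for sensor "$2" under root "$1" (use / on a real box).
so_paths() {
  root="${1%/}"
  sensor="$2"
  printf '%s\n' \
    "$root/etc/nsm/$sensor/snort.conf" \
    "$root/etc/nsm/$sensor/suricata.yaml" \
    "$root/etc/nsm/rules/downloaded.rules" \
    "$root/etc/nsm/rules/local.rules" \
    "$root/etc/nsm/rules/threshold.conf" \
    "$root/nsm/sensor_data/$sensor/dailylogs" \
    "$root/nsm/sensor_data/$sensor/argus" \
    "$root/nsm/sensor_data/$sensor/snort-1" \
    "$root/nsm/bro" \
    "$root/var/log/prads-asset.log"
}

# Report each path on stderr and print the number of missing paths on stdout.
# A Snort-only sensor will legitimately lack suricata.yaml, and vice versa.
so_check() {
  missing=0
  for p in $(so_paths "$1" "$2"); do
    if [ -e "$p" ]; then
      printf 'present  %s\n' "$p" >&2
    else
      printf 'MISSING  %s\n' "$p" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Newest FPC file under dailylogs/, relying on the dated directory names and
# epoch suffixes sorting lexically; prints nothing if there are no captures.
so_latest_fpc() {
  dir="${1%/}/nsm/sensor_data/$2/dailylogs"
  if [ -d "$dir" ]; then
    find "$dir" -type f | sort | tail -n 1
  fi
}

# Append a custom rule to local.rules. Rejects rules with no sid or a sid below
# 1000000 (reserved for distributed rules) and sids already present in the file.
# Prints one of: added, duplicate, rejected.
so_add_local_rule() {
  rules="${1%/}/etc/nsm/rules/local.rules"
  rule="$2"
  sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  if [ -z "$sid" ] || [ "$sid" -lt 1000000 ]; then
    echo "rejected"
  elif grep -q "sid:[[:space:]]*$sid;" "$rules" 2>/dev/null; then
    echo "duplicate"
  else
    printf '%s\n' "$rule" >> "$rules"
    echo "added"
  fi
}

# Build a constructed stand-in tree (sample data, not a real sensor) and print
# its path. The tree deliberately omits suricata.yaml to mimic a Snort sensor.
so_demo_tree() {
  d="$(mktemp -d)"
  mkdir -p "$d/etc/nsm/sensor1" "$d/etc/nsm/rules" "$d/nsm/bro" "$d/var/log" \
    "$d/nsm/sensor_data/sensor1/dailylogs/2013-05-01" \
    "$d/nsm/sensor_data/sensor1/dailylogs/2013-05-02" \
    "$d/nsm/sensor_data/sensor1/argus" "$d/nsm/sensor_data/sensor1/snort-1"
  : > "$d/etc/nsm/sensor1/snort.conf"
  : > "$d/etc/nsm/rules/downloaded.rules"
  : > "$d/etc/nsm/rules/threshold.conf"
  echo 'alert tcp any any -> any 4444 (msg:"Existing local rule"; sid:1000001; rev:1;)' \
    > "$d/etc/nsm/rules/local.rules"
  : > "$d/nsm/sensor_data/sensor1/dailylogs/2013-05-01/snort.log.1367366400"
  : > "$d/nsm/sensor_data/sensor1/dailylogs/2013-05-02/snort.log.1367452800"
  : > "$d/var/log/prads-asset.log"
  echo "$d"
}

# Run against the constructed tree (on a real sensor: so_check / <sensor>).
demo="$(so_demo_tree)"
so_check "$demo" sensor1
so_latest_fpc "$demo" sensor1
so_add_local_rule "$demo" 'alert tcp any any -> any 4444 (msg:"Existing local rule"; sid:1000001; rev:1;)'
so_add_local_rule "$demo" 'alert tcp any any -> any 31337 (msg:"Custom backdoor port"; sid:1000002; rev:1;)'
rm -rf "$demo"
```

On a live sensor the functions take / as the root and the sensor name as it appears under /etc/nsm/. Appending to local.rules only changes the file on disk; the running IDS engine does not pick the rule up until the rules are reloaded, so a change there should be followed by whatever rule update procedure your SO version provides.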