Add microsensors

When Corelight-update deploys content to a Microsensor, it uses SCP to push the content to a local folder path on the sensor, so the sensor needs no Corelight-update agent of its own: only SSH access and writable target folders.

To configure a Microsensor in Corelight-update, you’ll need:

  • Network connectivity from the Corelight-update host to the Microsensor.

  • The IP address or FQDN of the Microsensor.

  • A username and password on the Microsensor host, or an SSH key for that host.

  • Read/write access for that user to the content folders (the intel, input, rules and bundle paths configured below).

The Corelight-update sensor inventory requires one entry for each Microsensor host. You can remove any setting that’s not required for a specific sensor’s configuration.

sensors:
  - name:            # sensor name
    type:            micro
    ip:              # address or fqdn
    username:        # host username
    password:        # set to "ssh-key" to use ssh keys on microsensors, leave blank to use encrypted password
    encrypted_pass:  # use the 'encrypt' CLI command to encrypt a password before it's stored here
    suricata:        true  # push suricata rulesets to this sensor
    intel:           true  # push intel files to this sensor
    input:           true  # push input files to this sensor
    bundle:          true  # push package bundle to this sensor
    intel_path:      "/etc/corelight/intel/intel.dat"      # microsensors and localhost ONLY
    input_path:      "/etc/corelight/input_files/"         # microsensors and localhost ONLY
    suricata_path:   "/etc/corelight/rules/suricata.rules" # microsensors and localhost ONLY
    bundle_path:     "/etc/corelight/corelight.bundle"     # microsensors ONLY

Microsensor file management

  • When content is deployed to a Microsensor, the Zeek package detects changes to the Intel and Input files and loads them automatically; no manual reload is needed.

  • Deploying a Suricata ruleset on a Microsensor requires a reload of the Suricata rules before the new file is used.

Reload Suricata using incron

You can use incron, an inotify-driven cron-like daemon, to reload the Microsensor's Suricata rules automatically whenever the ruleset file is updated.

On the Microsensor host:

  1. Verify that incron is installed, or install it with the package manager on the Microsensor host.

  2. A suricata.rules file must be present before incron can create the file monitor. Create a temporary (empty) suricata.rules file in the folder:

    sudo touch /etc/corelight/rules/suricata.rules
    
  3. Create an incron table entry that signals Suricata to reload its rules when the file is modified. Note that the redirection in "sudo echo ... >> file" runs as the unprivileged user and fails with a permission error, so write the table through tee instead, and keep the table readable only by root:

    echo '/etc/corelight/rules/suricata.rules IN_MODIFY killall -SIGUSR2 Suricata-Main' | sudo tee -a /var/spool/incron/root
    sudo chmod 600 /var/spool/incron/root

    IN_MODIFY fires on every write during the SCP transfer, so Suricata may be signalled while the file is still being written. IN_CLOSE_WRITE fires once, when the transfer closes the file, and is the safer trigger if your incron build supports it.
    
  4. Start the incron service (on systemd hosts, use "sudo systemctl enable --now incron" so it also starts at boot):

    /etc/init.d/incron start

When an updated suricata.rules file is pushed to the Microsensor, incron runs the configured command, Suricata reloads its rules and the updated ruleset takes effect.
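The procedure above, as an added shell script that is not part of the Corelight-update docs or the Corelight product: it installs the incron entry idempotently, uses IN_CLOSE_WRITE instead of IN_MODIFY so the reload fires only after scp has closed the file, and wraps the SIGUSR2 signal in a guard that refuses to reload an empty or missing file. The file paths and the "killall -SIGUSR2 Suricata-Main" command come from the page; the install location /usr/local/sbin/suricata-reload.sh, the function names and the RELOAD_CMD override for dry runs are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Corelight-update docs. Paths and the SIGUSR2
# reload command follow the page; HOOK (where this script is assumed to be
# installed) and RELOAD_CMD (overridable for dry runs) are assumptions.

RULES_FILE="${RULES_FILE:-/etc/corelight/rules/suricata.rules}"
SPOOL_FILE="${SPOOL_FILE:-/var/spool/incron/root}"
HOOK="${HOOK:-/usr/local/sbin/suricata-reload.sh}"
RELOAD_CMD="${RELOAD_CMD:-killall -SIGUSR2 Suricata-Main}"

# Build the incron table line "<path> <mask> <command>". IN_CLOSE_WRITE fires
# once when scp closes the file; IN_MODIFY fires on every write chunk and can
# trigger a reload of a half-transferred ruleset.
incron_entry() {
    printf '%s IN_CLOSE_WRITE %s reload %s' "$1" "$HOOK" "$1"
}

# Append the entry to the spool table exactly once (rerunning is harmless)
# and restrict the table to its owner.
install_incron_entry() {
    rules="$1"
    spool="$2"
    entry="$(incron_entry "$rules")"
    # incron cannot watch a path that does not exist yet, so create the file.
    [ -e "$rules" ] || : > "$rules"
    if [ -f "$spool" ] && grep -Fxq -- "$entry" "$spool"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$spool"
    chmod 600 "$spool"
}

# Number of hook lines present for a rules file (0 if the table is absent).
incron_entry_count() {
    [ -f "$2" ] || { echo 0; return 0; }
    grep -Fc -- "$1 IN_CLOSE_WRITE " "$2" || true
}

# Guarded reload: a failed or truncated transfer leaves an empty file, and
# signalling Suricata then would load nothing. Returns 1 without signalling.
reload_suricata() {
    rules="$1"
    if [ ! -s "$rules" ]; then
        echo "refusing reload: $rules is missing or empty" >&2
        return 1
    fi
    $RELOAD_CMD
}

case "${1:-}" in
    install) install_incron_entry "$RULES_FILE" "$SPOOL_FILE" ;;
    reload)  reload_suricata "${2:-$RULES_FILE}" ;;
    "")      ;;   # run without arguments: define functions only
    *)       echo "usage: $0 install|reload [rules_file]" >&2; exit 2 ;;
esac
```

Run "sudo ./suricata-reload.sh install" once on the Microsensor; afterwards incron invokes "suricata-reload.sh reload <path>" each time Corelight-update finishes pushing a ruleset, and an empty file produced by a failed transfer is logged and skipped rather than loaded.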