From 022df966c744bc780c8de281a3a31dbe92234030 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 18 Jul 2024 16:09:44 -0600
Subject: [PATCH] Remove Allow/Deny Regex, Add Suricata Enable/Disable Regex
---
 salt/soc/soc_soc.yaml | 38 ++++++++------------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 35402f760..3732b1308 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -90,11 +90,6 @@ soc:
 helpLink: sigma.html
 forcedType: "[]string"
 multiline: True
- allowRegex:
- description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: sigma.html
 autoEnabledSigmaRules:
 default: &autoEnabledSigmaRules
 description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
@@ -103,11 +98,6 @@ soc:
 helpLink: sigma.html
 so-eval: *autoEnabledSigmaRules
 so-import: *autoEnabledSigmaRules
- denyRegex:
- description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: sigma.html
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
 global: True
@@ -199,21 +189,11 @@ soc:
 advanced: True
 forcedType: int
 strelkaengine:
- allowRegex:
- description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: yara.html
 autoEnabledYaraRules:
 description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
 global: True
 advanced: True
 helpLink: sigma.html
- denyRegex:
- description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: yara.html
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
 global: True
@@ -232,21 +212,19 @@ soc:
 helpLink: yara.html
 airgap: *serulesRepos
 suricataengine:
- allowRegex:
- description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: suricata.html
- denyRegex:
- description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: suricata.html
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new Suricata rules (in seconds).'
 global: True
 advanced: True
 helpLink: suricata.html
+ disableRegex:
+ description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content.
+ global: True
+ forcedType: "[]string"
+ enableRegex:
+ description: A list of regular expressions used to automatically enable rules that match any of them. Each regular expression is tested against the rule's content.
+ global: True
+ forcedType: "[]string"
 integrityCheckFrequencySeconds:
 description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
 global: True
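Review bot: The descriptions added for `disableRegex` and `enableRegex` do not say what happens when a rule's content matches entries in both lists, a precedence the removed allow/deny settings spelled out ("Deny regex takes precedence over the Allow regex setting"); the importer that applies these lists is not in this hunk, so the actual precedence needs confirming before it is documented. I would end each description with the resolved rule, e.g. `... Each regular expression is tested against the rule's content. If a rule matches both enableRegex and disableRegex, disableRegex takes precedence.` (adjusted to whatever the importer does), and state whether the match is an unanchored search over the whole rule text or a full match, since that decides how broad a short pattern is when it is applied to every imported rule. For consistency with the sibling `suricataengine` entries, the two new keys should also carry `helpLink: suricata.html`, and their descriptions should be single-quoted like every other description in the file (escaping the apostrophe as `rule''s`) rather than left as plain scalars.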