From 69dd35c30a49587f08261c40f2b56458a7dbc96b Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Mon, 4 Nov 2024 14:31:53 -0700
Subject: [PATCH 1/4] Add Option for Ignoring Ranges of SIDs in Suricata Integrity Check
---
 salt/soc/defaults.yaml | 2 ++
 salt/soc/soc_soc.yaml | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 6a9a1bfc6..068a9c9b7 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1435,6 +1435,8 @@ soc:
 rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
 stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
 integrityCheckFrequencySeconds: 1200
+ ignoredSidRanges:
+ - '1100000-1199999'
 client:
 enableReverseLookup: false
 docsUrl: /docs/
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 14296dade..fd3295daf 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -390,6 +390,11 @@ soc:
 advanced: True
 forcedType: "[]{}"
 helpLink: suricata.html
+ ignoredSidRanges:
+ description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI.'
+ global: True
+ advanced: True
+ forcedType: "[]string"
 client:
 enableReverseLookup:
 description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
From 5e48ccafce5ab3b4a04d6e059b311b8efac975b4 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 5 Nov 2024 11:11:34 -0700
Subject: [PATCH 2/4] Update Default Value
---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 068a9c9b7..73446abd7 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1436,7 +1436,7 @@ soc:
 stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
 integrityCheckFrequencySeconds: 1200
 ignoredSidRanges:
- - '1100000-1199999'
+ - '1100000-1101000'
 client:
 enableReverseLookup: false
 docsUrl: /docs/
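Review bot: The new `ignoredSidRanges` annotation in soc_soc.yaml constrains the value only through `forcedType: "[]string"`, so an entry that is not a `low-high` pair is accepted when the setting is saved and its handling is left entirely to whatever consumes it, which is not visible in this patch. If the annotation schema in this file supports a per-setting pattern check (worth confirming against neighbouring settings), a constraint such as `regex: ^\d+-\d+$` would surface a malformed entry to the operator at save time instead of leaving it to fail, or be silently skipped, inside the integrity check. The enclosing `soc:` mapping starts and ends outside the hunk.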
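Review bot: The default in defaults.yaml is narrowed from `1100000-1199999` to `1100000-1101000` with nothing in the commit message or the file saying what those SIDs are or why they are exempt from the integrity check, so a later maintainer cannot tell whether the bound is deliberate or should move again. A comment above the list would carry that, e.g. `# SIDs exempt from the integrity check: <reason this range is reserved — TODO fill in>`; a YAML comment does not change the rendered value. Because the default applies to every install, the rationale should also say where rules in that range are governed if not by the UI, since drift in them is presumably not reported. The enclosing `soc:` mapping starts and ends outside the hunk.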
From 25d55feeefd8f6955271daac729b94be1d2e4d4a Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 5 Nov 2024 11:41:14 -0700
Subject: [PATCH 3/4] More Detailed Description
---
 salt/soc/soc_soc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index fd3295daf..3bd1774bc 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -391,7 +391,7 @@ soc:
 forcedType: "[]{}"
 helpLink: suricata.html
 ignoredSidRanges:
- description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI.'
+ description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
 global: True
 advanced: True
 forcedType: "[]string"
From 52a144c0521a3a4f5b7e476f60251b66f2c0a332 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 5 Nov 2024 12:11:17 -0700
Subject: [PATCH 4/4] Added Help Link to Annotation for IgnoredSidRanges
---
 salt/soc/soc_soc.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 3bd1774bc..c27228ab6 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -395,6 +395,7 @@ soc:
 global: True
 advanced: True
 forcedType: "[]string"
+ helpLink: detections.html#rule-engine-status
 client:
 enableReverseLookup:
 description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
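Review bot: The expanded description in the PATCH 3/4 hunk explains how to write a range but not what ignoring one costs: a rule whose SID falls inside a listed range is presumably never compared against the fingerprint, so modification or removal of that rule goes unreported by the check. One added sentence makes the trade-off explicit to the operator, e.g. `Rules in an ignored range are not verified, so changes to or removal of those rules will not be reported.` The example `"1100000-1200000"` also differs from the default `1100000-1101000` set in the previous patch; using the same value in both places avoids confusing a reader who compares them. Whether a bare SID without a hyphen or an inverted range is accepted is not stated either; saying entries must be `low-high` with low not greater than high closes that gap.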