From 085ab4007655660d9d588a161bad0aee7e85342d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 17 Apr 2018 16:03:20 -0400
Subject: [PATCH] IDSTools Module - Add base configs
---
salt/idstools/etc/disable.conf | 10 ++++++++++
salt/idstools/etc/enable.conf | 10 ++++++++++
salt/idstools/etc/local.rules | 1 +
salt/idstools/etc/modify.conf | 14 ++++++++++++++
salt/idstools/etc/rulecat.conf | 6 ++++++
5 files changed, 41 insertions(+)
create mode 100644 salt/idstools/etc/disable.conf
create mode 100644 salt/idstools/etc/enable.conf
create mode 100644 salt/idstools/etc/local.rules
create mode 100644 salt/idstools/etc/modify.conf
create mode 100644 salt/idstools/etc/rulecat.conf
diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf
new file mode 100644
index 000000000..e8928c495
--- /dev/null
+++ b/salt/idstools/etc/disable.conf
@@ -0,0 +1,10 @@
+# idstools - disable.conf
+
+# Example of disabling a rule by signature ID (gid is optional).
+# 1:2019401
+# 2019401
+
+# Example of disabling a rule by regular expression.
+# - All regular expression matches are case insensitive.
+# re:hearbleed
+# re:MS(0[7-9]|10)-\d+
diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf
new file mode 100644
index 000000000..b7738677c
--- /dev/null
+++ b/salt/idstools/etc/enable.conf
@@ -0,0 +1,10 @@
+# idstools-rulecat - enable.conf
+
+# Example of enabling a rule by signature ID (gid is optional).
+# 1:2019401
+# 2019401
+
+# Example of enabling a rule by regular expression.
+# - All regular expression matches are case insensitive.
+# re:hearbleed
+# re:MS(0[7-9]|10)-\d+
diff --git a/salt/idstools/etc/local.rules b/salt/idstools/etc/local.rules
new file mode 100644
index 000000000..e01ea913c
--- /dev/null
+++ b/salt/idstools/etc/local.rules
@@ -0,0 +1 @@
+# Put your own custom Snort/Suricata rules in here.
diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf
new file mode 100644
index 000000000..79d038c26
--- /dev/null
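Review bot: The regular-expression example `# re:hearbleed` in disable.conf is misspelled, so an operator who uncomments it as written will match no rule at all; the identical line recurs in the enable.conf hunk and should be corrected there too, to `# re:heartbleed`. The header comment also differs between the two new files (`# idstools - disable.conf` versus `# idstools-rulecat - enable.conf`); aligning both on the `# idstools-rulecat - ...` form keeps the set consistent. Because `re:` matches are case-insensitive and, presumably, tested against the whole rule text, a short pattern can disable every rule whose text merely contains it, so a one-line comment such as `# Keep re: patterns specific: a short pattern disables every rule whose text contains it.` would help operators avoid over-broad disables and the resulting detection gaps.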
+++ b/salt/idstools/etc/modify.conf
@@ -0,0 +1,14 @@
+# idstools-rulecat - modify.conf
+
+# Format: "" ""
+
+# Example changing the seconds for rule 2019401 to 3600.
+#2019401 "seconds \d+" "seconds 3600"
+
+# Change all trojan-activity rules to drop. Its better to setup a
+# drop.conf for this, but this does show the use of back references.
+#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
+
+# For compatibility, most Oinkmaster modifysid lines should work as
+# well.
+#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
new file mode 100644
index 000000000..87a881fb8
--- /dev/null
+++ b/salt/idstools/etc/rulecat.conf
@@ -0,0 +1,6 @@
+--suricata-version 4.0
+--merged=/opt/so/rules/nids/downloaded.rules
+--local=/opt/so/rules/nids/local.rules
+--disable=disable.conf
+--enable=enable.conf
+--modify=modify.conf
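Review bot: The `# Format: "" ""` line in modify.conf shows two empty quoted strings and no leading field, so it no longer describes the three-field syntax that the examples beneath it actually use; the placeholders appear to have been lost, possibly because they were angle-bracketed. Suggest restoring them so the line agrees with `#2019401 "seconds \d+" "seconds 3600"`, e.g. `# Format: <sid or re:pattern> "<from regex>" "<to replacement>"`. The comment `Its better to setup a` should read `It's better to set up a`. This hunk's file header sits on the previous physical line of the patch.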
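Review bot: In rulecat.conf, `--disable=disable.conf`, `--enable=enable.conf` and `--modify=modify.conf` are relative paths while `--merged` and `--local` are absolute, so the three tuning files resolve against whatever working directory rulecat is started from; if the Salt state invokes it from anywhere else they will not be found and the downloaded ruleset is emitted without the intended disables, enables and modifications (the deployed location of these files is not shown in this patch). Suggest absolute paths for all three, e.g. `--disable=<DEPLOYED_ETC_DIR>/disable.conf` (placeholder for the directory the Salt state installs them to). `--suricata-version 4.0` hard-codes the engine version that selects which ruleset build is fetched; if it ever diverges from the installed Suricata, downloaded rules may use keywords the engine rejects, so it is worth templating this value from the installed package rather than fixing it here. The file also mixes `--opt value` and `--opt=value` forms; both parse, but one style throughout reads more cleanly.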