From 148ef7ef21dd40a6008d9a5e59afd4fa4f318f2b Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Tue, 18 Nov 2025 11:57:30 -0500
Subject: [PATCH] add default ruleset
---
salt/soc/defaults.yaml | 8 ++++++++
salt/suricata/config.sls | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 65cdd385d..53cbb10e1 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1586,6 +1586,14 @@ soc:
 insecureSkipVerify: false
 readOnly: true
 deleteUnreferenced: true
+ - name: ABUSECH-SSLBL
+ deleteUnreferenced: true
+ description: 'Abuse.ch SSL Blacklist'
+ enabled: false
+ license: CC0-1.0
+ readOnly: true
+ sourcePath: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz
+ sourceType: url
 - name: local-rules
 id: local-rules
 description: "Local custom rules from files (*.rules) in a directory on the filesystem"
diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls
index c7c687bae..7ce605e0b 100644
--- a/salt/suricata/config.sls
+++ b/salt/suricata/config.sls
@@ -159,7 +159,7 @@ surithresholding:
 - source: salt://suricata/files/threshold.conf
 - user: 940
 - group: 940
-- contents: 'This file is managed by Security Onion. Do not modify by hand.'
+ - onlyif: salt://suricata/files/threshold.conf
 suriclassifications:
 file.managed:
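Review bot: The new ABUSECH-SSLBL entry in defaults.yaml has no `id` key, while the adjacent `local-rules` entry carries `id: local-rules`; if the ruleset consumer keys entries by `id`, this one will be unaddressable or fall back to some implicit value, so an `id` line should be added (e.g. `id: ABUSECH-SSLBL`, mirroring `name`, a constructed example). The entry also fetches a tarball from an https `sourcePath` but, unlike the entry ending just above it (`insecureSkipVerify: false`), leaves TLS verification to the default; since certificate verification is the only integrity control on a feed that changes continuously and cannot be pinned by checksum, make the intent explicit with `insecureSkipVerify: false`. The key order (`deleteUnreferenced` ahead of `description`) also differs from the `name`/`id`/`description` order the neighbouring entry uses, so reordering to match would keep the list greppable. The preceding list item starts above the hunk, so whether it has an `id` cannot be confirmed from here.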
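Review bot: In config.sls the added `- onlyif: salt://suricata/files/threshold.conf` passes a fileserver URL where Salt's `onlyif` expects a shell command (or, on newer releases, a module call), so the requisite will most likely fail on every run and `file.managed` will be skipped rather than guarded. Because threshold.conf governs alert suppression, a silently skipped state means threshold changes never reach the sensor and nothing in the state result flags it. If the intent is to deploy the file only when it exists on the master, the idiomatic form is a Jinja guard around the whole state, `{% if salt['cp.list_master'](prefix='suricata/files/threshold.conf') %}` … `{% endif %}`, or `onlyif` in its module form (`- fun: cp.list_master` with the same prefix) if the project's Salt version supports it. The `surithresholding` state starts above the hunk, so the full argument list is not visible here.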