Merge pull request #15283 from Security-Onion-Solutions/idstools-refactor

Fixup Airgap

salt/manager/init.sls

@@ -214,7 +214,7 @@ git_config_set_safe_dirs:
 
 surinsmrulesdir:
   file.directory:
-    - name: /nsm/rules/suricata
+    - name: /nsm/rules/suricata/etopen
     - user: 939
     - group: 939
     - makedirs: True

salt/manager/tools/sbin/soup

@@ -1355,7 +1355,7 @@ unmount_update() {
 
 update_airgap_rules() {
   # Copy the rules over to update them for airgap.
-  rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
+  rsync -a --delete $UPDATE_DIR/agrules/suricata/ /nsm/rules/suricata/etopen/
   rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
   rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
   # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch

salt/soc/defaults.yaml

@@ -1622,12 +1622,11 @@ soc:
                 sourceType: directory
             airgap:
               - name: Emerging-Threats
-                description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
+                description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata"
                 licenseKey: ""
                 enabled: true
-                sourceType: url
+                sourceType: directory
-                sourcePath: 'https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz'
+                sourcePath: /nsm/rules/suricata/etopen/
-                urlHash: "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz.md5"
                 license: "BSD"
                 excludeFiles:
                   - "*deleted*"

salt/soc/merged.map.jinja

@@ -108,21 +108,39 @@
 {%     if ruleset.name == 'Emerging-Threats' %}
 {%       if ruleset.licenseKey and ruleset.licenseKey != '' %}
 {#         License key is defined - transform to ETPRO #}
-{#         Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
+{%         if ruleset.sourceType == 'directory' %}
-{%         do ruleset.update({
+{#           Airgap mode - update directory path #}
-             'name': 'ETPRO',
+{%           do ruleset.update({
-             'sourcePath': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz',
+               'name': 'ETPRO',
-             'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
+               'sourcePath': '/nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz',
-             'license': 'Commercial'
+               'license': 'Commercial'
-           }) %}
+             }) %}
+{%         else %}
+{#           Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
+{%           do ruleset.update({
+               'name': 'ETPRO',
+               'sourcePath': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz',
+               'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
+               'license': 'Commercial'
+             }) %}
+{%         endif %}
 {%       else %}
 {#         No license key - explicitly set to ETOPEN #}
-{%         do ruleset.update({
+{%         if ruleset.sourceType == 'directory' %}
-             'name': 'ETOPEN',
+{#           Airgap mode - update directory path #}
-             'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
+{%           do ruleset.update({
-             'urlHash': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.md5',
+               'name': 'ETOPEN',
-             'license': 'BSD'
+               'sourcePath': '/nsm/rules/suricata/etopen/',
-           }) %}
+               'license': 'BSD'
+             }) %}
+{%         else %}
+{%           do ruleset.update({
+               'name': 'ETOPEN',
+               'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
+               'urlHash': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.md5',
+               'license': 'BSD'
+             }) %}
+{%         endif %}
 {%       endif %}
 {%     endif %}
 {%     endfor %}