From 37b3fd9b7b26a4e4267a0b2cbe07d8a7fd8bc8ed Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Thu, 13 Nov 2025 10:41:12 -0500
Subject: [PATCH] add detections backup

---
 salt/manager/tools/sbin/soup | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 0fb83d73f..cb5ec65d4 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1112,11 +1112,35 @@ cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
 Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
 EOF
-# TODO - backup custom rules & overrides
+# Backup custom rules & overrides
 mkdir -p /nsm/backup/detections-migration/2-4-200
 cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
 cp /opt/so/conf/idstools/etc/rulecat.conf /nsm/backup/detections-migration/2-4-200
+if [[ -f /opt/so/conf/soc/so-detections-backup.py ]]; then
+ python3 /opt/so/conf/soc/so-detections-backup.py
+
+ # Verify backup by comparing counts
+ echo "Verifying detection overrides backup..."
+ es_override_count=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -k -L \
+ "https://localhost:9200/so-detection/_count" \
+ -H "Content-Type: application/json" \
+ -d '{"query": {"bool": {"must": [{"exists": {"field": "so_detection.overrides"}}]}}}' | jq -r '.count')
+
+ backup_override_count=$(find /nsm/backup/detections/repo/*/overrides -type f 2>/dev/null | wc -l)
+
+ echo " Elasticsearch overrides: $es_override_count"
+ echo " Backed up overrides: $backup_override_count"
+
+ if [[ "$es_override_count" -eq "$backup_override_count" ]]; then
+ echo " Override backup verified successfully"
+ else
+ echo " Warning: Override counts do not match"
+ fi
+else
+ echo "SOC Detections backup script not found, skipping detection backup"
+fi
+
 }
 suricata_idstools_removal_post() {
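Review bot: The verification added after the `python3` call cannot actually stop the upgrade: the backup script's exit status is ignored, a failed `curl`/`jq` query (Elasticsearch down, HTTP error swallowed by `-s`, missing `.count`) leaves `es_override_count` empty or `null`, which `[[ … -eq … ]]` evaluates as 0 and therefore reports "verified successfully" whenever the overrides directory is also empty, and a genuine mismatch only prints a warning before the function continues. Check the script's exit status, require the count to be numeric (`[[ "$es_override_count" =~ ^[0-9]+$ ]]`), use `curl -sf` so an HTTP error body is never parsed as a count, and treat a mismatch as fatal through whatever failure path soup uses elsewhere (shown as `exit 1` below since none is visible in this hunk). The comparison also assumes the backup script writes exactly one file per detection that has overrides under `/nsm/backup/detections/repo/*/overrides`, and an unmatched glob makes `find` report 0 — worth stating in the comment above the `find`. The enclosing function starts before this hunk.
```shell
if [[ -f /opt/so/conf/soc/so-detections-backup.py ]]; then
  if ! python3 /opt/so/conf/soc/so-detections-backup.py; then
    echo "SOC Detections backup script failed; not continuing" >&2
    exit 1
  fi
  # … unchanged: curl/jq query into es_override_count (with -sf), find into backup_override_count …
  if ! [[ "$es_override_count" =~ ^[0-9]+$ ]]; then
    echo "  Could not read override count from Elasticsearch (got '${es_override_count:-<empty>}')" >&2
    exit 1
  fi
  # … unchanged: count echo lines …
  if [[ "$es_override_count" -eq "$backup_override_count" ]]; then
    echo "  Override backup verified successfully"
  else
    echo "  Override counts do not match; not continuing" >&2
    exit 1
  fi
```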