From 45b241317514e462e0badc79aa16679084c8edec Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Fri, 19 Jul 2024 12:45:24 -0600
Subject: [PATCH] Removed Allow/Deny Regexes, Added Enable/Disable Regex

Update config and annotations for new regex support for suricata.
---
 salt/soc/defaults.yaml | 8 ++------
 salt/soc/soc_soc.yaml | 2 +-
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 6d3667d0b..f33783507 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1311,7 +1311,6 @@ soc:
 kratos:
 hostUrl:
 elastalertengine:
- allowRegex: ''
 autoUpdateEnabled: true
 autoEnabledSigmaRules:
 default:
@@ -1327,7 +1326,6 @@ soc:
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
 failAfterConsecutiveErrorCount: 10
- denyRegex: ''
 elastAlertRulesFolder: /opt/sensoroni/elastalert
 reposFolder: /opt/sensoroni/sigma/repos
 rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
@@ -1392,7 +1390,6 @@ soc:
 userFiles:
 - rbac/users_roles
 strelkaengine:
- allowRegex: ''
 autoEnabledYaraRules:
 - securityonion-yara
 autoUpdateEnabled: true
@@ -1400,7 +1397,6 @@ soc:
 communityRulesImportErrorSeconds: 300
 failAfterConsecutiveErrorCount: 10
 compileYaraPythonScriptPath: /opt/sensoroni/yara/compile_yara.py
- denyRegex: ''
 reposFolder: /opt/sensoroni/yara/repos
 rulesRepos:
 default:
@@ -1415,14 +1411,14 @@ soc:
 stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
 integrityCheckFrequencySeconds: 1200
 suricataengine:
- allowRegex: ''
 autoUpdateEnabled: true
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
 customRulesets:
+ disableRegex: []
+ enableRegex: []
 failAfterConsecutiveErrorCount: 10
 communityRulesFile: /nsm/rules/suricata/emerging-all.rules
- denyRegex: ''
 rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
 stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
 integrityCheckFrequencySeconds: 1200
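Review bot: In the suricataengine hunk the new `disableRegex: []` and `enableRegex: []` defaults carry no comment, so nothing in this file tells an operator that a rule matching both lists ends up enabled; that precedence is stated only in the soc_soc.yaml description changed by this same commit. A one-line comment above the pair, `# enableRegex wins when a rule matches both lists`, would keep the two files in step. The elastalertengine and strelkaengine hunks drop `allowRegex`/`denyRegex` with no successor key, which the subject presents as intended; if soc_soc.yaml still annotates those keys for those engines, the annotations are now stale, since the diffstat shows only a one-line description change in that file.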
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 3732b1308..b390c32c2 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -222,7 +222,7 @@ soc:
 global: True
 forcedType: "[]string"
 enableRegex:
- description: A list of regular expressions used to automatically enable rules that match any of them. Each regular expression is tested against the rule's content.
+ description: A list of regular expressions used to automatically enable rules that match any of them. Each regular expression is tested against the rule's content. Takes priority over disableRegex matches.
 global: True
 forcedType: "[]string"
 integrityCheckFrequencySeconds:
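Review bot: The added sentence `Takes priority over disableRegex matches.` states the precedence only on the enableRegex entry; the disableRegex entry, whose `global: True` / `forcedType: "[]string"` lines appear as context just above but whose description is outside this hunk, presumably does not say it can be overridden, so an operator reading that entry alone gets half the contract. Suggest adding the mirror sentence to the disableRegex description, `A rule that also matches enableRegex remains enabled.`, and phrasing the new sentence in terms of the outcome, `A rule that also matches disableRegex is still enabled.`, so the two entries describe the same rule from both sides.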