CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 18:22:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13879 from Security-Onion-Solutions/2.4/templaterepos

Browse Source 
Add local custom template
This commit is contained in:
Josh Brower
2024-11-07 15:40:36 -05:00
committed by GitHub
parent 356236ba4c f5bd8ab585
commit 47f9b0021c
5 changed files with 149 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/elasticfleet/config.sls
View File

@@ -82,13 +82,6 @@ eapackageupgrade:
{% if GLOBALS.role != "so-fleet" %} {% if GLOBALS.role != "so-fleet" %}
soresourcesrepoconfig:
git.config_set:
- name: safe.directory
- value: /nsm/securityonion-resources
- global: True
- user: socore
{% if not GLOBALS.airgap %} {% if not GLOBALS.airgap %}
soresourcesrepoclone: soresourcesrepoclone:
git.latest: git.latest:

10
salt/manager/init.sls
View File

@@ -141,6 +141,16 @@ rules_dir:
- group: socore - group: socore
- makedirs: True - makedirs: True
git_config_set_safe_dirs:
git.config_set:
- name: safe.directory
- global: True
- user: socore
- multivar:
- /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara
- /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:

32
salt/soc/config.sls
View File

@@ -198,6 +198,38 @@ socsensoronirepos:
- mode: 775 - mode: 775
- makedirs: True - makedirs: True
create_custom_local_yara_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-yara
- bare: False
- force: True
add_readme_custom_local_yara_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-yara/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "yara"
create_custom_local_sigma_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-sigma
- bare: False
- force: True
add_readme_custom_local_sigma_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-sigma/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "sigma"
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:

12
salt/soc/defaults.yaml
View File

@@ -1342,11 +1342,17 @@ soc:
license: Elastic-2.0 license: Elastic-2.0
folder: sigma/stable folder: sigma/stable
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
airgap: airgap:
- repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
license: Elastic-2.0 license: Elastic-2.0
folder: sigma/stable folder: sigma/stable
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
sigmaRulePackages: sigmaRulePackages:
- core - core
- emerging_threats_addon - emerging_threats_addon
@@ -1412,10 +1418,16 @@ soc:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL license: DRL
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
airgap: airgap:
- repo: file:///nsm/rules/detect-yara/repos/securityonion-yara - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
license: DRL license: DRL
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
yaraRulesFolder: /opt/sensoroni/yara/rules yaraRulesFolder: /opt/sensoroni/yara/rules
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 1200 integrityCheckFrequencySeconds: 1200

94
salt/soc/files/soc/detections_custom_repo_template_readme.jinja Normal file
View File

@@ -0,0 +1,94 @@
{% if repo_type == 'yara' %}
# YARA Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any YARA rule files found here.
Just add your rule file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the rule file with a .yar extension:
`vi my_custom_rule.yar`
Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yar`
Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yar"`
The next time the Strelka / YARA engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'sigma' %}
# Sigma Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any Sigma rule files found here.
Just add your rule file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the rule file with a .yml or .yaml extension:
`vi my_custom_rule.yml`
Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yml`
Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yml"`
The next time the Elastalert / Sigma engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% endif %}