From 484717d57d0522da6e9f1bd6f5ab62ab7fa0a492 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 08:42:10 -0400
Subject: [PATCH] initial support for custom suricata urls and local rulesets
---
 salt/idstools/config.sls | 14 ++++++++++++++
 salt/idstools/etc/rulecat.conf | 16 +++++++++++-----
 salt/soc/soc_soc.yaml | 7 +++++++
 3 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls
index e162d1139..4688442ba 100644
--- a/salt/idstools/config.sls
+++ b/salt/idstools/config.sls
@@ -33,6 +33,20 @@ idstools_sbin_jinja:
 - file_mode: 755
 - template: jinja
+suricatacustomdirsfile:
+ file.directory:
+ - name: /nsm/rules/detect-suricata/custom_file
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+suricatacustomdirsurl:
+ file.directory:
+ - name: /nsm/rules/detect-suricata/custom_urls
+ - user: 939
+ - group: 939
+ - makedirs: True
+
 {% else %}
 {{sls}}_state_not_allowed:
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index f7c784413..74434afd2 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,5 +1,7 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS -%}
+{%- from 'soc/merged.map.jinja' import SOCMERGED -%}
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
+--temp-dir=/nsm/rules/detect-suricata/custom_urls
 --merged=/opt/so/rules/nids/suri/all.rules
 --local=/opt/so/rules/nids/suri/local.rules
 {%- if GLOBALS.md_engine == "SURICATA" %}
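Review bot: Neither `suricatacustomdirsfile` nor `suricatacustomdirsurl` sets a directory mode, so `/nsm/rules/detect-suricata/custom_file` and `custom_urls` get whatever the minion's umask yields, and `makedirs: True` creates any missing parents the same way. The soc_soc.yaml hunk in this patch tells operators to place local rule files in `custom_file`, and the rulecat.conf hunk passes those files to rulecat via `--local`, so whoever can write to that directory decides what ends up in the merged rule set; an explicit `- dir_mode: 750` (or whatever uid/gid 939 plus the intended writers actually need — confirm against the processes that touch it) pins that down instead of relying on the host default. A one-line comment above each state naming its consumer, e.g. `# Operator-supplied local rulesets; consumed by idstools rulecat via --local`, would also help, since the directory names alone do not say which branch of the rulecat.conf loop reads them.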
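Review bot: With the `IDSTOOLSMERGED.config.urls` loop removed in the next hunk, the `{%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}` line kept here may no longer have a use in this file; if nothing below the second hunk reads it, drop the import so the template does not suggest two sources of rule URLs. The new `--temp-dir=/nsm/rules/detect-suricata/custom_urls` line would also benefit from a Jinja comment tying it to the directory created in config.sls, e.g. `{# rulecat working directory for fetched rule archives; created by idstools/config.sls #}` — assuming that is what rulecat does with `--temp-dir`, which this file does not show. The remainder of the file after this hunk is not visible here.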
@@ -10,8 +12,12 @@
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- if IDSTOOLSMERGED.config.urls | length > 0 %}
-{%- for URL in IDSTOOLSMERGED.config.urls %}
---url={{ URL }}
-{%- endfor %}
-{%- endif %}
+{%- if SOCMERGED.config.server.modules.suricataengine.customRulesets %}
+ {%- for ruleset in SOCMERGED.config.server.modules.suricataengine.customRulesets %}
+ {%- if 'url' in ruleset %}
+--url={{ ruleset.url }}
+ {%- elif 'file' in ruleset %}
+--local={{ ruleset.file }}
+ {%- endif %}
+ {%- endfor %}
+{%- endif %}
\ No newline at end of file
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 47d051e4e..b63094927 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
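Review bot: The loop only emits `--url` or `--local` when a ruleset entry carries a key named `url` or `file`, but the soc_soc.yaml hunk in this same patch documents the entry format as `{"community":...,"ruleset":...,"license":...,"path":...}` with the URL or file path under `path`; an entry written as documented matches neither branch and is silently dropped, unless something between the SOC setting and SOCMERGED renames the key, which is not visible here. Either read `ruleset.path` in this loop (choosing `--url` or `--local` from its form) or change the documented keys to `url`/`file`, and keep the two hunks in step. Separately, `--local={{ ruleset.file }}` is passed through unchanged while the description says local files must live under `/nsm/rules/detect-suricata/custom_file`; nothing here enforces that, so any readable path on the host could be merged into the rule set by whoever edits this setting. A guard such as `{%- elif 'file' in ruleset and ruleset.file.startswith('/nsm/rules/detect-suricata/custom_file/') %}` keeps the template to the documented contract. The `{%- if` on the first added line also assumes `suricataengine` is present in the merged config; if it can be absent, guard the access.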
@@ -247,6 +247,13 @@ soc:
 description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
 global: True
 advanced: True
+ customRulesets:
+ description: 'Custom URLs or local files to sync Suricata rules from. Format is: {"community":true,"ruleset":"snort-community","license":"GPLv2","path":"https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"}. All fields are required. Replace the URL in path with a full file path for local rules, which must be put under: /nsm/rules/detect-suricata/custom_file. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated, and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections --> Options dropdown menu --> Suricata --> Full Update.'
+ global: True
+ multiline: True
+ advanced: True
+ forcedType: '[]{}'
+ helpLink: suricata.html
 client:
 enableReverseLookup:
 description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
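Review bot: The description states that "All fields are required" and that local paths "must be put under" `/nsm/rules/detect-suricata/custom_file`, but nothing in this patch validates either — the rulecat.conf template only tests whether a key is present, and `forcedType: '[]{}'` appears to constrain the shape rather than the contents, if that is what it does. Either reword these as expectations ("should contain", "is expected under") or add the validation where the setting is consumed, so operators are not given a guarantee the system does not provide. The `community` behaviour described (rules cannot be deleted or edited) is likewise not implemented by any hunk here; if it lives elsewhere, a short pointer to that component in the description would help the next reader.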