initial support for custom suricata urls and local rulesets

This commit is contained in:
DefensiveDepth
2024-06-14 08:42:10 -04:00
parent b91c608fcf
commit 484717d57d
3 changed files with 32 additions and 5 deletions


@@ -33,6 +33,20 @@ idstools_sbin_jinja:
- file_mode: 755 - file_mode: 755
- template: jinja - template: jinja
suricatacustomdirsfile:
file.directory:
- name: /nsm/rules/detect-suricata/custom_file
- user: 939
- group: 939
- makedirs: True
suricatacustomdirsurl:
file.directory:
- name: /nsm/rules/detect-suricata/custom_urls
- user: 939
- group: 939
- makedirs: True
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:
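Review bot: Neither `suricatacustomdirsfile` nor `suricatacustomdirsurl` pins directory permissions, so with `makedirs: True` the new `/nsm/rules/detect-suricata/custom_file` and `custom_urls` directories (and any parents Salt creates) end up with whatever the minion's umask yields. Both are inputs to rule generation in this same commit — one receives operator-placed rule files that are passed as `--local`, the other is used as the download temp dir — so the state should make the intended access explicit and auditable, e.g. add `- dir_mode: 750` to each `file.directory`. The enclosing `{% if %}`/`{% else %}` block starts outside the hunk. The hunk header counts 14 added lines but only 12 are visible here, so blank lines were probably dropped in rendering.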


@@ -1,5 +1,7 @@
{%- from 'vars/globals.map.jinja' import GLOBALS -%} {%- from 'vars/globals.map.jinja' import GLOBALS -%}
{%- from 'soc/merged.map.jinja' import SOCMERGED -%}
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%} {%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
--temp-dir=/nsm/rules/detect-suricata/custom_urls
--merged=/opt/so/rules/nids/suri/all.rules --merged=/opt/so/rules/nids/suri/all.rules
--local=/opt/so/rules/nids/suri/local.rules --local=/opt/so/rules/nids/suri/local.rules
{%- if GLOBALS.md_engine == "SURICATA" %} {%- if GLOBALS.md_engine == "SURICATA" %}
@@ -10,8 +12,12 @@
--disable=/opt/so/idstools/etc/disable.conf --disable=/opt/so/idstools/etc/disable.conf
--enable=/opt/so/idstools/etc/enable.conf --enable=/opt/so/idstools/etc/enable.conf
--modify=/opt/so/idstools/etc/modify.conf --modify=/opt/so/idstools/etc/modify.conf
{%- if IDSTOOLSMERGED.config.urls | length > 0 %} {%- if SOCMERGED.config.server.modules.suricataengine.customRulesets %}
{%- for URL in IDSTOOLSMERGED.config.urls %} {%- for ruleset in SOCMERGED.config.server.modules.suricataengine.customRulesets %}
--url={{ URL }} {%- if 'url' in ruleset %}
{%- endfor %} --url={{ ruleset.url }}
{%- elif 'file' in ruleset %}
--local={{ ruleset.file }}
{%- endif %}
{%- endfor %}
{%- endif %} {%- endif %}
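Review bot: The `--local={{ ruleset.file }}` branch accepts any path, so the requirement in the new SOC setting description (third file) that local rules live under `/nsm/rules/detect-suricata/custom_file` is documentation only; an entry pointing elsewhere makes the merge read an arbitrary file readable by the idstools user as rules. A render-time guard such as `{%- elif 'file' in ruleset and ruleset.file.startswith('/nsm/rules/detect-suricata/custom_file/') %}` would enforce it, and a similar scheme check on `ruleset.url` is worth considering if only http(s) sources are expected. The key names are also inconsistent: this template branches on `'url' in ruleset` / `'file' in ruleset`, while the third file's description tells users to supply `path`, so unless the suricataengine module renames keys before they reach the pillar, the documented entry matches neither branch and is silently skipped. Both values are interpolated unescaped into a line-oriented config, so the SOC side should reject values containing newlines or whitespace; whether it does is not visible here. The enclosing `{%- if GLOBALS.md_engine == "SURICATA" %}` opened in the first hunk closes outside this one.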


@@ -247,6 +247,13 @@ soc:
description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.' description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
global: True global: True
advanced: True advanced: True
customRulesets:
description: 'Custom URLs or local files to sync Suricata rules from. Format is: {"community":true,"ruleset":"snort-community","license":"GPLv2","path":"https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"}. All fields are required. Replace the URL in path with a full file path for local rules, which must be put under: /nsm/rules/detect-suricata/custom_file. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated, and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections --> Options dropdown menu --> Suricata --> Full Update.'
global: True
multiline: True
advanced: True
forcedType: '[]{}'
helpLink: suricata.html
client: client:
enableReverseLookup: enableReverseLookup:
description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.