From a4cd695cc8da1985ee22876c6814028ecf674103 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 11 May 2023 16:00:07 -0400 Subject: [PATCH 1/3] Airgap Rules Fix --- salt/docker/defaults.yaml | 1 + salt/firewall/defaults.yaml | 8 ++++++++ salt/firewall/soc_firewall.yaml | 3 +++ salt/idstools/etc/rulecat.conf | 2 +- setup/so-functions | 10 ++-------- 5 files changed, 15 insertions(+), 9 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 55dfc5db5..ad3506737 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -73,6 +73,7 @@ docker: - 80:80 - 443:443 - 8443:8443 + - 7788:7788 custom_bind_mounts: [] extra_hosts: [] 'so-playbook': diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 1526e5504..b3ec4da27 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -94,6 +94,9 @@ firewall: tcp: - 5601 udp: [] + localrules: + tcp: - 7788 + udp: [] mysql: tcp: - 3306 @@ -181,6 +184,7 @@ firewall: - influxdb - elasticsearch_rest - elasticsearch_node + - localrules sensor: portgroups: - beats_5044 @@ -364,6 +368,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - localrules sensor: portgroups: - beats_5044 @@ -501,6 +506,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - localrules sensor: portgroups: - beats_5044 @@ -648,6 +654,7 @@ firewall: - elastic_agent_update - endgame - strelka_frontend + - localrules fleet: portgroups: - elasticsearch_rest @@ -1005,6 +1012,7 @@ firewall: - elasticsearch_rest - elasticsearch_node - elastic_agent_control + - localrules sensor: portgroups: - beats_5044 diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 9954c1305..d1db56a0b 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
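Review bot: The new `- 7788:7788` entry publishes the port on every host address (there is no `127.0.0.1:` prefix as a loopback-only binding would have), so reachability of whatever listens there — presumably the local NIDS rule feed, given the patch title and the matching `localrules` portgroup — rests entirely on the firewall portgroups added in the salt/firewall hunks of this same patch. Docker-published ports are normally accepted through Docker's own iptables chains rather than the host INPUT rules, so it is worth confirming on a built node that the `localrules` portgroup actually restricts this port instead of being bypassed. A short comment next to the entry would also help the next reader, e.g. `# 7788: local rules feed, access gated by the localrules firewall portgroup`.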
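Review bot: The first salt/firewall/defaults.yaml hunk is headed `@@ -94,6 +94,9 @@`, i.e. three added lines, but the `localrules` block as rendered here needs four (`localrules:`, `tcp:`, `- 7788`, `udp: []`) and no `+` is visible before `- 7788`; if that is not an artifact of this page's collapsed layout the patch will not apply cleanly, so a `git apply --check` on the series is worth running. The remaining five hunks (around old lines 181, 364, 501, 648 and 1005) each append `- localrules` to a role's `portgroups` list, but every hunk header only shows `firewall:`, so which roles now accept TCP 7788 cannot be told from the diff; a comment on the new portgroup, e.g. `# localrules: TCP 7788, local NIDS rule feed for nodes that pull rules`, plus a line in the commit message naming the roles would make the added exposure reviewable.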
@@ -118,6 +118,9 @@ firewall: kibana: tcp: *tcpsettings udp: *udpsettings + localrules: + tcp: *tcpsettings + udp: *udpsettings mysql: tcp: *tcpsettings udp: *udpsettings diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index fad421243..4ba668026 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -4,7 +4,7 @@ {%- if GLOBALS.airgap is sameas true -%} --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules -{%- if GLOBAL.md_engine == "SURICATA" %} +{%- if GLOBALS.md_engine == "SURICATA" %} --local=/opt/so/rules/nids/sorules/extraction.rules --local=/opt/so/rules/nids/sorules/filters.rules {%- endif %} diff --git a/setup/so-functions b/setup/so-functions index 86a56abd8..ee2d6f81b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -37,14 +37,8 @@ logCmd() { airgap_rules() { # Copy the rules for suricata if using Airgap - mkdir -p /nsm/repo/rules - cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/ - - # Copy over sigma rules - cp -Rv /root/SecurityOnion/agrules/sigma /nsm/repo/rules/ - - # Don't leave Strelka out - cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/ + mkdir -p /nsm/rules + cp -Rv /root/SecurityOnion/agrules/* /nsm/rules/ } add_admin_user() { From 64e294ef48dc17f985cfd71a00e20e15629258b5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 11 May 2023 16:02:58 -0400 Subject: [PATCH 2/3] Fix verify so copying sigma rules isnt fail --- setup/so-verify | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-verify b/setup/so-verify index a89e24120..3c3724e9d 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -48,6 +48,7 @@ log_has_errors() { grep -vE "code: 100" | \ grep -vE "/tmp/__salt.tmp." | \ grep -vE "retcode: 126" | \ + grep -vE "/nsm/repo/rules/sigma/rules*" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then From 2fe88a1e663d44102a4fa2c187207fad661736a1 Mon Sep 17 00:00:00 2001 
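Review bot: The corrected `{%- if GLOBALS.md_engine == "SURICATA" %}` now actually gates the two `--local=/opt/so/rules/nids/sorules/...` entries under airgap, where the old `GLOBAL.` lookup presumably failed to render, but the reason these two lines are conditional is not stated anywhere in the hunk. A Jinja comment above the condition would spare the next reader the guess, e.g. `{#- extraction.rules/filters.rules are Suricata-only; skipped for other md_engine values -#}`. The enclosing `{%- if GLOBALS.airgap is sameas true -%}` block ends outside the hunk.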
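Review bot: The new `cp -Rv /root/SecurityOnion/agrules/* /nsm/rules/` relies on an unquoted glob, so an empty or missing `agrules` directory makes `cp` fail on a literal `*`; `cp -Rv /root/SecurityOnion/agrules/. /nsm/rules/` copies the directory contents without that failure mode. The old version copied three named items, while the new one copies everything under `agrules`, so the comment `# Copy the rules for suricata if using Airgap` is now stale — `# Copy all bundled airgap rule sets (NIDS, sigma, strelka, anything else under agrules) to /nsm/rules` describes what the line does. Neither the old nor the new code checks the exit status of `cp`, so a partial copy is only visible in the verbose output; if the caller does not inspect that, a failed copy silently leaves an airgapped node without rules — worth confirming. airgap_rules() is fully inside the hunk.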
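Review bot: The added filter `grep -vE "/nsm/repo/rules/sigma/rules*"` is an extended regex, not a glob: `rules*` means `rule` followed by any number of `s`, and since grep matches substrings the trailing `s*` adds nothing, so the pattern is effectively `/nsm/repo/rules/sigma/rule`. More importantly it drops every error line mentioning that path from the verification log — a permission failure or a truncated copy there would now pass `log_has_errors` — so the exclusion should be narrowed to the exact benign message the sigma copy emits, once that text is known, with a comment such as `# sigma rule copy logs <benign message> on airgap installs; not a failure` above it. Patch 1/3 in this series also moved the airgap copy target from `/nsm/repo/rules/` to `/nsm/rules/`, so if the suppressed message came from that copy this pattern no longer matches it; if it comes from a salt state that still writes to `/nsm/repo/rules`, the path is fine but deserves the comment. Patch 3/3 adds the identical line again, this time after the `code: 100` filter and against a different base blob (`7345ae4ab` rather than `3c3724e9d`), which looks like a rebase; both hunks share the issues above and the series should end up carrying the line once. log_has_errors() starts and ends outside the hunk.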
From: Mike Reeves Date: Mon, 15 May 2023 15:33:52 -0400 Subject: [PATCH 3/3] Fix verify so copying sigma rules isnt fail --- setup/so-verify | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-verify b/setup/so-verify index 7345ae4ab..62e15b7d4 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -44,6 +44,7 @@ log_has_errors() { grep -vE "Exception in callback None" | \ grep -vE "deprecation: ERROR" | \ grep -vE "code: 100" | \ + grep -vE "/nsm/repo/rules/sigma/rules*" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then