Merge pull request #10340 from Security-Onion-Solutions/airgaps

Fix IDS Tools

salt/docker/defaults.yaml

@@ -73,6 +73,7 @@ docker:
         - 80:80
         - 443:443
         - 8443:8443
+        - 7788:7788
       custom_bind_mounts: []
       extra_hosts: []
     'so-playbook':

salt/firewall/defaults.yaml

@@ -94,6 +94,9 @@ firewall:
       tcp:
         - 5601
       udp: []
+    localrules:
+      tcp: - 7788
+      udp: []
     mysql:
       tcp:
         - 3306
@@ -181,6 +184,7 @@ firewall:
                 - influxdb
                 - elasticsearch_rest
                 - elasticsearch_node
+                - localrules
             sensor:
               portgroups:
                 - beats_5044
@@ -364,6 +368,7 @@ firewall:
                 - elastic_agent_control
                 - elastic_agent_data
                 - elastic_agent_update
+                - localrules
             sensor:
               portgroups:
                 - beats_5044
@@ -501,6 +506,7 @@ firewall:
                 - elastic_agent_control
                 - elastic_agent_data
                 - elastic_agent_update
+                - localrules
             sensor:
               portgroups:
                 - beats_5044
@@ -648,6 +654,7 @@ firewall:
                 - elastic_agent_update
                 - endgame
                 - strelka_frontend
+                - localrules
             fleet:
               portgroups:
                 - elasticsearch_rest
@@ -1005,6 +1012,7 @@ firewall:
                 - elasticsearch_rest
                 - elasticsearch_node
                 - elastic_agent_control
+                - localrules
             sensor:
               portgroups:
                 - beats_5044

salt/firewall/soc_firewall.yaml

@@ -118,6 +118,9 @@ firewall:
     kibana:
       tcp: *tcpsettings
       udp: *udpsettings
+    localrules:
+      tcp: *tcpsettings
+      udp: *udpsettings
     mysql:
       tcp: *tcpsettings
       udp: *udpsettings

salt/idstools/etc/rulecat.conf

@@ -4,7 +4,7 @@
 {%- if GLOBALS.airgap is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
-{%-   if GLOBAL.md_engine == "SURICATA" %}
+{%-   if GLOBALS.md_engine == "SURICATA" %}
 --local=/opt/so/rules/nids/sorules/extraction.rules
 --local=/opt/so/rules/nids/sorules/filters.rules
 {%-   endif %}

setup/so-functions

@@ -37,14 +37,8 @@ logCmd() {
 
 airgap_rules() {
 	# Copy the rules for suricata if using Airgap
-	mkdir -p /nsm/repo/rules
-	cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/
-	
-	# Copy over sigma rules
-	cp -Rv /root/SecurityOnion/agrules/sigma /nsm/repo/rules/
-
-	# Don't leave Strelka out
-	cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/
+	mkdir -p /nsm/rules
+	cp -Rv /root/SecurityOnion/agrules/* /nsm/rules/
 }
 
 add_admin_user() {

setup/so-verify

@@ -44,6 +44,7 @@ log_has_errors() {
         grep -vE "Exception in callback None" | \
         grep -vE "deprecation: ERROR" | \
         grep -vE "code: 100" | \
+        grep -vE "/nsm/repo/rules/sigma/rules*" | \
         grep -vE "Running scope as unit" &> "$error_log"
     
     if [[ $? -eq 0 ]]; then