test regexes for detections

This commit is contained in:
Jason Ertel
2024-05-06 19:03:12 -04:00
parent a67f0d93a0
commit 4ebe070cd8
3 changed files with 17 additions and 0 deletions


@@ -135,6 +135,7 @@ soc:
description: Duration (in milliseconds) to wait for a response from the Elasticsearch host before giving up and showing an error on the SOC UI. description: Duration (in milliseconds) to wait for a response from the Elasticsearch host before giving up and showing an error on the SOC UI.
global: True global: True
advanced: True advanced: True
forcedType: int
casesEnabled: casesEnabled:
description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled. description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
global: True global: True
@@ -179,10 +180,12 @@ soc:
description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI. description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI.
global: True global: True
advanced: True advanced: True
forcedType: int
relayTimeoutMs: relayTimeoutMs:
description: Duration (in milliseconds) to wait for a response from the Salt API when executing common grid management tasks before giving up and showing an error on the SOC UI. description: Duration (in milliseconds) to wait for a response from the Salt API when executing common grid management tasks before giving up and showing an error on the SOC UI.
global: True global: True
advanced: True advanced: True
forcedType: int
strelkaengine: strelkaengine:
allowRegex: allowRegex:
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
@@ -242,17 +245,21 @@ soc:
description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI. description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
global: True global: True
advanced: True advanced: True
forcedType: int
webSocketTimeoutMs: webSocketTimeoutMs:
description: Duration (in milliseconds) to wait for a response from the SOC server websocket before giving up and reconnecting. description: Duration (in milliseconds) to wait for a response from the SOC server websocket before giving up and reconnecting.
global: True global: True
advanced: True advanced: True
forcedType: int
tipTimeoutMs: tipTimeoutMs:
description: Duration (in milliseconds) to show the popup tips, which typically indicate a successful operation. description: Duration (in milliseconds) to show the popup tips, which typically indicate a successful operation.
global: True global: True
forcedType: int
cacheExpirationMs: cacheExpirationMs:
description: Duration (in milliseconds) of cached data within the browser, including users and settings. description: Duration (in milliseconds) of cached data within the browser, including users and settings.
global: True global: True
advanced: True advanced: True
forcedType: int
casesEnabled: casesEnabled:
description: Set to true to enable case management in SOC. description: Set to true to enable case management in SOC.
global: True global: True
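Review bot: The new `forcedType: int` entries pin the type of these millisecond durations but not their range, so a value of 0 or a negative number would still be accepted for every timeout as well as for `cacheExpirationMs`, and the descriptions give no hint of what the SOC UI does with such a value. If the annotation schema used here has a minimum or range field, it belongs next to each `forcedType: int`; if it does not, the description should at least state the constraint, e.g. `description: Duration (in milliseconds) ... Must be a positive integer.` I cannot see the schema definition from this hunk, so treat the field name as something to confirm. The boolean settings in the same file (`casesEnabled`) get no forced type in this commit; if the schema supports a boolean forced type, doing the same there would keep the coercion behaviour uniform.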


@@ -1257,6 +1257,13 @@ soc_pillar() {
" config:"\ " config:"\
" server:"\ " server:"\
" srvKey: '$SOCSRVKEY'"\ " srvKey: '$SOCSRVKEY'"\
" modules:"\
" elastalertengine:"\
" allowRegex: '$ELASTALERT_ALLOW_REGEX'"\
" strelkaengine:"\
" allowRegex: '$STRELKA_ALLOW_REGEX'"\
" suricataengine:"\
" allowRegex: '$SURICATA_ALLOW_REGEX'"\
"" > "$soc_pillar_file" "" > "$soc_pillar_file"
if [[ $telemetry -ne 0 ]]; then if [[ $telemetry -ne 0 ]]; then
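Review bot: The three added `allowRegex: '$..._ALLOW_REGEX'` lines splice a shell variable into a single-quoted YAML scalar without escaping, so a regex containing a single quote (a legitimate character in a rule-name pattern) would break the pillar file, and one containing `''` would be silently rewritten. Doubling the quotes before interpolation fixes this, e.g. `"      allowRegex: '${STRELKA_ALLOW_REGEX//\'/\'\'}'"\` and the same for the ElastAlert and Suricata variables. The block is also emitted unconditionally, so outside the test profile (where these variables do not appear to be set) the pillar will contain `allowRegex: ''`; whether an empty allow regex means "allow everything" or "allow nothing" is not visible here and should be confirmed against the engine, or the `modules:` block should only be written when at least one variable is non-empty. `soc_pillar()` starts before this hunk and the heredoc-style write continues past it.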


@@ -245,6 +245,9 @@ if [ -n "$test_profile" ]; then
WEBUSER=onionuser@somewhere.invalid WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r WEBPASSWD2=0n10nus3r
STRELKA_ALLOW_REGEX="EquationGroup_Toolset_Apr17__ELV_.*"
ELASTALERT_ALLOW_REGEX="Security Onion"
SURICATA_ALLOW_REGEX="200033\\d"
update_sudoers_for_testing update_sudoers_for_testing
fi fi
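Review bot: The three test regexes are unanchored, so if the engines apply them with a search-style match rather than a full match (not visible from here), `200033\d` would also admit any SID merely containing that substring and `Security Onion` any rule whose name contains the phrase; anchoring them, e.g. `SURICATA_ALLOW_REGEX='^200033\d$'`, makes the test selection deterministic regardless of which matching mode the engine uses. Writing the Suricata pattern in single quotes also removes the `\\d` double escape, so the value reads the same in the script as it will in the pillar. Since these assignments exist only under the `$test_profile` branch, the normal install path leaves the variables unset; the code that consumes them elsewhere should be checked to tolerate that. The enclosing `if [ -n "$test_profile" ]` block begins before this hunk.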