CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add local custom template

Browse Source
This commit is contained in:
defensivedepth
2024-10-29 19:42:06 -04:00
parent ac359839e2
commit 5406a263d5
5 changed files with 100 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/elasticfleet/config.sls
View File

@@ -82,13 +82,6 @@ eapackageupgrade:
{% if GLOBALS.role != "so-fleet" %} {% if GLOBALS.role != "so-fleet" %}
soresourcesrepoconfig:
git.config_set:
- name: safe.directory
- value: /nsm/securityonion-resources
- global: True
- user: socore
{% if not GLOBALS.airgap %} {% if not GLOBALS.airgap %}
soresourcesrepoclone: soresourcesrepoclone:
git.latest: git.latest:

9
salt/manager/init.sls
View File

@@ -141,6 +141,15 @@ rules_dir:
- group: socore - group: socore
- makedirs: True - makedirs: True
git_config_set_safe_dirs:
git.config_set:
- name: safe.directory
- multivar:
- /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara
- /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources
- global: True
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:

32
salt/soc/config.sls
View File

@@ -198,6 +198,38 @@ socsensoronirepos:
- mode: 775 - mode: 775
- makedirs: True - makedirs: True
create_custom_local_yara_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-yara
- bare: False
- force: True
add_readme_custom_local_yara_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-yara/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "yara"
create_custom_local_sigma_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-sigma
- bare: False
- force: True
add_readme_custom_local_sigma_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-sigma/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "sigma"
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:

12
salt/soc/defaults.yaml
View File

@@ -1342,11 +1342,17 @@ soc:
license: Elastic-2.0 license: Elastic-2.0
folder: sigma/stable folder: sigma/stable
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
airgap: airgap:
- repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
license: Elastic-2.0 license: Elastic-2.0
folder: sigma/stable folder: sigma/stable
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
sigmaRulePackages: sigmaRulePackages:
- core - core
- emerging_threats_addon - emerging_threats_addon
@@ -1412,10 +1418,16 @@ soc:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL license: DRL
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
airgap: airgap:
- repo: file:///nsm/rules/detect-yara/repos/securityonion-yara - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
license: DRL license: DRL
community: true community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
yaraRulesFolder: /opt/sensoroni/yara/rules yaraRulesFolder: /opt/sensoroni/yara/rules
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 1200 integrityCheckFrequencySeconds: 1200

46
salt/soc/files/soc/detections_custom_repo_template_readme.jinja Normal file
View File

@@ -0,0 +1,46 @@
{% if repo_type == 'yara' %}
# YARA Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any YARA rule files found here.
Just add your rule file and commit it.
For example:
First, create the rule file; make sure to create the file with a .yar extension
`sudo vi my_custom_rule.yar`
Next, use git to stage the new rule to be commited:
`sudo git add my_custom_rule.yar`
Finally, commit it.
If this is your first time making changes to this repo, you will be asked to set some configuration.
`sudo git commit -m "Initial commit of my_custom_rule.yar"`
The next time the Strelka / YARA engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'sigma' %}
# Sigma Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any Sigma rule files found here.
Just add your rule file and commit it.
For example:
First, create the rule file; make sure to create the file with a .yaml|.yml extension
`sudo vi my_custom_rule.yml`
Next, use git to stage the new rule to be commited:
`sudo git add my_custom_rule.yml`
Finally, commit it.
If this is your first time making changes to this repo, you will be asked to set some configuration.
`sudo git commit -m "Initial commit of my_custom_rule.yml"`
The next time the Elastalert / Sigma engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% endif %}