From 68302e14b9f0286fdc873ddb7b18c0dbd3ae58e3 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 09:28:23 -0400
Subject: [PATCH] add to defaults and tweaks
---
 salt/idstools/config.sls | 1 -
 salt/soc/defaults.yaml | 1 +
 salt/soc/soc_soc.yaml | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls
index 4688442ba..2a45cf526 100644
--- a/salt/idstools/config.sls
+++ b/salt/idstools/config.sls
@@ -45,7 +45,6 @@ suricatacustomdirsurl: - name: /nsm/rules/detect-suricata/custom_urls - user: 939 - group: 939 - - makedirs: True {% else %}
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index f0d028fdb..ca9d2c6a1 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1399,6 +1399,7 @@ soc: autoUpdateEnabled: true communityRulesImportFrequencySeconds: 86400 communityRulesImportErrorSeconds: 300 + customRulesets: '' failAfterConsecutiveErrorCount: 10 communityRulesFile: /nsm/rules/suricata/emerging-all.rules denyRegex: ''
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index e11c5ad73..e60a94485 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
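Review bot: The new `customRulesets: ''` default in defaults.yaml carries no explanation of what the value is expected to contain, and the same commit's soc_soc.yaml hunk reduces the UI description to a pointer at external documentation, so a reader of either file now gets no statement of the format. Suggest a comment above the new key: `# One JSON object per line describing a ruleset to sync (url or local file); empty string means no custom rulesets.` The "empty means none" reading is inferred from the default, not shown in this hunk — confirm against the importer before committing to that wording. The default is a YAML string (`''`), so whatever consumes it must tolerate an empty or whitespace-only value rather than attempting to decode it as JSON; that consumer is not visible here.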
@@ -248,7 +248,7 @@ soc: global: True advanced: True customRulesets: - description: 'Custom URLs or local files to sync Suricata rules from. Format is: {"community":true,"license":"GPLv2","ruleset":"snort-community","url":"https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"}. All fields are required. Replace the url parameter with "file" and the path for local rules, which must be put under: /nsm/rules/detect-suricata/custom_file. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated, and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections --> Options dropdown menu --> Suricata --> Full Update.' + description: 'URLs and/or Local File configurations for Suricata custom rulesets. Refer to the linked documentation for important specification and file placement information' global: True multiline: True advanced: True
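Review bot: The replacement description says "Refer to the linked documentation" but this hunk adds no link, and the stanza's visible keys (global, multiline, advanced) do not include one; if no help link exists elsewhere in the stanza the reference dangles, and the operator loses the only place the ruleset object format and the "local files must be under /nsm/rules/detect-suricata/custom_file" constraint were stated. Because this setting decides which URLs and local paths Suricata rules are pulled from, I would keep a one-line summary in the UI text, e.g. `description: 'Custom Suricata rulesets, one JSON object per line, each naming either a url to fetch or a local file under /nsm/rules/detect-suricata/custom_file. Refer to the linked documentation for the full specification and required fields.'` Whether the custom_file placement constraint is enforced by SOC or only by convention is not visible in this diff; if it is convention only, stating it in the help text matters more, not less. The customRulesets stanza may continue past the hunk's last context line.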