IDSTools Overhaul

2025-12-06 17:22:49 +01:00 · 2020-09-09 15:53:32 -04:00
parent a77532c1d8
commit 7ebf93fcb5
5 changed files with 37 additions and 4 deletions
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -123,7 +123,19 @@ pillar_changes() {
    
    # Move baseurl in global.sls
    if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
-      # Move the static file to global.sls
+    rc1_to_rc2
+    rc2_to_rc3
+    fi
+
+    if [[ "$INSTALLEDVERSION" =~ rc.2 ]]; then
+    rc2_to_rc3
+    fi
+
+}
+
+rc1_to_rc2() {
+
+  # Move the static file to global.sls
      echo "Migrating static.sls to global.sls"
      mv -v /opt/so/saltstack/local/pillar/static.sls /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
      sed -i '1c\global:' /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
@@ -158,8 +170,16 @@ pillar_changes() {
        curl -XPUT http://localhost:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"'$NAME'": {"skip_unavailable": "true", "seeds": ["'$EHOSTNAME':9300"]}}}}}'
      done </tmp/nodes.txt

+}
+
+rc2_to_rc3() {
+
+  # move location of local.rules
+  cp /opt/so/saltstack/default/salt/idstools/localrules/local.rules /opt/so/saltstack/local/salt/idstools/local.rules
+  mv /opt/so/saltstack/default/salt/idstools/localrules/local.rules /opt/so/saltstack/default/salt/idstools/localrules/local.rules.USE.THE.FILE.IN.LOCAL
+
+  # Rename ZEEKVERSION to MDENGINE

-    fi
 }

 update_dockers() {
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -55,7 +55,7 @@ rulesdir:
 synclocalnidsrules:
  file.managed:
    - name: /opt/so/rules/nids/local.rules
-    - source: salt://idstools/localrules/local.rules
+    - source: salt://idstools/local.rules
    - user: 939
    - group: 939

--- a/salt/idstools/localrules/local.rules
+++ b/salt/idstools/localrules/local.rules
@@ -1 +0,0 @@
-# Put your own custom Snort/Suricata rules in this file! /opt/so/saltstack/local/salt/idstools/localrules/local.rules
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -46,6 +46,12 @@ logCmd() {
 	$cmd >> "$setup_log" 2>&1
 }

+airgap_rules() {
+	# Copy the rules for suricata if using Airgap
+	mkdir -p /opt/so/rules/nids
+	cp -v /root/SecurityOnion/agrules/emerging-all.rules /opt/so/rules/nids/
+}
+
 analyze_system() {
 	title "System Characteristics"
 	logCmd "uptime"
@@ -630,6 +636,12 @@ create_local_directories() {

 }

+create_local_nids_rules() {
+	# Create a local.rules file so it doesn't get blasted on updates
+	mkdir -p /opt/so/saltstack/local/salt/idstools
+	echo "# Custom Suricata rules go in this file" > /opt/so/saltstack/local/salt/idstools/local.rules
+}
+
 create_repo() {
 	# Create the repo for airgap
 	createrepo /nsm/repo
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -465,6 +465,7 @@ fi
    if [[ $is_manager && $is_airgap ]]; then
 	    info "Creating airgap repo"
 	    create_repo >> $setup_log 2>&1
+		airgap_rules >> $setup_log 2>&1
    fi

 	if [[ $is_minion ]]; then
@@ -575,6 +576,7 @@ fi
 		salt-call state.apply -l info manager >> $setup_log 2>&1

 		set_progress_str 61 "$(print_salt_state_apply 'idstools')"
+		create_local_nids_rules >> $setup_log 2>&1
 		salt-call state.apply -l info idstools >> $setup_log 2>&1

 		set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"
				`@@ -1 +0,0 @@`
				`# Put your own custom Snort/Suricata rules in this file! /opt/so/saltstack/local/salt/idstools/localrules/local.rules`