From 81ee60e6586f2fac5e47c96c40fa2ca32245f6c6 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Tue, 28 May 2024 06:42:18 -0400
Subject: [PATCH 1/3] Backup .yml files too

---
 salt/manager/tools/sbin/soup | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index b6bf61d2a..c37138e19 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -677,7 +677,7 @@ playbook_migration() {
     if grep -A 1 'playbook:' /opt/so/saltstack/local/pillar/minions/* | grep -q 'enabled: True'; then
         # Check for active Elastalert rules
-        active_rules_count=$(find /opt/so/rules/elastalert/playbook/ -type f -name "*.yaml" | wc -l)
+        active_rules_count=$(find /opt/so/rules/elastalert/playbook/ -type f \( -name "*.yaml" -o -name "*.yml" \) | wc -l)
         if [[ "$active_rules_count" -gt 0 ]]; then
             # Prompt the user to press ENTER if active Elastalert rules found
@@ -691,7 +691,8 @@ playbook_migration() {
             read -r
             echo "Backing up the Elastalert rules..."
-            rsync -av --stats /opt/so/rules/elastalert/playbook/*.yaml /nsm/backup/detections-migration/elastalert/
+            rsync -av --stats /opt/so/rules/elastalert/playbook/*.{yaml,yml} /nsm/backup/detections-migration/elastalert/
+        fi
             # Verify that rsync completed successfully
             if [[ $? -eq 0 ]]; then

From 74dfc25376d845d042cfd1c00b57541ec40cffcc Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Tue, 28 May 2024 09:29:10 -0400
Subject: [PATCH 2/3] backup local rules

---
 salt/manager/tools/sbin/soup | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index c37138e19..9b61f3c8c 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
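Review bot: The new rsync source `/opt/so/rules/elastalert/playbook/*.{yaml,yml}` in the second hunk breaks the backup verification whenever only one of the two extensions is present: brace expansion produces two separate globs, and an unmatched glob is handed to rsync as the literal pattern (unless nullglob is enabled somewhere outside the hunk), so rsync reports a link_stat failure and returns non-zero even though every rule that exists was copied. Building the file list with the same find expression the first hunk uses for the count keeps the two in step, e.g. `mapfile -t rule_files < <(find /opt/so/rules/elastalert/playbook/ -type f \( -name "*.yaml" -o -name "*.yml" \))` followed by `rsync -av --stats "${rule_files[@]}" /nsm/backup/detections-migration/elastalert/`. The added `fi` also now sits between the rsync and the `if [[ $? -eq 0 ]]` verification, so `$?` is the status of the whole `if` compound rather than of rsync; that status is 0 when no active rules were found, and that path then appears to take the success branch, so capturing `rsync_rc=$?` on the rsync line and testing `rsync_rc` keeps the check tied to the copy. playbook_migration() starts and ends outside both hunks.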
@@ -660,6 +660,11 @@ suricata_idstools_migration() {
         fail "Error: rsync failed to copy the files. Thresholds have not been backed up."
     fi
+    #Backup local rules
+    mkdir -p /nsm/backup/detections-migration/suricata/local-rules
+    rsync -av /opt/so/rules/nids/suri/local.rules /nsm/backup/detections-migration/suricata/local-rules
+    rsync -av /opt/so/saltstack/local/salt/idstools/rules/local.rules /nsm/backup/detections-migration/suricata/local-rules
+
     #Tell SOC to migrate
     mkdir -p /opt/so/conf/soc/migrations
     echo "0" > /opt/so/conf/soc/migrations/suricata-migration-2.4.70

From 2a2b86ebe62b2690b4c2b0e51d0124f60c976b24 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Tue, 28 May 2024 09:43:45 -0400
Subject: [PATCH 3/3] Dont overwrite

---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 9b61f3c8c..7d94fcf55 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -663,7 +663,7 @@ suricata_idstools_migration() {
     #Backup local rules
     mkdir -p /nsm/backup/detections-migration/suricata/local-rules
     rsync -av /opt/so/rules/nids/suri/local.rules /nsm/backup/detections-migration/suricata/local-rules
-    rsync -av /opt/so/saltstack/local/salt/idstools/rules/local.rules /nsm/backup/detections-migration/suricata/local-rules
+    rsync -av /opt/so/saltstack/local/salt/idstools/rules/local.rules /nsm/backup/detections-migration/suricata/local-rules/local.rules.bak
     #Tell SOC to migrate
     mkdir -p /opt/so/conf/soc/migrations
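Review bot: Neither rsync in the new local-rules block checks its exit status, while the thresholds copy just above it is guarded by the visible `fail "Error: rsync failed to copy the files. Thresholds have not been backed up."` branch; a missing or unreadable local.rules (the saltstack copy lives under a site-local path and may well be absent on some installs) makes rsync return non-zero, and the script still goes on to write the `suricata-migration-2.4.70` marker that tells SOC the migration can proceed. Guard each copy the same way as the thresholds copy, `rsync -av /opt/so/rules/nids/suri/local.rules /nsm/backup/detections-migration/suricata/local-rules || fail "Error: rsync failed to back up local.rules."`, and test the optional saltstack source with `[[ -f … ]]` first so its absence is skipped rather than reported as a failed backup. The renamed copy to `local.rules.bak` in the PATCH 3/3 hunk carries the same unchecked status. suricata_idstools_migration() starts and ends outside both hunks.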