From c6baa4be1baad88a7301e7c08d8c960d865afca0 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 26 Feb 2024 16:19:32 -0500
Subject: [PATCH] Airgap Support - Detections module

---
 salt/manager/tools/sbin/soup | 10 ++++++----
 salt/soc/enabled.sls | 2 +-
 salt/soc/merged.map.jinja | 6 ++++++
 setup/so-setup | 6 ++----
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 90ec636ef..655e99f6c 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -603,6 +603,10 @@ update_airgap_rules() {
 if [ -d /nsm/repo/rules/sigma ]; then
 rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
 fi
+
+ # SOC Detections Airgap
+ rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
+ rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
 }
 
 update_airgap_repo() {
@@ -931,10 +935,8 @@ main() {
 preupgrade_changes
 echo ""
 
- if [[ $is_airgap -eq 0 ]]; then
- echo "Updating Rule Files to the Latest."
- update_airgap_rules
- fi
+ echo "Updating Airgap Rule Files to the Latest."
+ update_airgap_rules
 
 # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
 if [[ ! "$MINIONID" =~ "_import" ]]; then
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index 7c04da825..93ca07ac8 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -22,7 +22,7 @@ so-soc:
 - sobridge:
 - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
 - binds:
- - /nsm/rules:/nsm/rules:rw #Need to tighten this up?
+ - /nsm/rules:/nsm/rules:rw
 - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
 - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
 - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index 65091158e..bc7c5cada 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
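Review bot: The two new rsync lines in update_airgap_rules run unconditionally, unlike the sigma copy just above them that is wrapped in `if [ -d ... ]`, and the second hunk in this file (main) now calls update_airgap_rules on every system instead of only when `$is_airgap -eq 0`. On an install where `$UPDATE_DIR/agrules/detect-sigma` or `detect-yara` does not exist the unquoted glob stays literal and rsync reports a missing source, which is at best noise in the soup log and at worst aborts the upgrade if the script runs under errexit (not visible here). Guarding each copy the same way as the sigma block keeps the function consistent: `if [ -d "$UPDATE_DIR/agrules/detect-sigma" ]; then rsync -av "$UPDATE_DIR"/agrules/detect-sigma/* /nsm/rules/detect-sigma/; fi`, and likewise for detect-yara. Since main() now prints "Updating Airgap Rule Files to the Latest." on non-airgap systems as well, a one-line comment there explaining why this runs for every install type would save the next reader from re-adding the guard. The body of main() continues outside the hunk.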
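Review bot: Dropping the `#Need to tighten this up?` comment on the `/nsm/rules:/nsm/rules:rw` bind leaves the whole rules tree writable by the so-soc container with no record of why, while this same commit adds more content under it (the detect-sigma and detect-yara directories from the soup hunk). If SOC only needs the detections subdirectories, narrower binds such as `- /nsm/rules/detect-sigma:/nsm/rules/detect-sigma:rw` and `- /nsm/rules/detect-yara:/nsm/rules/detect-yara:rw` would limit what the container can modify on the host; if the full tree really is required, keep a comment that says so, e.g. `# full tree rw: SOC Detections writes detect-sigma/ and detect-yara/ here`. The so-soc container definition continues outside the hunk.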
@@ -34,6 +34,12 @@
 {% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}
 
+{# if system is Airgap, don't autoupdate Yara & Sigma rules #}
+{% if pillar.global.airgap %}
+ {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
+ {% do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
+{% endif %}
+
 {% set standard_actions = SOCMERGED.config.pop('actions') %}
 
 {% if pillar.global.endgamehost != '' %}
diff --git a/setup/so-setup b/setup/so-setup
index ca1581ef9..e2de39f50 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -687,10 +687,8 @@ if ! [[ -f $install_opt_file ]]; then
 logCmd "so-minion -o=setup"
 
 title "Creating Global SLS"
 
- if [[ $is_airgap ]]; then
- # Airgap Rules
- airgap_rules
- fi
+ # Airgap Rules
+ airgap_rules
 
 manager_pillar
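Review bot: `{% if pillar.global.airgap %}` assumes both that the key is present and that it holds a real boolean; if the pillar value were ever written as a string such as `'False'`, Jinja treats it as true and auto-update would be switched off on a connected system, and if `elastalertengine` or `strelkaengine` is absent from the merged config the `.update(...)` call on an undefined value fails at render time. Using the Salt lookup with a default, `{% if salt['pillar.get']('global:airgap', False) %}`, covers the absent-key case; whether the value can be a string depends on how the pillar is generated, which is not visible here. The comment says "Yara & Sigma rules" while the keys are module names, so naming the mapping in the comment, e.g. `{# airgap: disable rule auto-update for the elastalert (Sigma) and strelka (Yara) engines #}`, would make the intent verifiable.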
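Review bot: Removing `if [[ $is_airgap ]]` makes airgap_rules run for every install type, yet the surviving `# Airgap Rules` comment still reads as if it were airgap-only. If airgap_rules itself assumes the offline rule bundle is present, the guard it lost here needs to move inside that function; its definition is outside the hunk, so that cannot be checked from this diff. Note also that this script tested `$is_airgap` for non-emptiness while the soup hunk tested `-eq 0`, so the two call sites previously did not agree on the flag's meaning and the removal at least makes them behave alike. Suggest replacing the comment with one stating the new intent once confirmed, e.g. `# Stage bundled rule files for the Detections module; runs on every install type`.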