diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 522684e07..69093dee7 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -7,6 +7,7 @@ firewall: multiline: True regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regexFailureMessage: You must enter a valid IP address or CIDR. + duplicates: True anywhere: &hostgroupsettingsadv description: List of IP or CIDR blocks to allow access to this hostgroup. forcedType: "[]string" @@ -15,6 +16,7 @@ firewall: advanced: True regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regexFailureMessage: You must enter a valid IP address or CIDR. + duplicates: True beats_endpoint: *hostgroupsettings beats_endpoint_ssl: *hostgroupsettings dockernet: &ROhostgroupsettingsadv @@ -53,6 +55,7 @@ firewall: multiline: True regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regexFailureMessage: You must enter a valid IP address or CIDR. + duplicates: True customhostgroup1: *customhostgroupsettings customhostgroup2: *customhostgroupsettings customhostgroup3: *customhostgroupsettings @@ -70,12 +73,14 @@ firewall: helpLink: firewall.html advanced: True multiline: True + duplicates: True udp: &udpsettings description: List of UDP ports for this port group. forcedType: "[]string" helpLink: firewall.html advanced: True multiline: True + duplicates: True agrules: tcp: *tcpsettings udp: *udpsettings @@ -187,6 +192,7 @@ firewall: multiline: True forcedType: "[]string" helpLink: firewall.html + duplicates: True sensor: portgroups: *portgroupsdocker searchnode: @@ -240,6 +246,7 @@ firewall: multiline: True forcedType: "[]string" helpLink: firewall.html + duplicates: True dockernet: portgroups: *portgroupshost localhost: diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml index 3172ff7c5..cc81d3103 100644 --- a/salt/logstash/soc_logstash.yaml +++ b/salt/logstash/soc_logstash.yaml 
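Review bot: The hostgroup regex that every `*hostgroupsettings` / `*customhostgroupsettings` alias now carries alongside the added `duplicates: True`, `^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$`, still accepts octets above 255 (`999.1.1.1`) and an empty entry, while the same commit validates Suricata address groups with an octet-bounded pattern. These lists feed the host firewall allow rules, so a malformed entry presumably surfaces only when the rule set is applied rather than in the UI. Consider the bounded form here too: `regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$`, keeping the outer `(...)?` wrapper only if an empty value is deliberately allowed. The anchored mappings' headers sit above the first hunk, so which hostgroup the first `&` anchor belongs to is not visible here.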
@@ -10,6 +10,7 @@ logstash: helpLink: logstash.html multiline: True forcedType: "[]string" + duplicates: True receiver: *assigned_pipelines heavynode: *assigned_pipelines searchnode: *assigned_pipelines @@ -23,6 +24,7 @@ logstash: helpLink: logstash.html multiline: True forcedType: "[]string" + duplicates: True fleet: *defined_pipelines manager: *defined_pipelines search: *defined_pipelines @@ -38,6 +40,7 @@ logstash: multiline: True forcedType: string helpLink: logstash.html + duplicates: True custom002: *pipeline_config custom003: *pipeline_config custom004: *pipeline_config diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index a1847167c..78c28f9e4 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -148,84 +148,40 @@ suricata: helpLink: suricata.html vars: address-groups: - HOME_NET: - description: List of hosts or networks. + HOME_NET: &suriaddressgroup + description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$ regexFailureMessage: You must enter a valid IP address or CIDR. helpLink: suricata.html - EXTERNAL_NET: - description: List of hosts or networks. - helpLink: suricata.html - HTTP_SERVERS: - description: List of hosts or networks. - helpLink: suricata.html - SMTP_SERVERS: - description: List of hosts or networks. - helpLink: suricata.html - SQL_SERVERS: - description: List of hosts or networks. 
- helpLink: suricata.html - DNS_SERVERS: - description: List of hosts or networks. - helpLink: suricata.html - TELNET_SERVERS: - description: List of hosts or networks. - helpLink: suricata.html - AIM_SERVERS: - description: List of hosts or networks. - helpLink: suricata.html - DC_SERVERS: - description: List of hosts or networks. - helpLink: suricata.html - DNP3_SERVER: - description: List of hosts or networks. - helpLink: suricata.html - DNP3_CLIENT: - description: List of hosts or networks. - helpLink: suricata.html - MODBUS_CLIENT: - description: List of hosts or networks. - helpLink: suricata.html - MODBUS_SERVER: - description: List of hosts or networks. - helpLink: suricata.html - ENIP_CLIENT: - description: List of hosts or networks. - helpLink: suricata.html - ENIP_SERVER: - description: List of hosts or networks. - helpLink: suricata.html + duplicates: True + EXTERNAL_NET: *suriaddressgroup + HTTP_SERVERS: *suriaddressgroup + SMTP_SERVERS: *suriaddressgroup + SQL_SERVERS: *suriaddressgroup + DNS_SERVERS: *suriaddressgroup + TELNET_SERVERS: *suriaddressgroup + AIM_SERVERS: *suriaddressgroup + DC_SERVERS: *suriaddressgroup + DNP3_SERVER: *suriaddressgroup + DNP3_CLIENT: *suriaddressgroup + MODBUS_CLIENT: *suriaddressgroup + MODBUS_SERVER: *suriaddressgroup + ENIP_CLIENT: *suriaddressgroup + ENIP_SERVER: *suriaddressgroup port-groups: - HTTP_PORTS: - description: List of ports to look for HTTP traffic on. - helpLink: suricata.html - SHELLCODE_PORTS: - description: List of ports to look for SHELLCODE traffic on. - helpLink: suricata.html - ORACLE_PORTS: - description: List of ports to look for ORACLE traffic on. - helpLink: suricata.html - SSH_PORTS: - description: List of ports to look for SSH traffic on. - helpLink: suricata.html - DNP3_PORTS: - description: List of ports to look for DNP3 traffic on. - helpLink: suricata.html - MODBUS_PORTS: - description: List of ports to look for MODBUS traffic on. 
- helpLink: suricata.html - FILE_DATA_PORTS: - description: List of ports to look for FILE_DATA traffic on. - helpLink: suricata.html - FTP_PORTS: - description: List of ports to look for FTP traffic on. - helpLink: suricata.html - VXLAN_PORTS: - description: List of ports to look for VXLAN traffic on. - helpLink: suricata.html - TEREDO_PORTS: - description: List of ports to look for TEREDO traffic on. + HTTP_PORTS: &suriportgroup + description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. helpLink: suricata.html + duplicates: True + SHELLCODE_PORTS: *suriportgroup + ORACLE_PORTS: *suriportgroup + SSH_PORTS: *suriportgroup + DNP3_PORTS: *suriportgroup + MODBUS_PORTS: *suriportgroup + FILE_DATA_PORTS: *suriportgroup + FTP_PORTS: *suriportgroup + VXLAN_PORTS: *suriportgroup + TEREDO_PORTS: *suriportgroup outputs: eve-log: types: diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index bd5d88116..1594eed58 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -60,6 +60,7 @@ zeek: file: True global: True advanced: True + duplicates: True file_extraction: description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"} helpLink: zeek.html
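Review bot: Aliasing every address group to `&suriaddressgroup` gives EXTERNAL_NET, HTTP_SERVERS, SMTP_SERVERS and the rest the HOME_NET regex, whose two branches accept only a bare IPv4/IPv6 address or CIDR, so the usual Suricata values for those variables (`!$HOME_NET`, `$HOME_NET`, `any`, or a negated network such as `!10.0.0.0/8`) now fail with "You must enter a valid IP address or CIDR." Before this change those groups had no regex at all. If the shipped defaults use variable references as upstream Suricata does, editing any of them in the UI presumably becomes impossible until the reference is replaced by literal networks. Either keep EXTERNAL_NET and the `$HOME_NET`-defaulted groups as explicit entries without the regex, or widen the pattern with a leading alternative such as `^(any|!?\$[A-Za-z0-9_]+)$|` plus an optional `!?` in front of the two address branches, and say in the description that variable references and negation are accepted.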