Merge pull request #13205 from Security-Onion-Solutions/2.4/customsuricatasources

Initial support for custom suricata urls and local rulesets

salt/idstools/config.sls

@@ -33,6 +33,19 @@ idstools_sbin_jinja:
     - file_mode: 755
     - template: jinja
 
+suricatacustomdirsfile:
+  file.directory:
+    - name: /nsm/rules/detect-suricata/custom_file
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+suricatacustomdirsurl:
+  file.directory:
+    - name: /nsm/rules/detect-suricata/custom_temp
+    - user: 939
+    - group: 939
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/idstools/etc/rulecat.conf

@@ -1,6 +1,8 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS -%}
-{%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
+{%- from 'soc/merged.map.jinja' import SOCMERGED -%}
+--suricata-version=6.0
 --merged=/opt/so/rules/nids/suri/all.rules
+--output=/nsm/rules/detect-suricata/custom_temp
 --local=/opt/so/rules/nids/suri/local.rules
 {%-   if GLOBALS.md_engine == "SURICATA" %}
 --local=/opt/so/rules/nids/suri/extraction.rules
@@ -10,8 +12,12 @@
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- if IDSTOOLSMERGED.config.urls | length > 0 %}
-{%-   for URL in IDSTOOLSMERGED.config.urls %}
---url={{ URL }}
-{%-   endfor %}
-{%- endif %}
+{%- if SOCMERGED.config.server.modules.suricataengine.customRulesets %}
+    {%- for ruleset in SOCMERGED.config.server.modules.suricataengine.customRulesets %}
+        {%- if 'url' in ruleset %}
+--url={{ ruleset.url }}
+        {%- elif 'file' in ruleset %}
+--local={{ ruleset.file }}
+        {%- endif %}
+    {%- endfor %}
+{%- endif %}

salt/idstools/tools/sbin_jinja/so-rule-update

@@ -26,8 +26,6 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
     docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
 {%-   elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
     docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
-{%-   elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
-    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
 {%-   endif %}
 {%- endif %}
 

salt/soc/defaults.yaml

@@ -1399,6 +1399,7 @@ soc:
           autoUpdateEnabled: true
           communityRulesImportFrequencySeconds: 86400
           communityRulesImportErrorSeconds: 300
+          customRulesets:
           failAfterConsecutiveErrorCount: 10
           communityRulesFile: /nsm/rules/suricata/emerging-all.rules
           denyRegex: ''

salt/soc/soc_soc.yaml

@@ -247,6 +247,12 @@ soc:
             description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
             global: True
             advanced: True
+          customRulesets:
+            description: 'URLs and/or Local File configurations for Suricata custom rulesets. Refer to the linked documentation for important specification and file placement information'
+            global: True
+            advanced: True
+            forcedType: "[]{}"
+            helpLink: suricata.html
       client:
         enableReverseLookup:
           description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.