diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls index e162d1139..6d4b1036e 100644 --- a/salt/idstools/config.sls +++ b/salt/idstools/config.sls @@ -33,6 +33,19 @@ idstools_sbin_jinja: - file_mode: 755 - template: jinja +suricatacustomdirsfile: + file.directory: + - name: /nsm/rules/detect-suricata/custom_file + - user: 939 + - group: 939 + - makedirs: True + +suricatacustomdirsurl: + file.directory: + - name: /nsm/rules/detect-suricata/custom_temp + - user: 939 + - group: 939 + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index f7c784413..db78cec29 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -1,6 +1,8 @@ {%- from 'vars/globals.map.jinja' import GLOBALS -%} -{%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%} +{%- from 'soc/merged.map.jinja' import SOCMERGED -%} +--suricata-version=6.0 --merged=/opt/so/rules/nids/suri/all.rules +--output=/nsm/rules/detect-suricata/custom_temp --local=/opt/so/rules/nids/suri/local.rules {%- if GLOBALS.md_engine == "SURICATA" %} --local=/opt/so/rules/nids/suri/extraction.rules @@ -10,8 +12,12 @@ --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf -{%- if IDSTOOLSMERGED.config.urls | length > 0 %} -{%- for URL in IDSTOOLSMERGED.config.urls %} ---url={{ URL }} -{%- endfor %} -{%- endif %} +{%- if SOCMERGED.config.server.modules.suricataengine.customRulesets %} + {%- for ruleset in SOCMERGED.config.server.modules.suricataengine.customRulesets %} + {%- if 'url' in ruleset %} +--url={{ ruleset.url }} + {%- elif 'file' in ruleset %} +--local={{ ruleset.file }} + {%- endif %} + {%- endfor %} +{%- endif %} \ No newline at end of file diff --git a/salt/idstools/tools/sbin_jinja/so-rule-update b/salt/idstools/tools/sbin_jinja/so-rule-update index db110abc1..da4c272dd 100755 --- a/salt/idstools/tools/sbin_jinja/so-rule-update 
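Review bot: The two new `file.directory` states set `user`/`group` 939 but no `dir_mode`, so the permissions of `/nsm/rules/detect-suricata/custom_temp` (the `--output` target that `idstools-rulecat` writes fetched rulesets into, per the rulecat.conf hunk) and `custom_file` (presumably where operators drop local rule files) fall back to the umask, even though whatever lands there is loaded as live detection content; add `- dir_mode: 750` (or whatever the sibling `/nsm/rules` states use) so other local accounts cannot add or alter rule files. `suricatacustomdirsurl` also omits the `makedirs: True` its sibling has, so it only works because `suricatacustomdirsfile` is ordered first and creates the parent; either add `- makedirs: True` too or make the dependency explicit with `- require:` / `- file: suricatacustomdirsfile`. The `{% if %}`/`{% else %}` block these states sit in begins before the hunk.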
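Review bot: The `customRulesets` loop copies `ruleset.url` and `ruleset.file` into rulecat.conf verbatim, so `--local={{ ruleset.file }}` points idstools at any path the container can read and `--url={{ ruleset.url }}` accepts plain `http://` sources whose contents become live Suricata rules; since the companion state creates `/nsm/rules/detect-suricata/custom_file` for exactly this, constrain the file case to that directory, e.g. `{%- elif 'file' in ruleset and ruleset.file.startswith('/nsm/rules/detect-suricata/custom_file/') %}`, and consider rejecting (or at minimum documenting) non-HTTPS URLs. An entry carrying both keys silently takes `url` and drops `file`, and an entry with a present-but-empty `url` emits a bare `--url=`, so a short contract comment above the loop would help: `{# each customRulesets entry has exactly one of url (fetched by rulecat) or file (local rules path) #}`. The `--merged`/`--output` options this loop feeds are in the preceding hunk.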
+++ b/salt/idstools/tools/sbin_jinja/so-rule-update @@ -26,8 +26,6 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %} docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }} -{%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %} - docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }} {%- endif %} {%- endif %} diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index f0d028fdb..d1d89d812 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1399,6 +1399,7 @@ soc: autoUpdateEnabled: true communityRulesImportFrequencySeconds: 86400 communityRulesImportErrorSeconds: 300 + customRulesets: failAfterConsecutiveErrorCount: 10 communityRulesFile: /nsm/rules/suricata/emerging-all.rules denyRegex: '' diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 47d051e4e..4975b75f0 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -247,6 +247,12 @@ soc: description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.' global: True advanced: True + customRulesets: + description: 'URLs and/or Local File configurations for Suricata custom rulesets. Refer to the linked documentation for important specification and file placement information' + global: True + advanced: True + forcedType: "[]{}" + helpLink: suricata.html client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
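Review bot: `customRulesets:` is added as a bare key, which YAML parses as `null` rather than an empty list, while the matching `soc_soc.yaml` entry declares `forcedType: "[]{}"` and `rulecat.conf` iterates the value as a list; write the default explicitly as `customRulesets: []` so every consumer sees the same type when nothing is configured. The Jinja `{%- if ... customRulesets %}` guard treats `null` and `[]` the same, so today this is a consistency issue rather than a runtime failure, but a merge that expects a list will behave differently on `null`. The enclosing `suricataengine` mapping starts before the hunk.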
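Review bot: The new `customRulesets` description defers entirely to the linked documentation and never states the shape `rulecat.conf` actually consumes — a list of entries each carrying either a `url` key or a `file` key — nor that URL sources are fetched by `idstools-rulecat` and loaded as live detection rules, which is the property an operator most needs to weigh before adding one. Suggest `description: 'List of custom Suricata rulesets. Each entry has either url (fetched by idstools-rulecat and loaded as live rules; use trusted HTTPS sources only) or file (path to a local rules file). Refer to the linked documentation for file placement requirements.'`, which also gives the sentence the terminal period the neighbouring descriptions use. The `suricataengine` option block this sits in starts before the hunk.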