From 484717d57d0522da6e9f1bd6f5ab62ab7fa0a492 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 08:42:10 -0400
Subject: [PATCH 1/7] initial support for custom suricata urls and local rulesets

---
 salt/idstools/config.sls | 14 ++++++++++++++
 salt/idstools/etc/rulecat.conf | 16 +++++++++++-----
 salt/soc/soc_soc.yaml | 7 +++++++
 3 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls
index e162d1139..4688442ba 100644
--- a/salt/idstools/config.sls
+++ b/salt/idstools/config.sls
@@ -33,6 +33,20 @@ idstools_sbin_jinja:
 - file_mode: 755
 - template: jinja

+suricatacustomdirsfile:
+ file.directory:
+ - name: /nsm/rules/detect-suricata/custom_file
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+suricatacustomdirsurl:
+ file.directory:
+ - name: /nsm/rules/detect-suricata/custom_urls
+ - user: 939
+ - group: 939
+ - makedirs: True
+
 {% else %}

 {{sls}}_state_not_allowed:
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index f7c784413..74434afd2 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,5 +1,7 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS -%}
+{%- from 'soc/merged.map.jinja' import SOCMERGED -%}
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
+--temp-dir=/nsm/rules/detect-suricata/custom_urls
 --merged=/opt/so/rules/nids/suri/all.rules
 --local=/opt/so/rules/nids/suri/local.rules
 {%- if GLOBALS.md_engine == "SURICATA" %}
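Review bot: Neither `suricatacustomdirsfile` nor `suricatacustomdirsurl` sets a mode, so the two new directories get whatever the minion's umask produces at creation time; custom_file is where operators are told to drop local rule files that rulecat later merges into all.rules, so who may write there should be pinned explicitly, e.g. `- dir_mode: 750` (or whatever the other rule directories in this state use). `user: 939` / `group: 939` with no comment also hides which account that uid is; a one-line comment naming it would spare the next reader a lookup. The `{% else %}` the hunk ends in belongs to a conditional opened before the hunk.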
@@ -10,8 +12,12 @@
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- if IDSTOOLSMERGED.config.urls | length > 0 %}
-{%- for URL in IDSTOOLSMERGED.config.urls %}
---url={{ URL }}
-{%- endfor %}
-{%- endif %}
+{%- if SOCMERGED.config.server.modules.suricataengine.customRulesets %}
+ {%- for ruleset in SOCMERGED.config.server.modules.suricataengine.customRulesets %}
+ {%- if 'url' in ruleset %}
+--url={{ ruleset.url }}
+ {%- elif 'file' in ruleset %}
+--local={{ ruleset.file }}
+ {%- endif %}
+ {%- endfor %}
+{%- endif %}
\ No newline at end of file
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 47d051e4e..b63094927 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
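Review bot: `--local={{ ruleset.file }}` is rendered from whatever path the `file` key holds; the template only tests that the key exists, so nothing here confines it to /nsm/rules/detect-suricata/custom_file, the directory the new setting's description points operators to, and an entry naming any other file readable inside the idstools container is merged into all.rules without complaint. Unless the SOC server validates entries before they reach SOCMERGED (not visible in this series), a prefix check in the template such as `{%- elif 'file' in ruleset and ruleset.file.startswith('/nsm/rules/detect-suricata/custom_file/') %}` keeps the rendered config to the intended directory. Both `ruleset.url` and `ruleset.file` are also emitted verbatim into a one-option-per-line file, so wherever that validation lives it should reject values containing line breaks and require an `https://` scheme for the URL. An entry with neither key is skipped silently, which deserves a Jinja comment next to the inner `{%- endif %}` so the behaviour is documented rather than discovered.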
@@ -247,6 +247,13 @@ soc:
 description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
 global: True
 advanced: True
+ customRulesets:
+ description: 'Custom URLs or local files to sync Suricata rules from. Format is: {"community":true,"ruleset":"snort-community","license":"GPLv2","path":"https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"}. All fields are required. Replace the URL in path with a full file path for local rules, which must be put under: /nsm/rules/detect-suricata/custom_file. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated, and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections --> Options dropdown menu --> Suricata --> Full Update.'
+ global: True
+ multiline: True
+ advanced: True
+ forcedType: '[]{}'
+ helpLink: suricata.html
 client:
 enableReverseLookup:
 description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
From c1abc7a7f18d78a7892551d90417267d6e248c76 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 08:51:34 -0400
Subject: [PATCH 2/7] Update description

---
 salt/soc/soc_soc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index b63094927..e11c5ad73 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -248,7 +248,7 @@ soc:
 global: True
 advanced: True
 customRulesets:
- description: 'Custom URLs or local files to sync Suricata rules from. Format is: {"community":true,"ruleset":"snort-community","license":"GPLv2","path":"https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"}. All fields are required. Replace the URL in path with a full file path for local rules, which must be put under: /nsm/rules/detect-suricata/custom_file. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated, and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections --> Options dropdown menu --> Suricata --> Full Update.'
+ description: 'Custom URLs or local files to sync Suricata rules from. Format is: {"community":true,"license":"GPLv2","ruleset":"snort-community","url":"https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"}. All fields are required. Replace the url parameter with "file" and the path for local rules, which must be put under: /nsm/rules/detect-suricata/custom_file. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated, and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections --> Options dropdown menu --> Suricata --> Full Update.'
 global: True
 multiline: True
 advanced: True
From 68302e14b9f0286fdc873ddb7b18c0dbd3ae58e3 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 09:28:23 -0400
Subject: [PATCH 3/7] add to defaults and tweaks

---
 salt/idstools/config.sls | 1 -
 salt/soc/defaults.yaml | 1 +
 salt/soc/soc_soc.yaml | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls
index 4688442ba..2a45cf526 100644
--- a/salt/idstools/config.sls
+++ b/salt/idstools/config.sls
@@ -45,7 +45,6 @@ suricatacustomdirsurl:
 - name: /nsm/rules/detect-suricata/custom_urls
 - user: 939
 - group: 939
- - makedirs: True

 {% else %}

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index f0d028fdb..ca9d2c6a1 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1399,6 +1399,7 @@ soc:
 autoUpdateEnabled: true
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
+ customRulesets: ''
 failAfterConsecutiveErrorCount: 10
 communityRulesFile: /nsm/rules/suricata/emerging-all.rules
 denyRegex: ''
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index e11c5ad73..e60a94485 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
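Review bot: Dropping `- makedirs: True` from `suricatacustomdirsurl` makes that state depend on `suricatacustomdirsfile` (which keeps makedirs) having already created /nsm/rules/detect-suricata; that only holds because Salt runs states in definition order by default, so an explicit `- require:` followed by `  - file: suricatacustomdirsfile` records the dependency and keeps it intact if the file is ever reordered. The `{% else %}` in the hunk's trailing context belongs to a conditional opened before the hunk.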
@@ -248,7 +248,7 @@ soc:
 global: True
 advanced: True
 customRulesets:
- description: 'Custom URLs or local files to sync Suricata rules from. Format is: {"community":true,"license":"GPLv2","ruleset":"snort-community","url":"https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"}. All fields are required. Replace the url parameter with "file" and the path for local rules, which must be put under: /nsm/rules/detect-suricata/custom_file. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated, and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections --> Options dropdown menu --> Suricata --> Full Update.'
+ description: 'URLs and/or Local File configurations for Suricata custom rulesets. Refer to the linked documentation for important specification and file placement information'
 global: True
 multiline: True
 advanced: True
From 4bcb4b5b9c97646d8eda1792de88530c35874d97 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 09:32:34 -0400
Subject: [PATCH 4/7] removed unneeded import

---
 salt/idstools/etc/rulecat.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 74434afd2..32b18e0c0 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,6 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS -%}
 {%- from 'soc/merged.map.jinja' import SOCMERGED -%}
-{%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
 --temp-dir=/nsm/rules/detect-suricata/custom_urls
 --merged=/opt/so/rules/nids/suri/all.rules
 --local=/opt/so/rules/nids/suri/local.rules
From 8363877c6646c218320d45a5e5c6115552db3f3f Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 12:41:44 -0400
Subject: [PATCH 5/7] move to custom rules

---
 salt/idstools/config.sls | 2 +-
 salt/idstools/etc/rulecat.conf | 3 ++-
 salt/idstools/tools/sbin_jinja/so-rule-update | 2 --
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls
index 2a45cf526..6d4b1036e 100644
--- a/salt/idstools/config.sls
+++ b/salt/idstools/config.sls
@@ -42,7 +42,7 @@ suricatacustomdirsfile:

 suricatacustomdirsurl:
 file.directory:
- - name: /nsm/rules/detect-suricata/custom_urls
+ - name: /nsm/rules/detect-suricata/custom_temp
 - user: 939
 - group: 939

diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 32b18e0c0..db78cec29 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,7 +1,8 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS -%}
 {%- from 'soc/merged.map.jinja' import SOCMERGED -%}
---temp-dir=/nsm/rules/detect-suricata/custom_urls
+--suricata-version=6.0
 --merged=/opt/so/rules/nids/suri/all.rules
+--output=/nsm/rules/detect-suricata/custom_temp
 --local=/opt/so/rules/nids/suri/local.rules
 {%- if GLOBALS.md_engine == "SURICATA" %}
 --local=/opt/so/rules/nids/suri/extraction.rules
diff --git a/salt/idstools/tools/sbin_jinja/so-rule-update b/salt/idstools/tools/sbin_jinja/so-rule-update
index db110abc1..da4c272dd 100755
--- a/salt/idstools/tools/sbin_jinja/so-rule-update
+++ b/salt/idstools/tools/sbin_jinja/so-rule-update
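Review bot: `--suricata-version=6.0` is now hard-coded in rulecat.conf while the so-rule-update hunk in this same patch keeps its own `--suricata-version 6.0` on every docker exec line, so a Suricata upgrade has to be tracked in two templates that can silently diverge; sourcing both from one pillar value, or at least a comment in each pointing at the other, would keep them aligned. `--output=/nsm/rules/detect-suricata/custom_temp` matches the directory renamed in config.sls above, but the state ID `suricatacustomdirsurl` there no longer describes what it creates; renaming it to match is cheap now and confusing later. The `{%- if GLOBALS.md_engine == "SURICATA" %}` block containing the hunk's last context line closes outside the hunk.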
@@ -26,8 +26,6 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %} docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }} -{%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %} - docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }} {%- endif %} {%- endif %}
From b7ac599a42b07df018be658814913b5fe42de710 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 13:21:36 -0400
Subject: [PATCH 6/7] set to empty

---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index ca9d2c6a1..d1d89d812 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1399,7 +1399,7 @@ soc:
 autoUpdateEnabled: true
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
- customRulesets: ''
+ customRulesets:
 failAfterConsecutiveErrorCount: 10
 communityRulesFile: /nsm/rules/suricata/emerging-all.rules
 denyRegex: ''
From c89f1c9d952cff11c9b63bc4dc7b93d2064faf6a Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Fri, 14 Jun 2024 13:48:55 -0400
Subject: [PATCH 7/7] remove multiline

---
 salt/soc/soc_soc.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index e60a94485..4975b75f0 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
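Review bot: `customRulesets:` with no value parses as null, not as an empty list, while soc_soc.yaml declares `forcedType: '[]{}'` for the same key; the rulecat.conf template's `{%- if ... customRulesets %}` guard tolerates null, but any consumer that iterates the default without such a guard receives null where a list is expected. `customRulesets: []` states the intended type explicitly and is just as falsy for the guard. The `''` default this patch replaces had the same mismatch with the declared type.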
@@ -250,9 +250,8 @@ soc:
 customRulesets:
 description: 'URLs and/or Local File configurations for Suricata custom rulesets. Refer to the linked documentation for important specification and file placement information'
 global: True
- multiline: True
 advanced: True
- forcedType: '[]{}'
+ forcedType: "[]{}"
 helpLink: suricata.html
 client:
 enableReverseLookup: