Merge pull request #13205 from Security-Onion-Solutions/2.4/customsuricatasources

Initial support for custom suricata urls and local rulesets
2025-12-10 19:22:54 +01:00 · 2024-06-14 13:50:06 -04:00
parent b91c608fcf c89f1c9d95
commit af11879545
5 changed files with 32 additions and 8 deletions
--- a/salt/idstools/config.sls
+++ b/salt/idstools/config.sls
@@ -33,6 +33,19 @@ idstools_sbin_jinja:
    - file_mode: 755
    - template: jinja
 suricatacustomdirsfile:
  file.directory:
    - name: /nsm/rules/detect-suricata/custom_file
    - user: 939
    - group: 939
    - makedirs: True
 suricatacustomdirsurl:
  file.directory:
    - name: /nsm/rules/detect-suricata/custom_temp
    - user: 939
    - group: 939
 {% else %}
 {{sls}}_state_not_allowed:
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,6 +1,8 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS -%}
-{%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
+{%- from 'soc/merged.map.jinja' import SOCMERGED -%}
 --suricata-version=6.0
 --merged=/opt/so/rules/nids/suri/all.rules
 --output=/nsm/rules/detect-suricata/custom_temp
 --local=/opt/so/rules/nids/suri/local.rules
 {%-   if GLOBALS.md_engine == "SURICATA" %}
 --local=/opt/so/rules/nids/suri/extraction.rules
@@ -10,8 +12,12 @@
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- if IDSTOOLSMERGED.config.urls | length > 0 %}
+{%- if SOCMERGED.config.server.modules.suricataengine.customRulesets %}
-{%-   for URL in IDSTOOLSMERGED.config.urls %}
+    {%- for ruleset in SOCMERGED.config.server.modules.suricataengine.customRulesets %}
--url={{ URL }}
+        {%- if 'url' in ruleset %}
-{%-   endfor %}
+--url={{ ruleset.url }}
-{%- endif %}
+        {%- elif 'file' in ruleset %}
 --local={{ ruleset.file }}
        {%- endif %}
    {%- endfor %}
 {%- endif %}
--- a/salt/idstools/tools/sbin_jinja/so-rule-update
+++ b/salt/idstools/tools/sbin_jinja/so-rule-update
@@ -26,8 +26,6 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
 {%-   elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
 {%-   elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
 {%-   endif %}
 {%- endif %}
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1399,6 +1399,7 @@ soc:
          autoUpdateEnabled: true
          communityRulesImportFrequencySeconds: 86400
          communityRulesImportErrorSeconds: 300
          customRulesets:
          failAfterConsecutiveErrorCount: 10
          communityRulesFile: /nsm/rules/suricata/emerging-all.rules
          denyRegex: ''
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -247,6 +247,12 @@ soc:
            description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
            global: True
            advanced: True
          customRulesets:
            description: 'URLs and/or Local File configurations for Suricata custom rulesets. Refer to the linked documentation for important specification and file placement information'
            global: True
            advanced: True
            forcedType: "[]{}"
            helpLink: suricata.html
      client:
        enableReverseLookup:
          description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.