Merge pull request #1321 from Security-Onion-Solutions/experimental

IDS Tools now with Airgap support

pillar/firewall/ports.sls

@@ -26,6 +26,7 @@ firewall:
         - 4200
         - 5601
         - 6379
+        - 7788
         - 8086
         - 8090
         - 9001

salt/common/tools/sbin/soup

@@ -123,7 +123,19 @@ pillar_changes() {
     
     # Move baseurl in global.sls
     if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
-      # Move the static file to global.sls
+    rc1_to_rc2
+    rc2_to_rc3
+    fi
+
+    if [[ "$INSTALLEDVERSION" =~ rc.2 ]]; then
+    rc2_to_rc3
+    fi
+
+}
+
+rc1_to_rc2() {
+
+  # Move the static file to global.sls
       echo "Migrating static.sls to global.sls"
       mv -v /opt/so/saltstack/local/pillar/static.sls /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
       sed -i '1c\global:' /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
@@ -158,8 +170,16 @@ pillar_changes() {
         curl -XPUT http://localhost:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"'$NAME'": {"skip_unavailable": "true", "seeds": ["'$EHOSTNAME':9300"]}}}}}'
       done </tmp/nodes.txt
 
+}
+
+rc2_to_rc3() {
+
+  # move location of local.rules
+  cp /opt/so/saltstack/default/salt/idstools/localrules/local.rules /opt/so/saltstack/local/salt/idstools/local.rules
+  mv /opt/so/saltstack/default/salt/idstools/localrules/local.rules /opt/so/saltstack/default/salt/idstools/localrules/local.rules.USE.THE.FILE.IN.LOCAL
+
+  # Rename ZEEKVERSION to MDENGINE
 
-    fi
 }
 
 update_dockers() {

salt/firewall/assigned_hostgroups.map.yaml

@@ -1,3 +1,4 @@
+{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'firewall/portgroups.yaml' as portgroups %}
 {% set portgroups = portgroups.firewall.aliases.ports %}
 
@@ -109,6 +110,9 @@ role:
               - {{ portgroups.elasticsearch_node }}
               - {{ portgroups.cortex_es_rest }}
               - {{ portgroups.cortex_es_node }}
+              {% if ISAIRGAP is sameas true %}
+              - {{ portgroups.agrules }}
+              {% endif %}
           minion:
             portgroups:
               - {{ portgroups.acng }}
@@ -117,7 +121,9 @@ role:
               - {{ portgroups.influxdb }}
               - {{ portgroups.wazuh_api }}
               - {{ portgroups.fleet_api }}
+              {% if ISAIRGAP is sameas true %}
               - {{ portgroups.yum }}
+              {% endif %}
           sensor:
             portgroups:
               - {{ portgroups.sensoroni }}

salt/firewall/portgroups.yaml

@@ -9,6 +9,9 @@ firewall:
       acng:
         tcp:
           - 3142
+      agrules:
+        tcp:
+          - 7788
       beats_5044:
         tcp:
           - 5044

salt/idstools/etc/rulecat.conf

@@ -1,21 +1,32 @@
 {%- set URLS = salt['pillar.get']('idstools:config:urls') -%}
 {%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
 {%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
+{%- if ISAIRGAP is sameas true -%}
+--merged=/opt/so/rules/nids/all.rules
+--local=/opt/so/rules/nids/local.rules
+--url=http://{{ MANAGERIP }}:7788/rules/emerging-all.rules
+--disable=/opt/so/idstools/etc/disable.conf
+--enable=/opt/so/idstools/etc/enable.conf
+--modify=/opt/so/idstools/etc/modify.conf
+{%- else -%}
 --suricata-version=5.0
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- if RULESET == 'ETOPEN' %}
+  {%- if RULESET == 'ETOPEN' -%}
 --etopen
-{%- elif RULESET == 'ETPRO' %}
+  {%- elif RULESET == 'ETPRO' -%}
 --etpro={{ OINKCODE }}
-{%- elif RULESET == 'TALOS' %}
+  {%- elif RULESET == 'TALOS' -%}
 --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
-{%- endif %}
+  {%- endif -%}
-{%- if URLS != None %}
+{%- endif -%}
-{%- for URL in URLS %}
+{%- if URLS != None -%}
+{%- for URL in URLS -%}
 --url={{ URL }}
-{%- endfor %}
+{%- endfor -%}
-{%- endif %}
+{%- endif -%}

salt/idstools/init.sls

@@ -60,7 +60,7 @@ rulesdir:
 synclocalnidsrules:
   file.managed:
     - name: /opt/so/rules/nids/local.rules
-    - source: salt://idstools/localrules/local.rules
+    - source: salt://idstools/local.rules
     - user: 939
     - group: 939
 

salt/idstools/localrules/local.rules

@@ -1 +0,0 @@
-# Put your own custom Snort/Suricata rules in this file! /opt/so/saltstack/local/salt/idstools/localrules/local.rules

salt/nginx/etc/nginx.conf.so-eval

@@ -67,6 +67,23 @@ http {
 			server_name _;
 			return 301 https://$host$request_uri;
 	}
+	{%- if ISAIRGAP is sameas true %}
+	server {
+		    listen 7788;
+			server_name _;
+			root /opt/socore/html/repo;
+			location /rules/ {
+                allow all;
+                sendfile on;
+                sendfile_max_chunk 1m;
+                autoindex on;
+                autoindex_exact_size off;
+                autoindex_format html;
+                autoindex_localtime on;
+			}
+	}
+	{%- endif %}
+
 
 {% if FLEET_MANAGER %}
 	server {

salt/nginx/etc/nginx.conf.so-manager

@@ -67,6 +67,22 @@ http {
 			server_name _;
 			return 301 https://$host$request_uri;
 	}
+	{%- if ISAIRGAP is sameas true %}
+	server {
+		    listen 7788;
+			server_name _;
+			root /opt/socore/html/repo;
+			location /rules/ {
+                allow all;
+                sendfile on;
+                sendfile_max_chunk 1m;
+                autoindex on;
+                autoindex_exact_size off;
+                autoindex_format html;
+                autoindex_localtime on;
+			}
+	}
+	{%- endif %}
 
 {% if FLEET_MANAGER %}
 	server {

salt/nginx/etc/nginx.conf.so-managersearch

@@ -67,6 +67,23 @@ http {
 		server_name _;
 		return 301 https://$host$request_uri;
 	}
+	{%- if ISAIRGAP is sameas true %}
+	server {
+		    listen 7788;
+			server_name _;
+			root /opt/socore/html/repo;
+			location /rules/ {
+                allow all;
+                sendfile on;
+                sendfile_max_chunk 1m;
+                autoindex on;
+                autoindex_exact_size off;
+                autoindex_format html;
+                autoindex_localtime on;
+			}
+	}
+	{%- endif %}
+
 
 {% if FLEET_MANAGER %}
 	server {

salt/nginx/etc/nginx.conf.so-standalone

@@ -66,6 +66,23 @@ http {
 			server_name _;
 			return 301 https://$host$request_uri;
 	}
+	{%- if ISAIRGAP is sameas true %}
+	server {
+		    listen 7788;
+			server_name _;
+			root /opt/socore/html/repo;
+			location /rules/ {
+                allow all;
+                sendfile on;
+                sendfile_max_chunk 1m;
+                autoindex on;
+                autoindex_exact_size off;
+                autoindex_format html;
+                autoindex_localtime on;
+			}
+	}
+	{%- endif %}
+
 
 {% if FLEET_MANAGER %}
 	server {

salt/nginx/init.sls

@@ -88,6 +88,9 @@ so-nginx:
     - port_bindings:
       - 80:80
       - 443:443
+      {% if ISAIRGAP is sameas true %}
+      - 7788:7788
+      {% endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
       - 8090:8090
     {%- endif %}

setup/so-functions

@@ -46,6 +46,12 @@ logCmd() {
 	$cmd >> "$setup_log" 2>&1
 }
 
+airgap_rules() {
+	# Copy the rules for suricata if using Airgap
+	mkdir -p /nsm/repo/rules
+	cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/
+}
+
 analyze_system() {
 	title "System Characteristics"
 	logCmd "uptime"
@@ -630,6 +636,12 @@ create_local_directories() {
 
 }
 
+create_local_nids_rules() {
+	# Create a local.rules file so it doesn't get blasted on updates
+	mkdir -p /opt/so/saltstack/local/salt/idstools
+	echo "# Custom Suricata rules go in this file" > /opt/so/saltstack/local/salt/idstools/local.rules
+}
+
 create_repo() {
 	# Create the repo for airgap
 	createrepo /nsm/repo

setup/so-setup

@@ -465,6 +465,7 @@ fi
     if [[ $is_manager && $is_airgap ]]; then
 	    info "Creating airgap repo"
 	    create_repo >> $setup_log 2>&1
+		airgap_rules >> $setup_log 2>&1
     fi
 
 	if [[ $is_minion ]]; then
@@ -575,6 +576,7 @@ fi
 		salt-call state.apply -l info manager >> $setup_log 2>&1
 
 		set_progress_str 61 "$(print_salt_state_apply 'idstools')"
+		create_local_nids_rules >> $setup_log 2>&1
 		salt-call state.apply -l info idstools >> $setup_log 2>&1
 
 		set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"