From 26c6a98b45369e522d3a396b7e92623a0a81eb6c Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Mon, 6 May 2024 08:43:01 -0400
Subject: [PATCH 1/5] Initial airgap support for detections
---
 salt/soc/soc_soc.yaml | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 4b88a5f84..a9d6bac08 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -107,7 +107,7 @@ soc:
 advanced: True
 helpLink: sigma.html
 rulesRepos:
- description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.'
+ description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
 global: True
 advanced: True
 forcedType: "[]{}"
@@ -117,8 +117,8 @@ soc:
 global: True
 advanced: False
 helpLink: sigma.html
- autoUpdateEnabled:
- description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
+ airgapEnabled:
+ description: 'This setting dynamically changes to the current status of Airgap on this system and is used during the Sigma ruleset update process.'
 global: True
 advanced: True
 helpLink: sigma.html
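Review bot: Dropping the `autoUpdateEnabled` annotation in this hunk (and for strelkaengine and suricataengine in the next two hunks) removes the operator's only documented switch for keeping the rule updaters off the Internet on a host that is not formally airgapped; after this series the airgap flag read by the map file is the only control left. This patch touches only soc_soc.yaml, so I cannot tell whether the key still exists in defaults.yaml or is still read by the engines; if it does, removing the annotation hides a live setting from the UI rather than retiring it. Either remove the key everywhere in the same commit, or keep the annotation and state in its description that airgap forces it off. The replacement `airgapEnabled` entry added here is removed again in patch 5 of this series, so it may not need to be introduced at all.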
@@ -185,31 +185,27 @@ soc:
 advanced: True
 strelkaengine:
 allowRegex:
- description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+ description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
 advanced: True
 helpLink: yara.html
- autoEnabledYaraRules:
- description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
+ autoEnabledYARARules:
+ description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
 global: True
 advanced: True
 helpLink: sigma.html
- autoUpdateEnabled:
- description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
- global: True
- advanced: True
 denyRegex:
- description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+ description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
 advanced: True
 helpLink: yara.html
 communityRulesImportFrequencySeconds:
- description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
+ description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
 global: True
 advanced: True
 helpLink: yara.html
 rulesRepos:
- description: 'Custom Git repos to pull Yara rules from. License field is required'
+ description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional.
"community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'' global: True advanced: True forcedType: "[]{}" @@ -220,10 +216,6 @@ soc: global: True advanced: True helpLink: suricata.html - autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.' - global: True - advanced: True denyRegex: description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' global: True From 5b966b83a9881a35c1a040561255af3b000739d1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 6 May 2024 09:26:52 -0400 Subject: [PATCH 2/5] change rulesRepos for airgap or not --- salt/soc/defaults.yaml | 24 +++++++++++++++++------- salt/soc/merged.map.jinja | 9 +++++++++ salt/soc/soc_soc.yaml | 24 ++++++++++++++---------- 3 files changed, 40 insertions(+), 17 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index ad154e9d1..1f96c63a8 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1274,10 +1274,15 @@ soc: rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state rulesRepos: - - repo: https://github.com/Security-Onion-Solutions/securityonion-resources - license: Elastic-2.0 - folder: sigma/stable - community: true + default: + - repo: https://github.com/Security-Onion-Solutions/securityonion-resources + license: Elastic-2.0 + folder: sigma/stable + community: true + airgap: + - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources + license: DRL + community: true sigmaRulePackages: - core - emerging_threats_addon 
@@ -1333,9 +1338,14 @@ soc:
 denyRegex: ''
 reposFolder: /opt/sensoroni/yara/repos
 rulesRepos:
- - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
- license: DRL
- community: true
+ default:
+ - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
+ license: DRL
+ community: true
+ airgap:
+ - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
+ license: DRL
+ community: true
 yaraRulesFolder: /opt/sensoroni/yara/rules
 stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
 suricataengine:
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index 222566dba..e31fabf2a 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -37,6 +37,15 @@
 {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
+{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
+{% if GLOBALS.airgap %}
+{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
+{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
+{% else %}
+{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
+{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {% do SOCMERGED.config.server.modules.pop('elastalertengine') %}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index a9d6bac08..01308f73f 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
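Review bot: `SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap` (and the three sibling lookups) assume `rulesRepos` is now the `default`/`airgap` mapping, but `rulesRepos` is annotated `global: True` in soc_soc.yaml, so an existing deployment that overrode it in pillar in the pre-change list form (the removed lines in the defaults.yaml hunks show that shape) would make this attribute lookup yield an undefined value or a render error, depending on how Undefined is configured, and the engine would end up with no repos. Consider guarding the block, e.g. `{% if SOCMERGED.config.server.modules.elastalertengine.rulesRepos is mapping %}`, or at least documenting the pillar migration in the patch description.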
@@ -107,11 +107,13 @@ soc:
 advanced: True
 helpLink: sigma.html
 rulesRepos:
- description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
- global: True
- advanced: True
- forcedType: "[]{}"
- helpLink: sigma.html
+ default: &eerulesRepos
+ description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
+ global: True
+ advanced: True
+ forcedType: "[]{}"
+ helpLink: sigma.html
+ airgap: *eerulesRepos
 sigmaRulePackages:
 description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
 global: True
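Review bot: `airgap: *eerulesRepos` gives the airgap list the exact text of the default one, so the UI will describe it as "Custom Git repos to pull Sigma rules from" even though that list is only consulted when the airgap flag is set and, per the defaults.yaml hunk in this patch, holds a local `file:///nsm/rules/...` checkout rather than a Git remote. A separate description for `airgap`, stating when it applies and that entries are local paths on the manager, would keep operators from editing the wrong list. The same alias pattern is used for `serulesRepos` in the strelkaengine hunk below. If the anchor is kept, be aware that some YAML tooling and schema validators handle aliases poorly even though Salt's loader expands them.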
@@ -205,11 +207,13 @@ soc:
 advanced: True
 helpLink: yara.html
 rulesRepos:
- description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.''
- global: True
- advanced: True
- forcedType: "[]{}"
- helpLink: yara.html
+ default: &serulesRepos
+ description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.''
+ global: True
+ advanced: True
+ forcedType: "[]{}"
+ helpLink: yara.html
+ airgap: *serulesRepos
 suricataengine:
 allowRegex:
 description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
From 38f74d2e9e8e17262a44d21fb515c9cc7ab73053 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 6 May 2024 11:38:30 -0400
Subject: [PATCH 3/5] change quotes
---
 salt/soc/soc_soc.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 01308f73f..67305d4e9 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -108,7 +108,7 @@ soc:
 helpLink: sigma.html
 rulesRepos:
 default: &eerulesRepos
- description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
+ description: "Custom Git repos to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
 global: True
 advanced: True
 forcedType: "[]{}"
@@ -208,7 +208,7 @@ soc:
 helpLink: yara.html
 rulesRepos:
 default: &serulesRepos
- description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.''
+ description: "Custom Git repos to pull YARA rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
 global: True
 advanced: True
 forcedType: "[]{}"
From be1758aea71f308a2aa2fd4204da80a9015b2a8e Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Mon, 6 May 2024 12:22:44 -0400
Subject: [PATCH 4/5] Fix license and folder
---
 salt/soc/defaults.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 1f96c63a8..5ae1497f0 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1281,7 +1281,8 @@ soc:
 community: true
 airgap:
 - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
- license: DRL
+ license: Elastic-2.0
+ folder: sigma/stable
 community: true
 sigmaRulePackages:
 - core
From 554a2035414f0ddea0e01b4f8acaac55233251d9 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 6 May 2024 12:59:45 -0400
Subject: [PATCH 5/5] update airgapEnabled in map file
---
 salt/soc/defaults.yaml | 1 -
 salt/soc/merged.map.jinja | 2 ++
 salt/soc/soc_soc.yaml | 5 -----
 3 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 1f96c63a8..582f0af82 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1246,7 +1246,6 @@ soc:
 maxPacketCount: 5000
 htmlDir: html
 importUploadDir: /nsm/soc/uploads
- airgapEnabled: false
 modules:
 cases: soc
 filedatastore:
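Review bot: The `index 1f96c63a8..5ae1497f0` line of this patch's defaults.yaml diff and the `index 1f96c63a8..582f0af82` line of patch 5's defaults.yaml diff share the same pre-image blob, which suggests patch 5 was generated from a tree that does not include this fix. The two hunks do not overlap (line 1281 here, line 1246 there), so the series should still apply in order, but the merged result should be checked to confirm `license: Elastic-2.0` and `folder: sigma/stable` survive on the airgap entry. Regenerating patch 5 on top of this one would remove the doubt.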
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index e31fabf2a..f23d9c115 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -41,9 +41,11 @@
 {% if GLOBALS.airgap %}
 {% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
 {% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
+{% do SOCMERGED.config.server.update({'airgapEnabled': true}) %}
 {% else %}
 {% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
 {% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
+{% do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
 {% endif %}
 {# remove these modules if detections is disabled #}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 67305d4e9..2b1e83ec4 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -119,11 +119,6 @@ soc:
 global: True
 advanced: False
 helpLink: sigma.html
- airgapEnabled:
- description: 'This setting dynamically changes to the current status of Airgap on this system and is used during the Sigma ruleset update process.'
- global: True
- advanced: True
- helpLink: sigma.html
 elastic:
 index:
 description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
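Review bot: The two added `airgapEnabled` updates sit under the comment `{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}` just above the hunk, which now under-describes the block, and nothing records that `airgapEnabled` is recomputed from `GLOBALS.airgap` on every render; with its default removed from defaults.yaml and its annotation removed from soc_soc.yaml in this patch, any pillar value for `config.server.airgapEnabled` would be overwritten here with no indication to the operator. Suggest replacing that comment with `{# rulesRepos and airgapEnabled follow GLOBALS.airgap; any pillar value for these keys is overwritten here #}`. The comment line is outside the lines this hunk changes.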