CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12939 from Security-Onion-Solutions/2.4/detections-airgap

Browse Source 
Initial airgap support for detections
This commit is contained in:
Josh Brower
2024-05-06 15:46:29 -04:00
committed by GitHub
parent a67f0d93a0 2431d7b028
commit b997e44715
3 changed files with 48 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
salt/soc/defaults.yaml
View File

@@ -1258,7 +1258,6 @@ soc:
maxPacketCount: 5000 maxPacketCount: 5000
htmlDir: html htmlDir: html
importUploadDir: /nsm/soc/uploads importUploadDir: /nsm/soc/uploads
airgapEnabled: false
modules: modules:
cases: soc cases: soc
filedatastore: filedatastore:
@@ -1286,10 +1285,16 @@ soc:
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state
rulesRepos: rulesRepos:
default:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
license: Elastic-2.0 license: Elastic-2.0
folder: sigma/stable folder: sigma/stable
community: true community: true
airgap:
- repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
license: Elastic-2.0
folder: sigma/stable
community: true
sigmaRulePackages: sigmaRulePackages:
- core - core
- emerging_threats_addon - emerging_threats_addon
@@ -1345,9 +1350,14 @@ soc:
denyRegex: '' denyRegex: ''
reposFolder: /opt/sensoroni/yara/repos reposFolder: /opt/sensoroni/yara/repos
rulesRepos: rulesRepos:
default:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL license: DRL
community: true community: true
airgap:
- repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
license: DRL
community: true
yaraRulesFolder: /opt/sensoroni/yara/rules yaraRulesFolder: /opt/sensoroni/yara/rules
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
suricataengine: suricataengine:

11
salt/soc/merged.map.jinja
View File

@@ -37,6 +37,17 @@
{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %} {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
{% endif %} {% endif %}
{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
{% if GLOBALS.airgap %}
{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
{% do SOCMERGED.config.server.update({'airgapEnabled': true}) %}
{% else %}
{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
{% do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
{% endif %}
{# remove these modules if detections is disabled #} {# remove these modules if detections is disabled #}
{% if not SOCMERGED.config.server.client.detectionsEnabled %} {% if not SOCMERGED.config.server.client.detectionsEnabled %}
{% do SOCMERGED.config.server.modules.pop('elastalertengine') %} {% do SOCMERGED.config.server.modules.pop('elastalertengine') %}

31
salt/soc/soc_soc.yaml
View File

@@ -107,21 +107,18 @@ soc:
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
rulesRepos: rulesRepos:
description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.' default: &eerulesRepos
description: "Custom Git repos to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
helpLink: sigma.html helpLink: sigma.html
airgap: *eerulesRepos
sigmaRulePackages: sigmaRulePackages:
description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
global: True global: True
advanced: False advanced: False
helpLink: sigma.html helpLink: sigma.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
helpLink: sigma.html
elastic: elastic:
index: index:
description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -185,45 +182,39 @@ soc:
advanced: True advanced: True
strelkaengine: strelkaengine:
allowRegex: allowRegex:
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True
advanced: True advanced: True
helpLink: yara.html helpLink: yara.html
autoEnabledYaraRules: autoEnabledYARARules:
description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara' description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
global: True global: True
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
denyRegex: denyRegex:
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True
advanced: True advanced: True
helpLink: yara.html helpLink: yara.html
communityRulesImportFrequencySeconds: communityRulesImportFrequencySeconds:
description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.' description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
global: True global: True
advanced: True advanced: True
helpLink: yara.html helpLink: yara.html
rulesRepos: rulesRepos:
description: 'Custom Git repos to pull Yara rules from. License field is required' default: &serulesRepos
description: "Custom Git repos to pull YARA rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
helpLink: yara.html helpLink: yara.html
airgap: *serulesRepos
suricataengine: suricataengine:
allowRegex: allowRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True
advanced: True advanced: True
helpLink: suricata.html helpLink: suricata.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
denyRegex: denyRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True