mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Merge pull request #12939 from Security-Onion-Solutions/2.4/detections-airgap
Initial airgap support for detections
This commit is contained in:
Josh Brower
GitHub
@@ -1258,7 +1258,6 @@ soc:
|
||||
maxPacketCount: 5000
|
||||
htmlDir: html
|
||||
importUploadDir: /nsm/soc/uploads
|
||||
airgapEnabled: false
|
||||
modules:
|
||||
cases: soc
|
||||
filedatastore:
|
||||
@@ -1286,10 +1285,16 @@ soc:
|
||||
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
|
||||
stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state
|
||||
rulesRepos:
|
||||
default:
|
||||
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources
|
||||
license: Elastic-2.0
|
||||
folder: sigma/stable
|
||||
community: true
|
||||
airgap:
|
||||
- repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
|
||||
license: Elastic-2.0
|
||||
folder: sigma/stable
|
||||
community: true
|
||||
sigmaRulePackages:
|
||||
- core
|
||||
- emerging_threats_addon
|
||||
@@ -1345,9 +1350,14 @@ soc:
|
||||
denyRegex: ''
|
||||
reposFolder: /opt/sensoroni/yara/repos
|
||||
rulesRepos:
|
||||
default:
|
||||
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara
|
||||
license: DRL
|
||||
community: true
|
||||
airgap:
|
||||
- repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
|
||||
license: DRL
|
||||
community: true
|
||||
yaraRulesFolder: /opt/sensoroni/yara/rules
|
||||
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
|
||||
suricataengine:
|
||||
|
||||
@@ -37,6 +37,17 @@
|
||||
{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
|
||||
{% endif %}
|
||||
|
||||
{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
|
||||
{% if GLOBALS.airgap %}
|
||||
{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
|
||||
{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
|
||||
{% do SOCMERGED.config.server.update({'airgapEnabled': true}) %}
|
||||
{% else %}
|
||||
{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
|
||||
{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
|
||||
{% do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
|
||||
{% endif %}
|
||||
|
||||
{# remove these modules if detections is disabled #}
|
||||
{% if not SOCMERGED.config.server.client.detectionsEnabled %}
|
||||
{% do SOCMERGED.config.server.modules.pop('elastalertengine') %}
|
||||
|
||||
@@ -107,21 +107,18 @@ soc:
|
||||
advanced: True
|
||||
helpLink: sigma.html
|
||||
rulesRepos:
|
||||
description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.'
|
||||
default: &eerulesRepos
|
||||
description: "Custom Git repos to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
|
||||
global: True
|
||||
advanced: True
|
||||
forcedType: "[]{}"
|
||||
helpLink: sigma.html
|
||||
airgap: *eerulesRepos
|
||||
sigmaRulePackages:
|
||||
description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
|
||||
global: True
|
||||
advanced: False
|
||||
helpLink: sigma.html
|
||||
autoUpdateEnabled:
|
||||
description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: sigma.html
|
||||
elastic:
|
||||
index:
|
||||
description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
|
||||
@@ -185,45 +182,39 @@ soc:
|
||||
advanced: True
|
||||
strelkaengine:
|
||||
allowRegex:
|
||||
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
|
||||
description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: yara.html
|
||||
autoEnabledYaraRules:
|
||||
description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
|
||||
autoEnabledYARARules:
|
||||
description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: sigma.html
|
||||
autoUpdateEnabled:
|
||||
description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
|
||||
global: True
|
||||
advanced: True
|
||||
denyRegex:
|
||||
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
|
||||
description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: yara.html
|
||||
communityRulesImportFrequencySeconds:
|
||||
description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
|
||||
description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: yara.html
|
||||
rulesRepos:
|
||||
description: 'Custom Git repos to pull Yara rules from. License field is required'
|
||||
default: &serulesRepos
|
||||
description: "Custom Git repos to pull YARA rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
|
||||
global: True
|
||||
advanced: True
|
||||
forcedType: "[]{}"
|
||||
helpLink: yara.html
|
||||
airgap: *serulesRepos
|
||||
suricataengine:
|
||||
allowRegex:
|
||||
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: suricata.html
|
||||
autoUpdateEnabled:
|
||||
description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
|
||||
global: True
|
||||
advanced: True
|
||||
denyRegex:
|
||||
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
|
||||
global: True
|
||||
|
||||
Reference in New Issue
Block a user