Merge pull request #13365 from Security-Onion-Solutions/cogburn/suricata-regex-support

Cogburn/suricata regex support
coreyogburn
2024-07-19 12:47:10 -06:00
committed by GitHub
2 changed files with 10 additions and 36 deletions


@@ -1311,7 +1311,6 @@ soc:
kratos:
hostUrl:
elastalertengine:
allowRegex: ''
autoUpdateEnabled: true
autoEnabledSigmaRules:
default:
@@ -1327,7 +1326,6 @@ soc:
communityRulesImportFrequencySeconds: 86400
communityRulesImportErrorSeconds: 300
failAfterConsecutiveErrorCount: 10
denyRegex: ''
elastAlertRulesFolder: /opt/sensoroni/elastalert
reposFolder: /opt/sensoroni/sigma/repos
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
@@ -1392,7 +1390,6 @@ soc:
userFiles:
- rbac/users_roles
strelkaengine:
allowRegex: ''
autoEnabledYaraRules:
- securityonion-yara
autoUpdateEnabled: true
@@ -1400,7 +1397,6 @@ soc:
communityRulesImportErrorSeconds: 300
failAfterConsecutiveErrorCount: 10
compileYaraPythonScriptPath: /opt/sensoroni/yara/compile_yara.py
denyRegex: ''
reposFolder: /opt/sensoroni/yara/repos
rulesRepos:
default:
@@ -1415,14 +1411,14 @@ soc:
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 1200
suricataengine:
allowRegex: ''
autoUpdateEnabled: true
communityRulesImportFrequencySeconds: 86400
communityRulesImportErrorSeconds: 300
customRulesets:
disableRegex: []
enableRegex: []
failAfterConsecutiveErrorCount: 10
communityRulesFile: /nsm/rules/suricata/emerging-all.rules
denyRegex: ''
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
integrityCheckFrequencySeconds: 1200
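Review bot: The elastalertengine and strelkaengine stanzas lose their allowRegex/denyRegex defaults in the first four hunks, but only suricataengine gains the replacement enableRegex/disableRegex lists, so Sigma and YARA rule filtering by regex is left with no default at all; if the backend still reads those keys for the other engines they silently become unset, and if it no longer reads them the removal deserves an upgrade note, since any operator-set allowRegex/denyRegex values would be ignored without warning. The empty-list defaults `disableRegex: []` and `enableRegex: []` are the right shape (a bare key would parse as null rather than an empty list). Indentation is not visible on this page, so I cannot confirm whether the two new lists sit under `customRulesets` or directly under `suricataengine`; worth checking that it matches the path the config loader expects. The enclosing `soc:` mapping extends well beyond these hunks.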


@@ -90,11 +90,6 @@ soc:
helpLink: sigma.html
forcedType: "[]string"
multiline: True
allowRegex:
description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: sigma.html
autoEnabledSigmaRules:
default: &autoEnabledSigmaRules
description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
@@ -103,11 +98,6 @@ soc:
helpLink: sigma.html
so-eval: *autoEnabledSigmaRules
so-import: *autoEnabledSigmaRules
denyRegex:
description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: sigma.html
communityRulesImportFrequencySeconds:
description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
global: True
@@ -199,21 +189,11 @@ soc:
advanced: True
forcedType: int
strelkaengine:
allowRegex:
description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: yara.html
autoEnabledYaraRules:
description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
global: True
advanced: True
helpLink: sigma.html
denyRegex:
description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: yara.html
communityRulesImportFrequencySeconds:
description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
global: True
@@ -232,21 +212,19 @@ soc:
helpLink: yara.html
airgap: *serulesRepos
suricataengine:
allowRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: suricata.html
denyRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: suricata.html
communityRulesImportFrequencySeconds:
description: 'How often to check for new Suricata rules (in seconds).'
global: True
advanced: True
helpLink: suricata.html
disableRegex:
description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content.
global: True
forcedType: "[]string"
enableRegex:
description: A list of regular expressions used to automatically enable rules that match any of them. Each regular expression is tested against the rule's content. Takes priority over disableRegex matches.
global: True
forcedType: "[]string"
integrityCheckFrequencySeconds:
description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
global: True
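Review bot: The new disableRegex and enableRegex annotations in the last hunk are missing the `helpLink: suricata.html` that every sibling entry in this stanza carries, and unlike the other `forcedType: "[]string"` entry in this file (the Sigma one in the first hunk, which pairs it with `multiline: True`) they set no multiline flag, so the settings UI may render a list-valued field as a single line; they also omit `advanced: True`, which may be deliberate if these are meant to show in the basic view. I'd add `helpLink: suricata.html` and `multiline: True` to both entries and quote the two descriptions like the neighbouring ones, since the rest of the stanza uses single-quoted descriptions. It would also help operators to have the description say that the patterns are matched against the full rule text, so a broad pattern can disable far more than intended, and to repeat in the disableRegex text that a rule matched by both lists ends up enabled (the enableRegex text says this, the disableRegex text does not).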