diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 6d3667d0b..f33783507 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1311,7 +1311,6 @@ soc:
 kratos:
 hostUrl:
 elastalertengine:
- allowRegex: ''
 autoUpdateEnabled: true
 autoEnabledSigmaRules:
 default:
@@ -1327,7 +1326,6 @@ soc:
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
 failAfterConsecutiveErrorCount: 10
- denyRegex: ''
 elastAlertRulesFolder: /opt/sensoroni/elastalert
 reposFolder: /opt/sensoroni/sigma/repos
 rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
@@ -1392,7 +1390,6 @@ soc:
 userFiles:
 - rbac/users_roles
 strelkaengine:
- allowRegex: ''
 autoEnabledYaraRules:
 - securityonion-yara
 autoUpdateEnabled: true
@@ -1400,7 +1397,6 @@ soc:
 communityRulesImportErrorSeconds: 300
 failAfterConsecutiveErrorCount: 10
 compileYaraPythonScriptPath: /opt/sensoroni/yara/compile_yara.py
- denyRegex: ''
 reposFolder: /opt/sensoroni/yara/repos
 rulesRepos:
 default:
@@ -1415,14 +1411,14 @@ soc:
 stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
 integrityCheckFrequencySeconds: 1200
 suricataengine:
- allowRegex: ''
 autoUpdateEnabled: true
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
 customRulesets:
+ disableRegex: []
+ enableRegex: []
 failAfterConsecutiveErrorCount: 10
 communityRulesFile: /nsm/rules/suricata/emerging-all.rules
- denyRegex: ''
 rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
 stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
 integrityCheckFrequencySeconds: 1200
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 35402f760..b390c32c2 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
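Review bot: In the suricataengine hunk the old `allowRegex`/`denyRegex` defaults are replaced by `disableRegex: []` and `enableRegex: []`, but the four preceding hunks delete `allowRegex`/`denyRegex` under elastalertengine and strelkaengine with no replacement key; if a deployment pillar still overrides those keys for either engine, the override silently becomes inert after this change, and I cannot see a migration or upgrade note in this diff, so confirm one exists or that those engines no longer consult the keys. Using an explicit `[]` for the new defaults is the right choice (a bare `disableRegex:` would parse as null rather than an empty list) and matches the `forcedType: "[]string"` declared for these settings in soc_soc.yaml.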
@@ -90,11 +90,6 @@ soc:
 helpLink: sigma.html
 forcedType: "[]string"
 multiline: True
- allowRegex:
- description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: sigma.html
 autoEnabledSigmaRules:
 default: &autoEnabledSigmaRules
 description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
@@ -103,11 +98,6 @@ soc:
 helpLink: sigma.html
 so-eval: *autoEnabledSigmaRules
 so-import: *autoEnabledSigmaRules
- denyRegex:
- description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: sigma.html
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
 global: True
@@ -199,21 +189,11 @@ soc:
 advanced: True
 forcedType: int
 strelkaengine:
- allowRegex:
- description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: yara.html
 autoEnabledYaraRules:
 description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
 global: True
 advanced: True
 helpLink: sigma.html
- denyRegex:
- description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: yara.html
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
 global: True
@@ -232,21 +212,19 @@ soc:
 helpLink: yara.html
 airgap: *serulesRepos
 suricataengine:
- allowRegex:
- description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: suricata.html
- denyRegex:
- description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
- global: True
- advanced: True
- helpLink: suricata.html
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new Suricata rules (in seconds).'
 global: True
 advanced: True
 helpLink: suricata.html
+ disableRegex:
+ description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content.
+ global: True
+ forcedType: "[]string"
+ enableRegex:
+ description: A list of regular expressions used to automatically enable rules that match any of them. Each regular expression is tested against the rule's content. Takes priority over disableRegex matches.
+ global: True
+ forcedType: "[]string"
 integrityCheckFrequencySeconds:
 description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
 global: True
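Review bot: The new `disableRegex` and `enableRegex` entries omit the `helpLink: suricata.html` that every sibling setting in this stanza carries (and that the removed `allowRegex`/`denyRegex` entries had), so the UI will have no documentation link for them; add `helpLink: suricata.html` under each, and state explicitly whether dropping `advanced: True` (present on the removed entries) is intentional, since that decides whether these regex lists are shown to non-advanced users. The two descriptions are also the only ones in this stanza written as plain unquoted scalars; for consistency with the file they should be single-quoted with the apostrophe doubled, e.g. `description: 'A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule''s content.'`. Because precedence is reversed relative to the removed settings (deny used to win over allow, now enable wins over disable), consider noting in the description that these lists replace the former allow/deny settings so operators migrating existing filters know the semantics changed.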