CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-09 10:42:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13365 from Security-Onion-Solutions/cogburn/suricata-regex-support

Browse Source 
Cogburn/suricata regex support
This commit is contained in:
coreyogburn
2024-07-19 12:47:10 -06:00
committed by GitHub
parent 92385d652e 45b2413175
commit be74449fb9
2 changed files with 10 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
salt/soc/defaults.yaml
View File

@@ -1311,7 +1311,6 @@ soc:
kratos: kratos:
hostUrl: hostUrl:
elastalertengine: elastalertengine:
allowRegex: ''
autoUpdateEnabled: true autoUpdateEnabled: true
autoEnabledSigmaRules: autoEnabledSigmaRules:
default: default:
@@ -1327,7 +1326,6 @@ soc:
communityRulesImportFrequencySeconds: 86400 communityRulesImportFrequencySeconds: 86400
communityRulesImportErrorSeconds: 300 communityRulesImportErrorSeconds: 300
failAfterConsecutiveErrorCount: 10 failAfterConsecutiveErrorCount: 10
denyRegex: ''
elastAlertRulesFolder: /opt/sensoroni/elastalert elastAlertRulesFolder: /opt/sensoroni/elastalert
reposFolder: /opt/sensoroni/sigma/repos reposFolder: /opt/sensoroni/sigma/repos
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
@@ -1392,7 +1390,6 @@ soc:
userFiles: userFiles:
- rbac/users_roles - rbac/users_roles
strelkaengine: strelkaengine:
allowRegex: ''
autoEnabledYaraRules: autoEnabledYaraRules:
- securityonion-yara - securityonion-yara
autoUpdateEnabled: true autoUpdateEnabled: true
@@ -1400,7 +1397,6 @@ soc:
communityRulesImportErrorSeconds: 300 communityRulesImportErrorSeconds: 300
failAfterConsecutiveErrorCount: 10 failAfterConsecutiveErrorCount: 10
compileYaraPythonScriptPath: /opt/sensoroni/yara/compile_yara.py compileYaraPythonScriptPath: /opt/sensoroni/yara/compile_yara.py
denyRegex: ''
reposFolder: /opt/sensoroni/yara/repos reposFolder: /opt/sensoroni/yara/repos
rulesRepos: rulesRepos:
default: default:
@@ -1415,14 +1411,14 @@ soc:
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 1200 integrityCheckFrequencySeconds: 1200
suricataengine: suricataengine:
allowRegex: ''
autoUpdateEnabled: true autoUpdateEnabled: true
communityRulesImportFrequencySeconds: 86400 communityRulesImportFrequencySeconds: 86400
communityRulesImportErrorSeconds: 300 communityRulesImportErrorSeconds: 300
customRulesets: customRulesets:
disableRegex: []
enableRegex: []
failAfterConsecutiveErrorCount: 10 failAfterConsecutiveErrorCount: 10
communityRulesFile: /nsm/rules/suricata/emerging-all.rules communityRulesFile: /nsm/rules/suricata/emerging-all.rules
denyRegex: ''
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
integrityCheckFrequencySeconds: 1200 integrityCheckFrequencySeconds: 1200

38
salt/soc/soc_soc.yaml
View File

@@ -90,11 +90,6 @@ soc:
helpLink: sigma.html helpLink: sigma.html
forcedType: "[]string" forcedType: "[]string"
multiline: True multiline: True
allowRegex:
description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: sigma.html
autoEnabledSigmaRules: autoEnabledSigmaRules:
default: &autoEnabledSigmaRules default: &autoEnabledSigmaRules
description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.' description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
@@ -103,11 +98,6 @@ soc:
helpLink: sigma.html helpLink: sigma.html
so-eval: *autoEnabledSigmaRules so-eval: *autoEnabledSigmaRules
so-import: *autoEnabledSigmaRules so-import: *autoEnabledSigmaRules
denyRegex:
description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: sigma.html
communityRulesImportFrequencySeconds: communityRulesImportFrequencySeconds:
description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.' description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
global: True global: True
@@ -199,21 +189,11 @@ soc:
advanced: True advanced: True
forcedType: int forcedType: int
strelkaengine: strelkaengine:
allowRegex:
description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: yara.html
autoEnabledYaraRules: autoEnabledYaraRules:
description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara' description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
global: True global: True
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
denyRegex:
description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: yara.html
communityRulesImportFrequencySeconds: communityRulesImportFrequencySeconds:
description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.' description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
global: True global: True
@@ -232,21 +212,19 @@ soc:
helpLink: yara.html helpLink: yara.html
airgap: *serulesRepos airgap: *serulesRepos
suricataengine: suricataengine:
allowRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: suricata.html
denyRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: suricata.html
communityRulesImportFrequencySeconds: communityRulesImportFrequencySeconds:
description: 'How often to check for new Suricata rules (in seconds).' description: 'How often to check for new Suricata rules (in seconds).'
global: True global: True
advanced: True advanced: True
helpLink: suricata.html helpLink: suricata.html
disableRegex:
description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content.
global: True
forcedType: "[]string"
enableRegex:
description: A list of regular expressions used to automatically enable rules that match any of them. Each regular expression is tested against the rule's content. Takes priority over disableRegex matches.
global: True
forcedType: "[]string"
integrityCheckFrequencySeconds: integrityCheckFrequencySeconds:
description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.' description: 'How often the Suricata integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
global: True global: True