From c199acc64e9200029476335dc87053ad400cab2e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 24 May 2023 14:58:11 -0400
Subject: [PATCH] Suricata Airgap

---
 salt/idstools/etc/rulecat.conf | 28 ++++---------------------
 salt/idstools/tools/sbin/so-rule-update | 21 +++++++++++++++++--
 2 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 537c3f9e8..b95d0c463 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,35 +1,15 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
-{%- if GLOBALS.airgap is sameas true -%}
---merged=/opt/so/rules/nids/all.rules
---local=/opt/so/rules/nids/local.rules
+--merged=/nsm/rules/suricata/all.rules
+--local=/nsm/rules/local/local.rules
 {%- if GLOBALS.md_engine == "SURICATA" %}
---local=/opt/so/rules/nids/sorules/extraction.rules
---local=/opt/so/rules/nids/sorules/filters.rules
+--local=/nsm/rules/sorules/ids/extraction.rules
+--local=/nsm/rules/sorules/filters.rules
 {%- endif %}
 --url=http://{{ GLOBALS.manager }}:7788/rules/emerging-all.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- else -%}
---suricata-version=6.0
---merged=/opt/so/rules/nids/all.rules
---local=/opt/so/rules/nids/local.rules
-{%- if GLOBALS.md_engine == "SURICATA" %}
---local=/opt/so/rules/nids/sorules/extraction.rules
---local=/opt/so/rules/nids/sorules/filters.rules
-{%- endif %}
---disable=/opt/so/idstools/etc/disable.conf
---enable=/opt/so/idstools/etc/enable.conf
---modify=/opt/so/idstools/etc/modify.conf
-{%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
---etopen
-{%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
---etpro={{ IDSTOOLSMERGED.config.oinkcode }}
-{%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
-{%- endif %}
-{%- endif %}
 {%- if IDSTOOLSMERGED.config.urls | length > 0 %}
 {%- for URL in IDSTOOLSMERGED.config.urls %}
 --url={{ URL }}
diff --git a/salt/idstools/tools/sbin/so-rule-update b/salt/idstools/tools/sbin/so-rule-update
index 230d22ab6..7e08f0e6d 100755
--- a/salt/idstools/tools/sbin/so-rule-update
+++ b/salt/idstools/tools/sbin/so-rule-update
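Review bot: With the `{%- if GLOBALS.airgap is sameas true -%}` / `{%- else -%}` branches removed, this template no longer distinguishes an airgapped manager from an online one, so the airgap behaviour now rests entirely on the gate added in the so-rule-update hunk, which tests `GLOBALS.airgap != 'True'` as a string where the line removed here tested the boolean with `is sameas true`; if `GLOBALS.airgap` still renders as a boolean, that string comparison is always true and the upstream download also runs on airgapped managers, so both files should use the same test, e.g. `{%- if GLOBALS.airgap is not sameas true %}` in so-rule-update. The new `--local` paths are uneven: `extraction.rules` gains an `ids/` component (`/nsm/rules/sorules/ids/extraction.rules`) while `filters.rules` sits directly under `/nsm/rules/sorules/`; confirm that is intended rather than a typo. Because the reason for the simplification is not visible in this file, a short template comment would help the next reader, e.g. `{# rulecat only merges from the manager's local rules endpoint; fetching the upstream ruleset (ETOPEN/ETPRO/TALOS) is done by so-rule-update #}`.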
@@ -2,9 +2,26 @@
 . /usr/sbin/so-common
-# Pull down the latest rules if not airgap
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+
+# Download the rules from the internet
+{%- if GLOBALS.airgap != 'True' %}
+{%- if proxy %}
+export http_proxy={{ proxy }}
+export https_proxy={{ proxy }}
+export no_proxy= salt['pillar.get']('manager:no_proxy')
+{%- endif %}
+{%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
+docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
+{%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
+docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
+{%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
+docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
+{%- endif %}
+{%- endif %}
-#docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --force
 argstr=""
 for arg in "$@"; do