From 8ee2142de488348e7ceb39b891365c8e61f1e5ae Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 29 Jun 2020 11:21:47 -0400
Subject: [PATCH 1/4] pillarize idstools - https://github.com/Security-Onion-Solutions/securityonion/issues/583

---
 salt/idstools/etc/disable.conf | 6 ++++++
 salt/idstools/etc/enable.conf | 6 ++++++
 salt/idstools/init.sls | 2 ++
 3 files changed, 14 insertions(+)

diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf
index e8928c495..9eb69575e 100644
--- a/salt/idstools/etc/disable.conf
+++ b/salt/idstools/etc/disable.conf
@@ -1,3 +1,5 @@
+{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
+
 # idstools - disable.conf
 
 # Example of disabling a rule by signature ID (gid is optional).
@@ -8,3 +10,7 @@
 # - All regular expression matches are case insensitive.
 # re:hearbleed
 # re:MS(0[7-9]|10)-\d+
+
+{%- for sid in disabled_sids %}
+{{ sid }}
+{% endfor -%}
\ No newline at end of file
diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf
index b7738677c..3f965541f 100644
--- a/salt/idstools/etc/enable.conf
+++ b/salt/idstools/etc/enable.conf
@@ -1,3 +1,5 @@
+{% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
+
 # idstools-rulecat - enable.conf
 
 # Example of enabling a rule by signature ID (gid is optional).
@@ -8,3 +10,7 @@
 # - All regular expression matches are case insensitive.
 # re:hearbleed
 # re:MS(0[7-9]|10)-\d+
+
+{%- for sid in enabled_sids %}
+{{ sid }}
+{% endfor -%}
\ No newline at end of file
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index d145a4e15..078cb5b03 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -66,3 +66,5 @@ so-idstools:
 - binds:
 - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
 - /opt/so/rules/nids:/opt/so/rules/nids:rw
+ - watch:
+ - file: idstoolsetcsync
From fe8df2206309f5ca1a2f7e357978e74cee08a105 Mon Sep 17 00:00:00 2001
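Review bot: The default handed to pillar.get on the new first line of disable.conf is `{}`, a mapping, while the value is later consumed by a `for sid in` loop, so an absent pillar key only works because iterating an empty dict yields nothing, and a mapping supplied by mistake would be iterated by its keys. A list default makes the expected shape explicit and matches the loop: `{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', []) -%}`. The same consideration applies wherever this pattern is copied.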
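Review bot: Each pillar entry is written into disable.conf verbatim by `{{ sid }}`, and the examples kept in this file show rulecat also accepts `re:<regex>` lines, so a value under `idstools:sids:disabled` is not limited to a numeric signature ID and one broad pattern would silently disable far more than a single rule. That is acceptable because pillar is operator-controlled, but it should be stated above the loop, e.g. `# Entries below are rendered as-is from pillar idstools:sids:disabled (sid, gid:sid or re:<regex>); nothing is validated here`. If only numeric IDs are intended, a `{% if sid is number %}` guard around the output line would enforce it without breaking existing lists.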
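Review bot: The loop appends each `idstools:sids:enabled` entry to enable.conf unchanged, and since this file's own examples show `re:` patterns are accepted, a single wide pattern can re-enable rules that were deliberately turned off in disable.conf; which file takes precedence when both match is not visible in this change. A comment above the loop would make the trust assumption explicit: `# Rendered verbatim from pillar idstools:sids:enabled; re: patterns apply to every matching rule`. It would be worth confirming and documenting rulecat's enable/disable precedence next to it.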
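Review bot: The new `watch` on `file: idstoolsetcsync` restarts the so-idstools container whenever the synced etc directory changes, which is what makes the pillar-driven lists take effect, but it presumes that `idstoolsetcsync` (defined outside this hunk) renders disable.conf and enable.conf through Jinja, since both now open with a `{% set ... %}` line. If that state copies the files without `template: jinja`, the template line is handed to rulecat as a literal config line instead. A short comment on the watch would help the next reader, e.g. `# restart so rulecat picks up the re-rendered enable/disable.conf`. The so-idstools state begins before this hunk.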
From: m0duspwnens
Date: Mon, 29 Jun 2020 16:03:14 -0400
Subject: [PATCH 2/4] cleanup whitespace in idstools enable/disable.conf

---
 salt/idstools/etc/disable.conf | 1 -
 salt/idstools/etc/enable.conf | 1 -
 2 files changed, 2 deletions(-)

diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf
index 9eb69575e..33f7e0ae6 100644
--- a/salt/idstools/etc/disable.conf
+++ b/salt/idstools/etc/disable.conf
@@ -1,5 +1,4 @@
 {% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
-
 # idstools - disable.conf
 
 # Example of disabling a rule by signature ID (gid is optional).
diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf
index 3f965541f..36f95fbc4 100644
--- a/salt/idstools/etc/enable.conf
+++ b/salt/idstools/etc/enable.conf
@@ -1,5 +1,4 @@
 {% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
-
 # idstools-rulecat - enable.conf
 
 # Example of enabling a rule by signature ID (gid is optional).
From 67f2eedad1616dfdf6298aa11e5f7df447d39c37 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 29 Jun 2020 16:11:30 -0400
Subject: [PATCH 3/4] cleanup whitespace in idstools enable/disable.conf

---
 salt/idstools/etc/disable.conf | 2 +-
 salt/idstools/etc/enable.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf
index 33f7e0ae6..ff7197360 100644
--- a/salt/idstools/etc/disable.conf
+++ b/salt/idstools/etc/disable.conf
@@ -12,4 +12,4 @@
 
 {%- for sid in disabled_sids %}
 {{ sid }}
-{% endfor -%}
\ No newline at end of file
+{%- endfor %}
\ No newline at end of file
diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf
index 36f95fbc4..c16b25986 100644
--- a/salt/idstools/etc/enable.conf
+++ b/salt/idstools/etc/enable.conf
@@ -12,4 +12,4 @@
 
 {%- for sid in enabled_sids %}
 {{ sid }}
-{% endfor -%}
\ No newline at end of file
+{%- endfor %}
\ No newline at end of file
From efaf41107c87021478ba8a903991edb6f005ec62 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 29 Jun 2020 16:14:36 -0400
Subject: [PATCH 4/4] update description in localrules/local.rules for idstools

---
 salt/idstools/localrules/local.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/idstools/localrules/local.rules b/salt/idstools/localrules/local.rules
index e01ea913c..95be9156f 100644
--- a/salt/idstools/localrules/local.rules
+++ b/salt/idstools/localrules/local.rules
@@ -1 +1 @@
-# Put your own custom Snort/Suricata rules in here.
+# Put your own custom Snort/Suricata rules in /opt/so/saltstack/local/salt/idstools/localrules/.
\ No newline at end of file