Merge pull request #904 from Security-Onion-Solutions/issue/583

Issue/583

salt/idstools/etc/disable.conf

@@ -1,3 +1,4 @@
+{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
 # idstools - disable.conf
 
 # Example of disabling a rule by signature ID (gid is optional).
@@ -8,3 +9,7 @@
 # - All regular expression matches are case insensitive.
 # re:hearbleed
 # re:MS(0[7-9]|10)-\d+
+
+{%- for sid in disabled_sids %}
+{{ sid }}
+{%- endfor %}

salt/idstools/etc/enable.conf

@@ -1,3 +1,4 @@
+{% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
 # idstools-rulecat - enable.conf
 
 # Example of enabling a rule by signature ID (gid is optional).
@@ -8,3 +9,7 @@
 # - All regular expression matches are case insensitive.
 # re:hearbleed
 # re:MS(0[7-9]|10)-\d+
+
+{%- for sid in enabled_sids %}
+{{ sid }}
+{%- endfor %}

salt/idstools/init.sls

@@ -66,3 +66,5 @@ so-idstools:
     - binds:
       - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
       - /opt/so/rules/nids:/opt/so/rules/nids:rw
+    - watch:
+      - file: idstoolsetcsync

salt/idstools/localrules/local.rules

@@ -1 +1 @@
-# Put your own custom Snort/Suricata rules in here.
+# Put your own custom Snort/Suricata rules in /opt/so/saltstack/local/salt/idstools/localrules/.