Merge branch 'kilo' of github.com:security-onion-solutions/securityonion into kilo

Corey Ogburn
2024-02-13 12:53:29 -07:00
5 changed files with 23 additions and 14 deletions


@@ -8,7 +8,7 @@ idstools:
global: True
helpLink: rules.html
ruleset:
description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO. -- WARNING -- Changing the ruleset will remove all existing Suricata rules of the previous ruleset and their associated overrides.'
global: True
regex: ETPRO\b|ETOPEN\b
helpLink: rules.html
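Review bot: The longer description line (presumably the added one) ends with a stray `'` that has no opening quote, so the apostrophe is part of the plain scalar and will be displayed to the user as the last character of the help text. Either drop it or quote the whole value the way the sigmaRulePackages annotation does, e.g. `description: 'Defines the ruleset you want to run. Options are ETOPEN or ETPRO. -- WARNING -- Changing the ruleset will remove all existing Suricata rules of the previous ruleset and their associated overrides.'`. The enclosing idstools annotation block starts and ends outside the hunk.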


@@ -9,9 +9,16 @@
include:
- manager.sync_es_users
socdirtest:
file.directory:
- name: /opt/so/rules/elastalert/rules
- user: 939
- group: 939
- makedirs: True
socdir:
file.directory:
- name: /opt/so/conf/soc
- name: /opt/so/conf/soc/fingerprints
- user: 939
- group: 939
- makedirs: True
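Review bot: The new state id `socdirtest` reads like a leftover test name for a directory that the so-soc container mounts read-write; rename it to say what it manages, e.g. `elastalert_rules_dir:`. Neither `file.directory` state sets a mode, so the directories get the minion's umask default while being owned by uid 939; as they hold rules consumed by other services, an explicit `- mode: 750` (or whatever the consumers need) keeps unrelated local accounts from writing into them. If the `/opt/so/conf/soc/fingerprints` line is the added one and `/opt/so/conf/soc` the removed one, the parent is now only created through makedirs with default ownership rather than as 939 — worth confirming nothing else depends on the parent being 939-owned.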


@@ -1006,7 +1006,7 @@ soc:
communityRulesImportFrequencySeconds: 180
elastAlertRulesFolder: /opt/sensoroni/elastalert
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
sigmaRulePackages: all
sigmaRulePackages: core
elastic:
hostUrl:
remoteHostUrls: []
@@ -1050,10 +1050,10 @@ soc:
- rbac/users_roles
strelkaengine:
compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py
reposFolder: /nsm/rules/strelka/repos
reposFolder: /opt/sensoroni/yara/repos
rulesRepos:
- https://github.com/Security-Onion-Solutions/securityonion-yara
yaraRulesFolder: /opt/sensoroni/yara
yaraRulesFolder: /opt/sensoroni/yara/rules
suricataengine:
communityRulesFile: /nsm/rules/suricata/emerging-all.rules
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
@@ -1770,21 +1770,23 @@ soc:
- so_detection.title
- so_detection.isEnabled
- so_detection.language
- "@timestamp"
- so_detection.severity
queries:
- name: "All Detections"
query: "_id:*"
- name: "Local Rules"
- name: "Custom Detections"
query: "so_detection.isCommunity:false"
- name: "Enabled"
- name: "All Detections - Enabled"
query: "so_detection.isEnabled:true"
- name: "Disabled"
- name: "All Detections - Disabled"
query: "so_detection.isEnabled:false"
- name: "Suricata"
- name: "Detection Type - Suricata (NIDS)"
query: "so_detection.language:suricata"
- name: "Sigma"
- name: "Detection Type - Sigma - All"
query: "so_detection.language:sigma"
- name: "Yara"
- name: "Detection Type - Sigma - Windows"
query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
- name: "Detection Type - Yara (Strelka)"
query: "so_detection.language:yara"
detection:
presets:
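Review bot: In the strelkaengine hunk, `reposFolder` and `yaraRulesFolder` now point under `/opt/sensoroni/yara`, which the so-soc container appears to get from the `/opt/so/conf/strelka` bind in this commit, but the sibling `compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py` still uses the host path; unless a bind outside the shown hunk mounts that path into the container, the script would only be reachable as `/opt/sensoroni/yara/compile_yara.py`, so the three keys should agree on one path scheme. In the last hunk, the new `Detection Type - Sigma - Windows` preset matches the raw rule text with a leading-wildcard `"*product: windows*"`, which is both costly to evaluate and brittle (a rule written `product: 'windows'` or with different spacing is missed); if the detection document indexes the logsource fields separately, querying that field would be more reliable. The soc block these hunks belong to starts and ends outside the shown hunks.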


@@ -23,7 +23,7 @@ so-soc:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds:
- /nsm/rules:/nsm/rules:rw #Need to tighten this up?
- /opt/so/rules/yara:/opt/sensoroni/yara:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
- /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
- /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw
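Review bot: The `/opt/so/conf/strelka:/opt/sensoroni/yara:rw` bind (presumably the added line) gives the so-soc container read-write access to the whole strelka configuration directory, which according to the soc defaults in this commit also holds `compile_yara.py`; a compromised web container could then modify a script that, going by its key name, is executed to compile rules, rather than just the rule data it needs to write. Mounting only the data subtrees read-write, e.g. `- /opt/so/conf/strelka/repos:/opt/sensoroni/yara/repos:rw` and `- /opt/so/conf/strelka/rules:/opt/sensoroni/yara/rules:rw`, with the script mounted `:ro` if it is needed inside the container, limits the mount to what the engine writes. The same concern already applies to the `/nsm/rules:/nsm/rules:rw` line above, as its comment notes. The so-soc container definition starts and ends outside the hunk.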


@@ -72,7 +72,7 @@ soc:
modules:
elastalertengine:
sigmaRulePackages:
description: 'One of the following: core | core+ | core++ | all'
description: 'Defines the Sigma Community Ruleset you want to run: core | core+ | core++ | all. -- WARNING -- Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides.'
global: True
advanced: False
elastic:
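Review bot: The new description enumerates the four accepted values, but unlike the idstools ruleset annotation nothing enforces them, so the setting still accepts any string, and the warning about wiping the previous ruleset makes a typo costlier than before. Add a `regex` constraint alongside the description, e.g. `regex: ^(core|core\+|core\+\+|all)$` (adjust the anchoring to however the annotation regexes are applied elsewhere in this file). The enclosing elastalertengine annotation block continues outside the hunk.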