CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 01:02:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactor for Airgap

Browse Source
This commit is contained in:
DefensiveDepth
2025-11-25 13:51:50 -05:00
parent 148ef7ef21
commit ced3af818c
8 changed files with 188 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/manager/init.sls
View File

@@ -206,6 +206,7 @@ git_config_set_safe_dirs:
- multivar:
- /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara
- /nsm/rules/custom-local-repos/local-suricata
- /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources
- /nsm/airgap-resources/playbooks

34
salt/soc/config.sls
View File

@@ -215,7 +215,6 @@ socsensoronirepos:
- mode: 775
- makedirs: True
create_custom_local_yara_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-yara
@@ -249,6 +248,39 @@ add_readme_custom_local_sigma_repo_template:
- context:
repo_type: "sigma"
create_custom_local_suricata_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-suricata
- bare: False
- force: True
add_readme_custom_local_suricata_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-suricata/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "suricata"
etpro_airgap_folder:
file.directory:
- name: /nsm/rules/custom-local-repos/local-etpro-suricata
- user: 939
- group: 939
- makedirs: True
add_readme_etpro_airgap_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-etpro-suricata/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "suricata-etpro"
socore_own_custom_repos:
file.directory:
- name: /nsm/rules/custom-local-repos/

46
salt/soc/defaults.yaml
View File

@@ -1595,16 +1595,29 @@ soc:
sourcePath: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz
sourceType: url
- name: local-rules
id: local-rules
description: "Local custom rules from files (*.rules) in a directory on the filesystem"
description: "Local rules from files (*.rules) in a directory on the filesystem"
license: "custom"
sourceType: directory
sourcePath: /nsm/rules/local/
sourcePath: /nsm/rules/custom-local-repos/local-suricata
readOnly: false
deleteUnreferenced: false
enabled: true
- name: SO_FILTERS
deleteUnreferenced: true
description: Filter rules for when Suricata is set as the metadata engine
enabled: false
excludeFiles:
- "*backup*"
license: Elastic-2.0
readOnly: true
sourcePath: /nsm/rules/suricata/so_filters.rules
sourceType: directory
- name: SO_EXTRACTIONS
description: Extraction rules for when Suricata is set as the metadata engine
deleteUnreferenced: true
enabled: false
license: Elastic-2.0
readOnly: true
sourcePath: /nsm/rules/suricata/so_extraction.rules
sourceType: directory
airgap:
- name: Emerging-Threats
description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
@@ -1625,16 +1638,29 @@ soc:
readOnly: true
deleteUnreferenced: true
- name: local-rules
id: local-rules
description: "Local custom rules from files (*.rules) in a directory on the filesystem"
description: "Local rules from files (*.rules) in a directory on the filesystem"
license: "custom"
sourceType: directory
sourcePath: /nsm/rules/local/
sourcePath: /nsm/rules/custom-local-repos/local-suricata
readOnly: false
deleteUnreferenced: false
enabled: true
- name: SO_FILTERS
deleteUnreferenced: true
description: Filter rules for when Suricata is set as the metadata engine
enabled: false
excludeFiles:
- "*backup*"
license: Elastic-2.0
readOnly: true
sourcePath: /nsm/rules/suricata/so_filters.rules
sourceType: directory
- name: SO_EXTRACTIONS
description: Extraction rules for when Suricata is set as the metadata engine
deleteUnreferenced: true
enabled: false
license: Elastic-2.0
readOnly: true
sourcePath: /nsm/rules/suricata/so_extraction.rules
sourceType: directory
navigator:
intervalMinutes: 30
outputPath: /opt/sensoroni/navigator

55
salt/soc/files/soc/detections_custom_repo_template_readme.jinja
View File

@@ -45,6 +45,61 @@ Finally, commit it:
The next time the Strelka / YARA engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'suricata' %}
# Suricata Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any Suricata rule files found here.
Just add your rule file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-suricata'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-suricata
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the rule file with a .rules extension:
`vi my_custom_rules.rules`
Next, use git to stage the new rule to be committed:
`git add my_custom_rules.rules`
Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.rules"`
The next time the Suricata engine syncs, the new rule/s should be imported
If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'suricata-etpro' %}
# Suricata ETPRO - Airgap
This folder has been initialized for use with ETPRO during Airgap deployment.
Just add your ETPRO rule/s file to this folder and the Suricata engine will import them.
If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'sigma' %}
# Sigma Local Custom Rules Repository

11
salt/soc/merged.map.jinja
View File

@@ -90,6 +90,17 @@
{% endif %}
{% endif %}
{# Enable SO_FILTERS and SO_EXTRACTIONS when Suricata is the metadata engine #}
{% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %}
{% if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %}
{% for ruleset in SOCMERGED.config.server.modules.suricataengine.rulesetSources %}
{% if ruleset.name in ['SO_FILTERS', 'SO_EXTRACTIONS'] and GLOBALS.md_engine == 'SURICATA' %}
{% do ruleset.update({'enabled': true}) %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{# Transform Emerging-Threats ruleset based on license key #}
{% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %}
{% if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %}

14
salt/suricata/config.sls
View File

@@ -126,6 +126,20 @@ surirulesync:
- group: 940
- show_changes: False
suriextractionrules:
file.managed:
- name: /nsm/rules/suricata/so_extraction.rules
- source: salt://suricata/files/so_extraction.rules
- user: 939
- group: 939
surifiltersrules:
file.managed:
- name: /nsm/rules/suricata/so_filters.rules
- source: salt://suricata/files/so_filters.rules
- user: 939
- group: 939
surilogscript:
file.managed:
- name: /usr/local/bin/surilogcompress

26
salt/suricata/files/so_extraction.rules Normal file
View File

@@ -0,0 +1,26 @@
# Extract all PDF mime type
alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100000; rev:1;)
alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100001; rev:1;)
alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100002; rev:1;)
alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100003; rev:1;)
# Extract EXE/DLL file types
alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100004; rev:1;)
alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100005; rev:1;)
alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100006; rev:1;)
alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100007; rev:1;)
alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100008; rev:1;)
alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100009; rev:1;)
alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100010; rev:1;)
alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100011; rev:1;)
# Extract all Zip files
alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100012; rev:1;)
alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100013; rev:1;)
alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100014; rev:1;)
alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100015; rev:1;)
# Extract Word Docs
alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100016; rev:1;)
alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100017; rev:1;)
alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100018; rev:1;)
alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100019; rev:1;)

12
salt/suricata/files/so_filters.rules Normal file
View File

@@ -0,0 +1,12 @@
# Start the filters at sid 1200000
# Example of filtering out *google.com from being in the dns log.
#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
# Example of filtering out *google.com from being in the http log.
#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;)
# Example of filtering out someuseragent from being in the http log.
#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;)
# Example of filtering out Google's certificate from being in the ssl log.
#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
# Example of filtering out a md5 of a file from being in the files log.
#config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;)