diff --git a/salt/manager/init.sls b/salt/manager/init.sls index f59c33652..da829c1ce 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -206,6 +206,7 @@ git_config_set_safe_dirs: - multivar: - /nsm/rules/custom-local-repos/local-sigma - /nsm/rules/custom-local-repos/local-yara + - /nsm/rules/custom-local-repos/local-suricata - /nsm/securityonion-resources - /opt/so/conf/soc/ai_summary_repos/securityonion-resources - /nsm/airgap-resources/playbooks diff --git a/salt/soc/config.sls b/salt/soc/config.sls index 78a495e0a..7e2beefa0 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -215,7 +215,6 @@ socsensoronirepos: - mode: 775 - makedirs: True - create_custom_local_yara_repo_template: git.present: - name: /nsm/rules/custom-local-repos/local-yara @@ -249,6 +248,39 @@ add_readme_custom_local_sigma_repo_template: - context: repo_type: "sigma" +create_custom_local_suricata_repo_template: + git.present: + - name: /nsm/rules/custom-local-repos/local-suricata + - bare: False + - force: True + +add_readme_custom_local_suricata_repo_template: + file.managed: + - name: /nsm/rules/custom-local-repos/local-suricata/README + - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja + - user: 939 + - group: 939 + - template: jinja + - context: + repo_type: "suricata" + +etpro_airgap_folder: + file.directory: + - name: /nsm/rules/custom-local-repos/local-etpro-suricata + - user: 939 + - group: 939 + - makedirs: True + +add_readme_etpro_airgap_template: + file.managed: + - name: /nsm/rules/custom-local-repos/local-etpro-suricata/README + - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja + - user: 939 + - group: 939 + - template: jinja + - context: + repo_type: "suricata-etpro" + socore_own_custom_repos: file.directory: - name: /nsm/rules/custom-local-repos/ diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 53cbb10e1..685d0744c 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
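Review bot: `create_custom_local_suricata_repo_template` sets `force: True` on `git.present`, which in Salt removes and re-initializes the target when it already exists as a non-git directory, so anyone who pre-populated `/nsm/rules/custom-local-repos/local-suricata` with rule files before this state first runs would lose them silently. If the sigma/yara templates use the same flag this is at least consistent, but a short comment above the state naming that destructive case, or a `file.directory` prerequisite with `force: False`, would make it explicit. Separately, `etpro_airgap_folder` is a plain directory whose README tells operators the engine will import files dropped there, yet nothing in this diff adds a `rulesetSources` entry for `/nsm/rules/custom-local-repos/local-etpro-suricata`; if the airgap `Emerging-Threats` entry (outside the defaults.yaml hunks) is meant to point at it, that should be confirmed.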
@@ -1595,16 +1595,29 @@ soc: sourcePath: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz sourceType: url - name: local-rules - id: local-rules - description: "Local custom rules from files (*.rules) in a directory on the filesystem" + description: "Local rules from files (*.rules) in a directory on the filesystem" license: "custom" sourceType: directory - sourcePath: /nsm/rules/local/ + sourcePath: /nsm/rules/custom-local-repos/local-suricata readOnly: false deleteUnreferenced: false + enabled: true + - name: SO_FILTERS + deleteUnreferenced: true + description: Filter rules for when Suricata is set as the metadata engine enabled: false - excludeFiles: - - "*backup*" + license: Elastic-2.0 + readOnly: true + sourcePath: /nsm/rules/suricata/so_filters.rules + sourceType: directory + - name: SO_EXTRACTIONS + description: Extraction rules for when Suricata is set as the metadata engine + deleteUnreferenced: true + enabled: false + license: Elastic-2.0 + readOnly: true + sourcePath: /nsm/rules/suricata/so_extraction.rules + sourceType: directory airgap: - name: Emerging-Threats description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules." 
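Review bot: `SO_FILTERS` and `SO_EXTRACTIONS` are declared with `sourceType: directory` while their `sourcePath` is a single file (`/nsm/rules/suricata/so_filters.rules`, `/nsm/rules/suricata/so_extraction.rules`); the only other `directory` source in this list points at a directory, so unless the suricataengine importer accepts a file path here these two sources will fail to sync. Either point them at a directory containing only those files or, if the importer has a file-oriented source type, use that. The `local-rules` entry also moves from `/nsm/rules/local/` to the new git repo, flips to `enabled: true` and drops `excludeFiles: "*backup*"`, so rules an operator already keeps under `/nsm/rules/local/` stop being imported after upgrade and any `*backup*` file committed to the new repo starts being loaded; an upgrade step copying existing `/nsm/rules/local/*.rules` into the repo, or at least a migration note, would cover that.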
@@ -1625,16 +1638,29 @@ soc: readOnly: true deleteUnreferenced: true - name: local-rules - id: local-rules - description: "Local custom rules from files (*.rules) in a directory on the filesystem" + description: "Local rules from files (*.rules) in a directory on the filesystem" license: "custom" sourceType: directory - sourcePath: /nsm/rules/local/ + sourcePath: /nsm/rules/custom-local-repos/local-suricata readOnly: false deleteUnreferenced: false + enabled: true + - name: SO_FILTERS + deleteUnreferenced: true + description: Filter rules for when Suricata is set as the metadata engine enabled: false - excludeFiles: - - "*backup*" + license: Elastic-2.0 + readOnly: true + sourcePath: /nsm/rules/suricata/so_filters.rules + sourceType: directory + - name: SO_EXTRACTIONS + description: Extraction rules for when Suricata is set as the metadata engine + deleteUnreferenced: true + enabled: false + license: Elastic-2.0 + readOnly: true + sourcePath: /nsm/rules/suricata/so_extraction.rules + sourceType: directory navigator: intervalMinutes: 30 outputPath: /opt/sensoroni/navigator diff --git a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja index 228a467bf..060b8ec6e 100644 --- a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja +++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja 
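Review bot: This airgap block is a byte-for-byte copy of the non-airgap one above, including the `sourceType: directory` entries for `SO_FILTERS` and `SO_EXTRACTIONS` whose `sourcePath` is a single file, so whatever fix is applied there has to be mirrored here; if the loader honours YAML anchors, anchoring the three shared entries (`&local_rules` / `*local_rules`) would keep the two lists from drifting. Also, the README this commit installs in `/nsm/rules/custom-local-repos/local-etpro-suricata` promises that the Suricata engine imports files dropped there, but no entry in this airgap list references that path; the `Emerging-Threats` airgap entry that might do so starts above the hunk, so confirm it actually reads from that directory.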
@@ -45,6 +45,61 @@ Finally, commit it: The next time the Strelka / YARA engine syncs, the new rule should be imported If there are errors, review the sync log to troubleshoot further. +{% elif repo_type == 'suricata' %} +# Suricata Local Custom Rules Repository + +This folder has already been initialized as a git repo +and your Security Onion grid is configured to import any Suricata rule files found here. + +Just add your rule file and commit it. + +For example: + +** Note: If this is your first time making changes to this repo, you may run into the following error: + +fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-suricata' +To add an exception for this directory, call: + git config --global --add safe.directory /nsm/rules/custom-local-repos/local-suricata + +This means that the user you are running commands as does not match the user that is used for this git repo (socore). +You will need to make sure your rule files are accessible to the socore user, so either su to socore +or add the exception and then chown the rule files later. + +Also, you will be asked to set some configuration: +``` +Author identity unknown +*** Please tell me who you are. +Run + git config --global user.email "you@example.com" + git config --global user.name "Your Name" +to set your account's default identity. +Omit --global to set the identity only in this repository. +``` + +Run these commands, ommitting the `--global`. + +With that out of the way: + +First, create the rule file with a .rules extension: +`vi my_custom_rules.rules` + +Next, use git to stage the new rule to be committed: +`git add my_custom_rules.rules` + +Finally, commit it: +`git commit -m "Initial commit of my_custom_rule.rules"` + +The next time the Suricata engine syncs, the new rule/s should be imported +If there are errors, review the sync log to troubleshoot further. 
+ +{% elif repo_type == 'suricata-etpro' %} +# Suricata ETPRO - Airgap + +This folder has been initialized for use with ETPRO during Airgap deployment. + +Just add your ETPRO rule/s file to this folder and the Suricata engine will import them. + +If there are errors, review the sync log to troubleshoot further. {% elif repo_type == 'sigma' %} # Sigma Local Custom Rules Repository diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index b43ccaf1b..cd23a17f3 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -90,6 +90,17 @@ {% endif %} {% endif %} +{# Enable SO_FILTERS and SO_EXTRACTIONS when Suricata is the metadata engine #} +{% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %} +{% if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %} +{% for ruleset in SOCMERGED.config.server.modules.suricataengine.rulesetSources %} +{% if ruleset.name in ['SO_FILTERS', 'SO_EXTRACTIONS'] and GLOBALS.md_engine == 'SURICATA' %} +{% do ruleset.update({'enabled': true}) %} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} + {# Transform Emerging-Threats ruleset based on license key #} {% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %} {% if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %} diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index 7ce605e0b..46f5b1d7e 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls 
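Review bot: The loop unconditionally does `ruleset.update({'enabled': true})` whenever `GLOBALS.md_engine == 'SURICATA'`, so if SOCMERGED already carries an operator override of `enabled: false` for `SO_EXTRACTIONS` it is overwritten; given the shipped extraction rules write every matching PDF/EXE/ZIP/OLE body to the filestore, that means file extraction cannot be turned off without switching the metadata engine. If that is intended, say so in the comment (`{# forced on; operators cannot disable these while Suricata is the metadata engine #}`); if not, force only `SO_FILTERS` and leave `SO_EXTRACTIONS` to the merged value. Stylistically, the `GLOBALS.md_engine == 'SURICATA'` test is loop-invariant and could wrap the block, and the `suricataengine is defined and ... rulesetSources is defined` / `is not mapping` guards duplicate those of the Emerging-Threats transform immediately below, so one pass over `rulesetSources` could handle both.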
@@ -126,6 +126,20 @@ surirulesync: - group: 940 - show_changes: False +suriextractionrules: + file.managed: + - name: /nsm/rules/suricata/so_extraction.rules + - source: salt://suricata/files/so_extraction.rules + - user: 939 + - group: 939 + +surifiltersrules: + file.managed: + - name: /nsm/rules/suricata/so_filters.rules + - source: salt://suricata/files/so_filters.rules + - user: 939 + - group: 939 + surilogscript: file.managed: - name: /usr/local/bin/surilogcompress diff --git a/salt/suricata/files/so_extraction.rules b/salt/suricata/files/so_extraction.rules new file mode 100644 index 000000000..d43812144 --- /dev/null +++ b/salt/suricata/files/so_extraction.rules 
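Review bot: `surifiltersrules` manages `/nsm/rules/suricata/so_filters.rules` from `salt://suricata/files/so_filters.rules` with no `replace: False`, so the file is rewritten on every highstate; the shipped content is nothing but commented-out examples that invite editing, and any filter an operator uncomments in place is reverted at the next run. Either add `- replace: False` so local edits survive, or make the first line of the rules file state that it is salt-managed and name where site-specific filters belong. Both new states also omit `mode:`, while the neighbouring `surirulesync` context uses group 940 and `show_changes: False`; confirm that 939:939 with the default mode is readable by whatever runs Suricata.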
@@ -0,0 +1,26 @@
+# Extract all PDF mime type
+alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100000; rev:1;)
+alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100001; rev:1;)
+alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100002; rev:1;)
+alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100003; rev:1;)
+# Extract EXE/DLL file types
+alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100004; rev:1;)
+alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100005; rev:1;)
+alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100006; rev:1;)
+alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100007; rev:1;)
+alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100008; rev:1;)
+alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100009; rev:1;)
+alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100010; rev:1;)
+alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100011; rev:1;)
+
+# Extract all Zip files
+alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100012; rev:1;)
+alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100013; rev:1;)
+alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100014; rev:1;)
+alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100015; rev:1;)
+
+# Extract Word Docs
+alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100016; rev:1;)
+alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100017; rev:1;)
+alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100018; rev:1;)
+alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100019; rev:1;)
diff --git a/salt/suricata/files/so_filters.rules b/salt/suricata/files/so_filters.rules
new file mode 100644
index 000000000..c49eaec26
--- /dev/null
+++ b/salt/suricata/files/so_filters.rules
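Review bot: `filemagic` is a substring match on the libmagic description, so `"Zip"` and `"Composite Document File V2 Document"` match far more than the `msg` strings and comments claim (any Zip-based container libmagic labels as a Zip archive; XLS, PPT, MSI and other OLE2 files, not only Word documents), and with `filestore` on `any any -> any any` over http, smtp, nfs and smb every matching body in both directions is written to disk. On a busy sensor that is a real disk and retention cost the file never mentions; a header comment along the lines of `# These rules store every matching file; size file-store retention in suricata.yaml accordingly` plus renaming the last group to `FILE OLE2 detected` would at least make the scope honest. Note also that `filemagic` only works when Suricata is built with libmagic and a `magic-file` is configured, and `filestore` only has effect when `file-store` is enabled; neither is visible in this diff, so confirm both before enabling `SO_EXTRACTIONS` by default.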
@@ -0,0 +1,12 @@
+# Start the filters at sid 1200000
+# Example of filtering out *google.com from being in the dns log.
+#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
+# Example of filtering out *google.com from being in the http log.
+#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;)
+# Example of filtering out someuseragent from being in the http log.
+#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;)
+# Example of filtering out Google's certificate from being in the ssl log.
+#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
+# Example of filtering out a md5 of a file from being in the files log.
+#config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;)
+
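Review bot: The last example, `#config fileinfo any any -> any any (fileinfo.filemd5; content:"…"; …)`, does not look like valid Suricata rule syntax: `fileinfo` is not a rule protocol and `fileinfo.filemd5` is not a keyword (the hash keyword is `filemd5`, which takes a hash-list filename rather than a `content`). Because this file is shipped as copy-and-uncomment examples, a wrong example ends up pasted into a live ruleset and fails at load time; run each example through `suricata -T` against the version SO ships before including it, or drop that one. A first line stating that the file is salt-managed and read-only in SOC, and naming where operators should put their own `config` rules, would also stop people editing it in place.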