From 074d063feedd83786fa694ba5608f14646ef10d3 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 9 May 2024 14:52:58 -0400
Subject: [PATCH 1/2] tests will retry on any rule import failure

---
 setup/so-functions | 23 +++++++++++++++++++----
 setup/so-setup | 3 +++
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 80ad0be6a..3cdaee9ca 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1259,12 +1259,27 @@ soc_pillar() {
 " srvKey: '$SOCSRVKEY'"\
 " modules:"\
 " elastalertengine:"\
- " allowRegex: '$ELASTALERT_ALLOW_REGEX'"\
+ " allowRegex: '$ELASTALERT_ALLOW_REGEX'" > "$soc_pillar_file"
+ if [[ -n "$ELASTALERT_FAIL_ERROR_COUNT" ]]; then
+ printf '%s\n'\
+ " failAfterConsecutiveErrorCount: $ELASTALERT_FAIL_ERROR_COUNT" >> "$soc_pillar_file"
+ fi
+
+ printf '%s\n'\
 " strelkaengine:"\
- " allowRegex: '$STRELKA_ALLOW_REGEX'"\
+ " allowRegex: '$STRELKA_ALLOW_REGEX'" >> "$soc_pillar_file"
+ if [[ -n "$STRELKA_FAIL_ERROR_COUNT" ]]; then
+ printf '%s\n'\
+ " failAfterConsecutiveErrorCount: $STRELKA_FAIL_ERROR_COUNT" >> "$soc_pillar_file"
+ fi
+
+ printf '%s\n'\
 " suricataengine:"\
- " allowRegex: '$SURICATA_ALLOW_REGEX'"\
- "" > "$soc_pillar_file"
+ " allowRegex: '$SURICATA_ALLOW_REGEX'" >> "$soc_pillar_file"
+ if [[ -n "$SURICATA_FAIL_ERROR_COUNT" ]]; then
+ printf '%s\n'\
+ " failAfterConsecutiveErrorCount: $SURICATA_FAIL_ERROR_COUNT" >> "$soc_pillar_file"
+ fi
 if [[ $telemetry -ne 0 ]]; then
 echo " telemetryEnabled: false" >> $soc_pillar_file
diff --git a/setup/so-setup b/setup/so-setup
index b76f9bb98..cb535469b 100755
--- a/setup/so-setup
+++ b/setup/so-setup
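Review bot: The new `if [[ -n "$ELASTALERT_FAIL_ERROR_COUNT" ]]` guard, and the two matching ones for Strelka and Suricata, accept any non-empty value and interpolate it unquoted into the pillar YAML, so a non-numeric or stray value would reach SOC as a string rather than the integer the setting name implies; tightening the check to `[[ "$ELASTALERT_FAIL_ERROR_COUNT" =~ ^[0-9]+$ ]]` (and likewise for the other two) keeps the pillar well-typed. The three blocks are otherwise identical, so a small helper that validates and appends the line would remove the duplication, and reading the value as `${VAR:-}` inside it keeps the guards safe should these scripts run under `set -u`, since as far as this patch shows the variables are only assigned in the test-profile branch of so-setup. The helper below assumes `$soc_pillar_file` is visible to it the way it is to the existing printf calls; soc_pillar begins before the hunk and continues after it.
```shell
# Helper, placed beside soc_pillar: append failAfterConsecutiveErrorCount only
# when the value is a non-empty unsigned integer, so a stray string never lands
# in the pillar. $1 - variable name (for the diagnostic), $2 - its value.
append_fail_error_count() {
  local name=$1 value=$2
  [[ -z "$value" ]] && return 0
  if [[ ! "$value" =~ ^[0-9]+$ ]]; then
    printf 'Ignoring non-numeric %s=%s\n' "$name" "$value" >&2
    return 0
  fi
  # keep the same YAML indentation as the existing allowRegex lines
  printf '%s\n' " failAfterConsecutiveErrorCount: $value" >> "$soc_pillar_file"
}

# … unchanged: printf of srvKey/modules/elastalertengine/allowRegex (inside soc_pillar) …
  append_fail_error_count ELASTALERT_FAIL_ERROR_COUNT "${ELASTALERT_FAIL_ERROR_COUNT:-}"
# … unchanged: strelkaengine printf …
  append_fail_error_count STRELKA_FAIL_ERROR_COUNT "${STRELKA_FAIL_ERROR_COUNT:-}"
# … unchanged: suricataengine printf …
  append_fail_error_count SURICATA_FAIL_ERROR_COUNT "${SURICATA_FAIL_ERROR_COUNT:-}"
```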
@@ -246,8 +246,11 @@ if [ -n "$test_profile" ]; then
 WEBPASSWD1=0n10nus3r
 WEBPASSWD2=0n10nus3r
 STRELKA_ALLOW_REGEX="EquationGroup_Toolset_Apr17__ELV_.*"
+ STRELKA_FAIL_ERROR_COUNT=1
 ELASTALERT_ALLOW_REGEX="Security Onion"
+ ELASTALERT_FAIL_ERROR_COUNT=1
 SURICATA_ALLOW_REGEX="(200033\\d|2100538|2102466)"
+ SURICATA_FAIL_ERROR_COUNT=1
 update_sudoers_for_testing
 fi

From 19e1aaa1a65358f6cebba8645c28d0604b79371c Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 9 May 2024 15:45:33 -0400
Subject: [PATCH 2/2] exclude detection rule errors

---
 salt/common/tools/sbin/so-log-check | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check
index b83c98e7a..67eff6d54 100755
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -201,6 +201,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unknown column" # Elastalert errors from running EQL queries
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parsing_exception" # Elastalert EQL parsing issue. Temp.
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
+ EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Error running query:" # Specific issues with detection rules
 fi
 RESULT=0
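Review bot: The added exclusion `Error running query:` is much broader than its comment "Specific issues with detection rules" suggests: any log line containing that phrase, from any component, is now dropped from the error check, so a genuine query failure unrelated to detection rules would let so-log-check pass silently. If the detection-rule failures carry a more specific message or logger name, anchor the pattern to that instead; if they do not, the comment should at least record the trade-off, e.g. `EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Error running query:" # Detection rule query failures; NOTE: also masks unrelated query errors`. The `if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]` block that holds this line starts before the hunk.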