From 693a101d346a195e9f09d89b41ad60cc96b9990b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Jul 2020 15:59:58 -0400
Subject: [PATCH] IDSTOOLS Pillar Items
---
 salt/idstools/etc/modify.conf | 4 ++++
 salt/idstools/etc/rulecat.conf | 15 ++++++++++++++-
 setup/so-functions | 11 +++++++++++
 setup/so-whiptail | 5 ++---
 4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf
index 79d038c26..a32725ada 100644
--- a/salt/idstools/etc/modify.conf
+++ b/salt/idstools/etc/modify.conf
@@ -1,3 +1,4 @@
+{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
 # idstools-rulecat - modify.conf
 # Format: "" ""
@@ -12,3 +13,6 @@
 # For compatibility, most Oinkmaster modifysid lines should work as
 # well.
 #modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
+{%- for sid in modify_sids %}
+{{ sid }}
+{%- endfor %}
\ No newline at end of file
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 441ce3c5b..59a5ccda5 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,6 +1,19 @@
---suricata-version=4.0
+{% set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
+{% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
+--suricata-version=5.0
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
+{%- if RULESET == 'ETOPEN' %}
+--etopen
+{%- elif RULESET == 'ETPRO' %}
+--etpro={{ OINKCODE }}
+{%- elif RULESET == 'TALOS' %}
+--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
+{%- endif %}
+{%- for URL in URLS %}
+--url={{ URL }}
+{%- endfor %}
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index 526fd37ae..7493b3f0d 100755
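Review bot: The `{}` default on the `modify_sids` line does not fit how the second modify.conf hunk consumes it: `{{ sid }}` prints each item as a whole line, so the pillar value has to be a list of complete modify-rule line strings in the format the file header describes, and a mapping would iterate over its keys and silently drop the rest of each entry. The so-functions hunk also writes `    modify:` with no value, and a present-but-empty key is likely to render as a null rather than fall back to the default, which the `for` loop cannot iterate — confirm against the Salt version in use. `{% set modify_sids = salt['pillar.get']('idstools:sids:modify', []) or [] -%}` covers both cases, and a one-line comment above it stating the expected list shape would spare the next editor the same guess.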
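Review bot: The key read on the first added line, `idstools:config:urls`, does not match the key the so-functions hunk writes under `config:` (`    url:`), so `URLS` is never filled from setup; align the spelling on one side, and give the lookup a safe default, `{% set URLS = salt['pillar.get']('idstools:config:urls', []) or [] -%}`, because an empty `url:` key in the pillar is likely to come back as a null that `{%- for URL in URLS %}` cannot iterate (confirm how the Salt version in use handles a present-but-empty key). The rendered rulecat.conf now carries the subscription code in clear, on the `--etpro=` line and in the snort.org query string, so the state that manages this file should set a restrictive owner and `mode`; that state is not part of this patch. The `snortrules-snapshot-2983` filename is hard-coded beside the bump to `--suricata-version=5.0`; a short comment on why that snapshot was pinned would help whoever next updates either.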
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -982,7 +982,18 @@ manager_pillar() {
 "pcap:">> "$pillar_file"\
 " sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\
 ""\
+ "idstools:"\
+ " config:"\
+ " ruleset: $RULESETUP"\
+ " oinkcode: $OINKCODE"\
+ " url:"\
+ " sids:"\
+ " enabled:"\
+ " disabled:"\
+ " modify:"\
+ ""
 "kratos:" >> "$pillar_file"
+ printf '%s\n'\
 " kratoskey: $KRATOSKEY"\
diff --git a/setup/so-whiptail b/setup/so-whiptail
index cd0fb393c..f0f1fb7b5 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -576,7 +576,7 @@ whiptail_oinkcode() {
 [ -n "$TESTING" ] && return
 OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \
- "Enter your oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3)
+ "Enter your ET Pro or oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -956,8 +956,7 @@ whiptail_rule_setup() {
 "Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \
 "ETOPEN" "Emerging Threats Open" ON \
 "ETPRO" "Emerging Threats PRO" OFF \
- "TALOSET" "Snort Subscriber (Talos) and ET NoGPL rulesets" OFF \
- "TALOS" "Snort Subscriber (Talos) ruleset and set a policy" OFF \
+ "TALOS" "Snort Subscriber ruleset - Experimental" OFF \
 3>&1 1>&2 2>&3)
 local exitstatus=$?
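Review bot: As rendered here the added `""` line that ends the idstools block has no trailing backslash, unlike every other continuation line in the hunk; if the patch really lacks it, the following context line `"kratos:" >> "$pillar_file"` is no longer an argument of the printf and is executed as a command of its own, so the shell reports `kratos:` as not found and that key is never written to the pillar — it should read `""\` like the `""\` line above the block. `"    oinkcode: $OINKCODE"` writes the value into YAML unquoted, so a purely numeric code would be loaded as a number and no longer match what was entered; `"    oinkcode: '$OINKCODE'"` keeps it a string. The remainder of manager_pillar, including the printf that opens this block, is outside the hunk.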