Merge pull request #1032 from Security-Onion-Solutions/fix/idstools

IDSTOOLS Pillar Items

salt/idstools/etc/modify.conf

@@ -1,3 +1,4 @@
+{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
 # idstools-rulecat - modify.conf
 
 # Format: <sid> "<from>" "<to>"
@@ -12,3 +13,6 @@
 # For compatibility, most Oinkmaster modifysid lines should work as
 # well.
 #modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
+{%- for sid in modify_sids %}
+{{ sid }}
+{%- endfor %}

salt/idstools/etc/rulecat.conf

@@ -1,6 +1,19 @@
---suricata-version=4.0
+{% set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
+{% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
+--suricata-version=5.0
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
+{%- if RULESET == 'ETOPEN' %}
+--etopen
+{%- elif RULESET == 'ETPRO' %}
+--etpro={{ OINKCODE }}
+{%- elif RULESET == 'TALOS' %}
+--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
+{%- endif %}
+{%- for URL in URLS %}
+--url={{ URL }}
+{%- endfor %}

setup/so-functions

@@ -982,8 +982,19 @@ manager_pillar() {
 		"pcap:">> "$pillar_file"\
 		"  sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\
 		""\
+		"idstools:"\
+		"  config:"\
+		"    ruleset: $RULESETUP"\
+		"    oinkcode: $OINKCODE"\
+		"    url:"\
+		"  sids:"\
+		"    enabled:"\
+		"    disabled:"\
+		"    modify:"\
+		""
 		"kratos:" >> "$pillar_file"
 		
+
 	printf '%s\n'\
 		"  kratoskey: $KRATOSKEY"\
 		"" >> "$pillar_file"

setup/so-whiptail

@@ -576,7 +576,7 @@ whiptail_oinkcode() {
 	[ -n "$TESTING" ] && return
 
 	OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter your oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3)
+	"Enter your ET Pro or oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3)
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -956,8 +956,7 @@ whiptail_rule_setup() {
 	"Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \
 	"ETOPEN" "Emerging Threats Open" ON \
 	"ETPRO" "Emerging Threats PRO" OFF \
-	"TALOSET" "Snort Subscriber (Talos) and ET NoGPL rulesets" OFF \
+	"TALOS" "Snort Subscriber ruleset - Experimental" OFF \
-	"TALOS" "Snort Subscriber (Talos) ruleset and set a policy" OFF \
 	3>&1 1>&2 2>&3)
 
 	local exitstatus=$?