update yara template

Merge pull request #15669 from Security-Onion-Solutions/lowercasefix
Lowercase network transport
2026-03-25 14:02:41 +01:00 · 2026-03-24 15:56:26 -04:00 · 2026-03-24 11:30:13 -04:00 · 2026-03-24 11:24:59 -04:00 · 2026-03-24 09:56:03 -04:00
2 changed files with 7 additions and 0 deletions
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -22,6 +22,12 @@
                "ignore_failure": true
            }
        },
+        {
+            "lowercase": {
+                "field": "network.transport",
+                "ignore_failure": true
+            }
+        },
        {
            "rename": {
                "field": "message2.in_iface",
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2622,6 +2622,7 @@ soc:
              This is a YARA rule template. Replace all template values with your own values.
              The YARA rule name is the unique identifier for the rule.
              Docs: https://yara.readthedocs.io/en/stable/writingrules.html#writing-yara-rules
+              Delete these comments before attempting to "Create" the rule
              */

              rule Example // This identifier _must_ be unique
Author	SHA1	Message	Date
Josh Brower	9e53bd3f2d	update yara template	2026-03-24 15:56:26 -04:00
Josh Brower	d4f1078f84	Merge pull request #15669 from Security-Onion-Solutions/lowercasefix Lowercase network transport	2026-03-24 11:30:13 -04:00
Josh Brower	1f9bf45b66	Lowercase network transport	2026-03-24 11:24:59 -04:00
Mike Reeves	271de757e7	Merge pull request #15667 from Security-Onion-Solutions/TOoSmOotH-patch-1 Enable clean option for Zeek configuration	2026-03-24 09:56:03 -04:00