be more verbose

salt/manager/init.sls

@@ -214,7 +214,7 @@ git_config_set_safe_dirs:
 
 surinsmrulesdir:
   file.directory:
-    - name: /nsm/rules/suricata
+    - name: /nsm/rules/suricata/etopen
     - user: 939
     - group: 939
     - makedirs: True

salt/manager/tools/sbin/soup

@@ -1116,6 +1116,9 @@ cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
 Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
 EOF
 
+# Create salt local rules dir
+install -d -o 939 -g 939 /opt/so/saltstack/local/salt/suricata/rules/ || echo "Failed to create Suricata local rules directory"
+
 # Backup custom rules & overrides
 mkdir -p /nsm/backup/detections-migration/2-4-200
 cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
@@ -1355,7 +1358,7 @@ unmount_update() {
 
 update_airgap_rules() {
   # Copy the rules over to update them for airgap.
-  rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
+  rsync -a --delete $UPDATE_DIR/agrules/suricata/ /nsm/rules/suricata/etopen/
   rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
   rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
   # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch

salt/soc/defaults.yaml

@@ -1622,12 +1622,11 @@ soc:
                 sourceType: directory
             airgap:
               - name: Emerging-Threats
-                description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
+                description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata"
                 licenseKey: ""
                 enabled: true
-                sourceType: url
+                sourceType: directory
-                sourcePath: 'https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz'
+                sourcePath: /nsm/rules/suricata/etopen/
-                urlHash: "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz.md5"
                 license: "BSD"
                 excludeFiles:
                   - "*deleted*"

salt/soc/merged.map.jinja

@@ -108,6 +108,14 @@
 {%     if ruleset.name == 'Emerging-Threats' %}
 {%       if ruleset.licenseKey and ruleset.licenseKey != '' %}
 {#         License key is defined - transform to ETPRO #}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETPRO',
+               'sourcePath': '/nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz',
+               'license': 'Commercial'
+             }) %}
+{%         else %}
 {#           Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
 {%           do ruleset.update({
                'name': 'ETPRO',
@@ -115,8 +123,17 @@
                'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
                'license': 'Commercial'
              }) %}
+{%         endif %}
 {%       else %}
 {#         No license key - explicitly set to ETOPEN #}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETOPEN',
+               'sourcePath': '/nsm/rules/suricata/etopen/',
+               'license': 'BSD'
+             }) %}
+{%         else %}
 {%           do ruleset.update({
                'name': 'ETOPEN',
                'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
@@ -125,6 +142,7 @@
              }) %}
 {%         endif %}
 {%       endif %}
+{%     endif %}
 {%     endfor %}
 {%   endif %}
 {% endif %}