match correct custom ruleset name

Rework ordering
be more verbose
2025-12-09 02:32:46 +01:00 · 2025-12-08 16:45:40 -05:00 · 2025-12-08 12:39:30 -05:00 · 2025-12-08 10:29:24 -05:00 · 2025-12-07 16:13:55 -05:00 · 2025-12-06 15:26:44 -05:00
4 changed files with 41 additions and 21 deletions
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -214,7 +214,7 @@ git_config_set_safe_dirs:

 surinsmrulesdir:
  file.directory:
-    - name: /nsm/rules/suricata
+    - name: /nsm/rules/suricata/etopen
    - user: 939
    - group: 939
    - makedirs: True
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1116,6 +1116,10 @@ cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
 Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
 EOF

+# Remove possible symlink & create salt local rules dir
+[ -L /opt/so/saltstack/local/salt/suricata/rules ] && rm -f /opt/so/saltstack/local/salt/suricata/rules
+install -d -o 939 -g 939 /opt/so/saltstack/local/salt/suricata/rules/ || echo "Failed to create Suricata local rules directory"
+
 # Backup custom rules & overrides
 mkdir -p /nsm/backup/detections-migration/2-4-200
 cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
@@ -1297,7 +1301,6 @@ if [ -n "$(docker ps -q -f name=^so-idstools$)" ]; then
 fi

 echo "Removing idstools symlink and scripts..."
-rm /opt/so/saltstack/local/salt/suricata/rules
 rm -rf /usr/sbin/so-idstools*
 sed -i '/^#\?so-idstools$/d' /opt/so/conf/so-status/so-status.conf

@@ -1355,7 +1358,7 @@ unmount_update() {

 update_airgap_rules() {
  # Copy the rules over to update them for airgap.
-  rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
+  rsync -a --delete $UPDATE_DIR/agrules/suricata/ /nsm/rules/suricata/etopen/
  rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
  rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
  # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1622,12 +1622,11 @@ soc:
                sourceType: directory
            airgap:
              - name: Emerging-Threats
-                description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
+                description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata"
                licenseKey: ""
                enabled: true
-                sourceType: url
-                sourcePath: 'https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz'
-                urlHash: "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz.md5"
+                sourceType: directory
+                sourcePath: /nsm/rules/suricata/etopen/
                license: "BSD"
                excludeFiles:
                  - "*deleted*"
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -70,7 +70,7 @@

 {# Define the Detections custom ruleset that should always be present #}
 {% set CUSTOM_RULESET = {
-  'name': 'custom',
+  'name': '__custom__',
  'description': 'User-created custom rules created via the Detections module in the SOC UI',
  'sourceType': 'elasticsearch',
  'sourcePath': 'so_detection.ruleset:__custom__',
@@ -108,6 +108,14 @@
 {%     if ruleset.name == 'Emerging-Threats' %}
 {%       if ruleset.licenseKey and ruleset.licenseKey != '' %}
 {#         License key is defined - transform to ETPRO #}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETPRO',
+               'sourcePath': '/nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz',
+               'license': 'Commercial'
+             }) %}
+{%         else %}
 {#           Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
 {%           do ruleset.update({
               'name': 'ETPRO',
@@ -115,8 +123,17 @@
               'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
               'license': 'Commercial'
             }) %}
+{%         endif %}
 {%       else %}
 {#         No license key - explicitly set to ETOPEN #}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETOPEN',
+               'sourcePath': '/nsm/rules/suricata/etopen/',
+               'license': 'BSD'
+             }) %}
+{%         else %}
 {%           do ruleset.update({
               'name': 'ETOPEN',
               'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
@@ -125,6 +142,7 @@
             }) %}
 {%         endif %}
 {%       endif %}
+{%     endif %}
 {%     endfor %}
 {%   endif %}
 {% endif %}
Author	SHA1	Message	Date
DefensiveDepth	72a4ba405f	match correct custom ruleset name	2025-12-08 16:45:40 -05:00
DefensiveDepth	72c8c2371e	Rework ordering	2025-12-08 12:39:30 -05:00
DefensiveDepth	0ff8fa57e7	be more verbose	2025-12-08 10:29:24 -05:00
DefensiveDepth	0f42233092	Make sure local salt dir is created	2025-12-07 16:13:55 -05:00
DefensiveDepth	271f545f4f	Fixup Airgap	2025-12-06 15:26:44 -05:00