mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-08 10:12:53 +01:00
Compare commits
2 Commits
c4a70b540e
...
idstools-r
| Author | SHA1 | Date | |
|---|---|---|---|
|
0f42233092 | ||
|
|
271f545f4f |
@@ -214,7 +214,7 @@ git_config_set_safe_dirs:
|
||||
|
||||
surinsmrulesdir:
|
||||
file.directory:
|
||||
- name: /nsm/rules/suricata
|
||||
- name: /nsm/rules/suricata/etopen
|
||||
- user: 939
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
|
||||
@@ -1116,6 +1116,9 @@ cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
|
||||
Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
|
||||
EOF
|
||||
|
||||
# Create salt local rules dir
|
||||
install -d -o 939 -g 939 /opt/so/saltstack/local/salt/suricata/rules/
|
||||
|
||||
# Backup custom rules & overrides
|
||||
mkdir -p /nsm/backup/detections-migration/2-4-200
|
||||
cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
|
||||
@@ -1355,7 +1358,7 @@ unmount_update() {
|
||||
|
||||
update_airgap_rules() {
|
||||
# Copy the rules over to update them for airgap.
|
||||
rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
|
||||
rsync -a --delete $UPDATE_DIR/agrules/suricata/ /nsm/rules/suricata/etopen/
|
||||
rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
|
||||
rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
|
||||
# Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch
|
||||
|
||||
@@ -1622,12 +1622,11 @@ soc:
|
||||
sourceType: directory
|
||||
airgap:
|
||||
- name: Emerging-Threats
|
||||
description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
|
||||
description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata"
|
||||
licenseKey: ""
|
||||
enabled: true
|
||||
sourceType: url
|
||||
sourcePath: 'https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz'
|
||||
urlHash: "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz.md5"
|
||||
sourceType: directory
|
||||
sourcePath: /nsm/rules/suricata/etopen/
|
||||
license: "BSD"
|
||||
excludeFiles:
|
||||
- "*deleted*"
|
||||
|
||||
@@ -108,6 +108,14 @@
|
||||
{% if ruleset.name == 'Emerging-Threats' %}
|
||||
{% if ruleset.licenseKey and ruleset.licenseKey != '' %}
|
||||
{# License key is defined - transform to ETPRO #}
|
||||
{% if ruleset.sourceType == 'directory' %}
|
||||
{# Airgap mode - update directory path #}
|
||||
{% do ruleset.update({
|
||||
'name': 'ETPRO',
|
||||
'sourcePath': '/nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz',
|
||||
'license': 'Commercial'
|
||||
}) %}
|
||||
{% else %}
|
||||
{# Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
|
||||
{% do ruleset.update({
|
||||
'name': 'ETPRO',
|
||||
@@ -115,8 +123,17 @@
|
||||
'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
|
||||
'license': 'Commercial'
|
||||
}) %}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
{# No license key - explicitly set to ETOPEN #}
|
||||
{% if ruleset.sourceType == 'directory' %}
|
||||
{# Airgap mode - update directory path #}
|
||||
{% do ruleset.update({
|
||||
'name': 'ETOPEN',
|
||||
'sourcePath': '/nsm/rules/suricata/etopen/',
|
||||
'license': 'BSD'
|
||||
}) %}
|
||||
{% else %}
|
||||
{% do ruleset.update({
|
||||
'name': 'ETOPEN',
|
||||
'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
|
||||
@@ -125,6 +142,7 @@
|
||||
}) %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
Reference in New Issue
Block a user