update yara template

Merge pull request #15669 from Security-Onion-Solutions/lowercasefix
Lowercase network transport
2026-03-25 14:02:41 +01:00 · 2026-03-24 15:56:26 -04:00 · 2026-03-24 11:30:13 -04:00 · 2026-03-24 11:24:59 -04:00 · 2026-03-24 09:56:03 -04:00 · 2026-03-24 09:54:49 -04:00
9 changed files with 74968 additions and 43851 deletions
--- a/.github/.gitleaks.toml
+++ b/.github/.gitleaks.toml
@@ -542,5 +542,6 @@ paths = [
    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
    '''(go.mod|go.sum)$''',
    '''salt/nginx/files/enterprise-attack.json''',
-    '''(.*?)whl$'''
+    '''(.*?)whl$''',
+    '''salt/stig/files/sos-oscap.xml'''
 ]
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -22,6 +22,12 @@
                "ignore_failure": true
            }
        },
+        {
+            "lowercase": {
+                "field": "network.transport",
+                "ignore_failure": true
+            }
+        },
        {
            "rename": {
                "field": "message2.in_iface",
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -20,7 +20,7 @@ so-idh:
    - network_mode: host
    - binds:
      - /nsm/idh:/var/tmp:rw
-      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
+      - /opt/so/conf/idh/http-skins:/opt/opencanary/http-skins:ro
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
@@ -28,6 +28,7 @@
 {% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
 {% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
 {% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'http_x_skindir': '/opt/opencanary/http-skins/' ~ OPENCANARYCONFIG['http_x_skin']}) %}

 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}

--- a/salt/idh/skins/http/opencanary/basicLogin/redirect.html
+++ b/salt/idh/skins/http/opencanary/basicLogin/redirect.html
@@ -0,0 +1,29 @@
+<html>
+    <head>
+        <title>Redirect</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+              <a href="/index">Click here</a>
+            </div>
+        </div>
+    </body>
+</html>
+
--- a/salt/idh/skins/http/opencanary/nasLogin/redirect.html
+++ b/salt/idh/skins/http/opencanary/nasLogin/redirect.html
@@ -0,0 +1,29 @@
+<html>
+    <head>
+        <title>Redirect</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+              <a href="/index">Click here</a>
+            </div>
+        </div>
+    </body>
+</html>
+
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2622,6 +2622,7 @@ soc:
              This is a YARA rule template. Replace all template values with your own values.
              The YARA rule name is the unique identifier for the rule.
              Docs: https://yara.readthedocs.io/en/stable/writingrules.html#writing-yara-rules
+              Delete these comments before attempting to "Create" the rule
              */

              rule Example // This identifier _must_ be unique
--- a/salt/stig/files/sos-oscap.xml
+++ b/salt/stig/files/sos-oscap.xml
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -38,6 +38,7 @@ zeekzkgsync:
    - source: salt://zeek/zkg
    - user: 937
    - group: 939
+    - clean: True
    - makedirs: True
    - exclude_pat: README
Author	SHA1	Message	Date
Josh Brower	9e53bd3f2d	update yara template	2026-03-24 15:56:26 -04:00
Josh Brower	d4f1078f84	Merge pull request #15669 from Security-Onion-Solutions/lowercasefix Lowercase network transport	2026-03-24 11:30:13 -04:00
Josh Brower	1f9bf45b66	Lowercase network transport	2026-03-24 11:24:59 -04:00
Mike Reeves	271de757e7	Merge pull request #15667 from Security-Onion-Solutions/TOoSmOotH-patch-1 Enable clean option for Zeek configuration	2026-03-24 09:56:03 -04:00
Mike Reeves	d4ac352b5a	Enable clean option for Zeek configuration	2026-03-24 09:54:49 -04:00
Jorge Reyes	afcef1d0e7	Merge pull request #15661 from Security-Onion-Solutions/reyesj2-361 update stig profile v1r3	2026-03-23 18:09:33 -05:00
Josh Patterson	91b164b728	Merge pull request #15665 from Security-Onion-Solutions/delta allow negation in suricata address-group vars	2026-03-23 17:34:21 -04:00
Josh Brower	c6978f9037	Merge pull request #15663 from Security-Onion-Solutions/fix/idh-skins Remove hardcoded path	2026-03-23 16:30:51 -04:00
Josh Brower	7300513636	Remove hardcoded path	2026-03-23 16:26:56 -04:00
Jorge Reyes	fb7b73c601	Merge pull request #15662 from Security-Onion-Solutions/reyesj2-patch-1 exclude oscap profile from gitleaks	2026-03-23 14:23:24 -05:00
Jorge Reyes	f2b6d59c65	exclude oscap profile from gitleaks	2026-03-23 14:17:39 -05:00
reyesj2	67162357a3	update stig profile v1r3	2026-03-23 14:04:48 -05:00