update yara template

Merge pull request #15669 from Security-Onion-Solutions/lowercasefix
Lowercase network transport
2026-03-25 14:02:41 +01:00 · 2026-03-24 15:56:26 -04:00 · 2026-03-24 11:30:13 -04:00 · 2026-03-24 11:24:59 -04:00 · 2026-03-24 09:56:03 -04:00 · 2026-03-24 09:54:49 -04:00
6 changed files with 74909 additions and 43851 deletions
--- a/.github/.gitleaks.toml
+++ b/.github/.gitleaks.toml
@@ -542,5 +542,6 @@ paths = [
    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
    '''(go.mod|go.sum)$''',
    '''salt/nginx/files/enterprise-attack.json''',
-    '''(.*?)whl$'''
+    '''(.*?)whl$''',
+    '''salt/stig/files/sos-oscap.xml'''
 ]
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -22,6 +22,12 @@
                "ignore_failure": true
            }
        },
+        {
+            "lowercase": {
+                "field": "network.transport",
+                "ignore_failure": true
+            }
+        },
        {
            "rename": {
                "field": "message2.in_iface",
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2622,6 +2622,7 @@ soc:
              This is a YARA rule template. Replace all template values with your own values.
              The YARA rule name is the unique identifier for the rule.
              Docs: https://yara.readthedocs.io/en/stable/writingrules.html#writing-yara-rules
+              Delete these comments before attempting to "Create" the rule
              */

              rule Example // This identifier _must_ be unique
--- a/salt/stig/files/sos-oscap.xml
+++ b/salt/stig/files/sos-oscap.xml
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -161,7 +161,7 @@ suricata:
      address-groups:
        HOME_NET: 
          description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
-          regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
+          regex: ^!?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^!?((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
          regexFailureMessage: You must enter a valid IP address or CIDR.
          forcedType: "[]string"
          duplicates: True
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -38,6 +38,7 @@ zeekzkgsync:
    - source: salt://zeek/zkg
    - user: 937
    - group: 939
+    - clean: True
    - makedirs: True
    - exclude_pat: README
Author	SHA1	Message	Date
Josh Brower	9e53bd3f2d	update yara template	2026-03-24 15:56:26 -04:00
Josh Brower	d4f1078f84	Merge pull request #15669 from Security-Onion-Solutions/lowercasefix Lowercase network transport	2026-03-24 11:30:13 -04:00
Josh Brower	1f9bf45b66	Lowercase network transport	2026-03-24 11:24:59 -04:00
Mike Reeves	271de757e7	Merge pull request #15667 from Security-Onion-Solutions/TOoSmOotH-patch-1 Enable clean option for Zeek configuration	2026-03-24 09:56:03 -04:00
Mike Reeves	d4ac352b5a	Enable clean option for Zeek configuration	2026-03-24 09:54:49 -04:00
Jorge Reyes	afcef1d0e7	Merge pull request #15661 from Security-Onion-Solutions/reyesj2-361 update stig profile v1r3	2026-03-23 18:09:33 -05:00
Josh Patterson	91b164b728	Merge pull request #15665 from Security-Onion-Solutions/delta allow negation in suricata address-group vars	2026-03-23 17:34:21 -04:00
Josh Patterson	6a4501241d	allow negation in suricata address-group vars	2026-03-23 17:24:12 -04:00
Josh Brower	c6978f9037	Merge pull request #15663 from Security-Onion-Solutions/fix/idh-skins Remove hardcoded path	2026-03-23 16:30:51 -04:00
Jorge Reyes	fb7b73c601	Merge pull request #15662 from Security-Onion-Solutions/reyesj2-patch-1 exclude oscap profile from gitleaks	2026-03-23 14:23:24 -05:00
Jorge Reyes	f2b6d59c65	exclude oscap profile from gitleaks	2026-03-23 14:17:39 -05:00
reyesj2	67162357a3	update stig profile v1r3	2026-03-23 14:04:48 -05:00