Merge pull request #15232 from Security-Onion-Solutions/idstools-refactor

Idstools refactor

salt/manager/init.sls

@@ -214,7 +214,7 @@ git_config_set_safe_dirs:
 
 surinsmrulesdir:
   file.directory:
-    - name: /nsm/rules/suricata/etopen
+    - name: /nsm/rules/suricata
     - user: 939
     - group: 939
     - makedirs: True

salt/manager/tools/sbin/soup

@@ -1116,9 +1116,6 @@ cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
 Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
 EOF
 
-# Create salt local rules dir
-install -d -o 939 -g 939 /opt/so/saltstack/local/salt/suricata/rules/
-
 # Backup custom rules & overrides
 mkdir -p /nsm/backup/detections-migration/2-4-200
 cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
@@ -1358,7 +1355,7 @@ unmount_update() {
 
 update_airgap_rules() {
   # Copy the rules over to update them for airgap.
-  rsync -a --delete $UPDATE_DIR/agrules/suricata/ /nsm/rules/suricata/etopen/
+  rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
   rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
   rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
   # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch

salt/soc/defaults.yaml

@@ -1622,11 +1622,12 @@ soc:
                 sourceType: directory
             airgap:
               - name: Emerging-Threats
-                description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata"
+                description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
                 licenseKey: ""
                 enabled: true
-                sourceType: directory
+                sourceType: url
-                sourcePath: /nsm/rules/suricata/etopen/
+                sourcePath: 'https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz'
+                urlHash: "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz.md5"
                 license: "BSD"
                 excludeFiles:
                   - "*deleted*"

salt/soc/merged.map.jinja

@@ -108,39 +108,21 @@
 {%     if ruleset.name == 'Emerging-Threats' %}
 {%       if ruleset.licenseKey and ruleset.licenseKey != '' %}
 {#         License key is defined - transform to ETPRO #}
-{%         if ruleset.sourceType == 'directory' %}
+{#         Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
-{#           Airgap mode - update directory path #}
+{%         do ruleset.update({
-{%           do ruleset.update({
+             'name': 'ETPRO',
-               'name': 'ETPRO',
+             'sourcePath': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz',
-               'sourcePath': '/nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz',
+             'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
-               'license': 'Commercial'
+             'license': 'Commercial'
-             }) %}
+           }) %}
-{%         else %}
-{#           Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
-{%           do ruleset.update({
-               'name': 'ETPRO',
-               'sourcePath': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz',
-               'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
-               'license': 'Commercial'
-             }) %}
-{%         endif %}
 {%       else %}
 {#         No license key - explicitly set to ETOPEN #}
-{%         if ruleset.sourceType == 'directory' %}
+{%         do ruleset.update({
-{#           Airgap mode - update directory path #}
+             'name': 'ETOPEN',
-{%           do ruleset.update({
+             'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
-               'name': 'ETOPEN',
+             'urlHash': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.md5',
-               'sourcePath': '/nsm/rules/suricata/etopen/',
+             'license': 'BSD'
-               'license': 'BSD'
+           }) %}
-             }) %}
-{%         else %}
-{%           do ruleset.update({
-               'name': 'ETOPEN',
-               'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
-               'urlHash': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.md5',
-               'license': 'BSD'
-             }) %}
-{%         endif %}
 {%       endif %}
 {%     endif %}
 {%     endfor %}