securityonion/salt/idstools/soc_idstools.yaml

idstools:
  enabled:
    description: Enables or disables the IDStools process which is used by the Detection system.
  config:
    oinkcode:
      description: Enter your registration code or oinkcode for paid NIDS rulesets.
      title: Registration Code
      global: True
      forcedType: string
      helpLink: rules.html
    ruleset:
      description: 'Defines the ruleset you want to run. Options are ETOPEN or ETPRO. Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 24 hours), or you can force the update by nagivating to Detections -->  Options dropdown menu --> Suricata --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Suricata rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
      global: True
      regex:  ETPRO\b|ETOPEN\b
      helpLink: rules.html
    urls:
      description: This is a list of additional rule download locations. This feature is currently disabled. 
      global: True
      multiline: True
      forcedType: "[]string"
      readonly: True
      helpLink: rules.html
  sids:
    disabled:
      description: Contains the list of NIDS rules (or regex patterns) disabled across the grid. This setting is readonly; Use the Detections screen to disable rules.
      global: True
      multiline: True
      forcedType: "[]string"
      regex: \d*|re:.*
      helpLink: managing-alerts.html
      readonlyUi: True
      advanced: true
    enabled:
      description: Contains the list of NIDS rules (or regex patterns) enabled across the grid. This setting is readonly; Use the Detections screen to enable rules.
      global: True
      multiline: True
      forcedType: "[]string"
      regex: \d*|re:.*
      helpLink: managing-alerts.html
      readonlyUi: True
      advanced: true
    modify:
      description: Contains the list of NIDS rules (SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"). This setting is readonly; Use the Detections screen to modify rules.
      global: True
      multiline: True
      forcedType: "[]string"
      helpLink: managing-alerts.html
      readonlyUi: True
      advanced: true
  rules:
    local__rules:
      description: Contains the list of custom NIDS rules applied to the grid. This setting is readonly; Use the Detections screen to adjust rules.
      file: True
      global: True
      advanced: True
      title: Local Rules
      helpLink: local-rules.html
      readonlyUi: True
    filters__rules:
      description: If you are using Suricata for metadata, then you can set custom filters for that metadata here.
      file: True
      global: True
      advanced: True
      title: Filter Rules
      helpLink: suricata.html
    extraction__rules:
      description: If you are using Suricata for metadata, then you can set a list of MIME types for file extraction here.
      file: True
      global: True
      advanced: True
      title: Extraction Rules
      helpLink: suricata.html