Merge pull request #12939 from Security-Onion-Solutions/2.4/detection…

…s-airgap Initial airgap support for detections
Security-Onion-Solutions · May 6, 2024 · b997e44 · b997e44
2 parents a67f0d9 + 2431d7b
commit b997e44
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 36 deletions.
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
@@ -1258,7 +1258,6 @@ soc:
       maxPacketCount: 5000
       htmlDir: html
       importUploadDir: /nsm/soc/uploads
-      airgapEnabled: false
       modules:
         cases: soc
         filedatastore:
@@ -1286,10 +1285,16 @@ soc:
           rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
           stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state
           rulesRepos:
-          - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
-            license: Elastic-2.0
-            folder: sigma/stable
-            community: true
+            default:
+              - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
+                license: Elastic-2.0
+                folder: sigma/stable
+                community: true
+            airgap:
+              - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
+                license: Elastic-2.0
+                folder: sigma/stable
+                community: true
           sigmaRulePackages:
             - core
             - emerging_threats_addon
@@ -1345,9 +1350,14 @@ soc:
           denyRegex: ''
           reposFolder: /opt/sensoroni/yara/repos
           rulesRepos:
-          - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
-            license: DRL
-            community: true
+            default:
+              - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
+                license: DRL
+                community: true
+            airgap:
+              - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
+                license: DRL
+                community: true
           yaraRulesFolder: /opt/sensoroni/yara/rules
           stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
         suricataengine:

diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
@@ -37,6 +37,17 @@
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 
+{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
+{% if GLOBALS.airgap %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
+{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
+{%   do SOCMERGED.config.server.update({'airgapEnabled': true}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
+{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
+{%   do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
@@ -107,21 +107,18 @@ soc:
             advanced: True
             helpLink: sigma.html
           rulesRepos:
-            description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.'
-            global: True
-            advanced: True
-            forcedType: "[]{}"
-            helpLink: sigma.html
+            default: &eerulesRepos
+              description: "Custom Git repos to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
+              global: True
+              advanced: True
+              forcedType: "[]{}"
+              helpLink: sigma.html
+            airgap: *eerulesRepos
           sigmaRulePackages:
             description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections -->  Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
             global: True
             advanced: False
             helpLink: sigma.html
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
-            global: True
-            advanced: True
-            helpLink: sigma.html
         elastic:
           index:
             description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -185,45 +182,39 @@ soc:
             advanced: True
         strelkaengine:
           allowRegex:
-            description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+            description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
             global: True
             advanced: True
             helpLink: yara.html
-          autoEnabledYaraRules:
-            description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
+          autoEnabledYARARules:
+            description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
             global: True
             advanced: True
             helpLink: sigma.html
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
-            global: True
-            advanced: True
           denyRegex:
-            description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+            description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
             global: True
             advanced: True
             helpLink: yara.html
           communityRulesImportFrequencySeconds:
-            description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
+            description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
             global: True
             advanced: True
             helpLink: yara.html
           rulesRepos:
-            description: 'Custom Git repos to pull Yara rules from. License field is required'
-            global: True
-            advanced: True
-            forcedType: "[]{}"
-            helpLink: yara.html
+            default: &serulesRepos
+              description: "Custom Git repos to pull YARA rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
+              global: True
+              advanced: True
+              forcedType: "[]{}"
+              helpLink: yara.html
+            airgap: *serulesRepos
         suricataengine:
           allowRegex:
             description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
             global: True
             advanced: True
             helpLink: suricata.html
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
-            global: True
-            advanced: True
           denyRegex:
             description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
             global: True