Issue Adding Sigma Rules from Local Repo

[jstore-embers]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

20

RAM

64 GB

Storage for /

2 TB

Storage for /nsm

12 TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am trying to add a private sigma ruleset offered by the DFIR Report. I can use git to pull the repo down to /nsm/rules/detect-sigma/repos/dfir-report/ and I've configured the following line in the admin interface under rule repos according to the documentation here

{"community":true,"folder":"rules/rules/sigma","license":"Elastic-2.0","repo":"file:///nsm/rules/detect-sigma/repos/dfir-report"}

I think the above is correct (not sure what I should put for license, so I copied the option from the securityonion-resources repo. Note the full path to the rules root folder in my instance is /nsm/rules/detect-sigma/repos/dfir-report/rules/rules/sigma but there are several subfolders.

I'm wondering where I may find logs that are generated when doing a full-update on the elastalert rules from the detections interface or if there's anything obviously wrong with this config.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

When you say pull down - did you download it or did you git clone it?

That dir needs to be a git repo. You should be able to run git status on the following dir: /nsm/rules/detect-sigma/repos/dfir-report/

[jstore-embers]

Any idea on how to revert that change from the command line. I assume that's stored in Kratos?

[defensivedepth]

Delete this config from the following file, then restart soc: sudo so-soc-restart --force

This will set that particular config back to the default.

/opt/so/saltstack/local/pillar/soc/soc_soc.sls 
soc:
    config:
        server:
            modules:
                elastalertengine:
                    rulesRepos:
                        default:
                            - community: true
                              folder: sigma/stable
                              license: Elastic-2.0
                              repo: https://github.com/Security-Onion-Solutions/securityonion-resources
                            - community: true
                              folder: sigma/stable
                              license: Elastic-2.0
                              repo: https://github.com/Security-Onion-Solutions/securityonion-resourcess

[defensivedepth]

Once you are back up and running, doublecheck your settings and try it again. For this upcoming release, I have added a template git repo + more detailed instructions. In particular, make sure that the repo files are owned by socore:

https://github.com/Security-Onion-Solutions/securityonion/pull/13879/files#diff-cfa2634fc56f514ff9255a2a3201fe7af42008d623bf7ccfa1d7dae0cfe8272dR65

[jstore-embers]

I appreciate the help. I was able to get back up and running. I'm ill trying to figure out how to get the sigma rules to show up in the detections page.

I tried the follow config:

                            - community: true
                              license: Elastic-2.0
                              repo: file:///nsm/rules/detect-sigma/repos/dfir-report/rules

The folder is my repo and the files are all owned by so-core, but I did initialize and clone the repo as root.

[root@onion-manager rules]# pwd
/nsm/rules/detect-sigma/repos/dfir-report/rules
[root@onion-manager rules]# git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
[root@onion-manager rules]# ls -la
total 8
drwxr-xr-x. 7 socore socore   94 Nov  6 17:06 .
drwxr-xr-x. 3 socore socore   37 Nov  6 17:06 ..
drwxr-xr-x. 8 socore socore 4096 Nov 14 17:25 .git
drwxr-xr-x. 3 socore socore   23 Nov  6 17:06 .github
-rw-r--r--. 1 socore socore   65 Nov  6 17:06 README.md
drwxr-xr-x. 3 socore socore   19 Nov  6 17:06 rules
drwxr-xr-x. 3 socore socore   43 Nov  6 17:06 statistics
drwxr-xr-x. 2 socore socore   37 Nov  6 17:06 tests
[root@onion-manager rules]#

All subdirectories and files are owned by socore:socore with various permissions that all have at least read.

[jstore-embers]

Also, I did add the exception for git to trust the path.