enabling rulesets

[aa18afr]

Hi,

I have installed Securityonion 2.3.5 recently with Snort Subscriber Ruleset. The setup works fine, but I also want to enable ET OPEN rulesets along with the current Snort rulesets. Can someone let me know how to enable them as I have gone through the documentation but could not understand how to enable them? Previously, in Securityonon 16, both rulesets were selected in the initial setup. For this version, please let me know how to do it, many thanks.

[dougburks]

Have you reviewed the Rules section of the documentation?
https://docs.securityonion.net/en/2.3/rules.html

[aa18afr]

I have gone through the documentation and applied these settings as mentioned. I need to know that if I have configured security onion with Snort TALOS ruleset then how can I configure ET OPEN to run as well. As per the documentation, I need to provide a URL for ET OPEN and provided URL as url: https://rules.emergingthreats.net/open/suricata-6.0.0/emerging.rules.tar.gz

After adding url to path: /opt/so/saltstack/local/pillar/minions/<manager.sls> and running salt * state.highstate gives error and also if so-rule-update is run, even then there is no ET OPEN ruleset is downloaded. If issue pertains with the url or I am doing anything wrong, please address, thank you.

[dougburks]

After adding url to path: /opt/so/saltstack/local/pillar/minions/<manager.sls>

Did you actually create a file called <manager.sls> or are you using the existing sls file for your manager?

Are you able to share the entire idstools section of your manager's sls file including what you added (redacting oinkcodes as necessary)?

running salt * state.highstate gives error

Are you able to share the exact error?

Have you checked /opt/so/log/ for additional clues?

[aa18afr]

Did you actually create a file called <manager.sls> or are you using the existing sls file for your manager?
-> No, I am adding ruleset in the already present file which is placed at /opt/so/saltstack/local/pillar/minions/<manager.sls>

Are you able to share the entire idstools section of your manager's sls file including what you added (redacting oinkcodes as necessary)?
--> Please find the screenshot and I think I am doing something wrong in this file, please guide, thank you.

Are you able to share the exact error?

salt * state.highstate error:

master log:

[dougburks]

Looking at your manager.sls screenshot, have you tried having a single config section under idstools that contains your TALOS ruleset and oinkcode and then specifies the ET URL under urls as shown at https://docs.securityonion.net/en/2.3/rules.html#other?

[aa18afr]

Thanks, Doug, I tried adding the URL for ET OPEN and it worked fine for now, many thanks.