Best way to update suricata ruleset (From ET-OPEN to ET-PRO), in AIRGAP mode

[AnyrunMalware]

Hi!
I am evaluating the Security Onion Product and we installed it in a grid setup using the AIRGAP option.

None of nodes, including the management node have internet access.

We would like to switch from the ET-OPEN ruleset to the ET-PRO ruleset.

We have a 30 day trial and downloaded the etpro.rules.tar.gz from the Emerging Threat's website using the $oinkcode and $version.

Now that I have the rules, what is the best way for me to update my sensor with this set?

Thanks for your help,

Much appreciated.

[dougburks]

In airgap mode, NIDS rules are normally updated when you run soup and it copies them from the new ISO image to /nsm/repo/rules/:
https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/common/tools/sbin/soup#L719

Based on that (but without actual testing), I would think that you could manually sneakernet your new ruleset to /nsm/repo/rules/.

[dougburks]

The default ET ruleset shows 32K rules:

sudo so-rule-update
2021-12-29 20:46:30,667 - <INFO> - Loading ./rulecat.conf.
2021-12-29 20:46:30,670 - <INFO> - Fetching http://172.16.XXX.YYY:7788/rules/emerging-all.rules.
 100% - 18818038/18818038             
2021-12-29 20:46:30,817 - <INFO> - Done.
2021-12-29 20:46:30,824 - <INFO> - Loading local file /opt/so/rules/nids/local.rules
2021-12-29 20:46:32,885 - <INFO> - Loaded 32595 rules.
2021-12-29 20:46:32,892 - <INFO> - Disabled 0 rules.
2021-12-29 20:46:32,892 - <INFO> - Enabled 0 rules.
2021-12-29 20:46:32,892 - <INFO> - Modified 0 rules.
2021-12-29 20:46:32,892 - <INFO> - Dropped 0 rules.
2021-12-29 20:46:33,131 - <INFO> - Enabled 285 rules for flowbit dependencies.
2021-12-29 20:46:36,233 - <INFO> - Writing rules to /opt/so/rules/nids/all.rules: total: 32595; enabled: 22698; added: 0; removed 0; modified: 0
2021-12-29 20:46:36,428 - <INFO> - Done.

After placing the ETPRO ruleset in /nsm/repo/rules/emerging-all.rules, it shows 80K rules:

sudo so-rule-update
2021-12-29 20:48:23,109 - <INFO> - Loading ./rulecat.conf.
2021-12-29 20:48:23,112 - <INFO> - Fetching http://172.16.XXX.YYY:7788/rules/emerging-all.rules.
 100% - 53092248/53092248             
2021-12-29 20:48:23,409 - <INFO> - Done.
2021-12-29 20:48:23,441 - <INFO> - Loading local file /opt/so/rules/nids/local.rules
2021-12-29 20:48:30,096 - <INFO> - Loaded 80131 rules.
2021-12-29 20:48:30,118 - <INFO> - Disabled 0 rules.
2021-12-29 20:48:30,118 - <INFO> - Enabled 0 rules.
2021-12-29 20:48:30,118 - <INFO> - Modified 0 rules.
2021-12-29 20:48:30,118 - <INFO> - Dropped 0 rules.
2021-12-29 20:48:30,695 - <INFO> - Enabled 437 rules for flowbit dependencies.
2021-12-29 20:48:34,165 - <INFO> - Writing rules to /opt/so/rules/nids/all.rules: total: 80131; enabled: 58157; added: 47536; removed 0; modified: 25222
2021-12-29 20:48:34,594 - <INFO> - Done.

[kl3ss]

Hey All,

Im also interested in the answer to this. I can verify that the answer given did not work for me. I downloaded the etpro.rules.tar.gz file as we also have an ET PRO License. I untard the tar.gz file into /nsm/repo/rules and ran sudo so-rule-update and then results were exactly the same as I ran a sudo so-rule update and gathered the results before untaring the current rules file.

I look forward to hearing about how we would do this, as we also have an airgapped installation.

Cheers

kl3ss

[kl3ss]

Hey All,

After digging down a rabbit hole, My findings are that there is a file under /opt/so/idstools/etc/ called rulecat.conf. Would it be safe to say that the following would need to be done if updating signature updates for suricata in a airgapped install:

-: Copy rulecat.conf into /opt/so/saltstack/local/salt/idstools/etc/
-: Create a new folder under /opt/so/saltstack/local/salt/idstools/ called Suricata or ETPro and give it the same permissions as the sorules folder that already exists under there
-: Untar the contents of the definition file into the new folder created above
-: Update rulecat.conf that we copied into /opt/so/saltstack/local/salt/idstools/etc to and use the --local= entry to add a new location pointing at the new signature files
-: run a salt update
-: then run so-rule-update

I have not tried this, and would be nice if someone could come back and confirm that this may be correct?

Cheers

kl3ss

[aa18afr]

Hey All,

Need an answer to this one, thank you.

I have installed Securityonion 2.3.5 recently with Snort Subscriber Ruleset. The setup works fine, but I also want to enable ET OPEN rulesets along with the current Snort rulesets. Can someone let me know how to enable them as I have gone through the documentation but could not understand how to enable them? Previously, in Securityonon 16, both rulesets were selected in the initial setup. For this version, please let me know how to do it, many thanks.

[dougburks]

@aa18afr This is an old discussion from 2021. Please avoid replying to old discussions like this. It looks like you've created your own discussion at #11108 so please keep the discussion there.