Airgap Check for AI Summaries

If the server is configured with AirgapEnabled = true, then the call to RefreshAiSummaries will log a debug statement, do nothing, and return no error. Otherwise the repo will be updated as usual.
Security-Onion-Solutions · Sep 24, 2024 · 903aea7 · 903aea7
1 parent 75b35ce
commit 903aea7
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 3 deletions.
diff --git a/server/modules/detections/ai_summary.go b/server/modules/detections/ai_summary.go
@@ -20,11 +20,17 @@ var lastSuccessfulAiUpdate time.Time
 
 type AiLoader interface {
 	LoadAuxiliaryData(summaries []*model.AiSummary) error
+	IsAirgapped() bool
 }
 
 //go:generate mockgen -destination mock/mock_ailoader.go -package mock . AiLoader
 
 func RefreshAiSummaries(eng AiLoader, lang model.SigLanguage, isRunning *bool, aiRepoPath string, aiRepoUrl string, aiRepoBranch string, logger *log.Entry, iom IOManager) error {
+	if eng.IsAirgapped() {
+		logger.Debug("skipping AI summary update because airgap is enabled")
+		return nil
+	}
+
 	err := updateAiRepo(isRunning, aiRepoPath, aiRepoUrl, aiRepoBranch, iom)
 	if err != nil {
 		if errors.Is(err, ErrModuleStopped) {

diff --git a/server/modules/detections/ai_summary_test.go b/server/modules/detections/ai_summary_test.go
@@ -25,7 +25,14 @@ func TestRefreshAiSummaries(t *testing.T) {
 
 	iom := mock.NewMockIOManager(ctrl)
 	loader := mock.NewMockAiLoader(ctrl)
+	logger := log.WithField("test", true)
+
+	loader.EXPECT().IsAirgapped().Return(true)
+
+	err := RefreshAiSummaries(loader, model.SigLangSigma, &isRunning, "baseRepoFolder", repo, branch, logger, iom)
+	assert.NoError(t, err)
 
+	loader.EXPECT().IsAirgapped().Return(false)
 	iom.EXPECT().ReadDir("baseRepoFolder").Return([]fs.DirEntry{}, nil)
 	iom.EXPECT().CloneRepo(gomock.Any(), "baseRepoFolder/repo1", repo, &branch).Return(nil)
 	iom.EXPECT().ReadFile("baseRepoFolder/repo1/detections-ai/sigma_summaries.yaml").Return([]byte(summaries), nil)
@@ -54,10 +61,8 @@ func TestRefreshAiSummaries(t *testing.T) {
 		return nil
 	})
 
-	logger := log.WithField("test", true)
-
 	lastSuccessfulAiUpdate = time.Time{}
 
-	err := RefreshAiSummaries(loader, model.SigLangSigma, &isRunning, "baseRepoFolder", repo, branch, logger, iom)
+	err = RefreshAiSummaries(loader, model.SigLangSigma, &isRunning, "baseRepoFolder", repo, branch, logger, iom)
 	assert.NoError(t, err)
 }
diff --git a/server/modules/detections/mock/mock_ailoader.go b/server/modules/detections/mock/mock_ailoader.go
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
@@ -1556,6 +1556,10 @@ func (e *ElastAlertEngine) DuplicateDetection(ctx context.Context, detection *mo
 	return det, nil
 }
 
+func (e *ElastAlertEngine) IsAirgapped() bool {
+	return e.srv.Config.AirgapEnabled
+}
+
 func (e *ElastAlertEngine) LoadAuxiliaryData(summaries []*model.AiSummary) error {
 	sum := &sync.Map{}
 	for _, summary := range summaries {

diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
@@ -1136,6 +1136,10 @@ func (e *StrelkaEngine) DuplicateDetection(ctx context.Context, detection *model
 	return det, nil
 }
 
+func (e *StrelkaEngine) IsAirgapped() bool {
+	return e.srv.Config.AirgapEnabled
+}
+
 func (e *StrelkaEngine) LoadAuxiliaryData(summaries []*model.AiSummary) error {
 	sum := &sync.Map{}
 	for _, summary := range summaries {

diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
@@ -1746,6 +1746,10 @@ func (e *SuricataEngine) DuplicateDetection(ctx context.Context, detection *mode
 	return det, nil
 }
 
+func (e *SuricataEngine) IsAirgapped() bool {
+	return e.srv.Config.AirgapEnabled
+}
+
 func (e *SuricataEngine) LoadAuxiliaryData(summaries []*model.AiSummary) error {
 	sum := &sync.Map{}
 	for _, summary := range summaries {