Merge pull request #620 from Security-Onion-Solutions/cogburn/sync-si…

…gma-custom Sync Local Rules
Security-Onion-Solutions · Aug 26, 2024 · b04f49d · b04f49d
2 parents cc10f21 + 2308b47
commit b04f49d
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 1 deletion.
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
@@ -526,7 +526,7 @@ func (e *ElastAlertEngine) Sync(logger *log.Entry, forceSync bool) error {
 	var errMap map[string]error
 
 	// If the system is Airgap, load the sigma packages from disk.
-	// else, not Airgap, downoad the sigma packages.
+	// else, not Airgap, download the sigma packages.
 	if e.airgapEnabled {
 		zips, errMap = e.loadSigmaPackagesFromDisk()
 	} else {
@@ -675,6 +675,53 @@ func (e *ElastAlertEngine) Sync(logger *log.Entry, forceSync bool) error {
 		return detections.ErrSyncFailed
 	}
 
+	localrules, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameElastAlert), model.WithCommunity(false))
+	if err != nil {
+		if errors.Is(err, detections.ErrModuleStopped) {
+			return err
+		}
+
+		logger.WithError(err).Error("unable to get local detections")
+
+		if e.notify {
+			e.srv.Host.Broadcast("detection-sync", "detections", server.SyncStatus{
+				Engine: model.EngineNameElastAlert,
+				Status: "error",
+			})
+		}
+
+		return detections.ErrSyncFailed
+	}
+
+	if len(localrules) > 0 {
+		local := make([]*model.Detection, 0, len(localrules))
+		for _, det := range localrules {
+			local = append(local, det)
+		}
+
+		errMapLocal, err := e.SyncLocalDetections(e.srv.Context, local)
+		if err != nil {
+			if errors.Is(err, detections.ErrModuleStopped) {
+				return err
+			}
+
+			logger.WithError(err).Error("unable to sync local detections")
+
+			if e.notify {
+				e.srv.Host.Broadcast("detection-sync", "detections", server.SyncStatus{
+					Engine: model.EngineNameElastAlert,
+					Status: "error",
+				})
+			}
+
+			return detections.ErrSyncFailed
+		}
+
+		for publicID, err := range errMapLocal {
+			errMap[publicID] = errors.New(err)
+		}
+	}
+
 	detections.WriteStateFile(e.IOManager, e.StateFilePath)
 
 	if len(errMap) > 0 {

diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
@@ -1366,6 +1366,18 @@ func TestSyncChanges(t *testing.T) {
 	}).Times(3)
 	auditm.EXPECT().Close(gomock.Any()).Return(nil)
 	auditm.EXPECT().Stats().Return(esutil.BulkIndexerStats{})
+	// SyncLocalDetections
+	detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{
+		SimpleRule2SID: {
+			PublicID: SimpleRule2SID,
+		},
+	}, nil)
+	iom.EXPECT().ReadDir("elastAlertRulesFolder").Return([]fs.DirEntry{
+		&handmock.MockDirEntry{
+			Filename: SimpleRule2SID + ".yml",
+		},
+	}, nil) // IndexExistingRules
+	iom.EXPECT().DeleteFile("elastAlertRulesFolder/" + SimpleRule2SID + ".yml").Return(nil)
 	iom.EXPECT().WriteFile("stateFilePath", gomock.Any(), fs.FileMode(0644)).Return(nil)        // WriteStateFile
 	iom.EXPECT().WriteFile("rulesFingerprintFile", gomock.Any(), fs.FileMode(0644)).Return(nil) // WriteFingerprintFile
 	// regenNeeded