diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 7d93339f..0d37117e 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -41,6 +41,18 @@ import (
 var errModuleStopped = fmt.Errorf("elastalert module has stopped running")
+const (
+ DEFAULT_ALLOW_REGEX = ""
+ DEFAULT_DENY_REGEX = ""
+ DEFAULT_AUTO_UPDATE_ENABLED = false
+ DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS = 86400
+ DEFAULT_SIGMA_PACKAGE_DOWNLOAD_TEMPLATE = "https://github.com/SigmaHQ/sigma/releases/latest/download/sigma_%s.zip"
+ DEFAULT_ELASTALERT_RULES_FOLDER = "/opt/sensoroni/elastalert"
+ DEFAULT_RULES_FINGERPRINT_FILE = "/opt/sensoroni/fingerprints/sigma.fingerprint"
+ DEFAULT_REPOS_FOLDER = "/opt/sensoroni/sigma/repos"
+ DEFAULT_STATE_FILE_PATH = "/opt/sensoroni/fingerprints/elastalertengine.state"
+)
+
 var acceptedExtensions = map[string]bool{
 ".yml": true,
 ".yaml": true,
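Review bot: The new exported constants use SCREAMING_SNAKE_CASE (`DEFAULT_ALLOW_REGEX`, `DEFAULT_SIGMA_PACKAGE_DOWNLOAD_TEMPLATE`, ...), which is not Go style — linters such as revive's var-naming flag it and the convention is MixedCaps, e.g. `DefaultAllowRegex`; the same applies to the const blocks this commit adds in strelka.go and suricata.go. Because they are exported they also become part of each package's API yet carry no doc comments; either unexport them (`defaultAllowRegex`) if only `Init` reads them, or give each a comment starting with its name. The download template deserves one in particular, since it is the source of detection content and `%s` is substituted with a Sigma package name (presumably from the `sigmaRulePackages` list read in `Init` — confirm): `// DefaultSigmaPackageDownloadTemplate is the URL template for Sigma release archives; %s is replaced with the package name. Overriding it via config changes where rules are fetched from.` The two regex defaults being `""` means "no filtering" in `Init`, which a one-line comment on those constants should also state.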
@@ -109,17 +121,17 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) (err error) {
 e.thread = &sync.WaitGroup{}
 e.interrupt = make(chan bool, 1)
- e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 86400)
- e.sigmaPackageDownloadTemplate = module.GetStringDefault(config, "sigmaPackageDownloadTemplate", "https://github.com/SigmaHQ/sigma/releases/latest/download/sigma_%s.zip")
- e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/sensoroni/elastalert")
- e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/sensoroni/fingerprints/sigma.fingerprint")
- e.autoUpdateEnabled = module.GetBoolDefault(config, "autoUpdateEnabled", false)
+ e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS)
+ e.sigmaPackageDownloadTemplate = module.GetStringDefault(config, "sigmaPackageDownloadTemplate", DEFAULT_SIGMA_PACKAGE_DOWNLOAD_TEMPLATE)
+ e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", DEFAULT_ELASTALERT_RULES_FOLDER)
+ e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", DEFAULT_RULES_FINGERPRINT_FILE)
+ e.autoUpdateEnabled = module.GetBoolDefault(config, "autoUpdateEnabled", DEFAULT_AUTO_UPDATE_ENABLED)
 e.autoEnabledSigmaRules = module.GetStringArrayDefault(config, "autoEnabledSigmaRules", []string{"securityonion-resources+critical", "securityonion-resources+high"})
 pkgs := module.GetStringArrayDefault(config, "sigmaRulePackages", []string{"core", "emerging_threats_addon"})
 e.parseSigmaPackages(pkgs)
- e.reposFolder = module.GetStringDefault(config, "reposFolder", "/opt/sensoroni/sigma/repos")
+ e.reposFolder = module.GetStringDefault(config, "reposFolder", DEFAULT_REPOS_FOLDER)
 e.rulesRepos, err = model.GetReposDefault(config, "rulesRepos", []*model.RuleRepo{
 {
 Repo: "https://github.com/Security-Onion-Solutions/securityonion-resources",
@@ -131,8 +143,8 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) (err error) {
 return fmt.Errorf("unable to parse ElastAlert's rulesRepos: %w", err)
 }
- allow := module.GetStringDefault(config, "allowRegex", "")
- deny := module.GetStringDefault(config, "denyRegex", "")
+ allow := module.GetStringDefault(config, "allowRegex", DEFAULT_ALLOW_REGEX)
+ deny := module.GetStringDefault(config, "denyRegex", DEFAULT_DENY_REGEX)
 if allow != "" {
 var err error
@@ -150,7 +162,7 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) (err error) {
 }
 }
- e.stateFilePath = module.GetStringDefault(config, "stateFilePath", "/opt/sensoroni/fingerprints/elastalertengine.state")
+ e.stateFilePath = module.GetStringDefault(config, "stateFilePath", DEFAULT_STATE_FILE_PATH)
 return nil
 }
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index a4a51b76..edc28f2c 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -32,6 +32,19 @@ import (
 "github.com/kennygrant/sanitize"
 )
+const (
+ DEFAULT_ALLOW_REGEX = ""
+ DEFAULT_DENY_REGEX = ""
+ DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS = 86400
+ DEFAULT_YARA_RULES_FOLDER = "/opt/sensoroni/yara/rules"
+ DEFAULT_REPOS_FOLDER = "/opt/sensoroni/yara/repos"
+ DEFAULT_COMPILE_YARA_PYTHON_SCRIPT_PATH = "/opt/so/conf/strelka/compile_yara.py"
+ DEFAULT_COMPILE_RULES = true
+ DEFAULT_AUTO_UPDATE_ENABLED = false
+ DEFAULT_STATE_FILE_PATH = "/opt/sensoroni/fingerprints/strelkaengine.state"
+ DEFAULT_AUTO_ENABLED_YARA_RULES = "securityonion-yara"
+)
+
 var errModuleStopped = fmt.Errorf("strelka module has stopped running")
 type IOManager interface {
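Review bot: The extraction in the first elastalert `Init` hunk is inconsistent: every scalar default becomes a named constant, but the two list defaults on the unchanged lines — `[]string{"securityonion-resources+critical", "securityonion-resources+high"}` for `autoEnabledSigmaRules` and `[]string{"core", "emerging_threats_addon"}` for `sigmaRulePackages` — stay inline, while the strelka hunk in this same commit does extract its `autoEnabledYaraRules` default. Go constants cannot be slices, so these would be package-level vars, e.g. `var defaultAutoEnabledSigmaRules = []string{"securityonion-resources+critical", "securityonion-resources+high"}` and `var defaultSigmaRulePackages = []string{"core", "emerging_threats_addon"}`, passed in place of the literals. If `GetStringArrayDefault` hands the default slice itself back rather than a copy, any later append to `e.autoEnabledSigmaRules` would mutate the package var — confirm or clone at the call site. `Init` begins and ends outside this hunk.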
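Review bot: `DEFAULT_ALLOW_REGEX`, `DEFAULT_DENY_REGEX`, `DEFAULT_AUTO_UPDATE_ENABLED` and `DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS` in the strelka const block repeat, value for value, what the elastalert block earlier in this commit already declares, and suricata.go adds a third copy; three packages now each own the policy that an empty regex means no filtering and that community rules refresh every 86400 seconds. All three engines already call `module.GetStringDefault`/`GetIntDefault`, so the shared defaults belong once in the `module` package (e.g. `module.DefaultAllowRegex`, `module.DefaultCommunityRulesImportFrequencySeconds`), leaving only the engine-specific paths and flags in each engine's block. Keeping one definition also stops the copies drifting apart, which a reviewer cannot otherwise detect without diffing three files.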
@@ -90,13 +103,13 @@ func (e *StrelkaEngine) Init(config module.ModuleConfig) (err error) {
 e.thread = &sync.WaitGroup{}
 e.interrupt = make(chan bool, 1)
- e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 86400)
- e.yaraRulesFolder = module.GetStringDefault(config, "yaraRulesFolder", "/opt/sensoroni/yara/rules")
- e.reposFolder = module.GetStringDefault(config, "reposFolder", "/opt/sensoroni/yara/repos")
- e.compileYaraPythonScriptPath = module.GetStringDefault(config, "compileYaraPythonScriptPath", "/opt/so/conf/strelka/compile_yara.py")
- e.compileRules = module.GetBoolDefault(config, "compileRules", true)
- e.autoUpdateEnabled = module.GetBoolDefault(config, "autoUpdateEnabled", false)
- e.autoEnabledYaraRules = module.GetStringArrayDefault(config, "autoEnabledYaraRules", []string{"securityonion-yara"})
+ e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS)
+ e.yaraRulesFolder = module.GetStringDefault(config, "yaraRulesFolder", DEFAULT_YARA_RULES_FOLDER)
+ e.reposFolder = module.GetStringDefault(config, "reposFolder", DEFAULT_REPOS_FOLDER)
+ e.compileYaraPythonScriptPath = module.GetStringDefault(config, "compileYaraPythonScriptPath", DEFAULT_COMPILE_YARA_PYTHON_SCRIPT_PATH)
+ e.compileRules = module.GetBoolDefault(config, "compileRules", DEFAULT_COMPILE_RULES)
+ e.autoUpdateEnabled = module.GetBoolDefault(config, "autoUpdateEnabled", DEFAULT_AUTO_UPDATE_ENABLED)
+ e.autoEnabledYaraRules = module.GetStringArrayDefault(config, "autoEnabledYaraRules", []string{DEFAULT_AUTO_ENABLED_YARA_RULES})
 e.rulesRepos, err = model.GetReposDefault(config, "rulesRepos", []*model.RuleRepo{
 {
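Review bot: `[]string{DEFAULT_AUTO_ENABLED_YARA_RULES}` on the last added line rebuilds the default list at the call site from a single-string constant, so the default for a `[]string` field is wired to exactly one element and adding a second default rule source later means touching both the constant and this line. A package-level `var defaultAutoEnabledYaraRules = []string{"securityonion-yara"}` passed straight to `GetStringArrayDefault` keeps the default in one place and matches the field's type; Go has no slice constants, which is presumably why a string constant was chosen. If `GetStringArrayDefault` returns the default slice itself rather than a copy, code that appends to `e.autoEnabledYaraRules` would mutate the package var — worth confirming, or cloning at the call site. `Init` continues past the end of this hunk.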
@@ -108,8 +121,8 @@ func (e *StrelkaEngine) Init(config module.ModuleConfig) (err error) {
 return fmt.Errorf("unable to parse Strelka's rulesRepos: %w", err)
 }
- allow := module.GetStringDefault(config, "allowRegex", "")
- deny := module.GetStringDefault(config, "denyRegex", "")
+ allow := module.GetStringDefault(config, "allowRegex", DEFAULT_ALLOW_REGEX)
+ deny := module.GetStringDefault(config, "denyRegex", DEFAULT_DENY_REGEX)
 if allow != "" {
 e.allowRegex, err = regexp.Compile(allow)
@@ -126,7 +139,7 @@ func (e *StrelkaEngine) Init(config module.ModuleConfig) (err error) {
 }
 }
- e.stateFilePath = module.GetStringDefault(config, "stateFilePath", "/opt/sensoroni/fingerprints/strelkaengine.state")
+ e.stateFilePath = module.GetStringDefault(config, "stateFilePath", DEFAULT_STATE_FILE_PATH)
 return nil
 }
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 40be7641..ee6d2bce 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -43,6 +43,15 @@ var licenseBySource = map[string]string{
 "etpro": model.LicenseCommercial,
 }
+const (
+ DEFAULT_COMMUNITY_RULES_FILE = "/nsm/rules/suricata/emerging-all.rules"
+ DEFAULT_RULES_FINGERPRINT_FILE = "/opt/sensoroni/fingerprints/emerging-all.fingerprint"
+ DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECS = 86400
+ DEFAULT_STATE_FILE_PATH = "/opt/sensoroni/fingerprints/suricataengine.state"
+ DEFAULT_ALLOW_REGEX = ""
+ DEFAULT_DENY_REGEX = ""
+)
+
 type IOManager interface {
 ReadFile(path string) ([]byte, error)
 WriteFile(path string, contents []byte, perm fs.FileMode) error
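Review bot: `DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECS` in the suricata const block is named differently from the `DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS` this same commit introduces in elastalert.go and strelka.go for the identical 86400 default, even though all three feed the same config key `communityRulesImportFrequencySeconds`. Rename it `DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS` (or, in Go style, `DefaultCommunityRulesImportFrequencySeconds`) so one grep across the engines finds every copy, and so the unit is spelled the way the config key spells it. The ordering of this block also differs from the other two (regex defaults last here, first there); a consistent order makes the three blocks easy to compare side by side.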
@@ -80,12 +89,12 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) {
 e.thread = &sync.WaitGroup{}
 e.interrupt = make(chan bool, 1)
- e.communityRulesFile = module.GetStringDefault(config, "communityRulesFile", "/nsm/rules/suricata/emerging-all.rules")
- e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/sensoroni/fingerprints/emerging-all.fingerprint")
- e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 86400)
+ e.communityRulesFile = module.GetStringDefault(config, "communityRulesFile", DEFAULT_COMMUNITY_RULES_FILE)
+ e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", DEFAULT_RULES_FINGERPRINT_FILE)
+ e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECS)
- allow := module.GetStringDefault(config, "allowRegex", "")
- deny := module.GetStringDefault(config, "denyRegex", "")
+ allow := module.GetStringDefault(config, "allowRegex", DEFAULT_ALLOW_REGEX)
+ deny := module.GetStringDefault(config, "denyRegex", DEFAULT_DENY_REGEX)
 if allow != "" {
 var err error
@@ -103,7 +112,7 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) {
 }
 }
- e.stateFilePath = module.GetStringDefault(config, "stateFilePath", "/opt/sensoroni/fingerprints/suricataengine.state")
+ e.stateFilePath = module.GetStringDefault(config, "stateFilePath", DEFAULT_STATE_FILE_PATH)
 return nil
 }