Running multiple rulesets

[petiepooo]

I've found the discussion on how to enable the TALOS ruleset with SO rules disabled (#1727). I would like to also run the ETOPEN ruleset, but the idstools config section doesn't appear to be a YAML list, so I see no way to specify both TALOS and ETOPEN..

Is there a way to do this?

[petiepooo]

I've figured out a solution, although it's not optimal.

To add the Snort community rules, just add a list entry under urls for the community rules in the minion's sls file. For example, to use both ETOPEN and Snort-community rulesets, it would look like:

idstools:
  config:
    ruleset: 'ETOPEN'
    oinkcode: ''
    urls:
      - 'https://snort.org/downloads/community/community-rules.tar.gz'

The drawback is that there is no md5 pre-check to know whether the comunity ruleset has changed since the last download. It just downloads the full ruleset whenever rules are updated, wasting bandwidth for rulesets that are not updated frequently.

A similar modification can be used to download the registered or subscription TALOS rulesets; you just need to enter the full URL there, including the oinkcode parameter. It has the same drawback of not checking the md5 too, but the idstools-rulecat script also fails, as it just appends a '.md5' extension to the end of the URL string, meaning it's added at the end of the oinkcode parameter instead of the pathname.

If you are using TALOS, don't forget to disable the shared-object rules. netsecninja's method works well:

  sids:
    disabled:
      - 're:soid [0-9]+'

In fact, I would recommend the install script disable those rules automatically if TALOS is selected during installation.

I've opened issue jasonish/py-idstools#81 against rulecat to fix the md5 check. It would be nice if rulecat checked the md5 for regular URLs it's passed as well, but py-idstools seems to be in search of an active maintainer. There isn't much activity of late, and some of the issues and PRs are quite old.

I don't think it's worth modifying the Security Onion install script and jinja template to account for multiple rulesets via the installer UI. This is an advanced feature that can require people to edit textfiles to implement.

[petiepooo]

Another followup. Jasonish, developer of py-idstools is responding and active. While he didn't respond immediately to the issue I had opened, when I sent a linked pull request with the fix, he tested and merged it quite quickly.

@weslambert would you please consider updating the next spin of the so-idstools image to include commit jasonish/py-idstools@d2988a4 to make use of the TALOS ruleset easier? Please also consider automatically disabling shared-object rules during install if the TALOS ruleset is selected. Before reading the netsecninja post, a stock install using TALOS was very badly broken.