From b455078fcab74619b0281721e6d9fab3fd7ace74 Mon Sep 17 00:00:00 2001
From: Thibault Koechlin
Date: Wed, 2 Oct 2024 15:16:03 +0200
Subject: [PATCH 1/4] up

---
 collections/crowdsecurity/suricata.yaml | 2 ++
 contexts/crowdsecurity/suricata_base.yaml | 7 +++++++
 2 files changed, 9 insertions(+)
 create mode 100644 contexts/crowdsecurity/suricata_base.yaml

diff --git a/collections/crowdsecurity/suricata.yaml b/collections/crowdsecurity/suricata.yaml
index aef72ba7062..bd86fc02bdb 100644
--- a/collections/crowdsecurity/suricata.yaml
+++ b/collections/crowdsecurity/suricata.yaml
@@ -4,6 +4,8 @@ scenarios:
 - crowdsecurity/suricata-alerts
 description: "suricata support : parser and automatic remediation on high/major alerts"
 author: crowdsecurity
+contexts:
+ - crowdsecurity/suricata_base
 tags:
 - linux
 - suricata
diff --git a/contexts/crowdsecurity/suricata_base.yaml b/contexts/crowdsecurity/suricata_base.yaml
new file mode 100644
index 00000000000..b50e0467aa1
--- /dev/null
+++ b/contexts/crowdsecurity/suricata_base.yaml
@@ -0,0 +1,7 @@
+context:
+ alert_signature:
+ - evt.Parsed.suricata_alert_signature
+ dst_port:
+ - evt.Parsed.dest_port
+ signature_id:
+ - evt.Meta.suricata_alert_signature_id
From b45c26f5469543892fa1e1c4ce0ce3e906452921 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 2 Oct 2024 13:16:47 +0000
Subject: [PATCH 2/4] Update index

---
 .index.json | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/.index.json b/.index.json
index c9c4f4deefc..d5c3b2efecf 100644
--- a/.index.json
+++ b/.index.json
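Review bot: The new `contexts/crowdsecurity/suricata_base.yaml` indents its sequences inconsistently: the collapsed rendering hides it, but the base64 `content` recorded for this file in the later `.index.json` hunk decodes with the `alert_signature` item at three spaces and the `dst_port` and `signature_id` items at four. That still parses, but yamllint's indentation check flags it and the odd column invites mis-nesting on the next edit; `   - evt.Parsed.suricata_alert_signature` should become `    - evt.Parsed.suricata_alert_signature` so all three lists share one indent. The file also has no header comment saying what it is or where its fields originate; a line such as `# alert context attached to Suricata alerts; the evt.Parsed/evt.Meta fields below are expected to be set by the crowdsecurity/suricata-logs parser` would orient a reader, though the parser's field names cannot be confirmed from this patch series and the comment should be checked against it.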
@@ -4955,15 +4955,19 @@ }, "crowdsecurity/suricata": { "path": "collections/crowdsecurity/suricata.yaml", - "version": "0.1", + "version": "0.2", "versions": { "0.1": { "digest": "6f5d4ed7c676be6082af86c8ff771a063808a5970cb56edb9c8161c9b8390466", "deprecated": false + }, + "0.2": { + "digest": "dd64cd667d97c13485e0ca5c1274b1c33e9c98a0df76024cc12c88d461db1209", + "deprecated": false } }, "long_description": "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", - "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3VyaWNhdGEtbG9ncwpzY2VuYXJpb3M6CiAgLSBjcm93ZHNlY3VyaXR5L3N1cmljYXRhLWFsZXJ0cwpkZXNjcmlwdGlvbjogInN1cmljYXRhIHN1cHBvcnQgOiBwYXJzZXIgYW5kIGF1dG9tYXRpYyByZW1lZGlhdGlvbiBvbiBoaWdoL21ham9yIGFsZXJ0cyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CnRhZ3M6CiAgLSBsaW51eAogIC0gc3VyaWNhdGEKICAtIElEUwoK", + "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvc3VyaWNhdGEtbG9ncwpzY2VuYXJpb3M6CiAgLSBjcm93ZHNlY3VyaXR5L3N1cmljYXRhLWFsZXJ0cwpkZXNjcmlwdGlvbjogInN1cmljYXRhIHN1cHBvcnQgOiBwYXJzZXIgYW5kIGF1dG9tYXRpYyByZW1lZGlhdGlvbiBvbiBoaWdoL21ham9yIGFsZXJ0cyIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CmNvbnRleHRzOgogIC0gY3Jvd2RzZWN1cml0eS9zdXJpY2F0YV9iYXNlCnRhZ3M6CiAgLSBsaW51eAogIC0gc3VyaWNhdGEKICAtIElEUwoK", "description": "suricata support : parser and automatic remediation on high/major alerts", "author": "crowdsecurity", "labels": null, @@ -4972,6 +4976,9 @@ ], "scenarios": [ "crowdsecurity/suricata-alerts" + ], + "contexts": [ + "crowdsecurity/suricata_base" ] }, "crowdsecurity/synology-dsm": { 
@@ -5965,6 +5972,19 @@ "content": "Y29udGV4dDoKICB0aHJlYXRfaWQ6CiAgLSBldnQuTWV0YS50aHJlYXRfaWQKICBzZXZlcml0eToKICAtIGV2dC5NZXRhLnNldmVyaXR5CiAgcnVsZV9uYW1lOgogIC0gZXZ0Lk1ldGEucnVsZV9uYW1lCg==", "author": "crowdsecurity", "labels": null + }, + "crowdsecurity/suricata_base": { + "path": "contexts/crowdsecurity/suricata_base.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "a4fde8bbce311a7b128ead06027cf8651d1d611414b3cb3e08610671cf65f723", + "deprecated": false + } + }, + "content": "Y29udGV4dDoKICBhbGVydF9zaWduYXR1cmU6CiAgIC0gZXZ0LlBhcnNlZC5zdXJpY2F0YV9hbGVydF9zaWduYXR1cmUKICBkc3RfcG9ydDoKICAgIC0gZXZ0LlBhcnNlZC5kZXN0X3BvcnQKICBzaWduYXR1cmVfaWQ6CiAgICAtIGV2dC5NZXRhLnN1cmljYXRhX2FsZXJ0X3NpZ25hdHVyZV9pZAo=", + "author": "crowdsecurity", + "labels": null } }, "parsers": { From f56612c2879d169203840e1a14f36e44dd446acf Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 2 Oct 2024 15:49:24 +0200 Subject: [PATCH 3/4] comment out rule ID by default --- contexts/crowdsecurity/suricata_base.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contexts/crowdsecurity/suricata_base.yaml b/contexts/crowdsecurity/suricata_base.yaml index b50e0467aa1..3e99487d28e 100644 --- a/contexts/crowdsecurity/suricata_base.yaml +++ b/contexts/crowdsecurity/suricata_base.yaml @@ -3,5 +3,5 @@ context: - evt.Parsed.suricata_alert_signature dst_port: - evt.Parsed.dest_port - signature_id: - - evt.Meta.suricata_alert_signature_id + # signature_id: + # - evt.Meta.suricata_alert_signature_id From 3a990a2f78603b7eb4a58ce6856bdb5dfcf1f803 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 2 Oct 2024 13:50:09 +0000 Subject: [PATCH 4/4] Update index --- .index.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.index.json b/.index.json index d5c3b2efecf..28e0aceb752 100644 --- a/.index.json +++ b/.index.json 
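Review bot: In the `suricata_base.yaml` hunk of patch 3, `signature_id` is commented out with no in-file reason; the commit title says only "by default", so a reader cannot tell whether the rule id was dropped as noise, as deliberately not-to-be-shared context, or because `evt.Meta.suricata_alert_signature_id` is not reliably populated by the parser. Keeping the two lines as comments rather than deleting them is a reasonable way to advertise the option, but the intent only survives if it is written down: a comment above the pair such as `# signature_id is opt-in; uncomment to add the Suricata rule id to the alert context` followed by the actual reason it is off would do. The `context:` mapping header that encloses these lines is outside the hunk, and the `.index.json` hunk that follows in patch 4 is the generated index for this change.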
@@ -5975,14 +5975,18 @@ }, "crowdsecurity/suricata_base": { "path": "contexts/crowdsecurity/suricata_base.yaml", - "version": "0.1", + "version": "0.2", "versions": { "0.1": { "digest": "a4fde8bbce311a7b128ead06027cf8651d1d611414b3cb3e08610671cf65f723", "deprecated": false + }, + "0.2": { + "digest": "e354b651c80c05f629930631fcbcb4c72f8e07a6ceacaccd0254cda777e027cb", + "deprecated": false } }, - "content": "Y29udGV4dDoKICBhbGVydF9zaWduYXR1cmU6CiAgIC0gZXZ0LlBhcnNlZC5zdXJpY2F0YV9hbGVydF9zaWduYXR1cmUKICBkc3RfcG9ydDoKICAgIC0gZXZ0LlBhcnNlZC5kZXN0X3BvcnQKICBzaWduYXR1cmVfaWQ6CiAgICAtIGV2dC5NZXRhLnN1cmljYXRhX2FsZXJ0X3NpZ25hdHVyZV9pZAo=", + "content": "Y29udGV4dDoKICBhbGVydF9zaWduYXR1cmU6CiAgIC0gZXZ0LlBhcnNlZC5zdXJpY2F0YV9hbGVydF9zaWduYXR1cmUKICBkc3RfcG9ydDoKICAgIC0gZXZ0LlBhcnNlZC5kZXN0X3BvcnQKICAjIHNpZ25hdHVyZV9pZDoKICAjICAgLSBldnQuTWV0YS5zdXJpY2F0YV9hbGVydF9zaWduYXR1cmVfaWQK", "author": "crowdsecurity", "labels": null }