Deprecate instead

Security-Onion-Solutions · Nov 20, 2024 · e005429 · e005429
1 parent 2255df3
commit e005429
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 15 deletions.
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
@@ -103,7 +103,8 @@ type ElastAlertEngine struct {
 	sigmaPipelineSO                    string
 	sigmaPipelinesFingerprintFile      string
 	sigmaRulePackages                  []string
-	autoEnabledSigmaRules              []RuleCriteria
+	autoEnabledSigmaRules              []string
+	enabledSigmaRules                  []RuleCriteria
 	additionalAlerters                 []string
 	additionalAlerterParams            string
 	informationalSeverityAlerters      []string
@@ -136,7 +137,7 @@ type ElastAlertEngine struct {
 	model.EngineState
 }
 
-func loadAutoEnabledSigmaRules(config module.ModuleConfig) []RuleCriteria {
+func loadEnabledSigmaRules(config module.ModuleConfig) []RuleCriteria {
 	defaultRuleFilters := []RuleCriteria{
 		{
 			Ruleset:  []string{"securityonion-resources"},
@@ -154,16 +155,16 @@ func loadAutoEnabledSigmaRules(config module.ModuleConfig) []RuleCriteria {
 		},
 	}
 
-	rawRuleFilters, ok := config["autoEnabledSigmaRules"]
+	rawRuleFilters, ok := config["enabledSigmaRules"]
 	if !ok {
-		log.Info("autoEnabledSigmaRules not found in config, using defaults.")
+		log.Info("enabledSigmaRules not found in config, using defaults.")
 		return defaultRuleFilters
 	}
 
 	var configData []RuleCriteria
 	err := yaml.Unmarshal([]byte(rawRuleFilters.(string)), &configData)
 	if err != nil {
-		log.WithError(err).Error("Failed to unmarshal YAML data for autoEnabledSigmaRules")
+		log.WithError(err).Error("Failed to unmarshal YAML data for enabledSigmaRules")
 		return defaultRuleFilters
 	}
 
@@ -179,14 +180,30 @@ func loadAutoEnabledSigmaRules(config module.ModuleConfig) []RuleCriteria {
 func checkRulesetEnabled(e *ElastAlertEngine, det *model.Detection) {
 	det.IsEnabled = false
 
-	for _, rule := range e.autoEnabledSigmaRules {
-		if matchArrayField(rule.Ruleset, det.Ruleset) &&
-			matchArrayField(rule.Level, string(det.Severity)) &&
-			matchArrayField(rule.Product, det.Product) &&
-			matchArrayField(rule.Category, det.Category) &&
-			matchArrayField(rule.Service, det.Service) {
-			det.IsEnabled = true
-			break
+	if len(e.autoEnabledSigmaRules) != 0 {
+
+		// Deprecated in 2.4.120, will be removed in a future release
+		log.Warn("Use of autoEnabledSigmaRules is deprecated, use enabledSigmaRules instead")
+		// Combine Ruleset and Severity into a single string
+		metaCombined := det.Ruleset + "+" + string(det.Severity)
+		for _, rule := range e.autoEnabledSigmaRules {
+			if strings.EqualFold(rule, metaCombined) {
+				det.IsEnabled = true
+				break
+			}
+		}
+
+	} else {
+
+		for _, rule := range e.enabledSigmaRules {
+			if matchArrayField(rule.Ruleset, det.Ruleset) &&
+				matchArrayField(rule.Level, string(det.Severity)) &&
+				matchArrayField(rule.Product, det.Product) &&
+				matchArrayField(rule.Category, det.Category) &&
+				matchArrayField(rule.Service, det.Service) {
+				det.IsEnabled = true
+				break
+			}
 		}
 	}
 }
@@ -240,7 +257,8 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) (err error) {
 	e.sigmaPipelineSO = module.GetStringDefault(config, "sigmaPipelineSO", DEFAULT_SIGMA_PIPELINE_SO_FILE)
 	e.sigmaPipelinesFingerprintFile = module.GetStringDefault(config, "sigmaPipelinesFingerprintFile", DEFAULT_SIGMA_PIPELINES_FINGERPRINT_FILE)
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", DEFAULT_RULES_FINGERPRINT_FILE)
-	e.autoEnabledSigmaRules = loadAutoEnabledSigmaRules(config)
+	e.enabledSigmaRules = loadEnabledSigmaRules(config)
+	e.autoEnabledSigmaRules = module.GetStringArrayDefault(config, "autoEnabledSigmaRules", []string{})
 	e.CommunityRulesImportErrorSeconds = module.GetIntDefault(config, "communityRulesImportErrorSeconds", DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS)
 	e.failAfterConsecutiveErrorCount = module.GetIntDefault(config, "failAfterConsecutiveErrorCount", DEFAULT_FAIL_AFTER_CONSECUTIVE_ERROR_COUNT)
 	e.additionalAlerters = module.GetStringArrayDefault(config, "additionalAlerters", []string{})

diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
@@ -42,7 +42,39 @@ import (
 
 func TestCheckAutoEnabledSigmaRule(t *testing.T) {
 	e := &ElastAlertEngine{
-		autoEnabledSigmaRules: []RuleCriteria{
+		autoEnabledSigmaRules: []string{"securityonion-resources+high", "core+critical"},
+	}
+
+	tests := []struct {
+		name     string
+		ruleset  string
+		severity model.Severity
+		expected bool
+	}{
+		{"securityonion-resources rule with high severity, rule enabled", "securityonion-resources", model.SeverityHigh, true},
+		{"securityonion-resources rule with high severity upper case, rule enabled", "securityonion-RESOURCES", model.SeverityHigh, true},
+		{"core rule with critical severity, rule enabled", "core", model.SeverityCritical, true},
+		{"core rule with high severity, rule not enabled", "core", model.SeverityHigh, false},
+		{"empty ruleset, high severity, rule not enabled", "", model.SeverityHigh, false},
+		{"core ruleset, empty severity, rule not enabled", "core", "", false},
+		{"empty ruleset, empty severity, rule not enabled", "", "", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			det := &model.Detection{
+				Ruleset:  tt.ruleset,
+				Severity: tt.severity,
+			}
+			checkRulesetEnabled(e, det)
+			assert.Equal(t, tt.expected, det.IsEnabled)
+		})
+	}
+}
+
+func TestCheckEnabledSigmaRule(t *testing.T) {
+	e := &ElastAlertEngine{
+		enabledSigmaRules: []RuleCriteria{
 			{
 				Ruleset:  []string{"securityonion-resources", "core"},
 				Level:    []string{"high"},