Merge pull request #107 from defensivedepth/updates

Updates

detections.rst

@@ -121,3 +121,48 @@ For more information about managing :ref:`nids` rules for :ref:`suricata`, pleas
 For more information about managing :ref:`sigma` rules for :ref:`elastalert`, please see the :ref:`sigma` section.
 
 For more information about managing :ref:`yara` rules for :ref:`strelka`, please see the :ref:`yara` section.
+
+
+Technical Background
+---------------------
+
+SOC Detections abstracts the underlying alerting engine and simplifies writing detections for different rule types. With this abstraction, it's not always clear how quickly changes are implemented. The following provides this information.
+
+**Enable | Disable (Bulk and Individual) Operations**
+
+Elastalert/Sigma
+  - Immediate change - UI & disk
+
+Suricata
+  - UI Bulk & Individual: Immediate change in the UI, disk change once `idstools state` is run next
+  - Regex: UI and disk change once `soc state` is run next + Suricata engine sync
+
+Strelka/YARA
+  - Immediate change in the UI, disk change once `strelka state` is run next
+
+**Tuning**
+
+Elastalert/Sigma
+  - Immediate change - UI & disk
+
+Suricata
+  - Immediate change in the UI, disk change once `idstools state` is run next
+
+Strelka/YARA
+  - N/A
+
+**Ruleset Changes**
+
+Elastalert (Sigma)
+  - Sigma Ruleset Packages: UI and disk change once `soc state` is run next + Elastalert engine sync
+  - Git repo (https or disk): UI and disk change once `soc state` is run next + Elastalert engine sync
+
+Suricata
+  - ETOPEN/ETPRO: UI and disk change once `soc state`, `idstools state` is run next + Suricata engine sync
+  - Custom URL: UI and disk change once `soc state`, `idstools state` is run next + Suricata engine sync
+  - Custom Local File: UI and disk change once `soc state`, `idstools state` is run next + Suricata engine sync
+
+Strelka/YARA
+  - Git repo (https or disk): UI and disk change once `soc state` is run next + Strelka engine sync
+
+

nids.rst

@@ -29,6 +29,44 @@ To tune the detection:
 .. image:: images/60_detection_nids_2_tuning_2_add.png
   :target: _images/60_detection_nids_2_tuning_2_add.png
 
+Enabling | Disabling with Regex
+-------------------------------
+
+In 2.4.90, NIDS rules can now be enabled or disabled in Detections using regex patterns. Navigate to SOC Configuration and filter for `regex`, then drill down into soc --> config --> server --> modules --> suricataengine --> disableRegex or enableRegex.
+
+The regex flavor is Google RE2: https://github.com/google/re2/wiki/Syntax
+
+In ETOPEN, categories are prepended to the rule name, ie ``ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound``. So to disable the following categories of ETOPEN rules:
+
+::
+
+        ET EXPLOIT
+        ET MALWARE
+
+but not:
+::
+
+        ET EXPLOIT_KIT
+
+You would use the following regex patterns:
+
+
+::
+
+        ET EXPLOIT\s
+        ET MALWARE\s
+
+
+The ``\s`` is a shortcut for whitespace and is useful in this situation to make sure we are only matching the specific categories that we want to disable.
+
+If a detection would be matched by both an enable and disable regex, it is enabled. If a Detection's status is changed via the Detections interface, but it is currently matched by a regex pattern, the change initiated from the Detections interface is reverted and a message is shown.
+
+Enable and disable operations that are based on regex patterns are actioned during rule updates, which defaults to every 24 hours. If you have made a change to the regex patterns and would like to have it implemented more immediately:
+
+- Under Grid configuration, click "Synchronize Grid", which will kick off a salt highstate - give that about 5 minutes.
+- Navigate to Detections and run a "Full Update" for Suricata. Once this completes, refresh the Detections page and you should see the relevant Detections statuses have changed.
+
+
 Adding New NIDS Rules
 ---------------------