From f5bd8ab58556c0f9bafa26717d83de33f6dd2862 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 7 Nov 2024 15:33:47 -0500 Subject: [PATCH] Rewrite docs --- ...tections_custom_repo_template_readme.jinja | 76 +++++++++++++++---- 1 file changed, 62 insertions(+), 14 deletions(-) diff --git a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja index 1d391fec03..228a467bf2 100644 --- a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja +++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja 
@@ -8,15 +8,39 @@ Just add your rule file and commit it. For example: -First, create the rule file; make sure to create the file with a .yar extension -`sudo vi my_custom_rule.yar` +** Note: If this is your first time making changes to this repo, you may run into the following error: -Next, use git to stage the new rule to be commited: -`sudo git add my_custom_rule.yar` +fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara' +To add an exception for this directory, call: + git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara -Finally, commit it. -If this is your first time making changes to this repo, you will be asked to set some configuration. -`sudo git commit -m "Initial commit of my_custom_rule.yar"` +This means that the user you are running commands as does not match the user that is used for this git repo (socore). +You will need to make sure your rule files are accessible to the socore user, so either su to socore +or add the exception and then chown the rule files later. + +Also, you will be asked to set some configuration: +``` +Author identity unknown +*** Please tell me who you are. +Run + git config --global user.email "you@example.com" + git config --global user.name "Your Name" +to set your account's default identity. +Omit --global to set the identity only in this repository. +``` + +Run these commands, ommitting the `--global`. + +With that out of the way: + +First, create the rule file with a .yar extension: +`vi my_custom_rule.yar` + +Next, use git to stage the new rule to be committed: +`git add my_custom_rule.yar` + +Finally, commit it: +`git commit -m "Initial commit of my_custom_rule.yar"` The next time the Strelka / YARA engine syncs, the new rule should be imported If there are errors, review the sync log to troubleshoot further. 
@@ -31,15 +55,39 @@ Just add your rule file and commit it. For example: -First, create the rule file; make sure to create the file with a .yaml|.yml extension -`sudo vi my_custom_rule.yml` +** Note: If this is your first time making changes to this repo, you may run into the following error: + +fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma' +To add an exception for this directory, call: + git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma + +This means that the user you are running commands as does not match the user that is used for this git repo (socore). +You will need to make sure your rule files are accessible to the socore user, so either su to socore +or add the exception and then chown the rule files later. + +Also, you will be asked to set some configuration: +``` +Author identity unknown +*** Please tell me who you are. +Run + git config --global user.email "you@example.com" + git config --global user.name "Your Name" +to set your account's default identity. +Omit --global to set the identity only in this repository. +``` + +Run these commands, ommitting the `--global`. + +With that out of the way: + +First, create the rule file with a .yml or .yaml extension: +`vi my_custom_rule.yml` -Next, use git to stage the new rule to be commited: -`sudo git add my_custom_rule.yml` +Next, use git to stage the new rule to be committed: +`git add my_custom_rule.yml` -Finally, commit it. -If this is your first time making changes to this repo, you will be asked to set some configuration. -`sudo git commit -m "Initial commit of my_custom_rule.yml"` +Finally, commit it: +`git commit -m "Initial commit of my_custom_rule.yml"` The next time the Elastalert / Sigma engine syncs, the new rule should be imported If there are errors, review the sync log to troubleshoot further.
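Review bot: In the first hunk (`@@ -8,15 +8,39 @@`, the YARA section), the new guidance "add the exception and then chown the rule files later" is incomplete: running `git add` and `git commit` as a user other than socore also writes new objects and ref updates under the repository's `.git` directory as that user, so chowning only the `.yar` files can still leave the socore-run sync unable to update `/nsm/rules/custom-local-repos/local-yara`. Suggest either telling the reader to chown the whole repository afterwards or, more simply, dropping that alternative and keeping only "su to socore", which the removed `sudo` prefixes already push towards. Three smaller points in the same hunk: the pasted `fatal: detected dubious ownership in repository ...` error and its `git config --global --add safe.directory` line sit as plain text while the identity block below is fenced, so fence both for consistent rendering; `** Note:` is an unclosed bold marker and should be `**Note:**`; and `ommitting` should read `omitting`.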
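Review bot: The second hunk (`@@ -31,15 +55,39 @@`, the Sigma section) repeats the whole "first time making changes" note from the YARA section verbatim, differing only in the `local-sigma` path; since this file is a Jinja template, consider moving that note into a single macro or block parameterised on the repository path so the two copies cannot drift apart on the next edit. The same issues carry over here: the `fatal: detected dubious ownership` text and its `git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma` line are unfenced while the identity block is fenced, `** Note:` is an unclosed bold marker (`**Note:**`), and `ommitting` should be `omitting`. The "chown the rule files later" advice also needs the same qualification as in the YARA section, since commits made as another user leave that user's files under `.git` as well.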