This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
On 3/14/2016, we released securityonion-setup - 20120912-0ubuntu0securityonion201:
http://blog.securityonion.net/2016/03/securityonion-setup-20120912.html

This version of Setup disabled noisy Suricata events by appending the following to /etc/nsm/pulledpork/disablesid.conf:

# Added by Security Onion Setup
stream-events
pcre:SURICATA\ ICMPv6

However, this was only for new installations that occurred after 3/14/2016. Older installations that had run Setup before that date did not have these entries in disablesid.conf.

On 10/23/2017, we released securityonion-rule-update - 20151201-1ubuntu1securityonion11:
http://blog.securityonion.net/2017/10/securityonion-rule-update-20151201.html

This update re-enabled Suricata events rules. From #1141:

If you run Setup and choose Snort, it disables the Suricata events rules. If you then switch from Snort to Suricata, those Suricata events rules are still disabled. rule-update needs to enable these rules if necessary.

The net effect of all this is that older installations with Setup run before 3/14/2016 did not have the entries in disablesid.conf and now all of a sudden enabled all of the noisy Suricata events. rule-update needs to disable these noisy Suricata events if Setup hasn't already. We can most likely just copy the code from sosetup that does this:

# Disable noisy Suricata rules
if ! grep "Security Onion Setup" /etc/nsm/pulledpork/disablesid.conf >/dev/null 2>&1; then
cat << EOF >> /etc/nsm/pulledpork/disablesid.conf
# Added by Security Onion Setup
stream-events
pcre:SURICATA\ ICMPv6
EOF
fi
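An added example, not Security Onion's own code: the sosetup snippet above reworked as a function that takes the disablesid.conf path and reports through its exit status whether it appended anything, so the same guard can be run from both Setup and rule-update and checked for idempotency on a scratch copy of the file instead of the live /etc/nsm/pulledpork/disablesid.conf.

```shell
#!/bin/sh
# Added example (not part of Security Onion): idempotently append the
# "Security Onion Setup" marker and the two noisy-Suricata entries to the
# disablesid.conf given as $1.
# Exit status: 0 = entries appended, 1 = marker already present, nothing done.
disable_noisy_suricata() {
    conf="$1"
    # Same guard as sosetup: the comment line doubles as the idempotency marker,
    # so a second caller (e.g. rule-update after Setup) does not append twice.
    if grep -q "Security Onion Setup" "$conf" 2>/dev/null; then
        return 1
    fi
    # Quoted heredoc so the backslash in the pcre entry is written literally.
    cat << 'EOF' >> "$conf"
# Added by Security Onion Setup
stream-events
pcre:SURICATA\ ICMPv6
EOF
    return 0
}

# Number of marker lines in the file; prints 0 when absent or file missing.
marker_count() {
    grep -c "Security Onion Setup" "$1" 2>/dev/null || true
}
```

Run it as `disable_noisy_suricata /etc/nsm/pulledpork/disablesid.conf` from a rule-update hook; calling it again is a no-op.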
dougburks changed the title from "rule-update: disable noisy suricata events if Setup hasn't already" to "rule-update: disable noisy Suricata events if Setup hasn't already" on Oct 24, 2017.