From 0522dc180a753ddb5886c9b370df6fc6662eef10 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 30 Jan 2024 13:39:35 -0500
Subject: [PATCH] map pcap dir to container. enable pcap-log in map

---
 salt/suricata/enabled.sls | 3 +++
 salt/suricata/map.jinja | 5 +++++
 salt/suricata/pcap.sls | 4 ++--
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index cf871906b..8b2776b39 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -35,6 +35,9 @@ so-suricata:
 - /nsm/suricata/:/nsm/:rw
 - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
 - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
+ {% if GLOBALS.pcap_engine == "SURICATA" %}
+ - /nsm/suripcap/:/nsm/pcap:rw
+ {% endif %}
 {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
 {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
 - {{ BIND }}
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 01d019de8..5f6e913f5 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -60,6 +60,11 @@
 {% do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
 {% endif %}
 
+{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
+{% if GLOBALS.pcap_engine == "SURICATA" %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{% endif %}
+
 {# outputs is a list but we convert to dict in defaults to work with ui #}
 {# below they are converted back to lists #}
 {% load_yaml as outputs %}
diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls
index 7a00d8d6a..a3cbafa0a 100644
--- a/salt/suricata/pcap.sls
+++ b/salt/suricata/pcap.sls
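Review bot: The new `/nsm/suripcap/:/nsm/pcap:rw` bind in enabled.sls targets a path inside the container's `/nsm/`, which the context line above (`/nsm/suricata/:/nsm/:rw`) already binds from a different host directory, so this is a nested bind mount whose result presumably relies on the container engine mounting the deeper target after the shallower one. The mount is gated on `GLOBALS.pcap_engine == "SURICATA"` and the pcap-log enable in map.jinja is gated on the same expression; if the two ever drift, whatever Suricata writes to `/nsm/pcap` would land under the `/nsm/suricata/` host directory instead of `/nsm/suripcap/`, so the dependency deserves a comment. Suggested line above the new `{% if %}`: `{# nested under the /nsm/ bind above; keep this condition in sync with the pcap-log enable in map.jinja #}`. The `so-suricata` state begins before and continues after this hunk.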
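Review bot: In map.jinja, `SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'})` is evaluated as soon as the engine check passes, so a merged outputs dict without a `pcap-log` key (a deployment whose defaults or pillar drop that output, for example) would fail to render with an undefined-variable error, whereas the `file-store` update on the first context line sits inside its own `{% if %}`/`{% endif %}` guard (the opening condition is outside the hunk). Either guard it the same way, `{% if GLOBALS.pcap_engine == "SURICATA" and 'pcap-log' in SURICATAMERGED.config.outputs %}`, or extend the new comment to state that `pcap-log` is guaranteed to exist in the merged outputs. The comment should also say that because this runs after the merge it overrides any `enabled` value a user set for `pcap-log` whenever Suricata is the pcap engine, since that is not obvious from the `{% do %}` line alone.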
@@ -9,8 +9,8 @@ suripcapdir:
 - mode: 755
 - makedirs: True
-
-{% for i in range(1, SURICATAMERGED.config['af-packet'].threads) + 1) %}
+{# there should only be 1 interface in af-packet so we can just reference the first list item #}
+{% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}
 suripcapthread{{i}}dir:
 file.directory: