From ff84640aad5465a4c5f0729ed88ffecfeb1e070a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 14 Aug 2020 13:59:23 -0400
Subject: [PATCH 1/4] add pcap to import node, test not starting zeek docker by default
---
 salt/top.sls | 1 +
 salt/zeek/init.sls | 3 +++
 salt/zeek/map.jinja | 6 ++++++
 setup/so-functions | 1 +
 setup/so-setup | 2 +-
 5 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 salt/zeek/map.jinja
diff --git a/salt/top.sls b/salt/top.sls
index 01eed5343..4b560c3c1 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -399,6 +399,7 @@ base:
 - firewall
 - idstools
 - suricata.manager
+ - pcap
 - elasticsearch
 - kibana
 - filebeat
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 8743878da..f6e1e999e 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,3 +1,5 @@
+{% from "zeek/map.jinja" import START with context %}
+
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
@@ -167,6 +169,7 @@ localzeeksync:
 so-zeek:
 docker_container.running:
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
+ - start: {{ START }}
 - privileged: True
 - binds:
 - /nsm/zeek/logs:/nsm/zeek/logs:rw
diff --git a/salt/zeek/map.jinja b/salt/zeek/map.jinja
new file mode 100644
index 000000000..ad4d70e80
--- /dev/null
+++ b/salt/zeek/map.jinja
@@ -0,0 +1,6 @@
+# don't start the docker container if it is an import node
+{% if grains.id.split('_')|last == 'import' %}
+ {% set START = False %}
+{% else %}
+ {% set START = True %}
+{% endif %}
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index 5a63d7c12..8e94dc373 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -804,6 +804,7 @@ docker_seed_registry() {
 "so-filebeat:$VERSION" \
 "so-suricata:$VERSION" \
 "so-soc:$VERSION" \
+ "so-steno:$VERSION" \
 "so-elasticsearch:$VERSION" \
 "so-kibana:$VERSION" \
 "so-kratos:$VERSION" \
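Review bot: `- start: {{ START }}` on so-zeek only governs whether a container that exists but is stopped gets started; as far as I can tell from Salt's docker_container.running, `start: False` does not stop a container that is already running, so an import node that ran so-zeek before this change keeps running it after the state is re-applied. The same applies to the identical `start` lines added to so-steno and so-suricata in PATCH 4/4. If the intent is that import nodes never run these containers, either leave the state out of the import role's top.sls entry or make the block conditional, e.g. wrap the `so-zeek:` state in `{% if START %}` … `{% endif %}` with a `docker_container.stopped` (or `absent`) counterpart in the `{% else %}` branch. The so-zeek state body continues below the hunk.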
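Review bot: The first line, `# don't start the docker container if it is an import node`, is plain text rather than a comment, since `#` has no meaning in a .jinja template; it is harmless here only because the file is consumed via `{% from ... import START %}`, which (as I read Jinja) discards the template's output, and it would be emitted into the rendered state if anyone ever `include`s the file, so it should read `{# don't start the docker container if it is an import node #}`. This file is also byte-identical to pcap/map.jinja and suricata/map.jinja in PATCH 4/4 (all three are created with the same blob `ad4d70e80`), so the import-node rule `grains.id.split('_')|last == 'import'` now lives in three places and any change to the minion-id naming convention must be made three times; one shared map under salt/common/maps/, which already holds import.map.jinja, would remove that duplication. The file also ends without a trailing newline (`\ No newline at end of file`).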
diff --git a/setup/so-setup b/setup/so-setup
index 45b08433f..56647b1b4 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -577,7 +577,7 @@ fi
 salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
 fi
- if [[ $is_sensor ]]; then
+ if [[ $is_sensor || $is_import ]]; then
 set_progress_str 65 "$(print_salt_state_apply 'pcap')"
 salt-call state.apply -l info pcap >> $setup_log 2>&1
 fi
From 3836f0030979b3387544dc438eca37c9e50b43e4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 14 Aug 2020 14:32:34 -0400
Subject: [PATCH 2/4] allow sensori port for import node
---
 salt/firewall/assigned_hostgroups.map.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index ef9e6fe0c..b6dd7b9bc 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -506,6 +506,7 @@ role:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
+ - {{ portgroups.sensoroni }}
 search_node:
 portgroups:
 - {{ portgroups.redis }}
From f9a6b8d2315e61f928ad91a2d4cf8c707d3843c4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 14 Aug 2020 14:39:02 -0400
Subject: [PATCH 3/4] remove zeek and suricata from so-status for import node
---
 salt/common/maps/import.map.jinja | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/salt/common/maps/import.map.jinja b/salt/common/maps/import.map.jinja
index adb266809..324536d11 100644
--- a/salt/common/maps/import.map.jinja
+++ b/salt/common/maps/import.map.jinja
@@ -5,8 +5,6 @@
 'so-soc',
 'so-kratos',
 'so-elasticsearch',
- 'so-kibana',
- 'so-suricata',
- 'so-zeek'
+ 'so-kibana'
 ]
 } %}
\ No newline at end of file
From 35027e32b35938fe4d2ded10be0cba7b2b651cf9 Mon Sep 17 00:00:00 2001
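Review bot: The added `- {{ portgroups.sensoroni }}` widens a firewall allow list, and the hostgroup it is granted to appears to be the key just above the hunk (the sibling of `search_node:`), so from the hunk alone it is not visible whether this opens the sensoroni port only to import nodes, as the commit title says, or to every host in that group; please confirm that the hostgroup and the role it sits under match the intended scope before this lands. A short comment on the new line naming the consumer would help later reviewers of this map, e.g. `- {{ portgroups.sensoroni }}  # import nodes (3836f00)`. The enclosing role mapping starts above the hunk.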
From: m0duspwnens
Date: Fri, 14 Aug 2020 14:43:37 -0400
Subject: [PATCH 4/4] dont constantly run steno or suricata containers for import node
---
 salt/pcap/init.sls | 2 ++
 salt/pcap/map.jinja | 6 ++++++
 salt/suricata/init.sls | 2 ++
 salt/suricata/map.jinja | 6 ++++++
 4 files changed, 16 insertions(+)
 create mode 100644 salt/pcap/map.jinja
 create mode 100644 salt/suricata/map.jinja
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 3db7a227c..135b49334 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -18,6 +18,7 @@
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
 {% set BPF_COMPILED = "" %}
+{% from "pcap/map.jinja" import START with context %}
 # PCAP Section
@@ -131,6 +132,7 @@ sensoronilog:
 so-steno:
 docker_container.running:
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }}
+ - start: {{ START }}
 - network_mode: host
 - privileged: True
 - port_bindings:
diff --git a/salt/pcap/map.jinja b/salt/pcap/map.jinja
new file mode 100644
index 000000000..ad4d70e80
--- /dev/null
+++ b/salt/pcap/map.jinja
@@ -0,0 +1,6 @@
+# don't start the docker container if it is an import node
+{% if grains.id.split('_')|last == 'import' %}
+ {% set START = False %}
+{% else %}
+ {% set START = True %}
+{% endif %}
\ No newline at end of file
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 783f174ca..a15255af1 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -23,6 +23,7 @@
 {# import_yaml 'suricata/files/defaults2.yaml' as suricata #}
 {% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %}
+{% from "suricata/map.jinja" import START with context %}
 # Suricata
@@ -134,6 +135,7 @@ suribpf:
 so-suricata:
 docker_container.running:
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }}
+ - start: {{ START }}
 - privileged: True
 - environment:
 - INTERFACE={{ interface }}
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
new file mode 100644
index 000000000..ad4d70e80
--- /dev/null
+++ b/salt/suricata/map.jinja
@@ -0,0 +1,6 @@
+# don't start the docker container if it is an import node
+{% if grains.id.split('_')|last == 'import' %}
+ {% set START = False %}
+{% else %}
+ {% set START = True %}
+{% endif %}
\ No newline at end of file