manage suricata classifications.config https://github.com/Security-Onion-Solutions/securityonion/issues/7918

salt/suricata/classification.csv

@@ -1,43 +0,0 @@
-attempted-admin,Attempted Administrator Privilege Gain,1
-attempted-dos,Attempted Denial of Service,2
-attempted-recon,Attempted Information Leak,2
-attempted-user,Attempted User Privilege Gain,1
-bad-unknown,Potentially Bad Traffic, 2
-coin-mining,Crypto Currency Mining Activity Detected,2
-command-and-control,Malware Command and Control Activity Detected,1
-credential-theft,Successful Credential Theft Detected,1
-default-login-attempt,Attempt to login by a default username and password,2
-denial-of-service,Detection of a Denial of Service Attack,2
-domain-c2,Domain Observed Used for C2 Detected,1
-exploit-kit,Exploit Kit Activity Detected,1
-external-ip-check,Device Retrieving External IP Address Detected,2
-icmp-event,Generic ICMP event,3
-inappropriate-content,Inappropriate Content was Detected,1
-misc-activity,Misc activity,3
-misc-attack,Misc Attack,2
-network-scan,Detection of a Network Scan,3
-non-standard-protocol,Detection of a non-standard protocol or event,2
-not-suspicious,Not Suspicious Traffic,3
-policy-violation,Potential Corporate Privacy Violation,1
-protocol-command-decode,Generic Protocol Command Decode,3
-pup-activity,Possibly Unwanted Program Detected,2
-rpc-portmap-decode,Decode of an RPC Query,2
-shellcode-detect,Executable code was detected,1
-social-engineering,Possible Social Engineering Attempted,2
-string-detect,A suspicious string was detected,3
-successful-admin,Successful Administrator Privilege Gain,1
-successful-dos,Denial of Service,2
-successful-recon-largescale,Large Scale Information Leak,2
-successful-recon-limited,Information Leak,2
-successful-user,Successful User Privilege Gain,1
-suspicious-filename-detect,A suspicious filename was detected,2
-suspicious-login,An attempted login using a suspicious username was detected,2
-system-call-detect,A system call was detected,2
-targeted-activity,Targeted Malicious Activity was Detected,1
-tcp-connection,A TCP connection was detected,4
-trojan-activity,A Network Trojan was detected, 1
-unknown,Unknown Traffic,3
-unsuccessful-user,Unsuccessful User Privilege Gain,1
-unusual-client-port-connection,A client was using an unusual port,2
-web-application-activity,access to a potentially vulnerable web application,2
-web-application-attack,Web Application Attack,1

salt/suricata/classification.yml

@@ -1,126 +0,0 @@
-- '3': 3
-  Not Suspicious Traffic: Unknown Traffic
-  not-suspicious: unknown
-- '3': 2
-  Not Suspicious Traffic: Potentially Bad Traffic
-  not-suspicious: bad-unknown
-- '3': 2
-  Not Suspicious Traffic: Attempted Information Leak
-  not-suspicious: attempted-recon
-- '3': 2
-  Not Suspicious Traffic: Information Leak
-  not-suspicious: successful-recon-limited
-- '3': 2
-  Not Suspicious Traffic: Large Scale Information Leak
-  not-suspicious: successful-recon-largescale
-- '3': 2
-  Not Suspicious Traffic: Attempted Denial of Service
-  not-suspicious: attempted-dos
-- '3': 2
-  Not Suspicious Traffic: Denial of Service
-  not-suspicious: successful-dos
-- '3': 1
-  Not Suspicious Traffic: Attempted User Privilege Gain
-  not-suspicious: attempted-user
-- '3': 1
-  Not Suspicious Traffic: Unsuccessful User Privilege Gain
-  not-suspicious: unsuccessful-user
-- '3': 1
-  Not Suspicious Traffic: Successful User Privilege Gain
-  not-suspicious: successful-user
-- '3': 1
-  Not Suspicious Traffic: Attempted Administrator Privilege Gain
-  not-suspicious: attempted-admin
-- '3': 1
-  Not Suspicious Traffic: Successful Administrator Privilege Gain
-  not-suspicious: successful-admin
-- '3': 2
-  Not Suspicious Traffic: Decode of an RPC Query
-  not-suspicious: rpc-portmap-decode
-- '3': 1
-  Not Suspicious Traffic: Executable code was detected
-  not-suspicious: shellcode-detect
-- '3': 3
-  Not Suspicious Traffic: A suspicious string was detected
-  not-suspicious: string-detect
-- '3': 2
-  Not Suspicious Traffic: A suspicious filename was detected
-  not-suspicious: suspicious-filename-detect
-- '3': 2
-  Not Suspicious Traffic: An attempted login using a suspicious username was detected
-  not-suspicious: suspicious-login
-- '3': 2
-  Not Suspicious Traffic: A system call was detected
-  not-suspicious: system-call-detect
-- '3': 4
-  Not Suspicious Traffic: A TCP connection was detected
-  not-suspicious: tcp-connection
-- '3': 1
-  Not Suspicious Traffic: A Network Trojan was detected
-  not-suspicious: trojan-activity
-- '3': 2
-  Not Suspicious Traffic: A client was using an unusual port
-  not-suspicious: unusual-client-port-connection
-- '3': 3
-  Not Suspicious Traffic: Detection of a Network Scan
-  not-suspicious: network-scan
-- '3': 2
-  Not Suspicious Traffic: Detection of a Denial of Service Attack
-  not-suspicious: denial-of-service
-- '3': 2
-  Not Suspicious Traffic: Detection of a non-standard protocol or event
-  not-suspicious: non-standard-protocol
-- '3': 3
-  Not Suspicious Traffic: Generic Protocol Command Decode
-  not-suspicious: protocol-command-decode
-- '3': 2
-  Not Suspicious Traffic: access to a potentially vulnerable web application
-  not-suspicious: web-application-activity
-- '3': 1
-  Not Suspicious Traffic: Web Application Attack
-  not-suspicious: web-application-attack
-- '3': 3
-  Not Suspicious Traffic: Misc activity
-  not-suspicious: misc-activity
-- '3': 2
-  Not Suspicious Traffic: Misc Attack
-  not-suspicious: misc-attack
-- '3': 3
-  Not Suspicious Traffic: Generic ICMP event
-  not-suspicious: icmp-event
-- '3': 1
-  Not Suspicious Traffic: Inappropriate Content was Detected
-  not-suspicious: inappropriate-content
-- '3': 1
-  Not Suspicious Traffic: Potential Corporate Privacy Violation
-  not-suspicious: policy-violation
-- '3': 2
-  Not Suspicious Traffic: Attempt to login by a default username and password
-  not-suspicious: default-login-attempt
-- '3': 1
-  Not Suspicious Traffic: Targeted Malicious Activity was Detected
-  not-suspicious: targeted-activity
-- '3': 1
-  Not Suspicious Traffic: Exploit Kit Activity Detected
-  not-suspicious: exploit-kit
-- '3': 2
-  Not Suspicious Traffic: Device Retrieving External IP Address Detected
-  not-suspicious: external-ip-check
-- '3': 1
-  Not Suspicious Traffic: Domain Observed Used for C2 Detected
-  not-suspicious: domain-c2
-- '3': 2
-  Not Suspicious Traffic: Possibly Unwanted Program Detected
-  not-suspicious: pup-activity
-- '3': 1
-  Not Suspicious Traffic: Successful Credential Theft Detected
-  not-suspicious: credential-theft
-- '3': 2
-  Not Suspicious Traffic: Possible Social Engineering Attempted
-  not-suspicious: social-engineering
-- '3': 2
-  Not Suspicious Traffic: Crypto Currency Mining Activity Detected
-  not-suspicious: coin-mining
-- '3': 1
-  Not Suspicious Traffic: Malware Command and Control Activity Detected
-  not-suspicious: command-and-control

salt/suricata/files/classification.config.jinja

@@ -5,6 +5,7 @@
 #
 {% for sn, details in suricata_defaults.suricata.classification.items() -%}
 {%   if not details -%}
+{%     set details = {} -%}
 {%     do details.update({'description': 'The description is not set', 'priority': '1'}) -%}
 {%   endif -%}
 config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}