Merge pull request #10245 from Security-Onion-Solutions/2.4/Fix_zeek_idstools

2.4/fix zeek idstools

pillar/top.sls

@@ -18,7 +18,8 @@ base:
 
   '*_eval or *_heavynode or *_sensor or *_standalone or *_import':
     - match: compound
-    - zeek
+    - zeek.soc_zeek
+    - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
 

salt/idstools/soc_idstools.yaml

@@ -1,12 +1,14 @@
 idstools:
   config:
     oinkcode:
-      description: Enter your registration code for paid rulesets.
+      description: Enter your registration/oink code for paid NIDS rulesets.
+      title: registraion code
       global: True
       helpLink: rules.html
     ruleset:
-      description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
+      description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
       global: True
+      regex:  ETPRO\b|ETOPEN\b
       helpLink: rules.html
     urls:
       description: This is a list of additional rule download locations.
@@ -14,20 +16,28 @@ idstools:
       helpLink: rules.html
   sids:
     disabled:
-      description: List of SIDS that you want to disable.
+      description: Contains the list of NIDS rules manually disabled across the grid. To disable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To disable multiple rules, you can use regular expressions.
       global: True
+      multiline: True
+      forcedType: "[]string"
+      regex: \d*|re:.*
       helpLink: managing-alerts.html
     enabled:
-      description: List of SIDS that are disabled by the rule source that you want to enable.
+      description: Contains the list of NIDS rules manually enabled across the grid. To enable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To enable multiple rules, you can use regular expressions.
       global: True
+      multiline: True
+      forcedType: "[]string"
+      regex: \d*|re:.*
       helpLink: managing-alerts.html
     modify:
-      description: List of SIDS that you want to modify.
+      description: Contains the list of NIDS rules that were modified from their default values. Entries must adhere to the following format - SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"
       global: True
+      multiline: True
+      forcedType: "[]string"
       helpLink: managing-alerts.html
   rules:
     local__rules:
-      description: This is where custom Suricata rules are entered.
+      description: Contains the list of custom NIDS rules applied to the grid. To add custom NIDS rules to the grid, enter one rule per line in the Current Grid Value box.
       file: True
       global: True
       advanced: True

salt/zeek/files/node.cfg.jinja

@@ -16,10 +16,10 @@ type=worker
 host=localhost
 interface=af_packet::{{ NODE.interface }}
 lb_method=custom
-  {%- if NODE.lb_procs %}
+  {%- if NODE.pins %}
-lb_procs={{ NODE.lb_procs }}
-    {%- else %}
 lb_procs={{ NODE.pins | length }}
+    {%- else %}
+lb_procs={{ NODE.lb_procs }}
   {%- endif %}
   {%- if NODE.pins %}
 pin_cpus={{ NODE.pins | join(", ") }}

salt/zeek/soc_zeek.yaml

@@ -6,30 +6,36 @@ zeek:
   config:
     local:
       load:
-        description: List of Zeek policies to load
+        description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
         forcedType: "[]string"
         helpLink: zeek.html
       load-sigs:
-        description: List of Zeek signatures to load
+        description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
         forcedType: "[]string"
         helpLink: zeek.html
       redef:
-        description: List of Zeek variables to redefine
+        description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
         forcedType: "[]string"
         advanced: True
         helpLink: zeek.html
     node:
       lb_procs:
-        description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
+        description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
+        title: workers
         helpLink: zeek.html
         node: True
       pins_enabled:
         description: Enabling this setting allows you to pin Zeek to specific CPUs.
+        title: cpu affinity enabled
+        forcedType: bool
         helpLink: zeek.html
         node: True
         advanced: True
       pins:
-        description: This is a list of CPUs you want to pin Zeek to.
+        description: Contains a list of specific CPU cores pinned to Zeek workers. To set the CPU affinity, enter the processor ID number in the dialog box for the desired node. To retrieve the processor ID numbers, run the command "cat /proc/cpuinfo | grep processor" on the desired node. Please note that this setting should only be applied to individual nodes.
+        title: cpu affinity
+        multiline: True
+        forcedType: "[]string"
         helpLink: zeek.html
         node: True
         advanced: True
@@ -47,5 +53,5 @@ zeek:
           global: True
           advanced: True
   file_extraction:
-    description: This is a list of MIME types that Zeek will extract from the network streams.
+    description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENTION"}
     helpLink: zeek.html