diff --git a/salt/suricata/defaults3.yaml b/salt/suricata/defaults3.yaml
index e523f2445..7a5eae178 100644
--- a/salt/suricata/defaults3.yaml
+++ b/salt/suricata/defaults3.yaml
@@ -74,7 +74,7 @@ suricata:
- eve-log:
enabled: "yes"
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
- filename: /nsm/eve.json
+ filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour
#prefix: "@cee: " # prefix to prepend to each log entry
diff --git a/salt/suricata/files/test.jinja b/salt/suricata/files/test.jinja
new file mode 100644
index 000000000..3a024390a
--- /dev/null
+++ b/salt/suricata/files/test.jinja
@@ -0,0 +1 @@
+{{ suricata | yaml(False) }}
\ No newline at end of file
diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja
index 7eeb8379d..38439e940 100644
--- a/salt/suricata/suricata_config.map.jinja
+++ b/salt/suricata/suricata_config.map.jinja
@@ -1,6 +1,6 @@
-{% import_yaml 'suricata/files/defaults3.yaml' as suricata_defaults with context %}
+{% import_yaml 'suricata/defaults3.yaml' as suricata_defaults with context %}
{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %}
-{% set evelog_index = [] %}
+{% set default_evelog_index = [] %}
{% set hardware_header = 15 %}
{% set default_packet_size = salt['grains.filter_by']({
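Review bot: The new `filename: /nsm/eve-%Y-%m-%d-%H:%M.json` turns the single fixed output path into a timestamped series, but nothing in this commit updates whatever consumes `/nsm/eve.json` (log-shipper inputs, logrotate rules), so alert ingestion can silently stop until those consumers are pointed at a glob such as `/nsm/eve-*.json` — a detection gap rather than a housekeeping detail. As far as I know Suricata rotates but never deletes, so with `rotate-interval: hour` a retention job is needed or `/nsm` fills up unless something elsewhere already prunes it. If rotation is clock-aligned the `%M` part only varies for the first file after startup, and the `:` makes the name awkward for tooling that copies logs to filesystems that reject colons, so `%H.json` may be the better pattern. Please add a comment above the key naming the consumers that were updated, e.g. `# rotated hourly; readers must use /nsm/eve-*.json`.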
@@ -15,22 +15,22 @@
},
},grain='id', merge=salt['pillar.get']('suricata')) %}
-{% set meta_data = salt['pillar.filter_by']({
- 'SURICATA': suricata_meta.suricata.lookup.outputs[0],
- 'default': suricata_defaults.suricata.lookup.outputs[1]
-},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %}
-
-{% do suricata_defaults.suricata.lookup.update(default_packet_size) %}
+{# Find the index of eve-log so it can be updated later #}
{% for li in suricata_defaults.suricata.lookup.outputs %}
{% for k, v in li.items() %}
{% if k == 'eve-log' %}
- {% do evelog_index.append(li) %}
- {# do suricata_defaults.suricata.lookup.outputs[loop.index].update(meta_data) #}
+ {% do default_evelog_index.append(loop.index) %}
{% endif %}
{% endfor %}
{% endfor %}
+{% set default_evelog_index = default_evelog_index[0] %}
+{% set meta_data = salt['pillar.filter_by']({
+ 'SURICATA': suricata_meta.suricata.lookup.outputs[0],
+ 'default': suricata_defaults.suricata.lookup.outputs[default_evelog_index]
+},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %}
-{# do suricata_defaults.suricata.lookup.outputs[0].update(meta_data) #}
+{% do suricata_defaults.suricata.lookup.update(default_packet_size) %}
+{% do suricata_defaults.suricata.lookup.outputs[default_evelog_index].update(meta_data) %}
{% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %}
\ No newline at end of file
diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_meta.yaml
index b052a3c9b..747e9b8f9 100644
--- a/salt/suricata/suricata_meta.yaml
+++ b/salt/suricata/suricata_meta.yaml
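Review bot: `{% do default_evelog_index.append(loop.index) %}` records the wrong index: inside the nested `{% for k, v in li.items() %}`, `loop` is the inner loop, so the value is the 1-based position of the `eve-log` key within that item (1 for a single-key entry), not the position of the item in `outputs`, and it is 1-based where `outputs[...]` needs a 0-based index. Assuming each `outputs` item is a single-key mapping, as the `- eve-log:` entry in the defaults3.yaml hunk suggests, this always yields `outputs[1]` — the same element the removed code hard-coded — so the defect is masked in the default layout and only surfaces once eve-log is not the second entry. Capture the outer loop before the inner one with `{% set outer_loop = loop %}` and append `outer_loop.index0` instead. The `default_evelog_index[0]` on the following added line raises an unhelpful error when no eve-log entry exists; a guard with an explicit message would make that failure readable.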
@@ -1,136 +1,136 @@ suricata: lookup: outputs: - - eve-log: - - anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - enabled: "no" - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. 
- types: - decode: "no" - stream: "no" - applayer: "yes" - packethdr: "no" - - http: - extended: "yes" # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format + - eve-log: + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is disabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # enabled. 
+ enabled: "no" + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + decode: "no" + stream: "no" + applayer: "yes" + packethdr: "no" + - http: + extended: "yes" # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + # set this value to one and only one among {both, request, response} + # to dump all http headers for every http request and/or response + # dump-all-headers: none + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - version: 2 + # As of Suricata 5.0, version 2 of the eve dns output + # format is the default. + version: 2 - # Enable/disable this logger. Default: enabled. - enabled: "yes" + # Enable/disable this logger. Default: enabled. + enabled: "yes" - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: "no" - #responses: "no" + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: "no" + #responses: "no" - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] - # Types to log, based on the query type. - # Default: all. - #types: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: "yes" # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: "no" - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - - files: - force-magic: "no" # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: "yes" # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. + # Types to log, based on the query type. + # Default: all. 
+ #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: "yes" # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: "no" + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + - files: + force-magic: "no" # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: "yes" # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. - - smtp: - extended: "yes" # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] + - smtp: + extended: "yes" # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] - - dnp3 - - ftp - 
- rdp - - nfs - - smb - - tftp - - ikev2 - - krb5 - - snmp - - sip - - dhcp: - enabled: "yes" - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: "no" - - ssh - #- stats: - # totals: "yes" # stats for all threads merged together - # threads: "no" # per thread stats - # deltas: "no" # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow + - dnp3 + - ftp + - rdp + - nfs + - smb + - tftp + - ikev2 + - krb5 + - snmp + - sip + - dhcp: + enabled: "yes" + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + # extended: "no" + - ssh + #- stats: + # totals: "yes" # stats for all threads merged together + # threads: "no" # per thread stats + # deltas: "no" # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow - # Metadata event type. Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata \ No newline at end of file + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata \ No newline at end of file diff --git a/salt/suricata/test.sls b/salt/suricata/test.sls new file mode 100644 index 000000000..118e76950 --- /dev/null +++ b/salt/suricata/test.sls @@ -0,0 +1,9 @@ +{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %} + +test_suri_config: + file.managed: + - name: /tmp/test.yaml + - source: salt://suricata/files/test.jinja + - context: + suricata: {{ suricata | json }} + - template: jinja \ No newline at end of file
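Review bot: `- name: /tmp/test.yaml` writes the fully rendered Suricata configuration to a fixed, predictable path in a shared directory with no `user` or `mode`, so it is created with the minion's default permissions and is readable by any local account; because `file.managed` runs as root, a file or symlink already present at that path is also a concern, depending on `follow_symlinks`. If this state is meant to stay in the tree, add `- mode: '0600'` and `- user: root`, or write under a directory the state owns instead of `/tmp`, and make sure `test.sls` and `files/test.jinja` are not reachable from `top.sls` in production. Note that the import re-binds `suricata_defaults` — the pre-pillar-merge data — as `suricata`, not `suricata_yaml`; a one-line comment saying which of the two is intended would help the next reader.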