merge eve-log in outputs for suricata meta data generation or zeek/default - https://github.com/Security-Onion-Solutions/securityonion/issues/584

This commit is contained in:
m0duspwnens
2020-06-22 16:56:03 -04:00
parent f1bcd35734
commit 36a329214a
5 changed files with 147 additions and 137 deletions


@@ -74,7 +74,7 @@ suricata:
- eve-log: - eve-log:
enabled: "yes" enabled: "yes"
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: /nsm/eve.json filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour rotate-interval: hour
#prefix: "@cee: " # prefix to prepend to each log entry #prefix: "@cee: " # prefix to prepend to each log entry
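Review bot: Nothing in this hunk retires the hourly files that the new strftime filename produces, so `/nsm` now accumulates one `eve-YYYY-MM-DD-HH:MM.json` per hour until the disk fills, whereas the old fixed `/nsm/eve.json` was a single file (assuming the right-hand column is the new side). Either document the external cleanup that is expected to prune them, or add a retention job in the same change; a reviewer cannot tell from this hunk that one exists. The `:` in the pattern is also worth a comment such as `# note: ':' in the name breaks scp/Windows shares and some shippers; prefer %H%M`, and any collector still pointed at the fixed `/nsm/eve.json` path (outside this diff) will need a glob. The enclosing `eve-log` output block continues past the hunk.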


@@ -0,0 +1 @@
{{ suricata | yaml(False) }}


@@ -1,6 +1,6 @@
{% import_yaml 'suricata/files/defaults3.yaml' as suricata_defaults with context %} {% import_yaml 'suricata/defaults3.yaml' as suricata_defaults with context %}
{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} {% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %}
{% set evelog_index = [] %} {% set default_evelog_index = [] %}
{% set hardware_header = 15 %} {% set hardware_header = 15 %}
{% set default_packet_size = salt['grains.filter_by']({ {% set default_packet_size = salt['grains.filter_by']({
@@ -15,22 +15,22 @@
}, },
},grain='id', merge=salt['pillar.get']('suricata')) %} },grain='id', merge=salt['pillar.get']('suricata')) %}
{% set meta_data = salt['pillar.filter_by']({ {# Find the index of eve-log so it can be updated later #}
'SURICATA': suricata_meta.suricata.lookup.outputs[0],
'default': suricata_defaults.suricata.lookup.outputs[1]
},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %}
{% do suricata_defaults.suricata.lookup.update(default_packet_size) %}
{% for li in suricata_defaults.suricata.lookup.outputs %} {% for li in suricata_defaults.suricata.lookup.outputs %}
{% for k, v in li.items() %} {% for k, v in li.items() %}
{% if k == 'eve-log' %} {% if k == 'eve-log' %}
{% do evelog_index.append(li) %} {% do default_evelog_index.append(loop.index) %}
{# do suricata_defaults.suricata.lookup.outputs[loop.index].update(meta_data) #}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% set default_evelog_index = default_evelog_index[0] %}
{% set meta_data = salt['pillar.filter_by']({
'SURICATA': suricata_meta.suricata.lookup.outputs[0],
'default': suricata_defaults.suricata.lookup.outputs[default_evelog_index]
},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %}
{# do suricata_defaults.suricata.lookup.outputs[0].update(meta_data) #} {% do suricata_defaults.suricata.lookup.update(default_packet_size) %}
{% do suricata_defaults.suricata.lookup.outputs[default_evelog_index].update(meta_data) %}
{% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %} {% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %}
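Review bot: `{% do default_evelog_index.append(loop.index) %}` records the wrong index: inside the nested `for k, v in li.items()` loop, Jinja's `loop` is the inner loop, so the value is the 1-based position of the `eve-log` key within that one-key mapping (always 1), not the position of the entry in `outputs`, and even the outer index would be 1-based while the later `outputs[default_evelog_index]` lookups are 0-based. It only works today because `eve-log` appears to be the second output, as the old hard-coded `outputs[1]` suggests, so the accidental `1` lines up; moving or inserting an output in defaults3.yaml would silently merge the meta data into the wrong sink. Replace the nested loop with `{% for li in suricata_defaults.suricata.lookup.outputs %}` / `{% if 'eve-log' in li %}{% do default_evelog_index.append(loop.index0) %}{% endif %}` / `{% endfor %}`, and note that `default_evelog_index[0]` raises an unhelpful IndexError if no `eve-log` output exists, so a guard with an explicit error message would help. The `default_packet_size` filter_by statement at the top of this hunk starts outside it.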

salt/suricata/test.sls Normal file

@@ -0,0 +1,9 @@
{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %}
test_suri_config:
file.managed:
- name: /tmp/test.yaml
- source: salt://suricata/files/test.jinja
- context:
suricata: {{ suricata | json }}
- template: jinja
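Review bot: `- name: /tmp/test.yaml` writes the fully rendered Suricata configuration, including every value merged in from pillar, to a predictable path in a world-writable directory with file.managed's default permissions, which makes it readable by any local user and lets an unprivileged user pre-create a symlink there that the root-run state would follow. If this state is meant to stay in the repo, add `- mode: '0600'` and `- follow_symlinks: False` (or use a path under a root-owned directory rather than `/tmp`); if it is only a scratch check for this commit, it should not ship alongside the production states. A one-line comment at the top stating its purpose would also help, since nothing in the file says why `/tmp/test.yaml` is produced.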