merge eve-log in outputs for suricata meta data generation or zeek/default - https://github.com/Security-Onion-Solutions/securityonion/issues/584

This commit is contained in:
m0duspwnens
2020-06-22 16:56:03 -04:00
parent f1bcd35734
commit 36a329214a
5 changed files with 147 additions and 137 deletions


@@ -74,7 +74,7 @@ suricata:
- eve-log: - eve-log:
enabled: "yes" enabled: "yes"
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: /nsm/eve.json filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour rotate-interval: hour
#prefix: "@cee: " # prefix to prepend to each log entry #prefix: "@cee: " # prefix to prepend to each log entry
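Review bot: The new `filename: /nsm/eve-%Y-%m-%d-%H:%M.json` turns the eve output path into a time-dependent name, so anything still configured to read the fixed `/nsm/eve.json` (a log shipper or the ingestion side this commit refers to) stops receiving events unless it is switched to a pattern such as `/nsm/eve-*.json`; none of the five files in this commit touches such a consumer, so confirm that is handled elsewhere. With `rotate-interval: hour` the `%M` component appears to add only the start-up minute to the first file and `:00` to the later ones, and the `:` it introduces is awkward in paths that pass through colon-separated lists or get copied to non-POSIX filesystems; `/nsm/eve-%Y-%m-%d-%H.json` would avoid both. A comment above `rotate-interval` stating the expectation, e.g. `# one file per hour; rotated files are not pruned here`, would document the retention assumption. The enclosing `eve-log` mapping starts and continues outside this hunk.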


@@ -0,0 +1 @@
{{ suricata | yaml(False) }}


@@ -1,6 +1,6 @@
{% import_yaml 'suricata/files/defaults3.yaml' as suricata_defaults with context %} {% import_yaml 'suricata/defaults3.yaml' as suricata_defaults with context %}
{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} {% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %}
{% set evelog_index = [] %} {% set default_evelog_index = [] %}
{% set hardware_header = 15 %} {% set hardware_header = 15 %}
{% set default_packet_size = salt['grains.filter_by']({ {% set default_packet_size = salt['grains.filter_by']({
@@ -15,22 +15,22 @@
}, },
},grain='id', merge=salt['pillar.get']('suricata')) %} },grain='id', merge=salt['pillar.get']('suricata')) %}
{% set meta_data = salt['pillar.filter_by']({ {# Find the index of eve-log so it can be updated later #}
'SURICATA': suricata_meta.suricata.lookup.outputs[0],
'default': suricata_defaults.suricata.lookup.outputs[1]
},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %}
{% do suricata_defaults.suricata.lookup.update(default_packet_size) %}
{% for li in suricata_defaults.suricata.lookup.outputs %} {% for li in suricata_defaults.suricata.lookup.outputs %}
{% for k, v in li.items() %} {% for k, v in li.items() %}
{% if k == 'eve-log' %} {% if k == 'eve-log' %}
{% do evelog_index.append(li) %} {% do default_evelog_index.append(loop.index) %}
{# do suricata_defaults.suricata.lookup.outputs[loop.index].update(meta_data) #}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% set default_evelog_index = default_evelog_index[0] %}
{% set meta_data = salt['pillar.filter_by']({
'SURICATA': suricata_meta.suricata.lookup.outputs[0],
'default': suricata_defaults.suricata.lookup.outputs[default_evelog_index]
},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %}
{# do suricata_defaults.suricata.lookup.outputs[0].update(meta_data) #} {% do suricata_defaults.suricata.lookup.update(default_packet_size) %}
{% do suricata_defaults.suricata.lookup.outputs[default_evelog_index].update(meta_data) %}
{% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %} {% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %}
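Review bot: `{% do default_evelog_index.append(loop.index) %}` sits inside the inner `for k, v in li.items()` loop, where Jinja's `loop` refers to the innermost loop, so it records the 1-based position of the key within that mapping (1 for every single-key entry) rather than the position of the entry in `outputs`; since `eve-log` is the first entry in defaults3.yaml, the later `outputs[default_evelog_index]` lookup and `.update(meta_data)` would then target the second output instead of eve-log. Capture the outer loop and use its zero-based index: add `{% set outer = loop %}` as the first line of the outer loop body and change the append to `{% do default_evelog_index.append(outer.index0) %}`. `{% set default_evelog_index = default_evelog_index[0] %}` also raises if no `eve-log` entry exists; either guard it or state the assumption, e.g. `{# assumes defaults3.yaml always contains an eve-log output #}`. The template continues past this hunk.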


@@ -1,136 +1,136 @@
suricata: suricata:
lookup: lookup:
outputs: outputs:
- eve-log: - eve-log:
- anomaly: - anomaly:
# Anomaly log records describe unexpected conditions such # Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP # as truncated packets, packets with invalid IP/UDP/TCP
# length values, and other events that render the packet # length values, and other events that render the packet
# invalid for further processing or describe unexpected # invalid for further processing or describe unexpected
# behavior on an established stream. Networks which # behavior on an established stream. Networks which
# experience high occurrences of anomalies may experience # experience high occurrences of anomalies may experience
# packet processing degradation. # packet processing degradation.
# #
# Anomalies are reported for the following: # Anomalies are reported for the following:
# 1. Decode: Values and conditions that are detected while # 1. Decode: Values and conditions that are detected while
# decoding individual packets. This includes invalid or # decoding individual packets. This includes invalid or
# unexpected values for low-level protocol lengths as well # unexpected values for low-level protocol lengths as well
# as stream related events (TCP 3-way handshake issues, # as stream related events (TCP 3-way handshake issues,
# unexpected sequence number, etc). # unexpected sequence number, etc).
# 2. Stream: This includes stream related events (TCP # 2. Stream: This includes stream related events (TCP
# 3-way handshake issues, unexpected sequence number, # 3-way handshake issues, unexpected sequence number,
# etc). # etc).
# 3. Application layer: These denote application layer # 3. Application layer: These denote application layer
# specific conditions that are unexpected, invalid or are # specific conditions that are unexpected, invalid or are
# unexpected given the application monitoring state. # unexpected given the application monitoring state.
# #
# By default, anomaly logging is disabled. When anomaly # By default, anomaly logging is disabled. When anomaly
# logging is enabled, applayer anomaly reporting is # logging is enabled, applayer anomaly reporting is
# enabled. # enabled.
enabled: "no" enabled: "no"
# #
# Choose one or more types of anomaly logging and whether to enable # Choose one or more types of anomaly logging and whether to enable
# logging of the packet header for packet anomalies. # logging of the packet header for packet anomalies.
types: types:
decode: "no" decode: "no"
stream: "no" stream: "no"
applayer: "yes" applayer: "yes"
packethdr: "no" packethdr: "no"
- http: - http:
extended: "yes" # enable this for extended logging information extended: "yes" # enable this for extended logging information
# custom allows additional http fields to be included in eve-log # custom allows additional http fields to be included in eve-log
# the example below adds three additional fields when uncommented # the example below adds three additional fields when uncommented
#custom: [Accept-Encoding, Accept-Language, Authorization] #custom: [Accept-Encoding, Accept-Language, Authorization]
# set this value to one and only one among {both, request, response} # set this value to one and only one among {both, request, response}
# to dump all http headers for every http request and/or response # to dump all http headers for every http request and/or response
# dump-all-headers: none # dump-all-headers: none
- dns: - dns:
# This configuration uses the new DNS logging format, # This configuration uses the new DNS logging format,
# the old configuration is still available: # the old configuration is still available:
# https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
# As of Suricata 5.0, version 2 of the eve dns output # As of Suricata 5.0, version 2 of the eve dns output
# format is the default. # format is the default.
version: 2 version: 2
# Enable/disable this logger. Default: enabled. # Enable/disable this logger. Default: enabled.
enabled: "yes" enabled: "yes"
# Control logging of requests and responses: # Control logging of requests and responses:
# - requests: enable logging of DNS queries # - requests: enable logging of DNS queries
# - responses: enable logging of DNS answers # - responses: enable logging of DNS answers
# By default both requests and responses are logged. # By default both requests and responses are logged.
#requests: "no" #requests: "no"
#responses: "no" #responses: "no"
# Format of answer logging: # Format of answer logging:
# - detailed: array item per answer # - detailed: array item per answer
# - grouped: answers aggregated by type # - grouped: answers aggregated by type
# Default: all # Default: all
#formats: [detailed, grouped] #formats: [detailed, grouped]
# Types to log, based on the query type. # Types to log, based on the query type.
# Default: all. # Default: all.
#types: [a, aaaa, cname, mx, ns, ptr, txt] #types: [a, aaaa, cname, mx, ns, ptr, txt]
- tls: - tls:
extended: "yes" # enable this for extended logging information extended: "yes" # enable this for extended logging information
# output TLS transaction where the session is resumed using a # output TLS transaction where the session is resumed using a
# session id # session id
#session-resumption: "no" #session-resumption: "no"
# custom allows to control which tls fields that are included # custom allows to control which tls fields that are included
# in eve-log # in eve-log
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
- files: - files:
force-magic: "no" # force logging magic on all logged files force-magic: "no" # force logging magic on all logged files
# force logging of checksums, available hash functions are md5, # force logging of checksums, available hash functions are md5,
# sha1 and sha256 # sha1 and sha256
#force-hash: [md5] #force-hash: [md5]
#- drop: #- drop:
# alerts: "yes" # log alerts that caused drops # alerts: "yes" # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop # flows: all # start or all: 'start' logs only a single drop
# # per flow direction. All logs each dropped pkt. # # per flow direction. All logs each dropped pkt.
- smtp: - smtp:
extended: "yes" # enable this for extended logging information extended: "yes" # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent # this includes: bcc, message-id, subject, x_mailer, user-agent
# custom fields logging from the list: # custom fields logging from the list:
# reply-to, bcc, message-id, subject, x-mailer, user-agent, received, # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
# x-originating-ip, in-reply-to, references, importance, priority, # x-originating-ip, in-reply-to, references, importance, priority,
# sensitivity, organization, content-md5, date # sensitivity, organization, content-md5, date
#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
# output md5 of fields: body, subject # output md5 of fields: body, subject
# for the body you need to set app-layer.protocols.smtp.mime.body-md5 # for the body you need to set app-layer.protocols.smtp.mime.body-md5
# to yes # to yes
#md5: [body, subject] #md5: [body, subject]
- dnp3 - dnp3
- ftp - ftp
- rdp - rdp
- nfs - nfs
- smb - smb
- tftp - tftp
- ikev2 - ikev2
- krb5 - krb5
- snmp - snmp
- sip - sip
- dhcp: - dhcp:
enabled: "yes" enabled: "yes"
# When extended mode is on, all DHCP messages are logged # When extended mode is on, all DHCP messages are logged
# with full detail. When extended mode is off (the # with full detail. When extended mode is off (the
# default), just enough information to map a MAC address # default), just enough information to map a MAC address
# to an IP address is logged. # to an IP address is logged.
# extended: "no" # extended: "no"
- ssh - ssh
#- stats: #- stats:
# totals: "yes" # stats for all threads merged together # totals: "yes" # stats for all threads merged together
# threads: "no" # per thread stats # threads: "no" # per thread stats
# deltas: "no" # include delta values # deltas: "no" # include delta values
# bi-directional flows # bi-directional flows
- flow - flow
# uni-directional flows # uni-directional flows
#- netflow #- netflow
# Metadata event type. Triggered whenever a pktvar is saved # Metadata event type. Triggered whenever a pktvar is saved
# and will include the pktvars, flowvars, flowbits and # and will include the pktvars, flowvars, flowbits and
# flowints. # flowints.
#- metadata #- metadata

9
salt/suricata/test.sls Normal file

@@ -0,0 +1,9 @@
{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %}
test_suri_config:
file.managed:
- name: /tmp/test.yaml
- source: salt://suricata/files/test.jinja
- context:
suricata: {{ suricata | json }}
- template: jinja
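Review bot: `test_suri_config` writes the rendered Suricata configuration to the fixed path `/tmp/test.yaml` with no `user`, `group` or `mode`, so it lands in a world-readable shared directory with whatever mode the default gives; if the state is meant to stay in the tree, set an explicit `mode: "0640"` and a destination under the managed configuration directory rather than `/tmp`, and if it is the debugging aid its name suggests it should not be merged at all. The state also imports `suricata_defaults`, which in the map file is the value before the `pillar.get('suricata', ..., merge=True)` merge, so the file it produces is not the effective configuration; `suricata_yaml` appears to be the variable to render for that. A header comment such as `{# Debug state: renders the suricata output defaults to /tmp/test.yaml for inspection #}` would make the intent explicit.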