Merge pull request #12859 from Security-Onion-Solutions/issue/12637

Issue/12637
2026-01-12 03:03:09 +01:00 · 2024-04-24 15:44:37 -04:00
parent 428fe787c4 73b5bb1a75
commit 383420b554
6 changed files with 52 additions and 1 deletions
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -180,6 +180,8 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits:
+        - memlock=524288000
    'so-zeek':
      final_octet: 99
      custom_bind_mounts: []
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -63,5 +63,41 @@ docker:
    so-elastic-agent: *dockerOptions
    so-telegraf: *dockerOptions
    so-steno: *dockerOptions
-    so-suricata: *dockerOptions
+    so-suricata:
+      final_octet:
+        description: Last octet of the container IP address.
+        helpLink: docker.html
+        readonly: True
+        advanced: True
+        global: True
+      port_bindings:
+        description: List of port bindings for the container.
+        helpLink: docker.html
+        advanced: True
+        multiline: True
+        forcedType: "[]string"
+      custom_bind_mounts:
+        description: List of custom local volume bindings.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_hosts:
+        description: List of additional host entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_env:
+        description: List of additional ENV entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      ulimits:
+        description: Ulimits for the container, in bytes.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
    so-zeek: *dockerOptions
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -30,6 +30,7 @@ suricata:
      cluster-type: cluster_flow
      defrag: "yes"
      use-mmap: "yes"
+      mmap-locked: "no"
      threads: 1
      tpacket-v3: "yes"
      ring-size: 5000
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -24,6 +24,12 @@ so-suricata:
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    {% if DOCKER.containers['so-suricata'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
+      - {{ ULIMIT }}
+    {%   endfor %}
+    {% endif %}
    - binds:
      - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
      - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -34,6 +34,7 @@
  cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
  defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
  use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
+  mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
  threads: {{ SURICATAMERGED.config['af-packet'].threads }}
  tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
  ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -83,6 +83,11 @@ suricata:
      use-mmap:
        advanced: True
        readonly: True
+      mmap-locked:
+        description: Prevent swapping by locking the memory map.
+        advanced: True
+        regex: ^(yes|no)$
+        helpLink: suricata.html
      threads:
        description: The amount of worker threads.
        helpLink: suricata.html