From 0bd0c7b1ec09b86b460cf16d24b5d172bd9beaa4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 24 Apr 2024 13:26:25 -0400
Subject: [PATCH 1/4] allow for mmap-locked to be configured

---
 salt/suricata/defaults.yaml | 1 +
 salt/suricata/map.jinja | 1 +
 salt/suricata/soc_suricata.yaml | 5 +++++
 3 files changed, 7 insertions(+)

diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 914c045b1..fa863473a 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -30,6 +30,7 @@ suricata:
 cluster-type: cluster_flow
 defrag: "yes"
 use-mmap: "yes"
+ mmap-locked: "yes"
 threads: 1
 tpacket-v3: "yes"
 ring-size: 5000
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 2a3adf5f1..d9748acee 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -34,6 +34,7 @@
 cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
 defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
 use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
+ mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
 threads: {{ SURICATAMERGED.config['af-packet'].threads }}
 tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
 ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index b0a864329..a1847167c 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -83,6 +83,11 @@ suricata:
 use-mmap:
 advanced: True
 readonly: True
+ mmap-locked:
+ description: Prevent swapping by locking the memory map.
+ advanced: True
+ regex: ^(yes|no)$
+ helpLink: suricata.html
 threads:
 description: The amount of worker threads.
 helpLink: suricata.html

From 4b7f826a2a8ca44f5f6eb7d809b50fb09d2ba1c8 Mon Sep 17 00:00:00 2001
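Review bot: The `description` added for `mmap-locked` in the soc_suricata.yaml hunk tells the operator what the option does but not what it costs to turn on: as far as I recall Suricata only honours `mmap-locked: yes` when the process's RLIMIT_MEMLOCK is large enough to pin the af-packet rings, and otherwise the capture threads fail during ring setup rather than degrading quietly. Since this option is now editable from the UI, that precondition belongs in the text, e.g. `description: Prevent swapping by locking the af-packet memory map. Requires the so-suricata container's memlock ulimit to cover the af-packet ring buffers; capture threads fail to start otherwise.` The `regex: ^(yes|no)$` is the right guard given that the value is rendered into suricata.yaml as a string, so the description could also say the value is a yes/no string rather than a boolean.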
From: m0duspwnens
Date: Wed, 24 Apr 2024 13:29:55 -0400
Subject: [PATCH 2/4] quote is so true becomes yes

---
 salt/suricata/map.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index d9748acee..a5012317a 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -34,7 +34,7 @@
 cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
 defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
 use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
- mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
+ mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
 threads: {{ SURICATAMERGED.config['af-packet'].threads }}
 tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
 ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}

From 13a6520a8ca3ab753906f837b1d767b4e8b548ea Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 24 Apr 2024 13:50:12 -0400
Subject: [PATCH 3/4] mmap-locked default no

---
 salt/suricata/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index fa863473a..d819d1cf9 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -30,7 +30,7 @@ suricata:
 cluster-type: cluster_flow
 defrag: "yes"
 use-mmap: "yes"
- mmap-locked: "yes"
+ mmap-locked: "no"
 threads: 1
 tpacket-v3: "yes"
 ring-size: 5000

From 73b5bb1a75312b0c7a712c0ae1cde30f01fa26fd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 24 Apr 2024 15:35:17 -0400
Subject: [PATCH 4/4] add memlock to so-suricata container

---
 salt/docker/defaults.yaml | 2 ++
 salt/docker/soc_docker.yaml | 38 ++++++++++++++++++++++++++++++++++++-
 salt/suricata/enabled.sls | 6 ++++++
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 2ceaecaa7..b1d3b4e44 100644
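Review bot: The quotes added around the `mmap-locked` expression in map.jinja are what keep the rendered value a literal yes/no string (per the commit message, a bare value was coming out as `true`), yet nothing in the template says so, and the same reason applies to the already-quoted `defrag`, `use-mmap` and `tpacket-v3` siblings while `threads` and `ring-size` are deliberately bare. A one-line Jinja comment above the group, `{# yes/no options are quoted so they render as strings, not YAML booleans #}`, would stop a later cleanup from "normalising" the quoting in either direction. The enclosing af-packet mapping starts before this hunk.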
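Review bot: Flipping the default to `mmap-locked: "no"` in defaults.yaml is the safe choice, but the reason is not recorded next to the value, and it is not obvious from the surrounding keys why this one af-packet toggle is off while `use-mmap` and `tpacket-v3` are on. A short comment would carry the rationale, e.g. `# "no" by default: "yes" pins the af-packet rings and only works if the so-suricata container's memlock ulimit covers them`. If that claim about the ulimit dependency matches the reviewer's understanding of Suricata's mlock handling, the comment should also point at where the container limit is set so the two stay in sync.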
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -180,6 +180,8 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits:
+ - memlock=524288000
 'so-zeek':
 final_octet: 99
 custom_bind_mounts: []
diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
index da078941a..08e0dccc5 100644
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -63,5 +63,41 @@ docker:
 so-elastic-agent: *dockerOptions
 so-telegraf: *dockerOptions
 so-steno: *dockerOptions
- so-suricata: *dockerOptions
+ so-suricata:
+ final_octet:
+ description: Last octet of the container IP address.
+ helpLink: docker.html
+ readonly: True
+ advanced: True
+ global: True
+ port_bindings:
+ description: List of port bindings for the container.
+ helpLink: docker.html
+ advanced: True
+ multiline: True
+ forcedType: "[]string"
+ custom_bind_mounts:
+ description: List of custom local volume bindings.
+ advanced: True
+ helpLink: docker.html
+ multiline: True
+ forcedType: "[]string"
+ extra_hosts:
+ description: List of additional host entries for the container.
+ advanced: True
+ helpLink: docker.html
+ multiline: True
+ forcedType: "[]string"
+ extra_env:
+ description: List of additional ENV entries for the container.
+ advanced: True
+ helpLink: docker.html
+ multiline: True
+ forcedType: "[]string"
+ ulimits:
+ description: Ulimits for the container, in bytes.
+ advanced: True
+ helpLink: docker.html
+ multiline: True
+ forcedType: "[]string"
 so-zeek: *dockerOptions
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index d35160527..8520187d0 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
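Review bot: The new `memlock=524288000` entry in docker/defaults.yaml is a bare magic number: nothing says it is bytes, that it is 500 MiB, that it is meant to cover the af-packet rings when `mmap-locked` is "yes", or that it is applied to the container whether or not that option is on. Raising RLIMIT_MEMLOCK lets the container pin that much host RAM, so the cap should read as a deliberate ceiling, e.g. `# memlock limit in bytes (500 MiB): RLIMIT_MEMLOCK for the so-suricata container, sized to cover the af-packet rings when suricata af-packet mmap-locked is "yes"; applied unconditionally`. If Salt's docker_container `ulimits` handling sets hard equal to soft when only one value is given, as I believe it does, the comment should say that too, since an operator who only bumps the soft value would otherwise be surprised.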
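Review bot: The `description: Ulimits for the container, in bytes.` added for `ulimits` in soc_docker.yaml is wrong for most limits: the entries are `name=soft[:hard]` strings and the unit depends on the name (memlock is bytes, nofile and nproc are counts), so an operator reading "in bytes" and setting `nofile` will get a nonsensical value accepted by the UI. Suggest `description: List of ulimits for the container, each as name=soft[:hard] (e.g. memlock=524288000); units depend on the limit.` This list is now operator-editable and passed straight through to the container runtime, so if the SOC schema applies `regex` per list entry as it does for `mmap-locked`, a guard such as `regex: ^[a-z]+=\d+(:\d+)?$` would reject malformed entries before Salt fails the state. Separately, copying the whole `dockerOptions` block rather than merging it means any later change to that anchor silently skips so-suricata; if the config loader supports `<<: *dockerOptions` that would be the more maintainable shape, but I cannot confirm that from this hunk.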
@@ -24,6 +24,12 @@ so-suricata:
 - {{ XTRAENV }}
 {% endfor %}
 {% endif %}
+ {% if DOCKER.containers['so-suricata'].ulimits %}
+ - ulimits:
+ {% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
+ - {{ ULIMIT }}
+ {% endfor %}
+ {% endif %}
 - binds:
 - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
 - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
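Review bot: The `ulimits` block added to the so-suricata state in enabled.sls is the only thing connecting the container's memlock limit to the new `mmap-locked` option, but the two are independent settings with no check between them: an operator who empties `ulimits` through the UI (the `if` guard then drops the whole block) while `mmap-locked` is "yes" gets a container that starts and, as far as I understand Suricata's ring setup, capture threads that fail to lock their rings. At minimum a Jinja comment above the guard should state the coupling, e.g. `{# memlock ulimit must cover the af-packet rings whenever suricata af-packet mmap-locked is "yes"; see docker defaults #}`, and a follow-up could fail the state early when `mmap-locked` is "yes" and no memlock entry is present. The unquoted `- {{ ULIMIT }}` is consistent with the `- {{ XTRAENV }}` context line above and renders as a plain string for `name=soft[:hard]` values. The `so-suricata` docker_container state this hunk sits in begins before the hunk.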