From 3de2afe6189f4c989df3e0a9541445ed887aebba Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 17:29:11 -0400 Subject: [PATCH] Fix final bugs
---
 ...{broversion.map.jinja => zeekversion.map.jinja} | 0 salt/idstools/etc/rulecat.conf | 12 +++++++----- salt/zeek/init.sls | 6 ++++-- .../securityonion/file-extraction/extract.zeek | 14 ++++++++------ 4 files changed, 19 insertions(+), 13 deletions(-) rename salt/common/maps/{broversion.map.jinja => zeekversion.map.jinja} (100%)
diff --git a/salt/common/maps/broversion.map.jinja b/salt/common/maps/zeekversion.map.jinja
similarity index 100%
rename from salt/common/maps/broversion.map.jinja
rename to salt/common/maps/zeekversion.map.jinja
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 1957c6c13..5501c9b50 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,6 +1,6 @@
-{% set URLS = salt['pillar.get']('idstools:config:urls', {}) -%}
-{% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
-{% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
+{%- set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
+{%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
 --suricata-version=5.0
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
@@ -10,10 +10,12 @@
 {%- if RULESET == 'ETOPEN' %}
 --etopen
 {%- elif RULESET == 'ETPRO' %}
---etpro={{ OINKCODE }}
+--etpro={{ OINCODE }}
 {%- elif RULESET == 'TALOS' %}
 --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
 {%- endif %}
+{%- if URLS != None %}
 {%- for URL in URLS %}
 --url={{ URL }}
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
+{%- endif %}
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 7b91632c9..68908a2ce 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
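Review bot: The ETPRO branch in the second hunk of rulecat.conf now reads `{{ OINCODE }}`, but the variable set at the top of the file is `OINKCODE`; depending on how the renderer treats undefined names this either aborts rendering of the whole file or emits `--etpro=` with an empty key, so ETPRO deployments silently stop receiving rule updates. Restore `--etpro={{ OINKCODE }}`. The new `{%- if URLS != None %}` guard also never fires for an absent pillar key, because `pillar.get` without a default returns an empty string rather than None as far as I can tell; `{%- if URLS %}` covers both the missing and the empty case. Since the first hunk now defaults OINKCODE to `''`, it would be safer to fail the render when RULESET is ETPRO or TALOS and the code is empty than to write a config that quietly fetches nothing.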
@@ -43,7 +43,7 @@ zeekspooldir: file.directory: - name: /nsm/zeek/spool/manager - user: 937 - - makedirs: true + - makedirs: True # Zeek extracted zeekextractdir:
@@ -57,7 +57,7 @@ zeekextractcompletedir: file.directory: - name: /nsm/zeek/extracted/complete - user: 937 - - makedirs: true + - makedirs: True # Sync the policies zeekpolicysync:
@@ -75,6 +75,7 @@ zeekintelloadsync: - source: salt://zeek/policy/intel/__load__.zeek - user: 937 - group: 939 + - makedirs: True zeekctlcfg: file.managed:
@@ -186,3 +187,4 @@ so-zeek: - file: /opt/so/conf/zeek/zeekctl.cfg - file: /opt/so/conf/zeek/policy - file: /opt/so/conf/zeek/bpf + \ No newline at end of file
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index cf7b307ab..6f59ed447 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -1,4 +1,4 @@
-{%- from zeek/fileextraction_defaults.yaml import zeek %}
+{%- import_yaml "zeek/fileextraction_defaults.yaml" as zeek with context %}
 # Directory to stage Zeek extracted files before processing
 redef FileExtract::prefix = "/nsm/zeek/extracted/";
 # Set a limit to the file size
@@ -6,14 +6,16 @@ redef FileExtract::default_limit = 9000000;
 # These are the mimetypes we want to rip off the networks
 export {
 global _mime_whitelist: table[string] of string = {
-    {%- for li in zeek.policy.file_extraction %}
-    {%- for k,v in li %}
+    {%- for li in zeek.zeek.policy.file_extraction %}
 {%- if not loop.last %}
+    {%- for k,v in li.items() %}
 ["{{ k }}"] = "{{ v }}",
-    {%- else %}
-    ["{{ k }}"] = "{{ v }}"
-    {%- endif %}
 {%- endfor %}
+    {%- else %}
+    {%- for k,v in li.items() %}
+    ["{{ k }}"] = "{{ v }}"
+    {%- endfor %}
+    {%- endif %}
 {%- endfor %}
 };
 }
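Review bot: In the second hunk of extract.zeek the trailing-comma decision is made on the outer `loop.last` only, so for the last entry of `file_extraction` every `k, v` pair is written without a separator; if that entry is a mapping with more than one key the generated initializer reads `["a"] = "x" ["b"] = "y"`, which Zeek will not parse, and the whole extraction policy fails to load. Capturing the outer loop in a variable and deciding the comma per pair keeps the output valid for single- and multi-key entries alike. I have not checked whether `zeek/fileextraction_defaults.yaml` happens to use only single-key mappings, so this may be latent today. The values are also interpolated into double-quoted Zeek strings without escaping, so a quote in a mime type or extension in that file would break the script; that is a pre-existing property of the template rather than something this commit introduces.

```jinja
    {%- for li in zeek.zeek.policy.file_extraction %}
    {%- set outer = loop %}
    {%- for k,v in li.items() %}
    ["{{ k }}"] = "{{ v }}"{{ "," if not (outer.last and loop.last) else "" }}
    {%- endfor %}
    {%- endfor %}
```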