Suricata Salt Module - Add skeleton

2025-12-06 09:12:45 +01:00 · 2018-02-23 14:49:46 -05:00
parent 7032344fc9
commit 48b2ad505a
4 changed files with 54 additions and 2 deletions
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -69,7 +69,8 @@ so-steno:
    - image: toosmooth/so-steno:test2
    - network_mode: host
    - priviledged: true
-    - user: 941
+    - port_bindings:
+      - 127.0.0.1:1234:1234
    - binds:
      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
      - /opt/so/conf/steno/config:/etc/stenographer/config:rw
--- a/salt/pulledpork/init.sls
+++ b/salt/pulledpork/init.sls
@@ -27,6 +27,11 @@ rulesdir:
    - group: 939
    - makedirs: True

+ruleslink:
+  file.symlink:
+    - name: /opt/so/saltstack/salt/pulledpork/rules
+    - target: /opt/so/rules/nids
+
 toosmooth/so-pulledpork:test2:
  docker_image.present

--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -0,0 +1,46 @@
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Suricata
+ppdir:
+  file.directory:
+    - name: /opt/so/pulledpork
+    - user: 939
+    - group: 939
+
+rulesdir:
+  file.directory:
+    - name: /opt/so/rules/nids
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+ruleslink:
+  file.symlink:
+    - name: /opt/so/saltstack/salt/pulledpork/rules
+    - target: /opt/so/rules/nids
+
+toosmooth/so-pulledpork:test2:
+  docker_image.present
+
+so-pulledpork:
+  docker_container.running:
+    - image: toosmooth/so-pulledpork:test2
+    - hostname: so-pulledpork
+    - user: socore
+    - binds:
+      - /opt/so/pulledpork/etc:/opt/pulledpork/etc:ro
+      - /opt/so/rules/nids:/opt/so/rules/nids:rw
+    - network_mode: so-elastic-net
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -223,7 +223,7 @@ if (whiptail --title "Security Onion Setup" --yesno "Are you sure you want to in

    # Create the pillar file for the sensor
    touch /tmp/$HOSTNAME.sls
-    echo "sensor:" > /tmp/$HOSTNAME.sls
+    echo "sensors:" > /tmp/$HOSTNAME.sls
    echo "  interface: bond0" >> /tmp/$HOSTNAME.sls
    echo "  lbprocs: $LBPROCS" >> /tmp/$HOSTNAME.sls