From eb633be437bc2dd80b3ac68d6f58ddeb9bd30edd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 22 May 2023 17:48:22 -0400
Subject: [PATCH 1/2] enable/disable suricata in ui. assign threads properly
---
 salt/manager/tools/sbin/so-minion | 1 +
 salt/suricata/config.sls | 163 +++++++++++++
 salt/suricata/defaults.yaml | 3 +-
 salt/suricata/disabled.sls | 32 +++
 salt/suricata/enabled.sls | 62 +++++
 salt/suricata/init.sls | 227 +----------------
 salt/suricata/map.jinja | 68 +++++-
 salt/suricata/soc_suricata.yaml | 3 +
 salt/suricata/sostatus.sls | 21 ++
 salt/suricata/suricata_config.map.jinja | 56 -----
 ...icata_meta.yaml => suricata_mdengine.yaml} | 0
 11 files changed, 348 insertions(+), 288 deletions(-)
 create mode 100644 salt/suricata/config.sls
 create mode 100644 salt/suricata/disabled.sls
 create mode 100644 salt/suricata/enabled.sls
 create mode 100644 salt/suricata/sostatus.sls
 delete mode 100644 salt/suricata/suricata_config.map.jinja
 rename salt/suricata/{suricata_meta.yaml => suricata_mdengine.yaml} (100%)
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 0ba62e4b7..66236492c 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -230,6 +230,7 @@ function add_sensor_to_minion() {
 echo " node:" >> $PILLARFILE
 echo " lb_procs: '$CORECOUNT'" >> $PILLARFILE
 echo "suricata:" >> $PILLARFILE
+ echo " enabled: True " >> $PILLARFILE
 echo " config:" >> $PILLARFILE
 echo " af-packet:" >> $PILLARFILE
 echo " threads: '$CORECOUNT'" >> $PILLARFILE
diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls
new file mode 100644
index 000000000..c8666ef2b
--- /dev/null
+++ b/salt/suricata/config.sls
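Review bot: The added `echo " enabled: True " >> $PILLARFILE` has a trailing space before the closing quote, unlike every neighbouring `echo`, so the new pillar key is written with trailing whitespace; dropping the space before the quote keeps the generated YAML consistent with the other lines. This path only runs for sensors created through add_sensor_to_minion after the change, so a sensor whose pillar predates it has no `enabled` key and falls back to whatever defaults.yaml declares — worth stating in a comment here if that is intended. add_sensor_to_minion starts and ends outside the hunk.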
@@ -0,0 +1,163 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
+{% from 'suricata/map.jinja' import SURICATAMERGED %}
+{% set BPF_STATUS = 0 %}
+
+# Add Suricata Group
+suricatagroup:
+ group.present:
+ - name: suricata
+ - gid: 940
+
+# Add Suricata user
+suricata:
+ user.present:
+ - uid: 940
+ - gid: 940
+ - home: /nsm/suricata
+ - createhome: False
+
+socoregroupwithsuricata:
+ group.present:
+ - name: socore
+ - gid: 939
+ - addusers:
+ - suricata
+
+suricata_sbin:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://suricata/tools/sbin
+ - user: 939
+ - group: 939
+ - file_mode: 755
+
+suricata_sbin_jinja:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://suricata/tools/sbin_jinja
+ - user: 939
+ - group: 939
+ - file_mode: 755
+ - template: jinja
+
+suridir:
+ file.directory:
+ - name: /opt/so/conf/suricata
+ - user: 940
+ - group: 940
+
+suriruledir:
+ file.directory:
+ - name: /opt/so/conf/suricata/rules
+ - user: 940
+ - group: 940
+ - makedirs: True
+
+surilogdir:
+ file.directory:
+ - name: /opt/so/log/suricata
+ - user: 940
+ - group: 939
+
+suridatadir:
+ file.directory:
+ - name: /nsm/suricata/extracted
+ - user: 940
+ - group: 939
+ - mode: 770
+ - makedirs: True
+
+surirulesync:
+ file.recurse:
+ - name: /opt/so/conf/suricata/rules/
+ - source: salt://suricata/rules/
+ - user: 940
+ - group: 940
+ - show_changes: False
+
+surilogscript:
+ file.managed:
+ - name: /usr/local/bin/surilogcompress
+ - source: salt://suricata/cron/surilogcompress
+ - mode: 755
+
+surilogcompress:
+ cron.present:
+ - name: /usr/local/bin/surilogcompress
+ - identifier: surilogcompress
+ - user: suricata
+ - minute: '17'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
+suriconfig:
+ file.managed:
+ - name: /opt/so/conf/suricata/suricata.yaml
+ - source: salt://suricata/files/suricata.yaml.jinja
+ - context:
+ suricata_config: {{ SURICATAMERGED.config }}
+ - user: 940
+ - group: 940
+ - template: jinja
+
+surithresholding:
+ file.managed:
+ - name: /opt/so/conf/suricata/threshold.conf
+ - source: salt://suricata/files/threshold.conf.jinja
+ - user: 940
+ - group: 940
+ - template: jinja
+
+# BPF compilation and configuration
+{% if SURICATABPF %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
+ {% if BPF_CALC['stderr'] == "" %}
+ {% set BPF_STATUS = 1 %}
+ {% else %}
+suribpfcompilationfailure:
+ test.configurable_test_state:
+ - changes: False
+ - result: False
+ - comment: "BPF Syntax Error - Discarding Specified BPF"
+ {% endif %}
+{% endif %}
+
+suribpf:
+ file.managed:
+ - name: /opt/so/conf/suricata/bpf
+ - user: 940
+ - group: 940
+ {% if BPF_STATUS %}
+ - contents: {{ SURICATABPF }}
+ {% else %}
+ - contents:
+ - ""
+ {% endif %}
+
+so-suricata-eve-clean:
+ file.managed:
+ - name: /usr/sbin/so-suricata-eve-clean
+ - user: root
+ - group: root
+ - mode: 755
+ - template: jinja
+ - source: salt://suricata/cron/so-suricata-eve-clean
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index cf7db31af..f154b5beb 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,4 +1,5 @@
 suricata:
+ enabled: False
 config:
 threading:
 set-cpu-affinity: 'no'
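Review bot: `suricata_sbin` and `suricata_sbin_jinja` deliver executables into `/usr/sbin` owned by uid/gid 939 (the socore account), so anyone able to write as that unprivileged service account can replace tooling that the minion and cron later execute as root; `so-suricata-eve-clean` further down in this hunk is correctly `root:root`, and the two recurse states should match it with `- user: root` and `- group: root`. This is carried over from the old init.sls rather than introduced here, but config.sls is now the one place it lives. Presumably `/usr/sbin/so-bpf-compile`, which the BPF block runs through `cmd.script` as the minion user, is among the files delivered this way — worth confirming.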
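Review bot: `enabled: False` as the shipped default means any sensor whose pillar lacks the new key — every sensor provisioned before this so-minion change, since the key is only written by add_sensor_to_minion at creation time — renders `suricata.disabled` on its next highstate and has its container force-removed, silently dropping IDS coverage on upgrade. The replaced map.jinja defaulted to on (`pillar.get('suricata:enabled', 'True')`), so this is a behaviour change for existing deployments unless an upgrade step back-fills the pillar; if none exists, consider `enabled: True` here or a migration that writes the key for existing sensor minions. This is inferred from the visible states alone; please confirm against the upgrade tooling.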
@@ -417,4 +418,4 @@ suricata:
 - all.rules
 classification-file: /etc/suricata/classification.config
 reference-config-file: /etc/suricata/reference.config
- threshold-file: /etc/suricata/threshold.conf
\ No newline at end of file
+ threshold-file: /etc/suricata/threshold.conf
diff --git a/salt/suricata/disabled.sls b/salt/suricata/disabled.sls
new file mode 100644
index 000000000..60754ed3c
--- /dev/null
+++ b/salt/suricata/disabled.sls
@@ -0,0 +1,32 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - suricata.sostatus
+
+so-suricata:
+ docker_container.absent:
+ - force: True
+
+so-kibana_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-suricata$
+
+# Remove eve clean cron
+clean_suricata_eve_files:
+ cron.absent:
+ - identifier: clean_suricata_eve_files
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
new file mode 100644
index 000000000..efc5f0251
--- /dev/null
+++ b/salt/suricata/enabled.sls
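Review bot: The state IDs `so-kibana_so-status.disabled` here, `delete_so-kibana_so-status.disabled` in enabled.sls and `append_so-kibana_so-status.conf` in sostatus.sls look copied from the kibana state and name the wrong component; Salt requires IDs to be unique across the whole highstate, so on any node that applies both the kibana and suricata states with identically named IDs the run fails with a conflicting-ID error (I cannot see the kibana states here, so treat that as a risk to verify). The removed init.sls used `so-suricata_so-status.disabled`, `delete_so-suricata_so-status.disabled` and `append_so-suricata_so-status.conf`; renaming the three new states back to those IDs restores uniqueness and readability. Note also that disabled.sls does not include suricata.config, so the `surilogcompress` cron and the rendered config files from an earlier enabled run stay in place after disabling — if that is intentional, a comment saying so would help the next reader.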
@@ -0,0 +1,62 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - suricata.config
+ - suricata.sostatus
+
+so-suricata:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-suricata:{{ GLOBALS.so_version }}
+ - privileged: True
+ - environment:
+ - INTERFACE={{ GLOBALS.sensor.interface }}
+ - binds:
+ - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
+ - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
+ - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
+ - /opt/so/log/suricata/:/var/log/suricata/:rw
+ - /nsm/suricata/:/nsm/:rw
+ - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
+ - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
+ - network_mode: host
+ - watch:
+ - file: suriconfig
+ - file: surithresholding
+ - file: /opt/so/conf/suricata/rules/
+ - file: /opt/so/conf/suricata/bpf
+ - require:
+ - file: suriconfig
+ - file: surithresholding
+ - file: suribpf
+
+delete_so-kibana_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-suricata$
+
+# Add eve clean cron
+clean_suricata_eve_files:
+ cron.present:
+ - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
+ - identifier: clean_suricata_eve_files
+ - user: root
+ - minute: '*/5'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
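Review bot: `so-suricata` runs with `privileged: True` on top of `network_mode: host`, which hands the container every capability and host device on the sensor; for AF_PACKET capture Suricata generally needs only `NET_ADMIN`, `NET_RAW` and `SYS_NICE`, so a `- cap_add:` list with those in place of `privileged` would bound what a parser bug in the IDS can reach — this is inherited from the old init.sls rather than introduced here, and needs testing against the image before changing. Separately, the `watch` list names the rules and bpf states by path (`file: /opt/so/conf/suricata/rules/`) while `require` uses state IDs (`file: suribpf`); referring to `surirulesync` and `suribpf` in both keeps the requisites consistent and immune to a path change in config.sls.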
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 7788fa94a..34e1cdcdf 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -3,228 +3,11 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %} - -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from "suricata/map.jinja" import SURICATAOPTIONS with context %} - -{% from 'bpf/suricata.map.jinja' import SURICATABPF %} -{% set BPF_STATUS = 0 %} - -{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %} -{% from "suricata/map.jinja" import START with context %} - -# Suricata - -# Add Suricata Group -suricatagroup: - group.present: - - name: suricata - - gid: 940 - -# Add Suricata user -suricata: - user.present: - - uid: 940 - - gid: 940 - - home: /nsm/suricata - - createhome: False - -socoregroupwithsuricata: - group.present: - - name: socore - - gid: 939 - - addusers: - - suricata - -suricata_sbin: - file.recurse: - - name: /usr/sbin - - source: salt://suricata/tools/sbin - - user: 939 - - group: 939 - - file_mode: 755 - -suricata_sbin_jinja: - file.recurse: - - name: /usr/sbin - - source: salt://suricata/tools/sbin_jinja - - user: 939 - - group: 939 - - file_mode: 755 - - template: jinja - -suridir: - file.directory: - - name: /opt/so/conf/suricata - - user: 940 - - group: 940 - -suriruledir: - file.directory: - - name: /opt/so/conf/suricata/rules - - user: 940 - - group: 940 - - makedirs: True - -surilogdir: - file.directory: - - name: /opt/so/log/suricata - - user: 940 - - group: 939 - -suridatadir: - file.directory: - - name: /nsm/suricata/extracted - - user: 940 - - group: 939 - - mode: 770 - - makedirs: True - -surirulesync: - file.recurse: - - name: /opt/so/conf/suricata/rules/ - - source: salt://suricata/rules/ - - user: 940 - - group: 940 - - show_changes: False - -surilogscript: - file.managed: - - name: /usr/local/bin/surilogcompress - - source: 
salt://suricata/cron/surilogcompress - - mode: 755 - -surilogcompress: - cron.present: - - name: /usr/local/bin/surilogcompress - - identifier: surilogcompress - - user: suricata - - minute: '17' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - -suriconfig: - file.managed: - - name: /opt/so/conf/suricata/suricata.yaml - - source: salt://suricata/files/suricata.yaml.jinja - - context: - suricata_config: {{ suricata_config.suricata.config }} - - user: 940 - - group: 940 - - template: jinja - -surithresholding: - file.managed: - - name: /opt/so/conf/suricata/threshold.conf - - source: salt://suricata/files/threshold.conf.jinja - - user: 940 - - group: 940 - - template: jinja - -# BPF compilation and configuration -{% if SURICATABPF %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %} - {% if BPF_CALC['stderr'] == "" %} - {% set BPF_STATUS = 1 %} - {% else %} -suribpfcompilationfailure: - test.configurable_test_state: - - changes: False - - result: False - - comment: "BPF Syntax Error - Discarding Specified BPF" - {% endif %} -{% endif %} - -suribpf: - file.managed: - - name: /opt/so/conf/suricata/bpf - - user: 940 - - group: 940 - {% if BPF_STATUS %} - - contents: {{ SURICATABPF }} - {% else %} - - contents: - - "" - {% endif %} - -so-suricata: - docker_container.{{ SURICATAOPTIONS.status }}: - {% if SURICATAOPTIONS.status == 'running' %} - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-suricata:{{ GLOBALS.so_version }} - - start: {{ SURICATAOPTIONS.start }} - - privileged: True - - environment: - - INTERFACE={{ GLOBALS.sensor.interface }} - - binds: - - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro - - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - - /opt/so/log/suricata/:/var/log/suricata/:rw - - /nsm/suricata/:/nsm/:rw - - 
/nsm/suricata/extracted:/var/log/suricata//filestore:rw - - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - - network_mode: host - - watch: - - file: suriconfig - - file: surithresholding - - file: /opt/so/conf/suricata/rules/ - - file: /opt/so/conf/suricata/bpf - - require: - - file: suriconfig - - file: surithresholding - - file: suribpf - - {% else %} {# if Suricata isn't enabled, then stop and remove the container #} - - force: True - {% endif %} - -append_so-suricata_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-suricata - - unless: grep -q so-suricata /opt/so/conf/so-status/so-status.conf - - {% if not SURICATAOPTIONS.start %} -so-suricata_so-status.disabled: - file.comment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-suricata$ - {% else %} -delete_so-suricata_so-status.disabled: - file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-suricata$ - {% endif %} - -so-suricata-eve-clean: - file.managed: - - name: /usr/sbin/so-suricata-eve-clean - - user: root - - group: root - - mode: 755 - - template: jinja - - source: salt://suricata/cron/so-suricata-eve-clean - -# Add eve clean cron -clean_suricata_eve_files: - cron.present: - - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1 - - identifier: clean_suricata_eve_files - - user: root - - minute: '*/5' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' +{% from 'suricata/map.jinja' import SURICATAMERGED %} +include: +{% if SURICATAMERGED.enabled %} + - suricata.enabled {% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - + - suricata.disabled {% endif %} diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 550781436..b238405c8 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja 
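Review bot: `{% if SURICATAMERGED.enabled %}` picks the include by Jinja truthiness, so a pillar value that arrives as the string `'False'` (or any non-empty string) turns Suricata on, whereas the replaced map.jinja used the strict `ENABLED is sameas false`; `{% if SURICATAMERGED.enabled is sameas true %}` keeps an unexpectedly typed value from silently enabling the sensor. The role guard `grains.role not in ['so-manager', 'so-managersearch']` from the old file is also gone and nothing on the new side replaces it; unless allowed_states.map.jinja already withholds `suricata` from those roles, a manager whose pillar carries the key would now render the enabled state — I cannot see that map here, so please confirm. Apart from the two header lines, the whole of init.sls is within this hunk.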
@@ -1,11 +1,61 @@ -{% set SURICATAOPTIONS = {} %} -{% set ENABLED = salt['pillar.get']('suricata:enabled', 'True') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %} +{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %} +{% import_yaml 'suricata/suricata_mdengine.yaml' as suricata_mdengine %} -# don't start the docker container if it is an import node or disabled via pillar -{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %} - {% do SURICATAOPTIONS.update({'start': False}) %} - {% do SURICATAOPTIONS.update({'status': 'absent'}) %} -{% else %} - {% do SURICATAOPTIONS.update({'start': True}) %} - {% do SURICATAOPTIONS.update({'status': 'running'}) %} +{% set default_evelog_index = [] %} +{% set default_filestore_index = [] %} +{% set surimeta_evelog_index = [] %} +{% set surimeta_filestore_index = [] %} + +{# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #} +{# we are limited to only one iterface #} +{% load_yaml as afpacket %} +- interface: {{ SURICATAMERGED.config['af-packet'].interface }} + cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }} + cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }} + defrag: {{ SURICATAMERGED.config['af-packet'].defrag }} + use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }} + threads: {{ SURICATAMERGED.config['af-packet'].threads }} + tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }} + ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }} +{% endload %} +{% do SURICATAMERGED.config.pop('af-packet') %} +{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %} + +{% load_yaml as outputs %} +{% for le, ld in SURICATAMERGED.config.outputs.items() %} + - {{ le }}: {{ ld }} +{% endfor %} +{% endload %} +{% do SURICATAMERGED.config.pop('outputs') %} +{% do 
SURICATAMERGED.config.update({'outputs': outputs}) %} + +{# Find the index of eve-log so it can be updated later #} +{% for li in SURICATAMERGED.config.outputs %} + {% if 'eve-log' in li.keys() %} + {% do default_evelog_index.append(loop.index0) %} + {% endif %} + {% if 'file-store' in li.keys() %} + {% do default_filestore_index.append(loop.index0) %} + {% endif %} +{% endfor %} +{% set default_evelog_index = default_evelog_index[0] %} +{% set default_filestore_index = default_filestore_index[0] %} + +{# Find the index of eve-log so it can be grabbed later #} +{% for li in suricata_mdengine.suricata.config.outputs %} + {% if 'eve-log' in li.keys() %} + {% do surimeta_evelog_index.append(loop.index0) %} + {% endif %} + {% if 'file-store' in li.keys() %} + {% do surimeta_filestore_index.append(loop.index0) %} + {% endif %} +{% endfor %} +{% set surimeta_evelog_index = surimeta_evelog_index[0] %} +{% set surimeta_filestore_index = surimeta_filestore_index[0] %} + +{% if GLOBALS.md_engine == 'SURICATA' %} + {% do SURICATAMERGED.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} + {% do SURICATAMERGED.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} {% endif %} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index ea98b7650..976949111 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -1,4 +1,7 @@ suricata: + enabled: + description: You can enable or disable Suricata. + helpLink: suricata.html thresholding: sids__yaml: description: Threshold SIDS List diff --git a/salt/suricata/sostatus.sls b/salt/suricata/sostatus.sls new file mode 100644 index 000000000..fc22e1aac --- /dev/null +++ b/salt/suricata/sostatus.sls 
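Review bot: The import-node guard (`grains.id.split('_')|last == 'import'`) that the old map.jinja used to force the container off is dropped without a replacement, so whether an import node runs Suricata now depends only on its pillar carrying `enabled: True`, which so-minion's add_sensor_to_minion writes unconditionally for the minions it handles — I cannot tell from here whether import nodes go through that function, so please confirm or reinstate the check in init.sls. The `load_yaml as afpacket` block also interpolates pillar values unquoted (`interface: {{ SURICATAMERGED.config['af-packet'].interface }}`), so a value entered in SOC that contains `:`, `#` or a newline alters the YAML structure rather than the scalar; passing each through `| yaml` keeps them scalars. Finally, `{% set default_evelog_index = default_evelog_index[0] %}` and the three similar lines fail with an opaque Undefined error when `outputs` has no eve-log or file-store entry; an `{% if default_evelog_index %}` guard with a clear message would make that misconfiguration diagnosable.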
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-kibana_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-suricata
+ - unless: grep -q so-suricata /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja
deleted file mode 100644
index fb4c22af3..000000000
--- a/salt/suricata/suricata_config.map.jinja
+++ /dev/null
@@ -1,56 +0,0 @@ -{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context %} -{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} -{% set suricata_pillar = pillar.suricata %} -{% set surimerge = salt['defaults.merge'](suricata_defaults, suricata_pillar, in_place=False) %} -{% set default_evelog_index = [] %} -{% set default_filestore_index = [] %} -{% set surimeta_evelog_index = [] %} -{% set surimeta_filestore_index = [] %} - -{% load_yaml as afpacket %} -- interface: {{ surimerge.suricata.config['af-packet'].interface }} - cluster-id: {{ surimerge.suricata.config['af-packet']['cluster-id'] }} - cluster-type: {{ surimerge.suricata.config['af-packet']['cluster-type'] }} - defrag: {{ surimerge.suricata.config['af-packet'].defrag }} - use-mmap: {{ surimerge.suricata.config['af-packet']['use-mmap'] }} - threads: {{ surimerge.suricata.config['af-packet'].threads }} - tpacket-v3: {{ surimerge.suricata.config['af-packet']['tpacket-v3'] }} - ring-size: {{ surimerge.suricata.config['af-packet']['ring-size'] }} -{% endload %} -{% do suricata_defaults.suricata.config.update({'af-packet': afpacket}) %} - -{% load_yaml as outputs %} -{% for le, ld in surimerge.suricata.config.outputs.items() %} - - {{ le }}: {{ ld }} -{% endfor %} -{% endload %} -{% do suricata_defaults.suricata.config.update({'outputs': outputs}) %} - -{# Find the index of eve-log so it can be updated later #} -{% for li in suricata_defaults.suricata.config.outputs %} - {% if 'eve-log' in li.keys() %} - {% do default_evelog_index.append(loop.index0) %} - {% endif %} - {% if 'file-store' in li.keys() %} - {% do default_filestore_index.append(loop.index0) %} - {% endif %} -{% endfor %} -{% set default_evelog_index = default_evelog_index[0] %} -{% set default_filestore_index = default_filestore_index[0] %} - -{# Find the index of eve-log so it can be grabbed later #} -{% for li in suricata_meta.suricata.config.outputs %} - {% if 'eve-log' in li.keys() %} - {% do 
surimeta_evelog_index.append(loop.index0) %} - {% endif %} - {% if 'file-store' in li.keys() %} - {% do surimeta_filestore_index.append(loop.index0) %} - {% endif %} -{% endfor %} -{% set surimeta_evelog_index = surimeta_evelog_index[0] %} -{% set surimeta_filestore_index = surimeta_filestore_index[0] %} - -{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %} - {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} - {% do suricata_defaults.suricata.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_meta.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} -{% endif %} diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_mdengine.yaml similarity index 100% rename from salt/suricata/suricata_meta.yaml rename to salt/suricata/suricata_mdengine.yaml From cc47f9a595d67dce2b438136fc6aa8fdcf09ac48 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 23 May 2023 11:16:32 -0400 Subject: [PATCH 2/2] fix suricata thresholding --- salt/suricata/files/threshold.conf.jinja | 9 +++-- salt/suricata/soc_suricata.yaml | 4 ++- salt/suricata/thresholding/sids.yaml | 44 ------------------------ 3 files changed, 7 insertions(+), 50 deletions(-) diff --git a/salt/suricata/files/threshold.conf.jinja b/salt/suricata/files/threshold.conf.jinja index 45642404a..a439dad96 100644 --- a/salt/suricata/files/threshold.conf.jinja +++ b/salt/suricata/files/threshold.conf.jinja 
@@ -1,9 +1,8 @@ -{% set THRESHOLDING = salt['pillar.get']('thresholding', {}) -%} - +{% import_yaml 'suricata/thresholding/sids.yaml' as THRESHOLDING %} {% if THRESHOLDING -%} - {% for EACH_SID in THRESHOLDING.sids -%} - {% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%} + {% for EACH_SID in THRESHOLDING -%} + {% for ACTIONS_LIST in THRESHOLDING[EACH_SID] -%} {% for EACH_ACTION in ACTIONS_LIST -%} {%- if EACH_ACTION == 'threshold' %} @@ -31,6 +30,6 @@ {%- endfor %} {%- else %} -##### The thresholding pillar has not been defined +##### Navigate to suricata > thresholding > SIDS in SOC to define thresholding {%- endif %} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 976949111..f1971f17f 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -5,8 +5,10 @@ suricata: thresholding: sids__yaml: description: Threshold SIDS List - file: True syntax: yaml + file: True + global: True + multiline: True title: SIDS helpLink: suricata.html config: diff --git a/salt/suricata/thresholding/sids.yaml b/salt/suricata/thresholding/sids.yaml index e9dc04e25..e69de29bb 100644 --- a/salt/suricata/thresholding/sids.yaml +++ b/salt/suricata/thresholding/sids.yaml @@ -1,44 +0,0 @@ -thresholding: - sids: - 99999999999999999: - - threshold: - gen_id: 1 - type: threshold - track: by_src - count: 10 - seconds: 10 - - threshold: - gen_id: 1 - type: limit - track: by_dst - count: 100 - seconds: 30 - - rate_filter: - gen_id: 1 - track: by_rule - count: 50 - seconds: 30 - new_action: alert - timeout: 30 - - suppress: - gen_id: 1 - track: by_either - ip: 10.10.3.7 - 99999999999999998: - - threshold: - gen_id: 1 - type: limit - track: by_dst - count: 10 - seconds: 10 - - rate_filter: - gen_id: 1 - track: by_src - count: 50 - seconds: 20 - new_action: pass - timeout: 60 - - suppress: - gen_id: 1 - track: by_src - ip: 10.10.3.0/24 \ No newline at end of file
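Review bot: Replacing `salt['pillar.get']('thresholding', {})` with `{% import_yaml 'suricata/thresholding/sids.yaml' as THRESHOLDING %}` leaves no fallback for the old source, so thresholds, rate filters or suppressions an operator defined in the `thresholding` pillar stop being rendered after this change and alert volume shifts with no error — and sids.yaml is emptied in the same commit, so a fresh install renders only the `#####` comment. If pillar-defined thresholding is still supported anywhere, merging the two (`pillar.get` with the imported file as its default) or at least naming the migration in the `#####` message would avoid a silent loss of suppressions; I cannot see the SOC writer, so this is inferred from the template alone. The per-action rendering of the template lies outside this hunk.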