CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10417 from Security-Onion-Solutions/issue/10229

Browse Source 
Issue/10229
This commit is contained in:
Josh Patterson
2023-05-23 13:47:48 -04:00
committed by GitHub
parent f6a9a764de e65214b097
commit 4b18a0e758
13 changed files with 355 additions and 338 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/manager/tools/sbin/so-minion
View File

@@ -230,6 +230,7 @@ function add_sensor_to_minion() {
echo " node:" >> $PILLARFILE echo " node:" >> $PILLARFILE
echo " lb_procs: '$CORECOUNT'" >> $PILLARFILE echo " lb_procs: '$CORECOUNT'" >> $PILLARFILE
echo "suricata:" >> $PILLARFILE echo "suricata:" >> $PILLARFILE
echo " enabled: True " >> $PILLARFILE
echo " config:" >> $PILLARFILE echo " config:" >> $PILLARFILE
echo " af-packet:" >> $PILLARFILE echo " af-packet:" >> $PILLARFILE
echo " threads: '$CORECOUNT'" >> $PILLARFILE echo " threads: '$CORECOUNT'" >> $PILLARFILE

163
salt/suricata/config.sls Normal file
View File

@@ -0,0 +1,163 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
{% from 'suricata/map.jinja' import SURICATAMERGED %}
{% set BPF_STATUS = 0 %}
# Add Suricata Group
suricatagroup:
group.present:
- name: suricata
- gid: 940
# Add Suricata user
suricata:
user.present:
- uid: 940
- gid: 940
- home: /nsm/suricata
- createhome: False
socoregroupwithsuricata:
group.present:
- name: socore
- gid: 939
- addusers:
- suricata
suricata_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://suricata/tools/sbin
- user: 939
- group: 939
- file_mode: 755
suricata_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://suricata/tools/sbin_jinja
- user: 939
- group: 939
- file_mode: 755
- template: jinja
suridir:
file.directory:
- name: /opt/so/conf/suricata
- user: 940
- group: 940
suriruledir:
file.directory:
- name: /opt/so/conf/suricata/rules
- user: 940
- group: 940
- makedirs: True
surilogdir:
file.directory:
- name: /opt/so/log/suricata
- user: 940
- group: 939
suridatadir:
file.directory:
- name: /nsm/suricata/extracted
- user: 940
- group: 939
- mode: 770
- makedirs: True
surirulesync:
file.recurse:
- name: /opt/so/conf/suricata/rules/
- source: salt://suricata/rules/
- user: 940
- group: 940
- show_changes: False
surilogscript:
file.managed:
- name: /usr/local/bin/surilogcompress
- source: salt://suricata/cron/surilogcompress
- mode: 755
surilogcompress:
cron.present:
- name: /usr/local/bin/surilogcompress
- identifier: surilogcompress
- user: suricata
- minute: '17'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
suriconfig:
file.managed:
- name: /opt/so/conf/suricata/suricata.yaml
- source: salt://suricata/files/suricata.yaml.jinja
- context:
suricata_config: {{ SURICATAMERGED.config }}
- user: 940
- group: 940
- template: jinja
surithresholding:
file.managed:
- name: /opt/so/conf/suricata/threshold.conf
- source: salt://suricata/files/threshold.conf.jinja
- user: 940
- group: 940
- template: jinja
# BPF compilation and configuration
{% if SURICATABPF %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
suribpfcompilationfailure:
test.configurable_test_state:
- changes: False
- result: False
- comment: "BPF Syntax Error - Discarding Specified BPF"
{% endif %}
{% endif %}
suribpf:
file.managed:
- name: /opt/so/conf/suricata/bpf
- user: 940
- group: 940
{% if BPF_STATUS %}
- contents: {{ SURICATABPF }}
{% else %}
- contents:
- ""
{% endif %}
so-suricata-eve-clean:
file.managed:
- name: /usr/sbin/so-suricata-eve-clean
- user: root
- group: root
- mode: 755
- template: jinja
- source: salt://suricata/cron/so-suricata-eve-clean
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/suricata/defaults.yaml
View File

@@ -1,4 +1,5 @@
suricata: suricata:
enabled: False
config: config:
threading: threading:
set-cpu-affinity: 'no' set-cpu-affinity: 'no'

32
salt/suricata/disabled.sls Normal file
View File

@@ -0,0 +1,32 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- suricata.sostatus
so-suricata:
docker_container.absent:
- force: True
so-kibana_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-suricata$
# Remove eve clean cron
clean_suricata_eve_files:
cron.absent:
- identifier: clean_suricata_eve_files
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

62
salt/suricata/enabled.sls Normal file
View File

@@ -0,0 +1,62 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- suricata.config
- suricata.sostatus
so-suricata:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-suricata:{{ GLOBALS.so_version }}
- privileged: True
- environment:
- INTERFACE={{ GLOBALS.sensor.interface }}
- binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw
- /nsm/suricata/:/nsm/:rw
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- network_mode: host
- watch:
- file: suriconfig
- file: surithresholding
- file: /opt/so/conf/suricata/rules/
- file: /opt/so/conf/suricata/bpf
- require:
- file: suriconfig
- file: surithresholding
- file: suribpf
delete_so-kibana_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-suricata$
# Add eve clean cron
clean_suricata_eve_files:
cron.present:
- name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
- identifier: clean_suricata_eve_files
- user: root
- minute: '*/5'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

9
salt/suricata/files/threshold.conf.jinja
View File

@@ -1,9 +1,8 @@
{% set THRESHOLDING = salt['pillar.get']('thresholding', {}) -%} {% import_yaml 'suricata/thresholding/sids.yaml' as THRESHOLDING %}
{% if THRESHOLDING -%} {% if THRESHOLDING -%}
{% for EACH_SID in THRESHOLDING.sids -%} {% for EACH_SID in THRESHOLDING -%}
{% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%} {% for ACTIONS_LIST in THRESHOLDING[EACH_SID] -%}
{% for EACH_ACTION in ACTIONS_LIST -%} {% for EACH_ACTION in ACTIONS_LIST -%}
{%- if EACH_ACTION == 'threshold' %} {%- if EACH_ACTION == 'threshold' %}
@@ -31,6 +30,6 @@
{%- endfor %} {%- endfor %}
{%- else %} {%- else %}
##### The thresholding pillar has not been defined ##### Navigate to suricata > thresholding > SIDS in SOC to define thresholding
{%- endif %} {%- endif %}

227
salt/suricata/init.sls
View File

@@ -3,228 +3,11 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'suricata/map.jinja' import SURICATAMERGED %}
{% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from "suricata/map.jinja" import SURICATAOPTIONS with context %}
{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
{% set BPF_STATUS = 0 %}
{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %}
{% from "suricata/map.jinja" import START with context %}
# Suricata
# Add Suricata Group
suricatagroup:
group.present:
- name: suricata
- gid: 940
# Add Suricata user
suricata:
user.present:
- uid: 940
- gid: 940
- home: /nsm/suricata
- createhome: False
socoregroupwithsuricata:
group.present:
- name: socore
- gid: 939
- addusers:
- suricata
suricata_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://suricata/tools/sbin
- user: 939
- group: 939
- file_mode: 755
suricata_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://suricata/tools/sbin_jinja
- user: 939
- group: 939
- file_mode: 755
- template: jinja
suridir:
file.directory:
- name: /opt/so/conf/suricata
- user: 940
- group: 940
suriruledir:
file.directory:
- name: /opt/so/conf/suricata/rules
- user: 940
- group: 940
- makedirs: True
surilogdir:
file.directory:
- name: /opt/so/log/suricata
- user: 940
- group: 939
suridatadir:
file.directory:
- name: /nsm/suricata/extracted
- user: 940
- group: 939
- mode: 770
- makedirs: True
surirulesync:
file.recurse:
- name: /opt/so/conf/suricata/rules/
- source: salt://suricata/rules/
- user: 940
- group: 940
- show_changes: False
surilogscript:
file.managed:
- name: /usr/local/bin/surilogcompress
- source: salt://suricata/cron/surilogcompress
- mode: 755
surilogcompress:
cron.present:
- name: /usr/local/bin/surilogcompress
- identifier: surilogcompress
- user: suricata
- minute: '17'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
suriconfig:
file.managed:
- name: /opt/so/conf/suricata/suricata.yaml
- source: salt://suricata/files/suricata.yaml.jinja
- context:
suricata_config: {{ suricata_config.suricata.config }}
- user: 940
- group: 940
- template: jinja
surithresholding:
file.managed:
- name: /opt/so/conf/suricata/threshold.conf
- source: salt://suricata/files/threshold.conf.jinja
- user: 940
- group: 940
- template: jinja
# BPF compilation and configuration
{% if SURICATABPF %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
suribpfcompilationfailure:
test.configurable_test_state:
- changes: False
- result: False
- comment: "BPF Syntax Error - Discarding Specified BPF"
{% endif %}
{% endif %}
suribpf:
file.managed:
- name: /opt/so/conf/suricata/bpf
- user: 940
- group: 940
{% if BPF_STATUS %}
- contents: {{ SURICATABPF }}
{% else %}
- contents:
- ""
{% endif %}
so-suricata:
docker_container.{{ SURICATAOPTIONS.status }}:
{% if SURICATAOPTIONS.status == 'running' %}
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-suricata:{{ GLOBALS.so_version }}
- start: {{ SURICATAOPTIONS.start }}
- privileged: True
- environment:
- INTERFACE={{ GLOBALS.sensor.interface }}
- binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw
- /nsm/suricata/:/nsm/:rw
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- network_mode: host
- watch:
- file: suriconfig
- file: surithresholding
- file: /opt/so/conf/suricata/rules/
- file: /opt/so/conf/suricata/bpf
- require:
- file: suriconfig
- file: surithresholding
- file: suribpf
{% else %} {# if Suricata isn't enabled, then stop and remove the container #}
- force: True
{% endif %}
append_so-suricata_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-suricata
- unless: grep -q so-suricata /opt/so/conf/so-status/so-status.conf
{% if not SURICATAOPTIONS.start %}
so-suricata_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-suricata$
{% else %}
delete_so-suricata_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-suricata$
{% endif %}
so-suricata-eve-clean:
file.managed:
- name: /usr/sbin/so-suricata-eve-clean
- user: root
- group: root
- mode: 755
- template: jinja
- source: salt://suricata/cron/so-suricata-eve-clean
# Add eve clean cron
clean_suricata_eve_files:
cron.present:
- name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
- identifier: clean_suricata_eve_files
- user: root
- minute: '*/5'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
include:
{% if SURICATAMERGED.enabled %}
- suricata.enabled
{% else %} {% else %}
- suricata.disabled
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

68
salt/suricata/map.jinja
View File

@@ -1,11 +1,61 @@
{% set SURICATAOPTIONS = {} %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set ENABLED = salt['pillar.get']('suricata:enabled', 'True') %} {% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %}
{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %}
{% import_yaml 'suricata/suricata_mdengine.yaml' as suricata_mdengine %}
# don't start the docker container if it is an import node or disabled via pillar {% set default_evelog_index = [] %}
{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %} {% set default_filestore_index = [] %}
{% do SURICATAOPTIONS.update({'start': False}) %} {% set surimeta_evelog_index = [] %}
{% do SURICATAOPTIONS.update({'status': 'absent'}) %} {% set surimeta_filestore_index = [] %}
{% else %}
{% do SURICATAOPTIONS.update({'start': True}) %} {# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #}
{% do SURICATAOPTIONS.update({'status': 'running'}) %} {# we are limited to only one iterface #}
{% load_yaml as afpacket %}
- interface: {{ SURICATAMERGED.config['af-packet'].interface }}
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
threads: {{ SURICATAMERGED.config['af-packet'].threads }}
tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
{% endload %}
{% do SURICATAMERGED.config.pop('af-packet') %}
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
{% load_yaml as outputs %}
{% for le, ld in SURICATAMERGED.config.outputs.items() %}
- {{ le }}: {{ ld }}
{% endfor %}
{% endload %}
{% do SURICATAMERGED.config.pop('outputs') %}
{% do SURICATAMERGED.config.update({'outputs': outputs}) %}
{# Find the index of eve-log so it can be updated later #}
{% for li in SURICATAMERGED.config.outputs %}
{% if 'eve-log' in li.keys() %}
{% do default_evelog_index.append(loop.index0) %}
{% endif %}
{% if 'file-store' in li.keys() %}
{% do default_filestore_index.append(loop.index0) %}
{% endif %}
{% endfor %}
{% set default_evelog_index = default_evelog_index[0] %}
{% set default_filestore_index = default_filestore_index[0] %}
{# Find the index of eve-log so it can be grabbed later #}
{% for li in suricata_mdengine.suricata.config.outputs %}
{% if 'eve-log' in li.keys() %}
{% do surimeta_evelog_index.append(loop.index0) %}
{% endif %}
{% if 'file-store' in li.keys() %}
{% do surimeta_filestore_index.append(loop.index0) %}
{% endif %}
{% endfor %}
{% set surimeta_evelog_index = surimeta_evelog_index[0] %}
{% set surimeta_filestore_index = surimeta_filestore_index[0] %}
{% if GLOBALS.md_engine == 'SURICATA' %}
{% do SURICATAMERGED.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
{% do SURICATAMERGED.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
{% endif %} {% endif %}

7
salt/suricata/soc_suricata.yaml
View File

@@ -1,9 +1,14 @@
suricata: suricata:
enabled:
description: You can enable or disable Suricata.
helpLink: suricata.html
thresholding: thresholding:
sids__yaml: sids__yaml:
description: Threshold SIDS List description: Threshold SIDS List
file: True
syntax: yaml syntax: yaml
file: True
global: True
multiline: True
title: SIDS title: SIDS
helpLink: suricata.html helpLink: suricata.html
config: config:

21
salt/suricata/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-kibana_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-suricata
- unless: grep -q so-suricata /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

56
salt/suricata/suricata_config.map.jinja
View File

@@ -1,56 +0,0 @@
{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context %}
{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %}
{% set suricata_pillar = pillar.suricata %}
{% set surimerge = salt['defaults.merge'](suricata_defaults, suricata_pillar, in_place=False) %}
{% set default_evelog_index = [] %}
{% set default_filestore_index = [] %}
{% set surimeta_evelog_index = [] %}
{% set surimeta_filestore_index = [] %}
{% load_yaml as afpacket %}
- interface: {{ surimerge.suricata.config['af-packet'].interface }}
cluster-id: {{ surimerge.suricata.config['af-packet']['cluster-id'] }}
cluster-type: {{ surimerge.suricata.config['af-packet']['cluster-type'] }}
defrag: {{ surimerge.suricata.config['af-packet'].defrag }}
use-mmap: {{ surimerge.suricata.config['af-packet']['use-mmap'] }}
threads: {{ surimerge.suricata.config['af-packet'].threads }}
tpacket-v3: {{ surimerge.suricata.config['af-packet']['tpacket-v3'] }}
ring-size: {{ surimerge.suricata.config['af-packet']['ring-size'] }}
{% endload %}
{% do suricata_defaults.suricata.config.update({'af-packet': afpacket}) %}
{% load_yaml as outputs %}
{% for le, ld in surimerge.suricata.config.outputs.items() %}
- {{ le }}: {{ ld }}
{% endfor %}
{% endload %}
{% do suricata_defaults.suricata.config.update({'outputs': outputs}) %}
{# Find the index of eve-log so it can be updated later #}
{% for li in suricata_defaults.suricata.config.outputs %}
{% if 'eve-log' in li.keys() %}
{% do default_evelog_index.append(loop.index0) %}
{% endif %}
{% if 'file-store' in li.keys() %}
{% do default_filestore_index.append(loop.index0) %}
{% endif %}
{% endfor %}
{% set default_evelog_index = default_evelog_index[0] %}
{% set default_filestore_index = default_filestore_index[0] %}
{# Find the index of eve-log so it can be grabbed later #}
{% for li in suricata_meta.suricata.config.outputs %}
{% if 'eve-log' in li.keys() %}
{% do surimeta_evelog_index.append(loop.index0) %}
{% endif %}
{% if 'file-store' in li.keys() %}
{% do surimeta_filestore_index.append(loop.index0) %}
{% endif %}
{% endfor %}
{% set surimeta_evelog_index = surimeta_evelog_index[0] %}
{% set surimeta_filestore_index = surimeta_filestore_index[0] %}
{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
{% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
{% do suricata_defaults.suricata.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_meta.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
{% endif %}

0
salt/suricata/suricata_meta.yaml → salt/suricata/suricata_mdengine.yaml
View File

44
salt/suricata/thresholding/sids.yaml
View File

@@ -1,44 +0,0 @@
thresholding:
sids:
99999999999999999:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
99999999999999998:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24