manage suricata classifications.config https://github.com/Security-Onion-Solutions/securityonion/issues/7918

salt/suricata/classification.csv

@@ -0,0 +1,43 @@
+attempted-admin,Attempted Administrator Privilege Gain,1
+attempted-dos,Attempted Denial of Service,2
+attempted-recon,Attempted Information Leak,2
+attempted-user,Attempted User Privilege Gain,1
+bad-unknown,Potentially Bad Traffic, 2
+coin-mining,Crypto Currency Mining Activity Detected,2
+command-and-control,Malware Command and Control Activity Detected,1
+credential-theft,Successful Credential Theft Detected,1
+default-login-attempt,Attempt to login by a default username and password,2
+denial-of-service,Detection of a Denial of Service Attack,2
+domain-c2,Domain Observed Used for C2 Detected,1
+exploit-kit,Exploit Kit Activity Detected,1
+external-ip-check,Device Retrieving External IP Address Detected,2
+icmp-event,Generic ICMP event,3
+inappropriate-content,Inappropriate Content was Detected,1
+misc-activity,Misc activity,3
+misc-attack,Misc Attack,2
+network-scan,Detection of a Network Scan,3
+non-standard-protocol,Detection of a non-standard protocol or event,2
+not-suspicious,Not Suspicious Traffic,3
+policy-violation,Potential Corporate Privacy Violation,1
+protocol-command-decode,Generic Protocol Command Decode,3
+pup-activity,Possibly Unwanted Program Detected,2
+rpc-portmap-decode,Decode of an RPC Query,2
+shellcode-detect,Executable code was detected,1
+social-engineering,Possible Social Engineering Attempted,2
+string-detect,A suspicious string was detected,3
+successful-admin,Successful Administrator Privilege Gain,1
+successful-dos,Denial of Service,2
+successful-recon-largescale,Large Scale Information Leak,2
+successful-recon-limited,Information Leak,2
+successful-user,Successful User Privilege Gain,1
+suspicious-filename-detect,A suspicious filename was detected,2
+suspicious-login,An attempted login using a suspicious username was detected,2
+system-call-detect,A system call was detected,2
+targeted-activity,Targeted Malicious Activity was Detected,1
+tcp-connection,A TCP connection was detected,4
+trojan-activity,A Network Trojan was detected, 1
+unknown,Unknown Traffic,3
+unsuccessful-user,Unsuccessful User Privilege Gain,1
+unusual-client-port-connection,A client was using an unusual port,2
+web-application-activity,access to a potentially vulnerable web application,2
+web-application-attack,Web Application Attack,1

salt/suricata/classification.yml

@@ -0,0 +1,126 @@
+- '3': 3
+  Not Suspicious Traffic: Unknown Traffic
+  not-suspicious: unknown
+- '3': 2
+  Not Suspicious Traffic: Potentially Bad Traffic
+  not-suspicious: bad-unknown
+- '3': 2
+  Not Suspicious Traffic: Attempted Information Leak
+  not-suspicious: attempted-recon
+- '3': 2
+  Not Suspicious Traffic: Information Leak
+  not-suspicious: successful-recon-limited
+- '3': 2
+  Not Suspicious Traffic: Large Scale Information Leak
+  not-suspicious: successful-recon-largescale
+- '3': 2
+  Not Suspicious Traffic: Attempted Denial of Service
+  not-suspicious: attempted-dos
+- '3': 2
+  Not Suspicious Traffic: Denial of Service
+  not-suspicious: successful-dos
+- '3': 1
+  Not Suspicious Traffic: Attempted User Privilege Gain
+  not-suspicious: attempted-user
+- '3': 1
+  Not Suspicious Traffic: Unsuccessful User Privilege Gain
+  not-suspicious: unsuccessful-user
+- '3': 1
+  Not Suspicious Traffic: Successful User Privilege Gain
+  not-suspicious: successful-user
+- '3': 1
+  Not Suspicious Traffic: Attempted Administrator Privilege Gain
+  not-suspicious: attempted-admin
+- '3': 1
+  Not Suspicious Traffic: Successful Administrator Privilege Gain
+  not-suspicious: successful-admin
+- '3': 2
+  Not Suspicious Traffic: Decode of an RPC Query
+  not-suspicious: rpc-portmap-decode
+- '3': 1
+  Not Suspicious Traffic: Executable code was detected
+  not-suspicious: shellcode-detect
+- '3': 3
+  Not Suspicious Traffic: A suspicious string was detected
+  not-suspicious: string-detect
+- '3': 2
+  Not Suspicious Traffic: A suspicious filename was detected
+  not-suspicious: suspicious-filename-detect
+- '3': 2
+  Not Suspicious Traffic: An attempted login using a suspicious username was detected
+  not-suspicious: suspicious-login
+- '3': 2
+  Not Suspicious Traffic: A system call was detected
+  not-suspicious: system-call-detect
+- '3': 4
+  Not Suspicious Traffic: A TCP connection was detected
+  not-suspicious: tcp-connection
+- '3': 1
+  Not Suspicious Traffic: A Network Trojan was detected
+  not-suspicious: trojan-activity
+- '3': 2
+  Not Suspicious Traffic: A client was using an unusual port
+  not-suspicious: unusual-client-port-connection
+- '3': 3
+  Not Suspicious Traffic: Detection of a Network Scan
+  not-suspicious: network-scan
+- '3': 2
+  Not Suspicious Traffic: Detection of a Denial of Service Attack
+  not-suspicious: denial-of-service
+- '3': 2
+  Not Suspicious Traffic: Detection of a non-standard protocol or event
+  not-suspicious: non-standard-protocol
+- '3': 3
+  Not Suspicious Traffic: Generic Protocol Command Decode
+  not-suspicious: protocol-command-decode
+- '3': 2
+  Not Suspicious Traffic: access to a potentially vulnerable web application
+  not-suspicious: web-application-activity
+- '3': 1
+  Not Suspicious Traffic: Web Application Attack
+  not-suspicious: web-application-attack
+- '3': 3
+  Not Suspicious Traffic: Misc activity
+  not-suspicious: misc-activity
+- '3': 2
+  Not Suspicious Traffic: Misc Attack
+  not-suspicious: misc-attack
+- '3': 3
+  Not Suspicious Traffic: Generic ICMP event
+  not-suspicious: icmp-event
+- '3': 1
+  Not Suspicious Traffic: Inappropriate Content was Detected
+  not-suspicious: inappropriate-content
+- '3': 1
+  Not Suspicious Traffic: Potential Corporate Privacy Violation
+  not-suspicious: policy-violation
+- '3': 2
+  Not Suspicious Traffic: Attempt to login by a default username and password
+  not-suspicious: default-login-attempt
+- '3': 1
+  Not Suspicious Traffic: Targeted Malicious Activity was Detected
+  not-suspicious: targeted-activity
+- '3': 1
+  Not Suspicious Traffic: Exploit Kit Activity Detected
+  not-suspicious: exploit-kit
+- '3': 2
+  Not Suspicious Traffic: Device Retrieving External IP Address Detected
+  not-suspicious: external-ip-check
+- '3': 1
+  Not Suspicious Traffic: Domain Observed Used for C2 Detected
+  not-suspicious: domain-c2
+- '3': 2
+  Not Suspicious Traffic: Possibly Unwanted Program Detected
+  not-suspicious: pup-activity
+- '3': 1
+  Not Suspicious Traffic: Successful Credential Theft Detected
+  not-suspicious: credential-theft
+- '3': 2
+  Not Suspicious Traffic: Possible Social Engineering Attempted
+  not-suspicious: social-engineering
+- '3': 2
+  Not Suspicious Traffic: Crypto Currency Mining Activity Detected
+  not-suspicious: coin-mining
+- '3': 1
+  Not Suspicious Traffic: Malware Command and Control Activity Detected
+  not-suspicious: command-and-control

salt/suricata/defaults.yaml

@@ -586,4 +586,133 @@ suricata:
     threshold-file: /etc/suricata/threshold.conf
     #include: include1.yaml
     #include: include2.yaml
-    
+  classification:
+    attempted-admin:
+      description: Attempted Administrator Privilege Gain
+      priority: 1
+    attempted-dos:
+      description: Attempted Denial of Service
+      priority: 2
+    attempted-recon:
+      description: Attempted Information Leak
+      priority: 2
+    attempted-user:
+      description: Attempted User Privilege Gain
+      priority: 1
+    bad-unknown:
+      description: Potentially Bad Traffic
+      priority: 2
+    coin-mining:
+      description: Crypto Currency Mining Activity Detected
+      priority: 2
+    command-and-control:
+      description: Malware Command and Control Activity Detected
+      priority: 1
+    credential-theft:
+      description: Successful Credential Theft Detected
+      priority: 1
+    default-login-attempt:
+      description: Attempt to login by a default username and password
+      priority: 2
+    denial-of-service:
+      description: Detection of a Denial of Service Attack
+      priority: 2
+    domain-c2:
+      description: Domain Observed Used for C2 Detected
+      priority: 1
+    exploit-kit:
+      description: Exploit Kit Activity Detected
+      priority: 1
+    external-ip-check:
+      description: Device Retrieving External IP Address Detected
+      priority: 2
+    icmp-event:
+      description: Generic ICMP event
+      priority: 3
+    inappropriate-content:
+      description: Inappropriate Content was Detected
+      priority: 1
+    misc-activity:
+      description: Misc activity
+      priority: 3
+    misc-attack:
+      description: Misc Attack 
+      priority: 2
+    network-scan:
+      description: Detection of a Network Scan
+      priority: 3
+    non-standard-protocol:
+      description: Detection of a non-standard protocol or event
+      priority: 2
+    not-suspicious:
+      description: Not Suspicious Traffic
+      priority: 3
+    policy-violation:
+      description: Potential Corporate Privacy Violation
+      priority: 1
+    protocol-command-decode:
+      description: Generic Protocol Command Decode
+      priority: 3
+    pup-activity:
+      description: Possibly Unwanted Program Detected
+      priority: 2
+    rpc-portmap-decode:
+      description: Decode of an RPC Query
+      priority: 2
+    shellcode-detect:
+      description: Executable code was detected
+      priority: 1
+    social-engineering:
+      description: Possible Social Engineering Attempted
+      priority: 2
+    string-detect:
+      description: A suspicious string was detected
+      priority: 3
+    successful-admin:
+      description: Successful Administrator Privilege Gain
+      priority: 1
+    successful-dos:
+      description: Denial of Service
+      priority: 2
+    successful-recon-largescale:
+      description: Large Scale Information Leak
+      priority: 2
+    successful-recon-limited:
+      description: Information Leak
+      priority: 2
+    successful-user:
+      description: Successful User Privilege Gain
+      priority: 1
+    suspicious-filename-detect:
+      description: A suspicious filename was detected
+      priority: 2
+    suspicious-login:
+      description: An attempted login using a suspicious username was detected
+      priority: 2
+    system-call-detect:
+      description: A system call was detected
+      priority: 2
+    targeted-activity:
+      description: Targeted Malicious Activity was Detected
+      priority: 1
+    tcp-connection:
+      description: A TCP connection was detected
+      priority: 4
+    trojan-activity:
+      description: A Network Trojan was detected
+      priority: 1
+    unknown:
+      description: Unknown Traffic
+      priority: 3
+    unsuccessful-user:
+      description: Unsuccessful User Privilege Gain
+      priority: 1
+    unusual-client-port-connection:
+      description: A client was using an unusual port
+      priority: 2
+    web-application-activity:
+      description: access to a potentially vulnerable web application
+      priority: 2
+    web-application-attack:
+      description: Web Application Attack
+      priority: 1

salt/suricata/files/classification.config.jinja

@@ -0,0 +1,11 @@
+{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context -%}
+{% do salt['defaults.merge'](suricata_defaults.suricata.classification, salt['pillar.get']('suricata:classification', {}), in_place=True) -%}
+#
+# config classification:shortname,short description,priority
+#
+{% for sn, details in suricata_defaults.suricata.classification.items() -%}
+{%   if not details -%}
+{%     do details.update({'description': 'The description is not set', 'priority': '1'}) -%}
+{%   endif -%}
+config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}
+{% endfor -%}

salt/suricata/init.sls

@@ -111,6 +111,14 @@ surithresholding:
     - group: 940
     - template: jinja
 
+classification_config:
+  file.managed:
+    - name: /opt/so/conf/suricata/classification.config
+    - source: salt://suricata/files/classification.config.jinja
+    - user: 940
+    - group: 940
+    - template: jinja
+
 # BPF compilation and configuration
 {% if BPF_NIDS %}
    {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %}
@@ -148,6 +156,7 @@ so-suricata:
     - binds:
       - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
+      - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
       - /nsm/suricata/:/nsm/:rw
@@ -159,10 +168,12 @@ so-suricata:
       - file: surithresholding
       - file: /opt/so/conf/suricata/rules/
       - file: /opt/so/conf/suricata/bpf
+      - file: classification_config
     - require:
       - file: suriconfig
       - file: surithresholding
       - file: suribpf
+      - file: classification_config
 
   {% else %} {# if Suricata isn't enabled, then stop and remove the container #}
     - force: True