From 4e7e19af54bad60029f285d9bf2dfccc5a0ec887 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Jul 2020 13:26:27 -0400 Subject: [PATCH 1/4] pillarize zeek node.cfg. change reference from bro to zeek. --- salt/deprecated-bro/files/node.cfg | 22 +++++++++++----------- salt/zeek/files/node.cfg | 30 ++++++++++++++++++------------ setup/so-functions | 6 +++--- setup/so-setup | 2 +- setup/so-whiptail | 2 +- 5 files changed, 34 insertions(+), 28 deletions(-) diff --git a/salt/deprecated-bro/files/node.cfg b/salt/deprecated-bro/files/node.cfg index 6f9608113..804771728 100644 --- a/salt/deprecated-bro/files/node.cfg +++ b/salt/deprecated-bro/files/node.cfg @@ -1,13 +1,13 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %} -{%- if salt['pillar.get']('sensor:bro_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:bro_proxies', '1') %} +{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %} +{%- if salt['pillar.get']('sensor:zeek_proxies') %} + {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} {%- else %} - {%- if salt['pillar.get']('sensor:bro_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} {%- endif %} {%- endif %} [manager] 
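Review bot: The outer guard `{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}` no longer reads the `bro_pins` / `bro_lbprocs` keys that existing sensor pillars were written with, and nothing visible in this patch migrates old pillar files. A sensor whose pillar has not been regenerated would presumably fall through to the `{%- else %}` standalone section instead of the af_packet cluster, silently reducing capture capacity on a busy link. The same lookups are renamed in both hunks of salt/zeek/files/node.cfg and in the second hunk of this file. Consider a fallback such as `salt['pillar.get']('sensor:zeek_pins', salt['pillar.get']('sensor:bro_pins'))` (likewise for `lbprocs` and `proxies`), or a comment at the top of the template stating that the `bro_*` keys are no longer honoured. The template continues past the end of this hunk.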
@@ -28,13 +28,13 @@ host=localhost interface=af_packet::{{ interface }} lb_method=custom -{%- if salt['pillar.get']('sensor:bro_lbprocs') %} -lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }} +{%- if salt['pillar.get']('sensor:zeek_lbprocs') %} +lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }} {%- else %} -lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }} +lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }} {%- endif %} -{%- if salt['pillar.get']('sensor:bro_pins') %} -pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }} +{%- if salt['pillar.get']('sensor:zeek_pins') %} +pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} {%- endif %} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 6f9608113..3ba38cb1b 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg 
@@ -1,15 +1,17 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %} -{%- if salt['pillar.get']('sensor:bro_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:bro_proxies', '1') %} +{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %} + +{%- if salt['pillar.get']('sensor:zeek_proxies') %} + {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} {%- else %} - {%- if salt['pillar.get']('sensor:bro_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} {%- endif %} {%- endif %} + [manager] type=manager host=localhost 
@@ -28,17 +30,21 @@ host=localhost interface=af_packet::{{ interface }} lb_method=custom -{%- if salt['pillar.get']('sensor:bro_lbprocs') %} -lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }} +{%- if salt['pillar.get']('sensor:zeek_lbprocs') %} +lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }} {%- else %} -lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }} +lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }} {%- endif %} -{%- if salt['pillar.get']('sensor:bro_pins') %} -pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }} + +{%- if salt['pillar.get']('sensor:zeek_pins') %} +pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} {%- endif %} + af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH -af_packet_buffer_size=128*1024*1024 +af_packet_buffer_size={{salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} + + {%- else %} [brosa] type=standalone diff --git a/setup/so-functions b/setup/so-functions index 1359ad66d..fdfcf37eb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1322,7 +1322,7 @@ sensor_pillar() { " mainint: $MNIC" >> "$pillar_file" if [ "$NSMSETUP" = 'ADVANCED' ]; then - echo " bro_pins:" >> "$pillar_file" + echo " zeek_pins:" >> "$pillar_file" for PIN in "${BROPINS[@]}"; do PIN=$(echo "$PIN" | cut -d\" -f2) echo " - $PIN" >> "$pillar_file" @@ -1333,10 +1333,10 @@ sensor_pillar() { echo " - $SPIN" >> "$pillar_file" done elif [ "$install_type" = 'HELIXSENSOR' ]; then - echo " bro_lbprocs: $lb_procs" >> "$pillar_file" + echo " zeek_lbprocs: $lb_procs" >> "$pillar_file" echo " suriprocs: $lb_procs" >> "$pillar_file" else - echo " bro_lbprocs: $BASICBRO" >> "$pillar_file" + echo " zeek_lbprocs: $BASICBRO" >> "$pillar_file" echo " suriprocs: $BASICSURI" >> "$pillar_file" fi printf '%s\n'\ diff --git a/setup/so-setup b/setup/so-setup index a5b57f13d..f2db6775a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -281,7 +281,7 @@ if [[ $is_sensor && ! $is_eval ]]; then whiptail_homenet_sensor whiptail_sensor_config if [ $NSMSETUP == 'ADVANCED' ]; then - whiptail_bro_pins + whiptail_zeek_pins whiptail_suricata_pins whiptail_bond_nics_mtu else diff --git a/setup/so-whiptail b/setup/so-whiptail index 008d24e1f..ee9ba5b4b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -42,7 +42,7 @@ whiptail_basic_suri() { } -whiptail_bro_pins() { +whiptail_zeek_pins() { [ -n "$TESTING" ] && return From 38db512edaf93c0bead4403ac2fb68903ae0db29 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Jul 2020 13:29:19 -0400 Subject: [PATCH 2/4] fix spacing --- salt/zeek/files/node.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 3ba38cb1b..6cbdf1052 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg @@ -42,7 +42,7 @@ pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH -af_packet_buffer_size={{salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} +af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} {%- else %} From fd939a06b9bb4ece499068f3502c55aee45814c4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Jul 2020 13:40:40 -0400 Subject: [PATCH 3/4] whitespace cleanup --- salt/zeek/files/node.cfg | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 6cbdf1052..6be5aa5b1 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg 
@@ -1,17 +1,14 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - {%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %} - -{%- if salt['pillar.get']('sensor:zeek_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} -{%- else %} - {%- if salt['pillar.get']('sensor:zeek_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_proxies') %} + {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} + {%- else %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} + {%- endif %} {%- endif %} -{%- endif %} - [manager] type=manager host=localhost @@ -29,22 +26,17 @@ type=worker host=localhost interface=af_packet::{{ interface }} lb_method=custom - -{%- if salt['pillar.get']('sensor:zeek_lbprocs') %} + {%- if salt['pillar.get']('sensor:zeek_lbprocs') %} lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }} -{%- else %} + {%- else %} lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }} -{%- endif %} - -{%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- endif %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} -{%- endif %} - + {%- endif %} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} - - {%- else %} [brosa] type=standalone From f98c497d7963f5822f4c48a003b30371962cd7fa Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 1 Jul 2020 13:43:37 -0400 Subject: [PATCH 4/4] change setup and whiptail back to bro --- setup/so-setup | 2 +- setup/so-whiptail | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index f2db6775a..a5b57f13d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -281,7 +281,7 @@ if [[ $is_sensor && ! $is_eval ]]; then whiptail_homenet_sensor whiptail_sensor_config if [ $NSMSETUP == 'ADVANCED' ]; then - whiptail_zeek_pins + whiptail_bro_pins whiptail_suricata_pins whiptail_bond_nics_mtu else diff --git a/setup/so-whiptail b/setup/so-whiptail index ee9ba5b4b..008d24e1f 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -42,7 +42,7 @@ whiptail_basic_suri() { } -whiptail_zeek_pins() { +whiptail_bro_pins() { [ -n "$TESTING" ] && return