CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-02-20 14:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12271 from Security-Onion-Solutions/suripcap

Browse Source 
Suricata PCAP
This commit is contained in:
Mike Reeves
2024-03-04 17:27:38 -05:00
committed by GitHub
parent 9fd1653914 fe238755e9
commit 58d222284e
16 changed files with 184 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
salt/manager/tools/sbin/so-minion
View File

@@ -79,6 +79,30 @@ function getinstallinfo() {
source <(echo $INSTALLVARS)
}
function pcapspace() {
if [[ "$OPERATION" == "setup" ]]; then
local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n)
else
local NSMSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ')
local ROOTSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ')
if [[ "$NSMSIZE" == "null" ]]; then
# Looks like there is no dedicated nsm partition. Using root
local SPACESIZE=$ROOTSIZE
else
local SPACESIZE=$NSMSIZE
fi
fi
local s=$(( $SPACESIZE / 1000000 ))
local s1=$(( $s / 2 ))
local s2=$(( $s1 / $lb_procs ))
MAXPCAPFILES=$s2
}
function testMinion() {
# Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone.
# Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image.
@@ -247,11 +271,17 @@ function add_sensor_to_minion() {
echo " config:" >> $PILLARFILE
echo " af-packet:" >> $PILLARFILE
echo " threads: '$CORECOUNT'" >> $PILLARFILE
if [[ $is_pcaplimit ]]; then
echo " output:" >> $PILLARFILE
echo " pcap-log:" >> $PILLARFILE
echo " max-files: '$MAXPCAPFILES'" >> $PILLARFILE
fi
echo "pcap:" >> $PILLARFILE
echo " enabled: True" >> $PILLARFILE
if [[ $is_pcaplimit ]]; then
echo " config:" >> $PILLARFILE
echo " diskfreepercentage: 60" >> $PILLARFILE
pcapspace
fi
echo " " >> $PILLARFILE
}
@@ -422,6 +452,7 @@ function updateMine() {
function createEVAL() {
is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion
add_sensor_to_minion
add_strelka_to_minion
@@ -442,6 +473,7 @@ function createEVAL() {
function createSTANDALONE() {
is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion
add_logstash_to_minion
add_sensor_to_minion
@@ -531,6 +563,7 @@ function createIDH() {
function createHEAVYNODE() {
is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion
add_elastic_agent_to_minion
add_logstash_to_minion
@@ -541,6 +574,8 @@ function createHEAVYNODE() {
}
function createSENSOR() {
is_pcaplimit=true
pcapspace
add_sensor_to_minion
add_strelka_to_minion
add_telegraf_to_minion