CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12271 from Security-Onion-Solutions/suripcap

Browse Source 
Suricata PCAP
This commit is contained in:
Mike Reeves
2024-03-04 17:27:38 -05:00
committed by GitHub
parent 9fd1653914 fe238755e9
commit 58d222284e
16 changed files with 184 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/global/defaults.yaml Normal file
View File

@@ -0,0 +1,2 @@
global:
pcapengine: STENO

2
salt/global/map.jinja Normal file
View File

@@ -0,0 +1,2 @@
{% import_yaml 'global/defaults.yaml' as GLOBALDEFAULTS %}
{% set GLOBALMERGED = salt['pillar.get']('global', GLOBALDEFAULTS.global, merge=True) %}

7
salt/global/soc_global.yaml
View File

@@ -10,10 +10,15 @@ global:
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR. regexFailureMessage: You must enter a valid IP address or CIDR.
mdengine: mdengine:
description: What engine to use for meta data generation. Options are ZEEK and SURICATA. description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
regex: ^(ZEEK|SURICATA)$ regex: ^(ZEEK|SURICATA)$
regexFailureMessage: You must enter either ZEEK or SURICATA. regexFailureMessage: You must enter either ZEEK or SURICATA.
global: True global: True
pcapengine:
description: Which engine to use for generating pcap. Options are STENO and SURICATA.
regex: ^(STENO|SURICATA)$
regexFailureMessage: You must enter either STENO or SURICATA.
global: True
ids: ids:
description: Which IDS engine to use. Currently only Suricata is supported. description: Which IDS engine to use. Currently only Suricata is supported.
global: True global: True

35
salt/manager/tools/sbin/so-minion
View File

@@ -79,6 +79,30 @@ function getinstallinfo() {
source <(echo $INSTALLVARS) source <(echo $INSTALLVARS)
} }
function pcapspace() {
if [[ "$OPERATION" == "setup" ]]; then
local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n)
else
local NSMSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ')
local ROOTSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ')
if [[ "$NSMSIZE" == "null" ]]; then
# Looks like there is no dedicated nsm partition. Using root
local SPACESIZE=$ROOTSIZE
else
local SPACESIZE=$NSMSIZE
fi
fi
local s=$(( $SPACESIZE / 1000000 ))
local s1=$(( $s / 2 ))
local s2=$(( $s1 / $lb_procs ))
MAXPCAPFILES=$s2
}
function testMinion() { function testMinion() {
# Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone. # Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone.
# Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image. # Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image.
@@ -247,11 +271,17 @@ function add_sensor_to_minion() {
echo " config:" >> $PILLARFILE echo " config:" >> $PILLARFILE
echo " af-packet:" >> $PILLARFILE echo " af-packet:" >> $PILLARFILE
echo " threads: '$CORECOUNT'" >> $PILLARFILE echo " threads: '$CORECOUNT'" >> $PILLARFILE
if [[ $is_pcaplimit ]]; then
echo " output:" >> $PILLARFILE
echo " pcap-log:" >> $PILLARFILE
echo " max-files: '$MAXPCAPFILES'" >> $PILLARFILE
fi
echo "pcap:" >> $PILLARFILE echo "pcap:" >> $PILLARFILE
echo " enabled: True" >> $PILLARFILE echo " enabled: True" >> $PILLARFILE
if [[ $is_pcaplimit ]]; then if [[ $is_pcaplimit ]]; then
echo " config:" >> $PILLARFILE echo " config:" >> $PILLARFILE
echo " diskfreepercentage: 60" >> $PILLARFILE echo " diskfreepercentage: 60" >> $PILLARFILE
pcapspace
fi fi
echo " " >> $PILLARFILE echo " " >> $PILLARFILE
} }
@@ -422,6 +452,7 @@ function updateMine() {
function createEVAL() { function createEVAL() {
is_pcaplimit=true is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion add_elasticsearch_to_minion
add_sensor_to_minion add_sensor_to_minion
add_strelka_to_minion add_strelka_to_minion
@@ -442,6 +473,7 @@ function createEVAL() {
function createSTANDALONE() { function createSTANDALONE() {
is_pcaplimit=true is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion add_elasticsearch_to_minion
add_logstash_to_minion add_logstash_to_minion
add_sensor_to_minion add_sensor_to_minion
@@ -531,6 +563,7 @@ function createIDH() {
function createHEAVYNODE() { function createHEAVYNODE() {
is_pcaplimit=true is_pcaplimit=true
pcapspace
add_elasticsearch_to_minion add_elasticsearch_to_minion
add_elastic_agent_to_minion add_elastic_agent_to_minion
add_logstash_to_minion add_logstash_to_minion
@@ -541,6 +574,8 @@ function createHEAVYNODE() {
} }
function createSENSOR() { function createSENSOR() {
is_pcaplimit=true
pcapspace
add_sensor_to_minion add_sensor_to_minion
add_strelka_to_minion add_strelka_to_minion
add_telegraf_to_minion add_telegraf_to_minion

6
salt/pcap/config.map.jinja
View File

@@ -3,5 +3,11 @@
https://securityonion.net/license; you may not use this file except in compliance with the https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #} Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %} {% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %}
{% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %} {% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %}
{# disable stenographer if the pcap engine is set to SURICATA #}
{% if GLOBALS.pcap_engine == "SURICATA" %}
{% do PCAPMERGED.update({'enabled': False}) %}
{% endif %}

4
salt/sensoroni/enabled.sls
View File

@@ -23,6 +23,10 @@ so-sensoroni:
- /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
{% if GLOBALS.pcap_engine == "SURICATA" %}
- /nsm/suripcap/:/nsm/suripcap:rw
- /nsm/suripcaptmp:/nsm/suripcaptmp:rw
{% endif %}
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}

10
salt/sensoroni/files/sensoroni.json
View File

@@ -1,6 +1,7 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'sensoroni/map.jinja' import SENSORONIMERGED %} {%- from 'sensoroni/map.jinja' import SENSORONIMERGED %}
{%- from 'pcap/config.map.jinja' import PCAPMERGED %} {%- from 'pcap/config.map.jinja' import PCAPMERGED %}
{%- from 'suricata/map.jinja' import SURICATAMERGED %}
{ {
"logFilename": "/opt/sensoroni/logs/sensoroni.log", "logFilename": "/opt/sensoroni/logs/sensoroni.log",
"logLevel":"info", "logLevel":"info",
@@ -23,6 +24,8 @@
"importer": {}, "importer": {},
"statickeyauth": { "statickeyauth": {
"apiKey": "{{ GLOBALS.sensoroni_key }}" "apiKey": "{{ GLOBALS.sensoroni_key }}"
{#- if PCAPMERGED.enabled is true then we know that steno is the pcap engine #}
{#- if it is false, then user has steno disabled in ui or has selected suricata for pcap engine #}
{%- if PCAPMERGED.enabled %} {%- if PCAPMERGED.enabled %}
}, },
"stenoquery": { "stenoquery": {
@@ -30,6 +33,13 @@
"pcapInputPath": "/nsm/pcap", "pcapInputPath": "/nsm/pcap",
"pcapOutputPath": "/nsm/pcapout" "pcapOutputPath": "/nsm/pcapout"
} }
{%- elif GLOBALS.pcap_engine == "SURICATA" and SURICATAMERGED.enabled %}
},
"suriquery": {
"executablePath": "/opt/sensoroni/scripts/suriquery.sh",
"pcapInputPath": "/nsm/suripcap",
"pcapOutputPath": "/nsm/pcapout"
}
{%- else %} {%- else %}
} }
{%- endif %} {%- endif %}

10
salt/suricata/defaults.yaml
View File

@@ -128,6 +128,16 @@ suricata:
enabled: "no" enabled: "no"
pcap-log: pcap-log:
enabled: "no" enabled: "no"
compression: "none"
lz4-checksum: "no"
lz4-level: 8
filename: "%n/so-pcap.%t"
limit: "1000mb"
mode: "multi"
max-files: 10
use-stream-depth: "no"
conditional: "all"
dir: "/nsm/suripcap"
alert-debug: alert-debug:
enabled: "no" enabled: "no"
alert-prelude: alert-prelude:

6
salt/suricata/enabled.sls
View File

@@ -12,6 +12,9 @@
include: include:
- suricata.config - suricata.config
- suricata.sostatus - suricata.sostatus
{% if GLOBALS.pcap_engine == "SURICATA" %}
- suricata.pcap
{% endif %}
so-suricata: so-suricata:
docker_container.running: docker_container.running:
@@ -33,6 +36,9 @@ so-suricata:
- /nsm/suricata/:/nsm/:rw - /nsm/suricata/:/nsm/:rw
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
{% if GLOBALS.pcap_engine == "SURICATA" %}
- /nsm/suripcap/:/nsm/suripcap:rw
{% endif %}
{% if DOCKER.containers['so-suricata'].custom_bind_mounts %} {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}

5
salt/suricata/map.jinja
View File

@@ -60,6 +60,11 @@
{% do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} {% do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
{% endif %} {% endif %}
{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
{% if GLOBALS.pcap_engine == "SURICATA" %}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
{% endif %}
{# outputs is a list but we convert to dict in defaults to work with ui #} {# outputs is a list but we convert to dict in defaults to work with ui #}
{# below they are converted back to lists #} {# below they are converted back to lists #}
{% load_yaml as outputs %} {% load_yaml as outputs %}

22
salt/suricata/pcap.sls Normal file
View File

@@ -0,0 +1,22 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'suricata/map.jinja' import SURICATAMERGED %}
suripcapdir:
file.directory:
- name: /nsm/suripcap
- user: 940
- group: 939
- mode: 755
- makedirs: True
{# there should only be 1 interface in af-packet so we can just reference the first list item #}
{% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}
suripcapthread{{i}}dir:
file.directory:
- name: /nsm/suripcap/{{i}}
- user: 940
- group: 939
- mode: 755
{% endfor %}

57
salt/suricata/soc_suricata.yaml
View File

@@ -52,6 +52,7 @@ suricata:
set-cpu-affinity: set-cpu-affinity:
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
regex: ^(yes|no)$ regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html helpLink: suricata.html
cpu-affinity: cpu-affinity:
management-cpu-set: management-cpu-set:
@@ -161,6 +162,59 @@ suricata:
header: header:
description: Header name where the actual IP address will be reported. description: Header name where the actual IP address will be reported.
helpLink: suricata.html helpLink: suricata.html
pcap-log:
enabled:
description: This value is ignored by SO. pcapengine in globals takes precidence.
readonly: True
helpLink: suricata.html
advanced: True
compression:
description: Enable compression of Suricata PCAP. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
lz4-checksum:
description: Enable PCAP lz4 checksum. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
lz4-level:
description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
filename:
description: Filename output for Suricata PCAP.
advanced: True
readonly: True
helpLink: suricata.html
limit:
description: File size limit per thread. To determine max PCAP size multiple threads x max-files x limit.
helpLink: suricata.html
mode:
description: Suricata PCAP mode. Currently only multi is supported.
advanced: True
readonly: True
helpLink: suricata.html
max-files:
description: Max PCAP files per thread. To determine max PCAP size multiple threads x max-files x limit.
helpLink: suricata.html
use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
conditional:
description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
regex: ^(all|alert|tag)$
regexFailureMessage: You must enter either all, alert or tag.
helpLink: suricata.html
dir:
description: Parent directory to store PCAP.
advanced: True
readonly: True
helpLink: suricata.html
asn1-max-frames: asn1-max-frames:
description: Maximum nuber of asn1 frames to decode. description: Maximum nuber of asn1 frames to decode.
helpLink: suricata.html helpLink: suricata.html
@@ -217,6 +271,9 @@ suricata:
memcap: memcap:
description: Can be specified in kb,mb,gb. description: Can be specified in kb,mb,gb.
helpLink: suricata.html helpLink: suricata.html
depth:
description: Controls how far into a stream that reassembly is done.
helpLink: suricata.html
host: host:
hash-size: hash-size:
description: Hash size in bytes. description: Hash size in bytes.

2
salt/telegraf/config.sls
View File

@@ -41,6 +41,8 @@ tgraf_sync_script_{{script}}:
- mode: 770 - mode: 770
- template: jinja - template: jinja
- source: salt://telegraf/scripts/{{script}} - source: salt://telegraf/scripts/{{script}}
- defaults:
GLOBALS: {{ GLOBALS }}
{% endfor %} {% endfor %}
telegraf_sbin: telegraf_sbin:

7
salt/telegraf/map.jinja
View File

@@ -14,4 +14,11 @@
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %} {% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %} {% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
{% endif %} {% endif %}
{% from 'pcap/config.map.jinja' import PCAPMERGED %}
{# PCAPMERGED.enabled is set false in soc ui or if suricata is the pcap engine #}
{% if not PCAPMERGED.enabled %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('stenoloss.sh') %}
{% endif %}
{% endif %} {% endif %}

8
salt/telegraf/scripts/oldpcap.sh
View File

@@ -5,13 +5,17 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- if GLOBALS.pcap_engine == "SURICATA" %}
PCAPLOC=/host/nsm/suripcap
{%- else %}
PCAPLOC=/host/nsm/pcap
{%- endif %}
# if this script isn't already running # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
# Get the data # Get the data
OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'}) OLDPCAP=$(find $PCAPLOC -type f -exec stat -c'%n %Z' {} + | sort | grep -v "/\." | head -n 1 | awk {'print $2'})
DATE=$(date +%s) DATE=$(date +%s)
AGE=$(($DATE - $OLDPCAP)) AGE=$(($DATE - $OLDPCAP))

2
salt/vars/globals.map.jinja
View File

@@ -1,5 +1,6 @@
{% import 'vars/init.map.jinja' as INIT %} {% import 'vars/init.map.jinja' as INIT %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'global/map.jinja' import GLOBALMERGED %}
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #} {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -20,6 +21,7 @@
'influxdb_host': INIT.PILLAR.global.influxdb_host, 'influxdb_host': INIT.PILLAR.global.influxdb_host,
'manager_ip': INIT.PILLAR.global.managerip, 'manager_ip': INIT.PILLAR.global.managerip,
'md_engine': INIT.PILLAR.global.mdengine, 'md_engine': INIT.PILLAR.global.mdengine,
'pcap_engine': GLOBALMERGED.pcapengine,
'pipeline': INIT.PILLAR.global.pipeline, 'pipeline': INIT.PILLAR.global.pipeline,
'so_version': INIT.PILLAR.global.soversion, 'so_version': INIT.PILLAR.global.soversion,
'so_docker_gateway': DOCKER.gateway, 'so_docker_gateway': DOCKER.gateway,