From 5fba3c58721fc9620d1bfba2392a5be47ba11486 Mon Sep 17 00:00:00 2001
From: Wes
Date: Thu, 2 Feb 2023 14:48:01 +0000
Subject: [PATCH] Add Suricata metadata configuration
---
 salt/suricata/suricata_config.map.jinja | 34 +++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja
index 2a03f5fbb..fb4c22af3 100644
--- a/salt/suricata/suricata_config.map.jinja
+++ b/salt/suricata/suricata_config.map.jinja
@@ -1,6 +1,11 @@
 {% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context %}
+{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %}
 {% set suricata_pillar = pillar.suricata %}
 {% set surimerge = salt['defaults.merge'](suricata_defaults, suricata_pillar, in_place=False) %}
+{% set default_evelog_index = [] %}
+{% set default_filestore_index = [] %}
+{% set surimeta_evelog_index = [] %}
+{% set surimeta_filestore_index = [] %}
 {% load_yaml as afpacket %}
 - interface: {{ surimerge.suricata.config['af-packet'].interface }}
 
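Review bot: The four `{% set ... = [] %}` lines carry no explanation of why index holders are declared as lists at the top of the file, and they are later rebound to scalars by `[0]` in the second hunk, which a reader scanning only this part of the template will not expect. The list-append pattern is the usual workaround for Jinja's rule that a `for` body cannot rebind a variable from the enclosing scope, so a one-line comment would save the next maintainer from "simplifying" them into plain variables: `{# Index holders: a Jinja for-loop cannot rebind outer scalars, so matching output indexes are collected by append and unpacked below #}`. Jinja 2.10+ offers `namespace()` for exactly this, which would remove the lists and the `[0]` rebinding entirely; worth considering if the Salt Jinja in use supports it. The rest of this template lies outside the hunk.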
@@ -20,3 +25,32 @@
 {% endfor %}
 {% endload %}
 {% do suricata_defaults.suricata.config.update({'outputs': outputs}) %}
+
+{# Find the index of eve-log so it can be updated later #}
+{% for li in suricata_defaults.suricata.config.outputs %}
+ {% if 'eve-log' in li.keys() %}
+ {% do default_evelog_index.append(loop.index0) %}
+ {% endif %}
+ {% if 'file-store' in li.keys() %}
+ {% do default_filestore_index.append(loop.index0) %}
+ {% endif %}
+{% endfor %}
+{% set default_evelog_index = default_evelog_index[0] %}
+{% set default_filestore_index = default_filestore_index[0] %}
+
+{# Find the index of eve-log so it can be grabbed later #}
+{% for li in suricata_meta.suricata.config.outputs %}
+ {% if 'eve-log' in li.keys() %}
+ {% do surimeta_evelog_index.append(loop.index0) %}
+ {% endif %}
+ {% if 'file-store' in li.keys() %}
+ {% do surimeta_filestore_index.append(loop.index0) %}
+ {% endif %}
+{% endfor %}
+{% set surimeta_evelog_index = surimeta_evelog_index[0] %}
+{% set surimeta_filestore_index = surimeta_filestore_index[0] %}
+
+{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
+ {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
+ {% do suricata_defaults.suricata.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_meta.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
+{% endif %}
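Review bot: The four `{% set ... = ..._index[0] %}` lines index lists that are empty whenever `defaults.yaml` or `suricata_meta.yaml` lacks an `eve-log` or `file-store` entry under `outputs`; if I read Jinja's item lookup correctly, `[0]` on an empty list yields an undefined value rather than failing here, so the breakage only surfaces at the `.types.extend(...)` or `.update(...)` line as an UndefinedError that names neither file, and only when `global:mdengine` is `SURICATA`. A guard right after each pair of `[0]` lines would fail fast with a useful message, e.g. `{% if not default_evelog_index or not default_filestore_index %}{{ raise('suricata/defaults.yaml must define eve-log and file-store outputs') }}{% endif %}` (Salt's Jinja exposes `raise` for this; the same line with the `surimeta_*` lists covers the metadata file). The second loop's comment says it finds only `eve-log` although it also records `file-store`; `{# Find the indexes of eve-log and file-store in the metadata overlay so they can be merged below #}` describes it accurately. As a style point, `'eve-log' in li.keys()` reads more naturally as `'eve-log' in li`. Whatever consumes the mutated `suricata_defaults` after this point lies outside the hunk, so I cannot confirm the extended `types` list is what is finally rendered.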