From 7415ed8dd080ba68067986e9f9931e72f2cbc0d5 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 3 Jan 2020 13:31:19 -0500
Subject: [PATCH] manage threshold.conf with Salt -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/127

---
 pillar/thresholding/pillar.example       | 44 ++++++++++++++++++++++++
 pillar/thresholding/pillar.usage         | 20 +++++++++++
 salt/suricata/files/threshold.conf.jinja | 32 +++++++++++++++++
 salt/suricata/init.sls                   | 10 ++++++
 4 files changed, 106 insertions(+)
 create mode 100644 pillar/thresholding/pillar.example
 create mode 100644 pillar/thresholding/pillar.usage
 create mode 100644 salt/suricata/files/threshold.conf.jinja

diff --git a/pillar/thresholding/pillar.example b/pillar/thresholding/pillar.example
new file mode 100644
index 000000000..705cb606c
--- /dev/null
+++ b/pillar/thresholding/pillar.example
@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    8675309:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    11223344:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24
diff --git a/pillar/thresholding/pillar.usage b/pillar/thresholding/pillar.usage
new file mode 100644
index 000000000..1626433b1
--- /dev/null
+++ b/pillar/thresholding/pillar.usage
@@ -0,0 +1,20 @@
+thresholding:
+  sids:
+    <signature id>:
+      - threshold:
+          gen_id: <generator id>
+          type: <threshold | limit | both>
+          track: <by_src | by_dst>
+          count: <count>
+          seconds: <seconds>
+      - rate_filter:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_rule | by_both>
+          count: <count>
+          seconds: <seconds>
+          new_action: <alert | pass>
+          timeout: <seconds>
+      - suppress:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_either>
+          ip: <ip | subnet>
diff --git a/salt/suricata/files/threshold.conf.jinja b/salt/suricata/files/threshold.conf.jinja
new file mode 100644
index 000000000..6c40f6cb9
--- /dev/null
+++ b/salt/suricata/files/threshold.conf.jinja
@@ -0,0 +1,32 @@
+{% set THRESHOLDING  = salt['pillar.get']('thresholding', {}) -%}
+
+{% if THRESHOLDING %}
+{%- for EACH_SID in THRESHOLDING.sids %}
+  {%- for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] %}
+    {% for EACH_ACTION in ACTIONS_LIST %}
+      
+      {% if EACH_ACTION == 'threshold' %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
+      
+      {% elif EACH_ACTION == 'rate_filter' %}
+        {% if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
+        {% else %}
+##### Security Onion does not support drop or reject actions for rate_filter
+#####{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
+        {% endif %}
+      
+      {% elif EACH_ACTION == 'suppress' %}
+        {% if ACTIONS_LIST[EACH_ACTION].track is defined %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
+        {% else %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
+        {% endif %}
+      
+      {% endif %}
+    {% endfor -%}
+  {% endfor -%}
+{% endfor -%}
+{% else %}
+
+{% endif %}
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a30010d5e..ac876212c 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -70,6 +70,14 @@ suriconfigsync:
     - group: 940
     - template: jinja
 
+surithresholding:
+  file.managed:
+    - name: /opt/so/conf/suricata/threshold.conf
+    - source: salt://suricata/files/threshold.conf.jinja
+    - user: 940
+    - group: 940
+    - template: jinja
+
 so-suricataimage:
  cmd.run:
    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
@@ -84,9 +92,11 @@ so-suricata:
       - INTERFACE={{ interface }}
     - binds:
       - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
+      - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
     - network_mode: host
     - watch:
       - file: /opt/so/conf/suricata/suricata.yaml
+      - file: surithresholding
       - file: /opt/so/conf/suricata/rules/