m0duspwnens
2020-01-03 13:31:19 -05:00
parent bbd95c977c
commit 7415ed8dd0
4 changed files with 106 additions and 0 deletions


@@ -0,0 +1,32 @@
{% set THRESHOLDING = salt['pillar.get']('thresholding', {}) -%}
{% if THRESHOLDING %}
{%- for EACH_SID in THRESHOLDING.sids %}
{%- for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] %}
{% for EACH_ACTION in ACTIONS_LIST %}
{% if EACH_ACTION == 'threshold' %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
{% elif EACH_ACTION == 'rate_filter' %}
{% if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{% else %}
##### Security Onion does not support drop or reject actions for rate_filter
#####{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{% endif %}
{% elif EACH_ACTION == 'suppress' %}
{% if ACTIONS_LIST[EACH_ACTION].track is defined %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
{% else %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
{% endif %}
{% endif %}
{% endfor -%}
{% endfor -%}
{% endfor -%}
{% else %}
{% endif %}
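Review bot: The suppress branch picks between a scoped and a blanket suppression on `track is defined` alone and never checks `ip`. A pillar entry that sets `ip` but omits or misspells `track` therefore falls to the else line and renders `suppress gen_id …, sig_id …` with no scope, which silences that signature for every host. The opposite case, `track` without `ip`, presumably renders a line ending in a bare `ip`. I would open the branch with `{% if ACTIONS_LIST[EACH_ACTION].track is defined and ACTIONS_LIST[EACH_ACTION].ip is defined %}` and add `{% elif ACTIONS_LIST[EACH_ACTION].track is defined or ACTIONS_LIST[EACH_ACTION].ip is defined %}` that emits a `#####` comment line naming the SID, as the drop/reject case already does. `gen_id` is also interpolated in every branch without a fallback; `{{ ACTIONS_LIST[EACH_ACTION].gen_id | default(1) }}` would keep a missing key from producing `gen_id ,`.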


@@ -70,6 +70,14 @@ suriconfigsync:
- group: 940
- template: jinja
surithresholding:
file.managed:
- name: /opt/so/conf/suricata/threshold.conf
- source: salt://suricata/files/threshold.conf.jinja
- user: 940
- group: 940
- template: jinja
so-suricataimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
@@ -84,9 +92,11 @@ so-suricata:
- INTERFACE={{ interface }}
- binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw
- network_mode: host
- watch:
- file: /opt/so/conf/suricata/suricata.yaml
- file: surithresholding
- file: /opt/so/conf/suricata/rules/
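Review bot: The new bind mounts the rendered file at `/etc/suricata/threshold.conf`, but nothing in these hunks shows `suricata.yaml` pointing at that path. Suricata's stock setting is `threshold-file: /etc/suricata/threshold.config`, so unless one of the other changed files sets `threshold-file: /etc/suricata/threshold.conf`, the thresholds and suppressions would be deployed but never read. Worth confirming, and a comment above `surithresholding` such as `# rendered from the 'thresholding' pillar; must match threshold-file in suricata.yaml` would record the coupling. The so-suricata state starts and ends outside the hunk, so the rest of its options are not visible here.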