diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 695e43f08..9c358b448 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -586,4 +586,133 @@ suricata:
 threshold-file: /etc/suricata/threshold.conf
 #include: include1.yaml
 #include: include2.yaml
-
\ No newline at end of file
+ classification:
+ attempted-admin:
+ description: Attempted Administrator Privilege Gain
+ priority: 1
+ attempted-dos:
+ description: Attempted Denial of Service
+ priority: 2
+ attempted-recon:
+ description: Attempted Information Leak
+ priority: 2
+ attempted-user:
+ description: Attempted User Privilege Gain
+ priority: 1
+ bad-unknown:
+ description: Potentially Bad Traffic
+ priority: 2
+ coin-mining:
+ description: Crypto Currency Mining Activity Detected
+ priority: 2
+ command-and-control:
+ description: Malware Command and Control Activity Detected
+ priority: 1
+ credential-theft:
+ description: Successful Credential Theft Detected
+ priority: 1
+ default-login-attempt:
+ description: Attempt to login by a default username and password
+ priority: 2
+ denial-of-service:
+ description: Detection of a Denial of Service Attack
+ priority: 2
+ domain-c2:
+ description: Domain Observed Used for C2 Detected
+ priority: 1
+ exploit-kit:
+ description: Exploit Kit Activity Detected
+ priority: 1
+ external-ip-check:
+ description: Device Retrieving External IP Address Detected
+ priority: 2
+ icmp-event:
+ description: Generic ICMP event
+ priority: 3
+ inappropriate-content:
+ description: Inappropriate Content was Detected
+ priority: 1
+ misc-activity:
+ description: Misc activity
+ priority: 3
+ misc-attack:
+ description: Misc Attack
+ priority: 2
+ network-scan:
+ description: Detection of a Network Scan
+ priority: 3
+ non-standard-protocol:
+ description: Detection of a non-standard protocol or event
+ priority: 2
+ not-suspicious:
+ description: Not Suspicious Traffic
+ priority: 3
+ policy-violation:
+ description: Potential Corporate Privacy Violation
+ priority: 1
+ protocol-command-decode:
+ description: Generic Protocol Command Decode
+ priority: 3
+ pup-activity:
+ description: Possibly Unwanted Program Detected
+ priority: 2
+ rpc-portmap-decode:
+ description: Decode of an RPC Query
+ priority: 2
+ shellcode-detect:
+ description: Executable code was detected
+ priority: 1
+ social-engineering:
+ description: Possible Social Engineering Attempted
+ priority: 2
+ string-detect:
+ description: A suspicious string was detected
+ priority: 3
+ successful-admin:
+ description: Successful Administrator Privilege Gain
+ priority: 1
+ successful-dos:
+ description: Denial of Service
+ priority: 2
+ successful-recon-largescale:
+ description: Large Scale Information Leak
+ priority: 2
+ successful-recon-limited:
+ description: Information Leak
+ priority: 2
+ successful-user:
+ description: Successful User Privilege Gain
+ priority: 1
+ suspicious-filename-detect:
+ description: A suspicious filename was detected
+ priority: 2
+ suspicious-login:
+ description: An attempted login using a suspicious username was detected
+ priority: 2
+ system-call-detect:
+ description: A system call was detected
+ priority: 2
+ targeted-activity:
+ description: Targeted Malicious Activity was Detected
+ priority: 1
+ tcp-connection:
+ description: A TCP connection was detected
+ priority: 4
+ trojan-activity:
+ description: A Network Trojan was detected
+ priority: 1
+ unknown:
+ description: Unknown Traffic
+ priority: 3
+ unsuccessful-user:
+ description: Unsuccessful User Privilege Gain
+ priority: 1
+ unusual-client-port-connection:
+ description: A client was using an unusual port
+ priority: 2
+ web-application-activity:
+ description: access to a potentially vulnerable web application
+ priority: 2
+ web-application-attack:
+ description: Web Application Attack
+ priority: 1
diff --git a/salt/suricata/files/classification.config.jinja b/salt/suricata/files/classification.config.jinja
new file mode 100644
index 000000000..122cf4baf
--- /dev/null
+++ b/salt/suricata/files/classification.config.jinja
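Review bot: The new `classification:` mapping carries no comment saying what `priority` means or that the map is overridable, so someone reading defaults.yaml on its own cannot tell that Suricata treats 1 as the most severe level, nor that the entries are merged with pillar `suricata:classification` and rendered into classification.config by the template added in this commit. A short header above `classification:` would cover it: `# Suricata classification shortnames rendered into classification.config; pillar suricata:classification is merged over this map. priority: 1 = highest, 4 = lowest.` The description values are plain scalars and are safe as written (none contains `: `, ` #`, a comma or a leading indicator), but an override that introduces such characters would need quoting, which the comment could also say. The enclosing `suricata:` mapping starts well before this hunk.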
@@ -0,0 +1,11 @@ +{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context -%} +{% do salt['defaults.merge'](suricata_defaults.suricata.classification, salt['pillar.get']('suricata:classification', {}), in_place=True) -%} +# +# config classification:shortname,short description,priority +# +{% for sn, details in suricata_defaults.suricata.classification.items() -%} +{% if not details -%} +{% set details = {'description': 'The description is not set', 'priority': '1'} -%} +{% endif -%} +config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}} +{% endfor -%} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 4c2347302..db09e310b 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -111,6 +111,14 @@ surithresholding: - group: 940 - template: jinja +classification_config: + file.managed: + - name: /opt/so/conf/suricata/classification.config + - source: salt://suricata/files/classification.config.jinja + - user: 940 + - group: 940 + - template: jinja + # BPF compilation and configuration {% if BPF_NIDS %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %} @@ -148,6 +156,7 @@ so-suricata: - binds: - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro + - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw - /nsm/suricata/:/nsm/:rw 
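Review bot: The rendered `config classification:` line writes `sn`, the description and the priority straight from the merged pillar map with no validation, so a pillar override with a non-numeric priority, an empty description, or a description containing a newline yields a malformed entry that Suricata will most likely reject when it parses classification.config, and in the newline case an extra unintended line. A minimal guard is to coerce the priority, `{{details.get('priority', '1')|int(1)}}`, and to skip entries whose description contains a newline. The `{% if not details %}` branch covers a null or empty entry but not a scalar one (e.g. `attempted-admin: foo` in pillar), where `details.get` is undefined and the whole state would fail to render; a `details is mapping` test would close that gap. The header comment shows the fields separated by bare commas while the output uses `, `; worth confirming against Suricata's parser that the surrounding whitespace is accepted.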
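Review bot: The state id `classification_config` breaks the `suri*` naming used by the neighbouring states (`surithresholding` in the context above, `suriconfig` and `suribpf` in the watch and require lists of the last hunk), and the same id is repeated in those lists, so a rename has to be applied in all three hunks together; `suriclassification:` would match the existing pattern. The new `file.managed` state does not set `mode`, so the file keeps Salt's default permissions; that is consistent with the visible tail of `surithresholding`, so only worth changing if the rest of that state sets one. The bind mount added in the second hunk is read-only, matching the threshold.conf line above it, which is the right choice for a file the container only needs to read.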
@@ -159,10 +168,12 @@ so-suricata: - file: surithresholding - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf + - file: classification_config - require: - file: suriconfig - file: surithresholding - file: suribpf + - file: classification_config {% else %} {# if Suricata isn't enabled, then stop and remove the container #} - force: True