CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8014 from Security-Onion-Solutions/issue/7918

Browse Source 
manage suricata classifications.config
This commit is contained in:
Josh Patterson
2022-05-26 13:13:03 -04:00
committed by GitHub
parent 1a0ac4d253 53d6e1d30d
commit 76bb1fbbcc
3 changed files with 152 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
salt/suricata/defaults.yaml
View File

@@ -586,4 +586,133 @@ suricata:
threshold-file: /etc/suricata/threshold.conf threshold-file: /etc/suricata/threshold.conf
#include: include1.yaml #include: include1.yaml
#include: include2.yaml #include: include2.yaml
classification:
attempted-admin:
description: Attempted Administrator Privilege Gain
priority: 1
attempted-dos:
description: Attempted Denial of Service
priority: 2
attempted-recon:
description: Attempted Information Leak
priority: 2
attempted-user:
description: Attempted User Privilege Gain
priority: 1
bad-unknown:
description: Potentially Bad Traffic
priority: 2
coin-mining:
description: Crypto Currency Mining Activity Detected
priority: 2
command-and-control:
description: Malware Command and Control Activity Detected
priority: 1
credential-theft:
description: Successful Credential Theft Detected
priority: 1
default-login-attempt:
description: Attempt to login by a default username and password
priority: 2
denial-of-service:
description: Detection of a Denial of Service Attack
priority: 2
domain-c2:
description: Domain Observed Used for C2 Detected
priority: 1
exploit-kit:
description: Exploit Kit Activity Detected
priority: 1
external-ip-check:
description: Device Retrieving External IP Address Detected
priority: 2
icmp-event:
description: Generic ICMP event
priority: 3
inappropriate-content:
description: Inappropriate Content was Detected
priority: 1
misc-activity:
description: Misc activity
priority: 3
misc-attack:
description: Misc Attack
priority: 2
network-scan:
description: Detection of a Network Scan
priority: 3
non-standard-protocol:
description: Detection of a non-standard protocol or event
priority: 2
not-suspicious:
description: Not Suspicious Traffic
priority: 3
policy-violation:
description: Potential Corporate Privacy Violation
priority: 1
protocol-command-decode:
description: Generic Protocol Command Decode
priority: 3
pup-activity:
description: Possibly Unwanted Program Detected
priority: 2
rpc-portmap-decode:
description: Decode of an RPC Query
priority: 2
shellcode-detect:
description: Executable code was detected
priority: 1
social-engineering:
description: Possible Social Engineering Attempted
priority: 2
string-detect:
description: A suspicious string was detected
priority: 3
successful-admin:
description: Successful Administrator Privilege Gain
priority: 1
successful-dos:
description: Denial of Service
priority: 2
successful-recon-largescale:
description: Large Scale Information Leak
priority: 2
successful-recon-limited:
description: Information Leak
priority: 2
successful-user:
description: Successful User Privilege Gain
priority: 1
suspicious-filename-detect:
description: A suspicious filename was detected
priority: 2
suspicious-login:
description: An attempted login using a suspicious username was detected
priority: 2
system-call-detect:
description: A system call was detected
priority: 2
targeted-activity:
description: Targeted Malicious Activity was Detected
priority: 1
tcp-connection:
description: A TCP connection was detected
priority: 4
trojan-activity:
description: A Network Trojan was detected
priority: 1
unknown:
description: Unknown Traffic
priority: 3
unsuccessful-user:
description: Unsuccessful User Privilege Gain
priority: 1
unusual-client-port-connection:
description: A client was using an unusual port
priority: 2
web-application-activity:
description: access to a potentially vulnerable web application
priority: 2
web-application-attack:
description: Web Application Attack
priority: 1

11
salt/suricata/files/classification.config.jinja Normal file
View File

@@ -0,0 +1,11 @@
{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context -%}
{% do salt['defaults.merge'](suricata_defaults.suricata.classification, salt['pillar.get']('suricata:classification', {}), in_place=True) -%}
#
# config classification:shortname,short description,priority
#
{% for sn, details in suricata_defaults.suricata.classification.items() -%}
{% if not details -%}
{% set details = {'description': 'The description is not set', 'priority': '1'} -%}
{% endif -%}
config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}
{% endfor -%}

11
salt/suricata/init.sls
View File

@@ -111,6 +111,14 @@ surithresholding:
- group: 940 - group: 940
- template: jinja - template: jinja
classification_config:
file.managed:
- name: /opt/so/conf/suricata/classification.config
- source: salt://suricata/files/classification.config.jinja
- user: 940
- group: 940
- template: jinja
# BPF compilation and configuration # BPF compilation and configuration
{% if BPF_NIDS %} {% if BPF_NIDS %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %}
@@ -148,6 +156,7 @@ so-suricata:
- binds: - binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw - /opt/so/log/suricata/:/var/log/suricata/:rw
- /nsm/suricata/:/nsm/:rw - /nsm/suricata/:/nsm/:rw
@@ -159,10 +168,12 @@ so-suricata:
- file: surithresholding - file: surithresholding
- file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/rules/
- file: /opt/so/conf/suricata/bpf - file: /opt/so/conf/suricata/bpf
- file: classification_config
- require: - require:
- file: suriconfig - file: suriconfig
- file: surithresholding - file: surithresholding
- file: suribpf - file: suribpf
- file: classification_config
{% else %} {# if Suricata isn't enabled, then stop and remove the container #} {% else %} {# if Suricata isn't enabled, then stop and remove the container #}
- force: True - force: True