PulledPork Salt Module

2025-12-06 17:22:49 +01:00 · 2018-02-07 10:48:53 -05:00
parent 8db0269051
commit 7826705469
6 changed files with 386 additions and 1 deletions
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -38,9 +38,12 @@ dockernet:
    - name: so-elastic-net
    - driver: bridge
 toosmooth/so-core:test2:
  docker_image.present
 so-core:
  docker_container.running:
-    - image: toosmooth/so-bro:test1
+    - image: toosmooth/so-core:test2
    - hostname: so-core
    - user: socore
    - binds:
--- a/salt/pulledpork/etc/disablesid.conf
+++ b/salt/pulledpork/etc/disablesid.conf
@@ -0,0 +1,38 @@
 # example disablesid.conf V3.1
 # Example of modifying state for individual rules
 # 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
 # Example of modifying state for rule ranges
 # 1:220-1:3264,3:13010-3:13013
 # Comments are allowed in this file, and can also be on the same line
 # As the modify state syntax, as long as it is a trailing comment
 # 1:1011 # I Disabled this rule because I could!
 # Example of modifying state for MS and cve rules, note the use of the : 
 # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
 # and all MS00 and all cve 2000 related sids!  These support regular expression
 # matching only after you have specified what you are looking for, i.e. 
 # MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
 # expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
 # for this.
 # MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
 # Example of using the pcre: keyword to modify rulestate.  the pcre keyword 
 # allows for full use of regular expression syntax, you do not need to designate
 # with / and all pcre searches are treated as case insensitive. For more information 
 # about regular expression syntax: http://www.regular-expressions.info/
 # The following example modifies state for all MS07 through MS10 
 # pcre:MS(0[7-9]|10)-\d+
 # Example of modifying state for specific categories entirely (see README.CATEGORIES)
 # VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
 # Any of the above values can be on a single line or multiple lines, when 
 # on a single line they simply need to be separated by a ,
 # 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
 # The modifications in this file are for sample/example purposes only and
 # should not actively be used, you need to modify this file to fit your 
 # environment.
--- a/salt/pulledpork/etc/dropsid.conf
+++ b/salt/pulledpork/etc/dropsid.conf
@@ -0,0 +1,42 @@
 # example dropsid.conf V3.1
 #
 # Note: This file is used to specify what rules you wish to be set to have
 # an action of drop rather than alert.  This means that you are running
 # snort inline (more info about inline deployments at snort.org).
 # Example of modifying state for individual rules
 # 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
 # Example of modifying state for rule ranges
 # 1:220-1:3264,3:13010-3:13013
 # Comments are allowed in this file, and can also be on the same line
 # As the modify state syntax, as long as it is a trailing comment
 # 1:1011 # I Disabled this rule because I could!
 # Example of modifying state for MS and cve rules, note the use of the : 
 # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
 # and all MS00 and all cve 2000 related sids!  These support regular expression
 # matching only after you have specified what you are looking for, i.e. 
 # MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
 # expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
 # for this.
 # MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
 # Example of using the pcre: keyword to modify rulestate.  the pcre keyword 
 # allows for full use of regular expression syntax, you do not need to designate
 # with / and all pcre searches are treated as case insensitive. For more information 
 # about regular expression syntax: http://www.regular-expressions.info/
 # The following example modifies state for all MS07 through MS10 
 # pcre:MS(0[7-9]|10)-\d+
 # Example of modifying state for specific categories entirely (see README.CATEGORIES)
 # VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
 # Any of the above values can be on a single line or multiple lines, when 
 # on a single line they simply need to be separated by a ,
 # 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
 # The modifications in this file are for sample/example purposes only and
 # should not actively be used, you need to modify this file to fit your 
 # environment.
--- a/salt/pulledpork/etc/enablesid.conf
+++ b/salt/pulledpork/etc/enablesid.conf
@@ -0,0 +1,48 @@
 # example enablesid.conf v3.1
 # SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file 
 # will be set back to their ORIGINAL state as it was read when they were 
 # originally extracted from the source tarball!
 # Example of modifying state for individual rules
 # 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
 # Example of modifying state for rule ranges
 # 1:220-1:3264,3:13010-3:13013
 # Comments are allowed in this file, and can also be on the same line
 # As the modify state syntax, as long as it is a trailing comment
 # 1:1011 # I Disabled this rule because I could!
 # Example of modifying state for MS and cve rules, note the use of the : 
 # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
 # and all MS00 and all cve 2000 related sids!  These support regular expression
 # matching only after you have specified what you are looking for, i.e. 
 # MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
 # expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
 # for this.
 # MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
 # Example of using the pcre: keyword to modify rulestate.  the pcre keyword 
 # allows for full use of regular expression syntax, you do not need to designate
 # with / and all pcre searches are treated as case insensitive. For more information 
 # about regular expression syntax: http://www.regular-expressions.info/
 # The following example modifies state for all MS07 through MS10 
 # pcre:MS(0[7-9]|10)-\d+
 # FOR TESTING ONLY:
 # The following will enable ALL signatures for which Pulledpork has been configured
 # to download
 # pcre:.
 # Example of modifying state for specific categories entirely (see README.CATEGORIES)
 # VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
 # Any of the above values can be on a single line or multiple lines, when 
 # on a single line they simply need to be separated by a ,
 # 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
 # The modifications in this file are for sample/example purposes only and
 # should not actively be used, you need to modify this file to fit your 
 # environment.
--- a/salt/pulledpork/etc/modifysid.conf
+++ b/salt/pulledpork/etc/modifysid.conf
@@ -0,0 +1,40 @@
 # example modifysid.conf v1.1 2/18/2011 Alan Ptak
 #
 # Change history:
 # -----------------------------------------------
 # v1.1 2/18/2011  Alan Ptak
 # - Inserted comments around example elements that would otherwise modify rules
 #
 # v1.0 7/25/2010 JJC
 # - original release
 # -----------------------------------------------
 #
 # formatting is simple
 # <sid or sid list> "what I'm replacing" "what I'm replacing it with"
 #
 # Note that this will only work with GID:1 rules, simply because modifying
 # GID:3 stub rules would not actually affect the rule, thusly it will remain
 # non modifyable!
 #
 # If you are attempting to change rulestate (enable,drop,disable) from here
 # then you are doing it wrong, it is much more efficient to do so from within 
 # the respective rulestate modification configuration files, please see doc/
 # and the README file!
 # the following applies to sid 10010 only and represents what would normally
 # be s/to_client/from_server/
 # 10010 "to_client" "from_server"
 # the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
 # rules
 # "HTTP_PORTS" "HTTPS_PORTS"
 # multiple sids can be specified as noted below:
 # 302,429,1821 "\$EXTERNAL_NET" "$HOME_NET"
 # example of modification of a rule to make snortsam BLOCK the rule:
 # note that one rule changes from alert to BLOCK and that the other 
 # modifies the msg:" field value so that when the alert occurs it is noted
 # that it is a SNORTSAM block rule!
 # 17803 "\(msg:"" "\(msg:"SNORTSAM ";
 # 17803 "^\s*alert" "BLOCK";
--- a/salt/pulledpork/etc/pulledpork.conf
+++ b/salt/pulledpork/etc/pulledpork.conf
@@ -0,0 +1,214 @@
 # Config file for pulledpork
 # Be sure to read through the entire configuration file
 # If you specify any of these items on the command line, it WILL take 
 # precedence over any value that you specify in this file!
 #######
 #######  The below section defines what your oinkcode is (required for 
 #######  VRT rules), defines a temp path (must be writable) and also 
 #######  defines what version of rules that you are getting (for your 
 #######  snort version and subscription etc...)
 ####### 
 # You can specify one or as many rule_urls as you like, they 
 # must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
 # each on an individual line, or you can specify them in a , separated list
 # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
 # note that the url, rule file, and oinkcode itself are separated by a pipe |
 # i.e. url|tarball|123456789, 
 rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
 # NEW Community ruleset:
 rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
 # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
 # This format MUST be followed to let pulledpork know that this is a blacklist
 rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|open
 # URL for rule documentation! (slow to process)
 rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource
 # THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
 # and open-nogpl, to avoid conflicts.
 #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl
 # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
 # and the et oinkcode requirement!
 #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
 # NOTE above that the VRT snortrules-snapshot does not contain the version
 # portion of the tarball name, this is because PP now automatically populates
 # this value for you, if, however you put the version information in, PP will
 # NOT populate this value but will use your value!
 # Specify rule categories to ignore from the tarball in a comma separated list
 # with no spaces.  There are four ways to do this:
 # 1) Specify the category name with no suffix at all to ignore the category
 #    regardless of what rule-type it is, ie: netbios
 # 2) Specify the category name with a '.rules' suffix to ignore only gid 1
 #    rulefiles located in the /rules directory of the tarball, ie: policy.rules
 # 3) Specify the category name with a '.preproc' suffix to ignore only
 #    preprocessor rules located in the /preproc_rules directory of the tarball,
 #    ie: sensitive-data.preproc
 # 4) Specify the category name with a '.so' suffix to ignore only shared-object
 #    rules located in the /so_rules directory of the tarball, ie: netbios.so
 # The example below ignores dos rules wherever they may appear, sensitive-
 # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
 # and netbios gid-1 rules (while including netbios so-rules):
 # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
 # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
 ignore=deleted.rules,experimental.rules,local.rules
 # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
 # previous ignore line and uncomment the following!
 # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
 # What is our temp path, be sure this path has a bit of space for rule 
 # extraction and manipulation, no trailing slash
 temp_path=/tmp
 #######
 #######  The below section is for rule processing.  This section is 
 #######  required if you are not specifying the configuration using
 #######  runtime switches.  Note that runtime switches do SUPERSEED 
 #######  any values that you have specified here!
 #######
 # What path you want the .rules file containing all of the processed 
 # rules? (this value has changed as of 0.4.0, previously we copied 
 # all of the rules, now we are creating a single large rules file
 # but still keeping a separate file for your so_rules!
 rule_path=/usr/local/etc/snort/rules/snort.rules
 # What path you want the .rules files to be written to, this is UNIQUE
 # from the rule_path and cannot be used in conjunction, this is to be used with the
 # -k runtime flag, this can be set at runtime using the -K flag or specified
 # here.  If specified here, the -k option must also be passed at runtime, however
 # specifying -K <path> at runtime forces the -k option to also be set
 # out_path=/usr/local/etc/snort/rules/
 # If you are running any rules in your local.rules file, we need to
 # know about them to properly build a sid-msg.map that will contain your
 # local.rules metadata (msg) information.  You can specify other rules
 # files that are local to your system here by adding a comma and more paths...
 # remember that the FULL path must be specified for EACH value.
 # local_rules=/path/to/these.rules,/path/to/those.rules
 local_rules=/usr/local/etc/snort/rules/local.rules
 # Where should I put the sid-msg.map file?
 sid_msg=/usr/local/etc/snort/sid-msg.map
 # New for by2 and more advanced msg mapping.  Valid options are 1 or 2
 # specify version 2 if you are running barnyard2.2+.  Otherwise use 1
 sid_msg_version=1
 # Where do you want me to put the sid changelog?  This is a changelog 
 # that pulledpork maintains of all new sids that are imported
 sid_changelog=/var/log/sid_changes.log
 # this value is optional
 #######
 #######  The below section is for so_rule processing only.  If you don't
 #######  need to use them.. then comment this section out!
 #######  Alternately, if you are not using pulledpork to process 
 #######  so_rules, you can specify -T at runtime to bypass this altogether
 #######
 # What path you want the .so files to actually go to *i.e. where is it
 # defined in your snort.conf, needs a trailing slash
 sorule_path=/usr/local/lib/snort_dynamicrules/
 # Path to the snort binary, we need this to generate the stub files
 snort_path=/usr/local/bin/snort
 # We need to know where your snort.conf file lives so that we can
 # generate the stub files
 config_path=/usr/local/etc/snort/snort.conf
 ##### Deprecated - The stubs are now  categorically written to the  single rule file!
 # sostub_path=/usr/local/etc/snort/rules/so_rules.rules
 # Define your distro, this is for the precompiled shared object libs!
 # Valid Distro Types:
 # Debian-6-0, Ubuntu-10-4
 # Ubuntu-12-04, Centos-5-4
 # FC-12, FC-14, RHEL-5-5, RHEL-6-0
 # FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0
 # OpenBSD-5-2, OpenBSD-5-3
 # OpenSUSE-11-4, OpenSUSE-12-1
 # Slackware-13-1
 distro=FreeBSD-8-1
 #######  This next section is optional, but probably pretty useful to you.
 #######  Please read thoroughly!
 # If you are using IP Reputation and getting some public lists, you will probably
 # want to tell pulledpork where your blacklist file lives, PP automagically will
 # de-dupe any duplicate IPs from different sources.
 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
 # IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
 # the IP list can be reloaded while snort is running through the use of a control
 # socket.  Please be sure that you built snort with the following optins:
 # -enable-shared-rep and --enable-control-socket.  Be sure to read about how to
 # configure these!  The following option tells pulledpork where to place the version
 # file for use with control socket ip list reloads!
 # This should be the same path where your black_list lives!
 IPRVersion=/usr/local/etc/snort/rules/iplists
 # The following option tells snort where the snort_control tool is located.
 snort_control=/usr/local/bin/snort_control
 # What do you want to backup and archive?  This is a comma separated list
 # of file or directory values.  If a directory is specified, PP will recurse
 # through said directory and all subdirectories to archive all files.
 # The following example backs up all snort config files, rules, pulledpork
 # config files, and snort shared object binary rules.
 # backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
 # what path and filename should we use for the backup tarball?
 # note that an epoch time value and the .tgz extension is automatically added
 # to the backup_file name on completeion i.e. the written file is:
 # pp_backup.1295886020.tgz
 # backup_file=/tmp/pp_backup
 # Where do you want the signature docs to be copied, if this is commented 
 # out then they will not be copied / extracted.  Note that extracting them 
 # will add considerable runtime to pulledpork.
 # docs=/path/to/base/www
 # The following option, state_order, allows you to more finely control the order
 # that pulledpork performs the modify operations, specifically the enablesid
 # disablesid and dropsid functions.  An example use case here would be to
 # disable an entire category and later enable only a rule or two out of it.
 # the valid values are disable, drop, and enable.
 # state_order=disable,drop,enable
 # Define the path to the pid files of any running process that you want to
 # sent a signal (specified with -H option) after PP has completed its run.
 # pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
 # and so on...
 # pid_path=/var/run/snort_eth0.pid
 # This defines the version of snort that you are using, for use ONLY if the 
 # proper snort binary is not on the system that you are fetching the rules with
 # This value MUST contain all 4 minor version
 # numbers. ET rules are now also dependant on this, verify supported ET versions
 # prior to simply throwing rubbish in this variable kthx!
 #
 # Suricata users - set this to 'suricata-3.x.x' to process rule files
 # for suricata, this mimics the -S flag on the command line.
 # snort_version=2.9.0.0
 # Here you can specify what rule modification files to run automatically.
 # simply uncomment and specify the apt path.
 # enablesid=/usr/local/etc/snort/enablesid.conf
 # dropsid=/usr/local/etc/snort/dropsid.conf
 # disablesid=/usr/local/etc/snort/disablesid.conf
 # modifysid=/usr/local/etc/snort/modifysid.conf
 # What is the base ruleset that you want to use, please uncomment to use
 # and see the README.RULESETS for a description of the options.  
 # Note that setting this value will disable all ET rulesets if you are 
 # Running such rulesets
 # ips_policy=security
 ####### Remember, a number of these values are optional.. if you don't 
 ####### need to process so_rules, simply comment out the so_rule section
 ####### you can also specify -T at runtime to process only GID 1 rules.
 version=0.7.3