transition pcap

2025-12-06 09:12:45 +01:00 · 2024-03-11 12:20:28 -04:00
parent a55e04e64a
commit 907cf9f992
5 changed files with 16 additions and 13 deletions
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -1,7 +1,10 @@
-{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% if GLOBALS.pcap_engine == "TRANSITION" %}
-{% import 'bpf/macros.jinja' as MACROS %}
+{%   set PCAPBPF = "ip and host 255.255.255.1 and port 1" %}
-
+{% else %}
-{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
+{%   import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
-
+{%   set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
-{% set PCAPBPF = BPFMERGED.pcap %}
+{%   import 'bpf/macros.jinja' as MACROS %}
 {{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {%   set PCAPBPF = BPFMERGED.pcap %}
 {% endif %}
--- a/salt/global/soc_global.yaml
+++ b/salt/global/soc_global.yaml
@@ -15,9 +15,9 @@ global:
    regexFailureMessage: You must enter either ZEEK or SURICATA.
    global: True
  pcapengine:
-    description: Which engine to use for generating pcap. Options are STENO and SURICATA.
+    description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
-    regex: ^(STENO|SURICATA)$
+    regex: ^(STENO|SURICATA|TRANSITION)$
-    regexFailureMessage: You must enter either STENO or SURICATA.
+    regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
    global: True
  ids:
    description: Which IDS engine to use. Currently only Suricata is supported.
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -9,7 +9,7 @@
 {% set surimeta_filestore_index = [] %}
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
-{% if GLOBALS.pcap_engine == "SURICATA" %}
+{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
--- a/salt/suricata/pcap.sls
+++ b/salt/suricata/pcap.sls
@@ -11,7 +11,7 @@ suripcapdir:
    - mode: 775
    - makedirs: True
-{%   if GLOBALS.pcap_engine == "SURICATA" %}
+{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 {# there should only be 1 interface in af-packet so we can just reference the first list item #}
 {% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}
--- a/salt/telegraf/scripts/oldpcap.sh
+++ b/salt/telegraf/scripts/oldpcap.sh
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- if GLOBALS.pcap_engine == "SURICATA" %}
+{%- if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 PCAPLOC=/host/nsm/suripcap
 {%- else %}
 PCAPLOC=/host/nsm/pcap