From 1e73232b190be4e20319d31789ab6c13b234a8b5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Nov 2018 09:37:10 -0600 Subject: [PATCH 01/29] Setup Script - Change tmp location and delte key if its already there --- VERSION | 2 +- so-setup-network.sh | 29 ++++++++++++++++++++++++----- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/VERSION b/VERSION index 6d7de6e6a..21e8796a0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.0.2 +1.0.3 diff --git a/so-setup-network.sh b/so-setup-network.sh index 9a0e95645..4673518a1 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -35,8 +35,27 @@ accept_salt_key_local() { accept_salt_key_remote() { - # Accept the key remotely so the device can check in - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y + # See if the key is already there. If so nuke it. + GETKEYSACCEPTED=$(ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -l accepted) + GETKEYSREJECTED=$(ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -l rejected) + + if grep -q $HOSTNAME $GETKEYSACCEPTED; then + SKACPT=1 + else + SKACPT=0 + fi + if grep -q $HOSTNAME $GETKEYSREJECTED; then + SKRJCT=1 + else + SKRJCT=0 + fi + + if [ $SKACPT=1 ] || [ $SKRJCT=1 ]; then + ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y + else + # Accept the key remotely so the device can check in + ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y + fi } @@ -333,15 +352,15 @@ got_root() { install_cleanup() { # Clean up after ourselves - rm -rf ./installtmp + rm -rf /root/installtmp } install_prep() { # Create a tmp space that isn't in /tmp - mkdir ./installtmp - TMP=./installtmp + mkdir /root/installtmp + TMP=/root/installtmp } From eeddb27e4c6250be0c94c53c004a49d7d5e57a88 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Nov 2018 13:37:20 -0500 Subject: [PATCH 02/29] Setup Script - Fix Key Accept --- so-setup-network.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 4673518a1..a86ed8d3b 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -38,7 +38,9 @@ accept_salt_key_remote() { # See if the key is already there. If so nuke it. GETKEYSACCEPTED=$(ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -l accepted) GETKEYSREJECTED=$(ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -l rejected) - + echo "Seeing if the key exists" + echo $GETKEYSACCEPTED + echo $GETKEYSREJECTED if grep -q $HOSTNAME $GETKEYSACCEPTED; then SKACPT=1 else From f53a5450387d0bd606571a040afce20adff5634e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 10:09:09 -0500 Subject: [PATCH 03/29] Setup Script - Delete key then accept it --- so-setup-network.sh | 29 +++++------------------------ 1 file changed, 5 insertions(+), 24 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index a86ed8d3b..96b4f476b 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -35,30 +35,11 @@ accept_salt_key_local() { accept_salt_key_remote() { - # See if the key is already there. If so nuke it. - GETKEYSACCEPTED=$(ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -l accepted) - GETKEYSREJECTED=$(ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -l rejected) - echo "Seeing if the key exists" - echo $GETKEYSACCEPTED - echo $GETKEYSREJECTED - if grep -q $HOSTNAME $GETKEYSACCEPTED; then - SKACPT=1 - else - SKACPT=0 - fi - if grep -q $HOSTNAME $GETKEYSREJECTED; then - SKRJCT=1 - else - SKRJCT=0 - fi - - if [ $SKACPT=1 ] || [ $SKRJCT=1 ]; then - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y - else - # Accept the key remotely so the device can check in - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y - fi - + # Delete the key just in case. + ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y + salt-call state.apply ca + ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y + } add_master_hostfile() { From 74e2655ce53be63e7407251b0facfe80f480fcd7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 10:24:41 -0500 Subject: [PATCH 04/29] Setup Script - Turn down the volume --- so-setup-network.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 96b4f476b..5ba3324b5 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -36,10 +36,10 @@ accept_salt_key_local() { accept_salt_key_remote() { # Delete the key just in case. - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y + ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y salt-call state.apply ca - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y - + ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y + } add_master_hostfile() { @@ -688,14 +688,14 @@ set_initial_firewall_policy() { fi if [ $INSTALLTYPE == 'SENSORONLY' ]; then - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP + ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP + ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP fi if [ $INSTALLTYPE == 'STORAGENODE' ]; then - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh storage_nodes $MAINIP - ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $HOSTNAME $MAINIP + ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP + ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh storage_nodes $MAINIP + ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $HOSTNAME $MAINIP fi if [ $INSTALLTYPE == 'PARSINGNODE' ]; then From d52514f1f4ddf7c4f2a247c94c347b4a656e3e00 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 10:26:50 -0500 Subject: [PATCH 05/29] Setup Script - Filter out bond --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 5ba3324b5..d2a6491df 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -311,7 +311,7 @@ es_heapsize() { filter_nics() { # Filter the NICs that we don't want to see in setup - FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') + FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|bond|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') } From 5514742eed0b2359d197b03d2fbb31b9c59931ea Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 10:37:13 -0500 Subject: [PATCH 06/29] Setup Script - Setup Cleanup --- so-setup-network.sh | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index d2a6491df..6b7b6e851 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -158,13 +158,13 @@ create_bond() { if [ $OS == 'centos' ]; then modprobe --first-time bonding touch /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "DEVICE=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0 echo "NAME=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0 echo "Type=Bond" >> /etc/sysconfig/network-scripts/ifcfg-bond0 echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0 echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "ONBOOT=yes" + echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 # Create Bond configs for the selected monitor interface for BNIC in ${BNICS[@]}; do @@ -210,7 +210,6 @@ create_bond() { for BNIC in ${BNICS[@]}; do BNIC=$(echo $BNIC | cut -d\" -f2) - echo "" echo "auto $BNIC" >> /etc/network/interfaces.d/$BNIC echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC @@ -218,13 +217,12 @@ create_bond() { echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC - echo "" done BN=("${BNICS[@]//\"/}") - echo "auto bond0" >> /etc/network/interfaces.d/bond0 + echo "auto bond0" > /etc/network/interfaces.d/bond0 echo "iface bond0 inet manual" >> /etc/network/interfaces.d/bond0 echo " bond-mode 0" >> /etc/network/interfaces.d/bond0 echo " bond-slaves $BN" >> /etc/network/interfaces.d/bond0 @@ -650,12 +648,6 @@ sensor_pillar() { SPIN=$(echo $SPIN | cut -d\" -f2) echo " - $SPIN" >> $TMP/$HOSTNAME.sls done - #SP=("${SURIPINS[@]//\"/}") - #SPINS=${SP// /,} - #SCOUNT=${#SURIPINS[@]} - - #echo " suripins: $SPINS" >> $TMP/$HOSTNAME.sls - #echo " surithreads: $SCOUNT" else echo " bro_lbprocs: $BASICBRO" >> $TMP/$HOSTNAME.sls echo " suriprocs: $BASICSURI" >> $TMP/$HOSTNAME.sls From 513e11f8ecd527dd240c822b38462fdf82909539 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 10:38:21 -0500 Subject: [PATCH 07/29] Setup Script - Setup Cleanup --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 6b7b6e851..8070f1a6d 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -309,7 +309,7 @@ es_heapsize() { filter_nics() { # Filter the NICs that we don't want to see in setup - FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|bond|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') + FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') } From c935191d41cf8f37468bac95b11f4eabddc66e77 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 12:33:03 -0500 Subject: [PATCH 08/29] Update Script - Only sync the salt dir --- updatemaster.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/updatemaster.sh b/updatemaster.sh index be2209d41..76e85b878 100644 --- a/updatemaster.sh +++ b/updatemaster.sh @@ -5,9 +5,8 @@ mkdir /tmp/sogh cd /tmp/sogh git clone https://github.com/TOoSmOotH/securityonion-saltstack.git cd securityonion-saltstack -rsync -a pillar /opt/so/saltstack/ rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/ -chown -R socore:socore /opt/so +chown -R socore:socore /opt/so/saltstack/salt chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh cd ~ rm -rf /tmp/sogh From 22b93ed4b52114f3e773f1dd502e7e1cc84db7d3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 13:23:03 -0500 Subject: [PATCH 09/29] Suricata Module - Update location of container --- salt/suricata/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 94d01d175..22e753c67 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -67,7 +67,7 @@ suriconfigsync: so-suricata: docker_container.running: - - image: toosmooth/so-suricata:techpreview + - image: soshybridhunter/so-suricata:HH1.0.3 - privileged: True - environment: - INTERFACE={{ interface }} From ae331d0b231ae0f08cfaf5b23944a259b3e1a133 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 13:29:18 -0500 Subject: [PATCH 10/29] PCAP Module - Update PCAP location --- salt/pcap/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index f9b1a378d..9c227447b 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -73,7 +73,7 @@ stenolog: so-steno: docker_container.running: - - image: toosmooth/so-steno:techpreview + - image: soshybridhunter/so-steno:HH1.0.3 - network_mode: host - privileged: True - port_bindings: From 553e257dbfd0c127ebb2d45398381b8532785472 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 13:49:54 -0500 Subject: [PATCH 11/29] Setup Script - Install bind-utils --- so-setup-network.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 8070f1a6d..718ebd396 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -240,6 +240,7 @@ detect_os() { echo "Detecting Base OS" if [ -f /etc/redhat-release ]; then OS=centos + yum -y install bind-utils elif [ -f /etc/os-release ]; then OS=ubuntu else From 7effa9beb82da3423738b825d010e1290df5995e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Nov 2018 13:54:04 -0500 Subject: [PATCH 12/29] Readme - Change version --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 82a7e79f8..6a9baf34b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Security Onion Hybrid Hunter Tech Preview 1.0.2 +# Security Onion Hybrid Hunter Tech Preview 1.0.3 ### About Hybrid Hunter is a brand new Security Onion platform with the following characteristics: From 62d28942f8623dc32a9a3c3014c9bddac8371dbd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 08:59:16 -0500 Subject: [PATCH 13/29] Move docker location --- salt/bro/init.sls | 4 ++-- salt/common/init.sls | 2 +- salt/elasticsearch/init.sls | 4 ++-- salt/filebeat/init.sls | 2 +- salt/idstools/init.sls | 3 +-- salt/kibana/init.sls | 2 +- salt/logstash/init.sls | 2 +- salt/master/init.sls | 2 +- salt/redis/init.sls | 3 +-- 9 files changed, 11 insertions(+), 13 deletions(-) diff --git a/salt/bro/init.sls b/salt/bro/init.sls index b2ba614ad..0dcccf21f 100644 --- a/salt/bro/init.sls +++ b/salt/bro/init.sls @@ -65,7 +65,7 @@ localbrosync: so-bro: docker_container.running: - - image: toosmooth/so-communitybro:techpreview + - image: soshybridhunter/so-communitybro:HH1.0.3 - privileged: True - binds: - /nsm/bro/logs:/nsm/bro/logs:rw @@ -88,7 +88,7 @@ localbrosync: so-bro: docker_container.running: - - image: toosmooth/so-bro:techpreview + - image: soshybridhunter/so-bro:HH1.0.3 - privileged: True - binds: - /nsm/bro/logs:/nsm/bro/logs:rw diff --git a/salt/common/init.sls b/salt/common/init.sls index 954c5c1ba..f53ee8eeb 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -112,7 +112,7 @@ nginxtmp: # Start the core docker so-core: docker_container.running: - - image: toosmooth/so-core:techpreview + - image: soshybridhunter/so-core:HH1.0.3 - hostname: so-core - user: socore - binds: diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index c1503f534..16a3a60fb 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -95,9 +95,9 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: securityonionsolutions/so-elasticsearch:latest + - image: soshybridhunter/so-elasticsearch:HH1.0.3 - hostname: elasticsearch - - name: elasticsearch + - name: so-elasticsearch - user: elasticsearch - environment: - bootstrap.memory_lock=true diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 6fb65bd63..a9be46951 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -52,7 +52,7 @@ filebeatconfsync: so-filebeat: docker_container.running: - - image: toosmooth/so-filebeat:techpreview + - image: soshybridhunter/so-filebeat:HH1.0.3 - hostname: so-filebeat - user: root - extra_hosts: {{ MASTER }}:{{ MASTERIP }} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 11750a606..62a338769 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -53,10 +53,9 @@ toosmooth/so-idstools:test2: so-idstools: docker_container.running: - - image: toosmooth/so-idstools:test2 + - image: soshybridhunter/so-idstools:HH1.0.3 - hostname: so-idstools - user: socore - binds: - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro - /opt/so/rules/nids:/opt/so/rules/nids:rw - diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index edf5575f8..b4b641862 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -59,7 +59,7 @@ synckibanacustom: # Start the kibana docker so-kibana: docker_container.running: - - image: toosmooth/so-kibana:techpreview + - image: soshybridhunter/so-kibana:HH1.0.3 - hostname: kibana - user: kibana - environment: diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 442eced33..5b78fec4f 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -109,7 +109,7 @@ lslogdir: so-logstash: docker_container.running: - - image: toosmooth/so-logstash:HH1.0.2 + - image: soshybridhunter/so-logstash:HH1.0.3 - hostname: so-logstash - name: so-logstash - user: logstash diff --git a/salt/master/init.sls b/salt/master/init.sls index 1e37d54c9..8dd1fcae5 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -49,7 +49,7 @@ acngcopyconf: # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - - image: toosmooth/so-acng:techpreview + - image: soshybridhunter/so-acng:HH1.0.3 - hostname: so-acng - port_bindings: - 0.0.0.0:3142:3142 diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 1640ae6e6..81c47da93 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -49,7 +49,7 @@ toosmooth/so-redis:test2: so-redis: docker_container.running: - - image: toosmooth/so-redis:test2 + - image: soshybridhunter/so-redis:HH1.0.3 - hostname: so-redis - user: socore - port_bindings: @@ -59,4 +59,3 @@ so-redis: - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/working:/redis:rw - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - From a70b7ed3ded5f4d92e86f2d603febc5a1fa88cd7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 11:25:30 -0500 Subject: [PATCH 14/29] Suricata Meta Data Option --- exclude-list.txt | 1 - salt/filebeat/etc/filebeat.yml | 4 +- salt/suricata/files/suricataMETA.yaml | 1928 +++++++++++++++++++++++++ so-setup-network.sh | 3 +- 4 files changed, 1933 insertions(+), 3 deletions(-) create mode 100644 salt/suricata/files/suricataMETA.yaml diff --git a/exclude-list.txt b/exclude-list.txt index 1ca4cbe54..98efb2c36 100644 --- a/exclude-list.txt +++ b/exclude-list.txt @@ -1,3 +1,2 @@ salt/bro/files/local.bro salt/bro/files/local.bro.community -salt/suricata/suricata.yaml diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 15317921e..4dca9ff91 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -1,5 +1,6 @@ {%- set MASTER = grains['master'] %} {%- set HOSTNAME = salt['grains.get']('host', '') %} +{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} name: {{ HOSTNAME }} @@ -10,7 +11,7 @@ filebeat.modules: # List of prospectors to fetch data. filebeat.prospectors: #------------------------------ Log prospector -------------------------------- - +{%- if BROVER != SURICATA %} {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - type: log paths: @@ -23,6 +24,7 @@ filebeat.prospectors: close_removed: false {%- endfor %} +{%- endif %} - type: log paths: diff --git a/salt/suricata/files/suricataMETA.yaml b/salt/suricata/files/suricataMETA.yaml new file mode 100644 index 000000000..ff8860630 --- /dev/null +++ b/salt/suricata/files/suricataMETA.yaml @@ -0,0 +1,1928 @@ +%YAML 1.1 +--- +{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} +{%- if salt['pillar.get']('sensor:homenet') %} + {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %} +{%- else %} + {%- set homenet = salt['pillar.get']('static:hnmaster', '') %} +{%- endif %} +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html + +## +## Step 1: inform Suricata about your network +## + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[{{ homenet }}]" + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + +## +## Step 2: select outputs to enable +## + +# The default logging directory. Any log or output file will be +# placed here if its not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /var/log/suricata/ + +# global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls at what interval + # the loggers are invoked. + interval: 8 + # Add decode events as stats. + #decoder-events: true + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: no + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + rotate-interval: hour + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # Community Flow ID + # Adds a 'community_id' field to EVE records. These are meant to give + # a records a predictable flow id that can be used to match records to + # output of other tools such as Bro. + # + # Takes a 'seed' that needs to be same across sensors and tools + # to make the id less predictable. + + # enable/disable the community id feature. + community-id: false + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: no + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + # Note: version 1 is not available with rust enabled + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + #- dnp3 + - nfs + - smb + - tftp + - ikev2 + - krb5 + - dhcp: + # DHCP logging requires Rust. + enabled: yes + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + extended: no + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata + + # alert output for use with Barnyard2 + - unified2-alert: + enabled: no + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + #limit: 32mb + + # By default unified2 log files have the file creation time (in + # unix epoch format) appended to the filename. Set this to yes to + # disable this behaviour. + #nostamp: no + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # Include payload of packets related to alerts. Defaults to true, set to + # false if payload is not required. + #payload: yes + + # HTTP X-Forwarded-For support by adding the unified2 extra header or + # overwriting the source or destination IP address (depending on flow + # direction) with the one reported in the X-Forwarded-For HTTP header. + # This is helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: no + filename: http.log + append: yes + #extended: yes # enable this for extended logging information + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: yes + #extended: yes # Log extended information like fingerprint + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # a line based log of DNS requests and/or replies (no alerts) + # Note: not available when Rust is enabled (--enable-rust). + - dns-log: + enabled: no + filename: dns.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Packet log... log packets in pcap format. 3 modes of operation: "normal" + # "multi" and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000mb files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # In Sguil mode "dir" indicates the base directory. In this base dir the + # pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + # Compression algorithm for pcap files. Possible values: none, lz4. + # Enabling compression is incompatible with the sguil mode. Note also + # that on Windows, enabling compression will *increase* disk I/O. + compression: none + + # Further options for lz4 compression. The compression level can be set + # to a value between 0 and 16, where higher values result in higher + # compression. + #lz4-checksum: no + #lz4-level: 0 + + mode: normal # normal, multi or sguil. + + # Directory to place pcap files. If not provided the default log + # directory will be used. Required for "sguil" mode. + #dir: /nsm_data/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (http://www.prelude-technologies.com/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + + # Stats.log contains data from various counters of the Suricata engine. + - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # a line based information for dropped packets in IPS mode + - drop: + enabled: no + filename: drop.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Output module for storing files on disk. Files are stored in a + # directory names consisting of the first 2 characters of the + # SHA256 of the file. Each file is given its SHA256 as a filename. + # + # When a duplicate file is found, the existing file is touched to + # have its timestamps updated. + # + # Unlike the older filestore, metadata is not written out by default + # as each file should already have a "fileinfo" record in the + # eve.log. If write-fileinfo is set to yes, the each file will have + # one more associated .json files that consists of the fileinfo + # record. A fileinfo file will be written for each occurrence of the + # file seen using a filename suffix to ensure uniqueness. + # + # To prune the filestore directory see the "suricatactl filestore + # prune" command which can delete files over a certain age. + - file-store: + version: 2 + enabled: no + + # Set the directory for the filestore. If the path is not + # absolute will be be relative to the default-log-dir. + #dir: filestore + + # Write out a fileinfo record for each occurrence of a + # file. Disabled by default as each occurrence is already logged + # as a fileinfo record to the main eve-log. + #write-fileinfo: yes + + # Force storing of all files. Default: no. + #force-filestore: yes + + # Override the global stream-depth for sessions in which we want + # to perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + + # Uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + + # Force logging of checksums, available hash functions are md5, + # sha1 and sha256. Note that SHA256 is automatically forced by + # the use of this output module as it uses the SHA256 as the + # file naming scheme. + #force-hash: [sha1, md5] + # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # output module to store extracted files to disk (old style, deprecated) + # + # The files are stored to the log-dir in a format "file." where is + # an incrementing number starting at 1. For each file "file." a meta + # file "file..meta" is created. Before they are finalized, they will + # have a ".tmp" suffix to indicate that they are still being processed. + # + # If include-pid is yes, then the files are instead "file..", with + # meta files named as "file...meta" + # + # File extraction depends on a lot of things to be fully done: + # - file-store stream-depth. For optimal results, set this to 0 (unlimited) + # - http request / response body sizes. Again set to 0 for optimal results. + # - rules that contain the "filestore" keyword. + - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + force-filestore: no # force storing of all files + # override global stream-depth for sessions in which we want to + # perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + #waldo: file.waldo # waldo file to store the file_id across runs + # uncomment to disable meta file writing + #write-meta: no + # uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + include-pid: no # set to yes to include pid in file names + + # output module to log files tracked in a easily parsable JSON format + - file-log: + enabled: no + filename: files-json.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + + # Log TCP data after stream normalization + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per TCP session and stores the raw TCP data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by stream.depth + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, dechunking and unzipping. + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per HTTP session and stores the normalized data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://suricata.readthedocs.io/en/latest/output/lua-output.html + - lua: + enabled: no + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overridden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This value is overridden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overridden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: /var/log/suricata/suricata.log + # type: json + - syslog: + enabled: no + +## +## Step 4: configure common capture settings +## +## See "Advanced Capture Options" below for more options, including NETMAP +## and PF_RING. +## + +# Linux high speed capture support +af-packet: + - interface: {{ interface }} + # Number of receive threads. "auto" uses the number of cores + #threads: auto + # Default clusterid. AF_PACKET will load balance packets based on flow. + cluster-id: 59 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. + # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_round_robin: round robin load balancing + # * cluster_flow: all packets of a given flow are send to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same + # socket. Requires at least Linux 3.14. + # * cluster_random: packets are sent randomly to sockets but with an equipartition. + # Requires at least Linux 3.14. + # * cluster_rollover: kernel rotates between sockets filling each socket before moving + # to the next. Requires at least Linux 3.10. + # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture/ebpf-xdt.rst for + # more info. + # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system + # with capture card using RSS (require cpu affinity tuning and system irq tuning) + cluster-type: cluster_flow + # In some fragmentation case, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes + # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is + # full then kernel will send the packet on the next socket with room available. This option + # can minimize packet drop and increase the treated bandwidth on single intensive flow. + #rollover: yes + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + #use-mmap: yes + # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock + # your system + #mmap-locked: yes + # Use tpacket_v3 capture mode, only active if use-mmap is true + # Don't use it in IPS or TAP mode as it causes severe latency + #tpacket-v3: yes + # Ring size will be computed with respect to max_pending_packets and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. If you are using flow cluster-type and have really network + # intensive single-flow you could want to set the ring-size independently of the number + # of threads: + #ring-size: 2048 + # Block size is used by tpacket_v3 only. It should set to a value high enough to contain + # a decent number of packets. Size is in bytes so please consider your MTU. It should be + # a power of 2 and it must be multiple of page size (usually 4096). + #block-size: 32768 + # tpacket_v3 block timeout: an open block is passed to userspace if it is not + # filled after block-timeout milliseconds. + #block-timeout: 10 + # On busy system, this could help to set it to yes to recover from a packet drop + # phase. This will result in some packets (at max a ring flush) being non treated. + #use-emergency-flush: yes + # recv buffer size, increase value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + #copy-mode: ips + #copy-iface: eth1 + # For eBPF and XDP setup including bypass, filter and load balancing, please + # see doc/userguide/capture/ebpf-xdt.rst for more info. + + # Put default values here. These will be used for an interface that is not + # in the list above. + - interface: default + #threads: auto + #use-mmap: no + #rollover: yes + #tpacket-v3: yes + +# Cross platform libpcap capture support +pcap: + - interface: eth0 + # On Linux, pcap will try to use mmaped capture and will use buffer-size + # as total of memory used by the ring. So set this to something bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: no + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + +# Settings for reading pcap files +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# See "Advanced Capture Options" below for more options, including NETMAP +# and PF_RING. + + +## +## Step 5: App Layer Protocol Configuration +## + +# Configure the app-layer parsers. The protocols section details each +# protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + protocols: + krb5: + enabled: yes + ikev2: + enabled: yes + tls: + enabled: yes + detection-ports: + dp: 443 + + # Generate JA3 fingerprint from client hello + ja3-fingerprints: yes + + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + #encrypt-handling: default + + dcerpc: + enabled: yes + ftp: + enabled: yes + # memcap: 64mb + ssh: + enabled: yes + smtp: + enabled: yes + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supercedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: no + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + msn: + enabled: detection-only + # Note: --enable-rust is required for full SMB1/2 support. W/o rust + # only minimal SMB1 support is available. + smb: + enabled: yes + detection-ports: + dp: 139, 445 + + # Stream reassembly size for SMB streams. By default track it completely. + #stream-depth: 0 + + # Note: NFS parser depends on Rust support: pass --enable-rust + # to configure. + nfs: + enabled: yes + tftp: + enabled: yes + dns: + # memcaps. Globally and per flow/state. + #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. + #request-flood: 500 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: 64mb + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # response-body-decompress-layer-limit: + # Limit to how many layers of compression will be + # decompressed. Defaults to 2. + # + # server-config: List of server configurations to use if address matches + # address: List of IP addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # uri-include-all: Include all parts of the URI. By default the + # 'scheme', username/password, hostname and port + # are excluded. Setting this option to true adds + # all of them to the normalized uri as inspected + # by http_uri, urilen, pcre with /U and the other + # keywords that inspect the normalized uri. + # Note that this does not affect http_raw_uri. + # Also, note that including all was the default in + # 1.4 and 2.0beta1. + # + # meta-field-limit: Hard size limit for request and response size + # limits. Applies to request line and headers, + # response line and headers. Does not apply to + # request or response bodies. Default is 18k. + # If this limit is reached an event is raised. + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Decompress SWF files. + # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: yes + type: both + compress-depth: 0 + decompress-depth: 0 + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: no + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: no + detection-ports: + dp: 44818 + sp: 44818 + + # Note: parser depends on Rust support + ntp: + enabled: yes + + dhcp: + enabled: yes + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run suricata as user and group. +#run-as: +# user: suri +# group: suri + +# Some logging module will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default location of the pid file. The pid file is only used in +# daemon mode (start Suricata with -D). If not running in daemon mode +# the --pidfile command line option must be used to create a pid file. +#pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Umask. +# Suricata will use this umask if it is provided. By default it will use the +# umask passed on by the shell. +#umask: 022 + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If Suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned +# load balancing). +#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow allocated using the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# Unix command socket can be used to pass commands to Suricata. +# An external tool can then connect to get information from Suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. In auto mode, the feature will only be +# activated in live capture mode. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: auto + #filename: custom.socket + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +#magic-file: + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# pruning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doesn't find a flow to prune, it will set +# the emergency bit and it will try again with more aggressive timeouts. +# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. + +flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a handshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). "bypassed" +# timeout controls locally bypassed flows. For these flows we don't do any other +# tracking. If no packets have been seen after this timeout, the flow is discarded. +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packet with invalid csum will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated traffic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# bypass: no # Bypass packets when stream.depth is reached +# +# reassembly: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lower the risk of some evasion technics but could lead +# # detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size +# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same +# # calculation for toclient-chunk-size. +# # Default value of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# segment-prealloc: 2048 # number of segments preallocated per thread +# +# check-overlap-different-data: true|false +# # check if a segment contains different data +# # than what we've already seen for that +# # position in the stream. +# # This is enabled automatically if inline mode +# # is used or when stream-event:reassembly_overlap_different_data; +# # is used in a rule. +# +stream: + memcap: 64mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. +# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + +# Decoder settings + +decoder: + # Teredo decoder is known to not be completely accurate + # it will sometimes detect non-teredo as teredo. + teredo: + enabled: true + + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. + # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. +# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. + +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: yes + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. + # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + {%- if salt['pillar.get']('sensor:suriprocs') %} + cpu-affinity: + - management-cpu-set: + cpu: [ all ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ all ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + threads: {{ salt['pillar.get']('sensor:suriprocs') }} + prio: + default: "medium" + {% endif %} + + {%- if salt['pillar.get']('sensor:suripins') %} + cpu-affinity: + - management-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + threads: {{ salt['pillar.get']('sensor:suripins')|length }} + prio: + default: "high" + {% endif %} + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + +# Luajit has a strange memory requirement, it's 'states' need to be in the +# first 2G of the process' memory. +# +# 'luajit.states' is used to control how many states are preallocated. +# State use: per detect script: 1 per detect thread. Per output script: 1 per +# script. +luajit: + states: 128 + +# Profiling settings. Only effective if Suricata has been built with the +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + # If commented out all the sort options will be used. + #sort: avgticks + + # Limit the number of sids for which stats are shown at exit (per sort). + limit: 10 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + prefilter: + enabled: yes + filename: prefilter_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. + locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + +## +## Netfilter integration +## + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permit to do send all needed packet to Suricata via this a rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want packet to be sent to another queue after an ACCEPT decision +# set mode to 'route' and set next-queue value. +# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if Suricata is not able to keep pace. +# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is +# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask +# on packet of a flow that need to be bypassed. The Nefilter ruleset has to +# directly accept all packets of a flow once a packet has been marked. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# bypass-mark: 1 +# bypass-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +## +## Advanced Capture Options +## + +# general settings affecting packet capture +capture: + # disable NIC offloading. It's restored when Suricata exits. + # Enabled by default. + #disable-offloading: false + # + # disable checksum validation. Same as setting '-k none' on the + # commandline. + #checksum-validation: none + +# Netmap support +# +# Netmap operates with NIC directly in driver, so you need FreeBSD which have +# built-in netmap support or compile and install netmap module and appropriate +# NIC driver on your Linux system. +# To reach maximum throughput disable all receive-, segmentation-, +# checksum- offloadings on NIC. +# Disabling Tx checksum offloading is *required* for connecting OS endpoint +# with NIC endpoint. +# You can find more information at https://github.com/luigirizzo/netmap +# +netmap: + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: eth2 + # Number of receive threads. "auto" uses number of RSS queues on interface. + #threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + #copy-mode: tap + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + # Put default values here + - interface: default + +# PF_RING configuration. for use with native PF_RING support +# for more info see http://www.ntop.org/products/pf_ring/ +pfring: + - interface: eth0 + # Number of receive threads. If set to 'auto' Suricata will first try + # to use CPU (core) count and otherwise RSS queue count. + threads: auto + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow. + # Possible values are cluster_flow or cluster_round_robin. + cluster-type: cluster_flow + + # bpf filter for this interface + #bpf-filter: tcp + + # If bypass is set then the PF_RING hw bypass is activated, when supported + # by the interface in use. Suricata will instruct the interface to bypass + # all future packets for a flow that need to be bypassed. + #bypass: yes + + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + +# For FreeBSD ipfw(8) divert(4) support. +# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# in /etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# The 8000 above should be the same number you passed on the command +# line, i.e. -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + +napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + # This may be enabled when sharing streams with another application. + # Otherwise, it should be turned off. + hba: -1 + + # use_all_streams set to "yes" will query the Napatech service for all configured + # streams and listen on all of them. When set to "no" the streams config array + # will be used. + use-all-streams: yes + + # The streams to listen on. This can be either: + # a list of individual streams (e.g. streams: [0,1,2,3]) + # or + # a range of streams (e.g. streams: ["0-3"]) + streams: ["0-3"] + +# Tilera mpipe configuration. for use on Tilera TILE-Gx. +mpipe: + + # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". + load-balance: dynamic + + # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 + iqueue-packets: 2048 + + # List of interfaces we will listen on. + inputs: + - interface: xgbe2 + - interface: xgbe3 + - interface: xgbe4 + + + # Relative weight of memory for packets of each mPipe buffer size. + stack: + size128: 0 + size256: 9 + size512: 0 + size1024: 0 + size1664: 7 + size4096: 0 + size10386: 0 + size16384: 0 + +## +## Configure Suricata to load Suricata-Update managed rules. +## +## If this section is completely commented out move down to the "Advanced rule +## file configuration". +## + +default-rule-path: /etc/suricata/rules +rule-files: + - all.rules + +## +## Advanced rule file configuration. +## +## If this section is completely commented out then your configuration +## is setup for suricata-update as it was most likely bundled and +## installed with Suricata. +## + +#default-rule-path: /var/lib/suricata/rules + +#rule-files: +# - botcc.rules +# # - botcc.portgrouped.rules +# - ciarmy.rules +# - compromised.rules +# - drop.rules +# - dshield.rules +## - emerging-activex.rules +# - emerging-attack_response.rules +# - emerging-chat.rules +# - emerging-current_events.rules +# - emerging-dns.rules +# - emerging-dos.rules +# - emerging-exploit.rules +# - emerging-ftp.rules +## - emerging-games.rules +## - emerging-icmp_info.rules +## - emerging-icmp.rules +# - emerging-imap.rules +## - emerging-inappropriate.rules +## - emerging-info.rules +# - emerging-malware.rules +# - emerging-misc.rules +# - emerging-mobile_malware.rules +# - emerging-netbios.rules +# - emerging-p2p.rules +# - emerging-policy.rules +# - emerging-pop3.rules +# - emerging-rpc.rules +## - emerging-scada.rules +## - emerging-scada_special.rules +# - emerging-scan.rules +## - emerging-shellcode.rules +# - emerging-smtp.rules +# - emerging-snmp.rules +# - emerging-sql.rules +# - emerging-telnet.rules +# - emerging-tftp.rules +# - emerging-trojan.rules +# - emerging-user_agents.rules +# - emerging-voip.rules +# - emerging-web_client.rules +# - emerging-web_server.rules +## - emerging-web_specific_apps.rules +# - emerging-worm.rules +# - tor.rules +## - decoder-events.rules # available in suricata sources under rules dir +## - stream-events.rules # available in suricata sources under rules dir +# - http-events.rules # available in suricata sources under rules dir +# - smtp-events.rules # available in suricata sources under rules dir +# - dns-events.rules # available in suricata sources under rules dir +# - tls-events.rules # available in suricata sources under rules dir +## - modbus-events.rules # available in suricata sources under rules dir +## - app-layer-events.rules # available in suricata sources under rules dir +## - dnp3-events.rules # available in suricata sources under rules dir +## - ntp-events.rules # available in suricata sources under rules dir +## - ipsec-events.rules # available in suricata sources under rules dir +## - kerberos-events.rules # available in suricata sources under rules dir + +## +## Auxiliary configuration files. +## + +classification-file: /etc/suricata/classification.config +reference-config-file: /etc/suricata/reference.config +# threshold-file: /etc/suricata/threshold.config + +## +## Include other configs +## + +# Includes. Files included here will be handled as if they were +# inlined in this configuration file. +#include: include1.yaml +#include: include2.yaml diff --git a/so-setup-network.sh b/so-setup-network.sh index 718ebd396..817e87ab9 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -786,7 +786,8 @@ whiptail_bro_pins() { whiptail_bro_version() { - BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "Which version of Bro would you like to use?" 20 78 4 "COMMUNITY" "Install Community Bro" ON "ZEEK" "Install Zeek" OFF 3>&1 1>&2 2>&3) + BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 78 4 "COMMUNITY" "Install Community Bro" ON \ + "ZEEK" "Install Zeek" OFF "SURICATA" "SUPER EXPERIMENTAL" OFF 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 2a300263e193224fd03887b6ee71c4ab27e7e365 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 13:40:25 -0500 Subject: [PATCH 15/29] Added Watch Statements --- salt/bro/init.sls | 9 +++++++++ salt/common/init.sls | 2 ++ salt/filebeat/init.sls | 2 ++ salt/suricata/init.sls | 8 ++++++++ salt/top.sls | 3 +++ 5 files changed, 24 insertions(+) diff --git a/salt/bro/init.sls b/salt/bro/init.sls index 0dcccf21f..41a89a94b 100644 --- a/salt/bro/init.sls +++ b/salt/bro/init.sls @@ -76,6 +76,10 @@ so-bro: - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw - network_mode: host + - watch: + - file: /opt/so/conf/bro/local.bro + - file: /opt/so/conf/bro/node.cfg + - file: /opt/so/conf/bro/policy/* {% else %} localbrosync: @@ -99,5 +103,10 @@ so-bro: - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw - network_mode: host + - watch: + - file: /opt/so/conf/bro/local.bro + - file: /opt/so/conf/bro/node.cfg + - file: /opt/so/conf/bro/policy/* + {% endif %} diff --git a/salt/common/init.sls b/salt/common/init.sls index f53ee8eeb..6f15c3647 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -127,3 +127,5 @@ so-core: - port_bindings: - 80:80 - 443:443 + - watch: + - file: /opt/so/conf/nginx/nginx.conf diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index a9be46951..be829bfb1 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -64,3 +64,5 @@ so-filebeat: - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro + - watch: + - file: /opt/so/conf/filebeat/etc/filebeat.yml diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 22e753c67..f41ba5069 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -14,6 +14,7 @@ # along with this program. If not, see . {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} +{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} # Suricata @@ -60,7 +61,11 @@ surirulesync: suriconfigsync: file.managed: - name: /opt/so/conf/suricata/suricata.yaml + {%- if BROVER != SURICATA %} - source: salt://suricata/files/suricata.yaml + {%- else %} + - source: salt://suricata/files/suricataMETA.yaml + {%- endif %} - user: 940 - group: 940 - template: jinja @@ -76,3 +81,6 @@ so-suricata: - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw - network_mode: host + - watch: + - file: /opt/so/conf/suricata/suricata.yaml + - file: /opt/so/conf/rules/all.rules diff --git a/salt/top.sls b/salt/top.sls index 23878e70e..f7ea450ac 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -1,3 +1,4 @@ +{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} base: 'G@role:so-sensor': - ssl @@ -5,7 +6,9 @@ base: - firewall - pcap - suricata + {%- if BROVER != SURICATA %} - bro + {%- endif %} - filebeat 'G@role:so-eval': From 2360555b5ce55c1f1dbcdf96bf891aaf71ef0881 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 13:50:42 -0500 Subject: [PATCH 16/29] Fix Jinja in top.sls --- salt/top.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/top.sls b/salt/top.sls index f7ea450ac..571558a75 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -6,7 +6,7 @@ base: - firewall - pcap - suricata - {%- if BROVER != SURICATA %} + {%- if BROVER != 'SURICATA' %} - bro {%- endif %} - filebeat From 7a3f56da9797981e600d407a8c36be863e8ca433 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 13:53:13 -0500 Subject: [PATCH 17/29] Suricata Module - Fix Jinja --- salt/suricata/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index f41ba5069..d9f67b172 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -61,7 +61,7 @@ surirulesync: suriconfigsync: file.managed: - name: /opt/so/conf/suricata/suricata.yaml - {%- if BROVER != SURICATA %} + {%- if BROVER != 'SURICATA' %} - source: salt://suricata/files/suricata.yaml {%- else %} - source: salt://suricata/files/suricataMETA.yaml From 0a3c20fccf99878229e7a42ced02211657bdf72e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 14:10:21 -0500 Subject: [PATCH 18/29] Suricata Module - Fix Jinja --- salt/filebeat/etc/filebeat.yml | 2 +- salt/suricata/files/suricataMETA.yaml | 2 -- salt/suricata/init.sls | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 4dca9ff91..8b4520a3a 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -11,7 +11,7 @@ filebeat.modules: # List of prospectors to fetch data. filebeat.prospectors: #------------------------------ Log prospector -------------------------------- -{%- if BROVER != SURICATA %} +{%- if BROVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - type: log paths: diff --git a/salt/suricata/files/suricataMETA.yaml b/salt/suricata/files/suricataMETA.yaml index ff8860630..df6aa878a 100644 --- a/salt/suricata/files/suricataMETA.yaml +++ b/salt/suricata/files/suricataMETA.yaml @@ -280,7 +280,6 @@ outputs: append: yes #extended: yes # enable this for extended logging information #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # a line based log of TLS handshake parameters (no alerts) @@ -290,7 +289,6 @@ outputs: append: yes #extended: yes # Log extended information like fingerprint #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # output TLS transaction where the session is resumed using a # session id diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index d9f67b172..90ce29e4a 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -83,4 +83,4 @@ so-suricata: - network_mode: host - watch: - file: /opt/so/conf/suricata/suricata.yaml - - file: /opt/so/conf/rules/all.rules + - file: /opt/so/conf/suricata/rules/all.rules From 2cdd5c5ddf46bd71c8b8635c8512d791e385ba79 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 14:17:39 -0500 Subject: [PATCH 19/29] Suricata Module - Fix watch --- salt/filebeat/init.sls | 2 +- salt/suricata/init.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index be829bfb1..251274606 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -65,4 +65,4 @@ so-filebeat: - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro - watch: - - file: /opt/so/conf/filebeat/etc/filebeat.yml + - file: /opt/so/conf/filebeat/etc diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 90ce29e4a..8024a1807 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -83,4 +83,4 @@ so-suricata: - network_mode: host - watch: - file: /opt/so/conf/suricata/suricata.yaml - - file: /opt/so/conf/suricata/rules/all.rules + - file: /opt/so/conf/suricata/rules/ From 7853a6dfebf63757f62dc547be8a17d6dd263694 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 14:19:30 -0500 Subject: [PATCH 20/29] Bro Module - Fix watch --- salt/bro/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/bro/init.sls b/salt/bro/init.sls index 41a89a94b..93a81069e 100644 --- a/salt/bro/init.sls +++ b/salt/bro/init.sls @@ -79,7 +79,7 @@ so-bro: - watch: - file: /opt/so/conf/bro/local.bro - file: /opt/so/conf/bro/node.cfg - - file: /opt/so/conf/bro/policy/* + - file: /opt/so/conf/bro/policy {% else %} localbrosync: @@ -106,7 +106,7 @@ so-bro: - watch: - file: /opt/so/conf/bro/local.bro - file: /opt/so/conf/bro/node.cfg - - file: /opt/so/conf/bro/policy/* + - file: /opt/so/conf/bro/policy {% endif %} From b88a9b57692e3209f632323f6e121ac2e233a751 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 14:41:07 -0500 Subject: [PATCH 21/29] Logstash Module - Wes Mods --- salt/logstash/conf/conf.enabled.txt.parser | 2 +- .../Drop.Your.Custom.Parsers.Here.conf | 0 .../Drop.Your.Custom.Templates.Here.conf | 2 ++ salt/logstash/init.sls | 16 ++++++++++++++++ 4 files changed, 19 insertions(+), 1 deletion(-) rename salt/logstash/files/custom/{ => parsers}/Drop.Your.Custom.Parsers.Here.conf (100%) create mode 100644 salt/logstash/files/custom/templates/Drop.Your.Custom.Templates.Here.conf diff --git a/salt/logstash/conf/conf.enabled.txt.parser b/salt/logstash/conf/conf.enabled.txt.parser index d71f4d651..a34b39c5f 100644 --- a/salt/logstash/conf/conf.enabled.txt.parser +++ b/salt/logstash/conf/conf.enabled.txt.parser @@ -81,4 +81,4 @@ /usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf /usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf /usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf -/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf \ No newline at end of file +/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf diff --git a/salt/logstash/files/custom/Drop.Your.Custom.Parsers.Here.conf b/salt/logstash/files/custom/parsers/Drop.Your.Custom.Parsers.Here.conf similarity index 100% rename from salt/logstash/files/custom/Drop.Your.Custom.Parsers.Here.conf rename to salt/logstash/files/custom/parsers/Drop.Your.Custom.Parsers.Here.conf diff --git a/salt/logstash/files/custom/templates/Drop.Your.Custom.Templates.Here.conf b/salt/logstash/files/custom/templates/Drop.Your.Custom.Templates.Here.conf new file mode 100644 index 000000000..9ee9e27b5 --- /dev/null +++ b/salt/logstash/files/custom/templates/Drop.Your.Custom.Templates.Here.conf @@ -0,0 +1,2 @@ +# Reference /usr/share/logstash/pipeline.custom/templates/YOURTEMPLATE.json +# diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 5b78fec4f..ee8aa8c62 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -63,6 +63,20 @@ lscustdir: - group: 939 - makedirs: True +lscustparserdir: + file.directory: + - name: /opt/so/conf/logstash/custom/parsers + - user: 931 + - group: 939 + - makedirs: True + +lscusttemplatedir: + file.directory: + - name: /opt/so/conf/logstash/custom/templates + - user: 931 + - group: 939 + - makedirs: True + # Copy down all the configs including custom - TODO add watch restart lssync: file.recurse: @@ -145,3 +159,5 @@ so-logstash: - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro {%- endif %} + - watch: + - file: /opt/so/conf/logstash From 034a0ed7b2c5b9dfce869ad6c92177f932ea371b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Nov 2018 15:27:38 -0500 Subject: [PATCH 22/29] Logstash Module - Fix formatting --- salt/logstash/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index ee8aa8c62..e7b05f81d 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -159,5 +159,5 @@ so-logstash: - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro {%- endif %} - - watch: - - file: /opt/so/conf/logstash + - watch: + - file: /opt/so/conf/logstash From 2e9fe9a1061992006238f66f99e886f3fe8657e1 Mon Sep 17 00:00:00 2001 From: Dustin Lee Date: Tue, 13 Nov 2018 18:18:39 -0500 Subject: [PATCH 23/29] Define bond0 interface for steno --- salt/pcap/files/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/files/config b/salt/pcap/files/config index 4e3994e12..422c46bde 100644 --- a/salt/pcap/files/config +++ b/salt/pcap/files/config @@ -1,4 +1,4 @@ -{%- set interface = salt['pillar.get']('sensor:interface', '') %} +{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} { "Threads": [ { "PacketsDirectory": "/nsm/pcap" From ca627994ab0dc79a96065dad2e4e6ae1c4b4909a Mon Sep 17 00:00:00 2001 From: Dustin Lee Date: Tue, 13 Nov 2018 18:36:57 -0500 Subject: [PATCH 24/29] Check for socore in /etc/sudoers prior to append Related to Issue #42 --- so-setup-network.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 817e87ab9..0d93bba0c 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -741,10 +741,14 @@ set_updates() { update_sudoers() { - # Update Sudoers so that socore can accept keys without a password - echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers - echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | sudo tee -a /etc/sudoers - echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | sudo tee -a /etc/sudoers + if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then + # Update Sudoers so that socore can accept keys without a password + echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers + echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | sudo tee -a /etc/sudoers + echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | sudo tee -a /etc/sudoers + else + echo "User socore already granted sudo privileges" + fi } From 85bc764ad6b07b6a7b245743984a46f43caffd22 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Nov 2018 08:21:04 -0500 Subject: [PATCH 25/29] Suricata Module - Turn off stats in eve.log --- salt/suricata/files/suricataMETA.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/suricata/files/suricataMETA.yaml b/salt/suricata/files/suricataMETA.yaml index df6aa878a..b064acd8e 100644 --- a/salt/suricata/files/suricataMETA.yaml +++ b/salt/suricata/files/suricataMETA.yaml @@ -217,10 +217,10 @@ outputs: # to an IP address is logged. extended: no - ssh - - stats: - totals: yes # stats for all threads merged together - threads: no # per thread stats - deltas: no # include delta values + #- stats: + # totals: yes # stats for all threads merged together + # threads: no # per thread stats + # deltas: no # include delta values # bi-directional flows - flow # uni-directional flows From 799c08900b9147ef8970e4a56f4751fe314b2564 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Nov 2018 10:11:28 -0500 Subject: [PATCH 26/29] ElasticSearch Module - enable HH docker repo --- salt/elasticsearch/init.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 16a3a60fb..4baf68e60 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -148,7 +148,7 @@ freqlogdir: so-freq: docker_container.running: - - image: securityonionsolutions/so-freqserver + - image: soshybridhunter/so-freqserver:HH1.0.3 - hostname: freqserver - user: freqserver - binds: @@ -183,7 +183,7 @@ dstatslogdir: so-domainstats: docker_container.running: - - image: securityonionsolutions/so-domainstats + - image: soshybridhunter/so-domainstats:HH1.0.3 - hostname: domainstats - name: domainstats - user: domainstats @@ -248,7 +248,7 @@ curconf: so-curator: docker_container.running: - - image: securityonionsolutions/so-curator + - image: soshybridhunter/so-curator:HH1.0.3 - hostname: curator - name: curator - user: curator @@ -309,7 +309,7 @@ elastaconf: so-elastalert: docker_container.running: - - image: securityonionsolutions/so-elastalert + - image: soshybridhunter/so-elastalert:HH1.0.3 - hostname: elastalert - name: elastalert - user: elastalert From 3609bef0a167bd4678686bd4ed0e5d3471d6a595 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Nov 2018 11:03:28 -0500 Subject: [PATCH 27/29] Kibana Module - Change default Index for Eval --- salt/kibana/etc/config.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/kibana/etc/config.json b/salt/kibana/etc/config.json index 5088f6b2b..e627641df 100644 --- a/salt/kibana/etc/config.json +++ b/salt/kibana/etc/config.json @@ -1,6 +1,10 @@ { "attributes": { - "defaultIndex": "*:logstash-*", + {%- if grains['role'] == 'so-eval' %} + "defaultIndex": "logstash-*", + {%- else %} + "defaultIndex": "*:logstash-*", + {%- endif %} "discover:sampleSize":"10", "dashboard:defaultDarkTheme":true, "timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}" From adf00c6357ca885e61c081b199630b4bce5e4d70 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Nov 2018 13:09:46 -0500 Subject: [PATCH 28/29] Kibana Module - Change default Index for Eval --- salt/kibana/etc/config.json | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/salt/kibana/etc/config.json b/salt/kibana/etc/config.json index e627641df..89cb1dcf5 100644 --- a/salt/kibana/etc/config.json +++ b/salt/kibana/etc/config.json @@ -1,11 +1,7 @@ { "attributes": { - {%- if grains['role'] == 'so-eval' %} - "defaultIndex": "logstash-*", - {%- else %} - "defaultIndex": "*:logstash-*", - {%- endif %} - "discover:sampleSize":"10", + "defaultIndex": "*:logstash-*", + "discover:sampleSize":"10", "dashboard:defaultDarkTheme":true, "timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}" } From afdefeada6ecea7e1d8cd950aa25102d2f6ffb83 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Nov 2018 14:56:51 -0500 Subject: [PATCH 29/29] Update Script Points to prod --- updatemaster.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/updatemaster.sh b/updatemaster.sh index 76e85b878..0ee09b9e4 100644 --- a/updatemaster.sh +++ b/updatemaster.sh @@ -3,7 +3,8 @@ # Clone github mkdir /tmp/sogh cd /tmp/sogh -git clone https://github.com/TOoSmOotH/securityonion-saltstack.git +#git clone https://github.com/TOoSmOotH/securityonion-saltstack.git +git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git cd securityonion-saltstack rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/ chown -R socore:socore /opt/so/saltstack/salt