CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Setup Script - Suricata yaml

Browse Source
This commit is contained in:
Mike Reeves
2018-04-11 15:57:55 -04:00
parent ee4ff2fa4d
commit a2701ab2e8
3 changed files with 34 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/logstash/files/logstash.yml
View File

@@ -2,5 +2,5 @@ path.config: /usr/share/logstash/pipeline
http.host: 0.0.0.0
queue.type: persisted
queue.max_bytes: 1gb
pipeline.workers: 1
pipeline.workers: {{ pipeline.workers }}
path.logs: /var/log/logstash

32
salt/suricata/files/suricata.yaml
View File

@@ -123,7 +123,7 @@ outputs:
rule:
metadata: true
raw: true
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: no
@@ -1309,7 +1309,7 @@ spm-algo: auto
# Suricata is multi-threaded. Here the threading can be influenced.
threading:
set-cpu-affinity: no
set-cpu-affinity: yes
# Tune cpu affinity of threads. Each family of threads can be bound
# on specific CPUs.
#
@@ -1321,22 +1321,38 @@ threading:
# receive-cpu-set is used for capture threads
# verdict-cpu-set is used for IPS verdict threads
#
{%- if salt['pillar.get']('sensor:suriprocs') %}
cpu-affinity:
- management-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
cpu: [ all ] # include only these cpus in affinity settings
- receive-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
cpu: [ all ] # include only these cpus in affinity settings
- worker-cpu-set:
cpu: [ "all" ]
mode: "exclusive"
# Use explicitely 3 threads and don't compute number by using
# detect-thread-ratio variable:
# threads: 3
threads: {{ salt['pillar.get']('sensor:suriprocs') }}
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
{% endif %}
{%- if salt['pillar.get']('sensor:suripins') %}
cpu-affinity:
- management-cpu-set:
cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ] # include only these cpus in affinity settings
- receive-cpu-set:
cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ] # include only these cpus in affinity settings
- worker-cpu-set:
cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ]
mode: "exclusive"
# Use explicitely 3 threads and don't compute number by using
# detect-thread-ratio variable:
threads: {{ salt['pillar.get']('sensor:surithreads') }}
prio:
default: "high"
{% endif %}
#- verdict-cpu-set:
# cpu: [ 0 ]
# prio:

15
so-setup-network.sh
View File

@@ -210,7 +210,7 @@ es_heapsize() {
if [ $TOTAL_MEM -lt 8000 ] ; then
ES_HEAP_SIZE="600m"
elif [ $TOTAL_MEM -ge 100000 ]; then
# Set a max of 25GB for heap size
# Set a max of 25GB for heap size
# https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html
ES_HEAP_SIZE="25000m"
else
@@ -386,12 +386,15 @@ sensor_pillar() {
PIN=$(echo $PIN | cut -d\" -f2)
echo " - $PIN" >> /tmp/$HOSTNAME.sls
done
ST=("${SURITHREADS[@]//\"/}")
STHREADS=${ST// /,}
echo " surithreads: $STHREADS" >> /tmp/$HOSTNAME.sls
SP=("${SURIPINS[@]//\"/}")
SPINS=${SP// /,}
SCOUNT=${#SURIPINS[@]}
echo " suripins: $SPINS" >> /tmp/$HOSTNAME.sls
echo " surithreads: $SCOUNT"
else
echo " bro_lbprocs: $BASICBRO" >> /tmp/$HOSTNAME.sls
echo " surithreads: $BASICSURI" >> /tmp/$HOSTNAME.sls
echo " suriprocs: $BASICSURI" >> /tmp/$HOSTNAME.sls
fi
echo " brobpf:" >> /tmp/$HOSTNAME.sls
echo " pcapbpf:" >> /tmp/$HOSTNAME.sls
@@ -641,7 +644,7 @@ whiptail_setup_complete() {
whiptail_suricata_pins() {
FILTEREDCORES=$(echo ${LISTCORES[@]} ${BROPINS[@]} | tr -d '"' | tr ' ' '\n' | sort | uniq -u | awk '{print $1 " \"" "core" "\""}')
SURITHREADS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
SURIPINS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus