From a2701ab2e8609ec40988d44f3424570e8c2f59f6 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 11 Apr 2018 15:57:55 -0400
Subject: [PATCH] Setup Script - Suricata yaml
---
 salt/logstash/files/logstash.yml | 2 +-
 salt/suricata/files/suricata.yaml | 32 +++++++++++++++++++++++--------
 so-setup-network.sh | 15 +++++++++------
 3 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/salt/logstash/files/logstash.yml b/salt/logstash/files/logstash.yml
index aa7e7acc7..8677b5f53 100644
--- a/salt/logstash/files/logstash.yml
+++ b/salt/logstash/files/logstash.yml
@@ -2,5 +2,5 @@ path.config: /usr/share/logstash/pipeline
 http.host: 0.0.0.0
 queue.type: persisted
 queue.max_bytes: 1gb
-pipeline.workers: 1
+pipeline.workers: {{ pipeline.workers }}
 path.logs: /var/log/logstash
diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml
index 847acb5ee..ff8816024 100644
--- a/salt/suricata/files/suricata.yaml
+++ b/salt/suricata/files/suricata.yaml
@@ -123,7 +123,7 @@ outputs:
 rule:
 metadata: true
 raw: true
-
+
 # Enable the logging of tagged packets for rules using the
 # "tag" keyword.
 tagged-packets: no
@@ -1309,7 +1309,7 @@ spm-algo: auto
 # Suricata is multi-threaded. Here the threading can be influenced.
 threading:
- set-cpu-affinity: no
+ set-cpu-affinity: yes
 # Tune cpu affinity of threads. Each family of threads can be bound
 # on specific CPUs.
 #
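Review bot: `pipeline.workers: {{ pipeline.workers }}` in logstash.yml references a bare Jinja variable `pipeline`, whereas the suricata.yaml template in the same commit reads its values through `salt['pillar.get'](...)`; unless the state that manages this file passes a `pipeline` context (not visible here), rendering will likely fail or leave the value empty, and Logstash is unlikely to accept a non-integer `pipeline.workers`. Reading pillar with a fallback keeps the previous behaviour when the key is unset: `pipeline.workers: {{ salt['pillar.get']('<pillar key>', 1) }}`. Whatever the source, the rendered value must stay a plain integer, so do not quote it.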
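Review bot: `set-cpu-affinity: yes` is now hard-coded on even when neither `sensor:suripins` nor `sensor:suriprocs` is set in pillar, in which case the hunk at `@@ -1321` emits no `cpu-affinity:` block at all and Suricata is left with affinity enabled but no explicit cpu sets. Tying the switch to the same pillar keys keeps the previous `no` for sensors that were never pinned: `set-cpu-affinity: {% if salt['pillar.get']('sensor:suripins') or salt['pillar.get']('sensor:suriprocs') %}yes{% else %}no{% endif %}`. `yes`/`no` rather than `true`/`false` is what this file uses throughout, so the form itself is consistent with its surroundings.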
@@ -1321,22 +1321,38 @@ threading: # receive-cpu-set is used for capture threads # verdict-cpu-set is used for IPS verdict threads # + {%- if salt['pillar.get']('sensor:suriprocs') %} cpu-affinity: - management-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings + cpu: [ all ] # include only these cpus in affinity settings - receive-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings + cpu: [ all ] # include only these cpus in affinity settings - worker-cpu-set: cpu: [ "all" ] mode: "exclusive" # Use explicitely 3 threads and don't compute number by using # detect-thread-ratio variable: - # threads: 3 + threads: {{ salt['pillar.get']('sensor:suriprocs') }} prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] default: "medium" + {% endif %} + + {%- if salt['pillar.get']('sensor:suripins') %} + cpu-affinity: + - management-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + threads: {{ salt['pillar.get']('sensor:surithreads') }} + prio: + default: "high" + {% endif %} + #- verdict-cpu-set: # cpu: [ 0 ] # prio: diff --git a/so-setup-network.sh b/so-setup-network.sh index 1830048d3..f339f5cfa 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -210,7 +210,7 @@ es_heapsize() { if [ $TOTAL_MEM -lt 8000 ] ; then ES_HEAP_SIZE="600m" elif [ $TOTAL_MEM -ge 100000 ]; then - # Set a max of 25GB for heap size + # Set a max of 25GB for heap size # https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html ES_HEAP_SIZE="25000m" else 
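Review bot: The two `{%- if %}` blocks are independent, so a pillar that sets both `sensor:suriprocs` and `sensor:suripins` renders two `cpu-affinity:` keys under `threading:`, a duplicate key whose resolution depends on the parser (last-wins in most YAML loaders); the setup script in this commit writes only one of the two keys, so the overlap is latent rather than hit today. Turning the second block into `{%- elif salt['pillar.get']('sensor:suripins') %}` and dropping the first `{% endif %}` makes the choice explicit. Separately, `threads: {{ salt['pillar.get']('sensor:surithreads') }}` renders as a bare `threads:` (null) when the key is absent, which is exactly what happens with the `sensor_pillar` hunk at `@@ -386` as committed, since it never writes `surithreads` to the pillar file; a fallback such as `salt['pillar.get']('sensor:surithreads', 1)` or a Jinja guard around the line avoids shipping a null thread count to Suricata.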
@@ -386,12 +386,15 @@ sensor_pillar() {
 PIN=$(echo $PIN | cut -d\" -f2)
 echo " - $PIN" >> /tmp/$HOSTNAME.sls
 done
- ST=("${SURITHREADS[@]//\"/}")
- STHREADS=${ST// /,}
- echo " surithreads: $STHREADS" >> /tmp/$HOSTNAME.sls
+ SP=("${SURIPINS[@]//\"/}")
+ SPINS=${SP// /,}
+ SCOUNT=${#SURIPINS[@]}
+
+ echo " suripins: $SPINS" >> /tmp/$HOSTNAME.sls
+ echo " surithreads: $SCOUNT"
 else
 echo " bro_lbprocs: $BASICBRO" >> /tmp/$HOSTNAME.sls
- echo " surithreads: $BASICSURI" >> /tmp/$HOSTNAME.sls
+ echo " suriprocs: $BASICSURI" >> /tmp/$HOSTNAME.sls
 fi
 echo " brobpf:" >> /tmp/$HOSTNAME.sls
 echo " pcapbpf:" >> /tmp/$HOSTNAME.sls
@@ -641,7 +644,7 @@ whiptail_setup_complete() {
 whiptail_suricata_pins() {
 FILTEREDCORES=$(echo ${LISTCORES[@]} ${BROPINS[@]} | tr -d '"' | tr ' ' '\n' | sort | uniq -u | awk '{print $1 " \"" "core" "\""}')
- SURITHREADS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
+ SURIPINS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
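Review bot: `echo " surithreads: $SCOUNT"` is missing the `>> /tmp/$HOSTNAME.sls` redirect that every neighbouring line uses, so the thread count goes to the terminal and `sensor:surithreads`, which the suricata.yaml template in this commit reads, is never written to the pillar. `SCOUNT=${#SURIPINS[@]}` is also not the number of selected cores: `SURIPINS` is assigned as a single string from `$(whiptail ...)` in the `whiptail_suricata_pins` hunk below, so `${#SURIPINS[@]}` is 1 whenever the variable is set, regardless of how many cores were ticked. Counting the comma-separated list already built in `SPINS` gives the intended value: `SCOUNT=$(tr ',' '\n' <<< "$SPINS" | grep -c .)` followed by `echo " surithreads: $SCOUNT" >> /tmp/$HOSTNAME.sls`. `sensor_pillar` begins before this hunk and continues after it.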