convert list to dict to work better with ui. regex on suricata vars HOME_NET for soc

salt/suricata/defaults.yaml

@@ -4,10 +4,12 @@ suricata:
     threading:
       set-cpu-affinity: "no"
       cpu-affinity:
-        - management-cpu-set:
+        management-cpu-set:
-            cpu: [1]
+          cpu:
-        - worker-cpu-set:
+            - 1
-            cpu: ["2-3"]
+        worker-cpu-set:
+          cpu:
+            - 2-3
           mode: exclusive
           prio:
             default: high
@@ -22,32 +24,61 @@ suricata:
       ring-size: 5000
     vars:
       address-groups:
-        HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+        HOME_NET:
-        EXTERNAL_NET: "any"
+          - 192.168.0.0/16
-        HTTP_SERVERS: "$HOME_NET"
+          - 10.0.0.0/8
-        SMTP_SERVERS: "$HOME_NET"
+          - 172.16.0.0/12
-        SQL_SERVERS: "$HOME_NET"
+        EXTERNAL_NET:
-        DNS_SERVERS: "$HOME_NET"
+          - any
-        TELNET_SERVERS: "$HOME_NET"
+        HTTP_SERVERS:
-        AIM_SERVERS: "$EXTERNAL_NET"
+          - $HOME_NET
-        DC_SERVERS: "$HOME_NET"
+        SMTP_SERVERS:
-        DNP3_SERVER: "$HOME_NET"
+          - $HOME_NET
-        DNP3_CLIENT: "$HOME_NET"
+        SQL_SERVERS:
-        MODBUS_CLIENT: "$HOME_NET"
+          - $HOME_NET
-        MODBUS_SERVER: "$HOME_NET"
+        DNS_SERVERS:
-        ENIP_CLIENT: "$HOME_NET"
+          - $HOME_NET
-        ENIP_SERVER: "$HOME_NET"  
+        TELNET_SERVERS:
+          - $HOME_NET
+        AIM_SERVERS:
+          - $EXTERNAL_NET
+        DC_SERVERS:
+          - $HOME_NET
+        DNP3_SERVER:
+          - $HOME_NET
+        DNP3_CLIENT:
+          - $HOME_NET
+        MODBUS_CLIENT:
+          - $HOME_NET
+        MODBUS_SERVER:
+          - $HOME_NET
+        ENIP_CLIENT:
+          - $HOME_NET
+        ENIP_SERVER:
+          - $HOME_NET
       port-groups:
-        HTTP_PORTS: "80"
+        HTTP_PORTS:
-        SHELLCODE_PORTS: "!80"
+          - 80
-        ORACLE_PORTS: "1521"
+        SHELLCODE_PORTS:
-        SSH_PORTS: "22"
+          - "!80"
-        DNP3_PORTS: "20000"
+        ORACLE_PORTS:
-        MODBUS_PORTS: "502"
+          - 1521
-        FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+        SSH_PORTS:
-        FTP_PORTS: "21"
+          - 22
-        VXLAN_PORTS: "4789"
+        DNP3_PORTS:
-        TEREDO_PORTS: "3544"
+          - 20000
+        MODBUS_PORTS:
+          - 502
+        FILE_DATA_PORTS:
+          - $HTTP_PORTS
+          - 110
+          - 143
+        FTP_PORTS:
+          - 21
+        VXLAN_PORTS:
+          - 4789
+        TEREDO_PORTS:
+          - 3544
     default-log-dir: /var/log/suricata/
     stats:
       enabled: "yes"
@@ -66,7 +97,7 @@ suricata:
         community-id: true
         community-id-seed: 0
         types:
-          - alert:
+          alert:
             payload: "no"
             payload-buffer-size: 4kb
             payload-printable: "yes"

salt/suricata/map.jinja

@@ -23,6 +23,28 @@
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
 
+{# eve-log.types is a list but we convert to dict in defaults to work with ui #}
+{# below they are converted back to lists #}
+{% load_yaml as evelogtypes %}
+{% for le, ld in SURICATAMERGED.config.outputs['eve-log'].types.items() %}
+  - {{ le }}: {{ ld }}
+{% endfor %}
+{% endload %}
+{% do SURICATAMERGED.config.outputs['eve-log'].pop('types') %}
+{% do SURICATAMERGED.config.outputs['eve-log'].update({'types': evelogtypes}) %}
+
+{# threading.cpu-affinity is a list but we convert to dict in defaults to work with ui #}
+{# below they are converted back to lists #}
+{% load_yaml as cpuaffinity %}
+{% for le, ld in SURICATAMERGED.config.threading['cpu-affinity'].items() %}
+  - {{ le }}: {{ ld }}
+{% endfor %}
+{% endload %}
+{% do SURICATAMERGED.config.threading.pop('cpu-affinity') %}
+{% do SURICATAMERGED.config.threading.update({'cpu-affinity': cpuaffinity}) %}
+
+{# outputs is a list but we convert to dict in defaults to work with ui #}
+{# below they are converted back to lists #}
 {% load_yaml as outputs %}
 {% for le, ld in SURICATAMERGED.config.outputs.items() %}
   - {{ le }}: {{ ld }}
@@ -59,3 +81,23 @@
   {% do SURICATAMERGED.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
   {% do SURICATAMERGED.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
 {% endif %}
+
+{# change address-groups vars from list to comma seperated string #}
+{% for k, v in SURICATAMERGED.config.vars['address-groups'].items() %}
+{#   if address-group value is a list #}
+{%   if v is iterable and (v is not string and v is not mapping and v | length > 1) %}
+{%     do SURICATAMERGED.config.vars['address-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %}
+{%   else %}
+{%     do SURICATAMERGED.config.vars['address-groups'].update({k: v[0]}) %}
+{%   endif %}
+{% endfor %}
+
+{# change port-groups vars from list to comma seperated string #}
+{% for k, v in SURICATAMERGED.config.vars['port-groups'].items() %}
+{#   if address-group value is a list #}
+{%   if v is iterable and (v is not string and v is not mapping and v | length > 1) %}
+{%     do SURICATAMERGED.config.vars['port-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %}
+{%   else %}
+{%     do SURICATAMERGED.config.vars['port-groups'].update({k: v[0]}) %}
+{%   endif %}
+{% endfor %}

salt/suricata/soc_suricata.yaml

@@ -44,12 +44,22 @@ suricata:
         regex: ^(yes|no)$
         helpLink: suricata.html
       cpu-affinity:
-        description: Bind management and worker threads to a core or range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
+        management-cpu-set:
+          cpu:
+            description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
+            forcedType: "[]string"
+            helpLink: suricata.html
+        worker-cpu-set:
+          cpu:
+            description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
+            forcedType: "[]string"
             helpLink: suricata.html
     vars:
       address-groups:
         HOME_NET:
           description: List of hosts or networks.
+          regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
+          regexFailureMessage: You must enter a valid IP address or CIDR.
           helpLink: suricata.html
         EXTERNAL_NET: 
           description: List of hosts or networks.
@@ -126,6 +136,8 @@ suricata:
           helpLink: suricata.html
     outputs:
       eve-log:
+        types:
+          alert:
             xff:
               enabled:
                 description: Enable X-Forward-For support.