Change how zeek and suri are populated in the minion file

salt/common/tools/sbin/so-minion

@@ -160,16 +160,14 @@ function add_patch_pillar_to_minion() {
 function add_sensor_to_minion() {
 	echo "sensor:" >> $PILLARFILE
 	echo "  interface: '$INTERFACE'" >> $PILLARFILE
-	echo "  zeekpin: False" >> $PILLARFILE
-	echo "  zeekpins:" >> $PILLARFILE
-	echo "    - 1" >> $PILLARFILE
-	echo "  zeek_lbprocs: $CORECOUNT" >> $PILLARFILE
-	echo "  suripin: False" >> $PILLARFILE
-	echo "  suripins:" >> $PILLARFILE
-	echo "    - 2" >> $PILLARFILE
-	echo "  suriprocs: $CORECOUNT"  >> $PILLARFILE
 	echo "  mtu: 9000" >> $PILLARFILE
-	echo "  uniqueid: $(date '+%s')" >> $PILLARFILE
+	echo "zeek:" >> $PILLARFILE
+	echo "    config:" >> $PILLARFILE
+	echo "        lb_procs: $CORECOUNT" >> $PILLARFILE
+	echo "suricata:" >> $PILLARFILE
+	echo "    config:" >> $PILLARFILE
+	echo "        af-packet:" >> $PILLARFILE
+	echo "            threads: $CORECOUNT" >> $PILLARFILE
 	echo "steno:" >> $PILLARFILE
 	echo "  stenopin: False" >> $PILLARFILE
 	echo "  stenopins:" >> $PILLARFILE

salt/learn/files/logscan.conf

@@ -1,7 +0,0 @@
-[global]
-ts_format = iso8601
-scan_interval = 30s
-log_level = info
-
-[kratos]
-log_path = kratos/kratos.log

salt/learn/init.sls

@@ -1,19 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-{% set module_dict = salt['pillar.get']('learn:modules', {} ) %}
-
-{% if module_dict.items()|length != 0 %}
-include:
-{% for module, _ in module_dict.items() %}
-  - 'learn.{{ module }}'
-{% endfor %}
-{% endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/learn/logscan.sls

@@ -1,58 +0,0 @@
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set logscan_cpu_period = salt['pillar.get']('learn:modules:logscan:cpu_period', 20000) %}
-{% set enabled = salt['pillar.get']('learn:modules:logscan:enabled', False) %}
-
-{% if enabled %}
-  {% set container_action = 'running' %}
-{% else %}
-  {% set container_action = 'absent'%}
-{% endif %}
-
-
-logscan_data_dir:
-  file.directory:
-    - name: /nsm/logscan/data
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-logscan_conf_dir:
-  file.directory:
-    - name: /opt/so/conf/logscan
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-logscan_conf:
-  file.managed:
-    - name: /opt/so/conf/logscan/logscan.conf
-    - source: salt://learn/files/logscan.conf
-    - user: 939
-    - group: 939
-    - mode: 600
-
-logscan_log_dir:
-  file.directory:
-    - name: /opt/so/log/logscan
-    - user: 939
-    - group: 939
-
-so-logscan:
-  docker_container.{{ container_action }}:
-    {% if container_action == 'running' %}
-    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logscan:{{ VERSION }}
-    - hostname: logscan
-    - name: so-logscan
-    - binds:
-      - /nsm/logscan/data:/logscan/data:rw
-      - /opt/so/conf/logscan/logscan.conf:/logscan/logscan.conf:ro
-      - /opt/so/log/logscan:/logscan/output:rw
-      - /opt/so/log:/logscan/logs:ro
-    - cpu_period: {{ logscan_cpu_period }}
-    - require:
-      - file: logscan_conf
-    {% else %}
-    - force: true
-    {% endif %}

salt/suricata/defaults.yaml

@@ -1,5 +1,28 @@
 suricata:
   config:
+    threading:
+        set-cpu-affinity: 'no'
+        detect-thread-ratio: 1.0
+        cpu-affinity:
+            - management-cpu-set:
+                cpu: []
+            - receive-cpu-set:
+                cpu: []
+            - worker-cpu-set:
+                cpu: []
+                mode: exclusive
+                threads: 1
+                prio:
+                    default: high
+    af-packet:
+        interface: bond0
+        cluster-id: 59
+        cluster-type: cluster_flow
+        defrag: true
+        use-mmap: true
+        threads: 1
+        tpacket-v3: true
+        ring-size: 5000
     vars:
       address-groups:
         HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
@@ -348,9 +371,6 @@ suricata:
           include-mpm-stats: false
     mpm-algo: auto
     spm-algo: auto
-    threading:
-      set-cpu-affinity: "yes"
-      detect-thread-ratio: 1.0
     luajit:
       states: 128
 

salt/zeek/fileextraction_defaults.yaml

@@ -1,29 +0,0 @@
-zeek:
-  policy:
-    file_extraction:
-      - application/x-dosexec: exe
-      - application/pdf: pdf
-      - application/msword: doc
-      - application/vnd.ms-powerpoint: doc
-      - application/rtf: doc
-      - application/vnd.ms-word.document.macroenabled.12: doc
-      - application/vnd.ms-word.template.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.template.macroenabled.12: doc
-      - application/vnd.ms-excel: doc
-      - application/vnd.ms-excel.addin.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
-      - application/vnd.ms-excel.template.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.template: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
-      - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument: doc

salt/zeek/init.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
-{% from "zeek/map.jinja" import ZEEKOPTIONS with context %}
+{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 
 {% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}