Change how zeek and suri are populated in the minion file

2025-12-06 17:22:49 +01:00 · 2022-09-14 09:53:57 -04:00
parent 064b64f68a
commit a4dc63f3a4
8 changed files with 31 additions and 126 deletions
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -160,16 +160,14 @@ function add_patch_pillar_to_minion() {
 function add_sensor_to_minion() {
 	echo "sensor:" >> $PILLARFILE
 	echo "  interface: '$INTERFACE'" >> $PILLARFILE
-	echo "  zeekpin: False" >> $PILLARFILE
-	echo "  zeekpins:" >> $PILLARFILE
-	echo "    - 1" >> $PILLARFILE
-	echo "  zeek_lbprocs: $CORECOUNT" >> $PILLARFILE
-	echo "  suripin: False" >> $PILLARFILE
-	echo "  suripins:" >> $PILLARFILE
-	echo "    - 2" >> $PILLARFILE
-	echo "  suriprocs: $CORECOUNT"  >> $PILLARFILE
 	echo "  mtu: 9000" >> $PILLARFILE
-	echo "  uniqueid: $(date '+%s')" >> $PILLARFILE
+	echo "zeek:" >> $PILLARFILE
+	echo "    config:" >> $PILLARFILE
+	echo "        lb_procs: $CORECOUNT" >> $PILLARFILE
+	echo "suricata:" >> $PILLARFILE
+	echo "    config:" >> $PILLARFILE
+	echo "        af-packet:" >> $PILLARFILE
+	echo "            threads: $CORECOUNT" >> $PILLARFILE
 	echo "steno:" >> $PILLARFILE
 	echo "  stenopin: False" >> $PILLARFILE
 	echo "  stenopins:" >> $PILLARFILE
--- a/salt/learn/files/logscan.conf
+++ b/salt/learn/files/logscan.conf
@@ -1,7 +0,0 @@
-[global]
-ts_format = iso8601
-scan_interval = 30s
-log_level = info
-
-[kratos]
-log_path = kratos/kratos.log
--- a/salt/learn/init.sls
+++ b/salt/learn/init.sls
@@ -1,19 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-{% set module_dict = salt['pillar.get']('learn:modules', {} ) %}
-
-{% if module_dict.items()|length != 0 %}
-include:
-{% for module, _ in module_dict.items() %}
-  - 'learn.{{ module }}'
-{% endfor %}
-{% endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/learn/logscan.sls
+++ b/salt/learn/logscan.sls
@@ -1,58 +0,0 @@
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set logscan_cpu_period = salt['pillar.get']('learn:modules:logscan:cpu_period', 20000) %}
-{% set enabled = salt['pillar.get']('learn:modules:logscan:enabled', False) %}
-
-{% if enabled %}
-  {% set container_action = 'running' %}
-{% else %}
-  {% set container_action = 'absent'%}
-{% endif %}
-
-
-logscan_data_dir:
-  file.directory:
-    - name: /nsm/logscan/data
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-logscan_conf_dir:
-  file.directory:
-    - name: /opt/so/conf/logscan
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-logscan_conf:
-  file.managed:
-    - name: /opt/so/conf/logscan/logscan.conf
-    - source: salt://learn/files/logscan.conf
-    - user: 939
-    - group: 939
-    - mode: 600
-
-logscan_log_dir:
-  file.directory:
-    - name: /opt/so/log/logscan
-    - user: 939
-    - group: 939
-
-so-logscan:
-  docker_container.{{ container_action }}:
-    {% if container_action == 'running' %}
-    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logscan:{{ VERSION }}
-    - hostname: logscan
-    - name: so-logscan
-    - binds:
-      - /nsm/logscan/data:/logscan/data:rw
-      - /opt/so/conf/logscan/logscan.conf:/logscan/logscan.conf:ro
-      - /opt/so/log/logscan:/logscan/output:rw
-      - /opt/so/log:/logscan/logs:ro
-    - cpu_period: {{ logscan_cpu_period }}
-    - require:
-      - file: logscan_conf
-    {% else %}
-    - force: true
-    {% endif %}
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,5 +1,28 @@
 suricata:
  config:
+    threading:
+        set-cpu-affinity: 'no'
+        detect-thread-ratio: 1.0
+        cpu-affinity:
+            - management-cpu-set:
+                cpu: []
+            - receive-cpu-set:
+                cpu: []
+            - worker-cpu-set:
+                cpu: []
+                mode: exclusive
+                threads: 1
+                prio:
+                    default: high
+    af-packet:
+        interface: bond0
+        cluster-id: 59
+        cluster-type: cluster_flow
+        defrag: true
+        use-mmap: true
+        threads: 1
+        tpacket-v3: true
+        ring-size: 5000
    vars:
      address-groups:
        HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
@@ -348,9 +371,6 @@ suricata:
          include-mpm-stats: false
    mpm-algo: auto
    spm-algo: auto
-    threading:
-      set-cpu-affinity: "yes"
-      detect-thread-ratio: 1.0
    luajit:
      states: 128

--- a/salt/zeek/config.map.jinja
+++ b/salt/zeek/config.map.jinja
--- a/salt/zeek/fileextraction_defaults.yaml
+++ b/salt/zeek/fileextraction_defaults.yaml
@@ -1,29 +0,0 @@
-zeek:
-  policy:
-    file_extraction:
-      - application/x-dosexec: exe
-      - application/pdf: pdf
-      - application/msword: doc
-      - application/vnd.ms-powerpoint: doc
-      - application/rtf: doc
-      - application/vnd.ms-word.document.macroenabled.12: doc
-      - application/vnd.ms-word.template.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.template.macroenabled.12: doc
-      - application/vnd.ms-excel: doc
-      - application/vnd.ms-excel.addin.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
-      - application/vnd.ms-excel.template.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.template: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
-      - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument: doc
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}

-{% from "zeek/map.jinja" import ZEEKOPTIONS with context %}
+{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}

 {% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}