CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12561 from Security-Onion-Solutions/jppnocap

Browse Source 
transitional pcap
This commit is contained in:
Josh Patterson
2024-03-11 15:57:16 -04:00
committed by GitHub
parent 8c54a19698 ba32b3e6e9
commit b7f058a8ca
5 changed files with 16 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
salt/bpf/pcap.map.jinja
View File

@@ -1,7 +1,10 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% import 'bpf/macros.jinja' as MACROS %}
{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
{% set PCAPBPF = BPFMERGED.pcap %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.pcap_engine == "TRANSITION" %}
{% set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
{% else %}
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% import 'bpf/macros.jinja' as MACROS %}
{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
{% set PCAPBPF = BPFMERGED.pcap %}
{% endif %}

6
salt/global/soc_global.yaml
View File

@@ -15,9 +15,9 @@ global:
regexFailureMessage: You must enter either ZEEK or SURICATA.
global: True
pcapengine:
description: Which engine to use for generating pcap. Options are STENO and SURICATA.
regex: ^(STENO|SURICATA)$
regexFailureMessage: You must enter either STENO or SURICATA.
description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
regex: ^(STENO|SURICATA|TRANSITION)$
regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
global: True
ids:
description: Which IDS engine to use. Currently only Suricata is supported.

2
salt/suricata/map.jinja
View File

@@ -9,7 +9,7 @@
{% set surimeta_filestore_index = [] %}
{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
{% if GLOBALS.pcap_engine == "SURICATA" %}
{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
{# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}

2
salt/suricata/pcap.sls
View File

@@ -11,7 +11,7 @@ suripcapdir:
- mode: 775
- makedirs: True
{% if GLOBALS.pcap_engine == "SURICATA" %}
{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
{# there should only be 1 interface in af-packet so we can just reference the first list item #}
{% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}

2
salt/telegraf/scripts/oldpcap.sh
View File

@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- if GLOBALS.pcap_engine == "SURICATA" %}
{%- if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
PCAPLOC=/host/nsm/suripcap
{%- else %}
PCAPLOC=/host/nsm/pcap