From 6505d3e2ce935cfa4620f95f49f8e5715210d213 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 May 2023 11:03:37 -0400 Subject: [PATCH 1/5] update annotations for suricata --- salt/suricata/soc_suricata.yaml | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index f1971f17f..33d69368e 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -12,6 +12,40 @@ suricata: title: SIDS helpLink: suricata.html config: + af-packet: + interface: + description: The network interface that Suricata will monitor. + helpLink: suricata.html + cluster-id: + advanced: True + cluster-type: + advanced: True + regex: ^(cluster_flow|cluster_qm)$ + defrag: + advanced: True + regex: ^(yes|no)$ + use-mmap: + advanced: True + readonly: True + threads: + description: The ammount of worker threads. + helpLink: suricata.html + forcedType: int + tpacket-v3: + advanced: True + readonly: True + ring-size: + description: Buffer size for packets per thread. + forcedType: int + helpLink: suricata.html + threading: + set-cpu-affinity: + description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. + regex: ^(yes|no)$ + helpLink: suricata.html + cpu-affinity: + description: Bind management and worker threads to a core or range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + helpLink: suricata.html vars: address-groups: HOME_NET: From d99d4756c37b0b792c0ed27bbb658c4cb8027f18 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 May 2023 11:11:53 -0400 Subject: [PATCH 2/5] set defaults as example in soc ui for suricata cpu affinity --- salt/suricata/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 8be41b999..460016abf 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -5,9 +5,9 @@ suricata: set-cpu-affinity: "no" cpu-affinity: - management-cpu-set: - cpu: [] + cpu: [1] - worker-cpu-set: - cpu: [] + cpu: ["2-3"] mode: exclusive prio: default: high From a3c3f08511e62b4a7386a88b909dbf21e8d3c2ca Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 May 2023 17:00:48 -0400 Subject: [PATCH 3/5] convert list to dict to work better with ui. regex on suricata vars HOME_NET for soc --- salt/suricata/defaults.yaml | 129 ++++++++++++++++++++------------ salt/suricata/map.jinja | 44 ++++++++++- salt/suricata/soc_suricata.yaml | 42 +++++++---- 3 files changed, 150 insertions(+), 65 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 460016abf..4651b7268 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -4,13 +4,15 @@ suricata: threading: set-cpu-affinity: "no" cpu-affinity: - - management-cpu-set: - cpu: [1] - - worker-cpu-set: - cpu: ["2-3"] - mode: exclusive - prio: - default: high + management-cpu-set: + cpu: + - 1 + worker-cpu-set: + cpu: + - 2-3 + mode: exclusive + prio: + default: high af-packet: interface: bond0 cluster-id: 59 @@ -22,32 +24,61 @@ suricata: ring-size: 5000 vars: address-groups: - HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" - EXTERNAL_NET: "any" - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" + HOME_NET: + - 192.168.0.0/16 + - 10.0.0.0/8 + - 172.16.0.0/12 + EXTERNAL_NET: + - any + HTTP_SERVERS: + - $HOME_NET + SMTP_SERVERS: + - $HOME_NET + SQL_SERVERS: + - $HOME_NET + DNS_SERVERS: + - $HOME_NET + TELNET_SERVERS: + - $HOME_NET + AIM_SERVERS: + - $EXTERNAL_NET + DC_SERVERS: + - $HOME_NET + DNP3_SERVER: + - $HOME_NET + DNP3_CLIENT: + - $HOME_NET + MODBUS_CLIENT: + - $HOME_NET + MODBUS_SERVER: + - $HOME_NET + ENIP_CLIENT: + - $HOME_NET + ENIP_SERVER: + - $HOME_NET port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: "1521" - SSH_PORTS: "22" - DNP3_PORTS: "20000" - MODBUS_PORTS: "502" - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: "21" - VXLAN_PORTS: "4789" - TEREDO_PORTS: "3544" + HTTP_PORTS: + - 80 + SHELLCODE_PORTS: + - "!80" + ORACLE_PORTS: + - 1521 + SSH_PORTS: + - 22 + DNP3_PORTS: + - 20000 + MODBUS_PORTS: + - 502 + FILE_DATA_PORTS: + - $HTTP_PORTS + - 110 + - 143 + FTP_PORTS: + - 21 + VXLAN_PORTS: + - 4789 + TEREDO_PORTS: + - 3544 default-log-dir: /var/log/suricata/ stats: enabled: "yes" @@ -66,23 +97,23 @@ suricata: community-id: true community-id-seed: 0 types: - - alert: - payload: "no" - payload-buffer-size: 4kb - payload-printable: "yes" - packet: "yes" - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - tagged-packets: "no" - xff: - enabled: "no" - mode: extra-data - deployment: reverse - header: X-Forwarded-For + alert: + payload: "no" + payload-buffer-size: 4kb + payload-printable: "yes" + packet: "yes" + metadata: + app-layer: false + flow: false + rule: + metadata: true + raw: true + tagged-packets: "no" + xff: + enabled: "no" + mode: extra-data + deployment: reverse + header: X-Forwarded-For unified2-alert: enabled: "no" http-log: diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index b238405c8..6524221b7 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -1,4 +1,4 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %} {% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %} {% import_yaml 'suricata/suricata_mdengine.yaml' as suricata_mdengine %} @@ -23,6 +23,28 @@ {% do SURICATAMERGED.config.pop('af-packet') %} {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %} +{# eve-log.types is a list but we convert to dict in defaults to work with ui #} +{# below they are converted back to lists #} +{% load_yaml as evelogtypes %} +{% for le, ld in SURICATAMERGED.config.outputs['eve-log'].types.items() %} + - {{ le }}: {{ ld }} +{% endfor %} +{% endload %} +{% do SURICATAMERGED.config.outputs['eve-log'].pop('types') %} +{% do SURICATAMERGED.config.outputs['eve-log'].update({'types': evelogtypes}) %} + +{# threading.cpu-affinity is a list but we convert to dict in defaults to work with ui #} +{# below they are converted back to lists #} +{% load_yaml as cpuaffinity %} +{% for le, ld in SURICATAMERGED.config.threading['cpu-affinity'].items() %} + - {{ le }}: {{ ld }} +{% endfor %} +{% endload %} +{% do SURICATAMERGED.config.threading.pop('cpu-affinity') %} +{% do SURICATAMERGED.config.threading.update({'cpu-affinity': cpuaffinity}) %} + +{# outputs is a list but we convert to dict in defaults to work with ui #} +{# below they are converted back to lists #} {% load_yaml as outputs %} {% for le, ld in SURICATAMERGED.config.outputs.items() %} - {{ le }}: {{ ld }} @@ -59,3 +81,23 @@ {% do SURICATAMERGED.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} {% do SURICATAMERGED.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} {% endif %} + +{# change address-groups vars from list to comma seperated string #} +{% for k, v in SURICATAMERGED.config.vars['address-groups'].items() %} +{# if address-group value is a list #} +{% if v is iterable and (v is not string and v is not mapping and v | length > 1) %} +{% do SURICATAMERGED.config.vars['address-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %} +{% else %} +{% do SURICATAMERGED.config.vars['address-groups'].update({k: v[0]}) %} +{% endif %} +{% endfor %} + +{# change port-groups vars from list to comma seperated string #} +{% for k, v in SURICATAMERGED.config.vars['port-groups'].items() %} +{# if address-group value is a list #} +{% if v is iterable and (v is not string and v is not mapping and v | length > 1) %} +{% do SURICATAMERGED.config.vars['port-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %} +{% else %} +{% do SURICATAMERGED.config.vars['port-groups'].update({k: v[0]}) %} +{% endif %} +{% endfor %} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 33d69368e..69ff5cdff 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -44,12 +44,22 @@ suricata: regex: ^(yes|no)$ helpLink: suricata.html cpu-affinity: - description: Bind management and worker threads to a core or range of cores. set-cpu-affinity must be set to 'yes' for this to be used. - helpLink: suricata.html + management-cpu-set: + cpu: + description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + forcedType: "[]string" + helpLink: suricata.html + worker-cpu-set: + cpu: + description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + forcedType: "[]string" + helpLink: suricata.html vars: address-groups: HOME_NET: description: List of hosts or networks. + regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ + regexFailureMessage: You must enter a valid IP address or CIDR. helpLink: suricata.html EXTERNAL_NET: description: List of hosts or networks. @@ -126,19 +136,21 @@ suricata: helpLink: suricata.html outputs: eve-log: - xff: - enabled: - description: Enable X-Forward-For support. - helpLink: suricata.html - mode: - description: Operation mode. This should always be extra-data if you use PCAP. - helpLink: suricata.html - deployment: - description: forward would use the first IP address and reverse would use the last. - helpLink: suricata.html - header: - description: Header name where the actual IP address will be reported. - helpLink: suricata.html + types: + alert: + xff: + enabled: + description: Enable X-Forward-For support. + helpLink: suricata.html + mode: + description: Operation mode. This should always be extra-data if you use PCAP. + helpLink: suricata.html + deployment: + description: forward would use the first IP address and reverse would use the last. + helpLink: suricata.html + header: + description: Header name where the actual IP address will be reported. + helpLink: suricata.html asn1-max-frames: description: Maximum nuber of asn1 frames to decode. helpLink: suricata.html From 5c933910aa6edefdb238cce76fd4c0e378deeb55 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 May 2023 17:25:54 -0400 Subject: [PATCH 4/5] simplify map for updating suricata config if md engine is suricata --- salt/suricata/map.jinja | 46 +++++++++++++++-------------------------- 1 file changed, 17 insertions(+), 29 deletions(-) diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 6524221b7..5576117cc 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -43,6 +43,23 @@ {% do SURICATAMERGED.config.threading.pop('cpu-affinity') %} {% do SURICATAMERGED.config.threading.update({'cpu-affinity': cpuaffinity}) %} +{# Find the index of eve-log and file-store in suricata_mdengine.suricata.config.outputs #} +{# update outputs eve-log.types and filestore with config for Suricata metadata engine #} +{% if GLOBALS.md_engine == 'SURICATA' %} +{% for li in suricata_mdengine.suricata.config.outputs %} +{% if 'eve-log' in li.keys() %} +{% do surimeta_evelog_index.append(loop.index0) %} +{% endif %} +{% if 'file-store' in li.keys() %} +{% do surimeta_filestore_index.append(loop.index0) %} +{% endif %} +{% endfor %} +{% set surimeta_evelog_index = surimeta_evelog_index[0] %} +{% set surimeta_filestore_index = surimeta_filestore_index[0] %} +{% do SURICATAMERGED.config.outputs['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} +{% do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} +{% endif %} + {# outputs is a list but we convert to dict in defaults to work with ui #} {# below they are converted back to lists #} {% load_yaml as outputs %} @@ -53,35 +70,6 @@ {% do SURICATAMERGED.config.pop('outputs') %} {% do SURICATAMERGED.config.update({'outputs': outputs}) %} -{# Find the index of eve-log so it can be updated later #} -{% for li in SURICATAMERGED.config.outputs %} - {% if 'eve-log' in li.keys() %} - {% do default_evelog_index.append(loop.index0) %} - {% endif %} - {% if 'file-store' in li.keys() %} - {% do default_filestore_index.append(loop.index0) %} - {% endif %} -{% endfor %} -{% set default_evelog_index = default_evelog_index[0] %} -{% set default_filestore_index = default_filestore_index[0] %} - -{# Find the index of eve-log so it can be grabbed later #} -{% for li in suricata_mdengine.suricata.config.outputs %} - {% if 'eve-log' in li.keys() %} - {% do surimeta_evelog_index.append(loop.index0) %} - {% endif %} - {% if 'file-store' in li.keys() %} - {% do surimeta_filestore_index.append(loop.index0) %} - {% endif %} -{% endfor %} -{% set surimeta_evelog_index = surimeta_evelog_index[0] %} -{% set surimeta_filestore_index = surimeta_filestore_index[0] %} - -{% if GLOBALS.md_engine == 'SURICATA' %} - {% do SURICATAMERGED.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} - {% do SURICATAMERGED.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} -{% endif %} - {# change address-groups vars from list to comma seperated string #} {% for k, v in SURICATAMERGED.config.vars['address-groups'].items() %} {# if address-group value is a list #} From 5b4ec70ca6d3f4e6cd7ec8603a809cdd05a96843 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 26 May 2023 09:37:57 -0400 Subject: [PATCH 5/5] fix typo on suricata annotations. add to global annotations --- salt/global/soc_global.yaml | 5 +++++ salt/suricata/soc_suricata.yaml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index 6861affd7..14d637d50 100644 --- a/salt/global/soc_global.yaml +++ b/salt/global/soc_global.yaml @@ -6,8 +6,13 @@ global: managerip: description: The IP address of the grid manager. global: True + advanced: True + regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ + regexFailureMessage: You must enter a valid IP address or CIDR. mdengine: description: What engine to use for meta data generation. Options are ZEEK and SURICATA. + regex: ^(ZEEK|SURICATA)$ + regexFailureMessage: You must enter either ZEEK or SURICATA. global: True ids: description: Which IDS engine to use. Currently only Suricata is supported. diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 69ff5cdff..f13e89618 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -28,7 +28,7 @@ suricata: advanced: True readonly: True threads: - description: The ammount of worker threads. + description: The amount of worker threads. helpLink: suricata.html forcedType: int tpacket-v3: