Add fileanalyze module salt configuration

Adds sensoroni agent configuration for the new fileanalyze module that replaces the Strelka file analysis containers: - defaults.yaml: default config values (watchDirs, concurrency, dedup, etc.) - sensoroni.json: Jinja2 template to render module config when enabled - soc_sensoroni.yaml: SOC config schema with descriptions for all settings
2026-04-10 06:41:55 +02:00 · 2026-04-06 14:12:48 -04:00
parent 88de246ce3
commit c6c538363d
3 changed files with 87 additions and 2 deletions
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -16,6 +16,21 @@ sensoroni:
    soc_host:
    suripcap:
      pcapMaxCount: 100000
+    fileanalyze:
+      enabled: False
+      watchDirs:
+        - /nsm/zeek/extracted/complete
+      processedDir: /nsm/strelka/processed
+      historyDir: /nsm/strelka/history
+      logFile: /var/log/strelka/strelka.log
+      concurrency: 8
+      maxDepth: 15
+      recycleSeconds: 300
+      dedupMaxEntries: 100000
+      dedupTTLSeconds: 3600
+      yaraRulesPath: /opt/so/conf/strelka/rules/compiled/rules.compiled
+      passwordsPath: /etc/strelka/passwords.dat
+      scannerTimeout: 150
  analyzers:
      echotrail:
        base_url: https://api.echotrail.io/insights/
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -14,7 +14,7 @@
    "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents",
    "verifyCert": false,
    "modules": {
-{%- if SENSORONIMERGED.config.analyze.enabled %} 
+{%- if SENSORONIMERGED.config.analyze.enabled %}
      "analyze": {
        "timeoutMs": {{ SENSORONIMERGED.config.analyze.timeout_ms }},
        "parallelLimit": {{ SENSORONIMERGED.config.analyze.parallel_limit }}
@@ -31,11 +31,27 @@
      "statickeyauth": {
        "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%  if GLOBALS.is_sensor %}
-      },     
+      },
      "suriquery": {
        "pcapInputPath": "/nsm/suripcap",
        "pcapOutputPath": "/nsm/pcapout",
        "pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}
+{%- endif %}
+{%- if SENSORONIMERGED.config.fileanalyze.enabled %}
+      },
+      "fileanalyze": {
+        "watchDirs": {{ SENSORONIMERGED.config.fileanalyze.watchDirs | tojson }},
+        "processedDir": "{{ SENSORONIMERGED.config.fileanalyze.processedDir }}",
+        "historyDir": "{{ SENSORONIMERGED.config.fileanalyze.historyDir }}",
+        "logFile": "{{ SENSORONIMERGED.config.fileanalyze.logFile }}",
+        "concurrency": {{ SENSORONIMERGED.config.fileanalyze.concurrency }},
+        "maxDepth": {{ SENSORONIMERGED.config.fileanalyze.maxDepth }},
+        "recycleSeconds": {{ SENSORONIMERGED.config.fileanalyze.recycleSeconds }},
+        "dedupMaxEntries": {{ SENSORONIMERGED.config.fileanalyze.dedupMaxEntries }},
+        "dedupTTLSeconds": {{ SENSORONIMERGED.config.fileanalyze.dedupTTLSeconds }},
+        "yaraRulesPath": "{{ SENSORONIMERGED.config.fileanalyze.yaraRulesPath }}",
+        "passwordsPath": "{{ SENSORONIMERGED.config.fileanalyze.passwordsPath }}",
+        "scannerTimeout": {{ SENSORONIMERGED.config.fileanalyze.scannerTimeout }}
 {%- endif %}
      }
    }
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -65,6 +65,60 @@ sensoroni:
        description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
        helpLink: pcap
        advanced: True
+    fileanalyze:
+      enabled:
+        description: Enable or disable the file analysis module. When enabled, this replaces Strelka for file scanning on sensor nodes.
+        forcedType: bool
+        advanced: False
+        helpLink: strelka
+      watchDirs:
+        description: Directories to watch for new files to analyze. Typically the Zeek or Suricata extracted file directories.
+        advanced: True
+        helpLink: strelka
+      processedDir:
+        description: Directory to move files to after scanning is complete.
+        advanced: True
+        helpLink: strelka
+      historyDir:
+        description: Directory for on-disk deduplication history. Each scanned file hash is recorded here to survive restarts.
+        advanced: True
+        helpLink: strelka
+      logFile:
+        description: Path to the JSON log file where scan results are written. This file is picked up by the existing filebeat pipeline.
+        advanced: True
+        helpLink: strelka
+      concurrency:
+        description: Maximum number of files to scan concurrently.
+        advanced: True
+        helpLink: strelka
+      maxDepth:
+        description: Maximum recursive extraction depth for nested archives.
+        advanced: True
+        helpLink: strelka
+      recycleSeconds:
+        description: Interval in seconds to recycle the file watcher to pick up new subdirectories.
+        advanced: True
+        helpLink: strelka
+      dedupMaxEntries:
+        description: Maximum number of entries in the in-memory deduplication cache.
+        advanced: True
+        helpLink: strelka
+      dedupTTLSeconds:
+        description: Time-to-live in seconds for deduplication cache entries.
+        advanced: True
+        helpLink: strelka
+      yaraRulesPath:
+        description: Path to compiled YARA rules file.
+        advanced: True
+        helpLink: strelka
+      passwordsPath:
+        description: Path to password dictionary for encrypted file cracking attempts.
+        advanced: True
+        helpLink: strelka
+      scannerTimeout:
+        description: Timeout in seconds for individual scanner execution.
+        advanced: True
+        helpLink: strelka
  analyzers:
    echotrail:
      api_key: