From b7e1989d45754d3e0e1f9aa1dc2cb4df27513d28 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 6 Nov 2025 09:49:46 -0500 Subject: [PATCH 1/9] resolve block-size not large enough for max fragmented IP packet size warning --- salt/suricata/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index d819d1cf9..88435a70a 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -34,7 +34,7 @@ suricata: threads: 1 tpacket-v3: "yes" ring-size: 5000 - block-size: 32768 + block-size: 69632 block-timeout: 10 use-emergency-flush: "yes" buffer-size: 32768 From da1cac0d53e00e2f667a3d09c4f8249b3da021a4 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 6 Nov 2025 16:32:55 -0500 Subject: [PATCH 2/9] tls-log, http-log and syslog outputs deprecated https://github.com/Security-Onion-Solutions/securityonion/issues/15203 --- salt/suricata/defaults.yaml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 88435a70a..e1b68e9d1 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -134,14 +134,6 @@ suricata: header: X-Forwarded-For unified2-alert: enabled: "no" - http-log: - enabled: "no" - filename: http.log - append: "yes" - tls-log: - enabled: "no" - filename: tls.log - append: "yes" tls-store: enabled: "no" pcap-log: @@ -157,9 +149,6 @@ suricata: totals: "yes" threads: "no" null-values: "yes" - syslog: - enabled: "no" - facility: local5 drop: enabled: "no" file-store: @@ -463,3 +452,6 @@ suricata: classification-file: /etc/suricata/classification.config reference-config-file: /etc/suricata/reference.config threshold-file: /etc/suricata/threshold.conf + + +# ENABLE for From 6c7ef622c1a5458ea9b1bd0830fbc3c0531065e7 Mon Sep 17 00:00:00 2001 
From: Josh Patterson Date: Fri, 7 Nov 2025 17:08:33 -0500 Subject: [PATCH 3/9] spaces removed from expected output --- salt/suricata/tools/sbin/so-suricata-reload-rules | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules index 2d60c3422..e21e28e2f 100644 --- a/salt/suricata/tools/sbin/so-suricata-reload-rules +++ b/salt/suricata/tools/sbin/so-suricata-reload-rules @@ -7,5 +7,5 @@ . /usr/sbin/so-common -retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." -retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time." +retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message":"done","return":"OK"}' || fail "The Suricata container was not ready in time." +retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message":"done","return":"OK"}' || fail "The Suricata container was not ready in time." From 274295bc97382f6d670dfe19124b4ab865f43f1d Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 7 Nov 2025 17:39:13 -0500 Subject: [PATCH 4/9] return exit codes --- salt/common/tools/sbin/so-bpf-compile | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-bpf-compile b/salt/common/tools/sbin/so-bpf-compile index f1136cd0e..316a26775 100755 --- a/salt/common/tools/sbin/so-bpf-compile +++ b/salt/common/tools/sbin/so-bpf-compile 
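Review bot: Both `retry` calls still pin the exact byte layout of suricatasc's JSON reply, `'{"message":"done","return":"OK"}'`, which is precisely what broke when the serializer dropped its spaces, so the next formatting change in suricatasc breaks rule reloads again. If `retry` in so-common compares by substring or regex (its implementation is not visible here), a whitespace-tolerant pattern such as `'"return": *"OK"'`, or piping the command through `jq -r .return` and expecting `OK`, would accept both the old and new layouts. The `fail` message on the second call is also misleading: a failed `ruleset-reload-nonblocking` is reported as "The Suricata container was not ready in time.", so `fail "Suricata did not report OK for the ruleset reload."` would point the operator at the right problem.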
@@ -29,9 +29,26 @@ fi interface="$1" shift -tcpdump -i $interface -ddd $@ | tail -n+2 | -while read line; do + +# Capture tcpdump output and exit code +tcpdump_output=$(tcpdump -i "$interface" -ddd "$@" 2>&1) +tcpdump_exit=$? + +if [ $tcpdump_exit -ne 0 ]; then + echo "$tcpdump_output" >&2 + exit $tcpdump_exit +fi + +# Process the output, skipping the first line +echo "$tcpdump_output" | tail -n+2 | while read -r line; do cols=( $line ) - printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]} + printf "%04x%02x%02x%08x" "${cols[0]}" "${cols[1]}" "${cols[2]}" "${cols[3]}" done + +# Check if the pipeline succeeded +if [ "${PIPESTATUS[0]}" -ne 0 ]; then + exit 1 +fi + echo "" +exit 0 From 78c193f0a2848cd4fbae5f04144c63a81a59900e Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 7 Nov 2025 17:40:24 -0500 Subject: [PATCH 5/9] handle bpf for suricata 8 pcap --- salt/suricata/config.sls | 68 +++++++++++++++++++--------------------- salt/suricata/map.jinja | 11 +++++++ 2 files changed, 44 insertions(+), 35 deletions(-) diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index 00364f384..c5ca72da3 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls 
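Review bot: The `if [ "${PIPESTATUS[0]}" -ne 0 ]` check after the `echo | tail | while` pipeline tests the exit status of `echo`, not of the parsing loop, so a malformed instruction line that makes `printf` fail still falls through to `echo ""` and `exit 0` and the caller receives a truncated filter with a success code; the loop is element 2 of the pipeline, and a column-count check inside it is the reliable place to fail. Separately, `2>&1` folds tcpdump's stderr into `$tcpdump_output`: if tcpdump prints a warning but still exits 0 (it does so, for example, when the capture interface has no IPv4 address, which is the normal state of a sniffing interface), that line is parsed as BPF instructions and corrupts the hex written to stdout. Keeping stderr in a separate file and only replaying it on failure removes that path; the rewritten section is below. The usage/argument checks above line 29 are outside this hunk.
```shell
# … unchanged: interface="$1"; shift …

# Keep stderr apart from the -ddd dump so a warning on a successful compile cannot be parsed as instructions.
stderr_file=$(mktemp) || exit 1
trap 'rm -f "$stderr_file"' EXIT
tcpdump_output=$(tcpdump -i "$interface" -ddd "$@" 2>"$stderr_file")
tcpdump_exit=$?

if [ $tcpdump_exit -ne 0 ]; then
    cat "$stderr_file" >&2
    exit $tcpdump_exit
fi

# First line of -ddd output is the instruction count; every following line must be "code jt jf k".
echo "$tcpdump_output" | tail -n+2 | while read -r line; do
    cols=( $line )
    if [ "${#cols[@]}" -ne 4 ]; then
        echo "so-bpf-compile: unexpected tcpdump output: $line" >&2
        exit 1
    fi
    printf "%04x%02x%02x%08x" "${cols[0]}" "${cols[1]}" "${cols[2]}" "${cols[3]}"
done
# The loop is the third pipeline element; PIPESTATUS[0] would only report echo's status.
[ "${PIPESTATUS[2]}" -eq 0 ] || exit 1

echo ""
exit 0
```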
@@ -7,9 +7,40 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'bpf/suricata.map.jinja' import SURICATABPF %} {% from 'suricata/map.jinja' import SURICATAMERGED %} -{% set BPF_STATUS = 0 %} + +suridir: + file.directory: + - name: /opt/so/conf/suricata + - user: 940 + - group: 940 + +{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} +{% from 'bpf/suricata.map.jinja' import SURICATABPF %} +{% from 'suricata/map.jinja' import BPF_STATUS %} +{% from 'suricata/map.jinja' import BPF_CALC %} + +# BPF compilation and configuration +{% if SURICATABPF and not BPF_STATUS %} +suribpfcompilationfailure: + test.configurable_test_state: + - changes: False + - result: False + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ BPF_CALC['stderr'] }}" +{% endif %} + +suribpf: + file.managed: + - name: /opt/so/conf/suricata/bpf + - user: 940 + - group: 940 + {% if BPF_STATUS %} + - contents: {{ SURICATABPF }} + {% else %} + - contents: + - "" + {% endif %} +{% endif %} # Add Suricata Group suricatagroup: @@ -49,18 +80,11 @@ suricata_sbin_jinja: - file_mode: 755 - template: jinja -suridir: - file.directory: - - name: /opt/so/conf/suricata - - user: 940 - - group: 940 - suriruledir: file.directory: - name: /opt/so/conf/suricata/rules - user: 940 - group: 940 - - makedirs: True surilogdir: file.directory: 
@@ -136,32 +160,6 @@ suriclassifications: - user: 940 - group: 940 -# BPF compilation and configuration -{% if SURICATABPF %} - {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %} - {% if BPF_CALC['stderr'] == "" %} - {% set BPF_STATUS = 1 %} - {% else %} -suribpfcompilationfailure: - test.configurable_test_state: - - changes: False - - result: False - - comment: "BPF Syntax Error - Discarding Specified BPF" - {% endif %} -{% endif %} - -suribpf: - file.managed: - - name: /opt/so/conf/suricata/bpf - - user: 940 - - group: 940 - {% if BPF_STATUS %} - - contents: {{ SURICATABPF }} - {% else %} - - contents: - - "" - {% endif %} - so-suricata-eve-clean: file.managed: - name: /usr/sbin/so-suricata-eve-clean diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index a2c7072e0..5080b8620 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja 
@@ -7,9 +7,20 @@ {% set default_filestore_index = [] %} {% set surimeta_evelog_index = [] %} {% set surimeta_filestore_index = [] %} +{% set BPF_STATUS = 0 %} {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #} {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} + +{% from 'bpf/suricata.map.jinja' import SURICATABPF %} +{% if SURICATABPF %} + {% set BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %} + {% if BPF_CALC['retcode'] == 0 %} + {% set BPF_STATUS = 1 %} + {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': SURICATABPF|join(" ")}) %} + {% endif %} +{% endif %} + {% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %} {# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #} {% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %} From 18c0f197b21a3d187241cd97bf68cd2df95c944c Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 10 Nov 2025 13:28:19 -0500 Subject: [PATCH 6/9] suricata bpf --- salt/bpf/pcap.map.jinja | 11 +++++++++++ salt/bpf/soc_bpf.yaml | 4 ++-- salt/bpf/suricata.map.jinja | 9 +++++++++ salt/bpf/zeek.map.jinja | 9 +++++++++ salt/pcap/config.sls | 19 +++++-------------- salt/pcap/files/config.jinja | 2 +- salt/suricata/config.sls | 23 +++++++++++++++-------- salt/suricata/map.jinja | 13 ++++--------- salt/zeek/config.sls | 16 +++++----------- 9 files changed, 61 insertions(+), 45 deletions(-) diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja index 4d8fef460..1b561b8d0 100644 --- a/salt/bpf/pcap.map.jinja +++ b/salt/bpf/pcap.map.jinja 
@@ -1,4 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} +{% set PCAP_BPF_STATUS = 0 %} +{% set STENO_BPF_COMPILED = "" %} + {% if GLOBALS.pcap_engine == "TRANSITION" %} {% set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %} {% else %} @@ -8,3 +11,11 @@ {{ MACROS.remove_comments(BPFMERGED, 'pcap') }} {% set PCAPBPF = BPFMERGED.pcap %} {% endif %} + +{% if PCAPBPF %} + {% set PCAP_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ PCAPBPF|join(" "), cwd='/root') %} + {% if PCAP_BPF_CALC['retcode'] == 0 %} + {% set PCAP_BPF_STATUS = 1 %} + {% set STENO_BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %} + {% endif %} +{% endif %} diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index d93ec98fd..629ef9d5d 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml @@ -1,11 +1,11 @@ bpf: pcap: - description: List of BPF filters to apply to Stenographer. + description: List of BPF filters to apply to the packet capture application. multiline: True forcedType: "[]string" helpLink: bpf.html suricata: - description: List of BPF filters to apply to Suricata. + description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata. multiline: True forcedType: "[]string" helpLink: bpf.html diff --git a/salt/bpf/suricata.map.jinja b/salt/bpf/suricata.map.jinja index fe4adb663..5ee1e5a92 100644 --- a/salt/bpf/suricata.map.jinja +++ b/salt/bpf/suricata.map.jinja 
@@ -1,7 +1,16 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} +{% set SURICATA_BPF_STATUS = 0 %} {% import 'bpf/macros.jinja' as MACROS %} {{ MACROS.remove_comments(BPFMERGED, 'suricata') }} {% set SURICATABPF = BPFMERGED.suricata %} + +{% if SURICATABPF %} + {% set SURICATA_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %} + {% if SURICATA_BPF_CALC['retcode'] == 0 %} + {% set SURICATA_BPF_STATUS = 1 %} + {% endif %} +{% endif %} diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja index fdcc5e99f..789648bdb 100644 --- a/salt/bpf/zeek.map.jinja +++ b/salt/bpf/zeek.map.jinja @@ -1,7 +1,16 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} +{% set ZEEK_BPF_STATUS = 0 %} {% import 'bpf/macros.jinja' as MACROS %} {{ MACROS.remove_comments(BPFMERGED, 'zeek') }} {% set ZEEKBPF = BPFMERGED.zeek %} + +{% if ZEEKBPF %} + {% set ZEEK_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ ZEEKBPF|join(" "), cwd='/root') %} + {% if ZEEK_BPF_CALC['retcode'] == 0 %} + {% set ZEEK_BPF_STATUS = 1 %} + {% endif %} +{% endif %} diff --git a/salt/pcap/config.sls b/salt/pcap/config.sls index 173fecfd1..c37da9694 100644 --- a/salt/pcap/config.sls +++ b/salt/pcap/config.sls @@ -8,12 +8,9 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from "pcap/config.map.jinja" import PCAPMERGED %} -{% from 'bpf/pcap.map.jinja' import PCAPBPF %} - -{% set BPF_COMPILED = "" %} +{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC, STENO_BPF_COMPILED %} # PCAP Section - stenographergroup: group.present: - name: stenographer 
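Review bot: In `bpf/suricata.map.jinja` the operator-supplied filter list is spliced into a single command string, `'/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" ")`, and handed to `cmd.run_all` with no quoting; if Salt runs that string through a shell, a filter containing `;`, backticks or `$(...)` executes as root on the sensor at render time, and even well-formed BPF such as `not (host 10.0.0.1 or port 22)` is mangled because `(`, `)`, `!`, `&&` and `||` are shell metacharacters. Passing an argv list keeps the filter as one argument: `salt['cmd.run_all'](['/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface, SURICATABPF|join(" ")], python_shell=False, cwd='/root')`; so-bpf-compile forwards everything after the interface via `"$@"` and tcpdump accepts the whole expression as a single word. Whether the `bpf` pillar is reachable by an untrusted principal is not visible here, but the quoting breakage applies regardless. The zeek map in this hunk and the pcap map earlier in the commit build the command the same way and need the same change.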
@@ -40,18 +37,12 @@ pcap_sbin: - group: 939 - file_mode: 755 -{% if PCAPBPF %} - {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %} - {% if BPF_CALC['stderr'] == "" %} - {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %} - {% else %} - -bpfcompilationfailure: +{% if PCAPBPF and not PCAP_BPF_STATUS %} +stenoPCAPbpfcompilationfailure: test.configurable_test_state: - changes: False - result: False - - comment: "BPF Compilation Failed - Discarding Specified BPF" - {% endif %} + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}" {% endif %} stenoconf: @@ -64,7 +55,7 @@ stenoconf: - template: jinja - defaults: PCAPMERGED: {{ PCAPMERGED }} - BPF_COMPILED: "{{ BPF_COMPILED }}" + STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}" stenoca: file.directory: diff --git a/salt/pcap/files/config.jinja b/salt/pcap/files/config.jinja index f0a4fc51d..90c197938 100644 --- a/salt/pcap/files/config.jinja +++ b/salt/pcap/files/config.jinja @@ -6,6 +6,6 @@ , "Interface": "{{ pillar.sensor.interface }}" , "Port": 1234 , "Host": "127.0.0.1" - , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}] + , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ STENO_BPF_COMPILED }}] , "CertPath": "/etc/stenographer/certs" } diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index c5ca72da3..7de1a0fd4 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls 
@@ -8,6 +8,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'suricata/map.jinja' import SURICATAMERGED %} +{% from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %} suridir: file.directory: @@ -16,30 +17,36 @@ suridir: - group: 940 {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} -{% from 'bpf/suricata.map.jinja' import SURICATABPF %} -{% from 'suricata/map.jinja' import BPF_STATUS %} -{% from 'suricata/map.jinja' import BPF_CALC %} - +{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %} # BPF compilation and configuration -{% if SURICATABPF and not BPF_STATUS %} -suribpfcompilationfailure: +{% if PCAPBPF and not PCAP_BPF_STATUS %} +suriPCAPbpfcompilationfailure: test.configurable_test_state: - changes: False - result: False - - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ BPF_CALC['stderr'] }}" + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}" {% endif %} +{% endif %} +# BPF applied to all of Suricata - alerts/metadata/pcap suribpf: file.managed: - name: /opt/so/conf/suricata/bpf - user: 940 - group: 940 - {% if BPF_STATUS %} + {% if SURICATA_BPF_STATUS %} - contents: {{ SURICATABPF }} {% else %} - contents: - "" {% endif %} + +{% if SURICATABPF and not SURICATA_BPF_STATUS %} +suribpfcompilationfailure: + test.configurable_test_state: + - changes: False + - result: False + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ SURICATA_BPF_CALC['stderr'] }}" {% endif %} # Add Suricata Group diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 5080b8620..3d378b69d 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja 
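Review bot: The failure states interpolate tcpdump's raw stderr into a double-quoted YAML scalar, `- comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ SURICATA_BPF_CALC['stderr'] }}"`; a `"`, a backslash or a second line in that stderr (tcpdump commonly prints a warning line ahead of the syntax error) breaks the YAML of the whole rendered state file, so the bad-BPF report turns into a render failure that hides the message it was meant to surface. Rendering the value through Salt's encoder, `- comment: {{ SURICATA_BPF_CALC['stderr'] | yaml_encode }}` (dropping the hand-written quotes), keeps the state valid for any stderr content; the static prefix can be concatenated inside the expression. `suriPCAPbpfcompilationfailure` in this hunk and the pcap and zeek failure states elsewhere in the commit share the same line shape.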
@@ -7,19 +7,14 @@ {% set default_filestore_index = [] %} {% set surimeta_evelog_index = [] %} {% set surimeta_filestore_index = [] %} -{% set BPF_STATUS = 0 %} {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #} {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} -{% from 'bpf/suricata.map.jinja' import SURICATABPF %} -{% if SURICATABPF %} - {% set BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %} - {% if BPF_CALC['retcode'] == 0 %} - {% set BPF_STATUS = 1 %} - {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': SURICATABPF|join(" ")}) %} - {% endif %} -{% endif %} +{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %} +{% if PCAPBPF and PCAP_BPF_STATUS %} +{% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %} +{% endif %} {% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %} {# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #} diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls index b3ea97507..42ea74fc9 100644 --- a/salt/zeek/config.sls +++ b/salt/zeek/config.sls @@ -8,8 +8,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from "zeek/config.map.jinja" import ZEEKMERGED %} -{% from 'bpf/zeek.map.jinja' import ZEEKBPF %} -{% set BPF_STATUS = 0 %} +{% from 'bpf/zeek.map.jinja' import ZEEKBPF, ZEEK_BPF_STATUS, ZEEK_BPF_CALC %} # Add Zeek group zeekgroup: 
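Review bot: With `pcap_engine` set to `TRANSITION`, this hunk copies `PCAPBPF` onto Suricata's `pcap-log` as `bpf-filter`, but `bpf/pcap.map.jinja` earlier in this commit sets `PCAPBPF` to `ip and host 255.255.255.1 and port 1` in exactly that mode, a filter whose evident purpose is to make the retiring capture engine record nothing. Unless TRANSITION is meant to leave Suricata's pcap-log empty as well, full-packet capture stops on both engines for the duration of the transition. Restricting the copy to `{% if GLOBALS.pcap_engine == "SURICATA" and PCAPBPF and PCAP_BPF_STATUS %}`, or having the pcap map export the operator's unmodified `bpf.pcap` list under a separate name for Suricata to use, keeps the null filter on Stenographer only. The enclosing `{% if GLOBALS.pcap_engine in [...] %}` block continues past this hunk.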
@@ -158,18 +157,13 @@ zeekja4cfg: - user: 937 - group: 939 -# BPF compilation and configuration -{% if ZEEKBPF %} - {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %} - {% if BPF_CALC['stderr'] == "" %} - {% set BPF_STATUS = 1 %} - {% else %} +# BPF compilation failed +{% if ZEEKBPF and not ZEEK_BPF_STATUS %} zeekbpfcompilationfailure: test.configurable_test_state: - changes: False - result: False - - comment: "BPF Syntax Error - Discarding Specified BPF" - {% endif %} + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ ZEEK_BPF_CALC['stderr'] }}" {% endif %} zeekbpf: @@ -177,7 +171,7 @@ zeekbpf: - name: /opt/so/conf/zeek/bpf - user: 940 - group: 940 -{% if BPF_STATUS %} +{% if ZEEK_BPF_STATUS %} - contents: {{ ZEEKBPF }} {% else %} - contents: From a2ff66b5d0c2e60092c432169726fb7b45246d88 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 10 Nov 2025 14:12:20 -0500 Subject: [PATCH 7/9] update annotation --- salt/bpf/soc_bpf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index 629ef9d5d..416c5fc60 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml @@ -1,6 +1,6 @@ bpf: pcap: - description: List of BPF filters to apply to the packet capture application. + description: List of BPF filters to apply to the PCAP engine. multiline: True forcedType: "[]string" helpLink: bpf.html From 1876c4d9df25a04d4dd95c29d1f4905f8995358f Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 10 Nov 2025 14:16:16 -0500 Subject: [PATCH 8/9] fix var name --- salt/bpf/pcap.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja index 1b561b8d0..953b01a08 100644 --- a/salt/bpf/pcap.map.jinja +++ b/salt/bpf/pcap.map.jinja 
@@ -16,6 +16,6 @@ {% set PCAP_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ PCAPBPF|join(" "), cwd='/root') %} {% if PCAP_BPF_CALC['retcode'] == 0 %} {% set PCAP_BPF_STATUS = 1 %} - {% set STENO_BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %} + {% set STENO_BPF_COMPILED = ",\\\"--filter=" + PCAP_BPF_CALC['stdout'] + "\\\"" %} {% endif %} {% endif %} From 245ceb2d4950d661e1fb522f90ac902beff0b086 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 10 Nov 2025 16:40:11 -0500 Subject: [PATCH 9/9] suricata defaults and annotation --- salt/suricata/defaults.yaml | 44 ++++++++++++++++++++++----------- salt/suricata/soc_suricata.yaml | 11 ++++++++- 2 files changed, 40 insertions(+), 15 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index e1b68e9d1..9c9a7a8ed 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -97,6 +97,11 @@ suricata: - 4789 TEREDO_PORTS: - 3544 + SIP_PORTS: + - 5060 + - 5061 + GENEVE_PORTS: + - 6081 default-log-dir: /var/log/suricata/ stats: enabled: "yes" @@ -195,6 +200,9 @@ suricata: enabled: "yes" detection-ports: dp: 443 + ja3-fingerprints: auto + ja4-fingerprints: auto + encryption-handling: track-only dcerpc: enabled: "yes" ftp: 
@@ -244,19 +252,21 @@ suricata: libhtp: default-config: personality: IDS - request-body-limit: 100kb - response-body-limit: 100kb - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 100 KiB + response-body-limit: 100 KiB + request-body-minimal-inspect-size: 32 KiB + request-body-inspect-window: 4 KiB + response-body-minimal-inspect-size: 40 KiB + response-body-inspect-window: 16 KiB response-body-decompress-layer-limit: 2 http-body-inline: auto swf-decompression: - enabled: "yes" + enabled: "no" type: both - compress-depth: 0 - decompress-depth: 0 + compress-depth: 100 KiB + decompress-depth: 100 KiB + randomize-inspection-sizes: "yes" + randomize-inspection-range: 10 double-decode-path: "no" double-decode-query: "no" server-config: @@ -390,8 +400,12 @@ suricata: vxlan: enabled: true ports: $VXLAN_PORTS - erspan: + geneve: enabled: true + ports: $GENEVE_PORTS + max-layers: 16 + recursion-level: + use-for-tracking: true detect: profile: medium custom-values: @@ -411,7 +425,12 @@ suricata: spm-algo: auto luajit: states: 128 - + security: + lua: + allow-rules: false + max-bytes: 500000 + max-instructions: 500000 + allow-restricted-functions: false profiling: rules: enabled: "yes" @@ -452,6 +471,3 @@ suricata: classification-file: /etc/suricata/classification.config reference-config-file: /etc/suricata/reference.config threshold-file: /etc/suricata/threshold.conf - - -# ENABLE for diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 8b5ce7b11..03f30be75 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -190,6 +190,8 @@ suricata: FTP_PORTS: *suriportgroup VXLAN_PORTS: *suriportgroup TEREDO_PORTS: *suriportgroup + SIP_PORTS: *suriportgroup + GENEVE_PORTS: *suriportgroup outputs: eve-log: types: 
@@ -209,7 +211,7 @@ suricata: helpLink: suricata.html pcap-log: enabled: - description: This value is ignored by SO. pcapengine in globals takes precidence. + description: This value is ignored by SO. pcapengine in globals takes precedence. readonly: True helpLink: suricata.html advanced: True @@ -297,3 +299,10 @@ suricata: ports: description: Ports to listen for. This should be a variable. helpLink: suricata.html + geneve: + enabled: + description: Enable VXLAN capabilities. + helpLink: suricata.html + ports: + description: Ports to listen for. This should be a variable. + helpLink: suricata.html
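Review bot: The new `geneve.enabled` annotation reads `description: Enable VXLAN capabilities.`, copied from the vxlan entry above it, so the SOC configuration UI will label the Geneve decoder toggle as VXLAN; it should be `description: Enable Geneve decoding.`. The accompanying `ports` text, `Ports to listen for. This should be a variable.`, would be more useful if it named the variable that defaults.yaml now sets, e.g. `Ports to decode as Geneve. This should reference a variable such as $GENEVE_PORTS.`.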