CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix suricata thresholding

Browse Source
This commit is contained in:
m0duspwnens
2023-05-23 11:16:32 -04:00
parent eb633be437
commit cc47f9a595
3 changed files with 7 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
salt/suricata/files/threshold.conf.jinja
View File

@@ -1,9 +1,8 @@
{% set THRESHOLDING = salt['pillar.get']('thresholding', {}) -%} {% import_yaml 'suricata/thresholding/sids.yaml' as THRESHOLDING %}
{% if THRESHOLDING -%} {% if THRESHOLDING -%}
{% for EACH_SID in THRESHOLDING.sids -%} {% for EACH_SID in THRESHOLDING -%}
{% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%} {% for ACTIONS_LIST in THRESHOLDING[EACH_SID] -%}
{% for EACH_ACTION in ACTIONS_LIST -%} {% for EACH_ACTION in ACTIONS_LIST -%}
{%- if EACH_ACTION == 'threshold' %} {%- if EACH_ACTION == 'threshold' %}
@@ -31,6 +30,6 @@
{%- endfor %} {%- endfor %}
{%- else %} {%- else %}
##### The thresholding pillar has not been defined ##### Navigate to suricata > thresholding > SIDS in SOC to define thresholding
{%- endif %} {%- endif %}

4
salt/suricata/soc_suricata.yaml
View File

@@ -5,8 +5,10 @@ suricata:
thresholding: thresholding:
sids__yaml: sids__yaml:
description: Threshold SIDS List description: Threshold SIDS List
file: True
syntax: yaml syntax: yaml
file: True
global: True
multiline: True
title: SIDS title: SIDS
helpLink: suricata.html helpLink: suricata.html
config: config:

44
salt/suricata/thresholding/sids.yaml
View File

@@ -1,44 +0,0 @@
thresholding:
sids:
99999999999999999:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
99999999999999998:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24