From 903ad530fe9f6f4c72f7bae29d1e5a8a2a80b76b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 20 Mar 2023 15:28:33 -0400
Subject: [PATCH 1/3] move zeek bpf from zeek pillar to bpf pillar

---
 pillar/top.sls | 2 ++
 salt/bpf/defaults.yaml | 7 ++++---
 salt/bpf/soc_bpf.yaml | 3 +++
 salt/bpf/zeek.map.jinja | 4 ++++
 salt/vars/standalone.map.jinja | 4 +++-
 salt/zeek/defaults.yaml | 1 -
 salt/zeek/init.sls | 8 +++++---
 7 files changed, 21 insertions(+), 8 deletions(-)
 create mode 100644 salt/bpf/zeek.map.jinja

diff --git a/pillar/top.sls b/pillar/top.sls
index 0c4c11957..c16b556d1 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -19,6 +19,8 @@ base:
 '*_eval or *_heavynode or *_sensor or *_standalone or *_import':
 - match: compound
 - zeek
+ - bpf.soc_bpf
+ - bpf.adv_bpf
 '*_managersearch or *_heavynode':
 - match: compound
diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml
index 329537494..e9bc76dfb 100644
--- a/salt/bpf/defaults.yaml
+++ b/salt/bpf/defaults.yaml
@@ -1,4 +1,5 @@
 bpf:
- pcap: []
- suricata: []
- zeek: []
\ No newline at end of file
+ pcap: []
+ suricata: []
+ zeek:
+ - ip or not ip
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
index 86e4c0ee8..0474b2e62 100644
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -1,10 +1,13 @@
 bpf:
 pcap:
 description: List of BPF filters to apply to PCAP.
+ multiline: True
 helpLink: bpf.html
 suricata:
 description: List of BPF filters to apply to Suricata.
+ multiline: True
 helpLink: bpf.html
 zeek:
 description: List of BPF filters to apply to Zeek.
+ multiline: True
 helpLink: bpf.html
diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja
new file mode 100644
index 000000000..1bfb6799e
--- /dev/null
+++ b/salt/bpf/zeek.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set ZEEKBPF = BPFMERGED.zeek %}
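Review bot: The compound match in pillar/top.sls now lists `bpf.adv_bpf`, but nothing in this series creates a pillar SLS for it (the diffstat only touches files under salt/bpf/), so if `pillar/bpf/adv_bpf.sls` does not already exist on the master, pillar rendering for every eval, heavynode, sensor, standalone and import minion will fail on a missing SLS. The same applies to `bpf.soc_bpf`, which must not be confused with the `salt/bpf/soc_bpf.yaml` annotation file changed further down. Confirm both pillar files exist, or land them in the same change so the top file is never left pointing at a missing include.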
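Review bot: In salt/bpf/defaults.yaml the zeek default becomes `ip or not ip` while pcap and suricata stay `[]`, and since salt/zeek/init.sls guards compilation with `{% if ZEEKBPF %}`, the so-bpf-compile step now runs for Zeek on every render even when no operator filter is configured; the `{% else %}` fallback that writes `"ip or not ip"` is then only reached when compilation fails. If a match-all default is intended, a comment here would save the next reader the round trip, e.g. `# match-all default; zeek/init.sls writes the same filter when compilation fails`; otherwise keeping `zeek: []` and relying on that fallback avoids the extra compile and keeps the three defaults consistent.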
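Review bot: salt/bpf/zeek.map.jinja re-imports bpf/defaults.yaml and repeats the `pillar.get('bpf', ..., merge=True)` call, and the later patches add pcap.map.jinja and suricata.map.jinja with the same two lines differing only in the final key; one `bpf/map.jinja` exporting `BPFMERGED` (or all three per-tool names) would keep the merge logic in a single place. Each consumer also does `BPFMERGED.<tool>|join(" ")` on the value, so if the pillar ever carries a scalar string or `null` for a tool (for example after the field is edited in the UI) the join would iterate characters or fail to render; this is a guess about what the pillar can contain, but a normalisation such as `{% set ZEEKBPF = BPFMERGED.zeek if BPFMERGED.zeek is iterable and BPFMERGED.zeek is not string else [BPFMERGED.zeek] %}` in the map file would make every caller safe.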
diff --git a/salt/vars/standalone.map.jinja b/salt/vars/standalone.map.jinja
index 2efabefed..0e49a327d 100644
--- a/salt/vars/standalone.map.jinja
+++ b/salt/vars/standalone.map.jinja
@@ -1,12 +1,14 @@
 {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
 {% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}
 {% set ROLE_GLOBALS = {} %}
 {% set STANDALONE_GLOBALS = [
 ELASTICSEARCH_GLOBALS,
- LOGSTASH_GLOBALS
+ LOGSTASH_GLOBALS,
+ SENSOR_GLOBALS
 ] %}
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index 18e8a4d8a..a21bf3389 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -102,4 +102,3 @@ zeek:
 - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
 - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
 - application/vnd.openxmlformats-officedocument: doc
- bpf: []
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 5cc6310b9..41103f399 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -10,6 +10,8 @@
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
+{% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
+
 {% set BPF_STATUS = 0 %}
 # Zeek Salt State
@@ -162,8 +164,8 @@ zeekpacketlosscron:
 - dayweek: '*'
 # BPF compilation and configuration
-{% if ZEEKMERGED.zeek.bpf %}
- {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
+{% if ZEEKBPF %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}
 {% if BPF_CALC['stderr'] == "" %}
 {% set BPF_STATUS = 1 %}
 {% else %}
@@ -181,7 +183,7 @@ zeekbpf:
 - user: 940
 - group: 940
 {% if BPF_STATUS %}
- - contents: {{ ZEEKMERGED.bpf }}
+ - contents: {{ ZEEKBPF }}
 {% else %}
 - contents:
 - "ip or not ip"
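Review bot: Only salt/vars/standalone.map.jinja gains `SENSOR_GLOBALS`, yet the pillar top now targets eval, heavynode, sensor and import minions as well, and the pcap and suricata states in the following patches replace `salt['pillar.get']('sensor:interface', 'bond0')` and `salt['pillar.get']('sensor:interface')` with `GLOBALS.sensor.interface`. If any of those roles' map files do not already fold `SENSOR_GLOBALS` into `GLOBALS` (I cannot see them from this diff), the new attribute access will be undefined there, and the pcap state additionally loses its `'bond0'` fallback. Either confirm each role's map already includes the sensor globals, or add the same import/list entry to those maps in this change.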
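Review bot: In the `@@ -162,8 +164,8 @@` hunk of salt/zeek/init.sls the rewritten `cmd.script` line still concatenates the operator-supplied filter text into the argument string with no quoting (`GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" ")`), and the same pattern is repeated in the salt/pcap/init.sls and salt/suricata/init.sls compile hunks; now that soc_bpf.yaml exposes these lists as free-form multiline fields, a value containing shell metacharacters will at best break the compile and at worst be interpreted if `cmd.script` hands the string to a shell. Quoting the filter portion, e.g. `GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" ")|quote`, keeps it a single literal argument in all three states. Separately, success is judged by `BPF_CALC['stderr'] == ""` on the context line below; since `cmd.script` also returns `retcode`, `BPF_CALC['retcode'] == 0` would be a more reliable signal if so-bpf-compile sets a non-zero exit status on failure. The enclosing Jinja block continues past the end of this hunk.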
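Review bot: In the `@@ -181,7 +183,7 @@` hunk `- contents: {{ ZEEKBPF }}` renders the Jinja list as its Python representation (`['ip or not ip']`), which only parses as a YAML flow sequence by coincidence; a filter containing a quote, comma or colon would produce a line the YAML renderer rejects or mis-splits. Serialising it explicitly, `- contents: {{ ZEEKBPF|yaml }}`, makes the rendered state independent of Python's repr; the same applies to `- contents: {{ SURICATABPF }}` in the salt/suricata/init.sls hunk of patch 3/3.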
From 252afa84996671269932622f86e03cefe79fd356 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 20 Mar 2023 17:10:34 -0400
Subject: [PATCH 2/3] bpf for pcap

---
 salt/bpf/pcap.map.jinja | 4 ++++
 salt/bpf/soc_bpf.yaml | 3 +++
 salt/pcap/init.sls | 8 ++++----
 3 files changed, 11 insertions(+), 4 deletions(-)
 create mode 100644 salt/bpf/pcap.map.jinja

diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja
new file mode 100644
index 000000000..a160f2f7a
--- /dev/null
+++ b/salt/bpf/pcap.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set PCAPBPF = BPFMERGED.pcap %}
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
index 0474b2e62..379eaa022 100644
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -2,12 +2,15 @@ bpf:
 pcap:
 description: List of BPF filters to apply to PCAP.
 multiline: True
+ forcedType: "[]string"
 helpLink: bpf.html
 suricata:
 description: List of BPF filters to apply to Suricata.
 multiline: True
+ forcedType: "[]string"
 helpLink: bpf.html
 zeek:
 description: List of BPF filters to apply to Zeek.
 multiline: True
+ forcedType: "[]string"
 helpLink: bpf.html
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 401b5d616..73b384a53 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -9,8 +9,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "pcap/map.jinja" import STENOOPTIONS with context %}
 {% from "pcap/config.map.jinja" import PCAPMERGED with context %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
+
 {% set BPF_COMPILED = "" %}
 # PCAP Section
@@ -33,8 +33,8 @@ stenoconfdir:
 - group: 939
 - makedirs: True
-{% if BPF_STENO %}
- {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
+{% if PCAPBPF %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
 {% if BPF_CALC['stderr'] == "" %}
 {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %}
 {% else %}
From 0fff3a5a11c52a479d1658ef6638d3d2135fb1f7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 20 Mar 2023 17:31:56 -0400
Subject: [PATCH 3/3] suricata bpf

---
 salt/bpf/suricata.map.jinja | 4 ++++
 salt/suricata/init.sls | 12 +++++-------
 2 files changed, 9 insertions(+), 7 deletions(-)
 create mode 100644 salt/bpf/suricata.map.jinja

diff --git a/salt/bpf/suricata.map.jinja b/salt/bpf/suricata.map.jinja
new file mode 100644
index 000000000..bec763783
--- /dev/null
+++ b/salt/bpf/suricata.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set SURICATABPF = BPFMERGED.suricata %}
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 6ef8c690e..07350d8e1 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -9,11 +9,9 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "suricata/map.jinja" import SURICATAOPTIONS with context %}
-{% set interface = salt['pillar.get']('sensor:interface') %}
-{% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %}
+{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
 {% set BPF_STATUS = 0 %}
-{# import_yaml 'suricata/files/defaults2.yaml' as suricata #}
 {% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %}
 {% from "suricata/map.jinja" import START with context %}
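Review bot: In the salt/pcap/init.sls `@@ -33,8 +33,8 @@` hunk the success path on the context line below the rewritten compile call splices `BPF_CALC['stdout']` straight into an escaped, quoted `--filter=` argument (`",\\\"--filter=" + BPF_CALC['stdout'] + "\\\""`); any quote character or embedded newline in the compiler's output would break the stenographer configuration this string ends up in, and a trailing newline, if so-bpf-compile emits one, would land inside the quoted value. The commit rewrites only the guard and the compile line, so that context is unchanged, but since the compile invocation was touched it is worth at least applying `|trim` to the stdout and, if the surrounding config is JSON, serialising the value with `|json` rather than hand-escaping quotes. The enclosing `{% if %}` block continues beyond the hunk.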
@@ -109,8 +107,8 @@ surithresholding:
 - template: jinja
 # BPF compilation and configuration
-{% if BPF_NIDS %}
- {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %}
+{% if SURICATABPF %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
 {% if BPF_CALC['stderr'] == "" %}
 {% set BPF_STATUS = 1 %}
 {% else %}
@@ -128,7 +126,7 @@ suribpf:
 - user: 940
 - group: 940
 {% if BPF_STATUS %}
- - contents_pillar: nids:bpf
+ - contents: {{ SURICATABPF }}
 {% else %}
 - contents:
 - ""
@@ -141,7 +139,7 @@ so-suricata:
 - start: {{ SURICATAOPTIONS.start }}
 - privileged: True
 - environment:
- - INTERFACE={{ interface }}
+ - INTERFACE={{ GLOBALS.sensor.interface }}
 - binds:
 - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
 - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro