From 79785fc0531fcfa739997d041152c769038432c2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 19 Sep 2022 15:26:32 -0400 Subject: [PATCH 1/5] zeek jinja --- salt/zeek/config.map.jinja | 7 ++++++ salt/zeek/files/node.cfg | 45 ---------------------------------- salt/zeek/files/node.cfg.jinja | 34 +++++++++++++++++++++++++ salt/zeek/init.sls | 9 ++++--- 4 files changed, 46 insertions(+), 49 deletions(-) delete mode 100644 salt/zeek/files/node.cfg create mode 100644 salt/zeek/files/node.cfg.jinja diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja index a0f92463e..e321b3e3f 100644 --- a/salt/zeek/config.map.jinja +++ b/salt/zeek/config.map.jinja @@ -1,3 +1,10 @@ +{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %} +{% set zeek_pillar = pillar.zeek %} +{% do ZEEKMERGED.zeek.config.node.update({'interface': pillar.sensor.interface})%} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #} +{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %} + + + {% set ZEEKOPTIONS = {} %} {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %} diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg deleted file mode 100644 index 55f77982c..000000000 --- a/salt/zeek/files/node.cfg +++ /dev/null 
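Review bot: `ZEEKMERGED.zeek.config.node.update(...)` on the third added line of the config.map.jinja hunk runs before `ZEEKMERGED` is assigned on the line after it, so the map cannot render as committed; the `set ZEEKMERGED` line has to come first. `{% set zeek_pillar = pillar.zeek %}` on the second added line also raises when the minion has no `zeek` pillar key, unlike the `salt['pillar.get']('zeek:enabled', True)` lookup kept below it, so `salt['pillar.get']('zeek', {})` would be the consistent form. Patches 2 and 3 of this series rework both lines; squashing those fixes into this commit would keep the series renderable at every step.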
@@ -1,45 +0,0 @@
-{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
- {%- if salt['pillar.get']('sensor:zeek_proxies') %}
- {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
- {%- else %}
- {%- if salt['pillar.get']('sensor:zeek_pins') %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
- {%- else %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
- {%- endif %}
- {%- endif %}
-[manager]
-type=manager
-host=localhost
-
-[logger]
-type=logger
-host=localhost
-
-[proxy]
-type=proxy
-host=localhost
-
-[worker-1]
-type=worker
-host=localhost
-interface=af_packet::{{ interface }}
-lb_method=custom
- {%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
- {%- else %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
- {%- endif %}
- {%- if salt['pillar.get']('sensor:zeek_pins') %}
-pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
- {%- endif %}
-af_packet_fanout_id=23
-af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
-{%- else %}
-[zeeksa]
-type=standalone
-host=localhost
-interface={{ interface }}
-{%- endif %}
diff --git a/salt/zeek/files/node.cfg.jinja b/salt/zeek/files/node.cfg.jinja
new file mode 100644
index 000000000..201a2ab6e
--- /dev/null
+++ b/salt/zeek/files/node.cfg.jinja
@@ -0,0 +1,34 @@ +[manager] +type=manager +host=localhost + +[logger] +type=logger +host=localhost + +[proxy] +type=proxy +host=localhost + +[worker-1] +type=worker +host=localhost +interface=af_packet::{{ ZEEKNODE.interface }} +lb_method=custom + {%- if ZEEKNODE.lbprocs %} +lb_procs={{ ZEEKNODE.lbprocs }} + {%- else %} +lb_procs={{ ZEEKNODE.zeek_pins | length }} + {%- endif %} + {%- if ZEEKNODE.zeek_pins %} +pin_cpus={{ ZEEKNODE.zeek_pins | join(", ") }} + {%- endif %} +af_packet_fanout_id=23 +af_packet_fanout_mode=AF_Packet::FANOUT_HASH +af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }} +{%- else %} +[zeeksa] +type=standalone +host=localhost +interface={{ ZEEKNODE.interface }} +{%- endif %} diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index b6f3231ae..e5bc34716 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -7,6 +7,7 @@ {% if sls in allowed_states %} {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} +{% from "zeek/config.map.jinja" import ZEEKMERGED with context %} {% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} @@ -15,8 +16,6 @@ {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface') %} -{% set ZEEK = salt['pillar.get']('zeek', {}) %} - # Zeek Salt State # Add Zeek group @@ -107,16 +106,18 @@ zeekctlcfg: - group: 939 - template: jinja - defaults: - ZEEKCTL: {{ ZEEK.zeekctl | tojson }} + ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }} # Sync node.cfg nodecfg: file.managed: - name: /opt/so/conf/zeek/node.cfg - - source: salt://zeek/files/node.cfg + - source: salt://zeek/files/node.cfg,jinja - user: 937 - group: 939 - template: jinja + - defaults: + ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }} networkscfg: file.managed: From d1ee3a7d040cfa50b50d71da3b1d2ebb20d4fdd8 Mon Sep 17 00:00:00 2001 
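Review bot: The new node.cfg.jinja ends with `{%- else %}` / `{%- endif %}` but never opens the `{%- if %}` that the deleted node.cfg had on its second line, so Jinja rejects the template as written; patch 4 adds `{%- if NODE.pins or NODE.lb_procs %}` and that guard belongs in this commit. The worker section reads `ZEEKNODE.lbprocs`, `ZEEKNODE.zeek_pins` and `ZEEKNODE.zeek_buffer`, while the `node:` block of defaults.yaml (visible as the pre-image of patch 4) spells the first `lb_procs` and has no buffer key at all; Salt's renderer treats undefined attributes as errors by default, so a missing key fails the state rather than falling back. The old template's `128*1024*1024` default for `af_packet_buffer_size` is dropped here with nothing replacing it until patch 4.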
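Review bot: `- source: salt://zeek/files/node.cfg,jinja` in the `nodecfg` state has a comma where the `.jinja` extension needs a dot, so the source cannot be found (patch 3 corrects it). The new `ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }}` default also differs from the `ZEEKCTL: {{ ... | tojson }}` line a few lines above: without `| tojson` the dict is emitted as a Python repr, which happens to parse as flow YAML for simple values but not for `None` or strings containing quotes; use `ZEEKNODE: {{ ZEEKMERGED.zeek.config.node | tojson }}`. The same applies to the `NODE`, `NETWORKS`, `FILE_EXTRACTION` and `contents: {{ ZEEKMERGED.bpf }}` values this file gains in patch 2.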
From: m0duspwnens Date: Tue, 20 Sep 2022 11:11:29 -0400 Subject: [PATCH 2/5] zeek 2.4 --- pillar/zeek/init.sls | 55 -------- salt/vars/sensor.map.jinja | 5 +- salt/zeek/config.map.jinja | 7 +- salt/zeek/defaults.yaml | 133 +++++++++--------- salt/zeek/files/networks.cfg.jinja | 12 +- salt/zeek/files/node.cfg.jinja | 16 +-- salt/zeek/init.sls | 22 +-- .../file-extraction/extract.zeek | 4 +- 8 files changed, 99 insertions(+), 155 deletions(-) delete mode 100644 pillar/zeek/init.sls diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls deleted file mode 100644 index 5eeb273b9..000000000 --- a/pillar/zeek/init.sls +++ /dev/null 
@@ -1,55 +0,0 @@ -zeek: - zeekctl: - MailTo: root@localhost - MailConnectionSummary: 1 - MinDiskSpace: 5 - MailHostUpDown: 1 - LogRotationInterval: 3600 - LogExpireInterval: 0 - StatsLogEnable: 1 - StatsLogExpireInterval: 0 - StatusCmdShowAll: 0 - CrashExpireInterval: 0 - SitePolicyScripts: local.zeek - LogDir: /nsm/zeek/logs - SpoolDir: /nsm/zeek/spool - CfgDir: /opt/zeek/etc - CompressLogs: 1 - local: - '@load': - - misc/loaded-scripts - - tuning/defaults - - misc/capture-loss - - misc/stats - - frameworks/software/vulnerable - - frameworks/software/version-changes - - protocols/ftp/software - - protocols/smtp/software - - protocols/ssh/software - - protocols/http/software - - protocols/dns/detect-external-names - - protocols/ftp/detect - - protocols/conn/known-hosts - - protocols/conn/known-services - - protocols/ssl/known-certs - - protocols/ssl/validate-certs - - protocols/ssl/log-hostcerts-only - - protocols/ssh/geo-data - - protocols/ssh/detect-bruteforcing - - protocols/ssh/interesting-hostnames - - protocols/http/detect-sqli - - frameworks/files/hash-all-files - - frameworks/files/detect-MHR - - policy/frameworks/notice/extend-email/hostnames - - ja3 - - hassh - - intel - - cve-2020-0601 - - securityonion/bpfconf - - securityonion/communityid - - securityonion/file-extraction - '@load-sigs': - - frameworks/signatures/detect-windows-shells - redef: - - LogAscii::use_json = T; - - CaptureLoss::watch_interval = 5 mins; diff --git a/salt/vars/sensor.map.jinja b/salt/vars/sensor.map.jinja index 477761d7c..33f26de84 100644 --- a/salt/vars/sensor.map.jinja +++ b/salt/vars/sensor.map.jinja @@ -1,6 +1,9 @@ {% set ROLE_GLOBALS = {} %} -{% set SENSOR_GLOBALS = [] +{% set SENSOR_GLOBALS = { + 'sensor': { + 'interface': INIT.PILLAR.sensor.interface + } %} {% for sg in SENSOR_GLOBALS %} diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja index e321b3e3f..74e4942c2 100644 --- a/salt/zeek/config.map.jinja +++ b/salt/zeek/config.map.jinja 
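Review bot: The `SENSOR_GLOBALS` literal added in the sensor.map.jinja hunk opens two braces and closes only one before `%}`, and `INIT.PILLAR.sensor.interface` references an `INIT` name that nothing in this series defines, so the map fails to compile; the surviving `{% for sg in SENSOR_GLOBALS %}` loop then iterates the dict's keys and would hand the string `'sensor'` to `defaults.merge`. Patch 3 rewrites all three lines, and folding it into this commit keeps the series working at every step.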
@@ -1,10 +1,9 @@ +{% from 'vars/sensor.map.jinja' import GLOBALS %} {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %} -{% set zeek_pillar = pillar.zeek %} -{% do ZEEKMERGED.zeek.config.node.update({'interface': pillar.sensor.interface})%} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #} +{% set zeek_pillar = salt['pillar.get']('zeek', []) %} +{% do ZEEKMERGED.zeek.config.node.update({'interface': GLOBALS.sensor.interface}) %} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #} {% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %} - - {% set ZEEKOPTIONS = {} %} {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 8d2a96444..b3cd183cd 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml 
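Review bot: `{% set zeek_pillar = salt['pillar.get']('zeek', []) %}` defaults to a list, but `salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False)` on the line below merges mappings and, as far as I recall of Salt's dictupdate, rejects a non-dict source with a TypeError, so a minion with no `zeek` pillar cannot render this map; use `salt['pillar.get']('zeek', {})`. The first line imports `GLOBALS` from `vars/sensor.map.jinja`, which per the hunk in this same patch defines `ROLE_GLOBALS` and `SENSOR_GLOBALS` and no `GLOBALS` (patch 3 switches to `ROLE_GLOBALS`). The `update(...)` call still precedes the `set` that defines `ZEEKMERGED`, as in patch 1.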
@@ -20,68 +20,71 @@ zeek: SpoolDir: /nsm/zeek/spool CfgDir: /opt/zeek/etc CompressLogs: 1 - policy: - file_extraction: - - application/x-dosexec: exe - - application/pdf: pdf - - application/msword: doc - - application/vnd.ms-powerpoint: doc - - application/rtf: doc - - application/vnd.ms-word.document.macroenabled.12: doc - - application/vnd.ms-word.template.macroenabled.12: doc - - application/vnd.ms-powerpoint.template.macroenabled.12: doc - - application/vnd.ms-excel: doc - - application/vnd.ms-excel.addin.macroenabled.12: doc - - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc - - application/vnd.ms-excel.template.macroenabled.12: doc - - application/vnd.ms-excel.sheet.macroenabled.12: doc - - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc - - application/vnd.openxmlformats-officedocument.presentationml.slide: doc - - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc - - application/vnd.openxmlformats-officedocument.presentationml.template: doc - - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc - - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc - - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc - - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc - - application/vnd.ms-powerpoint.addin.macroenabled.12: doc - - application/vnd.ms-powerpoint.slide.macroenabled.12: doc - - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - - application/vnd.openxmlformats-officedocument: doc - load: - - misc/loaded-scripts - - tuning/defaults - - misc/capture-loss - - misc/stats - - frameworks/software/vulnerable - - frameworks/software/version-changes - - protocols/ftp/software - - protocols/smtp/software - - protocols/ssh/software - - protocols/http/software - - protocols/dns/detect-external-names - - protocols/ftp/detect - 
- protocols/conn/known-hosts - - protocols/conn/known-services - - protocols/ssl/known-certs - - protocols/ssl/validate-certs - - protocols/ssl/log-hostcerts-only - - protocols/ssh/geo-data - - protocols/ssh/detect-bruteforcing - - protocols/ssh/interesting-hostnames - - protocols/http/detect-sqli - - frameworks/files/hash-all-files - - frameworks/files/detect-MHR - - policy/frameworks/notice/extend-email/hostnames - - ja3 - - hassh - - intel - - cve-2020-0601 - - securityonion/bpfconf - - securityonion/communityid - - securityonion/file-extraction - load-sigs: - - frameworks/signatures/detect-windows-shells - redef: - - LogAscii::use_json = T; - - CaptureLoss::watch_interval = 5 mins; \ No newline at end of file + local: + load: + - misc/loaded-scripts + - tuning/defaults + - misc/capture-loss + - misc/stats + - frameworks/software/vulnerable + - frameworks/software/version-changes + - protocols/ftp/software + - protocols/smtp/software + - protocols/ssh/software + - protocols/http/software + - protocols/dns/detect-external-names + - protocols/ftp/detect + - protocols/conn/known-hosts + - protocols/conn/known-services + - protocols/ssl/known-certs + - protocols/ssl/validate-certs + - protocols/ssl/log-hostcerts-only + - protocols/ssh/geo-data + - protocols/ssh/detect-bruteforcing + - protocols/ssh/interesting-hostnames + - protocols/http/detect-sqli + - frameworks/files/hash-all-files + - frameworks/files/detect-MHR + - policy/frameworks/notice/extend-email/hostnames + - ja3 + - hassh + - intel + - cve-2020-0601 + - securityonion/bpfconf + - securityonion/communityid + - securityonion/file-extraction + load-sigs: + - frameworks/signatures/detect-windows-shells + redef: + - LogAscii::use_json = T; + - CaptureLoss::watch_interval = 5 mins; + networks: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + file_extraction: + - application/x-dosexec: exe + - application/pdf: pdf + - application/msword: doc + - application/vnd.ms-powerpoint: doc + - application/rtf: 
doc + - application/vnd.ms-word.document.macroenabled.12: doc + - application/vnd.ms-word.template.macroenabled.12: doc + - application/vnd.ms-powerpoint.template.macroenabled.12: doc + - application/vnd.ms-excel: doc + - application/vnd.ms-excel.addin.macroenabled.12: doc + - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc + - application/vnd.ms-excel.template.macroenabled.12: doc + - application/vnd.ms-excel.sheet.macroenabled.12: doc + - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc + - application/vnd.openxmlformats-officedocument.presentationml.slide: doc + - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc + - application/vnd.openxmlformats-officedocument.presentationml.template: doc + - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc + - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc + - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc + - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc + - application/vnd.ms-powerpoint.addin.macroenabled.12: doc + - application/vnd.ms-powerpoint.slide.macroenabled.12: doc + - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc + - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc + - application/vnd.openxmlformats-officedocument: doc + bpf: [] diff --git a/salt/zeek/files/networks.cfg.jinja b/salt/zeek/files/networks.cfg.jinja index f1ee065de..5818380ce 100644 --- a/salt/zeek/files/networks.cfg.jinja +++ b/salt/zeek/files/networks.cfg.jinja 
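Review bot: `HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"` is a string that includes the brackets, and networks.cfg.jinja in this patch splits it on commas, so the rendered networks.cfg would contain `[192.168.0.0/16` and `172.16.0.0/12]`; patch 3 drops the brackets and that fix belongs here. The indentation of the new `networks:`, `file_extraction:` and `bpf:` keys is not recoverable in this view, but init.sls in this patch reads them as `ZEEKMERGED.file_extraction`, `ZEEKMERGED.zeek.networks`, `ZEEKMERGED.zeek.bpf` and `ZEEKMERGED.bpf` — four different paths for keys of one file, two of which patch 3 later changes — so pick one level here and reference it consistently.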
@@ -1,9 +1,5 @@
-{%- if salt['pillar.get']('sensor:hnsensor') %}
-{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
-{%- else %}
-{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
-{%- endif %}
-{%- set HNLIST = HOME_NET.split(',') %}
-{%- for HN in HNLIST %}
+{%- if NETWORKS.HOME_NET %}
+{%- for HN in NETWORKS.HOME_NET.split(',') %}
{{ HN }}
-{%- endfor %}
+{%- endfor %}
+{%- endif %}
diff --git a/salt/zeek/files/node.cfg.jinja b/salt/zeek/files/node.cfg.jinja
index 201a2ab6e..f852e2ef0 100644
--- a/salt/zeek/files/node.cfg.jinja
+++ b/salt/zeek/files/node.cfg.jinja
@@ -13,22 +13,22 @@ host=localhost
[worker-1]
type=worker
host=localhost
-interface=af_packet::{{ ZEEKNODE.interface }}
+interface=af_packet::{{ NODE.interface }}
lb_method=custom
- {%- if ZEEKNODE.lbprocs %}
-lb_procs={{ ZEEKNODE.lbprocs }}
+ {%- if NODE.lbprocs %}
+lb_procs={{ NODE.lbprocs }}
{%- else %}
-lb_procs={{ ZEEKNODE.zeek_pins | length }}
+lb_procs={{ NODE.zeek_pins | length }}
{%- endif %}
- {%- if ZEEKNODE.zeek_pins %}
-pin_cpus={{ ZEEKNODE.zeek_pins | join(", ") }}
+ {%- if NODE.zeek_pins %}
+pin_cpus={{ NODE.zeek_pins | join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }}
+af_packet_buffer_size={{ NODE.zeek_buffer }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
-interface={{ ZEEKNODE.interface }}
+interface={{ NODE.interface }}
{%- endif %}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index e5bc34716..c2b1af5d0 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
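Review bot: The rewritten networks.cfg.jinja takes HOME_NET only from `NETWORKS.HOME_NET`, whereas the removed lines read `sensor:hnsensor` with a fallback to `global:hnmanager`; unless something outside this series maps those pillar keys into `zeek:config:networks:HOME_NET`, a deployment with custom home networks silently falls back to the RFC 1918 default from defaults.yaml, which changes which addresses Zeek treats as local. If the migration is intended, a release note plus a fallback such as `{%- set HOME_NET = NETWORKS.HOME_NET or salt['pillar.get']('global:hnmanager') %}` would avoid the silent change. `.split(',')` also keeps surrounding whitespace, so a value written `10.0.0.0/8, 192.168.0.0/16` emits a line with a leading space; `{{ HN | trim }}` covers that.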
@@ -6,15 +6,11 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS with context %} {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} {% from "zeek/config.map.jinja" import ZEEKMERGED with context %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} {% set BPF_STATUS = 0 %} -{% set INTERFACE = salt['pillar.get']('sensor:interface') %} # Zeek Salt State @@ -76,6 +72,8 @@ zeekpolicysync: - user: 937 - group: 939 - template: jinja + - defaults: + FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }} # Ensure the zeek spool tree (and state.db) ownership is correct zeekspoolownership: @@ -117,7 +115,7 @@ nodecfg: - group: 939 - template: jinja - defaults: - ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }} + NODE: {{ ZEEKMERGED.zeek.config.node }} networkscfg: file.managed: @@ -126,6 +124,8 @@ networkscfg: - user: 937 - group: 939 - template: jinja + - defaults: + NETWORKS: {{ ZEEKMERGED.zeek.networks }} #zeekcleanscript: # file.managed: @@ -159,8 +159,8 @@ zeekpacketlosscron: - dayweek: '*' # BPF compilation and configuration -{% if BPF_ZEEK %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %} +{% if ZEEKMERGED.zeek.bpf %} + {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} {% set BPF_STATUS = 1 %} {% else %} @@ -178,7 +178,7 @@ zeekbpf: - user: 940 - group: 940 {% if BPF_STATUS %} - - contents_pillar: zeek:bpf + - contents: {{ ZEEKMERGED.bpf }} {% else %} - contents: - "ip or not ip" 
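Review bot: The `zeekbpf` hunk emits `- contents: {{ ZEEKMERGED.bpf }}`, but the BPF compilation hunk above it tests `ZEEKMERGED.zeek.bpf`, and defaults.yaml in this patch adds `bpf: []` under the `zeek:` tree; `ZEEKMERGED.bpf` is therefore undefined on the `BPF_STATUS` path, which Salt's default strict-undefined rendering turns into a failure exactly when a user has configured a filter. Use `- contents: {{ ZEEKMERGED.zeek.bpf | tojson }}` — with `tojson` because the old `contents_pillar` handed the list to the state intact, whereas `{{ list }}` writes a Python repr that parses as YAML only while no entry contains a quote. The `zeekpolicysync` hunk has the same path mismatch in `FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }}`, which patch 3 moves to `ZEEKMERGED.zeek.file_extraction`.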
@@ -193,12 +193,12 @@ localzeek: - group: 939 - template: jinja - defaults: - LOCAL: {{ ZEEK.local | tojson }} + LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }} so-zeek: docker_container.{{ ZEEKOPTIONS.status }}: {% if ZEEKOPTIONS.status == 'running' %} - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - start: {{ ZEEKOPTIONS.start }} - privileged: True - ulimits: diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek index 8cdaf42dd..d4ba0551e 100644 --- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek +++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek @@ -1,5 +1,3 @@ -{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%} -{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%} # Directory to stage Zeek extracted files before processing redef FileExtract::prefix = "/nsm/zeek/extracted/"; # Set a limit to the file size @@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000; # These are the mimetypes we want to rip off the networks export { global _mime_whitelist: table[string] of string = { - {%- for li in zeek.policy.file_extraction %} + {%- for li in FILE_EXTRACTION %} {%- if not loop.last %} {%- for k,v in li.items() %} ["{{ k }}"] = "{{ v }}", From 75aa121b2d29fa9298a5d43b131c4d1ffc48e508 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 20 Sep 2022 13:19:15 -0400 Subject: [PATCH 3/5] fix some things --- pillar/zeek/init.sls | 1 + salt/vars/sensor.map.jinja | 7 +++---- salt/zeek/config.map.jinja | 4 ++-- salt/zeek/defaults.yaml | 2 +- salt/zeek/init.sls | 6 +++--- 5 files changed, 10 insertions(+), 10 deletions(-) create mode 100644 pillar/zeek/init.sls diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls new file mode 100644 index 000000000..c06759744 
--- /dev/null +++ b/pillar/zeek/init.sls @@ -0,0 +1 @@ +zeek: diff --git a/salt/vars/sensor.map.jinja b/salt/vars/sensor.map.jinja index 33f26de84..425d72969 100644 --- a/salt/vars/sensor.map.jinja +++ b/salt/vars/sensor.map.jinja @@ -2,10 +2,9 @@ {% set SENSOR_GLOBALS = { 'sensor': { - 'interface': INIT.PILLAR.sensor.interface + 'interface': pillar.sensor.interface + } } %} -{% for sg in SENSOR_GLOBALS %} -{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %} -{% endfor %} +{% do salt['defaults.merge'](ROLE_GLOBALS, SENSOR_GLOBALS, merge_lists=False, in_place=True) %} diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja index 74e4942c2..ced2175e7 100644 --- a/salt/zeek/config.map.jinja +++ b/salt/zeek/config.map.jinja @@ -1,8 +1,8 @@ -{% from 'vars/sensor.map.jinja' import GLOBALS %} +{% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %} {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %} {% set zeek_pillar = salt['pillar.get']('zeek', []) %} -{% do ZEEKMERGED.zeek.config.node.update({'interface': GLOBALS.sensor.interface}) %} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #} {% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %} +{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %} {% set ZEEKOPTIONS = {} %} {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index b3cd183cd..eb7ce8453 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -59,7 +59,7 @@ zeek: - LogAscii::use_json = T; - CaptureLoss::watch_interval = 5 mins; networks: - HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + HOME_NET: 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 file_extraction: - application/x-dosexec: exe - application/pdf: pdf 
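Review bot: The new pillar file is the single line `zeek:`, which YAML loads as `zeek: null` rather than an empty mapping, so `salt['pillar.get']('zeek', [])` in config.map.jinja returns `None` (the key exists, so the default is not applied) and `defaults.merge` receives a non-mapping source; write `zeek: {}` here. This holds only if no other pillar file in the top file contributes `zeek:` keys for the minion, which this series does not show.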
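Review bot: Moving `ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface})` below the `defaults.merge` call fixes the undefined-name error from patch 1, but it now overwrites whatever `zeek:config:node:interface` the pillar supplied, which the removed comment (`update this first so user can specify a differet interface`) said was the point of the ordering. Apply the sensor interface to the defaults before merging instead: `{% do zeek_defaults.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}` placed above the `set ZEEKMERGED` line, so a pillar value still wins over the sensor default.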
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index c2b1af5d0..b292a20a3 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -73,7 +73,7 @@ zeekpolicysync: - group: 939 - template: jinja - defaults: - FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }} + FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }} # Ensure the zeek spool tree (and state.db) ownership is correct zeekspoolownership: @@ -110,7 +110,7 @@ zeekctlcfg: nodecfg: file.managed: - name: /opt/so/conf/zeek/node.cfg - - source: salt://zeek/files/node.cfg,jinja + - source: salt://zeek/files/node.cfg.jinja - user: 937 - group: 939 - template: jinja @@ -125,7 +125,7 @@ networkscfg: - group: 939 - template: jinja - defaults: - NETWORKS: {{ ZEEKMERGED.zeek.networks }} + NETWORKS: {{ ZEEKMERGED.zeek.config.networks }} #zeekcleanscript: # file.managed: From 1685e0e6db563a7374eee749dc486e5362cbf8e3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 20 Sep 2022 15:25:50 -0400 Subject: [PATCH 4/5] few more --- salt/zeek/defaults.yaml | 11 ++++++----- salt/zeek/files/node.cfg.jinja | 13 +++++++------ 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index eb7ce8453..681f29df0 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -1,9 +1,10 @@ zeek: config: node: - lb_procs: 1 - zeek_pins_enabled: False - zeek_pins: [] + lb_procs: 0 + pins_enabled: False + pins: [] + buffer: 128*1024*1024 zeekctl: MailTo: root@localhost MailConnectionSummary: 1 @@ -21,7 +22,7 @@ zeek: CfgDir: /opt/zeek/etc CompressLogs: 1 local: - load: + '@load': - misc/loaded-scripts - tuning/defaults - misc/capture-loss @@ -53,7 +54,7 @@ zeek: - securityonion/bpfconf - securityonion/communityid - securityonion/file-extraction - load-sigs: + '@load-sigs': - frameworks/signatures/detect-windows-shells redef: - LogAscii::use_json = T; diff --git a/salt/zeek/files/node.cfg.jinja b/salt/zeek/files/node.cfg.jinja index f852e2ef0..9ef06bd5a 100644 
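Review bot: `buffer: 128*1024*1024` in the defaults.yaml hunk is a YAML plain scalar, i.e. the string `128*1024*1024`, not a product; node.cfg.jinja in patch 4 writes it verbatim as `af_packet_buffer_size=128*1024*1024`, which zeekctl will not accept as an integer. The removed template evaluated `128*1024*1024` inside a Jinja expression, which is why it worked there; write the literal `buffer: 134217728` (or evaluate it in the template) and this series never corrects it.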
--- a/salt/zeek/files/node.cfg.jinja +++ b/salt/zeek/files/node.cfg.jinja @@ -1,3 +1,4 @@ +{%- if NODE.pins or NODE.lb_procs %} [manager] type=manager host=localhost @@ -15,17 +16,17 @@ type=worker host=localhost interface=af_packet::{{ NODE.interface }} lb_method=custom - {%- if NODE.lbprocs %} -lb_procs={{ NODE.lbprocs }} + {%- if NODE.lb_procs %} +lb_procs={{ NODE.lb_procs }} {%- else %} -lb_procs={{ NODE.zeek_pins | length }} +lb_procs={{ NODE.pins | length }} {%- endif %} - {%- if NODE.zeek_pins %} -pin_cpus={{ NODE.zeek_pins | join(", ") }} + {%- if NODE.pins %} +pin_cpus={{ NODE.pins | join(", ") }} {%- endif %} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH -af_packet_buffer_size={{ NODE.zeek_buffer }} +af_packet_buffer_size={{ NODE.buffer }} {%- else %} [zeeksa] type=standalone From e1ea3c20315ffd07b816480009aad29cc779efd6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 20 Sep 2022 16:22:54 -0400 Subject: [PATCH 5/5] soc for zeek --- salt/zeek/soc_zeek.yaml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index a48ec20dc..7da21aa41 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml 
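Review bot: `pins_enabled` is added to defaults.yaml and described in soc_zeek.yaml as enabling CPU pinning, but nothing in this template reads it: `{%- if NODE.pins %}` emits `pin_cpus=` whenever the list is non-empty, so turning `pins_enabled` off has no effect. Conversely the `lb_procs` description in soc_zeek.yaml says it is ignored when pins are used, yet `{%- if NODE.lb_procs %}` takes precedence here, and a user who sets both gets `lb_procs` and `pin_cpus` of different lengths. I would derive one `PINS` value from both settings at the top, use it in the cluster guard on the first hunk, and let pins decide `lb_procs` when pinning is on, as below.
```jinja
{%- set PINS = NODE.pins if NODE.pins_enabled else [] %}
{%- if PINS or NODE.lb_procs %}
{# … unchanged: manager/logger/proxy sections and worker header … #}
    {%- if PINS %}
lb_procs={{ PINS | length }}
pin_cpus={{ PINS | join(", ") }}
    {%- else %}
lb_procs={{ NODE.lb_procs }}
    {%- endif %}
{# … unchanged: af_packet settings and standalone branch … #}
```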
@@ -3,16 +3,23 @@ zeek: enabled: description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor. config: + local: + '@load': + description: List of Zeek policies to load + '@load-sigs': + description: List of Zeek signatures to load node: lb_procs: description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins. node: True - zeek_pins_enabled: - description: + pins_enabled: + description: Enabled CPU pinning node: True - zeek_pins: - description: List of CPUs you want to + advanced: True + pins: + description: List of CPUs you want to pin to node: True + advanced: True zeekctl: CompressLogs: description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU. @@ -24,10 +31,6 @@ zeek: file: True global: True advanced: True - file_extraction: - description: This is a list of mime types Zeek will extract from the network streams. - load: - description: List of Zeek policies to load - load-sigs: - description: List of Zeek signatures to load + file_extraction: + description: This is a list of mime types Zeek will extract from the network streams. \ No newline at end of file
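Review bot: `description: Enabled CPU pinning` on the new `pins_enabled` entry should read `Enable CPU pinning`, and it would help operators if it stated how the flag interacts with `pins` and `lb_procs`, since the `lb_procs` description a few lines below makes a precedence claim that the node.cfg.jinja template in patch 4 does not implement. The relocated `file_extraction` block also ends without a trailing newline.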