beginning to pillarize suricata

2025-12-06 17:22:49 +01:00 · 2020-06-04 09:40:38 -04:00
parent 45d17c5148
commit f8193cb914
4 changed files with 1878 additions and 0 deletions
--- a/salt/suricata/defaults3.yaml
+++ b/salt/suricata/defaults3.yaml
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -20,6 +20,9 @@
 {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
 {% set BPF_STATUS = 0  %}

+{# import_yaml 'suricata/files/defaults2.yaml' as suricata #}
+{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %}
+
 # Suricata

 # Add Suricata Group
@@ -80,6 +83,14 @@ suriconfigsync:
    - group: 940
    - template: jinja

+test_suri_config:
+  file.managed:
+    - name: /opt/so/conf/suricata/test.yaml
+    - source: salt://suricata/files/test.jinja
+    - context:
+        suricata: {{ suricata|json }}
+    - template: jinja
+
 surithresholding:
  file.managed:
    - name: /opt/so/conf/suricata/threshold.conf
--- a/salt/suricata/suricata_config.map.jinja
+++ b/salt/suricata/suricata_config.map.jinja
@@ -0,0 +1,36 @@
+{% import_yaml 'suricata/files/defaults3.yaml' as suricata_defaults with context %}
+{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %}
+{% set evelog_index = [] %}
+
+{% set hardware_header = 15 %}
+{% set default_packet_size = salt['grains.filter_by']({
+    '*_eval': {
+      'default-packet-size': 1500 + hardware_header,
+    },
+    '*_helix': {
+      'default-packet-size': 9000 + hardware_header,
+    },
+    '*': {
+      'default-packet-size': 1500 + hardware_header,
+    },
+},grain='id', merge=salt['pillar.get']('suricata')) %}
+
+{% set meta_data = salt['pillar.filter_by']({
+    'SURICATA': suricata_meta.suricata.lookup.outputs[0],
+    'default': suricata_defaults.suricata.lookup.outputs[1]
+},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %}
+
+{% do suricata_defaults.suricata.lookup.update(default_packet_size) %}
+{% for li in suricata_defaults.suricata.lookup.outputs %}
+  {% for k, v in li.items() %}
+    {% if k == 'eve-log' %}
+      {% do evelog_index.append(li) %}
+      {# do suricata_defaults.suricata.lookup.outputs[loop.index].update(meta_data) #}
+    {% endif %}
+  {% endfor %}
+{% endfor %}
+
+
+{# do suricata_defaults.suricata.lookup.outputs[0].update(meta_data) #}
+
+{% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %}
--- a/salt/suricata/suricata_meta.yaml
+++ b/salt/suricata/suricata_meta.yaml
@@ -0,0 +1,136 @@
+suricata:
+  lookup:
+    outputs:
+        - eve-log:
+          - anomaly:
+              # Anomaly log records describe unexpected conditions such
+              # as truncated packets, packets with invalid IP/UDP/TCP
+              # length values, and other events that render the packet
+              # invalid for further processing or describe unexpected
+              # behavior on an established stream. Networks which
+              # experience high occurrences of anomalies may experience
+              # packet processing degradation.
+              #
+              # Anomalies are reported for the following:
+              # 1. Decode: Values and conditions that are detected while
+              # decoding individual packets. This includes invalid or
+              # unexpected values for low-level protocol lengths as well
+              # as stream related events (TCP 3-way handshake issues,
+              # unexpected sequence number, etc).
+              # 2. Stream: This includes stream related events (TCP
+              # 3-way handshake issues, unexpected sequence number,
+              # etc).
+              # 3. Application layer: These denote application layer
+              # specific conditions that are unexpected, invalid or are
+              # unexpected given the application monitoring state.
+              #
+              # By default, anomaly logging is disabled. When anomaly
+              # logging is enabled, applayer anomaly reporting is
+              # enabled.
+              enabled: "no"
+              #
+              # Choose one or more types of anomaly logging and whether to enable
+              # logging of the packet header for packet anomalies.
+              types:
+                 decode: "no"
+                 stream: "no"
+                 applayer: "yes"
+              packethdr: "no"
+          - http:
+              extended: "yes"     # enable this for extended logging information
+              # custom allows additional http fields to be included in eve-log
+              # the example below adds three additional fields when uncommented
+              #custom: [Accept-Encoding, Accept-Language, Authorization]
+              # set this value to one and only one among {both, request, response}
+              # to dump all http headers for every http request and/or response
+              # dump-all-headers: none
+          - dns:
+              # This configuration uses the new DNS logging format,
+              # the old configuration is still available:
+              # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+
+              # As of Suricata 5.0, version 2 of the eve dns output
+              # format is the default.
+              version: 2
+
+              # Enable/disable this logger. Default: enabled.
+              enabled: "yes"
+
+              # Control logging of requests and responses:
+              # - requests: enable logging of DNS queries
+              # - responses: enable logging of DNS answers
+              # By default both requests and responses are logged.
+              #requests: "no"
+              #responses: "no"
+
+              # Format of answer logging:
+              # - detailed: array item per answer
+              # - grouped: answers aggregated by type
+              # Default: all
+              #formats: [detailed, grouped]
+
+              # Types to log, based on the query type.
+              # Default: all.
+              #types: [a, aaaa, cname, mx, ns, ptr, txt]
+          - tls:
+              extended: "yes"     # enable this for extended logging information
+              # output TLS transaction where the session is resumed using a
+              # session id
+              #session-resumption: "no"
+              # custom allows to control which tls fields that are included
+              # in eve-log
+              #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
+          - files:
+              force-magic: "no"   # force logging magic on all logged files
+              # force logging of checksums, available hash functions are md5,
+              # sha1 and sha256
+              #force-hash: [md5]
+          #- drop:
+          #    alerts: "yes"      # log alerts that caused drops
+          #    flows: all       # start or all: 'start' logs only a single drop
+          #                     # per flow direction. All logs each dropped pkt.
+
+          - smtp:
+              extended: "yes" # enable this for extended logging information
+              # this includes: bcc, message-id, subject, x_mailer, user-agent
+              # custom fields logging from the list:
+              #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+              #  x-originating-ip, in-reply-to, references, importance, priority,
+              #  sensitivity, organization, content-md5, date
+              #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+              # output md5 of fields: body, subject
+              # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+              # to yes
+              #md5: [body, subject]
+
+          - dnp3
+          - ftp
+          - rdp
+          - nfs
+          - smb
+          - tftp
+          - ikev2
+          - krb5
+          - snmp
+          - sip
+          - dhcp:
+              enabled: "yes"
+              # When extended mode is on, all DHCP messages are logged
+              # with full detail. When extended mode is off (the
+              # default), just enough information to map a MAC address
+              # to an IP address is logged.
+          #    extended: "no"
+          - ssh
+          #- stats:
+          #    totals: "yes"       # stats for all threads merged together
+          #    threads: "no"       # per thread stats
+          #    deltas: "no"        # include delta values
+          # bi-directional flows
+          - flow
+          # uni-directional flows
+          #- netflow
+
+          # Metadata event type. Triggered whenever a pktvar is saved
+          # and will include the pktvars, flowvars, flowbits and
+          # flowints.
+          #- metadata