Merge pull request #199 from Security-Onion-Solutions/feature/issue127

manage threshold.conf with Salt - #127
2025-12-09 18:52:52 +01:00 · 2020-01-03 14:57:43 -05:00
parent cc4b536042 4dc667d805
commit fbf6e5590d
4 changed files with 110 additions and 0 deletions
--- a/pillar/thresholding/pillar.example
+++ b/pillar/thresholding/pillar.example
@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    8675309:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    11223344:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24
--- a/pillar/thresholding/pillar.usage
+++ b/pillar/thresholding/pillar.usage
@@ -0,0 +1,20 @@
+thresholding:
+  sids:
+    <signature id>:
+      - threshold:
+          gen_id: <generator id>
+          type: <threshold | limit | both>
+          track: <by_src | by_dst>
+          count: <count>
+          seconds: <seconds>
+      - rate_filter:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_rule | by_both>
+          count: <count>
+          seconds: <seconds>
+          new_action: <alert | pass>
+          timeout: <seconds>
+      - suppress:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_either>
+          ip: <ip | subnet>
--- a/salt/suricata/files/threshold.conf.jinja
+++ b/salt/suricata/files/threshold.conf.jinja
@@ -0,0 +1,36 @@
+{% set THRESHOLDING  = salt['pillar.get']('thresholding', {}) -%}
+
+{% if THRESHOLDING -%}
+  
+  {% for EACH_SID in THRESHOLDING.sids -%}
+    {% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%}
+      {% for EACH_ACTION in ACTIONS_LIST -%}
+        
+        {%- if EACH_ACTION == 'threshold' %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
+        
+        {%- elif EACH_ACTION == 'rate_filter' %}
+          {%- if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
+          {%- else %}
+##### Security Onion does not support drop or reject actions for rate_filter
+##### {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
+          {%- endif %}
+        
+        {%- elif EACH_ACTION == 'suppress' %}
+          {%- if ACTIONS_LIST[EACH_ACTION].track is defined %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
+          {%- else %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
+          {%- endif %}
+        
+        {%- endif %}
+      
+      {%- endfor %}
+    {%- endfor %}
+  {%- endfor %}
+
+{%- else %}
+##### The thresholding pillar has not been defined
+
+{%- endif %}
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -70,6 +70,14 @@ suriconfigsync:
    - group: 940
    - template: jinja

+surithresholding:
+  file.managed:
+    - name: /opt/so/conf/suricata/threshold.conf
+    - source: salt://suricata/files/threshold.conf.jinja
+    - user: 940
+    - group: 940
+    - template: jinja
+
 so-suricataimage:
 cmd.run:
   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
@@ -84,9 +92,11 @@ so-suricata:
      - INTERFACE={{ interface }}
    - binds:
      - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
+      - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
      - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
      - /opt/so/log/suricata/:/var/log/suricata/:rw
    - network_mode: host
    - watch:
      - file: /opt/so/conf/suricata/suricata.yaml
+      - file: surithresholding
      - file: /opt/so/conf/suricata/rules/