CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
1b55642c868287bb2bb49d9adbb022bcb9c586a5
securityonion/salt/suricata/enabled.sls
DefensiveDepth 1b55642c86 Refactor rules location
2025-11-18 09:58:14 -05:00

100 lines
3.4 KiB
Plaintext
Raw Blame History

# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'suricata/map.jinja' import SURICATAMERGED %}
include:
- suricata.config
- suricata.sostatus
so-suricata:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-suricata:{{ GLOBALS.so_version }}
- privileged: True
- environment:
- INTERFACE={{ GLOBALS.sensor.interface }}
{% if DOCKER.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
- /opt/so/rules/suricata:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw
- /nsm/suricata/:/nsm/:rw
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
{% if DOCKER.containers['so-suricata'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- watch:
- file: suriconfig
- file: surithresholding
- file: /opt/so/conf/suricata/bpf
- file: suriclassifications
- require:
- file: suriconfig
- file: surithresholding
- file: suribpf
- file: suriclassifications
surirulereload:
cmd.run:
- name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1
- onchanges:
- file: surirulesync
- require:
- docker_container: so-suricata
delete_so-suricata_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-suricata$
# Add eve clean cron
clean_suricata_eve_files:
cron.present:
- name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
- identifier: clean_suricata_eve_files
- user: root
- minute: '*/5'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}
Reference in New Issue View Git Blame Copy Permalink