From bb0da2a5c5b21e23fe54f18dc78d23bb77f9e963 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 22 Mar 2024 14:34:14 -0400
Subject: [PATCH 1/3] add additional suricata af-packet config items
---
 salt/suricata/defaults.yaml | 7 +++++++
 salt/suricata/map.jinja | 7 +++++++
 salt/suricata/soc_suricata.yaml | 35 +++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 0252d3a813..8680fbda2a 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -33,6 +33,13 @@ suricata:
 threads: 1
 tpacket-v3: "yes"
 ring-size: 5000
+ mmap-locked: "yes"
+ block-size: 32768
+ block-timeout: 10
+ use-emergency-flush: "yes"
+ buffer-size: 32768
+ disable-promisc: "no"
+ checksum-checks: kernel
 vars:
 address-groups:
 HOME_NET:
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 7f7b04aeff..9d5581030f 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -37,6 +37,13 @@
 threads: {{ SURICATAMERGED.config['af-packet'].threads }}
 tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
 ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
+ mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
+ block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
+ block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
+ use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
+ buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
+ disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
+ checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 13a709c4a1..9843d8c972 100644
--- a/salt/suricata/soc_suricata.yaml
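Review bot: `use-emergency-flush: "yes"` ships a default that the soc_suricata.yaml description in this same patch says may leave some packets uninspected under load, a detection-coverage trade-off that deserves to be recorded next to the value rather than only in the UI help text. Suggest an inline comment: `use-emergency-flush: "yes"  # recovers from af-packet drops under load; flushed packets may go uninspected`. The same hunk quotes every yes/no value but leaves `checksum-checks: kernel` plain; `checksum-checks: "kernel"` would keep the string values uniform with their siblings. The enclosing suricata/af-packet mapping starts above the hunk.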
+++ b/salt/suricata/soc_suricata.yaml 
@@ -94,6 +94,41 @@ suricata:
 description: Buffer size for packets per thread.
 forcedType: int
 helpLink: suricata.html
+ mmap-locked:
+ description: Prevent swapping by locking the memory map.
+ advanced: True
+ regex: ^(yes|no)$
+ helpLink: suricata.html
+ block-size:
+ description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
+ advanced: True
+ forcedType: int
+ helpLink: suricata.html
+ block-timeout:
+ description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
+ advanced: True
+ forcedType: int
+ helpLink: suricata.html
+ use-emergency-flush:
+ description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
+ advanced: True
+ regex: ^(yes|no)$
+ helpLink: suricata.html
+ buffer-size:
+ description: Increasing the value of the receive buffer may improve performance.
+ advanced: True
+ forcedType: int
+ helpLink: suricata.html
+ disable-promisc:
+ description: Promiscuous mode can be disabled by setting this to "yes".
+ advanced: True
+ regex: ^(yes|no)$
+ helpLink: suricata.html
+ checksum-checks:
+ description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
+ advanced: True
+ regex: ^(kernel|yes|no|auto)$
+ helpLink: suricata.html
 threading:
 set-cpu-affinity:
 description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
From 81f3d69eb9b759bd4b98048d85184d9b3c31ddfb Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 22 Mar 2024 15:55:59 -0400
Subject: [PATCH 2/3] remove mmap-locked.
---
 salt/suricata/defaults.yaml | 1 -
 salt/suricata/map.jinja | 11 +++++------
 salt/suricata/soc_suricata.yaml | 5 -----
 3 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 8680fbda2a..914c045b10 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -33,7 +33,6 @@ suricata:
 threads: 1
 tpacket-v3: "yes"
 ring-size: 5000
- mmap-locked: "yes"
 block-size: 32768
 block-timeout: 10
 use-emergency-flush: "yes"
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 9d5581030f..55c9aab4c6 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
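Review bot: `block-size` and `buffer-size` are constrained only by `forcedType: int`, while the block-size description itself requires a power of 2 that is a multiple of the page size; nothing in the added schema enforces that, so a value violating it is accepted in the UI and presumably only surfaces as an af-packet startup failure on the sensor, i.e. a sensor silently not capturing. If the schema allows it, a regex enumerating the permitted sizes would catch that before deploy, e.g. `regex: ^(16384|32768|65536|131072|262144)$` (constructed example, adjust to the sizes you intend to allow). Separately, the checksum-checks description is a single very long double-quoted scalar; a `>-` folded block would render the same text while keeping the file within normal line length. The `suricata:` mapping these keys belong to begins and ends outside the hunk.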
@@ -32,17 +32,16 @@
 - interface: {{ GLOBALS.sensor.interface }}
 cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
 cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
- defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
- use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
+ defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
+ use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
 threads: {{ SURICATAMERGED.config['af-packet'].threads }}
- tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
+ tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
 ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
- mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
 block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
 block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
- use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
+ use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
 buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
- disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
+ disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
 checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 9843d8c972..c9ba80f013 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -94,11 +94,6 @@ suricata:
 description: Buffer size for packets per thread.
 forcedType: int
 helpLink: suricata.html
- mmap-locked:
- description: Prevent swapping by locking the memory map.
- advanced: True
- regex: ^(yes|no)$
- helpLink: suricata.html
 block-size:
 description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
 advanced: True
From 029d8a0e8fd50c3ffa75a04572d15e6c10c60202 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 25 Mar 2024 09:30:41 -0400
Subject: [PATCH 3/3] handle yes/no on checksum-checks
---
 salt/suricata/map.jinja | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 55c9aab4c6..2a3adf5f18 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -42,7 +42,11 @@
 use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
 buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
 disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
+{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
+ checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
+{% else %}
 checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
+{% endif %}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
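Review bot: The `{% if ... in ['yes', 'no'] %}` branch only earns its keep if quoting `kernel` or `auto` would change their meaning, and as far as I can tell Suricata reads every scalar in its YAML as a string, so quoting unconditionally — `checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"` — would match how `use-emergency-flush` and `disable-promisc` are rendered three lines above and remove the four added lines. Note also that if the pillar value ever arrives as a real boolean (an unquoted `yes` upstream becomes True before Jinja runs), the `in` test is false and the plain branch renders `True`; the unconditional quoted form renders `"True"` instead, so it is worth confirming how the SOC stores the value matched by its `^(kernel|yes|no|auto)$` regex. The `{% load_yaml %}` block this sits in opens above the hunk.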