Merge pull request #12561 from Security-Onion-Solutions/jppnocap

transitional pcap
Security-Onion-Solutions · Mar 11, 2024 · b7f058a · b7f058a
2 parents 8c54a19 + ba32b3e
commit b7f058a
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 13 deletions.
diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja
@@ -1,7 +1,10 @@
-{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
-{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
-{% import 'bpf/macros.jinja' as MACROS %}
-
-{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
-
-{% set PCAPBPF = BPFMERGED.pcap %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% if GLOBALS.pcap_engine == "TRANSITION" %}
+{%   set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
+{% else %}
+{%   import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{%   set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{%   import 'bpf/macros.jinja' as MACROS %}
+{{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
+{%   set PCAPBPF = BPFMERGED.pcap %}
+{% endif %}
diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml
@@ -15,9 +15,9 @@ global:
     regexFailureMessage: You must enter either ZEEK or SURICATA.
     global: True
   pcapengine:
-    description: Which engine to use for generating pcap. Options are STENO and SURICATA.
-    regex: ^(STENO|SURICATA)$
-    regexFailureMessage: You must enter either STENO or SURICATA.
+    description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
+    regex: ^(STENO|SURICATA|TRANSITION)$
+    regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
     global: True
   ids:
     description: Which IDS engine to use. Currently only Suricata is supported.

diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
@@ -9,7 +9,7 @@
 {% set surimeta_filestore_index = [] %}
 
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
-{% if GLOBALS.pcap_engine == "SURICATA" %}
+{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}

diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls
@@ -11,7 +11,7 @@ suripcapdir:
     - mode: 775
     - makedirs: True
 
-{%   if GLOBALS.pcap_engine == "SURICATA" %}
+{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 
 {# there should only be 1 interface in af-packet so we can just reference the first list item #}
 {% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}

diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- if GLOBALS.pcap_engine == "SURICATA" %}
+{%- if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 PCAPLOC=/host/nsm/suripcap
 {%- else %}
 PCAPLOC=/host/nsm/pcap