suricata-formula

Travis CI Build Status Semantic Release

A saltstack formula to install suricata on RHEL or Ubuntu based systems.

On RHEL based systems, epel is required and will default to whichever version matches the OS platform. Suricata packages for suricata v5.0.x are part of the RHEL8 ecosystem and suricata v4.1.x is part of the RHEL7 ecosystem.

There is no such versioning weirdness with Ubuntu distros, which allow installing the latest suricata.

Supports one capture interface at the moment. Adding ability to control multiple capture interfaces is on the TODO list

Credit: formula created by @alias454.

1. Optional

Formulas exist to help with installation and management of other optional components such as pf_ring.

pfring-formula https://github.com/saltstack-formulas/pfring-formula

2. General notes

See the full SaltStack Formulas installation and usage instructions.

If you are interested in writing or contributing to formulas, please pay attention to the Writing Formula Section.

If you want to use this formula, please pay attention to the FORMULA file and/or git tag, which contains the currently released version. This formula is versioned according to Semantic Versioning.

See Formula Versioning Section for more details.

If you need (non-default) configuration, please pay attention to the pillar.example file and/or Special notes section.

3. Contributing to this repo

Commit message formatting is significant!!

Please see How to contribute for more details.

4. Special notes

None.

5. Available states

5.1. suricata

Meta-state (This is a state that includes other states).

Installs suricata and it’s requirements, manages the configuration file, and starts the service.

5.2. suricata.suri-prereqs

Install prerequisite packages

5.3. suricata.suri-package

Install suricata packages and optionaly packages for suricata-update if needed.

5.4. suricata.suri-config

Manage configuration file placement and user configuration

5.5. suricata.suri-service

Manage suricata service and a service to manage promiscuous mode of defined network interfaces on RHEL/CentOS 7 or Debian systems.

5.6. suricata.suri-rules

Manage suricata rules with suricata-update package. Creates modify, drop, enable, and disable templates along with rule file management.

5.7. suricata.suri-cron

Manage optional suricata-update cron to setup a daily job for suricata-update.

6. Testing

Linux testing is done with kitchen-salt.

6.1. Requirements

  • Ruby

  • Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

6.2. bin/kitchen converge

Creates the docker instance and runs the suricata main state, ready for testing.

6.3. bin/kitchen verify

Runs the inspec tests on the actual instance.

6.4. bin/kitchen destroy

Removes the docker instance.

6.5. bin/kitchen test

Runs all of the stages above in one go: i.e. destroy + converge
verify + destroy.

6.6. bin/kitchen login

Gives you SSH access to the instance for manual testing.