merge files from the blockchain infra repo (#59)

code/chef/recipes/centos.rb

@@ -0,0 +1,138 @@
+# Cookbook Name:: suricata
+# Recipe:: centos
+#
+
+# Variable Definitions
+suropts = node[:suricata]
+
+suricata_interface = suropts[:interface]
+
+# Do we have multiple interfaces to listen on?
+if suricata_interface.is_a? String
+	suricata_interface = [ suricata_interface ]
+end
+
+raise 'No suricata rules defined for this host' if suropts[:rules].nil?
+rules = suropts[:rules]
+
+
+# Setup
+yum_package 'libcap-ng'
+
+yum_package 'libhtp'
+
+%w[ libmnl libnetfilter_queue ].each do |pkg|
+    yum_package pkg
+end
+
+
+# Install Suricata
+yum_package 'suricata' do
+    notifies :restart, 'service[suricata]', :delayed
+end
+
+group 'suricata' do
+    gid 683
+    action :create
+end
+
+user 'suricata' do
+    comment 'suricata IDS user'
+    gid 683
+    shell '/sbin/nologin'
+    system true
+    action :create
+end
+
+if node[:platform_version][0] == '6'
+    template '/etc/init.d/suricata' do
+      mode 0555
+      owner 'root'
+      group 'root'
+      source 'suricata.init.erb'
+      variables({:interface => suricata_interface})
+    end
+else
+    template '/etc/systemd/system/suricata.service' do
+      mode 0444
+      owner 'root'
+      group 'root'
+      source 'suricata.service.erb'
+      variables({:interface => suricata_interface})
+    end
+end
+
+cookbook_file '/etc/logrotate.d/suricata' do
+      source 'suricata_logrotate'
+      owner 'root'
+      group 'root'
+      mode 0644
+end
+
+# Set Rules Up
+directory '/etc/suricata/rules' do
+    action :create
+end
+
+# Need to create these rules when time comes.
+#template '/etc/suricata/rules/local.rules' do
+#    mode 0644
+#    owner 'root'
+#    group 'wheel'
+#    source 'centos/local.rules.erb'
+#end
+
+
+# Set and configurate Suricata for centos
+magic_file = '/usr/share/file/magic'
+
+service_name = 'suricata'
+
+corpmacs = search(:node, 'roles:CorpMacDNS').map { |node| node['ipaddress'] }.sort!
+
+template '/etc/suricata/suricata.yaml' do
+    mode 0644
+    source 'suricata.yaml.erb'
+    variables({:pcapinterface => suricata_interface,
+               :rules => rules,
+               :magic_file => magic_file,
+               :corpmacs => corpmacs})
+    notifies :restart, "service[#{service_name}]", :delayed
+end
+
+%w[ classification.config reference.config threshold.config ].each do |configfile|
+    cookbook_file "/etc/suricata/#{configfile}" do
+        source configfile
+        mode 0644
+        owner 'root'
+    end
+end
+
+
+# Setup logging
+directory '/var/log/suricata/' do
+    owner 'root'
+    group 'suricata'
+    mode 0775
+    action :create
+end
+
+logfile_group = 'suricata'
+if system('getent group splunk')
+  logfile_group = 'splunk'
+end
+
+%w[ fast.log  outputs.log  suricata.log tls.log eve.json ].each do |logfile|
+      file "/var/log/suricata/#{logfile}" do
+          mode 0640
+          owner 'suricata'
+          group logfile_group
+      end
+end
+
+
+# Start Suricata
+service 'suricata' do
+      supports :status => true, :restart => true, :reload => true
+      action [ :enable, :start ]
+end

code/chef/recipes/default.rb

@@ -0,0 +1,25 @@
+#
+# Cookbook Name:: suricata
+# Recipe:: default
+#
+
+suropts = node[:suricata]
+
+raise 'No suricata interface defined for this host' if suropts[:interface].nil?
+suricata_interface = suropts[:interface]
+
+# Do we have multiple interfaces to listen on?
+if suricata_interface.is_a? String
+  suricata_interface = [ suricata_interface ]
+end
+
+# The list of rules to populate the yaml config with.
+raise 'No suricata rules defined for this host' if suropts[:rules].nil?
+rules = suropts[:rules]
+
+case node[:platform]
+when 'centos'
+  include_recipe 'suricata::centos'
+else
+  include_recipe 'suricata::corpmac'
+end

code/chef/recipes/mac.rb

@@ -0,0 +1,172 @@
+# Cookbook Name:: suricata
+# Recipe:: corpmac.rb
+#
+
+# Variable Definitions
+suropts = node[:suricata]
+
+raise 'No suricata interface defined for this host' if suropts[:interface].nil?
+suricata_interface = suropts[:interface]
+
+if suricata_interface.is_a? String
+    suricata_interface = [ suricata_interface ]
+end
+
+raise 'No suricata rules defined for this host' if suropts[:rules].nil?
+rules = suropts[:rules]
+
+
+# Setup
+group 'suricata' do
+    gid 683
+    action :create
+end
+
+user 'suricata' do
+    comment 'suricata IDS user'
+    gid 683
+    shell '/sbin/nologin'
+    system true
+    action :create
+end
+
+
+# Install Suricata
+package "libmagic" do
+    action :install
+    provider Chef::Provider::Package::Homebrew
+end
+
+homebrew_package "suricata" do
+    homebrew_user 'user'
+    action :install
+end
+
+
+directory '/etc/suricata/' do
+    action :create
+end
+
+
+# Set Rules Up
+directory '/etc/suricata/rules' do
+    action :create
+end
+
+template '/etc/suricata/rules/local.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/local.rules.erb'
+end
+
+template '/etc/suricata/rules/shellcode.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/shellcode.rules.erb'
+end
+
+template '/etc/suricata/rules/osxmalware.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/osxmalware.rules.erb'
+end
+
+template '/etc/suricata/rules/nmap.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/nmap.rules.erb'
+end
+
+template '/etc/suricata/rules/mobilemalware.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/mobilemalware.rules.erb'
+end
+
+template '/etc/suricata/rules/emerging-exploit.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/emerging-exploit.rules.erb'
+end
+
+template '/etc/suricata/rules/emerging-shellcode.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/emerging-shellcode.rules.erb'
+end
+
+template '/etc/suricata/rules/dshield.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/dshield.rules.erb'
+end
+
+template '/etc/suricata/rules/compromised.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/compromised.rules.erb'
+end
+
+template '/etc/suricata/rules/tor.rules' do
+    mode 0644
+    owner 'root'
+    group 'wheel'
+    source 'mac_os_x/tor.rules.erb'
+end
+
+
+magic_file = '/usr/local/share/misc/magic.mgc'
+
+include_recipe "logrotate::suricata_os_x"
+
+service_name = 'com.host.suricata'
+
+corpmacs = search(:node, 'roles:CorpMacDNS').map { |node| node['ipaddress'] }.sort!
+
+template '/etc/suricata/suricata.yaml' do
+    mode 0644
+    source 'suricata.yaml.erb'
+    variables({:pcapinterface => suricata_interface,
+               :rules => rules,
+               :magic_file => magic_file,
+               :corpmacs => corpmacs})
+    notifies :restart, "service[#{service_name}]", :delayed
+end
+
+%w[ classification.config reference.config threshold.config ].each do |configfile|
+    cookbook_file "/etc/suricata/#{configfile}" do
+        source configfile
+        mode 0644
+        owner 'root'
+    end
+end
+
+
+# Setup logging
+directory '/var/log/suricata/' do
+    owner 'root'
+    group 'suricata'
+    mode 0775
+    action :create
+end
+
+logfile_group = 'suricata'
+if system('getent group splunk')
+  logfile_group = 'splunk'
+end
+
+
+# Start Suricata
+service 'com.host.suricata' do
+    action [ :start ]
+    restart_command "kill -USR2 `cat /var/run/suricata.pid`"
+end