-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathsuricata-deploy.yaml
241 lines (207 loc) · 8.5 KB
/
suricata-deploy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
########
# On the central machine:
# sudo apt-get install python-yaml python-jinja2 python-paramiko python-crypto python-keyczar ansible
#
#######
# On the remote (to be managed) machine:
# sudo apt-get install python-keyczar
#
########
# NOTE: python-keyczar must be installed on the control (central AND remote) machine to use accelerated modes
#
#Released under GPLv2 - a copy of which can be found in the LICESNE file
#Author: Peter Manev <[email protected]>
#
# THIS SET UP IS FOR DEBIAN/UBUNTU LIKE SYSTEMS !!
#
########
# This script comes with ABSOLUTELY NO WARRANTY!
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
- hosts: all
# you can also use "- hosts: HoneyPots", but
# make sure you have that defined in your hosts file,
# and check the variables in "group_vars" folder ,
# otherwise it will be done on ALL machines defind in the hosts file
serial: 5 #parallel execution
accelerate: true #fast secure execution
tasks:
- name: Ensure Suricata, Ansible latest dev build dependencies are installed plus some more tools
apt: pkg={{item}} state=latest update-cache=yes
with_items:
- build-essential
- git-core
- libnss3-dev
- libnspr4-dev
- libpcre3
- libpcre3-dbg
- libpcre3-dev
- autoconf
- automake
- libtool
- libpcap-dev
- libnet1-dev
- libyaml-0-2
- libyaml-dev
- pkg-config
- zlib1g
- zlib1g-dev
- libcap-ng-dev
- libcap-ng0
- libgeoip1
- libgeoip-dev
- make
- libmagic-dev
- flex
- bison
- subversion
- ethtool
- htop
- chkconfig
- lshw
- mc
- python-keyczar
- tcpdump
- iptraf
- iftop
- tcpstat
- bwm-ng
- traceroute
- python-apt
- aptitude
- perl
- perl-modules
- wget
tags:
- deploy-packages
- update-upgrade-packages
sudo: yes
- name: Update/upgrade all packages to the latest version
apt: update_cache=yes upgrade=dist
async: 1200 #fire and forget - wait up to 20 min for the job to finish
poll: 10 #check every 10 sec if the job is done
sudo: yes
tags:
- update-upgrade-packages
- name: Ensure Suricata latest GIT is pulled/cloned
git: repo=git://phalanx.openinfosecfoundation.org/oisf.git
dest=/opt/oisf
update=yes
retries: 3 #upon err, it will retrying the task 3 times,
delay: 4 # 4 seconds apart
sudo: yes
tags: git-pull-suricata
- name: Ensure libhtp latest GIT master is pulled/cloned
git: repo=https://github.com/ironbee/libhtp.git
dest=/opt/oisf/libhtp
version=0.5.x
update=yes
retries: 3
delay: 4
sudo: yes
tags:
- git-pull-libhtp
- git-pull-suricata
- name: Check if Suricata process is runnning
command: pgrep Suricata
ignore_errors: True #if err occurs, do not stop the whole execution
register: suricata_process_rc_code
sudo: yes
tags:
- check-suricata-process
- kill-suricata-process
- compile-suricata
- name: IF there is Suricata process runnning - kill it before we compile
command: "kill -9 {{suricata_process_rc_code.stdout}}"
when: ( suricata_process_rc_code|success )
ignore_errors: True #if err occurs, do not stop the whole execution
sudo: yes
tags:
- kill-suricata-process
- compile-suricata
- name: Execute autogen.sh - latest Suricata dev edition from git
shell: ./autogen.sh chdir=/opt/oisf
async: 480 #fire and forget - wait up to 8 min for the job to finish
poll: 10 #check every 10 sec if the job is done
sudo: yes
tags: compile-suricata
- name: Configure latest Suricata dev edition from git
shell: "./configure \
--prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--disable-gccmarch-native \
--enable-geoip \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr chdir=/opt/oisf "
async: 720 #fire and forget - wait up to 12 min for the job to finish
poll: 10 #check every 10 sec if the job is done
sudo: yes
tags: compile-suricata
- name: Compile and make install-conf the latest Suricata dev edition from git
shell: make clean && make && make install-conf && ldconfig chdir=/opt/oisf
async: 2400 #fire and forget - wait up to 40 min for the job to finish
poll: 10 #check every 10 sec if the job is done
sudo: yes
tags: compile-suricata
- name: DISABLE - Network sniffing interface offloading
command: "{{item}} chdir=/opt"
with_items:
- ethtool -K {{sniffing_interface}} tso off
- ethtool -K {{sniffing_interface}} gro off
- ethtool -K {{sniffing_interface}} lro off
- ethtool -K {{sniffing_interface}} gso off
- ethtool -K {{sniffing_interface}} rx off
- ethtool -K {{sniffing_interface}} tx off
- ethtool -K {{sniffing_interface}} sg off
- ethtool -K {{sniffing_interface}} rxvlan off
- ethtool -K {{sniffing_interface}} txvlan off
# the value of the variable {{sniffing_interface}} is taken from
# the definitions in the "group_vars" folder
ignore_errors: True #if err occurs, do not stop the whole execution
sudo: yes
tags:
- disable-network-offloading
- deploy-packages
#this above is how you do multiple tags
- name: Check if irqbalance is enabled
command: chkconfig -t irqbalance
register: chkconfig_status
sudo: yes
tags: disable-network-offloading
- name: DISABLE irqbalance if enabled
command: chkconfig irqbalance off
ignore_errors: True #if err occurs, do not stop the whole execution
when: chkconfig_status.stdout.find("irqbalance on") != -1
sudo: yes
tags: disable-network-offloading
- name: Deploy suricata.yaml from jinja2 template
template: src=templates/suricata.yaml.j2 dest=/etc/suricata/suricata.yaml mode=0640 owner=root group=root
sudo: yes
tags: deploy-confs
# this will deploy and configure the suricata.yaml to the machines
# out of a jinja2 template.
# Again values that are to be used in the template
# (found itself under folder "templates") are taken from the
# the definitions in the "group_vars" folder
- name: Deploy disable-network-offloading.sh from jinja2 template
template: src=templates/disable-network-offload.sh.j2 dest=/opt/disable-network-offload.sh
mode=755
owner=root
group=root
sudo: yes
tags:
- deploy-cronjobs
# Found on the remote machine under /var/spool/cron/crontab
- cron: name="add cronjob at reboot - disbale network offload"
special_time=reboot
job="/opt/disable-network-offload.sh"
sudo: yes
tags:
- deploy-cronjobs