A saltstack formula to install suricata on RHEL or Ubuntu based systems.

On RHEL based systems, epel is required and will default to whichever version matches the OS platform. Suricata packages for suricata v5.0.x are part of the RHEL8 ecosystem and suricata v4.1.x is part of the RHEL7 ecosystem.

There is no such versioning weirdness with Ubuntu distros, which allow installing the latest suricata.

Supports one capture interface at the moment. Adding ability to control multiple capture interfaces is on the TODO list

Credit: formula created by @alias454.

Formulas exist to help with installation and management of other optional components such as pf_ring.

pfring-formula https://github.com/saltstack-formulas/pfring-formula

See the full SaltStack Formulas installation and usage instructions.

If you are interested in writing or contributing to formulas, please pay attention to the Writing Formula Section.

If you want to use this formula, please pay attention to the FORMULA file and/or git tag, which contains the currently released version. This formula is versioned according to Semantic Versioning.

See Formula Versioning Section for more details.

If you need (non-default) configuration, please pay attention to the pillar.example file and/or Special notes section.

Commit message formatting is significant!!

Please see How to contribute for more details.

None.

Meta-state (This is a state that includes other states).

Installs suricata and it's requirements, manages the configuration file, and starts the service.

Install prerequisite packages

Install suricata packages and optionaly packages for suricata-update if needed.

Manage configuration file placement and user configuration

Manage suricata service and a service to manage promiscuous mode of defined network interfaces on RHEL/CentOS 7 or Debian systems.

Manage suricata rules with suricata-update package. Creates modify, drop, enable, and disable templates along with rule file management.

Manage optional suricata-update cron to setup a daily job for suricata-update.

Linux testing is done with kitchen-salt.

• Ruby
• Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

Creates the docker instance and runs the suricata main state, ready for testing.

Runs the inspec tests on the actual instance.

Removes the docker instance.

Runs all of the stages above in one go: i.e. destroy + converge + verify + destroy.

Gives you SSH access to the instance for manual testing.