-
Notifications
You must be signed in to change notification settings - Fork 3
/
pillar.example
80 lines (80 loc) · 5.86 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# BRO docs https://www.bro.org/documentation/index.html
bro:
lookup:
package:
{% if grains['os_family'] == 'RedHat' %}
install_type: 'local' # Install type can be package or local (support for tarball not implemented)
local_package: # Can be multiple packages like bro, broctl, broccoli etc.
- pack_id: 'bro-full'
package: 'Bro-2.6-195-Linux-x86_64' # Custom package to be deployed
name: 'bro' # Name of installed package
type: 'rpm' # Type should be deb or rpm based on platform
source: 'salt://bro/files' # URI Path can be salt, ftp, https, or file path to package (no trailing /)
use_repo: 'False' # Bro can be installed from epel or a local rpm not just bro repos
repo_baseurl: 'http://download.opensuse.org/repositories/network:/bro/CentOS_7/'
repo_gpgkey: 'http://download.opensuse.org/repositories/network:/bro/CentOS_7/repodata/repomd.xml.key'
skip_verify: '0'
{% elif grains['os_family'] == 'Debian' %}
install_type: 'package' # Install type can be package (support for tarball or local not implemented)
use_repo: 'False' # Debian 9 does not require an external repo
repo_baseurl: 'deb http://download.opensuse.org/repositories/network:/bro/Debian_8.0/'
repo_gpgkey: 'http://download.opensuse.org/repositories/network:bro/Debian_8.0/Release.key'
skip_verify: '0'
{% endif %}
bro:
use_BroPKG: 'True' # Use bro-pkg to manage plugins (requird for plugins such as af_packet etc)
{% if grains['os_family'] == 'RedHat' %}
python_pip_pkg: 'python36-pip' # Can be pip or pip3 but only gets installed if use_BroPKG == True
{% elif grains['os_family'] == 'Debian' %}
python_pip_pkg: 'python3-pip' # Can be pip or pip3 but only gets installed if use_BroPKG == True
{% endif %}
python_pip_cmd: 'pip3' # Otherwise, the pip install is skipped and bro-pkg is not configured
addon_plugins: # List of plugins to install if bro-pkg is enabled
- plugin: 'bro-af_packet-plugin' # af_packet is required when use_afpacket == True
MailTo: 'root@localhost' # Recipient address for all emails sent out by Bro and BroControl
SendMail: '/sbin/sendmail' # Path to sendmail binary
MailConnectionSummary: '1' # Send mail connection summaries
MinDiskSpace: '5' # Threshold (in percentage of disk space) for HDD where SpoolDir lives
MailHostUpDown: '1' # Send mail when "broctl cron" notices a host in the cluster has changed
LogRotationInterval: '3600' # Log rotation interval in seconds for current logs
LogExpireInterval: '0' # Files older than this will be deleted by "broctl cron" 0 is never
StatsLogEnable: '1' # Enable BroControl to write statistics to the stats.log file
StatsLogExpireInterval: '0' # Number of days that entries in the stats.log file are kept
StatusCmdShowAll: '0' # Show all output of the broctl status command
CrashExpireInterval: '0' # Number of days that crash directories are kept
SitePolicyScripts: 'local.bro' # Site-specific policy script to load
{% if grains['os_family'] == 'RedHat' %}
base_dir: '/opt/bro' # /opt/bro is default for yum package install
{% elif grains['os_family'] == 'Debian' %}
base_dir: '/usr/bin' # /usr/bin is default for deb package install
BinDir: '/usr/bin' # Default location of executables on Debian
LogDir: '/var/log/bro' # Default location of log directory on Debian
SpoolDir: '/var/spool/bro' # Default location of spool directory on Debian
CfgDir: '/etc/bro' # Default config directory location for Debian
ShareDir: '/usr/share/bro' # Location of shared resources (site local)
{% endif %}
mode: 'lb_cluster' # Mode can be standalone or lb_cluster (load balanced cluster)
use_pfring: 'False' # If pf_ring is installed set this to True. Must use "pf_ring" lb_method
use_afpacket: 'True' # If you use AF_PACKET set this to True. Must use "custom" lb_method and use_BroPKG set to True
lb_method: 'custom' # Load balancer type ("pf_ring" or "custom" are supported)
lb_procs: '2' # Number of processors to run BRO workers with
logging:
use_rsyslog: 'True' # Enable rsyslog usage
bpf:
use_BPFconf: 'True' # Use Berkeley Packet Filter(BPF) on capture interfaces
bpf_rules: [] # Add custom BPF rules
optional:
use_LibgeoIP: 'False' # Use LibgeoIP(less useful if sending logs upstream)
use_sendmail: 'False' # Use sendmail(needs sendmail/postfix to be installed)
relayhost: 'mail.domain.tld' # Send email to a relay host
interfaces:
ip_binary_path: '/sbin/ip' # path to ip binary for managing
management: 'ens192' # Management interface name
capture:
enable: 'True'
device_names: 'ens224' # Capture interface name (currently only supports 1 interface)
enable_tx: '0' # Enable tx send on this interface (default is 0)
min_num_slots: '4096' # Min Slots check support on card using ethtool -g eth1