Merge remote-tracking branch 'origin/2.4/dev' into issue/11390

m0duspwnens
2023-09-26 11:01:44 -04:00
8 changed files with 90 additions and 56 deletions


@@ -80,8 +80,8 @@ function evtx2es() {
-e "SHIFTTS=$SHIFTDATE" \ -e "SHIFTTS=$SHIFTDATE" \
-v "$EVTX:/tmp/data.evtx" \ -v "$EVTX:/tmp/data.evtx" \
-v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-v "/nsm/import/evtx-end_newest:/tmp/newest" \ -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
-v "/nsm/import/evtx-start_oldest:/tmp/oldest" \ -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
--entrypoint "/evtx_calc_timestamps.sh" \ --entrypoint "/evtx_calc_timestamps.sh" \
{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1 {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
} }
@@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0
VALID_EVTXS_COUNT=0 VALID_EVTXS_COUNT=0
SKIPPED_EVTXS_COUNT=0 SKIPPED_EVTXS_COUNT=0
touch /nsm/import/evtx-start_oldest
touch /nsm/import/evtx-end_newest
echo $START_OLDEST > /nsm/import/evtx-start_oldest
echo $END_NEWEST > /nsm/import/evtx-end_newest
# paths must be quoted in case they include spaces # paths must be quoted in case they include spaces
for EVTX in $INPUT_FILES; do for EVTX in $INPUT_FILES; do
EVTX=$(/usr/bin/realpath "$EVTX") EVTX=$(/usr/bin/realpath "$EVTX")
@@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do
status "- this EVTX has already been imported; skipping" status "- this EVTX has already been imported; skipping"
SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1)) SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
else else
# create EVTX directory
EVTX_DIR=$HASH_DIR/evtx EVTX_DIR=$HASH_DIR/evtx
mkdir -p $EVTX_DIR mkdir -p $EVTX_DIR
# create import timestamp files
for i in evtx-start_oldest evtx-end_newest; do
if ! [ -f "$i" ]; then
touch /nsm/import/$HASH/$i
fi
done
# import evtx and write them to import ingest pipeline # import evtx and write them to import ingest pipeline
status "- importing logs to Elasticsearch..." status "- importing logs to Elasticsearch..."
@@ -154,8 +155,23 @@ for EVTX in $INPUT_FILES; do
VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1)) VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
fi fi
cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
chmod 644 "${EVTX_DIR}"/data.evtx
fi # end of valid evtx
# determine start and end and make sure they aren't reversed
START=$(cat /nsm/import/$HASH/evtx-start_oldest)
END=$(cat /nsm/import/$HASH/evtx-end_newest)
START_EPOCH=`date -d "$START" +"%s"`
END_EPOCH=`date -d "$END" +"%s"`
if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then
TEMP=$START
START=$END
END=$TEMP
fi
# compare $START to $START_OLDEST # compare $START to $START_OLDEST
START=$(cat /nsm/import/evtx-start_oldest)
START_COMPARE=$(date -d $START +%s) START_COMPARE=$(date -d $START +%s)
START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
@@ -163,7 +179,6 @@ for EVTX in $INPUT_FILES; do
fi fi
# compare $ENDNEXT to $END_NEWEST # compare $ENDNEXT to $END_NEWEST
END=$(cat /nsm/import/evtx-end_newest)
ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"` ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s) ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s) END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
@@ -171,11 +186,6 @@ for EVTX in $INPUT_FILES; do
END_NEWEST=$ENDNEXT END_NEWEST=$ENDNEXT
fi fi
cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
chmod 644 "${EVTX_DIR}"/data.evtx
fi # end of valid evtx
status status
done # end of for-loop processing evtx files done # end of for-loop processing evtx files
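Review bot: The existence test in the new timestamp-file loop checks `$i` relative to the current working directory while the `touch` on the next line targets `/nsm/import/$HASH/$i`, so the condition never inspects the file it is meant to guard; since `touch` is idempotent the body can simply be `touch "/nsm/import/$HASH/$i"`, or the test should use the same full path, `if ! [ -f "/nsm/import/$HASH/$i" ]; then`. Those files are created empty, and the new readback feeds an empty string to `date -d "$START"` and `date -d "$END"` before any writer has filled them — whether GNU date then yields an epoch that makes the START/END swap meaningful, rather than an error or "now", should be confirmed. `$HASH` is unquoted in the `touch` and `cat` paths while the comment above the loop says paths must be quoted; quoting it keeps the new lines consistent with that rule. The for-loop body that encloses these hunks starts and ends outside them.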


@@ -3689,6 +3689,7 @@ elasticsearch:
refresh_interval: 30s refresh_interval: 30s
number_of_shards: 1 number_of_shards: 1
number_of_replicas: 0 number_of_replicas: 0
final_pipeline: ".fleet_final_pipeline-1"
composed_of: composed_of:
- agent-mappings - agent-mappings
- dtc-agent-mappings - dtc-agent-mappings
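Review bot: The added `final_pipeline: ".fleet_final_pipeline-1"` pins a Fleet-managed pipeline name with a version suffix; if a stack upgrade replaces that pipeline with a new suffix, indexing into indices built from this template fails because a configured final pipeline that does not exist is an error rather than a no-op. A short comment next to the setting naming the stack version it was validated against, e.g. `# Fleet-managed; name is versioned, re-check after stack upgrades`, would make that coupling visible to whoever handles the next upgrade. The template block enclosing this hunk starts and ends outside it.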


@@ -80,6 +80,7 @@
{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } }, { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } }, { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
{ "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
{ "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
], ],
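Review bot: The new `date` processor has no `ignore_failure` or `on_failure`, unlike the neighbouring `community_id` and `remove` processors, so a system-module event whose `event.created` is absent or not in the single listed format fails the whole pipeline and the document is rejected instead of being indexed with its original `@timestamp`. Either narrow the condition, `"if": "ctx.event?.module == 'system' && ctx.event?.created != null"`, or add `"ignore_failure": true` so a parse miss leaves the event intact. Whether every system-module source emits exactly that microsecond format is not visible here and is worth confirming before relying on a single pattern.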


@@ -20,6 +20,9 @@
"type": "float" "type": "float"
} }
} }
},
"image_version": {
"type": "float"
} }
} }
}, },
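Review bot: Mapping `image_version` as `float` will reject any document whose value is a dotted release string such as `2.4.20` (the form this same commit uses for `POSTVERSION`), since a value that cannot be coerced to a number is a mapping failure and the document is dropped. If the values can take that shape, `"type": "keyword"` is the safer mapping; if they are guaranteed to be plain decimals, that guarantee should be stated where the field is populated. Which case applies cannot be determined from this hunk.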


@@ -441,8 +441,8 @@ post_to_2.4.10() {
} }
post_to_2.4.20() { post_to_2.4.20() {
echo "Pruning unused volumes" echo "Pruning unused docker volumes on all nodes - This process will run in the background."
docker volume prune -f salt --async \* cmd.run "docker volume prune -f"
POSTVERSION=2.4.20 POSTVERSION=2.4.20
} }
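Review bot: `salt --async` returns as soon as the job is published, so `POSTVERSION=2.4.20` is recorded whether or not the prune ran or succeeded on any node, and the only failure that remains visible is a failure to publish. The job id printed by the async call should at least be kept so an operator can check the result with `salt-run jobs.lookup_jid`, and the publish failure should not be silent, e.g. `salt --async \* cmd.run "docker volume prune -f" || echo "WARNING: could not dispatch docker volume prune job"`. If per-node status is deliberately not awaited, a one-line comment above the call saying the prune is best-effort would make that intentional rather than accidental.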


@@ -230,6 +230,19 @@ http {
proxy_cookie_path /api/ /influxdb/api/; proxy_cookie_path /api/ /influxdb/api/;
} }
location /app/dashboards/ {
auth_request /auth/sessions/whoami;
rewrite /app/dashboards/(.*) /app/dashboards/$1 break;
proxy_pass http://{{ GLOBALS.manager }}:5601/app/;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
location /kibana/ { location /kibana/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
rewrite /kibana/(.*) /$1 break; rewrite /kibana/(.*) /$1 break;
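Review bot: The `rewrite /app/dashboards/(.*) /app/dashboards/$1 break;` in the new location maps the URI onto itself, unlike the sibling `/kibana/` block that strips its prefix; presumably the intent is to forward the full `/app/dashboards/...` path, but whether the `/app/` suffix on `proxy_pass` is then ignored or still replaces the location prefix depends on whether nginx treats the self-rewrite as a URI change, which is not obvious from the config. A comment stating the upstream path expected for a request to `/app/dashboards/x`, or dropping the rewrite if the path is meant to pass through unchanged, would remove the ambiguity. The block is otherwise consistent with the adjacent locations (same `auth_request` and forwarded headers). The enclosing `http { ... server { ... } }` context starts and ends outside the hunk.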


@@ -154,6 +154,12 @@ The analyzer itself will only run when a user in SOC enqueues an analyzer job, s
python -m urlhaus '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}' python -m urlhaus '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}'
``` ```
To manually test an analyzer outside of the Sensoroni Docker container, use a command similar to the following:
```bash
PYTHONPATH=. python urlhaus/urlhaus.py '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}'
```
It is up to each analyzer to determine whether the provided input is compatible with that analyzer. This is assisted by the analyzer metadata, as described earlier in this document, with the use of the `supportedTypes` list. It is up to each analyzer to determine whether the provided input is compatible with that analyzer. This is assisted by the analyzer metadata, as described earlier in this document, with the use of the `supportedTypes` list.
Once the analyzer completes its functionality, it must terminate promptly. See the following sections for more details on expected internal behavior of the analyzer. Once the analyzer completes its functionality, it must terminate promptly. See the following sections for more details on expected internal behavior of the analyzer.


@@ -2,53 +2,53 @@ sensoroni:
enabled: enabled:
description: Enable or disable Sensoroni. description: Enable or disable Sensoroni.
advanced: True advanced: True
helpLink: sensoroni.html helpLink: grid.html
config: config:
analyze: analyze:
enabled: enabled:
description: Enable or disable the analyzer. description: Enable or disable the analyzer.
advanced: True advanced: True
helpLink: sensoroni.html helpLink: cases.html
timeout_ms: timeout_ms:
description: Timeout period for the analyzer. description: Timeout period for the analyzer.
advanced: True advanced: True
helpLink: sensoroni.html helpLink: cases.html
parallel_limit: parallel_limit:
description: Parallel limit for the analyzer. description: Parallel limit for the analyzer.
advanced: True advanced: True
helpLink: sensoroni.html helpLink: cases.html
node_checkin_interval_ms: node_checkin_interval_ms:
description: Interval in ms to checkin to the soc_host. description: Interval in ms to checkin to the soc_host.
advanced: True advanced: True
helpLink: sensoroni.html helpLink: grid.html
node_description: node_description:
description: Description of the specific node. description: Description of the specific node.
helpLink: sensoroni.html helpLink: grid.html
node: True node: True
forcedType: string forcedType: string
sensoronikey: sensoronikey:
description: Shared key for sensoroni authentication. description: Shared key for sensoroni authentication.
helpLink: sensoroni.html helpLink: grid.html
global: True global: True
sensitive: True sensitive: True
advanced: True advanced: True
soc_host: soc_host:
description: Host for sensoroni agents to connect to. description: Host for sensoroni agents to connect to.
helpLink: sensoroni.html helpLink: grid.html
global: True global: True
advanced: True advanced: True
analyzers: analyzers:
emailrep: emailrep:
api_key: api_key:
description: API key for the EmailRep analyzer. description: API key for the EmailRep analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the EmailRep analyzer. description: Base URL for the EmailRep analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -56,21 +56,21 @@ sensoroni:
greynoise: greynoise:
api_key: api_key:
description: API key for the GreyNoise analyzer. description: API key for the GreyNoise analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
api_version: api_version:
description: API version for the GreyNoise analyzer. description: API version for the GreyNoise analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the GreyNoise analyzer. description: Base URL for the GreyNoise analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -78,7 +78,7 @@ sensoroni:
localfile: localfile:
file_path: file_path:
description: File path for the LocalFile analyzer. description: File path for the LocalFile analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -86,14 +86,14 @@ sensoroni:
otx: otx:
api_key: api_key:
description: API key for the OTX analyzer. description: API key for the OTX analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the OTX analyzer. description: Base URL for the OTX analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -101,14 +101,14 @@ sensoroni:
pulsedive: pulsedive:
api_key: api_key:
description: API key for the Pulsedive analyzer. description: API key for the Pulsedive analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the Pulsedive analyzer. description: Base URL for the Pulsedive analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -116,14 +116,14 @@ sensoroni:
spamhaus: spamhaus:
lookup_host: lookup_host:
description: Host to use for lookups. description: Host to use for lookups.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
nameservers: nameservers:
description: Nameservers used for queries. description: Nameservers used for queries.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -131,35 +131,35 @@ sensoroni:
urlscan: urlscan:
api_key: api_key:
description: API key for the Urlscan analyzer. description: API key for the Urlscan analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the Urlscan analyzer. description: Base URL for the Urlscan analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
enabled: enabled:
description: Analyzer enabled description: Analyzer enabled
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: bool forcedType: bool
timeout: timeout:
description: Timeout for the Urlscan analyzer. description: Timeout for the Urlscan analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: int forcedType: int
visibility: visibility:
description: Type of visibility. description: Type of visibility.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True
@@ -167,14 +167,14 @@ sensoroni:
virustotal: virustotal:
api_key: api_key:
description: API key for the VirusTotal analyzer. description: API key for the VirusTotal analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: True sensitive: True
advanced: True advanced: True
forcedType: string forcedType: string
base_url: base_url:
description: Base URL for the VirusTotal analyzer. description: Base URL for the VirusTotal analyzer.
helpLink: sensoroni.html helpLink: cases.html
global: False global: False
sensitive: False sensitive: False
advanced: True advanced: True