From 12653eec8c4565e9d2538c803fc9a8e53edfb1c6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 6 Mar 2024 08:14:33 -0500
Subject: [PATCH] add new pcap annotations
---
 salt/sensoroni/defaults.yaml | 118 ++++++++++++++--------------
 salt/sensoroni/files/sensoroni.json | 3 +-
 salt/sensoroni/soc_sensoroni.yaml | 5 ++
 salt/soc/defaults.yaml | 1 +
 salt/soc/soc_soc.yaml | 3 +
 5 files changed, 71 insertions(+), 59 deletions(-)
diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml
index 4ebd666a9..7777985dd 100644
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -1,58 +1,60 @@
-sensoroni:
- enabled: False
- config:
- analyze:
- enabled: False
- timeout_ms: 900000
- parallel_limit: 5
- node_checkin_interval_ms: 10000
- sensoronikey:
- soc_host:
- analyzers:
- echotrail:
- base_url: https://api.echotrail.io/insights/
- api_key:
- elasticsearch:
- base_url:
- auth_user:
- auth_pwd:
- num_results: 10
- api_key:
- index: _all
- time_delta_minutes: 14400
- timestamp_field_name: '@timestamp'
- map: {}
- cert_path:
- emailrep:
- base_url: https://emailrep.io/
- api_key:
- greynoise:
- base_url: https://api.greynoise.io/
- api_key:
- api_version: community
- localfile:
- file_path: []
- otx:
- base_url: https://otx.alienvault.com/api/v1/
- api_key:
- pulsedive:
- base_url: https://pulsedive.com/api/
- api_key:
- spamhaus:
- lookup_host: zen.spamhaus.org
- nameservers: []
- sublime_platform:
- base_url: https://api.platform.sublimesecurity.com
- api_key:
- live_flow: False
- mailbox_email_address:
- message_source_id:
- urlscan:
- base_url: https://urlscan.io/api/v1/
- api_key:
- enabled: False
- visibility: public
- timeout: 180
- virustotal:
- base_url: https://www.virustotal.com/api/v3/search?query=
- api_key:
+sensoroni:
+ enabled: False
+ config:
+ analyze:
+ enabled: False
+ timeout_ms: 900000
+ parallel_limit: 5
+ node_checkin_interval_ms: 10000
+ sensoronikey:
+ soc_host:
+ suripcap:
+ pcapMaxCount: 999999
+ analyzers:
+ echotrail:
+ base_url: https://api.echotrail.io/insights/
+ api_key:
+ elasticsearch:
+ base_url:
+ auth_user:
+ auth_pwd:
+ num_results: 10
+ api_key:
+ index: _all
+ time_delta_minutes: 14400
+ timestamp_field_name: '@timestamp'
+ map: {}
+ cert_path:
+ emailrep:
+ base_url: https://emailrep.io/
+ api_key:
+ greynoise:
+ base_url: https://api.greynoise.io/
+ api_key:
+ api_version: community
+ localfile:
+ file_path: []
+ otx:
+ base_url: https://otx.alienvault.com/api/v1/
+ api_key:
+ pulsedive:
+ base_url: https://pulsedive.com/api/
+ api_key:
+ spamhaus:
+ lookup_host: zen.spamhaus.org
+ nameservers: []
+ sublime_platform:
+ base_url: https://api.platform.sublimesecurity.com
+ api_key:
+ live_flow: False
+ mailbox_email_address:
+ message_source_id:
+ urlscan:
+ base_url: https://urlscan.io/api/v1/
+ api_key:
+ enabled: False
+ visibility: public
+ timeout: 180
+ virustotal:
+ base_url: https://www.virustotal.com/api/v3/search?query=
+ api_key:
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 5090967ef..eb9c1131d 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -39,7 +39,8 @@
 "suriquery": {
 "executablePath": "/opt/sensoroni/scripts/suriquery.sh",
 "pcapInputPath": "/nsm/suripcap",
- "pcapOutputPath": "/nsm/pcapout"
+ "pcapOutputPath": "/nsm/pcapout",
+ "pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}
 }
 {% endif %}
 {%- else %}
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index f7a10c6f7..7b8495dc5 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -37,6 +37,11 @@ sensoroni:
 helpLink: grid.html
 global: True
 advanced: True
+ suripcap:
+ pcapMaxCount:
+ description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
+ helpLink: sensoroni.html
+ advanced: True
 analyzers:
 echotrail:
 api_key:
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index d5ecbe71f..abcd12308 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1103,6 +1103,7 @@ soc:
 esSearchOffsetMs: 1800000
 maxLogLength: 1024
 asyncThreshold: 10
+ lookupTunnelParent: true
 influxdb:
 hostUrl:
 token:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index e80e98a7e..645a4c8a9 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
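Review bot: All 58 existing lines of defaults.yaml are removed and re-added although only `suripcap:` and `pcapMaxCount: 999999` are new, which suggests a line-ending or whitespace normalization was committed together with the feature; confirming with a whitespace-ignoring diff and, if so, separating the normalization into its own commit would keep the blame history of the other keys intact. The `999999` default is the only place the cap's value is recorded and nothing explains it; since it bounds how many packets a PCAP job hands back to the UI, a comment such as `# upper bound on packets extracted per PCAP job; lower it if large streams overwhelm the UI` next to it would help the next maintainer. The original indentation is not visible on this page, so the nesting of `suripcap:` under `config:` is inferred from key order only.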
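Review bot: `"pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}` is interpolated into the JSON unquoted and without a type guard, so a blank or non-integer value (the setting is exposed as editable in soc_sensoroni.yaml in this same commit) renders invalid JSON or a non-numeric field and the agent's config then fails to load. Applying Jinja's `int` filter, `"pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount | int }}`, guarantees a numeric literal; a blank value would then render as `0`, so whether `0` means "no packets" or "unlimited" should be checked against the consumer before relying on it. The surrounding `{% if %}` block begins outside the hunk.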
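Review bot: The description for `pcapMaxCount` tells the operator when to lower the value but not what it accepts or what it is set to out of the box, and because the value is rendered unquoted into sensoroni.json it must stay a positive integer; a closing sentence such as `Must be a positive integer; defaults to 999999.` would make that explicit. The preceding entry in the hunk carries `global: True` while the new one does not, so if the cap is intended to apply grid-wide rather than per node, `global: True` is probably missing here; that is inferred from the neighbouring entry only. The enclosing `sensoroni:` mapping begins outside the hunk.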
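Review bot: `lookupTunnelParent: true` ships the behaviour enabled by default, yet the setting's own description added to soc_soc.yaml in this commit says the option is best left false when the PCAP parser can locate encapsulated packets itself, and nothing here records which case the bundled parser falls into. A comment above the line, `# true: pivot to the encapsulating (e.g. VXLAN) stream when the pivoted event looks tunneled`, or a sentence in the description stating the default and why, would remove the apparent contradiction. The enclosing `soc:` mapping begins outside the hunk.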
@@ -126,6 +126,9 @@ soc:
 description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete.
 global: True
 advanced: True
+ lookupTunnelParent:
+ description: When true, if a pivoted event appears to be encapsulated, such as in a VxLan packet, then SOC will pivot to the VxLan packet stream. This can be useful if the PCAP parser is unable to locate the encapsulated packets. However, if the parser is written in a way that it can find a given filter even if its encapsulated, this is best left to false, as the analyst will see the intended packet data rather than the wrapping packet data.
+ global: True
 sostatus:
 refreshIntervalMs:
 description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled.
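Review bot: The new `lookupTunnelParent` description has several wording problems: `if its encapsulated` should be `if it's encapsulated`, the protocol is conventionally written `VXLAN` rather than `VxLan`, and `this is best left to false` reads more naturally as `this is best left false`. It also never states the shipped default, which the soc/defaults.yaml hunk in this commit sets to `true`; appending `Defaults to true.` lets an analyst reading the UI help know which behaviour they currently get. The sibling entries in the hunk carry `advanced: True` while this one has only `global: True`, so if the setting is meant to appear alongside them that flag may be missing, though this is inferred from the neighbours. The enclosing `soc:` mapping begins outside the hunk.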