Merge branch '2.4/dev' into desktop

This commit is contained in:
Mike Reeves
2023-06-26 15:20:43 -04:00
7 changed files with 51 additions and 28 deletions


@@ -1,20 +1,21 @@
{
"description" : "suricata.common",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
{ "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
{ "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
{ "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
{ "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
{ "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
{ "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } },
{ "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
{ "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" } },
{ "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
{ "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
{ "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
{ "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
{ "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
{ "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
{ "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } },
{ "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
{ "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } },
{ "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" } },
{ "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },
{ "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
{ "remove":{ "field": "agent", "ignore_failure": true } },
{ "remove":{ "field": "agent", "ignore_failure": true } },
{ "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } }
]
}
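Review bot: The new `{ "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } }` processor uses `ignore_missing` while almost every other rename in this pipeline uses `ignore_failure`; `ignore_missing` only tolerates an absent source field, so a rename that fails for any other reason (for example `xff.ip` already set on the event) fails the pipeline and, as far as I can tell, rejects the document. If that stricter behaviour is not intended, `"ignore_failure": true` keeps this line consistent with its neighbours. The `community_id` rename has the same asymmetry, presumably inherited from before this change.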


@@ -12,6 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
clean_requirements_on_remove=1
{% if proxy -%}
{%- if proxy %}
proxy={{ proxy }}
{% endif %}
{%- endif %}


@@ -11,6 +11,10 @@
'Rocky-Sources.repo',
'Rocky-Vault.repo',
'Rocky-x86_64-kernel.repo',
'rocky-addons.repo',
'rocky-devel.repo',
'rocky-extras.repo',
'rocky.repo',
'docker-ce.repo',
'epel.repo',
'epel-testing.repo',


@@ -580,18 +580,18 @@ soc:
- event.dataset
- process.executable
- user.name
'::process_terminated':
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
'::file_create':
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
'::registry_value_set':
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
@@ -1000,12 +1000,13 @@ soc:
- destination.port
- tds.header_type
- log.id.uid
- event.dataset
- event.dataset
server:
bindAddress: 0.0.0.0:9822
baseUrl: /
maxPacketCount: 5000
htmlDir: html
importUploadDir: /nsm/soc/uploads
airgapEnabled: false
modules:
cases: soc
@@ -1033,7 +1034,7 @@ soc:
asyncThreshold: 10
influxdb:
hostUrl:
token:
token:
org: Security Onion
bucket: telegraf/so_short_term
verifyCert: false
@@ -1408,7 +1409,7 @@ soc:
- name: Host Registry Changes
description: Windows Registry changes
query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
- name: Host DNS & Process Mappings
- name: Host DNS & Process Mappings
description: DNS queries mapped to originating processes
query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data'
- name: Host Process Activity
@@ -1685,7 +1686,7 @@ soc:
- name: Templates
query: 'so_case.category:template'
case:
analyzerNodeId:
analyzerNodeId:
mostRecentlyUsedLimit: 5
renderAbbreviatedCount: 30
presets:


@@ -1,5 +1,5 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
@@ -23,6 +23,7 @@ so-soc:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds:
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw
- /nsm/soc/uploads:/nsm/soc/uploads:rw
- /opt/so/log/soc/:/opt/sensoroni/logs/:rw
- /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro


@@ -4,6 +4,8 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
PIPE_OWNER=${PIPE_OWNER:-socore}
PIPE_GROUP=${PIPE_GROUP:-socore}
SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
@@ -185,7 +187,9 @@ function send_file() {
log "Cleanup: $cleanup"
log "encrypting..."
gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"
password=$(lookup_pillar_secret import_pass)
response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from")
log Response:$'\n'"$response"
fromgpg="$from.gpg"
filename=$(basename "$fromgpg")
@@ -228,18 +232,23 @@ function import_file() {
filegpg="$file.gpg"
log "decrypting..."
$CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
password=$(lookup_pillar_secret import_pass)
decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
$CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
decrypt_code=$?
if [[ $decrypt_code -eq 0 ]]; then
mv "$file.tmp" "$file"
log "importing..."
case $importer in
pcap)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
import_cmd="so-import-pcap $file --json"
response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
exit_code=$?
;;
evtx)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
import_cmd="so-import-evtx $file --json"
response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
exit_code=$?
;;
*)
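Review bot: In import_file, `decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"` puts the pillar secret and unquoted file paths into one string that salt's cmd.run hands to a shell on `$node`, so the passphrase is visible in that node's process list and presumably in the salt job cache and logs, and a `$file` value containing whitespace or shell metacharacters changes the command that actually runs. The `--passphrase "$password"` argv exposure also applies to the send_file hunk above, where gpg's exit status is additionally never checked before `fromgpg="$from.gpg"` is used. Keeping the passphrase off argv (gpg's `--passphrase-fd 0` fed through cmd.run's `stdin` argument, or `--passphrase-file` pointing at a root-only file on the node) and validating or quoting `$file` before it is interpolated into `decrypt_cmd` and `import_cmd` would close both. Nothing on the new side removes `$file.tmp` when `decrypt_code` is non-zero. Both send_file and import_file start outside the hunk.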


@@ -1296,6 +1296,7 @@ generate_passwords(){
KRATOSKEY=$(get_random_value)
REDISPASS=$(get_random_value)
SOCSRVKEY=$(get_random_value 64)
IMPORTPASS=$(get_random_value)
}
generate_interface_vars() {
@@ -2102,6 +2103,7 @@ secrets_pillar(){
" playbook_admin: $PLAYBOOKADMINPASS"\
" playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
" playbook_automation_api_key: "\
" import_pass: $IMPORTPASS"\
" influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
fi
}
@@ -2402,7 +2404,12 @@ update_sudoers_for_testing() {
update_packages() {
if [[ $is_rocky ]]; then
logCmd "dnf repolist"
logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
RMREPOFILES=("rocky-addons.repo" "rocky-devel.repo" "rocky-extras.repo" "rocky.repo")
info "Removing repo files added by rocky-repos package update"
for FILE in ${RMREPOFILES[@]}; do
logCmd "rm -f /etc/yum.repos.d/$FILE"
done
else
info "Running apt-get update"
retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
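Review bot: In update_packages, `for FILE in ${RMREPOFILES[@]}; do` expands the array unquoted, so each entry is word-split and glob-expanded before `rm -f /etc/yum.repos.d/$FILE` runs; `for FILE in "${RMREPOFILES[@]}"; do` with `logCmd "rm -f -- /etc/yum.repos.d/$FILE"` is the safe form (ShellCheck SC2068). The four names are fixed literals here, so this is a style point today rather than a live bug, but the same four file names appear in the repo list hunk earlier on this page, and a one-line comment such as `# rocky-repos re-creates these; the salt repo state owns the final set` would spare the next reader the cross-reference if that is indeed the relationship. update_packages continues past the end of the hunk.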