diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf
index ff7197360..e667d54c7 100644
--- a/salt/idstools/etc/disable.conf
+++ b/salt/idstools/etc/disable.conf
@@ -1,4 +1,4 @@
-{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
+{%- set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
 # idstools - disable.conf
 # Example of disabling a rule by signature ID (gid is optional).
diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf
index c16b25986..da2dfb6af 100644
--- a/salt/idstools/etc/enable.conf
+++ b/salt/idstools/etc/enable.conf
@@ -1,4 +1,4 @@
-{% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
+{%- set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
 # idstools-rulecat - enable.conf
 # Example of enabling a rule by signature ID (gid is optional).
diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf
index a32725ada..52c4ca2ea 100644
--- a/salt/idstools/etc/modify.conf
+++ b/salt/idstools/etc/modify.conf
@@ -1,18 +1,10 @@
-{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
+{%- set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
 # idstools-rulecat - modify.conf
 # Format: "" ""
 # Example changing the seconds for rule 2019401 to 3600.
 #2019401 "seconds \d+" "seconds 3600"
-
-# Change all trojan-activity rules to drop. Its better to setup a
-# drop.conf for this, but this does show the use of back references.
-#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
-
-# For compatibility, most Oinkmaster modifysid lines should work as
-# well.
-#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
 {%- for sid in modify_sids %}
 {{ sid }}
 {%- endfor %}
\ No newline at end of file
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 59a5ccda5..1957c6c13 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
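Review bot: The `{}` default on the new first line of modify.conf only takes effect when `idstools:sids:modify` is absent from the pillar, yet the pillar that `manager_pillar` in setup/so-functions writes in this same commit emits `modify:` with no value, which YAML reads as null; Salt's `pillar.get` appears to hand that null back rather than the default, so `modify_sids` is `None` and the `{%- for sid in modify_sids %}` context line fails to render instead of producing an empty file. Guarding the loop, `{%- for sid in modify_sids or [] %}`, or defaulting to `[]` and having the pillar writer emit `modify: []`, closes that gap. The same pattern is in the disable.conf and enable.conf hunks above and in rulecat.conf's `URLS`; how the Salt version in use treats a present-but-null key should be confirmed before relying on the default. The `{}` default is also a mapping where the loop treats the value as a list of lines, so `[]` is the more honest default.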
@@ -1,4 +1,4 @@
-{% set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{% set URLS = salt['pillar.get']('idstools:config:urls', {}) -%}
 {% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
 {% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
 --suricata-version=5.0
diff --git a/salt/zeek/fileextraction_defaults.yaml b/salt/zeek/fileextraction_defaults.yaml
new file mode 100644
index 000000000..3823b8203
--- /dev/null
+++ b/salt/zeek/fileextraction_defaults.yaml
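Review bot: The new default makes `URLS` an empty mapping when the key is missing, but this commit also renames the pillar key from `url` to `urls` in `manager_pillar`, so a pillar written by an earlier setup still carries `url:` and now silently resolves to `{}` instead of the configured URL list. A comment on the line, `{# pillar key renamed from idstools:config:url; older pillars must be updated #}`, or a fallback read of the old key, `salt['pillar.get']('idstools:config:url', {})`, would make that visible. `RULESET` and `OINKCODE` on the context lines still have no default, so a missing key renders as `None` into the file; how `URLS` is consumed is outside the hunk.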
@@ -0,0 +1,29 @@
+zeek:
+ policy:
+ file_extraction:
+ - application/x-dosexec: exe
+ - application/pdf: pdf
+ - application/msword: doc
+ - application/vnd.ms-powerpoint: doc
+ - application/rtf: doc
+ - application/vnd.ms-word.document.macroenabled.12: doc
+ - application/vnd.ms-word.template.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+ - application/vnd.ms-excel: doc
+ - application/vnd.ms-excel.addin.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+ - application/vnd.ms-excel.template.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+ - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument: doc
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 103f36c5a..7b91632c9 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
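Review bot: `file_extraction` is a list of single-key mappings rather than one mapping, which is what forces the nested `for li … for k,v` loops in extract.zeek and makes the trailing-comma handling there fragile; a plain mapping with `application/x-dosexec: exe` entries directly under `file_extraction:` would let the template iterate `.items()` once and use `loop.last` on a single loop. The file has no header comment saying what the value is; the consumer shows it is the string each MIME type is mapped to in the Zeek `_mime_whitelist` table, so a first line `# MIME type -> label stored in extract.zeek's _mime_whitelist` would document that. The last entry, `application/vnd.openxmlformats-officedocument`, is a prefix rather than a registered type and is carried over from the old table, so a comment on why it is kept would help; the file also lacks a trailing newline.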
@@ -68,6 +68,14 @@ zeekpolicysync:
 - group: 939
 - template: jinja
+# Sync Intel
+zeekintelloadsync:
+ file.managed:
+ - name: /opt/so/conf/policy/intel/__load__.zeek
+ - source: salt://zeek/policy/intel/__load__.zeek
+ - user: 937
+ - group: 939
+
 zeekctlcfg:
 file.managed:
 - name: /opt/so/conf/zeek/zeekctl.cfg
diff --git a/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE b/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/zeek/policy/intel/__load__.zeek b/salt/zeek/policy/intel/__load__.zeek
index 4a4d603a7..4df4e0265 100644
--- a/salt/zeek/policy/intel/__load__.zeek
+++ b/salt/zeek/policy/intel/__load__.zeek
@@ -1 +1,6 @@
-#Intel
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+redef Intel::read_files += {
+ "/opt/zeek/share/zeek/policy/intel/intel.dat"
+};
\ No newline at end of file
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index fbb635982..cf7b307ab 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -1,3 +1,4 @@
+{%- from zeek/fileextraction_defaults.yaml import zeek %}
 # Directory to stage Zeek extracted files before processing
 redef FileExtract::prefix = "/nsm/zeek/extracted/";
 # Set a limit to the file size
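Review bot: The new `zeekintelloadsync` state manages `/opt/so/conf/policy/intel/__load__.zeek` but sets neither `makedirs` nor `mode`, so if the `intel` directory is not already present on the sensor the state fails, and the file's permissions are left to the minion's defaults; adding `- makedirs: True` and an explicit `- mode: 644` (or whatever the sibling states use, which the hunk does not show) pins both. The `# Sync Intel` comment does not say why this file is managed on its own rather than through `zeekpolicysync` above, nor that the `__load__.zeek` it ships reads `/opt/zeek/share/zeek/policy/intel/intel.dat`, a path under a different root than the managed file. A comment recording the relationship between `/opt/so/conf/policy` and Zeek's policy directory belongs here, written only once that mapping is confirmed, since the page does not show it.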
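Review bot: `@load frameworks/files/hash-all-files` makes Zeek hash every file it observes, not only those that match an indicator; that is what `Intel::FILE_HASH` matching needs, but it is a standing CPU cost on every sensor, so the file should say so, `# hash-all-files is required for Intel::FILE_HASH matches; it hashes every observed file`, letting an operator who only loads address and domain indicators drop it. The `Intel::read_files` entry is an absolute path with no comment linking it to the `intel.dat` that setup copies into `salt/zeek/policy/intel/`, and the file ends without a newline; a one-line comment naming where that file comes from and how it reaches the sensor would make the chain traceable. It is also worth stating next to `@load frameworks/intel/do_notice` that only indicators whose `meta.do_notice` column is `T` raise a notice.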
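Review bot: `{%- from zeek/fileextraction_defaults.yaml import zeek %}` on the added first line is Jinja's template import, which brings in macros or variables exported by another template and takes a quoted string, not a YAML document; written unquoted, `zeek/fileextraction_defaults.yaml` is parsed as an expression, so rendering this file through `template: jinja` fails. The Salt construct for loading YAML data is `{%- import_yaml 'zeek/fileextraction_defaults.yaml' as defaults %}`, with the loop in the next hunk then reading `defaults.zeek.policy.file_extraction`. This only works if the state that ships extract.zeek renders it as a Jinja template, which is outside the hunk.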
@@ -5,33 +6,15 @@ redef FileExtract::default_limit = 9000000;
 # These are the mimetypes we want to rip off the networks
 export {
 global _mime_whitelist: table[string] of string = {
- ["application/x-dosexec"] = "exe",
- ["application/pdf"] = "pdf",
- ["application/msword"] = "doc",
- ["application/vnd.ms-powerpoint"] = "doc",
- ["application/rtf"] = "doc",
- ["application/vnd.ms-word.document.macroenabled.12"] = "doc",
- ["application/vnd.ms-word.template.macroenabled.12"] = "doc",
- ["application/vnd.ms-powerpoint.template.macroenabled.12"] = "doc",
- ["application/vnd.ms-excel"] = "doc",
- ["application/vnd.ms-excel.addin.macroenabled.12"] = "doc",
- ["application/vnd.ms-excel.sheet.binary.macroenabled.12"] = "doc",
- ["application/vnd.ms-excel.template.macroenabled.12"] = "doc",
- ["application/vnd.ms-excel.sheet.macroenabled.12"] = "doc",
- ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "doc",
- ["application/vnd.openxmlformats-officedocument.presentationml.slide"] = "doc",
- ["application/vnd.openxmlformats-officedocument.presentationml.slideshow"] = "doc",
- ["application/vnd.openxmlformats-officedocument.presentationml.template"] = "doc",
- ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "doc",
- ["application/vnd.openxmlformats-officedocument.spreadsheetml.template"] = "doc",
- ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "doc",
- ["application/vnd.openxmlformats-officedocument.wordprocessingml.template"] = "doc",
- ["application/vnd.ms-powerpoint.addin.macroenabled.12"] = "doc",
- ["application/vnd.ms-powerpoint.slide.macroenabled.12"] = "doc",
- ["application/vnd.ms-powerpoint.presentation.macroenabled.12"] = "doc",
- ["application/vnd.ms-powerpoint.slideshow.macroenabled.12"] = "doc",
- ["application/vnd.openxmlformats-officedocument"] = "doc"
- # Need to add other types such as zip, ps1, etc
+ {%- for li in zeek.policy.file_extraction %}
+ {%- for k,v in li %}
+ {%- if not loop.last %}
+ ["{{ k }}"] = "{{ v }}",
+ {%- else %}
+ ["{{ k }}"] = "{{ v }}"
+ {%- endif %}
+ {%- endfor %}
+ {%- endfor %}
 };
 }
 # Start grabbing the file from the network if it matches the mimetype
diff --git a/setup/files/intel.dat b/setup/files/intel.dat
new file mode 100644
index 000000000..ca10994b6
--- /dev/null
+++ b/setup/files/intel.dat
@@ -0,0 +1,5 @@
+#fields indicator indicator_type meta.source meta.do_notice
+# EXAMPLES:
+#66.32.119.38 Intel::ADDR Test Address T
+#www.honeynet.org Intel::DOMAIN Test Domain T
+#4285358dd748ef74cb8161108e11cb73 Intel::FILE_HASH Test MD5 T
diff --git a/setup/so-functions b/setup/so-functions
index 7493b3f0d..ddf20c6d0 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -986,12 +986,12 @@ manager_pillar() {
 " config:"\
 " ruleset: $RULESETUP"\
 " oinkcode: $OINKCODE"\
- " url:"\
+ " urls:"\
 " sids:"\
 " enabled:"\
 " disabled:"\
 " modify:"\
- ""
+ ""\
 "kratos:" >> "$pillar_file"
@@ -1441,9 +1441,11 @@ setup_salt_master_dirs() {
 if [ "$setup_type" = 'iso' ]; then
 rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+ cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 else
- cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
- cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+ cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
+ cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+ cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 fi
 echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1
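Review bot: `{%- for k,v in li %}` iterates a mapping, which in Jinja yields its keys, so the two-target unpack runs on a string such as `application/pdf` and fails; it needs `li.items()`. The `loop.last` test is also inside that inner loop, whose single entry is always its last, so the trailing comma is never emitted and the rendered table would read `["a"] = "exe" ["b"] = "pdf" …`, which Zeek rejects; the comma has to follow the outer loop's `loop.last`. The rewrite below fixes both while keeping the data layout of fileextraction_defaults.yaml; the `export` block opens and the `_mime_whitelist` table closes inside the hunk.
```zeek
    global _mime_whitelist: table[string] of string = {
    {%- for li in zeek.policy.file_extraction %}
    {%- set outer = loop %}
    {%- for k, v in li.items() %}
        ["{{ k }}"] = "{{ v }}"{% if not outer.last %},{% endif %}
    {%- endfor %}
    {%- endfor %}
    };
```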
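Review bot: The Intel framework reads this file through the input framework, which expects the `#fields` header and every record to be tab-separated; the rendered diff collapses whitespace, so whether the five new lines use tabs rather than spaces cannot be checked here and should be confirmed, since space-separated columns make the loader reject the file. A line at the top, `# Columns are tab-separated; indicator_type is an Intel::Type value (Intel::ADDR, Intel::DOMAIN, Intel::FILE_HASH, ...)`, would stop the next editor from retabbing it. With every indicator commented out the file loads as empty, which is fine as a seed but means a sensor raises no intel hits until an operator edits the copy under salt/zeek/policy/intel/.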
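Review bot: Both new `cp -Rv … intel.dat $local_salt_dir/salt/zeek/policy/intel/` lines assume the `intel` directory already exists under `$local_salt_dir`; the rest of the tree is copied to `$default_salt_dir`, so nothing visible here creates it, and with the trailing slash `cp` then fails with "Not a directory", an error that only reaches `$setup_log` because the exit status is not checked. Preceding both copies with `mkdir -p $local_salt_dir/salt/zeek/policy/intel` (or using `install -D`) closes that. The ISO branch copies from `/home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat` while the repository keeps the file under `setup/files/`, so the ISO tree has to place it at the top level for that path to resolve, which is worth confirming. Putting the file under `$local_salt_dir` rather than `$default_salt_dir` looks deliberate but is uncommented; `# intel.dat lives in the local salt root so operator edits survive upgrades` would record the intent if that is what it is.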