Misc pillars

2025-12-06 09:12:45 +01:00 · 2020-07-17 17:38:10 -04:00
parent 693a101d34
commit 1d24d7bc7f
11 changed files with 68 additions and 44 deletions
--- a/salt/idstools/etc/disable.conf
+++ b/salt/idstools/etc/disable.conf
@@ -1,4 +1,4 @@
-{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
+{%- set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
 # idstools - disable.conf

 # Example of disabling a rule by signature ID (gid is optional).
--- a/salt/idstools/etc/enable.conf
+++ b/salt/idstools/etc/enable.conf
@@ -1,4 +1,4 @@
-{% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
+{%- set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
 # idstools-rulecat - enable.conf

 # Example of enabling a rule by signature ID (gid is optional).
--- a/salt/idstools/etc/modify.conf
+++ b/salt/idstools/etc/modify.conf
@@ -1,18 +1,10 @@
-{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
+{%- set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
 # idstools-rulecat - modify.conf

 # Format: <sid> "<from>" "<to>"

 # Example changing the seconds for rule 2019401 to 3600.
 #2019401 "seconds \d+" "seconds 3600"
-
-# Change all trojan-activity rules to drop. Its better to setup a
-# drop.conf for this, but this does show the use of back references.
-#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
-
-# For compatibility, most Oinkmaster modifysid lines should work as
-# well.
-#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
 {%- for sid in modify_sids %}
 {{ sid }}
 {%- endfor %}
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,4 +1,4 @@
-{% set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{% set URLS = salt['pillar.get']('idstools:config:urls', {}) -%}
 {% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
 {% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
 --suricata-version=5.0
--- a/salt/zeek/fileextraction_defaults.yaml
+++ b/salt/zeek/fileextraction_defaults.yaml
@@ -0,0 +1,29 @@
+zeek:
+  policy:
+    file_extraction:
+      - application/x-dosexec: exe
+      - application/pdf: pdf
+      - application/msword: doc
+      - application/vnd.ms-powerpoint: doc
+      - application/rtf: doc
+      - application/vnd.ms-word.document.macroenabled.12: doc
+      - application/vnd.ms-word.template.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+      - application/vnd.ms-excel: doc
+      - application/vnd.ms-excel.addin.macroenabled.12: doc
+      - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+      - application/vnd.ms-excel.template.macroenabled.12: doc
+      - application/vnd.ms-excel.sheet.macroenabled.12: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+      - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+      - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+      - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+      - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+      - application/vnd.openxmlformats-officedocument: doc
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -68,6 +68,14 @@ zeekpolicysync:
    - group: 939
    - template: jinja

+# Sync Intel
+zeekintelloadsync:
+  file.managed:
+    - name: /opt/so/conf/policy/intel/__load__.zeek
+    - source: salt://zeek/policy/intel/__load__.zeek
+    - user: 937
+    - group: 939
+
 zeekctlcfg:
  file.managed:
    - name: /opt/so/conf/zeek/zeekctl.cfg
--- a/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE
+++ b/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE
--- a/salt/zeek/policy/intel/load.zeek
+++ b/salt/zeek/policy/intel/load.zeek
@@ -1 +1,6 @@
-#Intel
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+redef Intel::read_files += {
+        "/opt/zeek/share/zeek/policy/intel/intel.dat"
+};
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -1,3 +1,4 @@
+{%- from zeek/fileextraction_defaults.yaml import zeek %}
 # Directory to stage Zeek extracted files before processing
 redef FileExtract::prefix = "/nsm/zeek/extracted/";
 # Set a limit to the file size
@@ -5,33 +6,15 @@ redef FileExtract::default_limit = 9000000;
 # These are the mimetypes we want to rip off the networks
 export {
    global _mime_whitelist: table[string] of string = {
-        ["application/x-dosexec"] = "exe",
-        ["application/pdf"] = "pdf",
-        ["application/msword"] = "doc",
-        ["application/vnd.ms-powerpoint"] = "doc",
-        ["application/rtf"] = "doc",
-        ["application/vnd.ms-word.document.macroenabled.12"] = "doc",
-        ["application/vnd.ms-word.template.macroenabled.12"] = "doc",
-        ["application/vnd.ms-powerpoint.template.macroenabled.12"] = "doc",
-        ["application/vnd.ms-excel"] = "doc",
-        ["application/vnd.ms-excel.addin.macroenabled.12"] = "doc",
-        ["application/vnd.ms-excel.sheet.binary.macroenabled.12"] = "doc",
-        ["application/vnd.ms-excel.template.macroenabled.12"] = "doc",
-        ["application/vnd.ms-excel.sheet.macroenabled.12"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.slide"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.slideshow"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.template"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.spreadsheetml.template"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.wordprocessingml.template"] = "doc",
-        ["application/vnd.ms-powerpoint.addin.macroenabled.12"] = "doc",
-        ["application/vnd.ms-powerpoint.slide.macroenabled.12"] = "doc",
-        ["application/vnd.ms-powerpoint.presentation.macroenabled.12"] = "doc",
-        ["application/vnd.ms-powerpoint.slideshow.macroenabled.12"] = "doc",
-        ["application/vnd.openxmlformats-officedocument"] = "doc"
-        # Need to add other types such as zip, ps1, etc
+        {%- for li in zeek.policy.file_extraction %}
+          {%- for k,v in li %}
+          {%- if not loop.last %}
+        ["{{ k }}"] = "{{ v }}",
+          {%- else %}
+        ["{{ k }}"] = "{{ v }}"
+          {%- endif %}
+          {%- endfor %}
+        {%- endfor %}
        };
 }
 # Start grabbing the file from the network if it matches the mimetype
--- a/setup/files/intel.dat
+++ b/setup/files/intel.dat
@@ -0,0 +1,5 @@
+#fields	indicator	indicator_type	meta.source	meta.do_notice
+# EXAMPLES:
+#66.32.119.38	Intel::ADDR	Test Address	T
+#www.honeynet.org	Intel::DOMAIN	Test Domain	T
+#4285358dd748ef74cb8161108e11cb73	Intel::FILE_HASH	Test MD5	T
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -986,12 +986,12 @@ manager_pillar() {
 		"  config:"\
 		"    ruleset: $RULESETUP"\
 		"    oinkcode: $OINKCODE"\
-		"    url:"\
+		"    urls:"\
 		"  sids:"\
 		"    enabled:"\
 		"    disabled:"\
 		"    modify:"\
-		""
+		""\
 		"kratos:" >> "$pillar_file"
 		

@@ -1441,9 +1441,11 @@ setup_salt_master_dirs() {
 	if [ "$setup_type" = 'iso' ]; then
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	else
-		cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
-		cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
+		cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	fi

 	echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1