From 36fc3bbd6dd0df4d9ba4110f6269e3605ec8e347 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 30 Oct 2024 10:24:11 -0400 Subject: [PATCH 1/9] add so-ip-mappings index Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 29 +++++++++++++++++++ .../component/so/so-ip-mappings.json | 22 ++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 salt/elasticsearch/templates/component/so/so-ip-mappings.json diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f0178728e..c8684e775 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -599,6 +599,35 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-ip-mappings: + index_sorting: false + index_template: + composed_of: + - so-ip-mappings + ignore_missing_component_templates: [] + index_patterns: + - so-ip* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + mapping: + total_fields: + limit: 1500 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc so-items: index_sorting: false index_template: diff --git a/salt/elasticsearch/templates/component/so/so-ip-mappings.json b/salt/elasticsearch/templates/component/so/so-ip-mappings.json new file mode 100644 index 000000000..ab80e365c --- /dev/null +++ b/salt/elasticsearch/templates/component/so/so-ip-mappings.json @@ -0,0 +1,22 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "so": { + "properties": { + "ip_address": { + "type": "ip" + }, + "description": { + "type": "text" + } + } + } + } + } + } +} \ No newline at end of file 
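Review bot: The index pattern `- so-ip*` is wider than the single index `so-ip-mappings` this template is written for, so with `priority: 500` it would also be applied to any future index whose name happens to start with `so-ip`, forcing this template's shard count, replica count and `@timestamp` sort onto it. Narrowing it to `- so-ip-mappings*` keeps the mapping scoped to this one data set; if the broader wildcard is intentional, a short YAML comment above `index_patterns` naming the indices it is expected to catch would make that explicit. Note also that the `sort.field: '@timestamp'` setting only works once `@timestamp` is mapped in the composed `so-ip-mappings` component template, which this patch's JSON does not yet provide.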
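Review bot: The `_meta.documentation` URL points at the ECS network field set, but the fields defined in this template (`so.ip_address`, `so.description`) are custom `so.*` fields rather than ECS `network.*` fields, so the link misdirects whoever maintains the mapping later. Either point `documentation` at the project's own description of the IP-mappings feature (a labelled placeholder such as `<docs-url-for-ip-mappings>` until one exists) or drop the ECS link and keep `ecs_version` only if this template is genuinely meant to track that ECS release. Separately, `description` is mapped as `text`, which cannot be used for exact filtering or aggregation; if the consuming UI needs that, a `keyword` sub-field would be required, but the consumer is not visible in this patch so that is only a question to confirm.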
From 6b468eaed3ec886442ed1cfcf496ff7c2dc4e489 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Wed, 30 Oct 2024 16:52:44 -0400 Subject: [PATCH 2/9] rm eaintegration state file --- salt/manager/tools/sbin/soup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 3fda54fb9..bd2db98d7 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -719,6 +719,9 @@ up_to_2.4.120() { mkdir /opt/so/saltstack/local/pillar/versionlock touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls + # New Grid Integration added this release + rm -f /opt/so/state/eaintegrations.txt + INSTALLEDVERSION=2.4.120 } From 7896f951f3f7f267b7db65febf83b255280f8635 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 31 Oct 2024 10:24:58 -0400 Subject: [PATCH 3/9] timestamp fix --- salt/elasticsearch/templates/component/so/so-ip-mappings.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/templates/component/so/so-ip-mappings.json b/salt/elasticsearch/templates/component/so/so-ip-mappings.json index ab80e365c..a61eae5fd 100644 --- a/salt/elasticsearch/templates/component/so/so-ip-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-ip-mappings.json @@ -6,6 +6,9 @@ "template": { "mappings": { "properties": { + "@timestamp": { + "type": "date" + }, "so": { "properties": { "ip_address": { From 083c678400f1905cb0abe25dee0ea22551f75e83 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Nov 2024 09:46:26 -0500 Subject: [PATCH 4/9] new salt repo --- setup/so-functions | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index e3c8a5615..cc55ec21d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
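Review bot: The new comment `# New Grid Integration added this release` names the feature but not why deleting `/opt/so/state/eaintegrations.txt` is the correct upgrade step, so the next person editing `up_to_2.4.120()` cannot tell whether the file is a disposable marker or something that must be regenerated afterwards. Presumably the file gates re-applying the Elastic Agent integrations and removing it forces them to be applied once more on the next run; if that is the case, say so: `# New Grid Integration added this release: remove the integrations state marker so the integrations are re-applied on the next run`. The body of `up_to_2.4.120()` begins outside the hunk.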
@@ -1843,9 +1843,9 @@ repo_sync_local() { fi dnf install -y yum-utils device-mapper-persistent-data lvm2 curl -fsSL https://repo.securityonion.net/file/so-repo/prod/2.4/so/so.repo | tee /etc/yum.repos.d/so.repo - rpm --import https://repo.saltproject.io/salt/py3/redhat/9/x86_64/SALT-PROJECT-GPG-PUBKEY-2023.pub + rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo - curl -fsSL "https://repo.saltproject.io/salt/py3/redhat/9/x86_64/minor/$SALTVERSION.repo" | tee /etc/yum.repos.d/salt.repo + curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo dnf repolist curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install else 
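Review bot: The Salt repository definition is now fetched from `https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo`, a moving `latest` target, whereas the removed line pinned it to `minor/$SALTVERSION.repo`; `$SALTVERSION` is no longer referenced on this branch, so which Salt packages `dnf` offers is now decided by the contents of that file at install time rather than by the setup script. If version pinning is enforced elsewhere (the `versionlock` pillar touched by `soup` in this series suggests it may be), a comment here saying so would save the next reader the search; otherwise pin the download to a specific release tag. Independently, `curl -fsSL ... | tee /etc/yum.repos.d/salt.repo` returns `tee`'s exit status unless `pipefail` is set somewhere in the file, so a failed download leaves an empty `salt.repo` and the script carries on; `curl -fsSL -o /etc/yum.repos.d/salt.repo "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo"` fails visibly instead (the `so.repo` line above has the same shape but is not changed by this patch). `repo_sync_local()` begins and ends outside the hunk.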
@@ -1878,24 +1878,19 @@ saltify() { logCmd "mkdir -vp /etc/apt/keyrings" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" + # Download public key + logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public" + # Create apt repo target configuration + echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" | sudo tee /etc/apt/sources.list.d/salt.list + if [[ $is_ubuntu ]]; then - - # Add Salt Repo - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/ $OSVER main" | sudo tee /etc/apt/sources.list.d/salt.list - # Add Docker Repo add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" else - # Add Salt Repo *NOTE* You have to use debian 11 since it isn't out for 12 - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/ bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list - # Add Docker Repo curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list - fi logCmd "apt-key add 
/etc/apt/keyrings/salt-archive-keyring-2023.gpg" From 6e14f7b6267d7419c9ac3807a1817dcde1280918 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Nov 2024 11:14:00 -0500 Subject: [PATCH 5/9] fix pub key name --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index cc55ec21d..c6aadef3d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1893,7 +1893,7 @@ saltify() { echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list fi - logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg" + logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp" #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" logCmd "apt-key add /etc/apt/keyrings/docker.pub" From 69dd35c30a49587f08261c40f2b56458a7dbc96b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Mon, 4 Nov 2024 14:31:53 -0700 Subject: [PATCH 6/9] Add Option for Ignoring Ranges of SIDs in Suricata Integrity Check --- salt/soc/defaults.yaml | 2 ++ salt/soc/soc_soc.yaml | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 6a9a1bfc6..068a9c9b7 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1435,6 +1435,8 @@ soc: rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state integrityCheckFrequencySeconds: 1200 + ignoredSidRanges: + - '1100000-1199999' client: enableReverseLookup: false docsUrl: /docs/ diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 14296dade..fd3295daf 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
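Review bot: The new apt source `deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main` tracks `stable` instead of the `minor/$SALTVERSION` path the removed Ubuntu and Debian lines used, so on these platforms the Salt version installed is no longer fixed by this script; if that is deliberate because pinning happens elsewhere (apt pinning or the versionlock pillar), the `# Create apt repo target configuration` comment should say so, otherwise the pinning should be restored. The `echo ... | sudo tee /etc/apt/sources.list.d/salt.list` call is also the only command in this block not wrapped in `logCmd`, so its result will not appear in the install log next to the key download above it. The `signed-by=` option is the right way to scope trust to this one repository; keep it even if the version question is resolved differently. `saltify()` begins outside the hunk.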
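Review bot: With `signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp` already present in `salt.list`, the corrected `logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp"` still imports the Salt key into apt's global trusted keyring, which allows that key to sign any configured repository rather than only the Salt one, and `apt-key` is deprecated on current Debian and Ubuntu releases. Unless an older supported release still needs it, the line can be dropped in favour of the per-repository `signed-by=`; if it must stay, a comment naming the release that requires it would stop it being carried forward indefinitely. The same consideration applies to the `apt-key add /etc/apt/keyrings/docker.pub` line below, which this patch does not touch. `saltify()` continues outside the hunk.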
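Review bot: The default `ignoredSidRanges: - '1100000-1199999'` exempts a block of Suricata SIDs from the integrity check with no comment saying what occupies that range or why those rules are expected to differ from what the UI manages, so a reader cannot judge whether a later edit widens or shrinks the blind spot; the following patch (`@@ -1436,7 +1436,7 @@`, narrowing it to `'1100000-1101000'`) has the same gap. A one-line YAML comment above the key, e.g. `# SIDs reserved for <component>; these rules are managed outside the UI, so the integrity check must not flag them`, with the placeholder filled in from wherever that reservation is defined, would carry that context for both hunks. Because anything inside an ignored range will never be reported as modified, the default should stay as narrow as the reserved block actually is.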
@@ -390,6 +390,11 @@ soc: advanced: True forcedType: "[]{}" helpLink: suricata.html + ignoredSidRanges: + description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI.' + global: True + advanced: True + forcedType: "[]string" client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. From 5e48ccafce5ab3b4a04d6e059b311b8efac975b4 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 5 Nov 2024 11:11:34 -0700 Subject: [PATCH 7/9] Update Default Value --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 068a9c9b7..73446abd7 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1436,7 +1436,7 @@ soc: stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state integrityCheckFrequencySeconds: 1200 ignoredSidRanges: - - '1100000-1199999' + - '1100000-1101000' client: enableReverseLookup: false docsUrl: /docs/ From 25d55feeefd8f6955271daac729b94be1d2e4d4a Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 5 Nov 2024 11:41:14 -0700 Subject: [PATCH 8/9] More Detailed Description --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fd3295daf..3bd1774bc 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -391,7 +391,7 @@ soc: forcedType: "[]{}" helpLink: suricata.html ignoredSidRanges: - description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI.' + description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.' global: True advanced: True forcedType: "[]string" From 52a144c0521a3a4f5b7e476f60251b66f2c0a332 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 5 Nov 2024 12:11:17 -0700 Subject: [PATCH 9/9] Added Help Link to Annotation for IgnoredSidRanges --- salt/soc/soc_soc.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 3bd1774bc..c27228ab6 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -395,6 +395,7 @@ soc: global: True advanced: True forcedType: "[]string" + helpLink: detections.html#rule-engine-status client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.