Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into dev

2026-03-23 21:12:39 +01:00 · 2020-12-08 10:41:28 -05:00
parent 81e914ab23 f34a10a986
commit 2b412b6a48
9 changed files with 1873 additions and 62 deletions
--- a/salt/_modules/so.py
+++ b/salt/_modules/so.py
@@ -18,7 +18,7 @@ def mysql_conn(retry):
        return False

    mainint = __salt__['pillar.get']('host:mainint')
-    ip_arr = __salt__['grains.get']('ip_interfaces').get(mainint)
+    ip_arr = __salt__['grains.get']('ip4_interfaces').get(mainint)

    mysql_up = False

--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -111,7 +111,7 @@ heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-2
-      - docker-ce: 5:19.03.12~3-0~ubuntu-bionic
+      - docker-ce: 5:19.03.14~3-0~ubuntu-bionic
    - hold: True
    - update_holds: True

@@ -147,7 +147,7 @@ heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-3.2.el7
-      - docker-ce: 3:19.03.12-3.el7
+      - docker-ce: 3:19.03.14-3.el7
    - hold: True
    - update_holds: True
 {% endif %}
--- a/salt/common/tools/sbin/so-playbook-reset
+++ b/salt/common/tools/sbin/so-playbook-reset
@@ -22,5 +22,5 @@ salt-call state.apply playbook.db_init,playbook,playbook.automation_user_create
 /usr/sbin/so-soctopus-restart

 echo "Importing Plays - this will take some time...."
-wait 5
+sleep 5
 /usr/sbin/so-playbook-ruleupdate
--- a/salt/common/tools/sbin/so-suricata-testrule
+++ b/salt/common/tools/sbin/so-suricata-testrule
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- set VERSION = salt['pillar.get']('global:soversion') %}
+{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+
+TESTRULE=$1
+TESTPCAP=$2
+
+. /usr/sbin/so-common
+
+echo ""
+echo "==============="
+echo "Running all.rules and $TESTRULE against the following pcap: $TESTPCAP" 
+echo ""
+sleep 3
+
+cp /opt/so/conf/suricata/rules/all.rules /tmp/nids-testing/rules/all.rules
+cat $TESTRULE >> /tmp/nids-testing/rules/all.rules
+
+rm -rf /tmp/nids-testing/output
+mkdir -p /tmp/nids-testing/output
+chown suricata:socore /tmp/nids-testing/output
+mkdir -p /tmp/nids-testing/rules
+
+
+echo "==== Begin Suricata Output ==="
+
+  docker run --rm \
+    -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \
+    -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \
+    -v /tmp/nids-testing/rules:/etc/suricata/rules:ro \
+    -v "$TESTPCAP:/input.pcap:ro" \
+    -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \
+    -v /tmp/nids-testing/output/:/nsm/:rw \
+    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \
+    --runmode single -v -k none -r /input.pcap -l /tmp --init-errors-fatal
+echo "==== End Suricata Output ==="
+
+echo ""
+echo "If any alerts hit, they will be displayed below:"
+echo ""
+
+cat /tmp/nids-testing/output/* | jq
+
+echo ""
+echo "End so-suricata-testrule"
+echo "==============="
+echo ""
--- a/salt/playbook/files/playbook_db_init.sql
+++ b/salt/playbook/files/playbook_db_init.sql
--- a/salt/playbook/files/playbook_db_migrations.sql
+++ b/salt/playbook/files/playbook_db_migrations.sql
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -38,7 +38,7 @@ query_playbookdbuser_grants:
 query_updatwebhooks:
  mysql_query.run:
    - database: playbook
-    - query:    "update webhooks set url = 'http://{{MANAGERIP}}:7000/playbook/webhook' where project_id = 1"
+    - query:    "update webhooks set url = 'http://{{MANAGERIP}}:7000/playbook/webhook' where project_id in (1,2)"
    - connection_host: {{ MAINIP }}
    - connection_port: 3306
    - connection_user: root
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -43,6 +43,10 @@
        "password": "",
        "verifyCert": false
      },
+      "sostatus": {
+        "refreshIntervalMs": 30000,
+        "offlineThresholdMs": 60000
+      },
 {% if THEHIVEKEY != '' %}
      "thehive": {
        "hostUrl": "http://{{ MANAGERIP }}:9000/thehive",
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -771,7 +771,7 @@ disable_auto_start() {
 		logCmd "crontab -u $INSTALLUSERNAME -r"
 	fi

-	if grep -q so-setup /home/$INSTALLUSERNAME/.bash_profile; then
+	if grep -s -q so-setup /home/$INSTALLUSERNAME/.bash_profile; then
 		# Truncate last line of the bash profile
 		info "Removing auto-run of setup from bash profile"
 		sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
@@ -821,9 +821,9 @@ docker_install() {
 			  yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
 			fi
 			if [[ ! $is_iso ]]; then
-			  yum -y install docker-ce-19.03.12-3.el7 containerd.io-1.2.13-3.2.el7;
+			  yum -y install docker-ce-19.03.14-3.el7 containerd.io-1.2.13-3.2.el7;
 			fi
-			yum versionlock docker-ce-19.03.12-3.el7;
+			yum versionlock docker-ce-19.03.14-3.el7;
 			yum versionlock containerd.io-1.2.13-3.2.el7
 		} >> "$setup_log" 2>&1