CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-01 10:26:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move In Day

Browse Source
This commit is contained in:
Mike Reeves
2022-09-07 09:06:25 -04:00
parent dcb7b49dbe
commit 2bd9dd80e2
611 changed files with 8015 additions and 16211 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
salt/suricata/cron/so-suricata-eve-clean
View File

@@ -1,19 +1,11 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.. /usr/sbin/so-common
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
APP=so-suricata-eve-clean
lf=/tmp/$APP-pidLockFile

337
salt/suricata/defaults.yaml
View File

@@ -20,21 +20,18 @@ suricata:
port-groups:
HTTP_PORTS: "80"
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: 22
DNP3_PORTS: 20000
MODBUS_PORTS: 502
ORACLE_PORTS: "1521"
SSH_PORTS: "22"
DNP3_PORTS: "20000"
MODBUS_PORTS: "502"
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
FTP_PORTS: 21
VXLAN_PORTS: 4789
TEREDO_PORTS: 3544
FTP_PORTS: "21"
VXLAN_PORTS: "4789"
TEREDO_PORTS: "3544"
default-log-dir: /var/log/suricata/
stats:
enabled: "yes"
interval: 30
#decoder-events: true
#decoder-events-prefix: "decoder.event"
#stream-events: false
outputs:
- fast:
enabled: "no"
@@ -45,20 +42,6 @@ suricata:
filetype: regular
filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour
#prefix: "@cee: "
#identity: "suricata"
#facility: local5
#level: Info
#redis:
# server: 127.0.0.1
# port: 6379
# async: true
# mode: list
# key: suricata
# pipelining:
# enabled: "yes"
# batch-size: 10
#metadata: "no"
pcap-file: false
community-id: true
community-id-seed: 0
@@ -79,8 +62,6 @@ suricata:
rule:
metadata: true
raw: true
# http-body: "yes"
# http-body-printable: "yes"
tagged-packets: "no"
- unified2-alert:
enabled: "no"
@@ -88,41 +69,26 @@ suricata:
enabled: "no"
filename: http.log
append: "yes"
#extended: "yes"
#custom: "yes"
#customformat: ""
#filetype: regular
- tls-log:
enabled: "no"
filename: tls.log
append: "yes"
#extended: "yes"
#custom: "yes"
#customformat: ""
#filetype: regular
#session-resumption: "no"
- tls-store:
enabled: "no"
#certs-log-dir: certs
- pcap-log:
enabled: "no"
filename: log.pcap
limit: 1000mb
max-files: 2000
compression: none
#lz4-checksum: "no"
#lz4-level: 0
mode: normal
#dir: /nsm_data/
#ts-format: usec
use-stream-depth: "no"
honor-pass-rules: "no"
- alert-debug:
enabled: "no"
filename: alert-debug.log
append: "yes"
#filetype: regular
- alert-prelude:
enabled: "no"
profile: suricata
@@ -137,20 +103,12 @@ suricata:
null-values: "yes"
- syslog:
enabled: "no"
#identity: "suricata"
facility: local5
#level: Info
- drop:
enabled: "no"
- file-store:
version: 2
enabled: "no"
#dir: filestore
#write-fileinfo: "yes"
#force-filestore: "yes"
#stream-depth: 0
#max-open-files: 1000
#force-hash: [sha1, md5]
xff:
enabled: "no"
mode: extra-data
@@ -166,36 +124,23 @@ suricata:
filename: http-data.log
- lua:
enabled: "no"
#scripts-dir: /etc/suricata/lua-output/
scripts:
# - script1.lua
logging:
default-log-level: notice
#default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
outputs:
- console:
enabled: "yes"
# type: json
- file:
enabled: "yes"
level: info
filename: suricata.log
# type: json
- syslog:
enabled: "no"
facility: local5
format: "[%i] <%d> -- "
# type: json
pcap:
- interface: eth0
#buffer-size: 16777216
#bpf-filter: "tcp and port 25"
#checksum-checks: auto
#threads: 16
#promisc: "no"
#snaplen: 1518
- interface: default
#checksum-checks: auto
pcap-file:
checksum-checks: auto
app-layer:
@@ -210,13 +155,10 @@ suricata:
enabled: "yes"
detection-ports:
dp: 443
#ja3-fingerprints: auto
#encryption-handling: default
dcerpc:
enabled: "yes"
ftp:
enabled: "yes"
# memcap: 64mb
rdp:
enabled: "yes"
ssh:
@@ -241,16 +183,14 @@ suricata:
enabled: "yes"
detection-ports:
dp: 139, 445
#stream-depth: 0
nfs:
enabled: "yes"
tftp:
enabled: "yes"
dns:
#global-memcap: 16mb
#state-memcap: 512kb
#request-flood: 500
global-memcap: 16mb
state-memcap: 512kb
request-flood: 500
tcp:
enabled: "yes"
detection-ports:
@@ -261,14 +201,6 @@ suricata:
dp: 53
http:
enabled: "yes"
# memcap:
# default-config:
# personality:
# request-body-limit:
# response-body-limit:
# server-config:
# address:
# personalitiy:
libhtp:
default-config:
personality: IDS
@@ -280,49 +212,25 @@ suricata:
response-body-inspect-window: 16kb
response-body-decompress-layer-limit: 2
http-body-inline: auto
# compress-depth:
# decompress-depth:
swf-decompression:
enabled: "yes"
type: both
compress-depth: 0
decompress-depth: 0
#randomize-inspection-sizes: "yes"
#randomize-inspection-range: 10
double-decode-path: "no"
double-decode-query: "no"
#lzma-enabled: "yes"
#lzma-memlimit: 1mb
#compression-bomb-limit: 1mb
server-config:
#- apache:
# address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
# personality: Apache_2
# request-body-limit: 4096
# response-body-limit: 4096
# double-decode-path: "no"
# double-decode-query: "no"
#- iis7:
# address:
# - 192.168.0.0/24
# - 192.168.10.0/24
# personality: IIS_7_0
# request-body-limit: 4096
# response-body-limit: 4096
# double-decode-path: "no"
# double-decode-query: "no"
modbus:
#request-flood: 500
enabled: "no"
enabled: "yes"
detection-ports:
dp: 502
stream-depth: 0
dnp3:
enabled: "no"
enabled: "yes"
detection-ports:
dp: 20000
enip:
enabled: "no"
enabled: "yes"
detection-ports:
dp: 44818
sp: 44818
@@ -332,42 +240,20 @@ suricata:
enabled: "yes"
sip:
enabled: "yes"
rfb:
enabled: "yes"
detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt:
enabled: "no"
http2:
enabled: "no"
asn1-max-frames: 256
run-as:
user: suricata
group: suricata
#sensor-name: suricata
#pid-file: /var/run/suricata.pid
#daemon-directory: "/"
#umask: 022
coredump:
max-dump: unlimited
host-mode: auto
max-pending-packets: 5000
runmode: workers
#autofp-scheduler: hash
default-packet-size: 1500
default-packet-size: 9014
unix-command:
enabled: auto
#filename: custom.socket
#magic-file: /usr/share/file/magic
#magic-file:
#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb
legacy:
uricontent: enabled
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list
engine-analysis:
rules-fast-pattern: "yes"
rules: "yes"
@@ -400,8 +286,6 @@ suricata:
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
#managers: 1
#recyclers: 1
vlan:
use-for-tracking: true
flow-timeouts:
@@ -447,18 +331,10 @@ suricata:
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: "yes"
#randomize-chunk-range: 10
#raw: "yes"
#segment-prealloc: 2048
#check-overlap-different-data: true
host:
hash-size: 4096
prealloc: 1000
memcap: 32mb
#ippair:
# hash-size: 4096
# prealloc: 1000
# memcap: 32mb
decoder:
teredo:
enabled: true
@@ -467,6 +343,7 @@ suricata:
enabled: true
ports: $VXLAN_PORTS
erspan:
enabled: true
detect:
profile: medium
custom-values:
@@ -474,15 +351,10 @@ suricata:
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
#delayed-detect: "yes"
prefilter:
default: mpm
grouping:
#tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
#udp-whitelist: 53, 135, 5060
profiling:
#inspect-logging-threshold: 200
grouping:
dump-to-disk: false
include-rules: false
@@ -496,12 +368,10 @@ suricata:
states: 128
profiling:
#sample-rate: 1000
rules:
enabled: "yes"
filename: rule_perf.log
append: "yes"
#sort: avgticks
limit: 10
json: "yes"
keywords:
@@ -534,14 +404,6 @@ suricata:
filename: pcaplog_stats.log
append: "yes"
nfq:
# mode: accept
# repeat-mark: 1
# repeat-mask: 1
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
# batchcount: 20
# fail-open: "yes"
nflog:
- group: 2
buffer-size: 18432
@@ -550,178 +412,13 @@ suricata:
qtimeout: 100
max-size: 20000
capture:
#checksum-validation: none
netmap:
- interface: eth2
#threads: auto
#copy-mode: tap
#copy-iface: eth3
# disable-promisc: "no"
#checksum-checks: auto
#bpf-filter: port 80 or udp
#- interface: eth3
#threads: auto
#copy-mode: tap
#copy-iface: eth2
- interface: default
pfring:
- interface: eth0
threads: auto
cluster-id: 99
cluster-type: cluster_flow
#bpf-filter: tcp
#bypass: "yes"
#checksum-checks: auto
#- interface: eth1
# threads: 3
# cluster-id: 93
# cluster-type: cluster_flow
- interface: default
#threads: 2
ipfw:
# ipfw-reinjection-rule-number: 5500
napatech:
#hba: -1
#use-all-streams: "no"
streams: ["0-3"]
auto-config: "yes"
ports: [all]
hashmode: hash5tuplesorted
default-rule-path: /etc/suricata/rules
rule-files:
- all.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
threshold-file: /etc/suricata/threshold.conf
#include: include1.yaml
#include: include2.yaml
classification:
attempted-admin:
description: Attempted Administrator Privilege Gain
priority: 1
attempted-dos:
description: Attempted Denial of Service
priority: 2
attempted-recon:
description: Attempted Information Leak
priority: 2
attempted-user:
description: Attempted User Privilege Gain
priority: 1
bad-unknown:
description: Potentially Bad Traffic
priority: 2
coin-mining:
description: Crypto Currency Mining Activity Detected
priority: 2
command-and-control:
description: Malware Command and Control Activity Detected
priority: 1
credential-theft:
description: Successful Credential Theft Detected
priority: 1
default-login-attempt:
description: Attempt to login by a default username and password
priority: 2
denial-of-service:
description: Detection of a Denial of Service Attack
priority: 2
domain-c2:
description: Domain Observed Used for C2 Detected
priority: 1
exploit-kit:
description: Exploit Kit Activity Detected
priority: 1
external-ip-check:
description: Device Retrieving External IP Address Detected
priority: 2
icmp-event:
description: Generic ICMP event
priority: 3
inappropriate-content:
description: Inappropriate Content was Detected
priority: 1
misc-activity:
description: Misc activity
priority: 3
misc-attack:
description: Misc Attack
priority: 2
network-scan:
description: Detection of a Network Scan
priority: 3
non-standard-protocol:
description: Detection of a non-standard protocol or event
priority: 2
not-suspicious:
description: Not Suspicious Traffic
priority: 3
policy-violation:
description: Potential Corporate Privacy Violation
priority: 1
protocol-command-decode:
description: Generic Protocol Command Decode
priority: 3
pup-activity:
description: Possibly Unwanted Program Detected
priority: 2
rpc-portmap-decode:
description: Decode of an RPC Query
priority: 2
shellcode-detect:
description: Executable code was detected
priority: 1
social-engineering:
description: Possible Social Engineering Attempted
priority: 2
string-detect:
description: A suspicious string was detected
priority: 3
successful-admin:
description: Successful Administrator Privilege Gain
priority: 1
successful-dos:
description: Denial of Service
priority: 2
successful-recon-largescale:
description: Large Scale Information Leak
priority: 2
successful-recon-limited:
description: Information Leak
priority: 2
successful-user:
description: Successful User Privilege Gain
priority: 1
suspicious-filename-detect:
description: A suspicious filename was detected
priority: 2
suspicious-login:
description: An attempted login using a suspicious username was detected
priority: 2
system-call-detect:
description: A system call was detected
priority: 2
targeted-activity:
description: Targeted Malicious Activity was Detected
priority: 1
tcp-connection:
description: A TCP connection was detected
priority: 4
trojan-activity:
description: A Network Trojan was detected
priority: 1
unknown:
description: Unknown Traffic
priority: 3
unsuccessful-user:
description: Unsuccessful User Privilege Gain
priority: 1
unusual-client-port-connection:
description: A client was using an unusual port
priority: 2
web-application-activity:
description: access to a potentially vulnerable web application
priority: 2
web-application-attack:
description: Web Application Attack
priority: 1
threshold-file: /etc/suricata/threshold.conf

11
salt/suricata/files/classification.config.jinja
View File

@@ -1,11 +0,0 @@
{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context -%}
{% do salt['defaults.merge'](suricata_defaults.suricata.classification, salt['pillar.get']('suricata:classification', {}), in_place=True) -%}
#
# config classification:shortname,short description,priority
#
{% for sn, details in suricata_defaults.suricata.classification.items() -%}
{% if not details -%}
{% set details = {'description': 'The description is not set', 'priority': '1'} -%}
{% endif -%}
config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}
{% endfor -%}

30
salt/suricata/init.sls
View File

@@ -1,24 +1,15 @@
# Copyright 2014-2022 Security Onion Solutions, LLC
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %}
{% from "suricata/map.jinja" import SURICATAOPTIONS with context %}
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set VERSION = salt['pillar.get']('global:soversion') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
@@ -111,14 +102,6 @@ surithresholding:
- group: 940
- template: jinja
classification_config:
file.managed:
- name: /opt/so/conf/suricata/classification.config
- source: salt://suricata/files/classification.config.jinja
- user: 940
- group: 940
- template: jinja
# BPF compilation and configuration
{% if BPF_NIDS %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %}
@@ -156,7 +139,6 @@ so-suricata:
- binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw
- /nsm/suricata/:/nsm/:rw
@@ -168,12 +150,10 @@ so-suricata:
- file: surithresholding
- file: /opt/so/conf/suricata/rules/
- file: /opt/so/conf/suricata/bpf
- file: classification_config
- require:
- file: suriconfig
- file: surithresholding
- file: suribpf
- file: classification_config
{% else %} {# if Suricata isn't enabled, then stop and remove the container #}
- force: True

123
salt/suricata/soc_suricata.yaml Normal file
View File

@@ -0,0 +1,123 @@
suricata:
config:
vars:
address-groups:
HOME_NET:
description: List of hosts or netowrks.
EXTERNAL_NET:
description: List of hosts or netowrks.
HTTP_SERVERS:
description: List of hosts or netowrks.
SMTP_SERVERS:
description: List of hosts or netowrks.
SQL_SERVERS:
description: List of hosts or netowrks.
DNS_SERVERS:
description: List of hosts or netowrks.
TELNET_SERVERS:
description: List of hosts or netowrks.
AIM_SERVERS:
description: List of hosts or netowrks.
DC_SERVERS:
description: List of hosts or netowrks.
DNP3_SERVER:
description: List of hosts or netowrks.
DNP3_CLIENT:
description: List of hosts or netowrks.
MODBUS_CLIENT:
description: List of hosts or netowrks.
MODBUS_SERVER:
description: List of hosts or netowrks.
ENIP_CLIENT:
description: List of hosts or netowrks.
ENIP_SERVER:
description: List of hosts or netowrks.
port-groups:
HTTP_PORTS:
description: List of HTTP ports to look for HTTP traffic on.
SHELLCODE_PORTS:
description: List of SHELLCODE ports to look for SHELLCODE traffic on.
ORACLE_PORTS:
description: List of ORACLE ports to look for ORACLE traffic on.
SSH_PORTS:
description: List of SSH ports to look for SSH traffic on.
DNP3_PORTS:
description: List of DNP3 ports to look for DNP3 traffic on.
MODBUS_PORTS:
description: List of MODBUS ports to look for MODBUS traffic on.
FILE_DATA_PORTS:
description: List of FILE_DATA ports to look for FILE_DATA traffic on.
FTP_PORTS:
description: List of FTP ports to look for FTP traffic on.
VXLAN_PORTS:
description: List of VXLAN ports to look for VXLAN traffic on.
TEREDO_PORTS:
description: List of TEREDO ports to look for TEREDO traffic on.
outputs:
eve-log:
xff:
enabled:
description: Enable X-Forward-For support.
mode:
description: Operation mode. This should always be extra-data if you use PCAP.
deployment:
description: forward would use the first IP address and reverse would use the last.
header:
description: Header name where the actual IP address will be reported.
asn1-max-frames:
description: Maximum nuber of asn1 frames to decode.
max-pending-packets:
description: Number of packets preallocated per thread.
default-packet-size:
description: Preallocated size for each packet.
pcre:
match-limit:
description: Match limit for PCRE.
match-limit-recursion:
description: Recursion limit for PCRE.
defrag:
memcap:
description: Max memory to use for defrag. You should only change this if you know what you are doing.
hash-size:
description: Hash size
trackers:
description: Number of defragmented flows to follow.
max-frags:
description: Max number of fragments to keep
prealloc:
description: Preallocate memory.
timeout:
description: Timeout value.
flow:
memcap:
description: Reserverd memory for flows.
hash-size:
description: Determines the size of the hash used to identify flows inside the engine.
prealloc:
description: Number of preallocated flows.
stream:
memcap:
description: Can be specified in kb,mb,gb.
checksum-validation:
description: Validate checksum of packets.
reassembly:
memcap:
description: Can be specified in kb,mb,gb.
host:
hash-size:
description: Hash size in bytes.
prealloc:
description: How many streams to preallocate.
memcap:
description: Memory settings for host.
decoder:
teredo:
enabled:
description: Enable TEREDO capabilities
ports:
description: Ports to listen for. This should be a variable.
vxlan:
enabled:
description: Enable VXLAN capabilities.
ports:
description: Ports to listen for. This should be a variable.