Move In Day

salt/zeek/cron/zeek_clean

@@ -2,20 +2,11 @@
 
 # Delete Zeek Logs based on defined CRIT_DISK_USAGE value
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 clean () {
 

salt/zeek/defaults.yaml

@@ -0,0 +1,120 @@
+zeek:
+  logging:
+    enabled:
+      - conn
+      - dce_rpc
+      - dhcp
+      - dnp3
+      - dns
+      - dpd
+      - files
+      - ftp
+      - http
+      - intel
+      - irc
+      - kerberos
+      - modbus
+      - notice
+      - ntlm
+      - pe
+      - radius
+      - rfb
+      - rdp
+      - sip
+      - smb_files
+      - smb_mapping
+      - smtp
+      - snmp
+      - ssh
+      - ssl
+      - tunnel
+      - weird
+      - mysql
+      - socks
+      - x509
+  config:
+    node:
+      lb_procs: 1
+      zeek_pins_enabled: False
+      zeek_pins: []
+    zeekctl:
+      MailTo: root@localhost
+      MailConnectionSummary: 1
+      MinDiskSpace: 5
+      MailHostUpDown: 1
+      LogRotationInterval: 3600
+      LogExpireInterval: 0
+      StatsLogEnable: 1
+      StatsLogExpireInterval: 0
+      StatusCmdShowAll: 0
+      CrashExpireInterval: 0
+      SitePolicyScripts: local.zeek
+      LogDir: /nsm/zeek/logs
+      SpoolDir: /nsm/zeek/spool
+      CfgDir: /opt/zeek/etc
+      CompressLogs: 1
+  policy:
+    file_extraction:
+      - application/x-dosexec: exe
+      - application/pdf: pdf
+      - application/msword: doc
+      - application/vnd.ms-powerpoint: doc
+      - application/rtf: doc
+      - application/vnd.ms-word.document.macroenabled.12: doc
+      - application/vnd.ms-word.template.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+      - application/vnd.ms-excel: doc
+      - application/vnd.ms-excel.addin.macroenabled.12: doc
+      - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+      - application/vnd.ms-excel.template.macroenabled.12: doc
+      - application/vnd.ms-excel.sheet.macroenabled.12: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+      - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+      - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+      - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+      - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+      - application/vnd.openxmlformats-officedocument: doc
+    load:
+      - misc/loaded-scripts
+      - tuning/defaults
+      - misc/capture-loss
+      - misc/stats
+      - frameworks/software/vulnerable
+      - frameworks/software/version-changes
+      - protocols/ftp/software
+      - protocols/smtp/software
+      - protocols/ssh/software
+      - protocols/http/software
+      - protocols/dns/detect-external-names
+      - protocols/ftp/detect
+      - protocols/conn/known-hosts
+      - protocols/conn/known-services
+      - protocols/ssl/known-certs
+      - protocols/ssl/validate-certs
+      - protocols/ssl/log-hostcerts-only
+      - protocols/ssh/geo-data
+      - protocols/ssh/detect-bruteforcing
+      - protocols/ssh/interesting-hostnames
+      - protocols/http/detect-sqli
+      - frameworks/files/hash-all-files
+      - frameworks/files/detect-MHR
+      - policy/frameworks/notice/extend-email/hostnames
+      - ja3
+      - hassh
+      - intel
+      - cve-2020-0601
+      - securityonion/bpfconf
+      - securityonion/communityid
+      - securityonion/file-extraction
+    load-sigs:
+      - frameworks/signatures/detect-windows-shells
+    redef:
+      - LogAscii::use_json = T;
+      - CaptureLoss::watch_interval = 5 mins;

salt/zeek/init.sls

@@ -1,28 +1,19 @@
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
 {% from "zeek/map.jinja" import ZEEKOPTIONS with context %}
 
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0  %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
 
 {% set ZEEK = salt['pillar.get']('zeek', {}) %}
 

salt/zeek/soc_zeek.yaml

@@ -0,0 +1,26 @@
+zeek:
+  logging:
+    enabled:
+      description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
+  config:
+    node:
+      lb_procs:
+        description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
+        node: True
+      zeek_pins_enabled:
+        description:
+        node: True
+      zeeek_pins:
+        description: List of CPUs you want to 
+        node: True
+    zeekctl:
+      CompressLogs:
+        description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
+  policy:
+    file_extraction:
+      description: This is a list of mime types Zeek will extract from the network streams.
+    load:
+      description: List of Zeek policies to load
+    load-sigs:
+      description: List of Zeek signatures to load
+