From 31bda9571a590f1aefb85fad4bbc10c6d88ac09d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 21 Feb 2018 12:14:23 -0500
Subject: [PATCH] Sensor Changes

---
 salt/filebeat/tmp.txt | 58 ++++++++++++++++++++++++++++++++++++++++++
 salt/pcap/files/config | 15 +++++++++++
 salt/pcap/init.sls | 19 +++++++++++---
 salt/top.sls | 6 +----
 so-setup-network.sh | 2 ++
 5 files changed, 91 insertions(+), 9 deletions(-)
 create mode 100644 salt/filebeat/tmp.txt
 create mode 100644 salt/pcap/files/config

diff --git a/salt/filebeat/tmp.txt b/salt/filebeat/tmp.txt
new file mode 100644
index 000000000..702f38ce3
--- /dev/null
+++ b/salt/filebeat/tmp.txt
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+DIR=/etc/filebeat
+YML=$DIR/filebeat.yml
+
+mkdir -p $DIR
+
+cat << EOF > $YML
+filebeat.prospectors:
+
+EOF
+
+# For each Bro log type, watch current and import
+grep "source(s_bro_" /etc/syslog-ng/syslog-ng.conf |cut -d\( -f2 | cut -d\) -f1 | sed 's|s_bro_||g' |sort -u | while read LOG; do
+cat << EOF
+- type: log
+ paths:
+ - /nsm/bro/logs/current/$LOG*.log
+ fields:
+ type: bro_$LOG
+ fields_under_root: true
+ tags: ["bro"]
+ clean_removed: false
+ close_removed: false
+
+- type: log
+ paths:
+ - /nsm/import/bro/$LOG*.log
+ fields:
+ type: bro_$LOG
+ fields_under_root: true
+ tags: ["bro", "import"]
+ clean_removed: false
+ close_removed: false
+
+EOF
+ done >> $YML
+
+# Change tunnels.log to tunnel.log
+sed -i 's|tunnels\*.log|tunnel*.log|g' $YML
+
+# Output to logstash
+cat << EOF >> $YML
+output.logstash:
+ enabled: true
+ hosts: ["logstash:5044"]
+
+EOF
+
+# syslog-ng doesn't need to monitor Bro logs anymore
+grep -v "source(s_bro_" /etc/syslog-ng/syslog-ng.conf > /etc/syslog-ng/syslog-ng.conf.without.bro
+mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.with.bro
+mv /etc/syslog-ng/syslog-ng.conf.without.bro /etc/syslog-ng/syslog-ng.conf
+service syslog-ng restart
+
+# start filebeat and allow it to connect to logstash
+docker run --detach --name so-filebeat -v /etc/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro -v /nsm/bro:/nsm/bro:ro docker.elastic.co/beats/filebeat:6.2.1
+docker network connect --alias filebeat so-elastic-net so-filebeat
diff --git a/salt/pcap/files/config b/salt/pcap/files/config
new file mode 100644
index 000000000..9959efd37
--- /dev/null
+++ b/salt/pcap/files/config
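Review bot: The syslog-ng.conf rewrite near the end of the script (`grep -v ... > ...without.bro`, two `mv`, then `service syslog-ng restart`) runs unchecked and the script never sets `set -e`, so if `/etc/syslog-ng/syslog-ng.conf` is missing or `grep` fails, the second `mv` still installs an empty file as the live config and syslog-ng is restarted on it. Add `set -euo pipefail` after the shebang and guard the rewrite with `[ -s /etc/syslog-ng/syslog-ng.conf ] || exit 1`; the same `set -e` also stops the script before `docker network connect` if `docker run` fails instead of letting it continue silently. The unquoted `$DIR`, `$YML` and `$LOG` expansions and the bare `read` should become `"$DIR"`, `"$YML"`, `"$LOG"` and `read -r`, because `$LOG` is interpolated straight into YAML path entries. `output.logstash` targets `logstash:5044` with no `ssl` section, i.e. plain text; that is presumably acceptable on the `so-elastic-net` bridge the container is attached to, but a comment confirming logstash is never remote for this role would make the choice explicit. The file is committed as `tmp.txt`, so it is not clear from this hunk what invokes it or whether it is meant to be kept.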
@@ -0,0 +1,15 @@
+{
+ "Threads": [
+ { "PacketsDirectory": "/nsm/pcap"
+ , "IndexDirectory": "/nsm/pcapindex"
+ , "MaxDirectoryFiles": 30000
+ , "DiskFreePercentage": 5
+ }
+ ]
+ , "StenotypePath": "/usr/bin/stenotype"
+ , "Interface": "em1"
+ , "Port": 1234
+ , "Host": "127.0.0.1"
+ , "Flags": []
+ , "CertPath": "/etc/stenographer/certs"
+}
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 619d69fda..8027da430 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -15,13 +15,24 @@
 # PCAP Section
-file.directory:
- - name: /opt/so/conf/steno
+stenoconfdir:
+ file.directory:
+ - name: /opt/so/conf/steno
+ - user: 941
+ - group: 939
+ - makedirs: True
-file.directory:
- - name: /nsm/pcap
+pcapdir:
+ file.directory:
+ - name: /nsm/pcap
+
+pcapindexdir:
+ file.directory:
+ - name: /nsm/pcapindex
 so-steno:
 dockerng.running:
 - image: pillaritem/so-steno
 - network_mode: host
+ - /opt/so/conf/stenographer/certs:/etc/stenographer/certs:rw
+ - /opt/so/conf/stenographer/config:/etc/stenographer/config:ro
diff --git a/salt/top.sls b/salt/top.sls
index eec95c76d..37381f699 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -2,11 +2,7 @@ base:
 'G@role:sensor':
 - common
 - pcap
- - logstash
- - nids
- - syslog-ng
- - bro
-
+
 'G@role:eval':
 - common
 - sensor
diff --git a/so-setup-network.sh b/so-setup-network.sh
index 2df12d663..4f408871b 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -139,6 +139,8 @@ if (whiptail --title "Security Onion Setup" --yesno "Are you sure you want to in
 # Create bond interface
 if [ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'BACKENDNODE' ]; then
 echo "Setting up Bond"
+ alias bond0 bonding
+ mode=0
 fi
 # Install Updates and the Salt Package
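Review bot: `"Interface": "em1"` is a hard-coded NIC name in a file that is not templated, so every sensor that receives this config captures on em1, even though so-setup-network.sh in the same commit is setting up a `bond0` for sniffing; on a host without em1 stenotype will fail to open the interface. Either render the value from pillar (a Jinja placeholder such as `{{ pillar['sensor']['interface'] }}`, which also means deploying the file with `template: jinja`) or document next to the state that the value must be set per sensor, since JSON cannot carry the note itself. `"Host": "127.0.0.1"` with the container in host network mode keeps the stenographer API on loopback, which is the right default for a service that can hand out raw pcap; recording that intent in the state file would discourage a later change to `0.0.0.0`.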
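Review bot: The two new bind entries under `so-steno` mount `/opt/so/conf/stenographer/certs` and `/opt/so/conf/stenographer/config`, but the directory this state creates (`stenoconfdir`) is `/opt/so/conf/steno`, and nothing in the hunk deploys `salt/pcap/files/config` to either path, so the container will likely start with an empty directory bound over `/etc/stenographer/config`. The entries also sit directly after `- network_mode: host` as bare list items rather than under a `- binds:` key, which is the form dockerng.running takes for volume mappings, so they will probably be rejected as unrecognised arguments. A `file.managed` for the config plus a `binds:` list fixes both; the `941`/`939` literals deserve a comment naming the container user and group they stand for. The certs directory is mounted `rw` — if that is so stenographer can generate its own key material on first start, say so in a comment, otherwise `ro` is the safer default.

```yaml
stenoconfig:
  file.managed:
    - name: /opt/so/conf/stenographer/config
    - source: salt://pcap/files/config
    - user: 941   # TODO: name the container user these ids map to
    - group: 939
    - mode: 640
    - makedirs: True

so-steno:
  dockerng.running:
    # … unchanged: image, network_mode …
    - binds:
      - /opt/so/conf/stenographer/certs:/etc/stenographer/certs:rw
      - /opt/so/conf/stenographer/config:/etc/stenographer/config:ro
```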
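Review bot: `alias bond0 bonding` and `mode=0` are modprobe configuration directives, not shell: inside this script `alias bond0 bonding` only asks bash to print two aliases that do not exist (emitting "not found" errors) and `mode=0` assigns a shell variable, so no bonding module is configured and no bond is created. They presumably belong in a modprobe file, e.g. `printf 'alias bond0 bonding\noptions bond0 mode=0\n' > /etc/modprobe.d/bonding.conf` followed by `modprobe bonding`, and the bond interface itself still needs a definition that this hunk does not add. The guarding condition on the context line, `[ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'BACKENDNODE' ]`, is always true because no value can equal both, so the block also runs on master-only installs; `[[ "$INSTALLTYPE" != 'MASTERONLY' && "$INSTALLTYPE" != 'BACKENDNODE' ]]` is presumably what was intended. The enclosing `if (whiptail ...` block starts and ends outside the hunk.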