CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sensor Changes

Browse Source
This commit is contained in:
Mike Reeves
2018-02-21 12:14:23 -05:00
parent efab67984c
commit 31bda9571a
5 changed files with 91 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
salt/filebeat/tmp.txt Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
DIR=/etc/filebeat
YML=$DIR/filebeat.yml
mkdir -p $DIR
cat << EOF > $YML
filebeat.prospectors:
EOF
# For each Bro log type, watch current and import
grep "source(s_bro_" /etc/syslog-ng/syslog-ng.conf |cut -d\( -f2 | cut -d\) -f1 | sed 's|s_bro_||g' |sort -u | while read LOG; do
cat << EOF
- type: log
paths:
- /nsm/bro/logs/current/$LOG*.log
fields:
type: bro_$LOG
fields_under_root: true
tags: ["bro"]
clean_removed: false
close_removed: false
- type: log
paths:
- /nsm/import/bro/$LOG*.log
fields:
type: bro_$LOG
fields_under_root: true
tags: ["bro", "import"]
clean_removed: false
close_removed: false
EOF
done >> $YML
# Change tunnels.log to tunnel.log
sed -i 's|tunnels\*.log|tunnel*.log|g' $YML
# Output to logstash
cat << EOF >> $YML
output.logstash:
enabled: true
hosts: ["logstash:5044"]
EOF
# syslog-ng doesn't need to monitor Bro logs anymore
grep -v "source(s_bro_" /etc/syslog-ng/syslog-ng.conf > /etc/syslog-ng/syslog-ng.conf.without.bro
mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.with.bro
mv /etc/syslog-ng/syslog-ng.conf.without.bro /etc/syslog-ng/syslog-ng.conf
service syslog-ng restart
# start filebeat and allow it to connect to logstash
docker run --detach --name so-filebeat -v /etc/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro -v /nsm/bro:/nsm/bro:ro docker.elastic.co/beats/filebeat:6.2.1
docker network connect --alias filebeat so-elastic-net so-filebeat

15
salt/pcap/files/config Normal file
View File

@@ -0,0 +1,15 @@
{
"Threads": [
{ "PacketsDirectory": "/nsm/pcap"
, "IndexDirectory": "/nsm/pcapindex"
, "MaxDirectoryFiles": 30000
, "DiskFreePercentage": 5
}
]
, "StenotypePath": "/usr/bin/stenotype"
, "Interface": "em1"
, "Port": 1234
, "Host": "127.0.0.1"
, "Flags": []
, "CertPath": "/etc/stenographer/certs"
}

15
salt/pcap/init.sls
View File

@@ -15,13 +15,24 @@
# PCAP Section # PCAP Section
file.directory: stenoconfdir:
file.directory:
- name: /opt/so/conf/steno - name: /opt/so/conf/steno
- user: 941
- group: 939
- makedirs: True
file.directory: pcapdir:
file.directory:
- name: /nsm/pcap - name: /nsm/pcap
pcapindexdir:
file.directory:
- name: /nsm/pcapindex
so-steno: so-steno:
dockerng.running: dockerng.running:
- image: pillaritem/so-steno - image: pillaritem/so-steno
- network_mode: host - network_mode: host
- /opt/so/conf/stenographer/certs:/etc/stenographer/certs:rw
- /opt/so/conf/stenographer/config:/etc/stenographer/config:ro

4
salt/top.sls
View File

@@ -2,10 +2,6 @@ base:
'G@role:sensor': 'G@role:sensor':
- common - common
- pcap - pcap
- logstash
- nids
- syslog-ng
- bro
'G@role:eval': 'G@role:eval':
- common - common

2
so-setup-network.sh
View File

@@ -139,6 +139,8 @@ if (whiptail --title "Security Onion Setup" --yesno "Are you sure you want to in
# Create bond interface # Create bond interface
if [ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'BACKENDNODE' ]; then if [ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'BACKENDNODE' ]; then
echo "Setting up Bond" echo "Setting up Bond"
alias bond0 bonding
mode=0
fi fi
# Install Updates and the Salt Package # Install Updates and the Salt Package