Sensor Changes

2025-12-06 17:22:49 +01:00 · 2018-02-21 12:14:23 -05:00
parent efab67984c
commit 31bda9571a
5 changed files with 91 additions and 9 deletions
--- a/salt/filebeat/tmp.txt
+++ b/salt/filebeat/tmp.txt
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+DIR=/etc/filebeat
+YML=$DIR/filebeat.yml
+
+mkdir -p $DIR
+
+cat << EOF > $YML
+filebeat.prospectors:
+
+EOF
+
+# For each Bro log type, watch current and import
+grep "source(s_bro_" /etc/syslog-ng/syslog-ng.conf |cut -d\( -f2 | cut -d\) -f1 | sed 's|s_bro_||g' |sort -u | while read LOG; do
+cat << EOF
+- type: log
+  paths:
+    - /nsm/bro/logs/current/$LOG*.log
+  fields:
+    type: bro_$LOG
+  fields_under_root: true
+  tags: ["bro"]
+  clean_removed: false
+  close_removed: false
+
+- type: log
+  paths:
+    - /nsm/import/bro/$LOG*.log
+  fields:
+    type: bro_$LOG
+  fields_under_root: true
+  tags: ["bro", "import"]
+  clean_removed: false
+  close_removed: false
+
+EOF
+     done >> $YML
+
+# Change tunnels.log to tunnel.log
+sed -i 's|tunnels\*.log|tunnel*.log|g' $YML
+
+# Output to logstash
+cat << EOF >> $YML
+output.logstash:
+  enabled: true
+  hosts: ["logstash:5044"]
+
+EOF
+
+# syslog-ng doesn't need to monitor Bro logs anymore
+grep -v "source(s_bro_" /etc/syslog-ng/syslog-ng.conf > /etc/syslog-ng/syslog-ng.conf.without.bro
+mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.with.bro
+mv /etc/syslog-ng/syslog-ng.conf.without.bro /etc/syslog-ng/syslog-ng.conf
+service syslog-ng restart
+
+# start filebeat and allow it to connect to logstash
+docker run --detach --name so-filebeat  -v /etc/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro -v /nsm/bro:/nsm/bro:ro  docker.elastic.co/beats/filebeat:6.2.1
+docker network connect --alias filebeat so-elastic-net so-filebeat
--- a/salt/pcap/files/config
+++ b/salt/pcap/files/config
@@ -0,0 +1,15 @@
+{
+  "Threads": [
+    { "PacketsDirectory": "/nsm/pcap"
+    , "IndexDirectory": "/nsm/pcapindex"
+    , "MaxDirectoryFiles": 30000
+    , "DiskFreePercentage": 5
+    }
+  ]
+  , "StenotypePath": "/usr/bin/stenotype"
+  , "Interface": "em1"
+  , "Port": 1234
+  , "Host": "127.0.0.1"
+  , "Flags": []
+  , "CertPath": "/etc/stenographer/certs"
+}
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -15,13 +15,24 @@

 # PCAP Section

-file.directory:
-  - name: /opt/so/conf/steno
+stenoconfdir:
+  file.directory:
+    - name: /opt/so/conf/steno
+    - user: 941
+    - group: 939
+    - makedirs: True

-file.directory:
-  - name: /nsm/pcap
+pcapdir:
+  file.directory:
+    - name: /nsm/pcap
+
+pcapindexdir:
+  file.directory:
+    - name: /nsm/pcapindex

 so-steno:
  dockerng.running:
    - image: pillaritem/so-steno
    - network_mode: host
+    - /opt/so/conf/stenographer/certs:/etc/stenographer/certs:rw
+    - /opt/so/conf/stenographer/config:/etc/stenographer/config:ro
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -2,10 +2,6 @@ base:
  'G@role:sensor':
    - common
    - pcap
-    - logstash
-    - nids
-    - syslog-ng
-    - bro
    
  'G@role:eval':
    - common
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -139,6 +139,8 @@ if (whiptail --title "Security Onion Setup" --yesno "Are you sure you want to in
  # Create bond interface
  if [ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'BACKENDNODE' ]; then
    echo "Setting up Bond"
+    alias bond0 bonding
+    mode=0
  fi

  # Install Updates and the Salt Package