From 0d92a1594a9715c7396a96b116b68a679133053c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 22 Jun 2023 14:41:39 -0400 Subject: [PATCH 1/5] fix quotations --- salt/soc/files/bin/salt-relay.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 22be8d3e4..7f68677ce 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -229,18 +229,19 @@ function import_file() { filegpg="$file.gpg" log "decrypting..." - $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'" + $CMD_PREFIX salt "$node" cmd.run "gpg --passphrase \"infected\" -o \"$file.tmp\" --batch --decrypt \"$filegpg\"" decrypt_code=$? if [[ $decrypt_code -eq 0 ]]; then + mv "$file.tmp" "$file" log "importing..." case $importer in pcap) - response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'") + response=$($CMD_PREFIX salt "$node" cmd.run "so-import-pcap $file --json") exit_code=$? ;; evtx) - response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'") + response=$($CMD_PREFIX salt "$node" cmd.run "so-import-evtx $file --json") exit_code=$? ;; *) From 2b323ab6613abdb9ecaadb7bf28e256ee95cb68b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Thu, 22 Jun 2023 17:30:56 -0600 Subject: [PATCH 2/5] Fix `salt cmd.run` commands for importing Functional and easy to read. --- salt/soc/files/bin/salt-relay.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 7f68677ce..832067316 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh 
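Review bot: The added `mv "$file.tmp" "$file"` runs on the relay host, while the `gpg -o "$file.tmp"` just above it executes on `$node` through `cmd.run`, so unless `$node` is always the local minion or the path is shared storage the rename acts on a file that does not exist locally and the decrypted output stays as `$file.tmp` on the node; moving the rename into the remote command (`... --decrypt \"$filegpg\" && mv \"$file.tmp\" \"$file\"`) keeps both steps on the same host. Separately, `$file` is still interpolated unquoted into the strings a shell on the node will parse (`so-import-pcap $file --json`), so a path with whitespace or metacharacters is split or executed there; `file` is assigned above the hunk, so I cannot see from here whether the pipe writer can influence it, but a whitelist such as `[[ "$file" =~ ^[A-Za-z0-9._/-]+$ ]] || { log "refusing unsafe path: $file"; return 1; }` before the decrypt would close that regardless. A failed decrypt also leaves a partial `$file.tmp` on the node that nothing removes. `import_file` continues past the end of the hunk.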
@@ -229,7 +229,8 @@ function import_file() { filegpg="$file.gpg" log "decrypting..." - $CMD_PREFIX salt "$node" cmd.run "gpg --passphrase \"infected\" -o \"$file.tmp\" --batch --decrypt \"$filegpg\"" + decrypt_cmd="gpg --passphrase infected -o $file.tmp --batch --decrypt $filegpg" + $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\"" decrypt_code=$? if [[ $decrypt_code -eq 0 ]]; then @@ -237,11 +238,13 @@ function import_file() { log "importing..." case $importer in pcap) - response=$($CMD_PREFIX salt "$node" cmd.run "so-import-pcap $file --json") + import_cmd="so-import-pcap $file --json" + response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"") exit_code=$? ;; evtx) - response=$($CMD_PREFIX salt "$node" cmd.run "so-import-evtx $file --json") + import_cmd="so-import-evtx $file --json" + response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"") exit_code=$? ;; *) From b21b545756277fbbccca4fbaf47f0599da765f6a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 23 Jun 2023 09:37:41 -0400 Subject: [PATCH 3/5] use cluster-unique password for import encryption --- salt/soc/files/bin/salt-relay.sh | 8 ++++++-- setup/so-functions | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 832067316..a9a37ba3e 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -4,6 +4,8 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +. /usr/sbin/so-common + PIPE_OWNER=${PIPE_OWNER:-socore} PIPE_GROUP=${PIPE_GROUP:-socore} SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe} 
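Review bot: `decrypt_code=$?` records the exit status of the local `salt` CLI, not of `gpg` on the minion; unless `$CMD_PREFIX` (defined outside the hunk) already supplies `--retcode-passthrough`, a wrong passphrase or a missing `$filegpg` still yields 0, the unchecked `mv "$file.tmp" "$file"` between the two hunks fails, and the importer runs against whatever `$file` previously held. `$CMD_PREFIX salt --retcode-passthrough "$node" cmd.run "\"$decrypt_cmd\""` makes the status meaningful, and the `mv` should be checked too. Note that `decrypt_cmd` now embeds the passphrase and both paths with no quoting at all inside a string a remote shell will parse, so whatever later replaces the `infected` literal must be free of shell metacharacters. `import_file` starts above the hunk.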
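Review bot: `$file` is interpolated unquoted into `import_cmd`, which `cmd.run` hands to a shell on `$node`, so the outer `\"...\"` only wraps the whole command and a path containing whitespace, `;` or `$(...)` is word-split or executed on the node; if the value of `file` (assigned above the hunk) can be shaped by whoever writes to the SOC pipe, this is command execution on the sensor. A whitelist check before the `case`, `[[ "$file" =~ ^[A-Za-z0-9._/-]+$ ]] || { log "refusing unsafe path: $file"; return 1; }`, rejects anything the importer should never see; alternatively `printf -v import_cmd 'so-import-pcap %q --json' "$file"` quotes it properly when the minion shell is bash. The `*)` arm and the rest of `import_file` lie outside the hunk.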
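Review bot: `. /usr/sbin/so-common` is unchecked; under bash's default (non-POSIX) mode a missing or failing source prints an error and execution continues, there is no `set -e` in view, and `lookup_pillar_secret` would then be undefined so the gpg calls later in this file run with an empty passphrase. `. /usr/sbin/so-common || { echo "salt-relay: cannot source /usr/sbin/so-common" >&2; exit 1; }` fails closed. Since this is sourced at top level of a long-running relay, it is also worth confirming that nothing so-common does on load (traps, `set` options, environment changes) affects the pipe handling below.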
@@ -185,7 +187,8 @@ function send_file() { log "Cleanup: $cleanup" log "encrypting..." - response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from") + password=$(lookup_pillar_secret import_pass) + response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from") log Response:$'\n'"$response" fromgpg="$from.gpg" @@ -229,7 +232,8 @@ function import_file() { filegpg="$file.gpg" log "decrypting..." - decrypt_cmd="gpg --passphrase infected -o $file.tmp --batch --decrypt $filegpg" + password=$(lookup_pillar_secret import_pass) + decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg" $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\"" decrypt_code=$? diff --git a/setup/so-functions b/setup/so-functions index ef4e44eaa..d43469edb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1296,6 +1296,7 @@ generate_passwords(){ KRATOSKEY=$(get_random_value) REDISPASS=$(get_random_value) SOCSRVKEY=$(get_random_value 64) + IMPORTPASS=$(get_random_value) } generate_interface_vars() { @@ -2102,6 +2103,7 @@ secrets_pillar(){ " playbook_admin: $PLAYBOOKADMINPASS"\ " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\ " playbook_automation_api_key: "\ + " import_pass: $IMPORTPASS"\ " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls fi } From 261acee8a0a5d884f25b8e2e09127932bb41a0ca Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 20 Jun 2023 13:15:15 -0600 Subject: [PATCH 4/5] New Hunt queryToggleFilter New filter to exclude soc logs from hunt results. --- salt/soc/defaults.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 156446b7f..2e7bdcaf0 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
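Review bot: `password=$(lookup_pillar_secret import_pass)` is used without confirming it is non-empty; `import_pass` is only written by `secrets_pillar` at setup time, so on a cluster upgraded to this version the lookup presumably returns an empty string (or an error message, depending on how the helper reports a missing key) and the file is encrypted under that value, with the decrypt side failing or succeeding equally silently. A guard right after the lookup, `[[ -n "$password" ]] || { log "import_pass secret missing from pillar"; return 1; }`, turns that into a visible error. Passing the secret with `--passphrase` also exposes it in `ps` on the relay host for the duration of the encryption; `gpg --batch --pinentry-mode loopback --passphrase-fd 0 ... <<<"$password"` keeps it off the argv. `send_file` starts above and continues past the hunk.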
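Review bot: The cluster secret is now sent as a command-line argument at every hop — the local `salt` argv, the job payload that the master stores in its job cache and that `cmd.run` on the minion logs at its default level, and `gpg`'s argv on `$node`, readable by any local user through `ps` — which is a wider exposure than the old fixed `infected` string, which at least guarded nothing worth stealing. Keep it out of the remote process list by feeding it on stdin (`cmd.run` accepts `stdin=`, so the command becomes `gpg --batch --pinentry-mode loopback --passphrase-fd 0 -o $file.tmp --decrypt $filegpg` with `stdin="$password"` and `output_loglevel=quiet`), or have the node read it from a root-only file rendered from the same pillar. The value is also dropped unquoted into a string a shell parses, so this silently assumes `get_random_value` never emits shell metacharacters; that assumption deserves a comment next to the lookup. `import_file` continues past the hunk.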
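Review bot: `import_pass` is only added for fresh installs, since `secrets_pillar` writes `secrets.sls` inside the setup-time `if` whose `fi` closes the hunk; deployments that pull this change through an upgrade keep their existing `pillar/secrets.sls` and `lookup_pillar_secret import_pass` in the relay will have nothing to return. I cannot see the upgrade path (soup) from here, but a step there that appends `import_pass: $(get_random_value)` when the key is absent would close the gap, and a comment on the new line, `# consumed by salt-relay.sh (import_file/send_file); must exist on upgraded clusters too`, would keep the dependency visible. `secrets_pillar` starts above the hunk.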
@@ -1117,6 +1117,9 @@ soc: - name: caseExcludeToggle filter: 'NOT _index:"*:so-case*"' enabled: true + - name: socExcludeToggle + filter: 'NOT event.module:"soc"' + enabled: true queries: - name: Default Query description: Show all events grouped by the observer host From fb27e7c479b1d25712545ce139d8f19e09dd7376 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Thu, 22 Jun 2023 17:29:11 -0600 Subject: [PATCH 5/5] Also add to dashboard Duplicate new queryToggleFilter from hunt to dashboard. --- salt/soc/defaults.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 2e7bdcaf0..81c334d32 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1387,6 +1387,9 @@ soc: - name: caseExcludeToggle filter: 'NOT _index:"*:so-case*"' enabled: true + - name: socExcludeToggle + filter: 'NOT event.module:"soc"' + enabled: true queries: - name: Overview description: Overview of all events
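Review bot: `enabled: true` makes the new `socExcludeToggle` active by default, so events with `event.module:"soc"` — SOC's own audit and telemetry records — are hidden from every Hunt query until the analyst flips the toggle, which matters when the investigation concerns SOC user activity itself. A note beside the entry, `# hides SOC audit/telemetry events by default; disable when investigating analyst/SOC activity`, records that intent where the next maintainer will look. The same three lines are repeated verbatim for the dashboard in the following commit; a shared YAML anchor would keep the two filters from drifting apart.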