CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-04-20 19:52:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9163 from Security-Onion-Solutions/dev

Browse Source 
Update Foxtrot from Dev
This commit is contained in:
Peter Di Giorgio
2022-11-17 10:44:24 -06:00
committed by GitHub
parent 13b6b43324 7319cb07e2
commit 33bf0c6902
21 changed files with 115 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/elasticsearch/files/ingest/zeek.bsap_serial_header
View File

@@ -5,7 +5,7 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.ser", "target_field": "bsap.message.serial.number", "ignore_missing": true } },
{ "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
{ "rename": { "field": "message2.sadd", "target_field": "bsap.scource.address", "ignore_missing": true } },
{ "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
{ "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
@@ -14,4 +14,4 @@
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
}

12
salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
View File

@@ -3,12 +3,12 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.targetid", "target_field": "ecat.target.id", "ignore_missing": true } },
{ "rename": { "field": "message2.targetport", "target_field": "ecat.target.port", "ignore_missing": true } },
{ "convert": { "field": "ecat.target.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.senderid", "target_field": "ecat.sender.id", "ignore_missing": true } },
{ "rename": { "field": "message2.senderport", "target_field": "ecat.sender.port", "ignore_missing": true } },
{ "convert": { "field": "ecat.sender.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.targetport", "target_field": "destination.port", "ignore_missing": true } },
{ "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.senderid", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.senderport", "target_field": "source.port", "ignore_missing": true } },
{ "convert": { "field": "source.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },

8
salt/elasticsearch/files/ingest/zeek.ecat_arp_info
View File

@@ -4,11 +4,11 @@
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_src", "target_field": "ecat.srcmac", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_dst", "target_field": "ecat.dstmac", "ignore_missing": true } },
{ "rename": { "field": "message2.SPA", "target_field": "ecat.sender.protocol.address", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_src", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_dst", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.SPA", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } },
{ "rename": { "field": "message2.TPA", "target_field": "ecat.target.protocol.address", "ignore_missing": true } },
{ "rename": { "field": "message2.TPA", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]

4
salt/elasticsearch/files/ingest/zeek.ecat_log_address
View File

@@ -3,8 +3,8 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } },
{ "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } },
{ "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },

4
salt/elasticsearch/files/ingest/zeek.ecat_registers
View File

@@ -3,8 +3,8 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } },
{ "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } },

14
salt/elasticsearch/files/ingest/zeek.opcua_browse
View File

@@ -4,13 +4,13 @@
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
{ "rename": { "field": "browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
{ "rename": { "field": "browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
{ "rename": { "field": "browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
{ "rename": { "field": "req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

23
salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
View File

@@ -4,17 +4,18 @@
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.final", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.message_size", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.request_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.security_level", "target_field": "opcua.identifier", "ignore_missing": true } },
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_read Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_read",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.opcua_read_nodes_to_read",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } },
{ "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } },
{ "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

12
salt/elasticsearch/files/ingest/zeek.opcua_read_results Normal file
View File

@@ -0,0 +1,12 @@
{
"description" : "zeek.opcua_read_results",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
{ "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_read_results_link Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_read_results_link",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

2
salt/sensoroni/files/analyzers/emailrep/emailrep.py
View File

@@ -53,7 +53,7 @@ def analyze(conf, input):
def main():
dir = os.path.dirname(os.path.realpath(__file__))
parser = argparse.ArgumentParser(description='Search Greynoise for a given artifact')
parser = argparse.ArgumentParser(description='Search EmailRep for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/emailrep.yaml", help='optional config file to use instead of the default config file')

2
salt/sensoroni/files/analyzers/pulsedive/README.md
View File

@@ -5,7 +5,7 @@ Search Pulsedive for a domain, hash, IP, URI, URL, or User Agent.
## Configuration Requirements
``api_key`` - API key used for communication with the Virustotal API
``api_key`` - API key used for communication with the Pulsedive API
This value should be set in the ``sensoroni`` pillar, like so:

2
salt/sensoroni/files/analyzers/pulsedive/pulsedive.py
View File

@@ -91,7 +91,7 @@ def analyze(conf, input):
def main():
dir = os.path.dirname(os.path.realpath(__file__))
parser = argparse.ArgumentParser(description='Search VirusTotal for a given artifact')
parser = argparse.ArgumentParser(description='Search Pulsedive for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/pulsedive.yaml", help='optional config file to use instead of the default config file')

2
salt/sensoroni/files/analyzers/urlscan/README.md
View File

@@ -5,7 +5,7 @@ Submit a URL to Urlscan for analysis.
## Configuration Requirements
``api_key`` - API key used for communication with the Virustotal API
``api_key`` - API key used for communication with the urlscan API
``enabled`` - Determines whether or not the analyzer is enabled. Defaults to ``False``
``visibility`` - Determines whether or not scan results are visibile publicly. Defaults to ``public``
``timeout`` - Time to wait for scan results. Defaults to ``180``s

2
salt/sensoroni/files/analyzers/urlscan/urlscan.py
View File

@@ -77,7 +77,7 @@ def analyze(conf, input):
def main():
dir = os.path.dirname(os.path.realpath(__file__))
parser = argparse.ArgumentParser(description='Search Alienvault OTX for a given artifact')
parser = argparse.ArgumentParser(description='Search urlscan for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/urlscan.yaml", help='optional config file to use instead of the default config file')

2
salt/soc/files/soc/motd.md
View File

@@ -6,7 +6,7 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
## What's New
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/#release-notes) link.
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
## Customize This Space

8
salt/soc/files/soc/soc.json
View File

@@ -123,15 +123,9 @@
}
},
"client": {
{%- if ISAIRGAP is sameas true %}
"docsUrl": "/docs/",
"cheatsheetUrl": "/docs/cheatsheet.pdf",
"releaseNotesUrl": "/docs/#release-notes",
{%- else %}
"docsUrl": "https://docs.securityonion.net/en/2.3/",
"cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf",
"releaseNotesUrl": "https://docs.securityonion.net/en/2.3/release-notes",
{%- endif %}
"releaseNotesUrl": "/docs/release-notes.html",
"apiTimeoutMs": {{ API_TIMEOUT }},
"webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }},
"tipTimeoutMs": {{ TIP_TIMEOUT }},

4
salt/zeek/policy/securityonion/file-extraction/extract.zeek
View File

@@ -47,7 +47,7 @@ event file_state_remove(f: fa_file)
# Delete the file if it didn't pass our requirements check.
local nuke = fmt("rm %s/%s", FileExtract::prefix, f$info$extracted);
when ( local nukeit = Exec::run([$cmd=nuke]) )
when [nuke] ( local nukeit = Exec::run([$cmd=nuke]) )
{
}
return;
@@ -58,7 +58,7 @@ event file_state_remove(f: fa_file)
local dest = fmt("%scomplete/%s-%s-%s.%s", FileExtract::prefix, f$source, f$id, f$info$md5, extension);
# Copy it to the $prefix/complete folder then delete it. I got some weird results with moving when it came to watchdog in python.
local cmd = fmt("cp %s/%s %s && rm %s/%s", FileExtract::prefix, orig, dest, FileExtract::prefix, orig);
when ( local result = Exec::run([$cmd=cmd]) )
when [cmd] ( local result = Exec::run([$cmd=cmd]) )
{
}
f$info$extracted = dest;