Merge branch 'dev' into feature/docker-prune-rework

VERIFY_ISO.md

@@ -1,16 +1,16 @@
-### 2.3.20 ISO image built on 2020/12/20
+### 2.3.30 ISO image built on 2021/03/01
 
 ### Download and Verify
 
-2.3.20 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso
+2.3.30 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso
 
-MD5: E348FA65A46FD3FBA0D574D9C1A0582D  
-SHA1: 4A6E6D4E0B31ECA1B72E642E3DB2C186B59009D6  
-SHA256: 25DE77097903640771533FA13094D0720A032B70223875F8C77A92F5C44CA687 
+MD5: 65202BA0F7661A5E27087F097B8E571E  
+SHA1: 14E842E39EDBB55A104263281CF25BF88A2E9D67  
+SHA256: 210B37B9E3DFC827AFE2940E2C87B175ADA968EDD04298A5926F63D9269847B7 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.20.iso.sig securityonion-2.3.20.iso
+gpg --verify securityonion-2.3.30.iso.sig securityonion-2.3.30.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sun 20 Dec 2020 11:11:28 AM EST using RSA key ID FE507013
+gpg: Signature made Mon 01 Mar 2021 02:15:28 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.30
+2.3.40

salt/common/tools/sbin/so-analyst-install

@@ -84,7 +84,7 @@ while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
     echo "##                                       ##"
     echo "##    Installing the Security Onion      ##"
     echo "##   analyst node on this device will    ##"
-    echo "##      make permanenet changes to       ##"
+    echo "##       make permanent changes to       ##"
     echo "##              the system.              ##"
     echo "##                                       ##"
     echo "###########################################"

salt/soc/files/soc/changes.json

@@ -5,6 +5,7 @@
 		{ "summary": "CyberChef is now at version 9.27.2." },
 		{ "summary": "Elastic components are now at version 7.10.2. This is the last version that uses the Apache license." },
 		{ "summary": "Suricata is now at version 6.0.1." },
+		{ "summary": "Salt is now at version 3002.5." },
 		{ "summary": "Suricata metadata parsing is now vastly improved." },
 		{ "summary": "If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types <a href='https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/extraction.rules'>here</a>." },
 		{ "summary": "It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples <a href='https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/filters.rules'>here</a>." },
@@ -12,6 +13,7 @@
 		{ "summary": "Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces." },
 		{ "summary": "<code>so-sensor-clean</code> will no longer spawn multiple instances." },
 		{ "summary": "Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting." },
+		{ "summary": "Fixed a security issue where the backup directory had improper file permissions." },
 		{ "summary": "The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days." },
 		{ "summary": "Strelka logs are now being rotated properly." },
 		{ "summary": "Elastalert can now be customized via a pillar." },
@@ -43,6 +45,8 @@
 		{ "summary": "Changes to the <i>.security</i> analyzer yields more accurate query results when using Playbook." },
 		{ "summary": "Several Hunt queries have been updated." },
 		{ "summary": "The pfSense firewall log parser has been updated to improve compatibility." },
-		{ "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." }
+		{ "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." },
+		{ "summary": "Added a new <code>so-rule</code> script to make it easier to disable, enable, and modify SIDs." },
+		{ "summary": "ISO now gives the option to just configure the network during setup." }
   ]
 }

salt/telegraf/etc/telegraf.conf

@@ -684,8 +684,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/raid.sh"
    ]
@@ -697,8 +699,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/eps.sh",
       "/scripts/raid.sh"
@@ -713,8 +717,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/eps.sh",
       "/scripts/raid.sh"
@@ -728,8 +734,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
+  {% endif %}
       "/scripts/oldpcap.sh",
       "/scripts/influxdbsize.sh",
       "/scripts/raid.sh"
@@ -742,8 +750,10 @@
     "/scripts/stenoloss.sh",
     "/scripts/suriloss.sh",
     "/scripts/checkfiles.sh",
+  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
     "/scripts/zeekloss.sh",
     "/scripts/zeekcaptureloss.sh",
+  {% endif %}
     "/scripts/oldpcap.sh",
     "/scripts/helixeps.sh"
   ]

salt/telegraf/init.sls

@@ -29,6 +29,9 @@ tgrafsyncscripts:
     - file_mode: 700
     - template: jinja
     - source: salt://telegraf/scripts
+{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
+    - exclude_pat: zeekcaptureloss.sh
+{% endif %}
 
 tgrafconf:
   file.managed:

setup/automation/distributed-iso-search

@@ -55,7 +55,7 @@ MSRVIP=10.66.166.42
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1

setup/automation/distributed-iso-sensor

@@ -55,7 +55,7 @@ MSRVIP=10.66.166.42
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 # NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1

setup/automation/distributed-net-ubuntu-suricata-search

@@ -55,7 +55,7 @@ MSRVIP=10.66.166.66
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1

setup/automation/distributed-net-ubuntu-suricata-sensor

@@ -27,7 +27,7 @@ BASICZEEK=2
 BASICSURI=2
 # BLOGS=
 BNICS=ens19
-ZEEKVERSION=ZEEK
+ZEEKVERSION=SURICATA
 # CURCLOSEDAYS=
 # EVALADVANCED=BASIC
 # GRAFANA=1
@@ -55,7 +55,7 @@ MSRVIP=10.66.166.66
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
 # NODESETUP=NODEBASIC
-NSMSETUP=BASIC
+NSMSETUP=ADVANCED
 NODEUPDATES=MANAGER
 # OINKCODE=
 # OSQUERY=1

setup/so-functions

@@ -744,23 +744,19 @@ compare_main_nic_ip() {
 	if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then
 	  if [[ "$MAINIP" != "$MNIC_IP" ]]; then
 		  read -r -d '' message <<- EOM
-			The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
+		  	The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
 
-			This has been known to cause installs to fail in some scenarios.
-			
-			Please select whether to continue the install or exit setup to remediate any potential issues.
-			EOM
-			whiptail --title "Security Onion Setup" \
-				--yesno "$message" 10 75 \
-				--yes-button "Continue" --no-button "Exit" --defaultno
-
-			kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
-			fi
+			This is not a supported configuration, please remediate and rerun setup.
+		EOM
+		  whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
+		  kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+	  fi
 	else
 		# Setup uses MAINIP, but since we ignore the equality condition when using a VPN 
 		# just set the variable to the IP of the VPN interface
 		MAINIP=$MNIC_IP
 	fi
+	
 }
 
 compare_versions() {