From 028d84b805aeab6f58fe84f5b2408122f738cbe4 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 18 May 2020 10:25:05 -0400
Subject: [PATCH 1/5] remove commas from groupby segments
---
 salt/soc/files/soc/soc.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index fb5fadd88..13b796601 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -93,17 +93,17 @@
 { "name": "Wazuh/OSSEC Users", "description": "Show all Wazuh alerts grouped by username", "query": "event.module:ossec AND event.dataset:alert | groupby user.name"},
 { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event_id", "query": "event_type:sysmon | groupby event_id"},
 { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event_type:sysmon | groupby username"},
- { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.module:zeek AND event.dataset:notice | groupby notice.note,notice.message"},
- { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.module:zeek AND event.dataset:conn | groupby source.ip,destination.ip,network.protocol,destination.port"},
- { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module:zeek AND event.dataset:conn | groupby network.protocol,destination.port"},
+ { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.module:zeek AND event.dataset:notice | groupby notice.note notice.message"},
+ { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.module:zeek AND event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"},
+ { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module:zeek AND event.dataset:conn | groupby network.protocol destination.port"},
 { "name": "Connections", "description": "Connections grouped by destination Geo", "query": "event.module:zeek AND event.dataset:conn | groupby destination.geo.country_name"},
 { "name": "Connections", "description": "Connections grouped by source Geo", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"},
 { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby operation"},
 { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname host.domain dhcp.requested_address"},
 { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module:zeek AND event.dataset:dhcp | groupby message_types"},
 { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.module:zeek AND event.dataset:dnp3 | groupby dnp3.fc_reply"},
- { "name": "DNS", "description": "DNS queries grouped by port ", "query": "event.module:zeek AND event.dataset:dns | groupby dns.query.name,destination.port"},
- { "name": "DNS", "description": "DNS queries grouped by type", "query": "event.module:zeek AND event.dataset:dns | groupby dns.query.type_name,destination.port"},
+ { "name": "DNS", "description": "DNS queries grouped by port ", "query": "event.module:zeek AND event.dataset:dns | groupby dns.query.name destination.port"},
+ { "name": "DNS", "description": "DNS queries grouped by type", "query": "event.module:zeek AND event.dataset:dns | groupby dns.query.type_name destination.port"},
 { "name": "DNS", "description": "DNS highest registered domain", "query": "event.module:zeek AND event.dataset:dns | groupby dns.highest_registered_domain.keyword"},
 { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.module:zeek AND event.dataset:dns | groupby dns.parent_domain.keyword"},
 { "name": "Files", "description": "Files grouped by mimetype", "query": "event.module:zeek AND event.dataset:files | groupby file.mime_type source.ip"},
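Review bot: The re-added DNS line keeps a trailing space inside its description string, `"description": "DNS queries grouped by port "`, so the label rendered from it ends in a blank and the value no longer compares equal to its trimmed form; `"description": "DNS queries grouped by port"` drops it. The same stray space is carried on the `+` SYSLOG line in this file's third hunk (`"SYSLOG grouped by severity and facility "`). That DNS description also understates its query, which groups by `dns.query.name destination.port`; `"DNS queries grouped by name and port"` would match what the groupby does.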
@@ -125,7 +125,7 @@
 { "name": "NOTICE", "description": "Zeek notice logs grouped by note", "query": "event.module:zeek AND event.dataset:notice | groupby notice.note"},
 { "name": "NOTICE", "description": "Zeek notice logs grouped by message", "query": "event.module:zeek AND event.dataset:notice | groupby notice.message"},
 { "name": "NTLM", "description": "NTLM grouped by computer name", "query": "event.module:zeek AND event.dataset:ntlm | groupby ntlm.server.dns.name"},
- { "name": "PE", "description": "PE files list", "query": "event.module:zeek AND event.dataset:pe | groupby file.machine,file.os,file.subsystem"},
+ { "name": "PE", "description": "PE files list", "query": "event.module:zeek AND event.dataset:pe | groupby file.machine file.os file.subsystem"},
 { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.module:zeek AND event.dataset:radius | groupby user.name"},
 { "name": "RDP", "description": "RDP grouped by client name", "query": "event.module:zeek AND event.dataset:rdp | groupby client.name"},
 { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.module:zeek AND event.dataset:rfb | groupby rfb.desktop.name"},
@@ -134,11 +134,11 @@
 { "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.module:zeek AND event.dataset:smb_files | groupby file.action"},
 { "name": "SMB_Mapping", "description": "SMB mapping grouped by path", "query": "event.module:zeek AND event.dataset:smb_mapping | groupby smb.path"},
 { "name": "SMTP", "description": "SMTP grouped by subject", "query": "event.module:zeek AND event.dataset:smtp | groupby smtp.subject"},
- { "name": "SNMP", "description": "SNMP grouped by version and string", "query": "event.module:zeek AND event.dataset:snmp | groupby snmp.community,snmp.version"},
- { "name": "Software", "description": "List of software seen on the network", "query": "event.module:zeek AND event.dataset:software | groupby software.type,software.name"},
+ { "name": "SNMP", "description": "SNMP grouped by version and string", "query": "event.module:zeek AND event.dataset:snmp | groupby snmp.community snmp.version"},
+ { "name": "Software", "description": "List of software seen on the network", "query": "event.module:zeek AND event.dataset:software | groupby software.type software.name"},
 { "name": "SSH", "description": "SSH grouped by version", "query": "event.module:zeek AND event.dataset:ssh | groupby ssh.version"},
- { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.module:zeek AND event.dataset:ssl | groupby ssl.version,ssl.server_name"},
- { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.module:zeek AND event.dataset:syslog | groupby syslog.severity,syslog.facility"},
+ { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.module:zeek AND event.dataset:ssl | groupby ssl.version ssl.server_name"},
+ { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.module:zeek AND event.dataset:syslog | groupby syslog.severity syslog.facility"},
 { "name": "Tunnels", "description": "Tunnels grouped by action", "query": "event.module:zeek AND event.dataset:tunnels | groupby event.action"},
 { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.module:zeek AND event.dataset:weird | groupby weird.name"},
 { "name": "x509", "description": "x.509 grouped by key length", "query": "event.module:zeek AND event.dataset:x509 | groupby x509.certificate.key.length"},
From 00f6e8d61b729df27da08e29a03f1e322e922f0f Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 18 May 2020 10:27:03 -0400
Subject: [PATCH 2/5] update geoip country descriptions
---
 salt/soc/files/soc/soc.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 13b796601..28ab2175e 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -96,8 +96,8 @@
 { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.module:zeek AND event.dataset:notice | groupby notice.note notice.message"},
 { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.module:zeek AND event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"},
 { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module:zeek AND event.dataset:conn | groupby network.protocol destination.port"},
- { "name": "Connections", "description": "Connections grouped by destination Geo", "query": "event.module:zeek AND event.dataset:conn | groupby destination.geo.country_name"},
- { "name": "Connections", "description": "Connections grouped by source Geo", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"},
+ { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.module:zeek AND event.dataset:conn | groupby destination.geo.country_name"},
+ { "name": "Connections", "description": "Connections grouped by source country", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"},
 { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby operation"},
 { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname host.domain dhcp.requested_address"},
 { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module:zeek AND event.dataset:dhcp | groupby message_types"},
From 15cd0c6b49914af7a08cde98b65f1b9de7d8b7d7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 18 May 2020 10:41:39 -0400
Subject: [PATCH 3/5] change strelka ip for sensor nodes
---
 salt/strelka/files/backend/backend.yaml | 7 ++++++-
 salt/strelka/files/filestream/filestream.yaml | 7 ++++++-
 salt/strelka/files/frontend/frontend.yaml | 7 ++++++-
 salt/strelka/files/manager/manager.yaml | 8 +++++++-
 4 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml
index 40ea1b5b3..0333afb18 100644
--- a/salt/strelka/files/backend/backend.yaml
+++ b/salt/strelka/files/backend/backend.yaml
@@ -1,4 +1,9 @@
-{%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- if grains.role == 'so-sensor' -%}
+ {%- set mainint = salt['pillar.get']('sensor:mainint') %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+{%- else %}
+ {%- set ip = salt['pillar.get']('static:masterip') %}
+{%- endif -%}
 logging_cfg: '/etc/strelka/logging.yaml'
 limits:
 max_files: 5000
diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml
index 0475840c9..34ec48052 100644
--- a/salt/strelka/files/filestream/filestream.yaml
+++ b/salt/strelka/files/filestream/filestream.yaml
@@ -1,4 +1,9 @@
-{%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- if grains.role == 'so-sensor' -%}
+ {%- set mainint = salt['pillar.get']('sensor:mainint') %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+{%- else %}
+ {%- set ip = salt['pillar.get']('static:masterip') %}
+{%- endif -%}
 conn:
 server: '{{ ip }}:57314'
 cert: ''
diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml
index 1c7b15175..0e02b708e 100644
--- a/salt/strelka/files/frontend/frontend.yaml
+++ b/salt/strelka/files/frontend/frontend.yaml
@@ -1,4 +1,9 @@
-{%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- if grains.role == 'so-sensor' -%}
+ {%- set mainint = salt['pillar.get']('sensor:mainint') %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+{%- else %}
+ {%- set ip = salt['pillar.get']('static:masterip') %}
+{%- endif -%}
 server: ":57314"
 coordinator:
 addr: '{{ ip }}:6380'
diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml
index 16a4c697b..b8ffc038f 100644
--- a/salt/strelka/files/manager/manager.yaml
+++ b/salt/strelka/files/manager/manager.yaml
@@ -1,4 +1,10 @@
-{%- set ip = salt['pillar.get']('static:masterip', '') %}
+
+{%- if grains.role == 'so-sensor' -%}
+ {%- set mainint = salt['pillar.get']('sensor:mainint') %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+{%- else %}
+ {%- set ip = salt['pillar.get']('static:masterip') %}
+{%- endif -%}
 coordinator:
 addr: '{{ ip }}:6380'
 db: 0
From 037bedb0c0816ac16b16595cda4b0b8c1a10a8f1 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 18 May 2020 10:48:02 -0400
Subject: [PATCH 4/5] remove whitespace at top of file
---
 salt/strelka/files/manager/manager.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml
index b8ffc038f..17351e8a7 100644
--- a/salt/strelka/files/manager/manager.yaml
+++ b/salt/strelka/files/manager/manager.yaml
@@ -1,4 +1,3 @@
-
 {%- if grains.role == 'so-sensor' -%}
 {%- set mainint = salt['pillar.get']('sensor:mainint') %}
 {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
From eebe0eb618d8c1228c0fd7c169b30e74d3f8876c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 18 May 2020 10:54:07 -0400
Subject: [PATCH 5/5] get the first ip for the ip_interfaces:mainint grain
---
 salt/strelka/files/backend/backend.yaml | 2 +-
 salt/strelka/files/filestream/filestream.yaml | 2 +-
 salt/strelka/files/frontend/frontend.yaml | 2 +-
 salt/strelka/files/manager/manager.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml
index 0333afb18..76a2ae3af 100644
--- a/salt/strelka/files/backend/backend.yaml
+++ b/salt/strelka/files/backend/backend.yaml
@@ -1,6 +1,6 @@
 {%- if grains.role == 'so-sensor' -%}
 {%- set mainint = salt['pillar.get']('sensor:mainint') %}
- {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %}
 {%- else %}
 {%- set ip = salt['pillar.get']('static:masterip') %}
 {%- endif -%}
diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml
index 34ec48052..c45fd8644 100644
--- a/salt/strelka/files/filestream/filestream.yaml
+++ b/salt/strelka/files/filestream/filestream.yaml
@@ -1,6 +1,6 @@
 {%- if grains.role == 'so-sensor' -%}
 {%- set mainint = salt['pillar.get']('sensor:mainint') %}
- {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %}
 {%- else %}
 {%- set ip = salt['pillar.get']('static:masterip') %}
 {%- endif -%}
diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml
index 0e02b708e..56df323f9 100644
--- a/salt/strelka/files/frontend/frontend.yaml
+++ b/salt/strelka/files/frontend/frontend.yaml
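Review bot: `mainint[0]` subscripts the interface-name string rather than the grain result, because the subscript binds tighter than `~`: an interface name such as `eth0` (constructed example) produces the key `ip_interfaces:e`, which never exists, so every sensor silently takes the `sensor:mainip` fallback and the first address is never read. The index belongs on the list the grain returns, while the fallback stays a plain string, e.g. `{%- set ips = salt['grains.get']('ip_interfaces:' ~ mainint, []) %}` followed by `{%- set ip = ips[0] if ips else salt['pillar.get']('sensor:mainip') %}`. Since the `ip_interfaces` grain can list an IPv6 address first, an unbracketed value would also break the `'{{ ip }}:6380'` and `'{{ ip }}:57314'` forms these templates build; `ip4_interfaces` is the safer grain here. The same line is changed identically in the filestream, frontend and manager hunks of this commit.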
@@ -1,6 +1,6 @@
 {%- if grains.role == 'so-sensor' -%}
 {%- set mainint = salt['pillar.get']('sensor:mainint') %}
- {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %}
 {%- else %}
 {%- set ip = salt['pillar.get']('static:masterip') %}
 {%- endif -%}
diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml
index 17351e8a7..8a5966ac9 100644
--- a/salt/strelka/files/manager/manager.yaml
+++ b/salt/strelka/files/manager/manager.yaml
@@ -1,6 +1,6 @@
 {%- if grains.role == 'so-sensor' -%}
 {%- set mainint = salt['pillar.get']('sensor:mainint') %}
- {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint, salt['pillar.get']('sensor:mainip')) %}
+ {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %}
 {%- else %}
 {%- set ip = salt['pillar.get']('static:masterip') %}
 {%- endif -%}