CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-10 13:20:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8920 from Security-Onion-Solutions/dev

Browse Source 
Merge Dev into Foxtrot
This commit is contained in:
Mike Reeves
2022-10-17 09:34:57 -04:00
committed by GitHub
parent fd7a118664 0d807d20f4
commit 3c2510acd7
21 changed files with 231 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files
HOTFIX
-1
View File
@@ -1 +0,0 @@
README.md
+2 -2
View File
@@ -1,6 +1,6 @@
## Security Onion 2.3.150
## Security Onion 2.3.180
Security Onion 2.3.150 is here!
Security Onion 2.3.180 is here!
## Screenshots
VERIFY_ISO.md
+11 -11
View File
@@ -1,18 +1,18 @@
### 2.3.140-20220719 ISO image built on 2022/07/19
### 2.3.170-20220922 ISO image built on 2022/09/22
### Download and Verify
2.3.140-20220719 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso
2.3.170-20220922 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.170-20220922.iso
MD5: 68768DF9861B93BB8CC9637C80239803
SHA1: F15421C045227B334C7044E5F7F309A2BC7AEB19
SHA256: 4736E3E80E28EFBAB1923C121A3F78DBDBCBBBF65D715924A88B2E96EB3C6093
MD5: B45E38F72500CF302AE7CB3A87B3DB4C
SHA1: 06EC41B4B7E55453389952BE91B20AA465E18F33
SHA256: 634A2E88250DC7583705360EB5AD966D282FAE77AFFAF81676CB6D66D7950A3E
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.170-20220922.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.170-20220922.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.170-20220922.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.3.140-20220719.iso.sig securityonion-2.3.140-20220719.iso
gpg --verify securityonion-2.3.170-20220922.iso.sig securityonion-2.3.170-20220922.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Tue 19 Jul 2022 02:00:29 PM EDT using RSA key ID FE507013
gpg: Signature made Thu 22 Sep 2022 11:48:42 AM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
VERSION
+1 -1
View File
@@ -1 +1 @@
2.3.150
2.3.180
salt/common/tools/sbin/soup
+91 -43
View File
@@ -227,13 +227,13 @@ check_local_mods() {
echo ""
echo "To reference this list later, check $SOUP_LOG".
echo
if [[ -z $UNATTENDED ]]; then
if [[ -z $UNATTENDED ]] && ! [[ "${1}" == "skip-prompt" ]]; then
while true; do
read -p "Please review the local modifications shown above as they may cause problems during or after the update.
Would you like to proceed with the update anyway?
If so, type 'YES'. Otherwise, type anything else to exit SOUP." yn
If so, type 'YES'. Otherwise, type anything else to exit SOUP. " yn
case $yn in
[yY][eE][sS] ) echo "Local modifications accepted. Continuing..."; break;;
@@ -387,12 +387,7 @@ clone_to_tmp() {
}
elastalert_indices_check() {
# Stop Elastalert to prevent Elastalert indices from being re-created
if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
so-elastalert-stop || true
fi
echo "Checking Elastalert indices for compatibility..."
# Wait for ElasticSearch to initialize
echo -n "Waiting for ElasticSearch..."
COUNT=0
@@ -409,8 +404,8 @@ elastalert_indices_check() {
echo -n "."
fi
done
# Unable to connect to Elasticsearch
# Unable to connect to Elasticsearch
if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
@@ -418,39 +413,51 @@ elastalert_indices_check() {
exit 1
fi
# Check Elastalert indices
echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
CHECK_COUNT=0
while [[ "$CHECK_COUNT" -le 2 ]]; do
# Delete Elastalert indices
for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
so-elasticsearch-query $i -XDELETE;
MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
# Stop Elastalert to prevent Elastalert indices from being re-created
if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
so-elastalert-stop || true
fi
# Check Elastalert indices
echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
CHECK_COUNT=0
while [[ "$CHECK_COUNT" -le 2 ]]; do
# Delete Elastalert indices
for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
so-elasticsearch-query $i -XDELETE;
done
# Check to ensure Elastalert indices are deleted
COUNT=0
ELASTALERT_INDICES_DELETED="no"
while [[ "$COUNT" -le 240 ]]; do
RESPONSE=$(so-elasticsearch-query "elastalert*")
if [[ "$RESPONSE" == "{}" ]]; then
ELASTALERT_INDICES_DELETED="yes"
break
else
((COUNT+=1))
sleep 1
echo -n "."
fi
done
((CHECK_COUNT+=1))
done
# Check to ensure Elastalert indices are deleted
COUNT=0
ELASTALERT_INDICES_DELETED="no"
while [[ "$COUNT" -le 240 ]]; do
RESPONSE=$(so-elasticsearch-query elastalert*)
if [[ "$RESPONSE" == "{}" ]]; then
ELASTALERT_INDICES_DELETED="yes"
echo "Elastalert indices successfully deleted."
break
else
((COUNT+=1))
sleep 1
echo -n "."
fi
done
((CHECK_COUNT+=1))
done
# If we were unable to delete the Elastalert indices, exit the script
if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
echo
echo -e "Unable to connect to delete Elastalert indices. Exiting."
echo
exit 1
# If we were unable to delete the Elastalert indices, exit the script
if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
echo "Elastalert indices successfully deleted."
else
echo
echo -e "Unable to connect to delete Elastalert indices. Exiting."
echo
exit 1
fi
else
echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance."
fi
}
@@ -537,6 +544,10 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120
[[ "$INSTALLEDVERSION" == 2.3.120 ]] && up_to_2.3.130
[[ "$INSTALLEDVERSION" == 2.3.130 ]] && up_to_2.3.140
[[ "$INSTALLEDVERSION" == 2.3.140 ]] && up_to_2.3.150
[[ "$INSTALLEDVERSION" == 2.3.150 ]] && up_to_2.3.160
[[ "$INSTALLEDVERSION" == 2.3.160 ]] && up_to_2.3.170
[[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180
true
}
@@ -553,7 +564,10 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.3.110 ]] && post_to_2.3.120
[[ "$POSTVERSION" == 2.3.120 ]] && post_to_2.3.130
[[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140
[[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150
[[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160
[[ "$POSTVERSION" == 2.3.160 ]] && post_to_2.3.170
[[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180
true
}
@@ -637,7 +651,21 @@ post_to_2.3.140() {
POSTVERSION=2.3.140
}
post_to_2.3.150() {
echo "Nothing to do for .150"
}
post_to_2.3.160() {
echo "Nothing to do for .160"
}
post_to_2.3.170() {
echo "Nothing to do for .170"
}
post_to_2.3.180() {
echo "Nothing to do for .180"
}
stop_salt_master() {
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
@@ -913,6 +941,26 @@ up_to_2.3.140() {
INSTALLEDVERSION=2.3.140
}
up_to_2.3.150() {
echo "Upgrading to 2.3.150"
INSTALLEDVERSION=2.3.150
}
up_to_2.3.160() {
echo "Upgrading to 2.3.160"
INSTALLEDVERSION=2.3.160
}
up_to_2.3.170() {
echo "Upgrading to 2.3.170"
INSTALLEDVERSION=2.3.170
}
up_to_2.3.180() {
echo "Upgrading to 2.3.180"
INSTALLEDVERSION=2.3.180
}
verify_upgradespace() {
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
if [ "$CURRENTSPACE" -lt "10" ]; then
@@ -1398,7 +1446,7 @@ main() {
fi
echo "Checking for local modifications."
check_local_mods
check_local_mods skip-prompt
echo "Checking sudoers file."
check_sudoers
salt/curator/files/bin/so-curator-closed-delete-delete
+1 -1
View File
@@ -29,7 +29,7 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log"
overlimit() {
[[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]]
[[ $(du -hs --block-size=1GB /nsm/elasticsearch/indices | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]]
}
closedindices() {
salt/elasticsearch/files/ingest/sysmon
+64 -55
View File
@@ -9,61 +9,70 @@
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } },
{ "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } },
{ "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } },
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } },
{ "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } },
{ "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } },
{ "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } },
{ "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } },
{ "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } },
{ "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } },
{ "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } },
{ "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } },
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } },
{ "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } },
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } },
{ "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } },
{ "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } },
{ "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } },
{ "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } },
{ "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } },
{ "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } },
{ "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } },
{ "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } },
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
{ "kv": {"field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "kv": {"field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing":true } },
{ "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing":true } },
{ "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing":true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } },
{ "community_id": {} }
]
}
salt/elasticsearch/templates/component/so/so-scan-mappings.json
+31 -1
View File
@@ -62,10 +62,40 @@
}
}
}
}
},
"elf": {
"properties": {
"sections": {
"properties": {
"entropy": {
"type": "long"
}
}
}
}
}
}
}
}
}
}
}
salt/grafana/defaults.yaml
-12
View File
@@ -3085,12 +3085,6 @@ grafana:
y: 16
h: 8
w: 24
elasticsearch_pipeline_time_nontc_graph:
gridPos:
x: 0
y: 24
h: 8
w: 24
pipeline_overview_tc:
@@ -3140,9 +3134,3 @@ grafana:
y: 16
h: 8
w: 24
elasticsearch_pipeline_time_tc_graph:
gridPos:
x: 0
y: 24
h: 8
w: 24
salt/idstools/etc/rulecat.conf
+2 -2
View File
@@ -31,11 +31,11 @@
{%- elif RULESET == 'ETPRO' %}
--etpro={{ OINKCODE }}
{%- elif RULESET == 'TALOS' %}
--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
--url=https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode={{ OINKCODE }}
{%- endif %}
{%- endif %}
{%- if URLS != None %}
{%- for URL in URLS %}
--url={{ URL }}
{%- endfor %}
{%- endif %}
{%- endif %}
salt/kibana/bin/so-kibana-config-load
+1 -1
View File
@@ -59,7 +59,7 @@ update() {
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
for i in "${LINES[@]}"; do
RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
done
salt/kibana/files/config_saved_objects.ndjson
+1 -1
View File
@@ -1 +1 @@
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.3","id": "8.3.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.3","id": "8.4.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
salt/soc/files/soc/dashboards.queries.json
+8 -3
View File
@@ -2,10 +2,15 @@
{ "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
{ "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
{ "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Alerts", "description": "Show all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
{ "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"},
{ "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Sysmon Registry", "description": "Registry changes captured by Sysmon", "query": "(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject"},
{ "name": "Sysmon DNS", "description": "DNS queries captured by Sysmon", "query": "event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name"},
{ "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
{ "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
{ "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
{ "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
salt/soc/files/soc/hunt.eventfields.json
+10 -2
View File
@@ -49,5 +49,13 @@
"::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "log.full", "event.dataset", "event.module" ],
":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ]
}
":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ],
"::process_terminated": ["soc_timestamp", "process.executable", "process.pid", "winlog.computer_name"],
"::file_create": ["soc_timestamp", "file.target", "process.executable", "process.pid", "winlog.computer_name"],
"::registry_value_set": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
"::process_creation": ["soc_timestamp","process.command_line", "process.pid", "process.parent.executable", "process.working_directory"],
"::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
"::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"],
"::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"]
}
salt/soc/files/soc/presets.pap.json
+1 -1
View File
@@ -6,4 +6,4 @@
"red"
],
"customEnabled": false
}
}
salt/soc/files/soc/presets.tlp.json
+3 -2
View File
@@ -1,9 +1,10 @@
{
"labels": [
"white",
"clear",
"green",
"amber",
"amber+strict",
"red"
],
"customEnabled": false
}
}
salt/strelka/defaults.yaml
+4 -3
View File
@@ -1,9 +1,10 @@
strelka:
ignore:
- apt_flame2_orchestrator.yar
- apt_tetris.yar
- gen_susp_js_obfuscatorio.yar
- gen_webshells.yar
- generic_anomalies.yar
- general_cloaking.yar
- thor_inverse_matches.yar
- yara_mixed_ext_vars.yar
- gen_susp_js_obfuscatorio.yar
- apt_flame2_orchestrator.yar
- apt_tetris.yar
sigs/securityonion-2.3.140-20220812.iso.sig
BIN
View File
Binary file not shown.
sigs/securityonion-2.3.150-20220820.iso.sig
BIN
View File
Binary file not shown.
sigs/securityonion-2.3.160-20220829.iso.sig
BIN
View File
Binary file not shown.
sigs/securityonion-2.3.170-20220922.iso.sig
BIN
View File
Binary file not shown.