From 4c677961c4bbf35b7d0ee3cc3a14b4fb5a857b24 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 11 Aug 2022 08:49:25 -0400 Subject: [PATCH 01/35] FIX: Fix TLP options in Cases to align with TLP 2.0 #8469 --- salt/soc/files/soc/presets.tlp.json | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/salt/soc/files/soc/presets.tlp.json b/salt/soc/files/soc/presets.tlp.json index 6ef37164d..5ae860b28 100644 --- a/salt/soc/files/soc/presets.tlp.json +++ b/salt/soc/files/soc/presets.tlp.json @@ -1,9 +1,10 @@ { "labels": [ - "white", - "green", - "amber", - "red" + "CLEAR", + "GREEN", + "AMBER", + "AMBER+STRICT", + "RED" ], "customEnabled": false -} \ No newline at end of file +} From 4003876465bb26abafc2ce0ec5036f24fb88d849 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 11 Aug 2022 08:49:54 -0400 Subject: [PATCH 02/35] FIX: Fix TLP options in Cases to align with TLP 2.0 #8469 --- salt/soc/files/soc/presets.pap.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/soc/files/soc/presets.pap.json b/salt/soc/files/soc/presets.pap.json index 6ef37164d..22aca7536 100644 --- a/salt/soc/files/soc/presets.pap.json +++ b/salt/soc/files/soc/presets.pap.json @@ -1,9 +1,9 @@ { "labels": [ - "white", - "green", - "amber", - "red" + "WHITE", + "GREEN", + "AMBER", + "RED" ], "customEnabled": false -} \ No newline at end of file +} From 7bf26034140f78f206b2b32439e7f4dbb6e0733b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 11 Aug 2022 15:32:49 -0400 Subject: [PATCH 03/35] revert to lower case #8469 --- salt/soc/files/soc/presets.pap.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/soc/files/soc/presets.pap.json b/salt/soc/files/soc/presets.pap.json index 22aca7536..8b254b020 100644 --- a/salt/soc/files/soc/presets.pap.json +++ b/salt/soc/files/soc/presets.pap.json 
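Review bot: Replacing `white` with `CLEAR` in presets.tlp.json changes a closed label set (`customEnabled` stays `false`), so any case already stored with the legacy `white` value will no longer match a preset once this ships; the case change in presets.pap.json in PATCH 02 has the same effect if label matching is case-sensitive. Neither commit records whether existing case data is migrated, so a follow-up migration, or temporarily keeping the legacy value in the list, seems warranted — confirm against how the SOC case store compares these labels. PATCH 03 and PATCH 04 later return the labels to lower case, which restores the PAP values but still drops `white` from the TLP list.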
@@ -1,9 +1,9 @@ { "labels": [ - "WHITE", - "GREEN", - "AMBER", - "RED" + "white", + "green", + "amber", + "red" ], "customEnabled": false } From 32c29b28eba30bf6769539bf449b88ebedf948a6 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 11 Aug 2022 15:33:30 -0400 Subject: [PATCH 04/35] revert to lower case #8469 --- salt/soc/files/soc/presets.tlp.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/soc/files/soc/presets.tlp.json b/salt/soc/files/soc/presets.tlp.json index 5ae860b28..5cefe4ada 100644 --- a/salt/soc/files/soc/presets.tlp.json +++ b/salt/soc/files/soc/presets.tlp.json @@ -1,10 +1,10 @@ { "labels": [ - "CLEAR", - "GREEN", - "AMBER", - "AMBER+STRICT", - "RED" + "clear", + "green", + "amber", + "amber+strict", + "red" ], "customEnabled": false } From 179f669acfbaebe719f96b3bba83d9edca394054 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 12 Aug 2022 13:10:47 -0400 Subject: [PATCH 05/35] FIX: so-curator-closed-delete-delete needs to reference new Elasticsearch directory #8529 --- salt/curator/files/bin/so-curator-closed-delete-delete | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index b872a7aeb..5476b1390 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -29,7 +29,7 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log" overlimit() { - [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] + [[ $(du -hs --block-size=1GB /nsm/elasticsearch/indices | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] } closedindices() { From 86519d43dcbcebf435ac1ab488c01123ae378739 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 12 Aug 2022 13:20:15 -0400 Subject: [PATCH 06/35] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
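Review bot: `overlimit` compares whatever `du` prints against `{{LOG_SIZE_LIMIT}}` without checking that the new path exists, so if `/nsm/elasticsearch/indices` is absent on a node `du` writes only to stderr, the substitution is empty and `[[ "" -gt N ]]` quietly evaluates as false — the curator would then never consider the node over limit and the disk could fill unnoticed. A guard ahead of the `du`, such as `[[ -d /nsm/elasticsearch/indices ]] || { echo "overlimit: /nsm/elasticsearch/indices not found" >> "$LOG"; return 1; }`, makes that condition visible in the log the script already defines. The `-h` flag appears redundant next to `--block-size=1GB`; if GNU du lets the later block-size option win, as I believe it does, it is harmless but misleading, so dropping it would state the intent more clearly. PATCH 07 re-applies this identical hunk.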
diff --git a/HOTFIX b/HOTFIX index 8ab213017..4641686bb 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20220719 +20220815 From 991a601a3d99156cd79fca6c690decd993fb05e3 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 12 Aug 2022 13:21:06 -0400 Subject: [PATCH 07/35] FIX: so-curator-closed-delete-delete needs to reference new Elasticsearch directory #8529 --- salt/curator/files/bin/so-curator-closed-delete-delete | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index b872a7aeb..5476b1390 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -29,7 +29,7 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log" overlimit() { - [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] + [[ $(du -hs --block-size=1GB /nsm/elasticsearch/indices | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] } closedindices() { From 3f435c5c1ac80dba719f630940efb531c8133ee7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 15 Aug 2022 13:03:25 -0400 Subject: [PATCH 08/35] 2.3.140 Hotfix --- HOTFIX | 2 +- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.140-20220812.iso.sig | Bin 0 -> 543 bytes 3 files changed, 12 insertions(+), 12 deletions(-) create mode 100644 sigs/securityonion-2.3.140-20220812.iso.sig diff --git a/HOTFIX b/HOTFIX index 4641686bb..4ef69f63b 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20220815 +20220719 20220812 \ No newline at end of file diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 73735f3b7..cd5959ce8 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,18 +1,18 @@ -### 2.3.140-20220719 ISO image built on 2022/07/19 +### 2.3.140-20220812 ISO image built on 2022/08/12 ### Download and Verify -2.3.140-20220719 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso +2.3.140-20220812 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220812.iso -MD5: 68768DF9861B93BB8CC9637C80239803 -SHA1: F15421C045227B334C7044E5F7F309A2BC7AEB19 -SHA256: 4736E3E80E28EFBAB1923C121A3F78DBDBCBBBF65D715924A88B2E96EB3C6093 +MD5: 13D4A5D663B5A36D045B980E5F33E6BC +SHA1: 85DC36B7E96575259DFD080BC860F6508D5F5899 +SHA256: DE5D0F82732B81456180AA40C124E5C82688611941EEAF03D85986806631588C Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220812.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220719.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220812.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220719.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220812.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.140-20220719.iso.sig securityonion-2.3.140-20220719.iso +gpg --verify securityonion-2.3.140-20220812.iso.sig securityonion-2.3.140-20220812.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 19 Jul 2022 02:00:29 PM EDT using RSA key ID FE507013 +gpg: Signature made Fri 12 Aug 2022 03:59:11 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.140-20220812.iso.sig b/sigs/securityonion-2.3.140-20220812.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..2db1b2c9195027703cf9ccea3f63f8bfa4de8caf GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;FBu@3+W2@re`V7LBIa1+Xm5Bv^PnS-6o1%XH*V-ils zH6x5QsnI1`jgg-1Ob~QFVaJC72*OVcLEQw`o*jQ5Ks;m#&oLDC+`O;Hh?>KUzu@_+ z0@}bO*Hw|I{b*ZJ=Pv&r4D}$IHOr`*7l=bhS7{pI6kv)%`x!R1Wx({CGNulA?30iQ zH0V;-(7gn4KAU8;soTX8u7ICWE;H<)jrS{9rtWC{azaYv4k-LkRIhH8M}uO%@=2ag+_kDEnTDSqQnQ$({%eI08Y=)fXz$(}G2 zJ!t9y2Q*>{g=IeU^ulMIl3y?i?);&y8!C;eyFBn(M^W2Dn>=mMWh~sfNR|4^hQU3} zQ$Amz&lih=XhnI<-6+@@tz z)p@+N6pw$s*QZ1*o%xfj_c?Q>DdD}6o`vpthuxpQ8n!BPRKn`@m*5b17T`|Dt>YCa zpyO7n-BXZBiLrmIn@?r?524_QfS Date: Wed, 17 Aug 2022 09:17:27 -0400 Subject: [PATCH 09/35] remove pipeline time panel - https://github.com/Security-Onion-Solutions/securityonion/issues/8369 --- salt/grafana/defaults.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/salt/grafana/defaults.yaml b/salt/grafana/defaults.yaml index 024fd5dfd..8714381d3 100644 --- a/salt/grafana/defaults.yaml +++ b/salt/grafana/defaults.yaml @@ -3085,12 +3085,6 @@ grafana: y: 16 h: 8 w: 24 - elasticsearch_pipeline_time_nontc_graph: - gridPos: - x: 0 - y: 24 - h: 8 - w: 24 pipeline_overview_tc: @@ -3140,9 +3134,3 @@ grafana: y: 16 h: 8 w: 24 - elasticsearch_pipeline_time_tc_graph: - gridPos: - x: 0 - y: 24 - h: 8 - w: 24 From 5deda45b6618bd722f78b36cb5ce05fb139701a7 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Thu, 18 Aug 2022 09:11:38 -0400 Subject: [PATCH 10/35] Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8 Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8. Also clean up the output to only emit one notification regarding index deletion, and additional verbiage around function operation. --- salt/common/tools/sbin/soup | 85 ++++++++++++++++++++----------------- 1 file changed, 46 insertions(+), 39 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 09d1dc141..85ef432d1 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -387,12 +387,7 @@ clone_to_tmp() { } elastalert_indices_check() { - - # Stop Elastalert to prevent Elastalert indices from being re-created - if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then - so-elastalert-stop || true - fi - + echo "Checking Elastalert indices for compatibility..." # Wait for ElasticSearch to initialize echo -n "Waiting for ElasticSearch..." COUNT=0 @@ -409,8 +404,8 @@ elastalert_indices_check() { echo -n "." fi done - - # Unable to connect to Elasticsearch + + # Unable to connect to Elasticsearch if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then echo echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" 
@@ -418,39 +413,51 @@ elastalert_indices_check() { exit 1 fi - # Check Elastalert indices - echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." - CHECK_COUNT=0 - while [[ "$CHECK_COUNT" -le 2 ]]; do - # Delete Elastalert indices - for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do - so-elasticsearch-query $i -XDELETE; + MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1) + if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then + + # Stop Elastalert to prevent Elastalert indices from being re-created + if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then + so-elastalert-stop || true + fi + + # Check Elastalert indices + echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." + CHECK_COUNT=0 + while [[ "$CHECK_COUNT" -le 2 ]]; do + # Delete Elastalert indices + for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do + so-elasticsearch-query $i -XDELETE; + done + + # Check to ensure Elastalert indices are deleted + COUNT=0 + ELASTALERT_INDICES_DELETED="no" + while [[ "$COUNT" -le 240 ]]; do + RESPONSE=$(so-elasticsearch-query "elastalert*") + if [[ "$RESPONSE" == "{}" ]]; then + ELASTALERT_INDICES_DELETED="yes" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi + done + ((CHECK_COUNT+=1)) done - # Check to ensure Elastalert indices are deleted - COUNT=0 - ELASTALERT_INDICES_DELETED="no" - while [[ "$COUNT" -le 240 ]]; do - RESPONSE=$(so-elasticsearch-query elastalert*) - if [[ "$RESPONSE" == "{}" ]]; then - ELASTALERT_INDICES_DELETED="yes" - echo "Elastalert indices successfully deleted." - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi - done - ((CHECK_COUNT+=1)) - done - - # If we were unable to delete the Elastalert indices, exit the script - if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then - echo - echo -e "Unable to connect to delete Elastalert indices. Exiting." 
- echo - exit 1 + # If we were unable to delete the Elastalert indices, exit the script + if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then + echo "Elastalert indices successfully deleted." + else + echo + echo -e "Unable to connect to delete Elastalert indices. Exiting." + echo + exit 1 + fi + else + echo "Major Elasticsearch version is greater than 7...skipping Elastalert index maintenance." fi } From fbf0803906970653f5f403042198a3245622315f Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 18 Aug 2022 09:16:22 -0400 Subject: [PATCH 11/35] Update verbiage around major Elasticsearch version and not requiring Elastalert index maintenance --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 85ef432d1..8971e4371 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -457,7 +457,7 @@ elastalert_indices_check() { exit 1 fi else - echo "Major Elasticsearch version is greater than 7...skipping Elastalert index maintenance." + echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance." fi } From fea2b481e33a5ff48b9dc8ab005a15605872691d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 19 Aug 2022 13:12:49 -0400 Subject: [PATCH 12/35] Update rulecat.conf --- salt/idstools/etc/rulecat.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 2b1a8cae1..a799bba4b 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf 
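Review bot: The new version gate at `MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)` fails open: if the query returns something `jq` cannot parse, the variable is empty or the literal `null`, and bash evaluates both `[[ "" -lt "8" ]]` and `[[ "null" -lt "8" ]]` as 0 < 8, so a failed probe takes the destructive branch and deletes the Elastalert indices. Checking the value is numeric first, `if [[ "$MAJOR_ES_VERSION" =~ ^[0-9]+$ ]] && [[ "$MAJOR_ES_VERSION" -lt 8 ]]; then`, and otherwise exiting with a message that the version could not be determined closes that gap. Inside the delete loop, `so-elasticsearch-query $i -XDELETE` leaves `$i` unquoted and `grep elastalert` matches the substring anywhere on the `_cat/indices` line, so an unrelated index whose name merely contains `elastalert` would also be removed; quoting `"$i"` and restricting the match to the index column (for example `awk '$3 ~ /^elastalert/ {print $3}'`) is cheap. The function's opening line is outside this hunk.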
@@ -31,11 +31,11 @@ {%- elif RULESET == 'ETPRO' %} --etpro={{ OINKCODE }} {%- elif RULESET == 'TALOS' %} ---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} +--url=https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode={{ OINKCODE }} {%- endif %} {%- endif %} {%- if URLS != None %} {%- for URL in URLS %} --url={{ URL }} {%- endfor %} -{%- endif %} \ No newline at end of file +{%- endif %} From f00d9074ffff7470a270172846df28d10aea1d1a Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 19 Aug 2022 16:07:14 -0400 Subject: [PATCH 13/35] Allow local modification acceptance prompt to be skipped when passing 'skip-prompt' as a parameter value to check_local_mods() function --- salt/common/tools/sbin/soup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 8971e4371..51eaafa52 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -227,13 +227,13 @@ check_local_mods() { echo "" echo "To reference this list later, check $SOUP_LOG". echo - if [[ -z $UNATTENDED ]]; then + if [[ -z $UNATTENDED ]] && ! [[ "${1}" == "skip-prompt" ]]; then while true; do read -p "Please review the local modifications shown above as they may cause problems during or after the update. Would you like to proceed with the update anyway? -If so, type 'YES'. Otherwise, type anything else to exit SOUP." yn +If so, type 'YES'. Otherwise, type anything else to exit SOUP. " yn case $yn in [yY][eE][sS] ) echo "Local modifications accepted. Continuing..."; break;; @@ -1405,7 +1405,7 @@ main() { fi echo "Checking for local modifications." - check_local_mods + check_local_mods skip-prompt echo "Checking sudoers file." check_sudoers From 33ebed34688d4b1c8ca74ddad0a6e85fcbf21393 Mon Sep 17 00:00:00 2001 
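Review bot: With `main()` now calling `check_local_mods skip-prompt`, the only call site visible in this diff never reaches the confirmation prompt, so the `read -p` path that asks the operator to acknowledge local modifications before the update proceeds becomes dead code unless another caller outside the diff still invokes `check_local_mods` without the argument — worth confirming, since that acknowledgement is the one place an admin is warned that local changes may be overwritten. If skipping is intended for `main()`, the skip should at least be logged next to the modification list so `$SOUP_LOG` records that no acknowledgement was collected. On the condition itself, `! [[ "${1}" == "skip-prompt" ]]` reads more naturally as `[[ "${1}" != "skip-prompt" ]]`, and the new argument deserves a comment above the function, e.g. `# check_local_mods [skip-prompt]: list local modifications; with skip-prompt, do not ask for acknowledgement`. The function's opening line is outside the first hunk.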
From: Mike Reeves Date: Mon, 22 Aug 2022 14:31:04 -0400 Subject: [PATCH 14/35] 2.3.150 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.150-20220820.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.150-20220820.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index cd5959ce8..b8555c3b2 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.140-20220812 ISO image built on 2022/08/12 +### 2.3.150-20220820 ISO image built on 2022/08/12 ### Download and Verify -2.3.140-20220812 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220812.iso +2.3.150-20220820 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.150-20220820.iso -MD5: 13D4A5D663B5A36D045B980E5F33E6BC -SHA1: 85DC36B7E96575259DFD080BC860F6508D5F5899 -SHA256: DE5D0F82732B81456180AA40C124E5C82688611941EEAF03D85986806631588C +MD5: D2C0B67F19C18F0AB6FD1EC9B1E4034A +SHA1: F14BF42C6C634BDECA654B169FE6815BB6798F70 +SHA256: 9E37E5CCCBD209486EB79E8F991DE83F64E2208D32E5B56F8E0A6C3933EB42AC Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220812.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.150-20220820.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220812.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.150-20220820.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220812.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.150-20220820.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.140-20220812.iso.sig securityonion-2.3.140-20220812.iso +gpg --verify securityonion-2.3.150-20220820.iso.sig securityonion-2.3.150-20220820.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Fri 12 Aug 2022 03:59:11 PM EDT using RSA key ID FE507013 +gpg: Signature made Sat 20 Aug 2022 08:07:10 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.150-20220820.iso.sig b/sigs/securityonion-2.3.150-20220820.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..68a5a7a543c2c3871fa98eb0248c3bb3999cac80 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;FMcP;=52@re`V7LBIa1*W)5BmkfBc)l{3YG*lH_;dw z$TS0UP_=C3V%Vs`NwiW=z##7x2Zi{6Ryc}Vzu&#Ji2(NB?&9ZE)ti&*y4v}st38tRim|&eG7z0%K8Oi;k4Tz z^5zPxZx(X;Cpuk^RJm+pV;~9ZLaL?AvP!~_mm1h9_a|8S2|=e&zP|(y{aHPJQi}vk zFRn<>GXnSY^HxqUiQ~T~HJu0~V18uhIXVO@ zg)D^%;=UL~uF2!4z_R(gEr1v-5zRpiv(7L6l71l%udD}7K6=Hvx2655>>`xyV)dqx zr)gHH*RhmBD1aOvGU&=xePws1sq@JocqsJFhpM*haa)3u<$ZU3 zrIpBbB^mrp%<=O7_vv^CEZ&dWgG+Lm1HkNG-W}hE3Dzuc7H?6rQnD;oyI>#LI`f5f hana1<6eb{L}*xkLIJ>DmVk7mZ%(y2QdHu literal 0 HcmV?d00001 From bd7b4c92bc7a70f6cd0ea86a263cf823a99f8899 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 22 Aug 2022 14:31:36 -0400 Subject: [PATCH 15/35] 2.3.150 --- VERIFY_ISO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index b8555c3b2..0ff07c6e3 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,4 +1,4 @@ -### 2.3.150-20220820 ISO image built on 2022/08/12 +### 2.3.150-20220820 ISO image built on 2022/08/20 From 2e32c0d236efc099ee1f55b12ee7f054d2671497 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Aug 2022 07:00:14 -0400 Subject: [PATCH 16/35] Increment version to 2.3.160 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 70a2b29d7..7401275df 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.150 +2.3.160 From 2128550df22f573e2d92f9dcf68e82ce4a8b093a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 26 Aug 2022 07:50:08 -0400 Subject: [PATCH 17/35] increment to 2.3.160 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 170bb0039..cfb90fe85 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ -## Security Onion 2.3.150 +## Security Onion 2.3.160 -Security Onion 2.3.150 is here! +Security Onion 2.3.160 is here! ## Screenshots From 30b9868de105135a46462e62673ebebedb0e191b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Aug 2022 09:32:46 -0400 Subject: [PATCH 18/35] Update soup --- salt/common/tools/sbin/soup | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 51eaafa52..b78816e87 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -544,6 +544,8 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120 [[ "$INSTALLEDVERSION" == 2.3.120 ]] && up_to_2.3.130 [[ "$INSTALLEDVERSION" == 2.3.130 ]] && up_to_2.3.140 + [[ "$INSTALLEDVERSION" == 2.3.140 ]] && up_to_2.3.150 + [[ "$INSTALLEDVERSION" == 2.3.150 ]] && up_to_2.3.160 true } @@ -560,6 +562,8 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.110 ]] && post_to_2.3.120 [[ "$POSTVERSION" == 2.3.120 ]] && post_to_2.3.130 [[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140 + [[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150 + [[ "$POSTVERSION" == 2.3.150 ]] $$ post_to_2.3.160 true @@ -644,7 +648,13 @@ post_to_2.3.140() { POSTVERSION=2.3.140 } +post_to_2.3.150() { + echo "Nothing to do for .150" +} +post_to_2.3.160() { + echo "Nothing to do for .160" +} stop_salt_master() { # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts @@ -920,6 +930,16 @@ up_to_2.3.140() { INSTALLEDVERSION=2.3.140 } +up_to_2.3.150() { + echo "Upgrading to 2.3.150" + INSTALLEDVERSION=2.3.150 +} + +up_to_2.3.160() { + echo "Upgrading to 2.3.160" + INSTALLEDVERSION=2.3.160 +} + verify_upgradespace() { CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//') if [ "$CURRENTSPACE" -lt "10" ]; then From 8a0e92cc6f63e8121f98d99447d3f15524b77a86 Mon Sep 17 00:00:00 2001 
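Review bot: The new `post_to_2.3.150()` and `post_to_2.3.160()` do not set `POSTVERSION`, unlike the adjacent `post_to_2.3.140()` whose body ends with `POSTVERSION=2.3.140`, so the `[[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160` step in `postupgrade_changes()` can never fire for a node that entered the chain at 2.3.140 or earlier. That is harmless today because both functions only echo, but the first release that needs real post-upgrade work will be silently skipped; adding `POSTVERSION=2.3.150` and `POSTVERSION=2.3.160` to the respective functions keeps the chain consistent with the `up_to_*` functions in the last hunk, which do set `INSTALLEDVERSION`. The `$$` typo on the 2.3.160 line of `postupgrade_changes()` is corrected in PATCH 20 of this series. The enclosing functions begin outside their hunks.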
From: weslambert Date: Mon, 29 Aug 2022 09:37:29 -0400 Subject: [PATCH 19/35] Add 'gen_webshells.yar' and re-arrange to put ignored rules in alphabetical order --- salt/strelka/defaults.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 2a3805283..2ac90ede3 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -1,9 +1,10 @@ strelka: ignore: + - apt_flame2_orchestrator.yar + - apt_tetris.yar + - gen_susp_js_obfuscatorio.yar + - gen_webshells.yar - generic_anomalies.yar - general_cloaking.yar - thor_inverse_matches.yar - yara_mixed_ext_vars.yar - - gen_susp_js_obfuscatorio.yar - - apt_flame2_orchestrator.yar - - apt_tetris.yar From e62bebeafe74e94151a5328ee05de127cf99d05a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Aug 2022 09:39:41 -0400 Subject: [PATCH 20/35] Update soup --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b78816e87..ba0d6a778 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -563,7 +563,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.120 ]] && post_to_2.3.130 [[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140 [[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150 - [[ "$POSTVERSION" == 2.3.150 ]] $$ post_to_2.3.160 + [[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160 true From 33cb771780fa10665ba72691892fa58ec41da7ba Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Aug 2022 14:56:43 -0400 Subject: [PATCH 21/35] 2.3.160 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.160-20220829.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.160-20220829.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 0ff07c6e3..fb05d5c30 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
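Review bot: The reordering leaves `generic_anomalies.yar` ahead of `general_cloaking.yar`, which is not alphabetical (`general` sorts before `generic`), so the list still does not match what the commit title promises; swapping those two lines completes it. More importantly, adding `gen_webshells.yar` to `strelka.ignore` removes an entire rule set from YARA scanning and neither the diff nor the commit message records why; a trailing comment on that entry, e.g. `- gen_webshells.yar  # ignored because: <reason — TODO confirm>`, would let a future reviewer judge whether the detection-coverage loss is still justified.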
@@ -1,18 +1,18 @@ -### 2.3.150-20220820 ISO image built on 2022/08/20 +### 2.3.160-20220829 ISO image built on 2022/08/29 ### Download and Verify -2.3.150-20220820 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.150-20220820.iso +2.3.160-20220829 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.160-20220829.iso -MD5: D2C0B67F19C18F0AB6FD1EC9B1E4034A -SHA1: F14BF42C6C634BDECA654B169FE6815BB6798F70 -SHA256: 9E37E5CCCBD209486EB79E8F991DE83F64E2208D32E5B56F8E0A6C3933EB42AC +MD5: CED26ED960F4F778DB59FB9A4AEC88A7 +SHA1: FF4934B4C76277A88366129FB5F1373A5CF27009 +SHA256: 5648846866676F7C92DA0BDBB0503EF9C73E2C58A3C11FE87F041C100A22F795 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.150-20220820.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.160-20220829.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.150-20220820.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.160-20220829.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.150-20220820.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.160-20220829.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.150-20220820.iso.sig securityonion-2.3.150-20220820.iso +gpg --verify securityonion-2.3.160-20220829.iso.sig securityonion-2.3.160-20220829.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sat 20 Aug 2022 08:07:10 PM EDT using RSA key ID FE507013 +gpg: Signature made Mon 29 Aug 2022 12:03:30 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.160-20220829.iso.sig b/sigs/securityonion-2.3.160-20220829.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..56e08f1cd7c2b4138e880bb5abca668b278a72b9 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;FX<5B<$2@re`V7LBIa1-885C2Rt!}2`ZHcre#^!Tf*1go#VG)}<# z4hPWBYcjVnHCVA+W`_2w3h1ngv9yjS?U%i`>ln*Hm&5h9iiE{C__a(v6G=T71;&+~ zNY*PbcgK#5hABiBynHW6vpRJ2oA$+tpQCOph@ImY8CVcb0YmS4P{?QA9;rj*^^Sbu z%)}R0ZFG5~ExItX;_(4O3bAq3q!O2PPV!y^!;X9ijBV$kI}Gct3?v@o9dEB$BzhYU zd^bT23dpk`sYr!Cgwg(81CgNXkANulJMKyB-ug&Q%eNvz)u8dX!GtZAsl@|~nNs8$ zi0mt<_&pfG6cDUi$I*;ex31GoC^H4sT0TW2E0q0^CD-gH2qh}#2 Date: Tue, 30 Aug 2022 13:48:53 +0000 Subject: [PATCH 22/35] Fix issues: 8591-8953 --- salt/elasticsearch/files/ingest/sysmon | 119 ++++++++++-------- .../component/so/so-scan-mappings.json | 32 ++++- salt/soc/files/soc/hunt.eventfields.json | 12 +- 3 files changed, 105 insertions(+), 58 deletions(-) diff --git a/salt/elasticsearch/files/ingest/sysmon b/salt/elasticsearch/files/ingest/sysmon index e4db4bcb4..5fa0e1005 100644 --- a/salt/elasticsearch/files/ingest/sysmon +++ b/salt/elasticsearch/files/ingest/sysmon 
@@ -9,61 +9,70 @@ { "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } }, { "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } }, - { "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } }, - { "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } }, - { "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } }, - { "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } }, - { "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } }, - { "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } }, - { "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, - { "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, - { "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } }, - { "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } }, - { "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, - { "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } }, - { "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, - { "set": { "if": 
"ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, - { "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } }, - { "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } }, - { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, - { "rename": { "field": 
"winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.parentProcessGuid", 
"target_field": "process.parent.entity_id", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } }, - { "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } }, + { "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } }, + { "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } }, + { "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } }, + { "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } }, + { "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } }, + { "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true 
} }, + { "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, + { "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, + { "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } }, + { "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } }, + { "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, + { "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } }, + { "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, + { "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, + { "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } }, + { "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } }, + { "kv": {"field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } }, + { "kv": {"field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } }, + { "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing":true } }, + { "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing":true } }, + { "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing":true } }, + { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": 
"winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } }, + { "rename": { "field": 
"winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.parentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Protocol", "target_field": 
"network.transport", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } }, + { "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } }, + { "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } }, { "community_id": {} } ] } diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json index 23e6142fc..87c959bfc 100644 --- a/salt/elasticsearch/templates/component/so/so-scan-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json @@ -62,10 +62,40 @@ } } } - } + }, + "elf": { + "properties": { + "sections": { + "properties": { + "entropy": { + "type": "long" + } + } + } + } + } } } } } } } + + + + + + + + + + + + + + + + + + + diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 418cd4d87..0c7959b70 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json 
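Review bot: The hash extraction re-homes only three of the four hash types Sysmon can be configured to emit: after the `kv` split of `winlog.event_data.Hashes`/`Hash` into `file.hash`, the renames cover `file.hash.IMPHASH`, `file.hash.MD5` and `file.hash.SHA256`, but a `SHA1=` entry is left behind as `file.hash.SHA1`, an uppercase key unlike anything else the pipeline produces and one that presumably falls to dynamic mapping on first sight. Adding `{ "rename": { "field": "file.hash.SHA1", "target_field": "hash.sha1", "ignore_missing": true } }` beside the other three keeps all four on the same lowercase `hash.*` scheme. The new `QueryResults` rename also places the raw answer string under `dns.answers.name`; if `dns.answers` is mapped as an object or nested array elsewhere in the templates, that produces an object-shaped `dns.answers` holding one unparsed string — worth confirming against the index template. Style: the three `file.hash.*` renames write `"ignore_missing":true` without the space every other processor in this hunk uses.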
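Review bot: `elf.sections.entropy` is mapped as `long`, but entropy is normally a fractional value (the usual 0–8 bits-per-byte scale); with Elasticsearch's default coercion a value such as 7.3 is stored as 7, so a `long` mapping silently discards the resolution that makes the field useful for spotting packed or encrypted sections. Unless the producer is known to emit integers, `"type": "float"` (or `double`) is the safer choice. The hunk also appends a run of whitespace-only `+` lines after the file's closing brace; they carry nothing and are likely to show up as churn in every later diff of this file.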
@@ -49,5 +49,13 @@
 "::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "log.full", "event.dataset", "event.module" ],
 ":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
 ":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
- ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ]
- }
+ ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ],
+ "::process_terminated": ["soc_timestamp", "process.executable", "process.pid", "winlog.computer_name"],
+ "::file_create": ["soc_timestamp", "file.target", "process.executable", "process.pid", "winlog.computer_name"],
+ "::registry_value_set": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
+ "::process_creation": ["soc_timestamp","process.command_line", "process.pid", "process.parent.executable", "process.working_directory"],
+ "::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
+ "::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"],
+ "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"]
+
+}
From 001b2dc6cca3cfc20b1b917460c2454cbca6068a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 30 Aug 2022 14:39:41 -0400
Subject: [PATCH 23/35] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 7401275df..c9583b108 100644
--- a/VERSION
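Review bot: `::process_creation` is the one new entry that omits `winlog.computer_name`, so pivoting from any sibling Sysmon view (`::process_terminated`, `::file_create`, …) into process-creation events loses the host column; unless that is deliberate, appending `"winlog.computer_name"` (and arguably `process.executable`, which every other new entry carries) keeps the column set consistent across the datasets. The `::file_create_stream_hash` entry lists `hash.md5` and `hash.sha256`, which exist only when the ingest pipeline's rename processors fire, so those columns stay empty on sensors that hash with a different algorithm — worth recording next to the pipeline so the dependency is not lost. Style: `"soc_timestamp","process.command_line"` in the `::process_creation` line lacks the space after the comma that every other entry uses.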
+++ b/VERSION @@ -1 +1 @@ -2.3.160 +2.3.170 From 2f260a785f39f9b6ebd9a9f0b3b57e390db3be0d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Aug 2022 14:41:41 -0400 Subject: [PATCH 24/35] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cfb90fe85..a39bcf92f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.160 +## Security Onion 2.3.170 -Security Onion 2.3.160 is here! +Security Onion 2.3.170 is here! ## Screenshots From 27a837369daed6f9aeaaf8a6c36da21a1cbdf35e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 30 Aug 2022 16:09:57 -0400 Subject: [PATCH 25/35] Upgrade Elastic to 8.4.1 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 7b49f5a94..83edeba6a 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From e171dd52b8ac5aa8a25f8c8d0a4f7654e571d38a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 30 Aug 2022 16:11:40 -0400 Subject: [PATCH 26/35] Upgrade Elastic to 8.4.1 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index a8dc56f32..68beb2dab 100644 
--- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.3","id": "8.3.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.1","id": "8.4.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From b8355b3a0331c2c9a3e8ab2509e90fbe7654b9ce Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Sep 2022 09:10:12 -0400 Subject: [PATCH 27/35] Update soup --- salt/common/tools/sbin/soup | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index ba0d6a778..9fdefad79 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -546,6 +546,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.130 ]] && up_to_2.3.140 [[ "$INSTALLEDVERSION" == 2.3.140 ]] && up_to_2.3.150 [[ "$INSTALLEDVERSION" == 2.3.150 ]] && up_to_2.3.160 + [[ "$INSTALLEDVERSION" == 2.3.160 ]] && up_to_2.3.170 true } 
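Review bot: The new `[[ "$INSTALLEDVERSION" == 2.3.160 ]] && up_to_2.3.170` guard is reachable on a grid several releases behind only because each earlier `up_to_*` step rewrites `INSTALLEDVERSION` (the `up_to_2.3.160` context in a later hunk shows `INSTALLEDVERSION=2.3.160`), so the chain walks every step in order; that ordering dependency is not stated anywhere near the guards, and a one-line comment at the top of the chain such as `# each up_to_* step sets INSTALLEDVERSION so the next guard fires; keep this list in ascending version order` would make it explicit. The same applies to the `POSTVERSION` chain and the `post_to_2.3.170`/`up_to_2.3.170` definitions in the three following hunks of this file. `preupgrade_changes` and `postupgrade_changes` both start outside their hunks. Every release now needs the same four edits in this file (two guards, two functions); a version list iterated in order would cut the chance of a future release missing one of them.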
@@ -564,6 +565,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140
 [[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150
 [[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160
+ [[ "$POSTVERSION" == 2.3.160 ]] && post_to_2.3.170
 true
@@ -656,6 +658,10 @@ post_to_2.3.160() {
 echo "Nothing to do for .160"
 }
+post_to_2.3.170() {
+ echo "Nothing to do for .170"
+}
+
 stop_salt_master() {
 # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
 set +e
@@ -940,6 +946,11 @@ up_to_2.3.160() {
 INSTALLEDVERSION=2.3.160
 }
+up_to_2.3.170() {
+ echo "Upgrading to 2.3.170"
+ INSTALLEDVERSION=2.3.170
+}
+
 verify_upgradespace() {
 CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
 if [ "$CURRENTSPACE" -lt "10" ]; then
From fd59acce5da43a809b05aaf437eb829a971f54b5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 23 Sep 2022 15:26:14 -0400
Subject: [PATCH 28/35] 2.3.170
---
 VERIFY_ISO.md | 22 ++++++++++----------
 sigs/securityonion-2.3.170-20220922.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.170-20220922.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index fb05d5c30..2d7853050 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@ -### 2.3.160-20220829 ISO image built on 2022/08/29 +### 2.3.170-20220922 ISO image built on 2022/09/22 ### Download and Verify -2.3.160-20220829 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.160-20220829.iso +2.3.170-20220922 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.170-20220922.iso -MD5: CED26ED960F4F778DB59FB9A4AEC88A7 -SHA1: FF4934B4C76277A88366129FB5F1373A5CF27009 -SHA256: 5648846866676F7C92DA0BDBB0503EF9C73E2C58A3C11FE87F041C100A22F795 +MD5: B45E38F72500CF302AE7CB3A87B3DB4C +SHA1: 06EC41B4B7E55453389952BE91B20AA465E18F33 +SHA256: 634A2E88250DC7583705360EB5AD966D282FAE77AFFAF81676CB6D66D7950A3E Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.160-20220829.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.170-20220922.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.160-20220829.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.170-20220922.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.160-20220829.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.170-20220922.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.160-20220829.iso.sig securityonion-2.3.160-20220829.iso +gpg --verify securityonion-2.3.170-20220922.iso.sig securityonion-2.3.170-20220922.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 29 Aug 2022 12:03:30 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 22 Sep 2022 11:48:42 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.170-20220922.iso.sig b/sigs/securityonion-2.3.170-20220922.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..4c15c7b442997afde55b89770ed4b97d153ab745 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;F%gW3QJ2@re`V7LBIa1)E65CE}+ol5T9K?uLcULoIS zQ%+OzvrgzkI3#r+Z-4QsZw$Xakq_U1W4{Z@)~LBn@)fyb5HYY#0-uOe$YkCa7S+hB zSO%>1q?NPCSDIMD7f0pDdID)nAss_kTwq)=pc)S(6MKe}i{y6F9|qQ3#PnCKXHE5S zWi%lxBP#iXf865=Awk!(ljUEub#?A*bs%b`1;bc!&|_3SHD$_zbb-reTv4{<{!`zd zApkaCnu7D9kuQDLQw(o>HF#0IS3Q*$RaM~q7Gtsvl1EpKsIw|XV5)zZ$7zP*-&@v+ z@?>?DQwbGw3whF}(QZ}UliyPhkWmEWeSoA=|DzpwQthZJ1b{o>w*%H&z8G-8X+N6# z1jb@5G_Z9}?(L{^A*B-kCUuGzV5b7d60E8@_Y7<~gHrP)=&#Ei5ixJc{{URAbzeqI0#AOf0yIbW5=7z`n}mBB hq5CnPIkmXIu}@!cW!j~sHvOti$<-Cz;Ll56vRKPE{&oNW literal 0 HcmV?d00001 From 8dc11ea23aebd4ccca4159babb8e283055fca6fe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 3 Oct 2022 08:43:39 -0400 Subject: [PATCH 29/35] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index c9583b108..8826786d1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.170 +2.3.180 From 44d46b06a2b423ed43b8e0231b8f4d8d66ebcadf Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 7 Oct 2022 06:58:07 -0400 Subject: [PATCH 30/35] increment version to 2.3.180 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a39bcf92f..ed8c481a7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.170 +## Security Onion 2.3.180 -Security Onion 2.3.170 is here! +Security Onion 2.3.180 is here! ## Screenshots From 9991f0cf958466b27acd265fd7946d9120d5f464 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 7 Oct 2022 07:02:24 -0400 Subject: [PATCH 31/35] update Elastic to 8.4.3 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 83edeba6a..ee0fae3e1 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From ab17cbee3143411a5d6ba6f5739286b27c71b3ea Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 7 Oct 2022 07:03:10 -0400 Subject: [PATCH 32/35] Update Elastic to 8.4.3 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 68beb2dab..29bbfd84e 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.1","id": "8.4.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.3","id": "8.4.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 454a7a4799da5355dcc3365f74c9052cc37c98e1 Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 7 Oct 2022 11:52:49 -0400 Subject: [PATCH 33/35] FEATURE: Add new Sysmon dashboards #8870 --- salt/soc/files/soc/dashboards.queries.json | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index 7169fd472..0384510aa 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json 
@@ -2,10 +2,15 @@
 { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
 { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
- { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
- { "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"},
+ { "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Sysmon Registry", "description": "Registry changes captured by Sysmon", "query": "(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject"},
+ { "name": "Sysmon DNS", "description": "DNS queries captured by Sysmon", "query": "event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name"},
+ { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
+ { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
+ { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
 { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
 { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
From 7401008523f74a6357eed5594ec0469fe7e2d80c Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 11 Oct 2022 12:58:37 -0400
Subject: [PATCH 34/35] Update soup for 2.3.180
---
 salt/common/tools/sbin/soup | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
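Review bot: The five new per-type Sysmon entries (Registry, DNS, Process, File, Network) filter only on `event.dataset` values, while each description says "captured by Sysmon" and the Sysmon Overview entry on the line above them does scope with `event.module:sysmon`; any other module that emits the same dataset names (a `process_creation` or `dns_query` dataset from a non-Sysmon source, for instance) would be mixed into these dashboards and skew the counts an analyst triages from them. Prefixing each query with the module filter keeps the dashboards faithful to their descriptions, e.g. for Sysmon DNS `"query": "event.module:sysmon AND event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name"`, with the same `event.module:sysmon AND (...)` wrapper around the parenthesised dataset lists in the Registry, Process and File entries and before `event.dataset:network_connection` in the Network entry. Whether other modules in this deployment actually reuse those dataset names is not visible from the hunk, so confirm against the ingest pipelines before treating it as a live collision. The enclosing JSON array starts and ends outside the hunk.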
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 9fdefad79..1f97113a0 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -547,6 +547,7 @@ preupgrade_changes() {
 [[ "$INSTALLEDVERSION" == 2.3.140 ]] && up_to_2.3.150
 [[ "$INSTALLEDVERSION" == 2.3.150 ]] && up_to_2.3.160
 [[ "$INSTALLEDVERSION" == 2.3.160 ]] && up_to_2.3.170
+ [[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180
 true
 }
 
@@ -566,7 +567,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150
 [[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160
 [[ "$POSTVERSION" == 2.3.160 ]] && post_to_2.3.170
-
+ [[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180
 true
 }
 
@@ -662,6 +663,10 @@ post_to_2.3.170() {
 echo "Nothing to do for .170"
 }
 
+post_to_2.3.180() {
+ echo "Nothing to do for .180"
+}
+
 stop_salt_master() {
 # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
 set +e
@@ -951,6 +956,11 @@ up_to_2.3.170() {
 INSTALLEDVERSION=2.3.170
 }
 
+up_to_2.3.180() {
+ echo "Upgrading to 2.3.180"
+ INSTALLEDVERSION=2.3.180
+}
+
 verify_upgradespace() {
 CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
 if [ "$CURRENTSPACE" -lt "10" ]; then
From f4042263a3305f1ab5bb0046ca0d25a810c98236 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 13 Oct 2022 08:59:10 -0400
Subject: [PATCH 35/35] Remove destination_geo.organization_name from Sysmon Network sankey diagram
---
 salt/soc/files/soc/dashboards.queries.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 0384510aa..55d269a8b 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
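Review bot: The new `post_to_2.3.180` in the third hunk only echoes and never advances `POSTVERSION`, whereas its counterpart `up_to_2.3.180` in the fourth hunk ends with `INSTALLEDVERSION=2.3.180` so that the `[[ ... ]] && up_to_*` chain in `preupgrade_changes` can step through every intermediate release; the visible tail of `post_to_2.3.170` is echo-only as well. If `postupgrade_changes` is meant to chain the same way, a host coming from 2.3.160 would run `post_to_2.3.170` and then skip the new `[[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180` line because `$POSTVERSION` still reads 2.3.160, silently dropping any post-upgrade fix-ups that a later release puts in that stage. How `POSTVERSION` is maintained is outside these hunks, so please confirm before changing anything; if chaining is intended, mirroring the `up_to_*` pattern with `POSTVERSION=2.3.180` as the last line of `post_to_2.3.180` would close the gap. `preupgrade_changes` and `postupgrade_changes` both begin outside their hunks.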
@@ -10,7 +10,7 @@
 { "name": "Sysmon DNS", "description": "DNS queries captured by Sysmon", "query": "event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name"},
 { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
 { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
- { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
+ { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
 { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
 { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},