From 09ce3e088a487342ffd61df3bdb2b005f2c6c0b3 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 11 May 2020 22:39:13 -0400 Subject: [PATCH 1/7] playbook mysql fixes --- salt/playbook/files/playbook_db_init.sh | 5 ++ salt/playbook/init.sls | 75 ++++++++++--------------- 2 files changed, 36 insertions(+), 44 deletions(-) create mode 100644 salt/playbook/files/playbook_db_init.sh diff --git a/salt/playbook/files/playbook_db_init.sh b/salt/playbook/files/playbook_db_init.sh new file mode 100644 index 000000000..c77b93df1 --- /dev/null +++ b/salt/playbook/files/playbook_db_init.sh @@ -0,0 +1,5 @@ +{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} +#!/bin/sh + +docker cp /opt/so/saltstack/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql +docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b -uroot -p{{MYSQLPASS}} < /tmp/playbook_db_init.sql" \ No newline at end of file diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 772577822..ab2a0b614 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
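Review bot: The MySQL root password is interpolated straight into the command line on the final line (`-p{{MYSQLPASS}}`), so it is visible in `ps` output on the host (the `docker exec` argv) and inside the container for as long as the import runs, and it is also written to disk on the minion when `cmd.script` renders the file. The removed `docker.run` line in init.sls had the same exposure, so this is carried over rather than new, but the rewrite is the moment to fix it: `docker exec -e MYSQL_PWD="{{MYSQLPASS}}" so-mysql /bin/bash -c "/usr/bin/mysql -uroot < /tmp/playbook_db_init.sql"` keeps it out of the container's process list, and a `--defaults-extra-file` created with mode 0600 inside the container would keep it out of the host argv as well. Add `set -e` after the shebang so a failed `docker cp` does not fall through to the import. Note also that `salt['pillar.get']('secrets:mysql', None)` renders as the literal string `None` when the pillar key is absent, which this script would then send as the password instead of failing early.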
@@ -6,51 +6,16 @@ {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook', None) -%} {% if salt['mysql.db_exists']('playbook') %} - #Playbook database exists - Do nothing + #Playbook database exists - Do nothing {% else %} +salt://playbook/files/playbook_db_init.sh: + cmd.script: + - cwd: /root + - template: jinja -{% set PLAYBOOK_DB_COPY = salt['docker.copy_to']('so-mysql','salt://playbook/files/playbook_db_init.sql','/tmp/playbook_db_init.sql',overwrite=True) %} -{% set PLAYBOOK_DB_CREATE = salt['docker.run']('so-mysql','/bin/bash -c "/usr/bin/mysql -uroot -p' + MYSQLPASS + ' < /tmp/playbook_db_init.sql"') %} - -{% if PLAYBOOK_DB_COPY and PLAYBOOK_DB_CREATE %} -PLAYBOOK_DB_INIT_SUCCESS: - test.configurable_test_state: - - changes: False - - result: True - - comment: "Playbook database initialization was successful" -{% else %} -PLAYBOOK_DB_INIT_FAILURE: - test.configurable_test_state: - - changes: False - - result: False - - comment: "Playbook database initialization was not successful" +'sleep 5': + cmd.run {% endif %} -{% endif %} - -query_updatwebhooks: - mysql_query.run: - - database: playbook - - query: "update webhooks set url = 'http://{{MASTERIP}}:7000/playbook/webhook' where project_id = 1" - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} - - -query_updatepluginurls: - mysql_query.run: - - database: playbook - - query: |- - update settings set value = - "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess - project: '1' - convert_url: http://{{MASTERIP}}:7000/playbook/sigmac - create_url: http://{{MASTERIP}}:7000/playbook/play" - where id = 43 - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} playbookdbuser: mysql_user.present: 
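Review bot: `'sleep 5': cmd.run` after the new `cmd.script` state has no `require`, so its position relative to the script rests on Salt's default file-order execution, and a fixed five-second delay is not a readiness check for anything the later `playbookdbuser` / `mysql_query` states need. At minimum give it `- require:` / `- cmd: salt://playbook/files/playbook_db_init.sh`; better, drop the sleep and put that require on the states that depend on the database. Separately, `salt['mysql.db_exists']('playbook')` is evaluated at render time and, as far as I can tell, returns False when the minion cannot reach MySQL, so the init script may run again on a later highstate; a comment above the `{% if %}` such as `# db_exists is False when MySQL is unreachable, so playbook_db_init.sql must be safe to re-run` would make that expectation explicit.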
@@ -72,6 +37,30 @@ playbookdbdbpriv: - connection_user: root - connection_pass: {{ MYSQLPASS }} +query_updatwebhooks: + mysql_query.run: + - database: playbook + - query: "update webhooks set url = 'http://{{MASTERIP}}:7000/playbook/webhook' where project_id = 1" + - connection_host: {{ MAINIP }} + - connection_port: 3306 + - connection_user: root + - connection_pass: {{ MYSQLPASS }} + +query_updatepluginurls: + mysql_query.run: + - database: playbook + - query: |- + update settings set value = + "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess + project: '1' + convert_url: http://{{MASTERIP}}:7000/playbook/sigmac + create_url: http://{{MASTERIP}}:7000/playbook/play" + where id = 43 + - connection_host: {{ MAINIP }} + - connection_port: 3306 + - connection_user: root + - connection_pass: {{ MYSQLPASS }} + {% if PLAYBOOKPASS == None %} playbook_password_none: @@ -92,8 +81,6 @@ so-playbook: - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} - - binds: - - /opt/so/conf/playbook/redmine.db:/usr/src/redmine/sqlite/redmine.db:rw - port_bindings: - 0.0.0.0:3200:3000 From 4bd8e136be61a8394422991d61ca403d7aa09373 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 11 May 2020 22:41:02 -0400 Subject: [PATCH 2/7] Enabled playbook --- salt/top.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index 93e48290e..a50b10dbe 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -97,6 +97,9 @@ base: {%- if THEHIVE != 0 %} - hive {%- endif %} + {%- if PLAYBOOK != 0 %} + - playbook + {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} From d1eac195d89d193b77582074b053d28f89643a61 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 11 May 2020 22:41:54 -0400 Subject: [PATCH 3/7] Enable Navigator --- salt/top.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index a50b10dbe..42203b13e 100644 --- a/salt/top.sls +++ b/salt/top.sls 
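Review bot: The Jinja substitutions in the moved states, `- connection_pass: {{ MYSQLPASS }}` and the `{{ MAINIP }}` host lines, are unquoted YAML scalars, so a password containing `:`, `#`, `{` or a leading special character breaks rendering of the whole state file; `- connection_pass: '{{ MYSQLPASS }}'` is the safe form, here and in the `playbookdbdbpriv` context at the top of the hunk. The two `mysql_query.run` states also carry no `require` on `playbookdbdbpriv` or the database init, so ordering again depends on file order. The state id `query_updatwebhooks` looks like a typo for `query_updatewebhooks`, and `where id = 43` deserves a one-line comment naming which Redmine settings row that is, since nothing in the file says so.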
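Review bot: The new guard `{%- if PLAYBOOK != 0 %}` depends on `PLAYBOOK` being defined earlier in top.sls, outside the hunk, and the same applies to `NAVIGATOR` in patch 3/7. With Jinja's default `Undefined`, an unset name compared with `!= 0` evaluates True rather than raising, so a missing variable would silently add `playbook` to every host this block targets. Confirm both are set next to `THEHIVE` and `FREQSERVER`, or make the test defensive: `{%- if PLAYBOOK is defined and PLAYBOOK != 0 %}`. The enclosing `base:` block starts outside the hunk.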
@@ -100,6 +100,9 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} + {%- if NAVIGATOR != 0 %} + - navigator + {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} From 0b7568e08f5b5bb68cb0777be6570835d89e45c8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 12 May 2020 13:57:40 -0400 Subject: [PATCH 4/7] Update soc.json with default search info --- salt/elasticsearch/files/ingest/common | 4 +- salt/soc/files/soc/soc.json | 122 ++++++++++++------------- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common index e63a575f9..29f3ef9e6 100644 --- a/salt/elasticsearch/files/ingest/common +++ b/salt/elasticsearch/files/ingest/common @@ -4,7 +4,7 @@ { "geoip": { "field": "destination.ip", - "target_field": "geo", + "target_field": "destination.geo", "database_file": "GeoLite2-City.mmdb", "ignore_missing": true, "properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"] @@ -13,7 +13,7 @@ { "geoip": { "field": "source.ip", - "target_field": "geo", + "target_field": "source.geo", "database_file": "GeoLite2-City.mmdb", "ignore_missing": true, "properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"] diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index ef2535eb3..88274995c 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -82,68 +82,68 @@ "wineventlog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "log_name", "source_name", "task" ] }, "queries": [ - { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby syslog-host_from"}, - { "name": "", "description": "", "query": "_type:elastalert | groupby rule_name"}, - { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby classification,description"}, - { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby command"}, - { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby process"}, - { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby username"}, - { "name": "", "description": "", "query": "event_type:snort | groupby category,classification,alert"}, - { "name": "", "description": "", "query": "event_type:sysmon | groupby event_id"}, - { "name": "", "description": "", "query": "event_type:sysmon | groupby username"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby note,msg"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby source.ip,destination.ip,protocol,destination.port"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby service,destination.port"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby destination_geo.country_name"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby source_geo.country_name"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dce_rpc | groupby operation"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dhcp | groupby hostname,domain_name,destination.ip"}, - { "name": "", "description": "", "query": 
"event.type:zeek AND event.dataset:dhcp | groupby message_types"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dnp3 | groupby fc_reply"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby query,destination.port"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby query_type_name,destination.port"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby highest_registered_domain"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby parent_domain"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:files | groupby mimetype,source"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby ftp_argument"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby ftp_command"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby username"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby destination.port"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby method"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby status_code"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby status_message"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby useragent"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby virtual_host"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http AND resp_mime_types:dosexec | groupby virtual_host"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:intel | groupby indicator"}, - { 
"name": "", "description": "", "query": "event.type:zeek AND event.dataset:irc | groupby irc_command"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:kerberos | groupby service"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:modbus | groupby function"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:mysql | groupby mysql_command"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby note"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby msg"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ntlm | groupby server_dns_computer_name"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:pe | groupby machine,os,subsystem"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:radius | groupby username"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:rdp | groupby client_name"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:rfb | groupby desktop_name"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:signatures | groupby signature_id"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:sip | groupby user_agent"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smb_files | groupby action"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smb_mapping | groupby path"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smtp | groupby subject"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:snmp | groupby community,version"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:software | groupby software_type,name"}, - { "name": "", 
"description": "", "query": "event.type:zeek AND event.dataset:ssh | groupby version"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ssl | groupby version,server_name"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:syslog | groupby severity,facility"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:tunnels | groupby action"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:weird | groupby name"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:x509 | groupby certificate_country_code"}, - { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:x509 | groupby certificate_key_length"}, - { "name": "", "description": "", "query": "event_type:firewall | groupby action"} + { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name.keyword"}, + { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name.keyword"}, + { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.dataset.keyword: alert | groupby event.module.keyword"}, + { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert name", "query": "event.category: network AND event.dataset: alert | groupby rule.name.keyword"}, + { "name": "OSSEC Alerts", "description": "", "query": "event_type:ossec AND alert | groupby rule.category.keyword"}, + { "name": "OSSEC Commands", "description": "", "query": "event_type:ossec AND alert | groupby process.command_line.keyword"}, + { "name": "OSSEC Processes", "description": "", "query": "event_type:ossec AND alert | groupby process.name.keyword"}, + { "name": "OSSEC Users", "description": "", "query": "event_type:ossec AND alert | groupby user.name.keyword"}, + { "name": "SYSMON", "description": "", "query": "event_type:sysmon | groupby 
event_id"}, + { "name": "SYSMON", "description": "", "query": "event_type:sysmon | groupby username"}, + { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.module.keyword:zeek AND event.dataset:notice | groupby notice.note.keyword,notice.message.keyword"}, + { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby source.ip.keyword,destination.ip.keyword,network.protocol.keyword,destination.port"}, + { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby network.protocol.keyword,destination.port"}, + { "name": "Connections", "description": "Connections grouped by destination Geo", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby destination_geo.country_name"}, + { "name": "Connections", "description": "Connections grouped by source Geo", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby source.geo.country_name.keyword"}, + { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module.keyword:zeek AND event.dataset:dce_rpc | groupby operation.keyword"}, + { "name": "DHCP", "description": "DHCP leases", "query": "event.module.keyword:zeek AND event.dataset:dhcp | groupby host.hostname.keyword,host.domain.keyword,destination.ip.keyword"}, + { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module.keyword:zeek AND event.dataset:dhcp | groupby message_types.keyword"}, + { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.module.keyword:zeek AND event.dataset:dnp3 | groupby dnp3.fc_reply.keyword"}, + { "name": "DNS", "description": "DNS queries grouped by port ", "query": "event.module.keyword:zeek AND event.dataset:dns | groupby dns.query.name.keyword,destination.port"}, + { "name": "DNS", "description": "DNS queries grouped by type", "query": 
"event.module.keyword:zeek AND event.dataset:dns | groupby dns.query.type_name.keyword,destination.port"}, + { "name": "DNS", "description": "DNS highest registered domain", "query": "event.module.keyword:zeek AND event.dataset:dns | groupby highest_registered_domain"}, + { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.module.keyword:zeek AND event.dataset:dns | groupby parent_domain"}, + { "name": "Files", "description": "Files grouped by mimetype", "query": "event.module.keyword:zeek AND event.dataset:files | groupby file.mime_type.keyword source.ip.keyword"}, + { "name": "FTP", "description": "FTP grouped by argument", "query": "event.module.keyword:zeek AND event.dataset:ftp | groupby ftp_argument"}, + { "name": "FTP", "description": "FTP grouped by command", "query": "event.module.keyword:zeek AND event.dataset:ftp | groupby ftp.command.keyword"}, + { "name": "FTP", "description": "FTP grouped by username", "query": "event.module.keyword:zeek AND event.dataset:ftp | groupby ftp.user.keyword"}, + { "name": "HTTP", "description": "HTTP grouped by destination port", "query": "event.module.keyword:zeek AND event.dataset:http | groupby destination.port"}, + { "name": "HTTP", "description": "HTTP grouped by method", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.method.keyword"}, + { "name": "HTTP", "description": "HTTP grouped by status code", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.status_code"}, + { "name": "HTTP", "description": "HTTP grouped by status message", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.status_message.keyword"}, + { "name": "HTTP", "description": "HTTP grouped by user agent", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.useragent.keyword"}, + { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.module.keyword:zeek AND event.dataset:http | groupby 
http.virtual_host.keyword"}, + { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.module.keyword:zeek AND event.dataset:http AND resp_mime_types:dosexec | groupby http.virtual_host.keyword"}, + { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.module.keyword:zeek AND event.dataset:intel | groupby intel.indicator.keyword"}, + { "name": "IRC", "description": "IRC grouped by command", "query": "event.module.keyword:zeek AND event.dataset:irc | groupby irc.command.type.keyword"}, + { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.module.keyword:zeek AND event.dataset:kerberos | groupby kerberos.service.keyword"}, + { "name": "MODBUS", "description": "MODBUS grouped by function", "query": "event.module.keyword:zeek AND event.dataset:modbus | groupby modbus.function.keyword"}, + { "name": "MYSQL", "description": "MYSQL grouped by command", "query": "event.module.keyword:zeek AND event.dataset:mysql | groupby mysql.command.keyword"}, + { "name": "NOTICE", "description": "Zeek notice logs grouped by note", "query": "event.module.keyword:zeek AND event.dataset:notice | groupby notice.note.keyword"}, + { "name": "NOTICE", "description": "Zeek notice logs grouped by message", "query": "event.module.keyword:zeek AND event.dataset:notice | groupby notice.message.keyword"}, + { "name": "NTLM", "description": "NTLM grouped by computer name", "query": "event.module.keyword:zeek AND event.dataset:ntlm | groupby ntlm.server.dns.name.keyword"}, + { "name": "PE", "description": "PE files list", "query": "event.module.keyword:zeek AND event.dataset:pe | groupby file.machine.keyword,file.os.keyword,file.subsystem.keyword"}, + { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.module.keyword:zeek AND event.dataset:radius | groupby user.name.keyword"}, + { "name": "RDP", "description": "RDP grouped by client name", "query": "event.module.keyword:zeek AND 
event.dataset:rdp | groupby client.name.keyword"}, + { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.module.keyword:zeek AND event.dataset:rfb | groupby rfp.desktop.name.keyword"}, + { "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.module.keyword:zeek AND event.dataset:signatures | groupby signature_id"}, + { "name": "SIP", "description": "SIP grouped by user agent", "query": "event.module.keyword:zeek AND event.dataset:sip | groupby client.user_agent.keyword"}, + { "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.module.keyword:zeek AND event.dataset:smb_files | groupby file.action.keyword"}, + { "name": "SMB_Mapping", "description": "SMB mapping grouped by path", "query": "event.module.keyword:zeek AND event.dataset:smb_mapping | groupby file.path.keyword"}, + { "name": "SMTP", "description": "SMTP grouped by subject", "query": "event.module.keyword:zeek AND event.dataset:smtp | groupby smtp.subject.keyword"}, + { "name": "SNMP", "description": "SNMP grouped by version and string", "query": "event.module.keyword:zeek AND event.dataset:snmp | groupby snmp.community.keyword,snmp.version.keyword"}, + { "name": "Software", "description": "List of software seen on the network", "query": "event.module.keyword:zeek AND event.dataset:software | groupby software.type.keyword,software.name.keyword"}, + { "name": "SSH", "description": "SSH grouped by version", "query": "event.module.keyword:zeek AND event.dataset:ssh | groupby ssh.version.keyword"}, + { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.module.keyword:zeek AND event.dataset:ssl | groupby ssl.version.keyword,ssl.server_name.keyword"}, + { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.module.keyword:zeek AND event.dataset:syslog | groupby syslog.severity.keyword,syslog.facility.keyword"}, + { "name": "Tunnels", 
"description": "Tunnels grouped by action", "query": "event.module.keyword:zeek AND event.dataset:tunnels | groupby event.action.keyword"}, + { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.module.keyword:zeek AND event.dataset:weird | groupby weird.name.keyword"}, + { "name": "x509", "description": "x.509 grouped by key length", "query": "event.module.keyword:zeek AND event.dataset:x509 | groupby x509.certificate.key.length"}, + { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"} ] } } } -} +} \ No newline at end of file From 62bec931904477be7814fc6d07d67ae60c17a508 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 12 May 2020 14:04:02 -0400 Subject: [PATCH 5/7] suricata parsing --- salt/elasticsearch/files/ingest/suricata.alert | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index d58715f8a..365c4c2cb 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -6,6 +6,8 @@ { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } }, { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } }, { "rename":{ "field": "rule.ref", "target_field": "rule.version", "ignore_failure": true } }, + { "rename":{ "field": "rule.signature_id", "target_field": "rule.uuid", "ignore_failure": true } }, + { "rename":{ "field": "rule.signature_id", "target_field": "rule.signature", "ignore_failure": true } }, { "pipeline": { "name": "suricata.common" } } ] } From f8da001b7c9f3cb758aaa002dc86e2aa1f1d9a88 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 12 May 2020 14:19:35 -0400 Subject: [PATCH 6/7] [fix] numeric argument required, unquote var --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
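Review bot: The "Connections grouped by destination Geo" query still groups by `destination_geo.country_name`, while this same commit's ingest/common change moves the geoip output to `destination.geo` and the sibling source query already uses `source.geo.country_name.keyword`; that entry should read `"query": "event.module.keyword:zeek AND event.dataset:conn | groupby destination.geo.country_name.keyword"`. The Files query lists two groupby fields without a comma (`groupby file.mime_type.keyword source.ip.keyword`), which presumably yields one bogus field name instead of two. `rfp.desktop.name.keyword` in the RFB query looks like a typo for `rfb.`, and the two SYSMON entries and the Firewall entry keep the pre-ECS `event_id`, `username` and `action` names — I cannot tell from here whether those pipelines were migrated, so they are worth checking against the ingest definitions. The closing `}` also lost its trailing newline.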
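Review bot: The two new `rename` processors both read `rule.signature_id`, but `rename` removes its source field, so after the first moves it to `rule.uuid` the second finds nothing and, with `ignore_failure: true`, silently does nothing — `rule.signature` is never populated. Copy before renaming: `{ "set": { "field": "rule.signature", "value": "{{rule.signature_id}}", "ignore_failure": true } },` placed ahead of the existing `rule.uuid` rename. Separately, ECS defines `rule.id` for a signature/SID and reserves `rule.uuid` for a globally unique identifier, so `rule.id` is probably the better target for a Suricata SID; the `rule.name` rename two lines above already follows ECS.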
diff --git a/setup/so-functions b/setup/so-functions index b4aeb7f53..8fb6cae7e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -198,7 +198,7 @@ check_hive_init_then_reboot() { local return_val return_val="$(wait_for_file /opt/so/state/thehive.txt 20 5)" - if [ "$return_val" != 0 ]; then + if [[ $return_val != 0 ]]; then return "$return_val" fi From 6b837f80ff06e079111b67f3831047e50c36df78 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 12 May 2020 14:26:02 -0400 Subject: [PATCH 7/7] [fix] numeric argument required, return 0 in wait_for_file --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8fb6cae7e..7d6aca05f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -94,7 +94,7 @@ wait_for_file() { while [[ $cur_attempts < $max_attempts ]]; do if [ -f "$filename" ]; then echo "File $filename already exists at $date" >> "$setup_log" 2>&1 - return + return 0 else echo "File $filename does not exist; waiting ${wait_interval}s then checking again ($cur_attempts/$max_attempts)..." >> "$setup_log" 2>&1 ((cur_attempts++)) @@ -198,7 +198,7 @@ check_hive_init_then_reboot() { local return_val return_val="$(wait_for_file /opt/so/state/thehive.txt 20 5)" - if [[ $return_val != 0 ]]; then + if [[ "$return_val" != 0 ]]; then return "$return_val" fi
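Review bot: The quoting change on the `if` line (and its re-quoting in patch 7/7) does not address why `return_val` is non-numeric: `return_val="$(wait_for_file /opt/so/state/thehive.txt 20 5)"` captures the function's stdout, not its exit status, and wait_for_file writes its messages to `$setup_log`, so unless it also echoes a code to stdout (outside the hunk) `return_val` is empty and `return "$return_val"` is exactly what raises "numeric argument required". Use the status instead: `wait_for_file /opt/so/state/thehive.txt 20 5` / `return_val=$?` / `if [[ "$return_val" != 0 ]]; then`. The rest of check_hive_init_then_reboot lies outside the hunk.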
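Review bot: `while [[ $cur_attempts < $max_attempts ]]` on the context line above the `return 0` is a string comparison inside `[[ ]]`, so with `max_attempts=20` and a counter starting at 0 or 1 the loop exits as soon as `cur_attempts` reaches 3 (`"3" < "20"` is false lexicographically) rather than after 20 attempts; use `while (( cur_attempts < max_attempts )); do` or `-lt`. The `return 0` is right for the found case, but the timeout path after the loop is outside the hunk and needs to return non-zero for the caller's `!= 0` check to mean anything. The initialisation of `cur_attempts` is also outside the hunk, so the exact cutoff depends on its starting value.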