Merge branch 'dev' into feature/script-fixes

# Conflicts: # salt/auth/init.sls # salt/common/tools/sbin/so-bro-restart # salt/common/tools/sbin/so-bro-start # salt/common/tools/sbin/so-bro-stop # salt/wazuh/files/wazuh-manager-whitelist
2026-04-24 21:47:48 +02:00 · 2020-02-05 10:58:51 -05:00
parent 50d4693a09 dc89f95d4b
commit 3e97930506
117 changed files with 3671 additions and 175 deletions
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/bin/docker exec so-bro /opt/bro/bin/broctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/bro/logs/packetloss.log
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
+
+# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+clean () {
+
+SENSOR_DIR='/nsm'
+CRIT_DISK_USAGE=90
+CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+LOG="/nsm/bro/logs/zeek_clean.log"
+
+if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
+    while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
+        do
+                TODAY=$(date -u "+%Y-%m-%d")
+
+                # find the oldest Zeek logs directory and exclude today
+                OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1)
+                if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
+                then
+                        echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
+                        exit 0
+                else
+                        echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG
+                        rm -rf /nsm/bro/logs/"$OLDEST_DIR"
+                fi
+
+                # find oldest files in extracted directory and exclude today
+                OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
+                if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
+                then
+                        echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG
+                else
+                        OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
+                        OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
+                        echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
+                        find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
+                        do
+                                echo "$(date) - Removing extracted file: $FILE" >> $LOG
+                                rm -f "$FILE"
+                        done
+                fi
+    done
+else
+  echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
+fi
+}
+
+clean
@@ -0,0 +1,139 @@
+##! Local site policy. Customize as appropriate.
+##!
+##! This file will not be overwritten when upgrading or reinstalling!
+
+# This script logs which scripts were loaded during each run.
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Estimate and log capture loss.
+@load misc/capture-loss
+
+# Enable logging of memory, packet and lag statistics.
+@load misc/stats
+
+# Load the scan detection script.
+@load misc/scan
+
+# Detect traceroute being run on the network. This could possibly cause
+# performance trouble when there are a lot of traceroutes on your network.
+# Enable cautiously.
+#@load misc/detect-traceroute
+
+# Generate notices when vulnerable versions of software are discovered.
+# The default is to only monitor software found in the address space defined
+# as "local".  Refer to the software framework's documentation for more
+# information.
+@load frameworks/software/vulnerable
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+@load-sigs frameworks/signatures/detect-windows-shells
+
+# Load all of the scripts that detect software in various protocols.
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+# The detect-webapps script could possibly cause performance trouble when
+# running on live traffic.  Enable it cautiously.
+#@load protocols/http/detect-webapps
+
+# This script detects DNS results pointing toward your Site::local_nets
+# where the name is not part of your local DNS zone and is being hosted
+# externally.  Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# This script enables SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs
+
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
+# Uncomment the following line to check each SSL certificate hash against the ICSI
+# certificate notary service; see http://notary.icsi.berkeley.edu .
+# @load protocols/ssl/notary
+
+# If you have libGeoIP support built in, do some geographic detections and
+# logging for SSH traffic.
+@load protocols/ssh/geo-data
+# Detect hosts doing SSH bruteforce attacks.
+@load protocols/ssh/detect-bruteforcing
+# Detect logins using "interesting" hostnames.
+@load protocols/ssh/interesting-hostnames
+
+# Detect SQL injection attacks.
+@load protocols/http/detect-sqli
+
+#### Network File Handling ####
+
+# Enable MD5 and SHA1 hashing for all files.
+@load frameworks/files/hash-all-files
+
+# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
+@load frameworks/files/detect-MHR
+
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
+
+# Uncomment the following line to enable logging of connection VLANs. Enabling
+# this adds two VLAN fields to the conn.log file. This may not work properly
+# since we use AF_PACKET and it strips VLAN tags.
+# @load policy/protocols/conn/vlan-logging
+
+# Uncomment the following line to enable logging of link-layer addresses. Enabling
+# this adds the link-layer address for each connection endpoint to the conn.log file.
+# @load policy/protocols/conn/mac-logging
+
+# Uncomment the following line to enable the SMB analyzer.  The analyzer
+# is currently considered a preview and therefore not loaded by default.
+@load base/protocols/smb
+
+# BPF Configuration
+@load securityonion/bpfconf
+
+# Add the interface to the log event
+#@load securityonion/add-interface-to-logs.bro
+
+# Add Sensor Name to the conn.log
+#@load securityonion/conn-add-sensorname.bro
+
+# File Extraction
+#@load securityonion/file-extraction
+
+# Intel from Mandiant APT1 Report
+#@load securityonion/apt1
+
+# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
+#@load securityonion/shellshock
+
+# JA3 - SSL Detection Goodness
+@load policy/ja3
+
+# HASSH
+@load policy/hassh
+
+# You can load your own intel into:
+# /opt/so/saltstack/bro/policy/intel/ on the master
+@load intel
+
+# Load a custom Bro policy
+# /opt/so/saltstack/bro/policy/custom/ on the master
+#@load custom/somebropolicy.bro
+
+# Write logs in JSON
+redef LogAscii::use_json = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
@@ -0,0 +1,133 @@
+##! Local site policy. Customize as appropriate.
+##!
+##! This file will not be overwritten when upgrading or reinstalling!
+
+# This script logs which scripts were loaded during each run.
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Estimate and log capture loss.
+@load misc/capture-loss
+
+# Enable logging of memory, packet and lag statistics.
+@load misc/stats
+
+# Load the scan detection script.
+@load misc/scan
+
+# Detect traceroute being run on the network. This could possibly cause
+# performance trouble when there are a lot of traceroutes on your network.
+# Enable cautiously.
+#@load misc/detect-traceroute
+
+# Generate notices when vulnerable versions of software are discovered.
+# The default is to only monitor software found in the address space defined
+# as "local".  Refer to the software framework's documentation for more
+# information.
+@load frameworks/software/vulnerable
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+@load-sigs frameworks/signatures/detect-windows-shells
+
+# Load all of the scripts that detect software in various protocols.
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+# The detect-webapps script could possibly cause performance trouble when
+# running on live traffic.  Enable it cautiously.
+#@load protocols/http/detect-webapps
+
+# This script detects DNS results pointing toward your Site::local_nets
+# where the name is not part of your local DNS zone and is being hosted
+# externally.  Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# This script enables SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs
+
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
+# Uncomment the following line to check each SSL certificate hash against the ICSI
+# certificate notary service; see http://notary.icsi.berkeley.edu .
+# @load protocols/ssl/notary
+
+# If you have libGeoIP support built in, do some geographic detections and
+# logging for SSH traffic.
+@load protocols/ssh/geo-data
+# Detect hosts doing SSH bruteforce attacks.
+@load protocols/ssh/detect-bruteforcing
+# Detect logins using "interesting" hostnames.
+@load protocols/ssh/interesting-hostnames
+
+# Detect SQL injection attacks.
+@load protocols/http/detect-sqli
+
+#### Network File Handling ####
+
+# Enable MD5 and SHA1 hashing for all files.
+@load frameworks/files/hash-all-files
+
+# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
+@load frameworks/files/detect-MHR
+
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
+
+# Uncomment the following line to enable logging of connection VLANs. Enabling
+# this adds two VLAN fields to the conn.log file. This may not work properly
+# since we use AF_PACKET and it strips VLAN tags.
+# @load policy/protocols/conn/vlan-logging
+
+# Uncomment the following line to enable logging of link-layer addresses. Enabling
+# this adds the link-layer address for each connection endpoint to the conn.log file.
+# @load policy/protocols/conn/mac-logging
+
+# Uncomment the following line to enable the SMB analyzer.  The analyzer
+# is currently considered a preview and therefore not loaded by default.
+# @load policy/protocols/smb
+
+# Add the interface to the log event
+#@load securityonion/add-interface-to-logs.bro
+
+# Add Sensor Name to the conn.log
+#@load securityonion/conn-add-sensorname.bro
+
+# File Extraction
+#@load securityonion/file-extraction
+
+# Intel from Mandiant APT1 Report
+#@load securityonion/apt1
+
+# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
+#@load securityonion/shellshock
+
+# JA3 - SSL Detection Goodness
+@load policy/ja3
+
+# You can load your own intel into:
+# /opt/so/saltstack/bro/policy/intel/ on the master
+@load intel
+
+# Load a custom Bro policy
+# /opt/so/saltstack/bro/policy/custom/ on the master
+#@load custom/somebropolicy.bro
+
+# Use JSON
+redef LogAscii::use_json = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
@@ -0,0 +1,47 @@
+{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+
+{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %}
+{%- if salt['pillar.get']('sensor:bro_proxies') %}
+  {%- set proxies =  salt['pillar.get']('sensor:bro_proxies', '1') %}
+{%- else %}
+  {%- if salt['pillar.get']('sensor:bro_pins') %}
+    {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %}
+  {%- else %}
+    {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %}
+  {%- endif %}
+{%- endif %}
+[manager]
+type=manager
+host=localhost
+
+[logger]
+type=logger
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[worker-1]
+type=worker
+host=localhost
+interface=af_packet::{{ interface }}
+lb_method=custom
+
+{%- if salt['pillar.get']('sensor:bro_lbprocs') %}
+lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }}
+{%- else %}
+lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }}
+{%- endif %}
+{%- if salt['pillar.get']('sensor:bro_pins') %}
+pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }}
+{%- endif %}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size=128*1024*1024
+{%- else %}
+[brosa]
+type=standalone
+host=localhost
+interface={{ interface }}
+{%- endif %}
@@ -0,0 +1,206 @@
+{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
+{% set BPF_STATUS = 0  %}
+
+# Bro Salt State
+# Add Bro group
+brogroup:
+  group.present:
+    - name: bro
+    - gid: 937
+
+# Add Bro User
+bro:
+  user.present:
+    - uid: 937
+    - gid: 937
+    - home: /home/bro
+
+# Create some directories
+bropolicydir:
+  file.directory:
+    - name: /opt/so/conf/bro/policy
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+# Bro Log Directory
+brologdir:
+  file.directory:
+    - name: /nsm/bro/logs
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+# Bro Spool Directory
+brospooldir:
+  file.directory:
+    - name: /nsm/bro/spool/manager
+    - user: 937
+    - makedirs: true
+
+# Bro extracted directory
+broextractdir:
+  file.directory:
+    - name: /nsm/bro/extracted
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+brosfafincompletedir:
+  file.directory:
+    - name: /nsm/faf/files/incomplete
+    - user: 937
+    - makedirs: true
+
+brosfafcompletedir:
+  file.directory:
+    - name: /nsm/faf/files/complete
+    - user: 937
+    - makedirs: true
+
+# Sync the policies
+bropolicysync:
+  file.recurse:
+    - name: /opt/so/conf/bro/policy
+    - source: salt://bro/policy
+    - user: 937
+    - group: 939
+    - template: jinja
+
+# Sync node.cfg
+nodecfgsync:
+  file.managed:
+    - name: /opt/so/conf/bro/node.cfg
+    - source: salt://bro/files/node.cfg
+    - user: 937
+    - group: 939
+    - template: jinja
+
+plcronscript:
+  file.managed:
+    - name: /usr/local/bin/packetloss.sh
+    - source: salt://bro/cron/packetloss.sh
+    - mode: 755
+
+zeekcleanscript:
+  file.managed:
+    - name: /usr/local/bin/zeek_clean
+    - source: salt://bro/cron/zeek_clean
+    - mode: 755
+
+/usr/local/bin/zeek_clean:
+  cron.present:
+    - user: root
+    - minute: '*'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+/usr/local/bin/packetloss.sh:
+  cron.present:
+    - user: root
+    - minute: '*/10'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+# BPF compilation and configuration
+{% if BPF_ZEEK %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+       {% set BPF_STATUS = 1  %}
+  {% else  %}
+zeekbpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+   - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+zeekbpf:
+  file.managed:
+    - name: /opt/so/conf/bro/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_STATUS %}
+    - contents_pillar: zeek:bpf
+   {% else %}
+    - contents:
+      - "ip or not ip"
+   {% endif %}
+
+# Sync local.bro
+{% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %}
+localbrosync:
+  file.managed:
+    - name: /opt/so/conf/bro/local.bro
+    - source: salt://bro/files/local.bro.community
+    - user: 937
+    - group: 939
+    - template: jinja
+
+so-communitybroimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-communitybro:HH1.0.3
+
+so-bro:
+  docker_container.running:
+    - require:
+      - so-communitybroimage
+    - image: docker.io/soshybridhunter/so-communitybro:HH1.0.3
+    - privileged: True
+    - binds:
+      - /nsm/bro/logs:/nsm/bro/logs:rw
+      - /nsm/bro/spool:/nsm/bro/spool:rw
+      - /nsm/bro/extracted:/nsm/bro/extracted:rw
+      - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
+      - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
+      - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
+      - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
+      - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
+    - network_mode: host
+    - watch:
+      - file: /opt/so/conf/bro/local.bro
+      - file: /opt/so/conf/bro/node.cfg
+      - file: /opt/so/conf/bro/policy
+
+{% else %}
+localbrosync:
+  file.managed:
+    - name: /opt/so/conf/bro/local.bro
+    - source: salt://bro/files/local.bro
+    - user: 937
+    - group: 939
+    - template: jinja
+
+so-broimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-bro:HH1.1.1
+
+so-bro:
+  docker_container.running:
+    - require:
+      - so-broimage
+    - image: docker.io/soshybridhunter/so-bro:HH1.1.1
+    - privileged: True
+    - binds:
+      - /nsm/bro/logs:/nsm/bro/logs:rw
+      - /nsm/bro/spool:/nsm/bro/spool:rw
+      - /nsm/bro/extracted:/nsm/bro/extracted:rw
+      - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
+      - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
+      - /opt/so/conf/bro/bpf:/opt/bro/share/bro/site/bpf:ro
+      - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
+      - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
+      - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
+    - network_mode: host
+    - watch:
+      - file: /opt/so/conf/bro/local.bro
+      - file: /opt/so/conf/bro/node.cfg
+      - file: /opt/so/conf/bro/policy
+      - file: /opt/so/conf/bro/bpf
+{% endif %}
@@ -0,0 +1 @@
+#Intel
@@ -0,0 +1,20 @@
+{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
+global interface = "{{ interface }}";
+
+event bro_init()
+	{
+	if ( ! reading_live_traffic() )
+		return;
+
+	Log::remove_default_filter(HTTP::LOG);
+	Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
+	                            $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
+	                            	{
+	                            	local peer = get_event_peer()$descr;
+	                            	if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
+	                            		return cat("http_", Cluster::nodes[peer]$interface);
+	                            	else
+	                            		return "http";
+	                            	}
+	                            ]);
+	}
@@ -0,0 +1,9 @@
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+
+redef Intel::read_files += {
+  fmt("%s/apt1-fqdn.dat", @DIR),
+  fmt("%s/apt1-md5.dat", @DIR),
+  fmt("%s/apt1-certs.dat", @DIR)
+};
@@ -0,0 +1,26 @@
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
+b054e26ef827fbbf5829f84a9bdbb697a5b042fc	Intel::CERT_HASH	Mandiant APT1 Report	ALPHA	T
+7bc0cc2cf7c3a996c32dbe7e938993f7087105b4	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+7855c132af1390413d4e4ff4ead321f8802d8243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+f3e3c590d7126bd227733e9d8313d2575c421243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d4d4e896ce7d73b573f0a0006080a246aec61fe7	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bcdf4809c1886ac95478bbafde246d0603934298	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+6b4855df8afc8d57a671fe5ed628f6d88852a922	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d50fdc82c328319ac60f256d3119b8708cd5717b	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+70b48d5177eebe9c762e9a37ecabebfd10e1b7e9	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+3a6a299b764500ce1b6e58a32a257139d61a3543	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bf4f90e0029b2263af1141963ddf2a0c71a6b5fb	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+b21139583dec0dae344cca530690ec1f344acc79	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+21971ffef58baf6f638df2f7e2cceb4c58b173c8	Intel::CERT_HASH	Mandiant APT1 Report	EMAIL	T
+04ecff66973c92a1c348666d5a4738557cce0cfc	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+f97d1a703aec44d0f53a3a294e33acda43a49de1	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+1b27a897cda019da2c3a6dc838761871e8bf5b5d	Intel::CERT_HASH	Mandiant APT1 Report	LAME	T
+d515996e8696612dc78fc6db39006466fc6550df	Intel::CERT_HASH	Mandiant APT1 Report	MOON-NIGHT	T
+8f79315659e59c79f1301ef4aee67b18ae2d9f1c	Intel::CERT_HASH	Mandiant APT1 Report	NONAME	T
+a57a84975e31e376e3512da7b05ad06ef6441f53	Intel::CERT_HASH	Mandiant APT1 Report	NS	T
+b3db37a0edde97b3c3c15da5f2d81d27af82f583	Intel::CERT_HASH	Mandiant APT1 Report	SERVER (PEM)	T
+6d8f1454f6392361fb2464b744d4fc09eee5fcfd	Intel::CERT_HASH	Mandiant APT1 Report	SUR	T
+b66e230f404b2cc1c033ccacda5d0a14b74a2752	Intel::CERT_HASH	Mandiant APT1 Report	VIRTUALLYTHERE	T
+4acbadb86a91834493dde276736cdf8f7ef5d497	Intel::CERT_HASH	Mandiant APT1 Report	WEBMAIL	T
+86a48093d9b577955c4c9bd19e30536aae5543d4	Intel::CERT_HASH	Mandiant APT1 Report	YAHOO	T
@@ -0,0 +1,106 @@
+##! This script is to support the bpf.conf file like other network monitoring tools use.
+##! Please don't try to learn from this script right now, there are a large number of
+##! hacks in it to work around bugs discovered in Bro.
+
+@load base/frameworks/notice
+
+module BPFConf;
+
+export {
+	## The file that is watched on disk for BPF filter changes.
+	## Two templated variables are available; "sensorname" and "interface".
+	## They can be used by surrounding the term by doubled curly braces.
+	const filename = "/opt/bro/share/bro/site/bpf" &redef;
+
+	redef enum Notice::Type += { 
+		## Invalid filter notice.
+		InvalidFilter
+	};
+}
+
+global filter_parts: vector of string = vector();
+global current_filter_filename = "";
+
+type FilterLine: record {
+	s: string;
+};
+
+redef enum PcapFilterID += {
+	BPFConfPcapFilter,
+};
+
+event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	local part = sub(s, /[[:blank:]]*#.*$/, "");
+
+	# We don't want any blank parts.
+	if ( part != "" )
+		filter_parts[|filter_parts|] = part;
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	if ( name == "bpfconf" )
+		{
+		local filter = join_string_vec(filter_parts, " ");
+		capture_filters["bpf.conf"] = filter;
+		if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
+			{
+			PacketFilter::install();
+			}
+		else
+			{
+			NOTICE([$note=InvalidFilter,
+			        $msg=fmt("Compiling packet filter from %s failed", filename),
+			        $sub=filter]);
+			}
+
+		filter_parts=vector();
+		}
+	}
+
+
+function add_filter_file()
+	{
+	local real_filter_filename = BPFConf::filename;
+
+	# Support the interface template value.
+	#if ( SecurityOnion::sensorname != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
+
+	# Support the interface template value.
+	#if ( SecurityOnion::interface != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
+
+	#if ( /\{\{/ in real_filter_filename )
+	#	{
+	#	return;
+	#	}
+	#else
+	#	Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
+
+	if ( real_filter_filename != current_filter_filename )
+		{
+		current_filter_filename = real_filter_filename;
+		Input::add_event([$source=real_filter_filename,
+		                  $name="bpfconf",
+		                  $reader=Input::READER_RAW,
+		                  $mode=Input::REREAD,
+		                  $want_record=F,
+		                  $fields=FilterLine,
+		                  $ev=BPFConf::line]);
+		}
+	}
+
+#event SecurityOnion::found_sensorname(name: string)
+#	{
+#	add_filter_file();
+#	}
+
+event bro_init() &priority=5
+	{
+	if ( BPFConf::filename != "" )
+		add_filter_file();
+	}
+
+
@@ -0,0 +1,10 @@
+global sensorname = "{{ grains.host }}";
+
+redef record Conn::Info += {
+	sensorname: string &log &optional;
+};
+
+event connection_state_remove(c: connection)
+	{
+	c$conn$sensorname = sensorname;
+	}
@@ -0,0 +1 @@
+@load ./extract
@@ -0,0 +1,21 @@
+global ext_map: table[string] of string = {
+    ["application/x-dosexec"] = "exe",
+    ["text/plain"] = "txt",
+    ["image/jpeg"] = "jpg",
+    ["image/png"] = "png",
+    ["text/html"] = "html",
+} &default ="";
+
+event file_sniff(f: fa_file, meta: fa_metadata)
+    {
+    if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
+        return;
+
+    local ext = "";
+
+    if ( meta?$mime_type )
+        ext = ext_map[meta$mime_type];
+
+    local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
+    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
+    }
@@ -0,0 +1,3 @@
+@load tuning/json-logs
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+redef LogAscii::use_json = T;