From 76e3118bd3af981fd1867bb62cfee42831c41961 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Sun, 21 Jun 2020 08:33:09 -0400
Subject: [PATCH 1/7] Split Sensoroni and Stenographer executables into separate images
---
 salt/pcap/files/sensoroni.json | 1 +
 salt/pcap/init.sls | 59 +++++++++++++++++++++++++---------
 2 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json
index 81776b021..ed673d969 100644
--- a/salt/pcap/files/sensoroni.json
+++ b/salt/pcap/files/sensoroni.json
@@ -12,6 +12,7 @@
 "apiKey": "{{ SENSORONIKEY }}"
 },
 "stenoquery": {
+ "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
 "pcapInputPath": "/nsm/pcap",
 "pcapOutputPath": "/nsm/pcapout"
 }
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 93203ca5b..9910507b7 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -20,19 +20,28 @@
 # PCAP Section
-# Create the logstash group
 stenographergroup:
 group.present:
 - name: stenographer
 - gid: 941
-# Add the logstash user for the jog4j settings
 stenographer:
 user.present:
 - uid: 941
 - gid: 941
 - home: /opt/so/conf/steno
+sensoronigroup:
+ group.present:
+ - name: sensoroni
+ - gid: 948
+
+sensoroni:
+ user.present:
+ - uid: 948
+ - gid: 948
+ - home: /opt/so/conf/steno
+
 stenoconfdir:
 file.directory:
 - name: /opt/so/conf/steno
@@ -58,8 +67,8 @@ stenoconf:
 file.managed:
 - name: /opt/so/conf/steno/config
 - source: salt://pcap/files/config
- - user: root
- - group: root
+ - user: stenographer
+ - group: stenographer
 - mode: 644
 - template: jinja
 - defaults:
@@ -67,10 +76,10 @@ stenoconf:
 sensoroniagentconf:
 file.managed:
- - name: /opt/so/conf/steno/sensoroni.json
+ - name: /opt/so/conf/sensoroni/sensoroni.json
 - source: salt://pcap/files/sensoroni.json
- - user: stenographer
- - group: stenographer
+ - user: sensoroni
+ - group: sensoroni
 - mode: 600
 - template: jinja
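Review bot: The `stenoconf` hunk hands ownership of `/opt/so/conf/steno/config` to `stenographer:stenographer`, which lets the stenographer service account rewrite its own Salt-managed configuration on the host; the previous `root:root` with `- mode: 644` was already world-readable, so the only thing this change adds is write access for uid 941. Unless stenographer is known to write to this file, keep `- user: root` and `- group: root` and rely on the 644 mode for reads, or at least pair the new owner with `- mode: 444`. Note that the container itself runs `privileged: True` (visible in a later hunk), so the ownership matters mainly for what a compromised host-side stenographer process can alter between highstates.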
@@ -97,8 +106,8 @@ pcaptmpdir:
 pcapoutdir:
 file.directory:
 - name: /nsm/pcapout
- - user: 941
- - group: 941
+ - user: sensoroni
+ - group: sensoroni
 - makedirs: True
 pcapindexdir:
@@ -115,23 +124,43 @@ stenolog:
 - group: 941
 - makedirs: True
+pcap_network:
+ docker_network.present
+
 so-steno:
 docker_container.running:
 - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
 - network_mode: host
 - privileged: True
- - port_bindings:
- - 127.0.0.1:1234:1234
+ - networks:
+ - pcap_network:
+ - aliases:
+ - steno
+ - require:
+ - docker_network: pcap_network
 - binds:
 - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
 - /opt/so/conf/steno/config:/etc/stenographer/config:rw
 - /nsm/pcap:/nsm/pcap:rw
 - /nsm/pcapindex:/nsm/pcapindex:rw
 - /nsm/pcaptmp:/tmp:rw
- - /nsm/pcapout:/nsm/pcapout:rw
 - /opt/so/log/stenographer:/var/log/stenographer:rw
- - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- - /opt/so/log/stenographer:/opt/sensoroni/logs:rw
 - watch:
 - file: /opt/so/conf/steno/config
- - file: /opt/so/conf/steno/sensoroni.json
+
+so-sensoroni:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
+ - networks:
+ - pcap_network:
+ - aliases:
+ - sensoroni
+ - require:
+ - docker_network: pcap_network
+ - binds:
+ - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+ - /nsm/pcapout:/nsm/pcapout:rw
+ - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+ - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
+ - watch:
+ - file: /opt/so/conf/sensoroni/sensoroni.json
From 81ed656ba041aff5df362aaea6bd0466410621de Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Sun, 21 Jun 2020 10:50:10 -0400
Subject: [PATCH 2/7] Bind both steno and sensoroni processes to host network
---
 salt/pcap/init.sls | 49 +++++++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 29 deletions(-)
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 9910507b7..310b7e153 100644
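Review bot: The new `so-sensoroni` container bind-mounts the certificate directory read-write (`- /opt/so/conf/steno/certs:/etc/stenographer/certs:rw`) although the agent only needs to present a client certificate to stenographer; mount it `:ro` so a compromised agent cannot replace or delete the CA/server material that `so-steno` reads from the same host directory. The `so-steno` service keeps `privileged: True` while now also joining `pcap_network`, so anything reachable on that network with a foothold in the sensoroni container is one hop from a privileged container; a comment stating why stenographer needs `privileged` (capture on the host interface, presumably) would help future reviewers judge that trade-off. The hunk also references `/opt/so/conf/sensoroni/` and `/opt/so/log/sensoroni` without a `file.directory` state creating them in this commit, so the `file.managed` for `sensoroni.json` may fail on the missing parent until one is added.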
--- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -31,17 +31,6 @@ stenographer: - gid: 941 - home: /opt/so/conf/steno -sensoronigroup: - group.present: - - name: sensoroni - - gid: 948 - -sensoroni: - user.present: - - uid: 948 - - gid: 948 - - home: /opt/so/conf/steno - stenoconfdir: file.directory: - name: /opt/so/conf/steno @@ -49,6 +38,13 @@ stenoconfdir: - group: 939 - makedirs: True +sensoroniconfdir: + file.directory: + - name: /opt/so/conf/sensoroni + - user: 939 + - group: 939 + - makedirs: True + {% if BPF_STENO %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} @@ -78,8 +74,8 @@ sensoroniagentconf: file.managed: - name: /opt/so/conf/sensoroni/sensoroni.json - source: salt://pcap/files/sensoroni.json - - user: sensoroni - - group: sensoroni + - user: 939 + - group: 939 - mode: 600 - template: jinja @@ -106,8 +102,8 @@ pcaptmpdir: pcapoutdir: file.directory: - name: /nsm/pcapout - - user: sensoroni - - group: sensoroni + - user: 939 + - group: 939 - makedirs: True pcapindexdir: @@ -124,20 +120,20 @@ stenolog: - group: 941 - makedirs: True -pcap_network: - docker_network.present +sensoronilog: + file.directory: + - name: /opt/so/log/sensoroni + - user: 939 + - group: 939 + - makedirs: True so-steno: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }} - network_mode: host - privileged: True - - networks: - - pcap_network: - - aliases: - - steno - - require: - - docker_network: pcap_network + - port_bindings: + - 127.0.0.1:1234:1234 - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw - /opt/so/conf/steno/config:/etc/stenographer/config:rw 
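Review bot: The re-added `- port_bindings:` / `- 127.0.0.1:1234:1234` on `so-steno` does nothing next to `- network_mode: host`: Docker ignores published ports for host-networked containers, so the address stenographer binds inside the host namespace is what is exposed, and loopback-only reachability has to come from stenographer's own listen setting or the host firewall rather than from this entry. Either drop the two lines or replace them with a comment so nobody assumes 1234/tcp is restricted, e.g. `# host networking: 1234/tcp is bound by stenographer itself; restrict it in its config/firewall, not here`. The `sensoroniconfdir`, `sensoroniagentconf`, `pcapoutdir` and `sensoronilog` states now hard-code uid/gid 939 with no `user.present` in this file; a comment naming the account (socore, going by the next commit's message) and a `require` on whichever state creates it would avoid a chown against a not-yet-existing uid on a fresh node.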
@@ -151,12 +147,7 @@ so-steno:
 so-sensoroni:
 docker_container.running:
 - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
- - networks:
- - pcap_network:
- - aliases:
- - sensoroni
- - require:
- - docker_network: pcap_network
+ - network_mode: host
 - binds:
 - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
 - /nsm/pcapout:/nsm/pcapout:rw
From 1ee3625f6104695e005ab554bf24b39b5847c113 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Sun, 21 Jun 2020 15:46:36 -0400
Subject: [PATCH 3/7] Ensure certs dir is group readable by socore since Sensoroni process will need to read the client key
---
 salt/pcap/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 310b7e153..02a2e23d8 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -83,7 +83,7 @@ stenoca:
 file.directory:
 - name: /opt/so/conf/steno/certs
 - user: 941
- - group: 941
+ - group: 939
 pcapdir:
 file.directory:
From d7693f9b555704b030d2da6cfa71128c81dff04f Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 22 Jun 2020 08:27:43 -0400
Subject: [PATCH 4/7] Expose pcap dir to sensoroni for epoch discovery
---
 salt/pcap/init.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 02a2e23d8..bcf09b765 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -150,6 +150,7 @@ so-sensoroni:
 - network_mode: host
 - binds:
 - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+ - /nsm/pcap:/nsm/pcap:rw
 - /nsm/pcapout:/nsm/pcapout:rw
 - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
 - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
From af451573ebfe432d435f3903864448a937cb5eab Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 23 Jun 2020 17:43:28 +0000
Subject: [PATCH 5/7] Move dataset from files to file
---
 salt/elasticsearch/files/ingest/zeek.files | 1 +
 1 file changed, 1 insertion(+)
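Review bot: Switching the group of `/opt/so/conf/steno/certs` to 939 widens access to the whole directory, not just the client key the sensoroni agent needs; the state is named `stenoca`, which suggests the CA key and server key live there too, and group 939 now reaches them subject only to each file's own mode, which this hunk does not manage. Prefer granting 939 group-read on just the client cert/key (a `file.managed` per file with `- mode: 640`), leave the CA and server material at 941:941, and mount the directory into `so-sensoroni` as `:ro` instead of the current `:rw`. The `file.directory` also sets no `- mode:`, so whether group 939 gets traverse without write depends on the umask at creation time; add an explicit `- mode: 750`.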
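Review bot: `- /nsm/pcap:/nsm/pcap:rw` gives the sensoroni agent write access to the raw packet store although the stated purpose is only discovering which capture epochs exist; listing and stat'ing files needs no write bit, and a read-only mount removes the ability of a compromised agent to alter or delete evidence. Change the line to `- /nsm/pcap:/nsm/pcap:ro`; the `pcapOutputPath` in sensoroni.json points at `/nsm/pcapout`, which stays `:rw` for stenoquery output. If epoch discovery turns out to write markers under `/nsm/pcap`, that is worth a comment on the bind because it is the opposite of what a reader will expect.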
diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files
index f72bde097..53600180f 100644
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -30,6 +30,7 @@
 { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } },
 { "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } },
 { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } },
+ { "set": { "field": "dataset", "value": "file" } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
From c0428ce79ddb9099334e18f5472f3d5a79b5cbf6 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 23 Jun 2020 17:48:12 +0000
Subject: [PATCH 6/7] Update file dataset name for hunt queries
---
 salt/soc/files/soc/soc.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 090db59ea..693c44aeb 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -107,8 +107,8 @@
 { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"},
 { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"},
 { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"},
- { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:files | groupby file.mime_type source.ip"},
- { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:files | groupby file.source source.ip"},
+ { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"},
+ { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"},
 { "name": "FTP", "description": "FTP grouped by argument", "query": "event.dataset:ftp | groupby ftp.argument"},
 { "name": "FTP", "description": "FTP grouped by command", "query": "event.dataset:ftp | groupby ftp.command"},
 { "name": "FTP", "description": "FTP grouped by username", "query": "event.dataset:ftp | groupby ftp.user"},
From f7eacc2b05c17c0b72d4956f3df54e07ef20cfc2 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 23 Jun 2020 18:47:23 +0000
Subject: [PATCH 7/7] Add FW config for Strelka frontend
---
 files/firewall/hostgroups.local.yaml | 6 +++++-
 salt/common/tools/sbin/so-allow | 8 ++++++++
 salt/firewall/assigned_hostgroups.map.yaml | 5 ++++-
 salt/firewall/portgroups.yaml | 5 ++++-
 4 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml
index 9d2c4c0c7..27ad40f6e 100644
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
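Review bot: Documents already indexed carry the old value `files`, so switching the two Files hunt queries to `event.dataset:file` silently hides every historical file event until those indices age out or are reindexed; nothing in this series rewrites the field on existing data (the ingest change in the previous commit only affects new documents, assuming `zeek.common` maps `dataset` into `event.dataset`). If older data must stay searchable, use a transitional query such as `"query": "event.dataset:(file OR files) | groupby file.mime_type source.ip"` (and the same for the `file.source` query), or record the cut-over in the release notes so analysts know why pre-upgrade files are missing from these hunts.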
@@ -44,6 +44,10 @@ firewall:
 ips:
 delete:
 insert:
+ strelka_frontend:
+ ips:
+ delete:
+ insert:
 syslog:
 ips:
 delete:
@@ -59,4 +63,4 @@ firewall:
 wazuh_authd:
 ips:
 delete:
- insert:
\ No newline at end of file
+ insert:
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 82d25c25e..d273cfce5 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -38,6 +38,11 @@ do
 FULLROLE="beats_endpoint"
 SKIP=1
 ;;
+ f)
+ FULLROLE="strelka_frontend"
+ SKIP=1
+ ;;
+
 i) IP=$OPTARG ;;
 o)
@@ -72,6 +77,7 @@ if [ "$SKIP" -eq 0 ]; then
 echo ""
 echo "[a] - Analyst - ports 80/tcp and 443/tcp"
 echo "[b] - Logstash Beat - port 5044/tcp"
+ echo "[f] - Strelka frontend - port 57314/tcp"
 echo "[o] - Osquery endpoint - port 8090/tcp"
 echo "[s] - Syslog device - 514/tcp/udp"
 echo "[w] - Wazuh agent - port 1514/tcp/udp"
@@ -86,6 +92,8 @@ if [ "$SKIP" -eq 0 ]; then
 FULLROLE=analyst
 elif [ "$ROLE" == "b" ]; then
 FULLROLE=beats_endpoint
+ elif [ "$ROLE" == "f" ]; then
+ FULLROLE=strelka_frontend
 elif [ "$ROLE" == "o" ]; then
 FULLROLE=osquery_endpoint
 elif [ "$ROLE" == "w" ]; then
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index beda399e7..ea7b23afb 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -52,6 +52,9 @@ role:
 osquery_endpoint:
 portgroups:
 - {{ portgroups.fleet_api }}
+ strelka_frontend:
+ portgroups:
+ - {{ portgroups.strelka_frontend }}
 syslog:
 portgroups:
 - {{ portgroups.syslog }}
@@ -466,4 +469,4 @@ role:
 - {{ portgroups.all }}
 localhost:
 portgroups:
- - {{ portgroups.all }}
\ No newline at end of file
+ - {{ portgroups.all }}
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index 94dace60f..2f3d5032a 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -74,6 +74,9 @@ firewall:
 ssh:
 tcp:
 - 22
+ strelka_frontend:
+ tcp:
+ - 57314
 syslog:
 tcp:
 - 514
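Review bot: The new `f)` case only takes effect if the `getopts` option string at the top of the `while` loop, which is outside this hunk, also gains an `f`; otherwise `so-allow -f -i <ip>` is rejected as an illegal option and falls into whatever the default branch does, while the interactive menu path still works and masks the gap. Please confirm the option string was updated in the same change, and add a short comment above the case, e.g. `# f: Strelka frontend, opens 57314/tcp to the given IP`, since the port is otherwise documented only in the menu text. The menu line hard-codes `57314/tcp` while `portgroups.yaml` is the source of truth for the port; a comment in both places that they must be kept in sync would stop them drifting the way a future port change would.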
@@ -89,4 +92,4 @@ firewall:
 - 55000
 wazuh_authd:
 tcp:
- - 1515
\ No newline at end of file
+ - 1515