CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into issue/1066

Browse Source
This commit is contained in:
m0duspwnens
2020-09-14 08:45:54 -04:00
parent 77911acfb4 841db1b4b9
commit 46cbcfa330
8 changed files with 101 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
salt/common/tools/sbin/so-yara-update
View File

@@ -14,8 +14,9 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
clone_dir="/tmp"
output_dir="/opt/so/saltstack/default/salt/strelka/rules" output_dir="/opt/so/saltstack/default/salt/strelka/rules"
#mkdir -p $output_dir #mkdir -p $output_dir
repos="$output_dir/repos.txt" repos="$output_dir/repos.txt"
@@ -27,6 +28,69 @@ updatecounter=0
gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com) gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
{%- if ISAIRGAP is sameas true -%}
clone_dir="/nsm/repo/rules/strelka"
repo_name="signature-base"
mkdir -p $output_dir/$repo_name
[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
# Copy over rules
for i in $(find $clone_dir -name "*.yar*"); do
rule_name=$(echo $i | awk -F '/' '{print $NF}')
repo_sum=$(sha256sum $i | awk '{print $1}')
# Check rules against those in ignore list -- don't copy if ignored.
if ! grep -iq $rule_name $ignorefile; then
existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
# For existing rules, check to see if they need to be updated, by comparing checksums
if [ $existing_rules -gt 0 ];then
local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
if [ "$repo_sum" != "$local_sum" ]; then
echo "Checksums do not match!"
echo "Updating $rule_name..."
cp $i $output_dir/$repo_name;
((updatecounter++))
fi
else
# If rule doesn't exist already, we'll add it
echo "Adding new rule: $rule_name..."
cp $i $output_dir/$repo_name
((newcounter++))
fi
fi;
done
# Check to see if we have any old rules that need to be removed
for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
is_repo_rule=$(find $clone_dir -name "$i" | wc -l)
if [ $is_repo_rule -eq 0 ]; then
echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
rm $output_dir/$repo_name/$i
((deletecounter++))
fi
done
echo "Done!"
if [ "$newcounter" -gt 0 ];then
echo "$newcounter new rules added."
fi
if [ "$updatecounter" -gt 0 ];then
echo "$updatecounter rules updated."
fi
if [ "$deletecounter" -gt 0 ];then
echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
fi
{%- else -%}
clone_dir="/tmp"
if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
while IFS= read -r repo; do while IFS= read -r repo; do
@@ -100,3 +164,4 @@ else
echo "No connectivity to Github...exiting..." echo "No connectivity to Github...exiting..."
exit 1 exit 1
fi fi
{%- endif -%}

9
salt/manager/init.sls
View File

@@ -21,6 +21,7 @@
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %} {% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
socore_own_saltstack: socore_own_saltstack:
file.directory: file.directory:
@@ -82,10 +83,16 @@ so-aptcacherng:
{% endif %} {% endif %}
strelka_yara_update:
cron.present:
- user: root
- name: '/usr/sbin/so-yara-update > /dev/null 2>&1'
- hour: '7'
- minute: '1'
{% else %} {% else %}
manager_state_not_allowed: manager_state_not_allowed:
test.fail_without_changes: test.fail_without_changes:
- name: manager_state_not_allowed - name: manager_state_not_allowed
{% endif %} {% endif %}

12
salt/soc/files/soc/soc.json
View File

@@ -124,7 +124,7 @@
{ "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"}, { "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"},
{ "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"}, { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"},
{ "name": "RDP", "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"}, { "name": "RDP", "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"},
{ "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name"}, { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"},
{ "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"}, { "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"}, { "name": "SIP", "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"},
{ "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"}, { "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"},
@@ -135,7 +135,7 @@
{ "name": "SSH", "description": "SSH grouped by version", "query": "event.dataset:ssh | groupby ssh.version"}, { "name": "SSH", "description": "SSH grouped by version", "query": "event.dataset:ssh | groupby ssh.version"},
{ "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"}, { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
{ "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"}, { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"},
{ "name": "Tunnels", "description": "Tunnels grouped by action", "query": "event.dataset:tunnels | groupby event.action"}, { "name": "Tunnel", "description": "Tunnels grouped by action", "query": "event.dataset:tunnel | groupby event.action"},
{ "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"}, { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
{ "name": "x509", "description": "x.509 grouped by key length", "query": "event.dataset:x509 | groupby x509.certificate.key.length"}, { "name": "x509", "description": "x.509 grouped by key length", "query": "event.dataset:x509 | groupby x509.certificate.key.length"},
{ "name": "x509", "description": "x.509 grouped by issuer", "query": "event.dataset:x509 | groupby x509.certificate.issuer"}, { "name": "x509", "description": "x.509 grouped by issuer", "query": "event.dataset:x509 | groupby x509.certificate.issuer"},
@@ -143,10 +143,10 @@
{ "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"} { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"}
], ],
"actions": [ "actions": [
{ "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" }, { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "_blank" },
{ "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" }, { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}", "target": "_blank" },
{ "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}" }, { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
{ "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" } { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
] ]
} }
} }

8
salt/soctopus/init.sls
View File

@@ -6,8 +6,9 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{%- set MANAGER_URL = salt['pillar.get']('global:url_base', '') %} {% set MANAGER_URL = salt['pillar.get']('global:url_base', '') %}
{%- set MANAGER_IP = salt['pillar.get']('global:managerip', '') %} {% set MANAGER_IP = salt['pillar.get']('global:managerip', '') %}
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
soctopusdir: soctopusdir:
file.directory: file.directory:
@@ -64,6 +65,9 @@ so-soctopus:
- /opt/so/log/soctopus/:/var/log/SOCtopus/:rw - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw
- /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw
- /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw - /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw
{% if ISAIRGAP is sameas true %}
- /nsm/repo/rules/sigma:/soctopus/sigma
{% endif %}
- port_bindings: - port_bindings:
- 0.0.0.0:7000:7000 - 0.0.0.0:7000:7000
- extra_hosts: - extra_hosts:

9
salt/strelka/init.sls
View File

@@ -21,7 +21,7 @@
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
# Strelka config # Strelka config
strelkaconfdir: strelkaconfdir:
@@ -48,12 +48,6 @@ strelkasync:
- template: jinja - template: jinja
{%- if STRELKA_RULES == 1 %} {%- if STRELKA_RULES == 1 %}
strelka_yara_update:
cron.present:
- user: root
- name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1'
- hour: '7'
- minute: '1'
strelkarules: strelkarules:
file.recurse: file.recurse:
@@ -61,6 +55,7 @@ strelkarules:
- source: salt://strelka/rules - source: salt://strelka/rules
- user: 939 - user: 939
- group: 939 - group: 939
{%- endif %} {%- endif %}
strelkadatadir: strelkadatadir:

1
salt/top.sls
View File

@@ -128,6 +128,7 @@ base:
{%- endif %} {%- endif %}
{%- if PLAYBOOK != 0 %} {%- if PLAYBOOK != 0 %}
- playbook - playbook
- redis
{%- endif %} {%- endif %}
{%- if FREQSERVER != 0 %} {%- if FREQSERVER != 0 %}
- freqserver - freqserver

8
setup/so-functions
View File

@@ -50,6 +50,14 @@ airgap_rules() {
# Copy the rules for suricata if using Airgap # Copy the rules for suricata if using Airgap
mkdir -p /nsm/repo/rules mkdir -p /nsm/repo/rules
cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/ cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/
# Copy over sigma rules
cp -Rv /root/SecurityOnion/agrules/sigma /nsm/repo/rules/
# Don't leave Strelka out
cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/
} }
analyze_system() { analyze_system() {

5
setup/so-setup
View File

@@ -331,7 +331,7 @@ if [[ $is_manager && ! $is_eval ]]; then
whiptail_oinkcode whiptail_oinkcode
fi fi
if [[ $STRELKA == 1 ]]; then if [[ "$STRELKA" == 1 ]]; then
STRELKARULES=1 STRELKARULES=1
fi fi
@@ -573,6 +573,9 @@ fi
docker_seed_registry 2>> "$setup_log" # ~ 60% when finished docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
set_progress_str 60 "$(print_salt_state_apply 'manager')" set_progress_str 60 "$(print_salt_state_apply 'manager')"
if [[ "$STRELKARULES" == 1 ]]; then
/usr/sbin/so-yara-update >> $setup_log 2>&1
fi
salt-call state.apply -l info manager >> $setup_log 2>&1 salt-call state.apply -l info manager >> $setup_log 2>&1
set_progress_str 61 "$(print_salt_state_apply 'idstools')" set_progress_str 61 "$(print_salt_state_apply 'idstools')"