From 41e5c6ae90db10d0046512b9087eb9c96fb9dc0d Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 00:57:58 +0000
Subject: [PATCH 1/3] Add data deletion scripts

---
 salt/common/tools/sbin/so-elastic-clear | 79 +++++++++++++++++++++++++
 salt/common/tools/sbin/so-nsm-clear     | 76 ++++++++++++++++++++++++
 2 files changed, 155 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elastic-clear
 create mode 100644 salt/common/tools/sbin/so-nsm-clear

diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear
new file mode 100644
index 000000000..79c7e99ad
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion Elastic Clear
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # List indices
+        echo 
+        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        echo
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
+        echo
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+/usr/sbin/so-filebeat-stop
+/usr/sbin/so-logstash-stop
+
+# Delete data
+echo "Deleting data..."
+
+INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+for INDX in ${INDXS}
+do
+    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+done
+
+/usr/sbin/so-logstash-start
+/usr/sbin/so-filebeat-start
+
diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear
new file mode 100644
index 000000000..e45c10511
--- /dev/null
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion NSM Data Deletion
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+delete_pcap() {
+  PCAP_DATA="/nsm/pcap/"
+  [ -f $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+}
+delete_suricata() {
+  SURI_LOG="/opt/so/log/suricata/eve.json"
+  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+}
+delete_zeek() {
+  ZEEK_LOG="/nsm/zeek/logs/"
+  [ -f $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+}
+
+delete_pcap
+delete_suricata
+delete_zeek
+

From 5e0299e7bba58037b62268693cb0b852298d7790 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 01:11:22 +0000
Subject: [PATCH 2/3] Add PCAP stop|start|restart scripts

---
 salt/common/tools/sbin/so-pcap-restart | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-pcap-start   | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-pcap-stop    | 20 ++++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-pcap-restart
 create mode 100644 salt/common/tools/sbin/so-pcap-start
 create mode 100644 salt/common/tools/sbin/so-pcap-stop

diff --git a/salt/common/tools/sbin/so-pcap-restart b/salt/common/tools/sbin/so-pcap-restart
new file mode 100644
index 000000000..6095dc357
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1
diff --git a/salt/common/tools/sbin/so-pcap-start b/salt/common/tools/sbin/so-pcap-start
new file mode 100644
index 000000000..595fd54bb
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1
diff --git a/salt/common/tools/sbin/so-pcap-stop b/salt/common/tools/sbin/so-pcap-stop
new file mode 100644
index 000000000..d539d2f98
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1

From 48ebc5e2e3b1b06ccf8327873c46c8003777c4d5 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 01:13:40 +0000
Subject: [PATCH 3/3] Fix data checks

---
 salt/common/tools/sbin/so-nsm-clear | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear
index e45c10511..95ded5a4b 100644
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -59,7 +59,7 @@ fi
 
 delete_pcap() {
   PCAP_DATA="/nsm/pcap/"
-  [ -f $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
   SURI_LOG="/opt/so/log/suricata/eve.json"
@@ -67,7 +67,7 @@ delete_suricata() {
 }
 delete_zeek() {
   ZEEK_LOG="/nsm/zeek/logs/"
-  [ -f $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+  [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
 }
 
 delete_pcap