From 762a3bea177a021dc97a1dcf9c1771d9c8bcc359 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Jan 2024 09:59:26 -0500 Subject: [PATCH 01/89] Defaults and Annotations --- salt/suricata/defaults.yaml | 10 +++++++ salt/suricata/soc_suricata.yaml | 50 +++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index e9e39d40a..4961ae50a 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -128,6 +128,16 @@ suricata: enabled: "no" pcap-log: enabled: "no" + compression: "none" + lz4-checksum: "no" + lz4-level: 8 + filename: "%n/so-pcap.%t" + limit: "1000mb" + mode: "multi" + max-files: 10 + use-stream-depth: "no" + conditional: "all" + dir: "/nsm/pcap" alert-debug: enabled: "no" alert-prelude: diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 30f277c0a..58a2273b9 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -153,6 +153,53 @@ suricata: header: description: Header name where the actual IP address will be reported. helpLink: suricata.html + pcap-log: + enabled: + description: Enable Suricata to collect PCAP. + helpLink: suricata.html + compression: + description: Enable compression of Suricata PCAP. Currently unsupported + advanced: True + readonly: True + helpLink: suricata.html + lz4-checksum: + description: Enable PCAP lz4 checksum. Currently unsupported + advanced: True + readonly: True + helpLink: suricata.html + lz4-level: + description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported + advanced: True + readonly: True + helpLink: suricata.html + filename: + description: Filename output for Suricata PCAP. + advanced: True + readonly: True + helpLink: suricata.html + limit: + description: File size limit per thread. To determine max PCAP size multiple threads x max-files x limit. + helpLink: suricata.html + mode: + description: Suricata PCAP mode. Currenlty only multi is supported. + advanced: True + readonly: True + helpLink: suricata.html + max-files: + description: Max PCAP files per thread. To determine max PCAP size multiple threads x max-files x limit. + helpLink: suricata.html + use-stream-depth: + description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. + advanced: True + helpLink: suricata.html + conditional: + description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules. + helpLink: suricata.html + dir: + description: Parent directory to store PCAP. + advanced: True + readonly: True + helpLink: suricata.html asn1-max-frames: description: Maximum nuber of asn1 frames to decode. helpLink: suricata.html 
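Review bot: The new `limit` and `max-files` descriptions both read `To determine max PCAP size multiple threads x max-files x limit.`, where the verb `multiply` is meant; suggest `To determine max PCAP size, multiply threads x max-files x limit.` for both entries. The `mode` description also has `Currenlty` for `Currently`. Since these strings are shown verbatim in the SOC configuration UI, the typos are user-visible.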
@@ -209,6 +256,9 @@ suricata: memcap: description: Can be specified in kb,mb,gb. helpLink: suricata.html + depth: + description: Controls how far into a stream that reassembly is done. + helpLink: suricata.html host: hash-size: description: Hash size in bytes. From 1a2245a1ed188be34b2ffbcb6304567c9c5abdee Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Jan 2024 13:44:53 -0500 Subject: [PATCH 02/89] Add so-minion modifications --- salt/manager/tools/sbin/so-minion | 25 +++++++++++++++++++++++++ salt/suricata/soc_suricata.yaml | 2 +- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index d5225cc82..12349b680 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -79,6 +79,30 @@ function getinstallinfo() { source <(echo $INSTALLVARS) } +function pcapspace() { + + local NSMSIZE=$(salt \* disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') + local ROOTSIZE=$(salt \* disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ') + + if [[ "$NSMSIZE" == "null" ]]; then + # Looks like there is no dedicated nsm partition. Using root + local SPACESIZE=$ROOTSIZE + else + local SPACESIZE=$NSMSIZE + fi + + local s=$(( $SPACESIZE / 1000000 )) + local s1=$(( $s / 2 )) + local s2=$(( $s1 / $lb_procs )) + + printf '%s\n'\ + "suricata:"\ + " config:"\ + " output:"\ + " pcap-log: $s" >> $PILLARFILE + +} + function testMinion() { # Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone. # Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image. @@ -252,6 +276,7 @@ function add_sensor_to_minion() { if [[ $is_pcaplimit ]]; then echo " config:" >> $PILLARFILE echo " diskfreepercentage: 60" >> $PILLARFILE + pcapspace fi echo " " >> $PILLARFILE } diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 58a2273b9..5dddd7442 100644 
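Review bot: `pcapspace` computes `s1` (half the volume) and `s2` (that, divided by `lb_procs`) but then writes the undivided `$s` — the whole /nsm or / size in GB — into the pillar, so the two unused locals suggest the intended value was `$s2`; the same `$s` is carried into the `max-files:` rewrite of this printf in a later commit of the series, where it becomes a per-thread file count that can exceed the volume once multiplied by threads and the 1000mb `limit`. `$lb_procs` is neither defined in nor passed to the function, so it depends on a caller-scope variable being set before `pcapspace` runs; an empty value makes `$(( $s1 / $lb_procs ))` a shell arithmetic error. `$PILLARFILE` should be quoted in the redirection, `>> "$PILLARFILE"`, as should `$SPACESIZE` when it is tested.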
--- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -181,7 +181,7 @@ suricata: description: File size limit per thread. To determine max PCAP size multiple threads x max-files x limit. helpLink: suricata.html mode: - description: Suricata PCAP mode. Currenlty only multi is supported. + description: Suricata PCAP mode. Currently only multi is supported. advanced: True readonly: True helpLink: suricata.html From 5b05aec96aaa9cbf73294bce24fed2d59f5e4be4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Jan 2024 14:56:51 -0500 Subject: [PATCH 03/89] Target sspecific minion --- salt/manager/tools/sbin/so-minion | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 12349b680..877796620 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -81,8 +81,8 @@ function getinstallinfo() { function pcapspace() { - local NSMSIZE=$(salt \* disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') - local ROOTSIZE=$(salt \* disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ') + local NSMSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') + local ROOTSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ') if [[ "$NSMSIZE" == "null" ]]; then # Looks like there is no dedicated nsm partition. Using root From 0c969312e2ee61eed8e6c0d571e44dc7ee7cdcec Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Jan 2024 15:22:20 -0500 Subject: [PATCH 04/89] Add Globals --- salt/global/defaults.yaml | 2 ++ salt/global/soc_global.yaml | 5 +++++ salt/manager/tools/sbin/so-minion | 3 ++- salt/sensoroni/files/sensoroni.json | 11 ++++++++++- salt/suricata/soc_suricata.yaml | 4 +++- 5 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 salt/global/defaults.yaml diff --git a/salt/global/defaults.yaml b/salt/global/defaults.yaml new file mode 100644 index 000000000..bd7244a58 
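Review bot: `'$MINION_ID'` is single-quoted in both `salt` calls in `pcapspace`, so the shell passes the literal string `$MINION_ID` as the target and no minion matches; use `"$MINION_ID"` so the variable expands while still being one word. With no match, `salt` prints nothing on stdout, `jq` produces no output, and `NSMSIZE` is empty rather than `null`, so the root-size fallback below does not trigger either and the later `$(( $SPACESIZE / 1000000 ))` fails on an empty operand. The rest of `pcapspace` is outside this hunk.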
--- /dev/null +++ b/salt/global/defaults.yaml @@ -0,0 +1,2 @@ +global: + pcapengine: STENO \ No newline at end of file diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index 14d637d50..fc1c09b1c 100644 --- a/salt/global/soc_global.yaml +++ b/salt/global/soc_global.yaml @@ -14,6 +14,11 @@ global: regex: ^(ZEEK|SURICATA)$ regexFailureMessage: You must enter either ZEEK or SURICATA. global: True + pcapengine: + description: What engine to use for generating pcap. Options are STENO and SURICATA. + regex: ^(STENO|SURICATA)$ + regexFailureMessage: You must enter either STENO or SURICATA. + global: True ids: description: Which IDS engine to use. Currently only Suricata is supported. global: True diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 877796620..4995e1c9d 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -99,7 +99,8 @@ function pcapspace() { "suricata:"\ " config:"\ " output:"\ - " pcap-log: $s" >> $PILLARFILE + " pcap-log:"\ + " max-files: $s" >> $PILLARFILE } diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 59ce500e3..c5608ba56 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -23,13 +23,22 @@ "importer": {}, "statickeyauth": { "apiKey": "{{ GLOBALS.sensoroni_key }}" -{%- if PCAPMERGED.enabled %} +{%- if PCAPMERGED.enabled %} +{%- if PCAPENGINE.steno %} }, "stenoquery": { "executablePath": "/opt/sensoroni/scripts/stenoquery.sh", "pcapInputPath": "/nsm/pcap", "pcapOutputPath": "/nsm/pcapout" } +{%- elif PCAPENGINE.suri %} + }, + "suriquery": { + "executablePath": "/opt/sensoroni/scripts/suriquery.sh", + "pcapInputPath": "/nsm/suripcap", + "pcapOutputPath": "/nsm/pcapout" + } +{%- endif %} {%- else %} } {%- endif %} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 5dddd7442..7153eb9a1 100644 --- a/salt/suricata/soc_suricata.yaml 
+++ b/salt/suricata/soc_suricata.yaml @@ -155,8 +155,10 @@ suricata: helpLink: suricata.html pcap-log: enabled: - description: Enable Suricata to collect PCAP. + description: This value is ignored by SO. pcapengine in globals takes predidence. + readonly: True helpLink: suricata.html + advanced: True compression: description: Enable compression of Suricata PCAP. Currently unsupported advanced: True From 88c01a22d6454b318c0c94a1718c93fb69b34500 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Jan 2024 15:27:28 -0500 Subject: [PATCH 05/89] Add annotation logic --- salt/suricata/soc_suricata.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 7153eb9a1..52352d043 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -44,6 +44,7 @@ suricata: set-cpu-affinity: description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. regex: ^(yes|no)$ + regexFailureMessage: You must enter either yes or no. helpLink: suricata.html cpu-affinity: management-cpu-set: @@ -155,7 +156,7 @@ suricata: helpLink: suricata.html pcap-log: enabled: - description: This value is ignored by SO. pcapengine in globals takes predidence. + description: This value is ignored by SO. pcapengine in globals takes precidence. readonly: True helpLink: suricata.html advanced: True 
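Review bot: The corrected description still misspells the word — `precidence` should be `precedence`, i.e. `description: This value is ignored by SO. pcapengine in globals takes precedence.` The `enabled` entry also lists `readonly: True` before `helpLink:` and `advanced: True` after it, while the other `pcap-log` entries in this block use the order `advanced`, `readonly`, `helpLink`; aligning the order keeps the block consistent and diff-friendly.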
@@ -193,9 +194,13 @@ suricata: use-stream-depth: description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. advanced: True + regex: ^(yes|no)$ + regexFailureMessage: You must enter either yes or no. helpLink: suricata.html conditional: description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules. + regex: ^(all|alert|tag)$ + regexFailureMessage: You must enter either all, alert or tag. helpLink: suricata.html dir: description: Parent directory to store PCAP. From ab551a747ddafe1fd0b602e3f84d8130e9ffe5bc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Jan 2024 15:44:57 -0500 Subject: [PATCH 06/89] Threads placeholder logic --- salt/suricata/enabled.sls | 3 +++ salt/suricata/pcap.sls | 25 +++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 salt/suricata/pcap.sls diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index ce309e41a..6dce49c8c 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls @@ -12,6 +12,9 @@ include: - suricata.config - suricata.sostatus + if blah + - suricata.pcap + endif so-suricata: docker_container.running: diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls new file mode 100644 index 000000000..f677532f0 --- /dev/null +++ b/salt/suricata/pcap.sls 
@@ -0,0 +1,25 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %} +{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %} + +suripcapdir: + file.directory: + - name: /nsm/suripcap + - user: 940 + - group: 939 + - mode: 755 + - makedirs: True + +{{ SURICATAMERGED.config['af-packet'].threads }} + +for thread in afp.threads + +suripcapthreaddir: + file.directory: + - name: /nsm/suripcap/{{thread}} + - user: 940 + - group: 939 + - mode: 755 + - makedirs: True + +endfor \ No newline at end of file From 88d2ddba8bddeeac28fbadf12c826c04a4a61e82 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Jan 2024 15:53:54 -0500 Subject: [PATCH 07/89] add placeholder for telegraf --- salt/telegraf/scripts/oldpcap.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index bb1be457f..d3f4b9a93 100644 --- a/salt/telegraf/scripts/oldpcap.sh +++ b/salt/telegraf/scripts/oldpcap.sh @@ -5,13 +5,18 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +{%- if pcap is steno +PCAPLOC=/host/nsm/pcap +{%- else %} +PCAPLOC=/host/nsm/suripcap +{%- endif %} # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then # Get the data - OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'}) + OLDPCAP=$(find $PCAPLOC -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'}) DATE=$(date +%s) AGE=$(($DATE - $OLDPCAP)) From d118ff4728454cb08cd020234b6d858c5edc3656 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Mon, 29 Jan 2024 16:54:08 -0500 Subject: [PATCH 08/89] add GLOBALS.pcap_engine --- salt/global/map.jinja | 2 ++ salt/sensoroni/files/sensoroni.json | 6 +++--- salt/suricata/enabled.sls | 4 ++-- salt/suricata/pcap.sls | 13 +++++-------- salt/telegraf/config.sls | 2 ++ salt/telegraf/scripts/oldpcap.sh | 7 +++---- salt/vars/globals.map.jinja | 2 ++ 7 files changed, 19 insertions(+), 17 deletions(-) create mode 100644 salt/global/map.jinja diff --git a/salt/global/map.jinja b/salt/global/map.jinja new file mode 100644 index 000000000..54abb8c79 --- /dev/null +++ b/salt/global/map.jinja @@ -0,0 +1,2 @@ +{% import_yaml 'global/defaults.yaml' as GLOBALDEFAULTS %} +{% set GLOBALMERGED = salt['pillar.get']('global', GLOBALDEFAULTS.global, merge=True) %} diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index c5608ba56..f813dad2f 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -24,21 +24,21 @@ "statickeyauth": { "apiKey": "{{ GLOBALS.sensoroni_key }}" {%- if PCAPMERGED.enabled %} -{%- if PCAPENGINE.steno %} +{%- if GLOBALS.pcap_engine == "STENO" %} }, "stenoquery": { "executablePath": "/opt/sensoroni/scripts/stenoquery.sh", "pcapInputPath": "/nsm/pcap", "pcapOutputPath": "/nsm/pcapout" } -{%- elif PCAPENGINE.suri %} +{%- elif GLOBALS.pcap_engine == "SURICATA" %} }, "suriquery": { "executablePath": "/opt/sensoroni/scripts/suriquery.sh", "pcapInputPath": "/nsm/suripcap", "pcapOutputPath": "/nsm/pcapout" } -{%- endif %} +{%- endif %} {%- else %} } {%- endif %} diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index 6dce49c8c..cf871906b 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls @@ -12,9 +12,9 @@ include: - suricata.config - suricata.sostatus - if blah +{% if GLOBALS.pcap_engine == "SURICATA" %} - suricata.pcap - endif +{% endif %} so-suricata: docker_container.running: 
diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls index f677532f0..7a00d8d6a 100644 --- a/salt/suricata/pcap.sls +++ b/salt/suricata/pcap.sls @@ -1,6 +1,5 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} -{% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %} -{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %} +{% from 'suricata/map.jinja' import SURICATAMERGED %} suripcapdir: file.directory: @@ -10,16 +9,14 @@ suripcapdir: - mode: 755 - makedirs: True -{{ SURICATAMERGED.config['af-packet'].threads }} -for thread in afp.threads +{% for i in range(1, SURICATAMERGED.config['af-packet'].threads) + 1) %} -suripcapthreaddir: +suripcapthread{{i}}dir: file.directory: - - name: /nsm/suripcap/{{thread}} + - name: /nsm/suripcap/{{i}} - user: 940 - group: 939 - mode: 755 - - makedirs: True -endfor \ No newline at end of file +{% endfor %} diff --git a/salt/telegraf/config.sls b/salt/telegraf/config.sls index 0711260b5..a35be55f5 100644 --- a/salt/telegraf/config.sls +++ b/salt/telegraf/config.sls @@ -41,6 +41,8 @@ tgraf_sync_script_{{script}}: - mode: 770 - template: jinja - source: salt://telegraf/scripts/{{script}} + - defaults: + GLOBALS: {{ GLOBALS }} {% endfor %} telegraf_sbin: diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index d3f4b9a93..b68e71539 100644 --- a/salt/telegraf/scripts/oldpcap.sh +++ b/salt/telegraf/scripts/oldpcap.sh @@ -5,13 +5,12 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- if pcap is steno -PCAPLOC=/host/nsm/pcap -{%- else %} +{%- if GLOBALS.pcap_engine == "SURICATA" %} PCAPLOC=/host/nsm/suripcap +{%- else %} +PCAPLOC=/host/nsm/pcap {%- endif %} - # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index 3265cde18..990aeb39b 100644 
--- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -1,5 +1,6 @@ {% import 'vars/init.map.jinja' as INIT %} {% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'global/map.jinja' import GLOBALMERGED %} {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #} @@ -20,6 +21,7 @@ 'influxdb_host': INIT.PILLAR.global.influxdb_host, 'manager_ip': INIT.PILLAR.global.managerip, 'md_engine': INIT.PILLAR.global.mdengine, + 'pcap_engine': GLOBALMERGED.pcapengine 'pipeline': INIT.PILLAR.global.pipeline, 'so_version': INIT.PILLAR.global.soversion, 'so_docker_gateway': DOCKER.gateway, From 37dcb84a09d836ec1b772fe25c42051e7bfdf797 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 10:50:01 -0500 Subject: [PATCH 09/89] add missing comma --- salt/vars/globals.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index 990aeb39b..624173217 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -21,7 +21,7 @@ 'influxdb_host': INIT.PILLAR.global.influxdb_host, 'manager_ip': INIT.PILLAR.global.managerip, 'md_engine': INIT.PILLAR.global.mdengine, - 'pcap_engine': GLOBALMERGED.pcapengine + 'pcap_engine': GLOBALMERGED.pcapengine, 'pipeline': INIT.PILLAR.global.pipeline, 'so_version': INIT.PILLAR.global.soversion, 'so_docker_gateway': DOCKER.gateway, From 0522dc180a753ddb5886c9b370df6fc6662eef10 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 13:39:35 -0500 Subject: [PATCH 10/89] map pcap dir to container. enable pcap-log in map --- salt/suricata/enabled.sls | 3 +++ salt/suricata/map.jinja | 5 +++++ salt/suricata/pcap.sls | 4 ++-- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index cf871906b..8b2776b39 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
@@ -35,6 +35,9 @@ so-suricata: - /nsm/suricata/:/nsm/:rw - /nsm/suricata/extracted:/var/log/suricata//filestore:rw - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro + {% if GLOBALS.pcap_engine == "SURICATA" %} + - /nsm/suripcap/:/nsm/pcap:rw + {% endif %} {% if DOCKER.containers['so-suricata'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %} - {{ BIND }} diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 01d019de8..5f6e913f5 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -60,6 +60,11 @@ {% do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} {% endif %} +{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #} +{% if GLOBALS.pcap_engine == "SURICATA" %} +{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %} +{% endif %} + {# outputs is a list but we convert to dict in defaults to work with ui #} {# below they are converted back to lists #} {% load_yaml as outputs %} diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls index 7a00d8d6a..a3cbafa0a 100644 --- a/salt/suricata/pcap.sls +++ b/salt/suricata/pcap.sls @@ -9,8 +9,8 @@ suripcapdir: - mode: 755 - makedirs: True - -{% for i in range(1, SURICATAMERGED.config['af-packet'].threads) + 1) %} +{# there should only be 1 interface in af-packet so we can just reference the first list item #} +{% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %} suripcapthread{{i}}dir: file.directory: From 8ed66ea468b5eea0d3230db0e23ea34fd3267762 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 15:22:32 -0500 Subject: [PATCH 11/89] disable stenographer if suricata is pcap engine --- salt/pcap/config.map.jinja | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
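Review bot: `range(1, SURICATAMERGED.config['af-packet'][0].threads + 1)` in pcap.sls assumes `threads` is an integer; Suricata's af-packet configuration also accepts the string `auto`, and if that value can reach the pillar the `+ 1` raises a Jinja TypeError and the whole state file fails to render. Guarding the loop with `{% if SURICATAMERGED.config['af-packet'][0].threads is number %}`, or casting with `| int` and handling the 0 fallback, keeps the render from failing; confirm what the SOC UI allows for this field. The `[0]` indexing is documented by the new comment, but the same single-interface assumption is not enforced anywhere visible in the hunk.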
diff --git a/salt/pcap/config.map.jinja b/salt/pcap/config.map.jinja index 7ed500f25..e6d9f8bda 100644 --- a/salt/pcap/config.map.jinja +++ b/salt/pcap/config.map.jinja @@ -2,6 +2,12 @@ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at https://securityonion.net/license; you may not use this file except in compliance with the Elastic License 2.0. #} - + +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %} {% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %} + +{# disable stenographer if the pcap engine is set to SURICATA #} +{% if GLOBALS.pcap_engine == "SURICATA" %} +{% do PCAPMERGED.update({'enabled': False}) %} +{% endif %} From f32cb1f1153d691394f58295770717b781929ed9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 15:48:10 -0500 Subject: [PATCH 12/89] fix find to work with steno and suri pcap --- salt/telegraf/scripts/oldpcap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index b68e71539..438ce912c 100644 --- a/salt/telegraf/scripts/oldpcap.sh +++ b/salt/telegraf/scripts/oldpcap.sh @@ -15,7 +15,7 @@ PCAPLOC=/host/nsm/pcap if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then # Get the data - OLDPCAP=$(find $PCAPLOC -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'}) + OLDPCAP=$(find $PCAPLOC -type f -exec stat -c'%n %Z' {} + | sort | grep -v "/\." | head -n 1 | awk {'print $2'}) DATE=$(date +%s) AGE=$(($DATE - $OLDPCAP)) From 8b503e2ffa722977841947590195b1aae1a90663 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 15:58:11 -0500 Subject: [PATCH 13/89] telegraf dont run stenoloss script if suricata is pcap engine --- salt/telegraf/map.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/telegraf/map.jinja b/salt/telegraf/map.jinja index e6d3460d6..b56c8a64d 100644 
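Review bot: When `find` returns nothing — an empty or freshly created PCAP directory — `OLDPCAP` is empty and the `AGE=$(($DATE - $OLDPCAP))` line two lines below fails with a shell arithmetic error; guard it with `[[ -z "$OLDPCAP" ]] && exit 0` (or report 0) before the subtraction. Note also that `sort` orders the `'%n %Z'` output by path, not by the timestamp, so `head -n 1` returns the alphabetically first file rather than the oldest; for the per-thread `%n/so-pcap.%t` layout this is unlikely to be the oldest capture, and `sort -k2,2n` on the stat output would select by age. The enclosing `if` block continues outside the hunk.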
--- a/salt/telegraf/map.jinja +++ b/salt/telegraf/map.jinja @@ -14,4 +14,11 @@ {% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %} {% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %} {% endif %} + +{% from 'pcap/config.map.jinja' import PCAPMERGED %} +{# PCAPMERGED.enabled is set false in soc ui or if suricata is the pcap engine #} +{% if not PCAPMERGED.enabled %} +{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('stenoloss.sh') %} +{% endif %} + {% endif %} From 8a25748e3309fea6b8f5f01537e4c8f9bdafc65f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 16:06:24 -0500 Subject: [PATCH 14/89] grammar --- salt/global/soc_global.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index fc1c09b1c..d707fb1cc 100644 --- a/salt/global/soc_global.yaml +++ b/salt/global/soc_global.yaml @@ -10,12 +10,12 @@ global: regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regexFailureMessage: You must enter a valid IP address or CIDR. mdengine: - description: What engine to use for meta data generation. Options are ZEEK and SURICATA. + description: Which engine to use for meta data generation. Options are ZEEK and SURICATA. regex: ^(ZEEK|SURICATA)$ regexFailureMessage: You must enter either ZEEK or SURICATA. global: True pcapengine: - description: What engine to use for generating pcap. Options are STENO and SURICATA. + description: Which engine to use for generating pcap. Options are STENO and SURICATA. regex: ^(STENO|SURICATA)$ regexFailureMessage: You must enter either STENO or SURICATA. global: True From 4be1214bab11f57286f042ce7dbebd76bcbb8259 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 16:53:57 -0500 Subject: [PATCH 15/89] pcap engine logic for sensoroni --- salt/sensoroni/files/sensoroni.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
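Review bot: `.remove('stenoloss.sh')` raises a `ValueError` if the script is not in the role's list, which aborts rendering of the telegraf map for every state that imports it; this branch is reached whenever `PCAPMERGED.enabled` is false, including on roles whose script list may never have contained `stenoloss.sh`. Wrap it as `{% if 'stenoloss.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}` before the `do`. The `{% from 'pcap/config.map.jinja' import PCAPMERGED %}` is placed mid-file inside an `{% if %}` block whose opening is outside the hunk; moving it to the top of the file with the other imports would match the file's apparent style.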
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index f813dad2f..97c91f0b3 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -1,6 +1,7 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'sensoroni/map.jinja' import SENSORONIMERGED %} {%- from 'pcap/config.map.jinja' import PCAPMERGED %} +{%- from 'suricata/map.jinja' import SURICATAMERGED %} { "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"info", @@ -23,22 +24,22 @@ "importer": {}, "statickeyauth": { "apiKey": "{{ GLOBALS.sensoroni_key }}" +{#- if PCAPMERGED.enabled is true then we know that steno is the pcap engine #} +{#- if it is false, then user has steno disabled in ui or has selected suricata for pcap engine #} {%- if PCAPMERGED.enabled %} -{%- if GLOBALS.pcap_engine == "STENO" %} }, "stenoquery": { "executablePath": "/opt/sensoroni/scripts/stenoquery.sh", "pcapInputPath": "/nsm/pcap", "pcapOutputPath": "/nsm/pcapout" } -{%- elif GLOBALS.pcap_engine == "SURICATA" %} +{%- elif GLOBALS.pcap_engine == "SURICATA" and SURICATAMERGED.enabled %} }, "suriquery": { "executablePath": "/opt/sensoroni/scripts/suriquery.sh", "pcapInputPath": "/nsm/suripcap", "pcapOutputPath": "/nsm/pcapout" } -{%- endif %} {%- else %} } {%- endif %} From 00289c201ee39e5bba2836f30106dbe7957acf61 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Jan 2024 08:58:57 -0500 Subject: [PATCH 16/89] fix pcap paths --- salt/sensoroni/enabled.sls | 3 +++ salt/suricata/defaults.yaml | 2 +- salt/suricata/enabled.sls | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index 2111e8f1b..07b4df10a 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
@@ -23,6 +23,9 @@ so-sensoroni: - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw + {% if GLOBALS.pcap_engine == "SURICATA" %} + - /nsm/suripcap/:/nsm/suripcap:rw + {% endif %} {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %} - {{ BIND }} diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 4961ae50a..eb2c181e3 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -137,7 +137,7 @@ suricata: max-files: 10 use-stream-depth: "no" conditional: "all" - dir: "/nsm/pcap" + dir: "/nsm/suripcap" alert-debug: enabled: "no" alert-prelude: diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index 8b2776b39..fa1ebafef 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls @@ -36,7 +36,7 @@ so-suricata: - /nsm/suricata/extracted:/var/log/suricata//filestore:rw - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro {% if GLOBALS.pcap_engine == "SURICATA" %} - - /nsm/suripcap/:/nsm/pcap:rw + - /nsm/suripcap/:/nsm/suripcap:rw {% endif %} {% if DOCKER.containers['so-suricata'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %} From 0d01d09d2e8805287cfd061038b1df64ff1348c5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Jan 2024 09:15:35 -0500 Subject: [PATCH 17/89] fix pcap paths --- salt/sensoroni/enabled.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index 07b4df10a..6dc3df2bd 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
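Review bot: The new `/nsm/suripcap/:/nsm/suripcap:rw` mount gives the sensoroni container write access to the Suricata PCAP store, while the `suriquery` entry added to sensoroni.json earlier in this series uses that path only as `pcapInputPath` and writes its results to `/nsm/pcapout`. If nothing in the container writes under `/nsm/suripcap`, mount it `:ro`, i.e. `- /nsm/suripcap/:/nsm/suripcap:ro`, so a faulty or compromised analyzer cannot alter or delete captured evidence; the so-suricata mount in the same commit legitimately stays `:rw` because Suricata writes there.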
@@ -25,6 +25,7 @@ so-sensoroni: - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw {% if GLOBALS.pcap_engine == "SURICATA" %} - /nsm/suripcap/:/nsm/suripcap:rw + - /nsm/suripcaptmp:/nsm/suripcaptmp:rw {% endif %} {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %} From 9ca0f586ae63a90fef9c78b8b1fc24b020545ae3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 21 Feb 2024 11:45:02 -0500 Subject: [PATCH 18/89] Manage the repos --- salt/manager/files/mirror.txt | 0 salt/manager/files/repodownload.conf | 13 +++++++++++++ salt/manager/init.sls | 14 ++++++++++++++ setup/so-functions | 4 ++-- 4 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 salt/manager/files/mirror.txt create mode 100644 salt/manager/files/repodownload.conf diff --git a/salt/manager/files/mirror.txt b/salt/manager/files/mirror.txt new file mode 100644 index 000000000..e69de29bb diff --git a/salt/manager/files/repodownload.conf b/salt/manager/files/repodownload.conf new file mode 100644 index 000000000..3c156a9db --- /dev/null +++ b/salt/manager/files/repodownload.conf @@ -0,0 +1,13 @@ +[main] +gpgcheck=1 +installonly_limit=3 +clean_requirements_on_remove=True +best=True +skip_if_unavailable=False +cachedir=/opt/so/conf/reposync/cache +keepcache=0 +[securityonionsync] +name=Security Onion Repo repo +mirrorlist=file:///opt/so/conf/reposync/mirror.txt +enabled=1 +gpgcheck=1 \ No newline at end of file diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 23ef189b5..e51a448d5 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
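Review bot: `/nsm/suripcaptmp` is bind-mounted but nothing visible in this series creates it; `suricata/pcap.sls` only creates `/nsm/suripcap` and its per-thread directories. If the host path does not exist, Docker creates it as a root-owned directory, so the container's process user may be unable to write to it. Adding a `file.directory` state for `/nsm/suripcaptmp` with the same `user`/`group`/`mode` as `suripcapdir`, or confirming it is created elsewhere, would make the mount reliable.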
@@ -75,6 +75,20 @@ yara_update_scripts: - defaults: EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} +so-repo-file: + file.managed: + - name: /opt/so/conf/reposync/repodownload.conf + - source: salt://manager/files/repodownload.conf + - user: socore + - group: socore + +so-repo-mirrorlist: + file.managed: + - name: /opt/so/conf/reposync/mirror.txt + - source: salt://manager/files/mirror.txt + - user: socore + - group: socore + so-repo-sync: {% if MANAGERMERGED.reposync.enabled %} cron.present: diff --git a/setup/so-functions b/setup/so-functions index f0462e4d6..ef1df4a71 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1811,8 +1811,8 @@ repo_sync_local() { info "Adding Repo Download Configuration" mkdir -p /nsm/repo mkdir -p /opt/so/conf/reposync/cache - echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt - echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/2.4/oracle/9" >> /opt/so/conf/reposync/mirror.txt + echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9.3" > /opt/so/conf/reposync/mirror.txt + echo "https://repo-alt.securityonion.net/prod/2.4/oracle/9.3" >> /opt/so/conf/reposync/mirror.txt echo "[main]" > /opt/so/conf/reposync/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf From 25570e6ec2e9935c4a4481fd5f0ad32b9b7068de Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 21 Feb 2024 13:18:39 -0500 Subject: [PATCH 19/89] add missing template --- .github/DISCUSSION_TEMPLATE/2-4.yml | 190 ++++++++++++++++++++++++++++ 1 file changed, 190 insertions(+) create mode 100644 .github/DISCUSSION_TEMPLATE/2-4.yml diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml new file mode 100644 index 000000000..8e2592071 --- /dev/null +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml 
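Review bot: `so-repo-mirrorlist` manages `/opt/so/conf/reposync/mirror.txt` from `salt://manager/files/mirror.txt`, but that source is added in this commit as an empty file (blob `e69de29bb`), while `repo_sync_local` in `setup/so-functions` writes the two mirror URLs to the same path at install time; on the next highstate the state replaces the populated file with an empty one and `reposync` has no mirrors, unless the source is filled in by a later commit. Either drop `- source:` and set `- replace: False` so the installer-written content is preserved, or template the URLs into the salt source and remove the `echo` lines from so-functions so there is one owner for the file. Both new `file.managed` states set `user`/`group` but no `mode:`; an explicit `- mode: 644` documents the intent.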
@@ -0,0 +1,190 @@ +body: + - type: markdown + attributes: + value: | + ⚠️ This category is solely for conversations related to Security Onion 2.4 ⚠️ + + If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support + - type: dropdown + attributes: + label: Version + description: Which version of Security Onion 2.4.x are you asking about? + options: + - + - 2.4 Pre-release (Beta, Release Candidate) + - 2.4.10 + - 2.4.20 + - 2.4.30 + - 2.4.40 + - 2.4.50 + - 2.4.60 + - 2.4.70 + - 2.4.80 + - 2.4.90 + - 2.4.100 + - Other (please provide detail below) + validations: + required: true + - type: dropdown + attributes: + label: Installation Method + description: How did you install Security Onion? + options: + - + - Security Onion ISO image + - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc. + - Network installation on Ubuntu + - Network installation on Debian + - Other (please provide detail below) + validations: + required: true + - type: dropdown + attributes: + label: Description + description: > + Is this discussion about installation, configuration, upgrading, or other? + options: + - + - installation + - configuration + - upgrading + - other (please provide detail below) + validations: + required: true + - type: dropdown + attributes: + label: Installation Type + description: > + When you installed, did you choose Import, Eval, Standalone, Distributed, or something else? + options: + - + - Import + - Eval + - Standalone + - Distributed + - other (please provide detail below) + validations: + required: true + - type: dropdown + attributes: + label: Location + description: > + Is this deployment in the cloud, on-prem with Internet access, or airgap? 
+ options: + - + - cloud + - on-prem with Internet access + - airgap + - other (please provide detail below) + validations: + required: true + - type: dropdown + attributes: + label: Hardware Specs + description: > + Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://docs.securityonion.net/en/2.4/hardware.html? + options: + - + - Meets minimum requirements + - Exceeds minimum requirements + - Does not meet minimum requirements + - other (please provide detail below) + validations: + required: true + - type: input + attributes: + label: CPU + description: How many CPU cores do you have? + validations: + required: true + - type: input + attributes: + label: RAM + description: How much RAM do you have? + validations: + required: true + - type: input + attributes: + label: Storage for / + description: How much storage do you have for the / partition? + validations: + required: true + - type: input + attributes: + label: Storage for /nsm + description: How much storage do you have for the /nsm partition? + validations: + required: true + - type: dropdown + attributes: + label: Network Traffic Collection + description: > + Are you collecting network traffic from a tap or span port? + options: + - + - tap + - span port + - other (please provide detail below) + validations: + required: true + - type: dropdown + attributes: + label: Network Traffic Speeds + description: > + How much network traffic are you monitoring? + options: + - + - Less than 1Gbps + - 1Gbps to 10Gbps + - more than 10Gbps + validations: + required: true + - type: dropdown + attributes: + label: Status + description: > + Does SOC Grid show all services on all nodes as running OK? 
+ options: + - + - Yes, all services on all nodes are running OK + - No, one or more services are failed (please provide detail below) + validations: + required: true + - type: dropdown + attributes: + label: Salt Status + description: > + Do you get any failures when you run "sudo salt-call state.highstate"? + options: + - + - Yes, there are salt failures (please provide detail below) + - No, there are no failures + validations: + required: true + - type: dropdown + attributes: + label: Logs + description: > + Are there any additional clues in /opt/so/log/? + options: + - + - Yes, there are additional clues in /opt/so/log/ (please provide detail below) + - No, there are no additional clues + validations: + required: true + - type: textarea + attributes: + label: Detail + description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you. + placeholder: |- + STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety! + + If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support + validations: + required: true + - type: checkboxes + attributes: + label: Guidelines + options: + - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines. + required: true From 162785575cbae9d9454a1d58830ab740129f1c57 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Feb 2024 15:28:24 -0500 Subject: [PATCH 20/89] nest under policy --- salt/elasticsearch/soc_elasticsearch.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 9a64190b3..e68d0441b 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -95,6 +95,7 @@ elasticsearch:
description: The order to sort by. Must set index_sorting to True.
global: True
helpLink: elasticsearch.html
+ policy:
phases:
hot:
max_age:
From 0a9022ba6a1f6ce82efa28d632b2f4f4bb1cd7b6 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 21 Feb 2024 17:07:08 -0500
Subject: [PATCH 21/89] Add hash mappings
---
salt/soc/files/soc/sigma_so_pipeline.yaml | 32 ++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index a1c4d6d62..54ce83eff 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -15,4 +15,34 @@ transformations:
src_ip: destination.ip.keyword
src_port: source.port
dst_ip: destination.ip.keyword
- dst_port: destination.port
\ No newline at end of file
+ dst_port: destination.port
+ - id: hashes_process-creation
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: process.hash.sha256
+ winlog.event_data.sha1: process.hash.sha1
+ winlog.event_data.md5: process.hash.md5
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: process_creation
+ - id: hashes_image-load
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: dll.hash.sha256
+ winlog.event_data.sha1: dll.hash.sha1
+ winlog.event_data.md5: dll.hash.md5
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: image_load
+ - id: hashes_driver-load
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: dll.hash.sha256
+ winlog.event_data.sha1: dll.hash.sha1
+ winlog.event_data.md5: dll.hash.md5
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: driver_load
\ No newline at end of file
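Review bot: `hashes_image-load` and `hashes_driver-load` both send the `winlog.event_data.*` hashes to `dll.hash.*`, which is the Elastic Defend (`endpoint.events.library`) naming; Sysmon event 7 and 6 records ingested through the Elastic Sysmon integration are, as far as I recall, written under `file.hash.*` and `file.path`, so Sigma `image_load`/`driver_load` rules translated with this pipeline would never match Sysmon-sourced data. Confirm against a live index which field set each source populates; if both exist, a second pair of mappings or a source-specific rule condition is needed rather than one `dll.*` target. The mapping keys `winlog.event_data.sha256`/`sha1`/`md5` also presuppose an earlier transformation that splits Sysmon's combined `Hashes` string, which is not visible in this file as shown; a comment above `hashes_process-creation` naming that dependency, e.g. `# expects Hashes to have been split into winlog.event_data.{sha256,sha1,md5} upstream`, would save the next reader the search.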
From c886e7279363a8f0c614dc8a753166f5d418d5dc Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 22 Feb 2024 08:59:33 -0500 Subject: [PATCH 22/89] Imphash mappings --- salt/soc/files/soc/sigma_so_pipeline.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 54ce83eff..8121a6f13 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml @@ -15,13 +15,15 @@ transformations: src_ip: destination.ip.keyword src_port: source.port dst_ip: destination.ip.keyword - dst_port: destination.port + dst_port: destination.port + winlog.event_data.User: user.name - id: hashes_process-creation type: field_name_mapping mapping: winlog.event_data.sha256: process.hash.sha256 winlog.event_data.sha1: process.hash.sha1 winlog.event_data.md5: process.hash.md5 + winlog.event_data.Imphash: process.pe.imphash rule_conditions: - type: logsource product: windows @@ -32,6 +34,7 @@ transformations: winlog.event_data.sha256: dll.hash.sha256 winlog.event_data.sha1: dll.hash.sha1 winlog.event_data.md5: dll.hash.md5 + winlog.event_data.Imphash: dll.pe.imphash rule_conditions: - type: logsource product: windows @@ -42,6 +45,7 @@ transformations: winlog.event_data.sha256: dll.hash.sha256 winlog.event_data.sha1: dll.hash.sha1 winlog.event_data.md5: dll.hash.md5 + winlog.event_data.Imphash: dll.pe.imphash rule_conditions: - type: logsource product: windows From 759b2ff59e5ffa201464a32a0ac776925a8044bb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Feb 2024 10:03:51 -0500 Subject: [PATCH 23/89] Manage the repos --- salt/manager/files/mirror.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/manager/files/mirror.txt b/salt/manager/files/mirror.txt index e69de29bb..732c116b4 100644 --- a/salt/manager/files/mirror.txt +++ b/salt/manager/files/mirror.txt 
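Review bot: The new global mapping `winlog.event_data.User: user.name` assumes the indexed value is a bare user name, but Sysmon's `User` field carries `DOMAIN\user`; if the ingest side splits it into `user.domain` and `user.name` (to my knowledge the Elastic Sysmon integration does), Sigma rules written as `User: 'NT AUTHORITY\SYSTEM'` or `User|endswith: '\SYSTEM'` will silently stop matching after translation. Either map to a field that keeps the combined value or add a transformation that rewrites domain-qualified patterns, and at minimum record the assumption above the line, e.g. `# User -> user.name: rules matching DOMAIN\user also need user.domain`. Unlike the hash mappings that follow, this entry sits in the unconditioned block, so it applies to every rule regardless of logsource.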
@@ -0,0 +1,2 @@ +https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9 +https://repo-alt.securityonion.net/prod/2.4/oracle/9 \ No newline at end of file From e7914fc5a16bc47d243835244985088e717d9a80 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Feb 2024 12:49:06 -0500 Subject: [PATCH 24/89] Update stenoloss.sh --- salt/telegraf/scripts/stenoloss.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/telegraf/scripts/stenoloss.sh b/salt/telegraf/scripts/stenoloss.sh index 5c27ee7a5..5219dcfd0 100644 --- a/salt/telegraf/scripts/stenoloss.sh +++ b/salt/telegraf/scripts/stenoloss.sh @@ -10,8 +10,8 @@ # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then - CHECKIT=$(grep "Thread 0" /var/log/stenographer/stenographer.log |tac |head -2|wc -l) - STENOGREP=$(grep "Thread 0" /var/log/stenographer/stenographer.log |tac |head -2) + CHECKIT=$(grep "Thread 0 stats" /var/log/stenographer/stenographer.log |tac |head -2|wc -l) + STENOGREP=$(grep "Thread 0 stats" /var/log/stenographer/stenographer.log |tac |head -2) declare RESULT=($STENOGREP) From d04aa06455e7e96b5cbdac6c09953e01bd718c81 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 22 Feb 2024 14:01:02 -0500 Subject: [PATCH 25/89] Fix source.ip --- salt/soc/files/soc/sigma_so_pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 8121a6f13..533823e6f 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml @@ -12,7 +12,7 @@ transformations: sid: rule.uuid answer: answers query: dns.query.name - src_ip: destination.ip.keyword + src_ip: source.ip.keyword src_port: source.port dst_ip: destination.ip.keyword dst_port: destination.port From b8baca417bc6a50a5149b1f538dba6e9eb26ffb4 Mon Sep 17 00:00:00 2001 
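Review bot: The Salt-managed `mirror.txt` lists `.../prod/2.4/oracle/9` on both lines, while the setup-time `repo_sync_local` (so-functions, earlier in this series) writes `.../prod/2.4/oracle/9.3` to the same path; because `so-repo-mirrorlist` overwrites the file on every highstate, the effective mirror set flips between the two depending on which ran last. Pick one path and derive both from it, or drop the setup-time write altogether now that Salt owns the file. Both entries are HTTPS, which is what you want for a repo origin; add a trailing newline so the last URL is not glued to whatever a future edit appends.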
From: Doug Burks Date: Fri, 23 Feb 2024 14:03:04 -0500 Subject: [PATCH 26/89] add endpoint_x_events_x_process to defaults.yaml --- salt/soc/defaults.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 2c15fe996..d672d1dad 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -995,6 +995,14 @@ soc: - tds.header_type - log.id.uid - event.dataset + ':endpoint:endpoint_x_events_x_process': + - soc_timestamp + - event.dataset + - host.name + - user.name + - process.parent.name + - process.name + - process.working_directory server: bindAddress: 0.0.0.0:9822 baseUrl: / From 573d565976b267b304ce6c03b5ca8a9041b4ad70 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 23 Feb 2024 15:03:44 -0500 Subject: [PATCH 27/89] convert _x_ to . for soc ui to config --- salt/soc/merged.map.jinja | 2 ++ salt/soc/soc_soc.yaml | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 33c0070ad..55d8d2600 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -66,6 +66,8 @@ {% do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %} {% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %} +{# replace the _x_ with . for soc ui to config conversion #} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.process': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_process') }) %} {% set standard_eventFields = SOCMERGED.config.pop('eventFields') %} {% do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %} {% do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %} diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fdfb09733..13e50a0cb 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -55,10 +55,11 @@ soc: global: True forcedType: "[]{}" eventFields: - default: - description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. + default: &eventFields + description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. global: True advanced: True + ':endpoint:endpoint_x_events_x_process': *eventFields server: srvKey: description: Unique key for protecting the integrity of user submitted data via the web browser. From 7da0ccf5a628d71e75eef7fda547004ca693fec4 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 15:35:53 -0500 Subject: [PATCH 28/89] add more endpoint.events.x entries to merged.map.jinja --- salt/soc/merged.map.jinja | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 55d8d2600..c0ea836e5 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja 
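Review bot: The `*eventFields` alias gives `:endpoint:endpoint_x_events_x_process` the same help text as `default`, and that text ends with "The 'default' entry is used for all events that do not match…", which is misleading when it appears on the endpoint-specific entry. Give the new key its own description, e.g. `description: Columns shown in Hunt and Dashboards for events whose event.dataset is endpoint.events.process (the _x_ in this key stands for a dot).`, or, if the loader honours merge keys, use `<<: *eventFields` with an overriding `description`. The `_x_`-to-dot rewrite itself lives in merged.map.jinja, outside this hunk, so a one-line pointer to it here would also help.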
@@ -67,7 +67,13 @@ {% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %} {# replace the _x_ with . for soc ui to config conversion #} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.api': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_api') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.file': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_file') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.library': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_library') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.network': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_network') }) %} {% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.process': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_process') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.registry': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_registry') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.security': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_security') }) %} {% set standard_eventFields = SOCMERGED.config.pop('eventFields') %} {% do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %} {% do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %} From b7ef1e8af121862174fd72b0a75125fbf1341ec1 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 15:38:53 -0500 Subject: [PATCH 29/89] add more endpoint.events.x fields to soc_soc.yaml --- salt/soc/soc_soc.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 13e50a0cb..f59d6117b 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -59,7 +59,13 @@ soc: description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. global: True advanced: True + ':endpoint:endpoint_x_events_x_api': *eventFields + ':endpoint:endpoint_x_events_x_file': *eventFields + ':endpoint:endpoint_x_events_x_library': *eventFields + ':endpoint:endpoint_x_events_x_network': *eventFields ':endpoint:endpoint_x_events_x_process': *eventFields + ':endpoint:endpoint_x_events_x_registry': *eventFields + ':endpoint:endpoint_x_events_x_security': *eventFields server: srvKey: description: Unique key for protecting the integrity of user submitted data via the web browser. From 58f4fb87d08813ab41eea5b24e6b2a4a2326d5ff Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 17:06:29 -0500 Subject: [PATCH 30/89] fix new eventFields in soc_soc.yaml --- salt/soc/soc_soc.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index f59d6117b..a9d36c70c 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -59,13 +59,13 @@ soc: description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. global: True advanced: True - ':endpoint:endpoint_x_events_x_api': *eventFields - ':endpoint:endpoint_x_events_x_file': *eventFields - ':endpoint:endpoint_x_events_x_library': *eventFields - ':endpoint:endpoint_x_events_x_network': *eventFields - ':endpoint:endpoint_x_events_x_process': *eventFields - ':endpoint:endpoint_x_events_x_registry': *eventFields - ':endpoint:endpoint_x_events_x_security': *eventFields + ':endpoint:events_x_api': *eventFields + ':endpoint:events_x_file': *eventFields + ':endpoint:events_x_library': *eventFields + ':endpoint:events_x_network': *eventFields + ':endpoint:events_x_process': *eventFields + ':endpoint:events_x_registry': *eventFields + ':endpoint:events_x_security': *eventFields server: srvKey: description: Unique key for protecting the integrity of user submitted data via the web browser. From daf96d79342959155d2fccb7313c8e5a9b393f60 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 17:07:48 -0500 Subject: [PATCH 31/89] fix new eventFields in merged.map.jinja --- salt/soc/merged.map.jinja | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index c0ea836e5..65091158e 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja 
@@ -67,13 +67,13 @@ {% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %} {# replace the _x_ with . for soc ui to config conversion #} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.api': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_api') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.file': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_file') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.library': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_library') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.network': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_network') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.process': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_process') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.registry': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_registry') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.security': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_security') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.api': SOCMERGED.config.eventFields.pop(':endpoint:events_x_api') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.file': SOCMERGED.config.eventFields.pop(':endpoint:events_x_file') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.library': SOCMERGED.config.eventFields.pop(':endpoint:events_x_library') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.network': SOCMERGED.config.eventFields.pop(':endpoint:events_x_network') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.process': SOCMERGED.config.eventFields.pop(':endpoint:events_x_process') }) %} +{% do 
SOCMERGED.config.eventFields.update({':endpoint:events.registry': SOCMERGED.config.eventFields.pop(':endpoint:events_x_registry') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.security': SOCMERGED.config.eventFields.pop(':endpoint:events_x_security') }) %} {% set standard_eventFields = SOCMERGED.config.pop('eventFields') %} {% do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %} {% do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %} From d6cb8ab92823b95d0d35cee157549b52a91d2c97 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 17:09:40 -0500 Subject: [PATCH 32/89] update events_x_process in defaults.yaml --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index d672d1dad..7204027fc 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -995,7 +995,7 @@ soc: - tds.header_type - log.id.uid - event.dataset - ':endpoint:endpoint_x_events_x_process': + ':endpoint:events_x_process': - soc_timestamp - event.dataset - host.name From a6bb7216f9aaead1b51887cee531e8b74e6272c2 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 26 Feb 2024 08:18:42 -0500 Subject: [PATCH 33/89] Add Detection AutoUpdate config --- salt/soc/defaults.yaml | 2 ++ salt/soc/soc_soc.yaml | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 2c15fe996..5267955b9 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1009,6 +1009,7 @@ soc: kratos: hostUrl: elastalertengine: + autoUpdateEnabled: false communityRulesImportFrequencySeconds: 180 elastAlertRulesFolder: /opt/sensoroni/elastalert rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint 
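Review bot: Each `SOCMERGED.config.eventFields.pop(...)` here has no default, so template rendering raises KeyError as soon as one of the seven `:endpoint:events_x_*` keys is absent from the merged config; at this point in the series defaults.yaml carries only the process entry, so a highstate with this file fails unless the pillar supplies the other six. Guard each rename on key presence and drive it from a list so the seven near-identical lines collapse into one loop; the fence below sketches it. The enclosing template continues on both sides of the hunk.

```jinja
{# replace the _x_ with . for soc ui to config conversion; skip keys the merged config does not carry #}
{% for ds in ['api', 'file', 'library', 'network', 'process', 'registry', 'security'] %}
{% set ui_key = ':endpoint:events_x_' ~ ds %}
{% if ui_key in SOCMERGED.config.eventFields %}
{% do SOCMERGED.config.eventFields.update({(':endpoint:events.' ~ ds): SOCMERGED.config.eventFields.pop(ui_key)}) %}
{% endif %}
{% endfor %}
{# … unchanged: standard_eventFields pop and hunt/dashboards update … #}
```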
@@ -1057,6 +1058,7 @@ soc: userFiles: - rbac/users_roles strelkaengine: + autoUpdateEnabled: false compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py reposFolder: /opt/sensoroni/yara/repos rulesRepos: diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fdfb09733..74ae1051b 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -75,6 +75,10 @@ soc: description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' global: True advanced: False + autoUpdateEnabled: + description: 'Set to true to enable automatic updates of the Sigma Community Ruleset.' + global: True + advanced: True elastic: index: description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. @@ -133,6 +137,11 @@ soc: description: Duration (in milliseconds) to wait for a response from the Salt API when executing common grid management tasks before giving up and showing an error on the SOC UI. global: True advanced: True + strelkaengine: + autoUpdateEnabled: + description: 'Set to true to enable automatic updates of the Yara ruleset.' + global: True + advanced: True client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. From ca249312baddc9c3d6b7321f104ccc58da447acb Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 26 Feb 2024 09:38:14 -0500 Subject: [PATCH 34/89] FEATURE: Add new SOC action for Process Info #12421 --- salt/soc/defaults.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 7204027fc..20f9c284f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
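Review bot: The two `autoUpdateEnabled` descriptions say only that updates become automatic; they do not say where the rules come from or that they are applied without operator review, which is exactly what someone deciding to flip this needs to know. Suggest for the Strelka entry `description: 'Set to true to automatically fetch and apply updates to the Yara ruleset from the configured rulesRepos without operator review. Leave false on airgap deployments or where ruleset changes require approval.'` and the equivalent wording for the Sigma entry, naming the community ruleset as the source. Whether the update is tied to the existing `communityRulesImportFrequencySeconds` cycle is not visible in these hunks, so I have not asserted it in the proposed text.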
@@ -65,12 +65,18 @@ soc: target: _blank links: - 'https://{:sublime.url}/messages/{:sublime.message_group_id}' + - name: actionProcessInfo + description: actionProcessInfoHelp + icon: fa-person-running + target: '' + links: + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' - name: actionProcessAncestors description: actionProcessAncestorsHelp icon: fa-people-roof target: '' links: - - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby event.module event.dataset | table soc_timestamp event.dataset host.name user.name process.parent.name process.name process.working_directory' + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' eventFields: default: - soc_timestamp From 4df21148fc4b7117b6a69b2914d961855d3f12e7 Mon Sep 17 00:00:00 2001 
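Review bot: `name: actionProcessInfo` and `description: actionProcessInfoHelp` look like i18n keys resolved by the SOC web UI rather than literal text (the sibling `actionProcessAncestorsHelp` follows the same pattern), so this entry renders correctly only once the matching strings exist in the UI build it ships with; a comment such as `# name/description are i18n keys defined in the SOC UI` above the actions list would make that cross-repo dependency explicit. The long `| groupby …` tail is now duplicated verbatim between the two links, so any future change to one has to be mirrored in the other; a short comment above `actionProcessInfo` saying the two queries are meant to stay in lockstep would help. Whether `{:process.entity_id}` is escaped before being placed inside the double-quoted query term is not visible here and is worth confirming once.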
From: Doug Burks Date: Mon, 26 Feb 2024 09:40:51 -0500 Subject: [PATCH 35/89] FEATURE: Add default columns for endpoint.events datasets #12425 --- salt/soc/defaults.yaml | 57 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 20f9c284f..b5fe0e626 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1001,14 +1001,69 @@ soc: - tds.header_type - log.id.uid - event.dataset + ':endpoint:events_x_api': + - soc_timestamp + - host.name + - user.name + - process.name + - process.Ext.api.name + - process.thread.Ext.call_stack_final_user_module.path + - event.dataset + ':endpoint:events_x_file': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - file.path + - event.dataset + ':endpoint:events_x_library': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - dll.path + - dll.code_signature.status + - dll.code_signature.subject_name + - event.dataset + ':endpoint:events_x_network': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - source.ip + - source.port + - destination.ip + - destination.port + - network.community_id + - event.dataset ':endpoint:events_x_process': - soc_timestamp - - event.dataset - host.name - user.name - process.parent.name - process.name + - event.action - process.working_directory + - event.dataset + ':endpoint:events_x_registry': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - registry.path + - event.dataset + ':endpoint:events_x_security': + - soc_timestamp + - host.name + - user.name + - process.executable + - event.action + - event.outcome + - event.dataset server: bindAddress: 0.0.0.0:9822 baseUrl: / From c8a95a87069a996543672c50485280394e45226d Mon Sep 17 00:00:00 2001 
From: Doug Burks Date: Mon, 26 Feb 2024 09:59:07 -0500 Subject: [PATCH 36/89] FEATURE: Add new endpoint dashboards #12428 --- salt/soc/defaults.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index b5fe0e626..c1b3ebabb 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
@@ -1502,13 +1502,22 @@ soc: query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' - name: Host Process Activity description: Process activity captured on an endpoint - query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable | table soc_timestamp event.dataset host.name user.name process.parent.name process.name process.working_directory' + query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' - name: Host File Activity description: File activity captured on an endpoint query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable' - name: Host Network & Process Mappings description: Network activity mapped to originating processes query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.dataset* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby 
process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Host API Events + description: API (Application Programming Interface) events from endpoints + query: 'event.dataset:endpoint.events.api | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.name | groupby process.Ext.api.name' + - name: Host Library Events + description: Library events from endpoints + query: 'event.dataset:endpoint.events.library | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.name | groupby event.action | groupby dll.path | groupby dll.code_signature.status | groupby dll.code_signature.subject_name' + - name: Host Security Events + description: Security events from endpoints + query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.executable | groupby event.action | groupby event.outcome' - name: Strelka description: Strelka file analysis query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' From 9a7e2153eedec1fbeb61df3db918ba5b7e7baa39 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 26 Feb 2024 11:01:53 -0500 Subject: [PATCH 37/89] add classification.config --- salt/suricata/classification/classification.config | 2 ++ salt/suricata/config.sls | 7 +++++++ salt/suricata/enabled.sls | 1 + salt/suricata/soc_suricata.yaml | 7 +++++++ 4 files changed, 17 insertions(+) create mode 100644 salt/suricata/classification/classification.config diff --git a/salt/suricata/classification/classification.config b/salt/suricata/classification/classification.config new file mode 100644 index 000000000..69918fed7 --- /dev/null +++ b/salt/suricata/classification/classification.config 
@@ -0,0 +1,2 @@ +# configuration classification: shortname,description,priority +# configuration classification: misc-activity,Misc activity,3 diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index 3ec1324bf..00364f384 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls @@ -129,6 +129,13 @@ surithresholding: - group: 940 - template: jinja +suriclassifications: + file.managed: + - name: /opt/so/conf/suricata/classification.config + - source: salt://suricata/classification/classification.config + - user: 940 + - group: 940 + # BPF compilation and configuration {% if SURICATABPF %} {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %} diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index ce309e41a..f96472ae2 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls @@ -27,6 +27,7 @@ so-suricata: - binds: - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro + - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw - /nsm/suricata/:/nsm/:rw diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 30f277c0a..4fd720ef1 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -11,6 +11,13 @@ suricata: multiline: True title: SIDS helpLink: suricata.html + classification: + classification__config: + description: Classifications config file. + file: True + global: True + multiline: True + helpLink: suricata.html config: af-packet: interface: From f8424f3dad29bed27f0d02006cb3af14f5f76e39 Mon Sep 17 00:00:00 2001 
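Review bot: Both lines of the new `classification.config` are comments, so the file shipped into the container defines no classifications at all and every `classtype:` referenced by the loaded rules will be unknown to Suricata until real entries are added; if a starter file is intended, at least `misc-activity` should be an uncommented entry. The header also writes the keyword as `configuration classification:` where the directive Suricata parses is `config classification:`, which matters as soon as a line is uncommented. A one-line comment such as `# format: config classification: shortname,description,priority` would keep the template correct for whoever fills it in.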
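Review bot: The new `classification__config` entry has no `title:`, whereas the sibling entry just above it in the same hunk carries `title: SIDS`, so the SOC configuration UI presumably falls back to the raw key name for this file; add `title: Classifications` next to `helpLink: suricata.html`. The `file: True`, `global: True` and `multiline: True` flags match the sibling, so only the title is missing.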
From: Doug Burks Date: Mon, 26 Feb 2024 11:22:09 -0500 Subject: [PATCH 38/89] Update defaults.yaml --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index c1b3ebabb..d86262fe7 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1502,7 +1502,7 @@ soc: query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' - name: Host Process Activity description: Process activity captured on an endpoint - query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' + query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable | table soc_timestamp host.name user.name process.parent.name process.name event.action process.working_directory event.dataset' - name: Host File Activity description: File activity captured on an endpoint query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable' 
From 1d099f97d2577077607152ae2579e974936db53a Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 26 Feb 2024 11:27:56 -0500 Subject: [PATCH 39/89] Update pattern for endpoint diagnostic template --- salt/elasticsearch/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f4d8c8a95..8e28f2e41 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -3926,7 +3926,7 @@ elasticsearch: allow_custom_routing: false hidden: false index_patterns: - - logs-endpoint.diagnostic.collection-* + - .logs-endpoint.diagnostic.collection-* priority: 501 template: settings: From 466dac30bbf0f7b6d3d2d065ea8eed3639541ac8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 26 Feb 2024 12:15:17 -0500 Subject: [PATCH 40/89] soup for classifications --- salt/manager/tools/sbin/soup | 15 +++++++++++++++ salt/suricata/soc_suricata.yaml | 1 + 2 files changed, 16 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 90ec636ef..752ae6e21 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -356,6 +356,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.20 ]] && up_to_2.4.30 [[ "$INSTALLEDVERSION" == 2.4.30 ]] && up_to_2.4.40 [[ "$INSTALLEDVERSION" == 2.4.40 ]] && up_to_2.4.50 + [[ "$INSTALLEDVERSION" == 2.4.50 ]] && up_to_2.4.60 true } @@ -371,6 +372,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30 [[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40 [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50 + [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60 true } @@ -427,6 +429,11 @@ post_to_2.4.50() { POSTVERSION=2.4.50 } +post_to_2.4.60() { + echo "Nothing to apply" + POSTVERSION=2.4.60 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." 
@@ -556,6 +563,14 @@ up_to_2.4.50() { INSTALLEDVERSION=2.4.50 } +up_to_2.4.60() { + echo "Creating directory to store Suricata classification.config" + mkdir -vp /opt/so/saltstack/local/salt/suricata/classification + chown socore:socore /opt/so/saltstack/local/salt/suricata/classification + + INSTALLEDVERSION=2.4.60 +} + determine_elastic_agent_upgrade() { if [[ $is_airgap -eq 0 ]]; then update_elastic_agent_airgap diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 4fd720ef1..b54a44cbc 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -17,6 +17,7 @@ suricata: file: True global: True multiline: True + title: Classifications helpLink: suricata.html config: af-packet: From 8b7f7933bdfa4e67aa7e3a84dd1c3d03340935c7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 26 Feb 2024 15:29:13 -0500 Subject: [PATCH 41/89] suricata container watch classification.config --- salt/suricata/classification/classification.config | 4 ++-- salt/suricata/enabled.sls | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/suricata/classification/classification.config b/salt/suricata/classification/classification.config index 69918fed7..e597eb5a1 100644 --- a/salt/suricata/classification/classification.config +++ b/salt/suricata/classification/classification.config @@ -1,2 +1,2 @@ -# configuration classification: shortname,description,priority -# configuration classification: misc-activity,Misc activity,3 +# config classification: shortname,description,priority +# config classification: misc-activity,Misc activity,3 diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index f96472ae2..94b95ff5d 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
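Review bot: `up_to_2.4.60` runs `mkdir -vp` and `chown socore:socore` on the classification directory without checking either result, while the rest of soup reports failures through `fail` (compare `repo_sync` in the previous hunk, `… || fail "Unable to complete so-repo-sync."`). If the directory cannot be created or re-owned, `INSTALLEDVERSION` is still advanced to 2.4.60 and the problem surfaces later with no hint from soup. Suggest `mkdir -vp /opt/so/saltstack/local/salt/suricata/classification || fail "Unable to create Suricata classification directory."` and the same `|| fail` on the `chown` line.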
@@ -50,10 +50,12 @@ so-suricata: - file: surithresholding - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf + - file: suriclassifications - require: - file: suriconfig - file: surithresholding - file: suribpf + - file: suriclassifications delete_so-suricata_so-status.disabled: file.uncomment: From c6baa4be1baad88a7301e7c08d8c960d865afca0 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 26 Feb 2024 16:19:32 -0500 Subject: [PATCH 42/89] Airgap Support - Detections module --- salt/manager/tools/sbin/soup | 10 ++++++---- salt/soc/enabled.sls | 2 +- salt/soc/merged.map.jinja | 6 ++++++ setup/so-setup | 6 ++---- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 90ec636ef..655e99f6c 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -603,6 +603,10 @@ update_airgap_rules() { if [ -d /nsm/repo/rules/sigma ]; then rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/ fi + + # SOC Detections Airgap + rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/ + rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/ } update_airgap_repo() { @@ -931,10 +935,8 @@ main() { preupgrade_changes echo "" - if [[ $is_airgap -eq 0 ]]; then - echo "Updating Rule Files to the Latest." - update_airgap_rules - fi + echo "Updating Airgap Rule Files to the Latest." + update_airgap_rules # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars if [[ ! "$MINIONID" =~ "_import" ]]; then diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 7c04da825..93ca07ac8 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls 
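Review bot: The two new `rsync` calls in `update_airgap_rules` copy from `$UPDATE_DIR/agrules/detect-sigma/*` and `detect-yara/*` unconditionally, whereas the sigma block just above them is guarded by `if [ -d /nsm/repo/rules/sigma ]`; if a destination under `/nsm/rules/` does not exist yet on an upgraded system, rsync creates it as the invoking user rather than with whatever ownership the rest of `/nsm/rules` uses, and a missing source glob becomes a hard rsync error. The second hunk in this file also makes the call in `main()` unconditional, so the rsync now runs on non-airgap managers where `$UPDATE_DIR/agrules` presumably does not exist, and the same unguarded `airgap_rules` call is introduced in `setup/so-setup` by this commit. Suggest keeping the `is_airgap` guard in both scripts, or giving each new rsync its own `[ -d … ]` check like the sigma block, and quoting `"$UPDATE_DIR"` in the new lines.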
@@ -22,7 +22,7 @@ so-soc: - sobridge: - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - - /nsm/rules:/nsm/rules:rw #Need to tighten this up? + - /nsm/rules:/nsm/rules:rw - /opt/so/conf/strelka:/opt/sensoroni/yara:rw - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 65091158e..bc7c5cada 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -34,6 +34,12 @@ {% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %} {% endif %} +{# if system is Airgap, don't autoupdate Yara & Sigma rules #} +{% if pillar.global.airgap %} + {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %} + {% do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %} +{% endif %} + {% set standard_actions = SOCMERGED.config.pop('actions') %} {% if pillar.global.endgamehost != '' %} diff --git a/setup/so-setup b/setup/so-setup index ca1581ef9..e2de39f50 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -687,10 +687,8 @@ if ! [[ -f $install_opt_file ]]; then logCmd "so-minion -o=setup" title "Creating Global SLS" - if [[ $is_airgap ]]; then - # Airgap Rules - airgap_rules - fi + # Airgap Rules + airgap_rules manager_pillar From 59af547838100d006f924ad43e302c7aac736bc6 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 27 Feb 2024 09:49:54 -0500 Subject: [PATCH 43/89] Fix download location --- salt/soc/soc_soc.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fa488ab7a..e80e98a7e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -83,7 +83,7 @@ soc: global: True advanced: False autoUpdateEnabled: - description: 'Set to true to enable automatic updates of the Sigma Community Ruleset.' + description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.' global: True advanced: True elastic: @@ -146,7 +146,7 @@ soc: advanced: True strelkaengine: autoUpdateEnabled: - description: 'Set to true to enable automatic updates of the Yara ruleset.' + description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.' global: True advanced: True client: From fcc0f9d14f50019dcad5ffc02035173fe50c6bbe Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 27 Feb 2024 13:20:58 -0500 Subject: [PATCH 44/89] redo classifications --- .../classification/classification.config | 53 ++++++++++++++++++- 1 file changed, 51 insertions(+), 2 deletions(-) diff --git a/salt/suricata/classification/classification.config b/salt/suricata/classification/classification.config index e597eb5a1..220736c94 100644 --- a/salt/suricata/classification/classification.config +++ b/salt/suricata/classification/classification.config 
@@ -1,2 +1,51 @@ -# config classification: shortname,description,priority -# config classification: misc-activity,Misc activity,3 +# +# config classification:shortname,short description,priority +# + +config classification: not-suspicious,Not Suspicious Traffic,3 +config classification: unknown,Unknown Traffic,3 +config classification: bad-unknown,Potentially Bad Traffic, 2 +config classification: attempted-recon,Attempted Information Leak,2 +config classification: successful-recon-limited,Information Leak,2 +config classification: successful-recon-largescale,Large Scale Information Leak,2 +config classification: attempted-dos,Attempted Denial of Service,2 +config classification: successful-dos,Denial of Service,2 +config classification: attempted-user,Attempted User Privilege Gain,1 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 +config classification: successful-user,Successful User Privilege Gain,1 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1 +config classification: successful-admin,Successful Administrator Privilege Gain,1 + +# NEW CLASSIFICATIONS +config classification: rpc-portmap-decode,Decode of an RPC Query,2 +config classification: shellcode-detect,Executable code was detected,1 +config classification: string-detect,A suspicious string was detected,3 +config classification: suspicious-filename-detect,A suspicious filename was detected,2 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2 +config classification: system-call-detect,A system call was detected,2 +config classification: tcp-connection,A TCP connection was detected,4 +config classification: trojan-activity,A Network Trojan was detected, 1 +config classification: unusual-client-port-connection,A client was using an unusual port,2 +config classification: network-scan,Detection of a Network Scan,3 +config classification: denial-of-service,Detection of a Denial of Service Attack,2 
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 +config classification: protocol-command-decode,Generic Protocol Command Decode,3 +config classification: web-application-activity,access to a potentially vulnerable web application,2 +config classification: web-application-attack,Web Application Attack,1 +config classification: misc-activity,Misc activity,3 +config classification: misc-attack,Misc Attack,2 +config classification: icmp-event,Generic ICMP event,3 +config classification: inappropriate-content,Inappropriate Content was Detected,1 +config classification: policy-violation,Potential Corporate Privacy Violation,1 +config classification: default-login-attempt,Attempt to login by a default username and password,2 + +# Update +config classification: targeted-activity,Targeted Malicious Activity was Detected,1 +config classification: exploit-kit,Exploit Kit Activity Detected,1 +config classification: external-ip-check,Device Retrieving External IP Address Detected,2 +config classification: domain-c2,Domain Observed Used for C2 Detected,1 +config classification: pup-activity,Possibly Unwanted Program Detected,2 +config classification: credential-theft,Successful Credential Theft Detected,1 +config classification: social-engineering,Possible Social Engineering Attempted,2 +config classification: coin-mining,Crypto Currency Mining Activity Detected,2 +config classification: command-and-control,Malware Command and Control Activity Detected,1 From df3943b4651e1bf293e0433d2138dece8ffc829b Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 27 Feb 2024 17:24:27 -0500 Subject: [PATCH 45/89] Daily rollover --- salt/elasticsearch/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 8e28f2e41..39d218564 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
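Review bot: Two of the new entries, `bad-unknown,Potentially Bad Traffic, 2` and `trojan-activity,A Network Trojan was detected, 1`, carry a space before the priority while every other line does not, and `web-application-activity,access to a potentially vulnerable web application,2` is the only description that is not capitalised. Suricata's parser tolerates the surrounding whitespace as far as I know, but the file is read by people as often as by Suricata, and normalising those three lines keeps it greppable and diff-friendly. The `# NEW CLASSIFICATIONS` and `# Update` headings would be more useful if they named the upstream `classification.config` revision the blocks were copied from, so later syncs know what to diff against.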
@@ -10597,7 +10597,7 @@ elasticsearch: hot: actions: rollover: - max_age: 30d + max_age: 1d max_primary_shard_size: 50gb set_priority: priority: 100 From e2dd0f8cf17950a6b35d66419085adb167a28e34 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 28 Feb 2024 09:39:23 -0500 Subject: [PATCH 46/89] Only update rule files if AG --- salt/manager/tools/sbin/soup | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 655e99f6c..ba8316116 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -935,8 +935,10 @@ main() { preupgrade_changes echo "" - echo "Updating Airgap Rule Files to the Latest." - update_airgap_rules + if [[ $is_airgap -eq 0 ]]; then + echo "Updating Rule Files to the Latest." + update_airgap_rules + fi # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars if [[ ! "$MINIONID" =~ "_import" ]]; then From 53761d4dba278243222822f1a00a1ec9ba033891 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 29 Feb 2024 16:15:26 -0500 Subject: [PATCH 47/89] FIX: EA installers not downloadable from SOC + fix stg logging Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/stig/enabled.sls | 21 ++++++++++++--------- salt/stig/files/sos-oscap.xml | 6 +++--- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/salt/stig/enabled.sls b/salt/stig/enabled.sls index 1f1a064fd..0f347f8bc 100644 --- a/salt/stig/enabled.sls +++ b/salt/stig/enabled.sls 
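Review bot: `max_age` for the hot-phase rollover drops from `30d` to `1d`, which produces roughly thirty times as many backing indices and primary shards for this data stream over the same period; the policy this belongs to starts outside the hunk, so it is not visible whether the stream is high-volume enough to need daily rollover. If the goal is bounded index size, `max_primary_shard_size: 50gb` on the next line already does that, so a short comment above `rollover:` stating why daily rollover is wanted (for example retention granularity) would help the next reader.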
@@ -48,15 +48,17 @@ update_stig_profile: {% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %} run_initial_scan: - module.run: - - name: openscap.xccdf - - params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}' + cmd.run: + - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}' + - success_retcodes: + - 2 {% endif %} run_remediate: - module.run: - - name: openscap.xccdf - - params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_PROFILE_LOCATION }}' + cmd.run: + - name: 'oscap xccdf eval --remediate --profile {{ OSCAP_PROFILE_NAME }} {{ OSCAP_PROFILE_LOCATION }}' + - success_retcodes: + - 2 {# OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction #} disable_ctrl_alt_del_action: @@ -82,9 +84,10 @@ remove_nullok_from_system_auth_auth: - backup: '.bak' run_post_scan: - module.run: - - name: openscap.xccdf - - params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}' + cmd.run: + - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}' + - success_retcodes: + - 2 {% else %} {{sls}}_no_license_detected: diff --git a/salt/stig/files/sos-oscap.xml b/salt/stig/files/sos-oscap.xml index 3f78af8c0..6c4c93778 100644 --- a/salt/stig/files/sos-oscap.xml +++ b/salt/stig/files/sos-oscap.xml @@ -611,7 +611,7 @@ the release. Additionally, the original security profile has been modified by Se - + 
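Review bot: `run_remediate` no longer records any results or report: the removed `module.run` form passed `--results … post-oscap-results.xml --report …` (admittedly to the profile path, which looks like a bug), and the new `cmd.run` line passes only `--remediate --profile … {{ OSCAP_PROFILE_LOCATION }}`. Without a results file, which rules were remediated and which fixes failed can only be inferred by diffing the pre- and post-scan reports. Suggest `- name: 'oscap xccdf eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/remediate-oscap-results.xml {{ OSCAP_PROFILE_LOCATION }}'`. `success_retcodes: [2]` is the right choice for oscap's "at least one rule failed" exit status while still treating exit 1 (evaluation error) as a state failure; since the same pattern is repeated in `run_initial_scan` here and `run_post_scan` in the next hunk, a one-line comment such as `# oscap exits 2 when rules fail; only exit 1 (evaluation error) is a real failure` above the first occurrence would save the next reader a trip to the man page.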
@@ -1007,8 +1007,8 @@ the release. Additionally, the original security profile has been modified by Se - - + + From b017157d21a7b32a8163b7593d2279a06d3a776f Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 1 Mar 2024 14:04:56 -0500 Subject: [PATCH 48/89] Add antivirus mapping --- salt/soc/files/soc/sigma_so_pipeline.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 533823e6f..37e9f4a3e 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml @@ -16,7 +16,25 @@ transformations: src_port: source.port dst_ip: destination.ip.keyword dst_port: destination.port - winlog.event_data.User: user.name + winlog.event_data.User: user.name + # Maps "antivirus" category to Windows Defender logs shipped by Elastic Agent Winlog Integration + # winlog.event_data.threat_name has to be renamed prior to ingestion, it is originally winlog.event_data.Threat Name + - id: antivirus_field-mappings_windows-defender + type: field_name_mapping + mapping: + Signature: winlog.event_data.threat_name + rule_conditions: + - type: logsource + category: antivirus + - id: antivirus_add-fields_windows-defender + type: add_condition + conditions: + winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + winlog.provider_name: 'Microsoft-Windows-Windows Defender' + event.code: "1116" + rule_conditions: + - type: logsource + category: antivirus - id: hashes_process-creation type: field_name_mapping mapping: From d832158cc52fe7c87d88fe233c38128d425d0a2f Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 1 Mar 2024 15:26:02 -0500 Subject: [PATCH 49/89] Drop Hashes field --- salt/soc/files/soc/sigma_so_pipeline.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 37e9f4a3e..d227c3f01 100644 
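Review bot: The `antivirus_add-fields_windows-defender` transformation pins every `category: antivirus` rule to `event.code: "1116"`, so Defender detections reported under other event IDs (1117, the matching "action taken" event, if I recall the channel correctly) will never match a Sigma antivirus rule; if that narrowing is deliberate, a comment on the `event.code` line saying so would stop someone widening it later. The two comment lines above the mapping explain the `threat_name` rename but not this restriction. The `winlog.event_data.User: user.name` line appears to change only in whitespace, which is fine but shows up as noise in blame.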
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml @@ -35,6 +35,17 @@ transformations: rule_conditions: - type: logsource category: antivirus + # Drops the Hashes field which is specific to Sysmon logs + # Ingested sysmon logs will have the Hashes field mapped to ECS specific fields + - id: hashes_drop_sysmon-specific-field + type: drop_detection_item + field_name_conditions: + - type: include_fields + fields: + - winlog.event_data.Hashes + rule_conditions: + - type: logsource + product: windows - id: hashes_process-creation type: field_name_mapping mapping: @@ -67,4 +78,4 @@ transformations: rule_conditions: - type: logsource product: windows - category: driver_load \ No newline at end of file + category: driver_load From f28f269bb120195d00066d7b7fcf0304906c8e86 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 4 Mar 2024 07:38:32 -0500 Subject: [PATCH 50/89] Fix FIM --- .../tools/sbin_jinja/so-elastic-agent-gen-installers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 275bc6a11..ff46a3e07 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -46,7 +46,7 @@ do done printf "\n### Stripping out unused components" -find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete +find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*heart.*\|.*cloud.*' -delete printf "\n### Tarring everything up again" for OS in "${OSARCH[@]}" From 018e099111e86774e51126b42d22253b73ea7495 Mon Sep 17 00:00:00 2001 
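Review bot: `hashes_drop_sysmon-specific-field` drops `winlog.event_data.Hashes` from every rule with `product: windows`, so a rule whose detection relies only on the Hashes field is left with an empty detection; depending on how pySigma handles that, the rule either fails to convert or, worse, becomes a condition that matches far more than intended. It would be safer to constrain the drop to the categories whose hashes are mapped to ECS fields by `hashes_process-creation` and the similar transformations below, or to verify that the pipeline rejects rather than widens such a rule. The transformation also names the field in its post-mapping form (`winlog.event_data.Hashes`), which only works if a `Hashes` to `winlog.event_data.Hashes` mapping runs earlier in the pipeline than this item; that ordering is outside the hunk, so worth confirming.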
From: Mike Reeves Date: Mon, 4 Mar 2024 14:53:15 -0500 Subject: [PATCH 51/89] Modify setup --- salt/manager/tools/sbin/so-minion | 39 +++++++++++++++++++------------ 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 4995e1c9d..4a6e5b7c7 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -80,28 +80,27 @@ function getinstallinfo() { } function pcapspace() { - - local NSMSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') - local ROOTSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ') - - if [[ "$NSMSIZE" == "null" ]]; then - # Looks like there is no dedicated nsm partition. Using root - local SPACESIZE=$ROOTSIZE + if [[ "$OPERATION" == "setup" ]]; then + local SPACESIZE=$(df -h /nsm | tail -1 | awk '{print $2}') else - local SPACESIZE=$NSMSIZE + + local NSMSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') + local ROOTSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ') + + if [[ "$NSMSIZE" == "null" ]]; then + # Looks like there is no dedicated nsm partition. Using root + local SPACESIZE=$ROOTSIZE + else + local SPACESIZE=$NSMSIZE + fi fi local s=$(( $SPACESIZE / 1000000 )) local s1=$(( $s / 2 )) local s2=$(( $s1 / $lb_procs )) - printf '%s\n'\ - "suricata:"\ - " config:"\ - " output:"\ - " pcap-log:"\ - " max-files: $s" >> $PILLARFILE - + MAXPCAPFILES=$s2 + } function testMinion() { @@ -272,6 +271,11 @@ function add_sensor_to_minion() { echo " config:" >> $PILLARFILE echo " af-packet:" >> $PILLARFILE echo " threads: '$CORECOUNT'" >> $PILLARFILE + if [[ $is_pcaplimit ]]; then + echo " output:" >> $PILLARFILE + echo " pcap-log:" >> $PILLARFILE + echo " max-files: '$MAXPCAPFILES'" >> $PILLARFILE + fi echo "pcap:" >> $PILLARFILE echo " enabled: True" >> $PILLARFILE if [[ $is_pcaplimit ]]; then 
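Review bot: In the non-setup branch of `pcapspace`, `salt '$MINION_ID' disk.usage …` is single-quoted, so salt is asked for a minion literally named `$MINION_ID` and both `NSMSIZE` and `ROOTSIZE` end up empty or `null`; these lines were moved rather than written fresh, but they are on the new side, and the later hunks now call `pcapspace` from every sensor-bearing role. The setup branch reads `df -h`, whose second column is a human-readable value such as `500G`, which the arithmetic `$(( $SPACESIZE / 1000000 ))` on the following line cannot consume. Suggest `salt "$MINION_ID" disk.usage --out=json` and `df -k` for the setup branch so both paths yield 1K blocks; `$lb_procs` in `s2=$(( $s1 / $lb_procs ))` is set outside this hunk and also deserves a guard against being unset or zero, which makes the division abort.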
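Review bot: `add_sensor_to_minion` writes `max-files: '$MAXPCAPFILES'` into the pillar as a quoted string, while the value it replaces (the removed `printf` in `pcapspace`) was emitted unquoted as `max-files: $s`; if the consumer of `suricata.config.output.pcap-log.max-files` treats it as an integer, the quotes turn it into a YAML string. Worth confirming which form the pillar schema expects and using the same form as the existing default. `MAXPCAPFILES` is only assigned when `pcapspace` runs, and the `is_pcaplimit=true` assignment and the `pcapspace` call are separate lines in each role function, so a role that sets the flag without calling `pcapspace` silently writes `max-files: ''`.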
@@ -448,6 +452,7 @@ function updateMine() { function createEVAL() { is_pcaplimit=true + pcapspace add_elasticsearch_to_minion add_sensor_to_minion add_strelka_to_minion @@ -468,6 +473,7 @@ function createEVAL() { function createSTANDALONE() { is_pcaplimit=true + pcapspace add_elasticsearch_to_minion add_logstash_to_minion add_sensor_to_minion @@ -557,6 +563,7 @@ function createIDH() { function createHEAVYNODE() { is_pcaplimit=true + pcapspace add_elasticsearch_to_minion add_elastic_agent_to_minion add_logstash_to_minion @@ -567,6 +574,8 @@ function createHEAVYNODE() { } function createSENSOR() { + is_pcaplimit=true + pcapspace add_sensor_to_minion add_strelka_to_minion add_telegraf_to_minion From fe238755e981fdc3316c48f03c23c9a6a29613ca Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 4 Mar 2024 16:52:51 -0500 Subject: [PATCH 52/89] Fix df --- salt/manager/tools/sbin/so-minion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 4a6e5b7c7..d696e14c6 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -81,7 +81,7 @@ function getinstallinfo() { function pcapspace() { if [[ "$OPERATION" == "setup" ]]; then - local SPACESIZE=$(df -h /nsm | tail -1 | awk '{print $2}') + local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n) else local NSMSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') From b64d61065a7cf910a1c53d28485bfbee21edb4e9 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Mar 2024 09:19:43 -0500 Subject: [PATCH 53/89] Add AWS Cloudfront template --- salt/elasticsearch/defaults.yaml | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 39d218564..0d2dd8a41 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
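Review bot: `tr -d \n` in the new `df -k` line reaches `tr` as `n` because the unquoted backslash is consumed by the shell, so it deletes the letter `n` rather than newlines; that is harmless on numeric output but not what the line says. `$(…)` already strips trailing newlines, so the `tr` can simply be dropped: `local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}')`, or written `tr -d '\n'` if kept. Switching to `df -k` does fix the unit mismatch with the `1K-blocks` value read from salt in the other branch, so the `/ 1000000` arithmetic below now sees the same units in both paths.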
@@ -1107,6 +1107,50 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-aws_x_cloudfront_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.cloudfront_logs-*" + template: + settings: + index: + lifecycle: + name: so-logs-aws.cloudfront_logs-logs + number_of_replicas: 0 + composed_of: + - "logs-aws.cloudfront_logs@package" + - "logs-aws.cloudfront_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-aws_x_cloudtrail: index_sorting: false index_template: From 1514f1291e2961dedd91354c0593ffa6e0854023 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Mar 2024 09:21:48 -0500 Subject: [PATCH 54/89] Add AWS GuardDuty template --- salt/elasticsearch/defaults.yaml | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 0d2dd8a41..54a65a112 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
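Review bot: `index_sorting: False` in the new `so-logs-aws_x_cloudfront_logs` entry uses the capitalised form, while the neighbouring `so-logs-aws_x_cloudtrail` entry directly below uses `index_sorting: false`; YAML 1.1 loaders read both as booleans, but the file otherwise uses lowercase and yamllint's `truthy` rule will flag the new one. The same `False` appears in the guardduty, inspector and both securityhub entries added by the following three patches. Suggest `index_sorting: false` in all five.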
@@ -1371,6 +1371,50 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-aws_x_guardduty: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.guardduty-*" + template: + settings: + index: + lifecycle: + name: so-logs-aws.guardduty-logs + number_of_replicas: 0 + composed_of: + - "logs-aws.guardduty@package" + - "logs-aws.guardduty@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-aws_x_route53_public_logs: index_sorting: false index_template: From d85ac39e2875dac3a58930abd2523f5be7af6ece Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Mar 2024 09:23:17 -0500 Subject: [PATCH 55/89] Add AWS Inspector template --- salt/elasticsearch/defaults.yaml | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 54a65a112..8d31a1acd 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -1415,6 +1415,50 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-aws_x_inspector: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.inspector-*" + template: + settings: + index: + lifecycle: + name: so-logs-aws.inspector-logs + number_of_replicas: 0 + composed_of: + - "logs-aws.inspector@package" + - "logs-aws.inspector@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-aws_x_route53_public_logs: index_sorting: false index_template: From d8e8933ea0a035e0628a0bbcc65096a0c0a00b01 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Mar 2024 09:25:41 -0500 Subject: [PATCH 56/89] Add AWS Security Hub template --- salt/elasticsearch/defaults.yaml | 88 ++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 8d31a1acd..2274018b1 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -1591,6 +1591,94 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-aws_x_securityhub_findings: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.securityhub_findings-*" + template: + settings: + index: + lifecycle: + name: so-logs-aws.securityhub_findings-logs + number_of_replicas: 0 + composed_of: + - "logs-aws.securityhub_findings@package" + - "logs-aws.securityhub_findings@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_securityhub_insights: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.securityhub_insights-*" + template: + settings: + index: + lifecycle: + name: so-logs-aws.securityhub_insights-logs + number_of_replicas: 0 + composed_of: + - "logs-aws.securityhub_insights@package" + - "logs-aws.securityhub_insights@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-aws_x_vpcflow: index_sorting: false index_template: From 2a7e5b096f0320dec1d395bf3fe3c5721582283f Mon Sep 17 00:00:00 2001 
From: weslambert Date: Tue, 5 Mar 2024 09:48:59 -0500 Subject: [PATCH 57/89] Change version for foxtrot --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 5a99ed019..7d52aac7f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.60 +2.4.0-foxtrot From bed42208b1856f1e02033ac483a0610fa7adb76e Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Mar 2024 09:49:55 -0500 Subject: [PATCH 58/89] Add journald integration --- salt/elasticfleet/defaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index e4f54ceb0..7b2d9d6a3 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -65,6 +65,7 @@ elasticfleet: - http_endpoint - httpjson - iis + - journald - juniper - juniper_srx - kafka_log From 08f2b8251b95638ef5611e203bd476f8e259c74c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Mar 2024 09:53:35 -0500 Subject: [PATCH 59/89] add GLOBALS.is_sensor --- salt/vars/globals.map.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index 624173217..ed7129678 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -8,6 +8,7 @@ set GLOBALS = { 'hostname': INIT.GRAINS.nodename, 'is_manager': false, + 'is_sensor': false, 'manager': INIT.GRAINS.master, 'minion_id': INIT.GRAINS.id, 'main_interface': INIT.PILLAR.host.mainint, @@ -63,5 +64,8 @@ {% do GLOBALS.update({'is_manager': true}) %} {% endif %} +{% if GLOBALS.role in GLOBALS.sensor_roles %} +{% do GLOBALS.update({'is_sensor': true}) %} +{% endif %} {% do salt['defaults.merge'](GLOBALS, ROLE_GLOBALS, merge_lists=False, in_place=True) %} From 1a58aa61a0409889194fe7f427078c7de5623aff Mon Sep 17 00:00:00 2001 
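Review bot: `GLOBALS.sensor_roles` is consulted by the new `is_sensor` block but is not defined anywhere in this hunk; presumably it is set earlier in the map alongside the list used for `is_manager`, and a comment naming that dependency would help, e.g. `{# sensor_roles is defined above; is_sensor is computed before ROLE_GLOBALS is merged in #}`. Because the flag is set before `defaults.merge` with ROLE_GLOBALS, a role-specific `is_sensor` value would override the computed one — worth confirming that is intended. The GLOBALS mapping this extends starts outside the hunk.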
From: m0duspwnens Date: Tue, 5 Mar 2024 09:54:40 -0500 Subject: [PATCH 60/89] only import pcap and suricata if sensor --- salt/sensoroni/files/sensoroni.json | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 97c91f0b3..93708440a 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -1,7 +1,5 @@ -{%- from 'vars/globals.map.jinja' import GLOBALS %} -{%- from 'sensoroni/map.jinja' import SENSORONIMERGED %} -{%- from 'pcap/config.map.jinja' import PCAPMERGED %} -{%- from 'suricata/map.jinja' import SURICATAMERGED %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{%- from 'sensoroni/map.jinja' import SENSORONIMERGED -%} { "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"info", 
@@ -24,24 +22,28 @@ "importer": {}, "statickeyauth": { "apiKey": "{{ GLOBALS.sensoroni_key }}" -{#- if PCAPMERGED.enabled is true then we know that steno is the pcap engine #} -{#- if it is false, then user has steno disabled in ui or has selected suricata for pcap engine #} -{%- if PCAPMERGED.enabled %} +{% if GLOBALS.is_sensor %} +{% from 'pcap/config.map.jinja' import PCAPMERGED %} +{% from 'suricata/map.jinja' import SURICATAMERGED %} +{# if PCAPMERGED.enabled is true then we know that steno is the pcap engine #} +{# if it is false, then user has steno disabled in ui or has selected suricata for pcap engine #} +{%- if PCAPMERGED.enabled %} }, "stenoquery": { "executablePath": "/opt/sensoroni/scripts/stenoquery.sh", "pcapInputPath": "/nsm/pcap", "pcapOutputPath": "/nsm/pcapout" } -{%- elif GLOBALS.pcap_engine == "SURICATA" and SURICATAMERGED.enabled %} +{%- elif GLOBALS.pcap_engine == "SURICATA" and SURICATAMERGED.enabled %} }, "suriquery": { "executablePath": "/opt/sensoroni/scripts/suriquery.sh", "pcapInputPath": "/nsm/suripcap", "pcapOutputPath": "/nsm/pcapout" } -{%- else %} +{%- else %} } +{% endif %} {%- endif %} } } From c0d19e11b9bad6ee1ebb93088f42f3e44b0bc13c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Mar 2024 10:07:32 -0500 Subject: [PATCH 61/89] fix } placement --- salt/sensoroni/files/sensoroni.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 93708440a..5090967ef 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -41,9 +41,9 @@ "pcapInputPath": "/nsm/suripcap", "pcapOutputPath": "/nsm/pcapout" } -{%- else %} +{% endif %} +{%- else %} } -{% endif %} {%- endif %} } } From b9ebe6c40b2545bfb9c0d18e75d2be67c5f3d9f2 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 5 Mar 2024 12:58:34 -0500 Subject: [PATCH 62/89] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
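Review bot: After moving `{% endif %}` ahead of `{%- else %}`, the `}` that closes the statickeyauth object is emitted only when `GLOBALS.is_sensor` is false: on a sensor where `PCAPMERGED.enabled` is false and the pcap engine is not SURICATA, the inner if/elif now has no else branch, so the rendered JSON loses a closing brace. Restoring an inner branch — `{%- else %}` followed by `}` immediately before the new `{% endif %}` — covers that case. A cleaner layout would close statickeyauth unconditionally and let the optional stenoquery/suriquery objects begin with a leading comma, which removes the need to emit `}` inside each branch. The enclosing JSON object starts outside the hunk.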
diff --git a/VERSION b/VERSION index 7d52aac7f..5a99ed019 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-foxtrot +2.4.60 From 6eb608c3f53f2a9b6743d02eebe080c469343995 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Mar 2024 15:05:03 -0500 Subject: [PATCH 63/89] Update so-minion --- salt/manager/tools/sbin/so-minion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index d696e14c6..82c19e39b 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -96,7 +96,7 @@ function pcapspace() { fi local s=$(( $SPACESIZE / 1000000 )) - local s1=$(( $s / 2 )) + local s1=$(( $s / 4 )) local s2=$(( $s1 / $lb_procs )) MAXPCAPFILES=$s2 From a686d46322ed335c8a7fd4220843e823511f2769 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Mar 2024 15:09:02 -0500 Subject: [PATCH 64/89] Update so-minion --- salt/manager/tools/sbin/so-minion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 82c19e39b..7e33533b4 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -280,7 +280,7 @@ function add_sensor_to_minion() { echo " enabled: True" >> $PILLARFILE if [[ $is_pcaplimit ]]; then echo " config:" >> $PILLARFILE - echo " diskfreepercentage: 60" >> $PILLARFILE + echo " diskfreepercentage: 75" >> $PILLARFILE pcapspace fi echo " " >> $PILLARFILE From 4b5f00cef4d13a21ac8ff635a8ec625151e33e07 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 5 Mar 2024 16:42:20 -0500 Subject: [PATCH 65/89] fix oinkcodes with leading zeros --- salt/idstools/soc_idstools.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml index f8ec3b8b6..3e3a68117 100644 --- a/salt/idstools/soc_idstools.yaml +++ b/salt/idstools/soc_idstools.yaml 
@@ -6,6 +6,7 @@ idstools: description: Enter your registration code or oinkcode for paid NIDS rulesets. title: Registration Code global: True + forcedType: string helpLink: rules.html ruleset: description: 'Defines the ruleset you want to run. Options are ETOPEN or ETPRO. WARNING! Changing the ruleset will remove all existing Suricata rules of the previous ruleset and their associated overrides. This removal cannot be undone.' From 5687fdcf578eb44aa11f72646a11c284ea57838e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Mar 2024 17:46:43 -0500 Subject: [PATCH 66/89] fix pcapspace function --- salt/manager/tools/sbin/so-minion | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index d696e14c6..54587774f 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -84,8 +84,8 @@ function pcapspace() { local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n) else - local NSMSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') - local ROOTSIZE=$(salt '$MINION_ID' disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ') + local NSMSIZE=$(salt "$MINION_ID" disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ') + local ROOTSIZE=$(salt "$MINION_ID" disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ') if [[ "$NSMSIZE" == "null" ]]; then # Looks like there is no dedicated nsm partition. Using root @@ -97,7 +97,7 @@ function pcapspace() { local s=$(( $SPACESIZE / 1000000 )) local s1=$(( $s / 2 )) - local s2=$(( $s1 / $lb_procs )) + local s2=$(( $s1 / $CORECOUNT )) MAXPCAPFILES=$s2 From eaef076eba34104b5495aef002b8bab3e1b8422b Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 5 Mar 2024 17:52:24 -0500 Subject: [PATCH 67/89] Update so-minion --- salt/manager/tools/sbin/so-minion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
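Review bot: `forcedType: string` fixes the leading-zero loss, but nothing in the annotation records why, and the registration code is a paid-ruleset credential that is still presented like any other global setting. A comment such as `# forced to string so codes with leading zeros are not coerced to integers` would keep the next editor from "simplifying" it away, and if the annotation schema has a way to mark a value as sensitive so it is masked in the UI and in exports, this field is a candidate.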
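Review bot: The quoting fix is right, but the two `salt "$MINION_ID" disk.usage --out=json` calls in the first hunk are separate round-trips to the minion that could be one call stored in a variable and queried with `jq` twice, and if the minion does not respond the `jq -r` output is empty rather than `null`, so the `"$NSMSIZE" == "null"` test does not fire and SPACESIZE ends up empty before the arithmetic. In the context line `tr -d \n` the backslash is unquoted, so the shell passes `n` and the command deletes the letter n instead of newlines; `$( )` already strips the trailing newline, so the `tr` can simply be dropped. In the second hunk `local s2=$(( $s1 / $CORECOUNT ))` truncates to 0 whenever s1 is smaller than the core count, so a small /nsm yields `max-files: 0`; a floor such as `(( s2 < 1 )) && s2=1` avoids that. The rest of pcapspace lies outside both hunks.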
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 6f037d344..ab05fafcc 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -96,8 +96,8 @@ function pcapspace() { fi local s=$(( $SPACESIZE / 1000000 )) - local s2=$(( $s1 / $CORECOUNT )) local s1=$(( $s / 4 )) + local s2=$(( $s1 / $CORECOUNT )) MAXPCAPFILES=$s2 From 1b47537a3f2d808e8cc9176fbfe636edadea6c7f Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 6 Mar 2024 07:16:50 -0500 Subject: [PATCH 68/89] Add Exclusion toggle --- salt/soc/defaults.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index d5ecbe71f..60f2ee613 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1201,6 +1201,9 @@ soc: - name: caseExcludeToggle filter: 'NOT _index:"*:so-case*"' enabled: true + - name: detectionsExcludeToggle + filter: 'NOT _index:"*:so-detection*"' + enabled: true - name: socExcludeToggle filter: 'NOT event.module:"soc"' enabled: true @@ -1471,6 +1474,9 @@ soc: - name: caseExcludeToggle filter: 'NOT _index:"*:so-case*"' enabled: true + - name: detectionsExcludeToggle + filter: 'NOT _index:"*:so-detection*"' + enabled: true - name: socExcludeToggle filter: 'NOT event.module:"soc"' enabled: true From 12653eec8c4565e9d2538c803fc9a8e53edfb1c6 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 6 Mar 2024 08:14:33 -0500 Subject: [PATCH 69/89] add new pcap annotations --- salt/sensoroni/defaults.yaml | 118 ++++++++++++++-------------- salt/sensoroni/files/sensoroni.json | 3 +- salt/sensoroni/soc_sensoroni.yaml | 5 ++ salt/soc/defaults.yaml | 1 + salt/soc/soc_soc.yaml | 3 + 5 files changed, 71 insertions(+), 59 deletions(-) diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml index 4ebd666a9..7777985dd 100644 --- a/salt/sensoroni/defaults.yaml +++ b/salt/sensoroni/defaults.yaml 
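Review bot: The same `detectionsExcludeToggle` entry is added to two separate lists (the hunks at 1201 and 1474), which already carry identical copies of `caseExcludeToggle` and `socExcludeToggle`; nothing ties the two copies together, so a later change to one list is easy to miss in the other. A comment on each list naming the other copy, e.g. `# keep in sync with the matching toggle list elsewhere in this file`, would make the duplication visible. The lists these entries belong to start outside the hunks.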
@@ -1,58 +1,60 @@ -sensoroni: - enabled: False - config: - analyze: - enabled: False - timeout_ms: 900000 - parallel_limit: 5 - node_checkin_interval_ms: 10000 - sensoronikey: - soc_host: - analyzers: - echotrail: - base_url: https://api.echotrail.io/insights/ - api_key: - elasticsearch: - base_url: - auth_user: - auth_pwd: - num_results: 10 - api_key: - index: _all - time_delta_minutes: 14400 - timestamp_field_name: '@timestamp' - map: {} - cert_path: - emailrep: - base_url: https://emailrep.io/ - api_key: - greynoise: - base_url: https://api.greynoise.io/ - api_key: - api_version: community - localfile: - file_path: [] - otx: - base_url: https://otx.alienvault.com/api/v1/ - api_key: - pulsedive: - base_url: https://pulsedive.com/api/ - api_key: - spamhaus: - lookup_host: zen.spamhaus.org - nameservers: [] - sublime_platform: - base_url: https://api.platform.sublimesecurity.com - api_key: - live_flow: False - mailbox_email_address: - message_source_id: - urlscan: - base_url: https://urlscan.io/api/v1/ - api_key: - enabled: False - visibility: public - timeout: 180 - virustotal: - base_url: https://www.virustotal.com/api/v3/search?query= - api_key: +sensoroni: + enabled: False + config: + analyze: + enabled: False + timeout_ms: 900000 + parallel_limit: 5 + node_checkin_interval_ms: 10000 + sensoronikey: + soc_host: + suripcap: + pcapMaxCount: 999999 + analyzers: + echotrail: + base_url: https://api.echotrail.io/insights/ + api_key: + elasticsearch: + base_url: + auth_user: + auth_pwd: + num_results: 10 + api_key: + index: _all + time_delta_minutes: 14400 + timestamp_field_name: '@timestamp' + map: {} + cert_path: + emailrep: + base_url: https://emailrep.io/ + api_key: + greynoise: + base_url: https://api.greynoise.io/ + api_key: + api_version: community + localfile: + file_path: [] + otx: + base_url: https://otx.alienvault.com/api/v1/ + api_key: + pulsedive: + base_url: https://pulsedive.com/api/ + api_key: + spamhaus: + lookup_host: zen.spamhaus.org + nameservers: 
[] + sublime_platform: + base_url: https://api.platform.sublimesecurity.com + api_key: + live_flow: False + mailbox_email_address: + message_source_id: + urlscan: + base_url: https://urlscan.io/api/v1/ + api_key: + enabled: False + visibility: public + timeout: 180 + virustotal: + base_url: https://www.virustotal.com/api/v3/search?query= + api_key: diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 5090967ef..eb9c1131d 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -39,7 +39,8 @@ "suriquery": { "executablePath": "/opt/sensoroni/scripts/suriquery.sh", "pcapInputPath": "/nsm/suripcap", - "pcapOutputPath": "/nsm/pcapout" + "pcapOutputPath": "/nsm/pcapout", + "pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }} } {% endif %} {%- else %} diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index f7a10c6f7..7b8495dc5 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -37,6 +37,11 @@ sensoroni: helpLink: grid.html global: True advanced: True + suripcap: + pcapMaxCount: + description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface. + helpLink: sensoroni.html + advanced: True analyzers: echotrail: api_key: diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index d5ecbe71f..abcd12308 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1103,6 +1103,7 @@ soc: esSearchOffsetMs: 1800000 maxLogLength: 1024 asyncThreshold: 10 + lookupTunnelParent: true influxdb: hostUrl: token: diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index e80e98a7e..645a4c8a9 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
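Review bot: The new `pcapMaxCount` setting is interpolated unquoted into sensoroni.json (`"pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}`), so a non-numeric or empty value entered through the UI would render invalid JSON and break the sensoroni configuration. The annotation in soc_sensoroni.yaml should constrain the input, e.g. `regex: ^[0-9]+$` and `regexFailureMessage: You must enter a whole number.`, as the suricata annotations later in this series do. The description could also mention that the value must be a positive integer.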
@@ -126,6 +126,9 @@ soc: description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete. global: True advanced: True + lookupTunnelParent: + description: When true, if a pivoted event appears to be encapsulated, such as in a VxLan packet, then SOC will pivot to the VxLan packet stream. This can be useful if the PCAP parser is unable to locate the encapsulated packets. However, if the parser is written in a way that it can find a given filter even if its encapsulated, this is best left to false, as the analyst will see the intended packet data rather than the wrapping packet data. + global: True sostatus: refreshIntervalMs: description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled. From 0f12297f5019e91def5af525ffcd113108dc9e29 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 6 Mar 2024 08:19:42 -0500 Subject: [PATCH 70/89] add new pcap annotations --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 645a4c8a9..799d9af4e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -127,7 +127,7 @@ soc: global: True advanced: True lookupTunnelParent: - description: When true, if a pivoted event appears to be encapsulated, such as in a VxLan packet, then SOC will pivot to the VxLan packet stream. This can be useful if the PCAP parser is unable to locate the encapsulated packets. However, if the parser is written in a way that it can find a given filter even if its encapsulated, this is best left to false, as the analyst will see the intended packet data rather than the wrapping packet data. + description: When true, if a pivoted event appears to be encapsulated, such as in a VXLAN packet, then SOC will pivot to the VXLAN packet stream. When false, SOC will attempt to pivot to the encapsulated packet stream itself, but at the risk that it may be unable to locate it in the stored PCAP data. global: True sostatus: refreshIntervalMs: From f58c104d899bf99fa1d3b566797eb2447a909917 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Mar 2024 09:51:56 -0500 Subject: [PATCH 71/89] Update so-minion --- salt/manager/tools/sbin/so-minion | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index ab05fafcc..09708707f 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -81,6 +81,8 @@ function getinstallinfo() { function pcapspace() { if [[ "$OPERATION" == "setup" ]]; then + # Use 25% for PCAP + PCAP_PERCENTAGE=1 local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n) else @@ -96,10 +98,9 @@ function pcapspace() { fi local s=$(( $SPACESIZE / 1000000 )) - local s1=$(( $s / 4 )) - local s2=$(( $s1 / $CORECOUNT )) + local s1=$(( $s / 4 * $PCAP_PERCENTAGE )) - MAXPCAPFILES=$s2 + MAX_PCAP_SPACE=$s1 } 
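Review bot: `local s1=$(( $s / 4 * $PCAP_PERCENTAGE ))` divides before multiplying, so the quarter is truncated first (s=7 with factor 3 gives 3 GB instead of 5); `local s1=$(( s * PCAP_PERCENTAGE / 4 ))` keeps the precision. PCAP_PERCENTAGE is also a count of quarters rather than a percentage, so the added comment `# Use 25% for PCAP` only holds for the value 1; a comment like `# PCAP_PERCENTAGE is in units of 25%: 1 = 25%, 3 = 75%` at the assignment would prevent the misreading. The rest of pcapspace lies outside the hunk.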
@@ -271,17 +272,12 @@ function add_sensor_to_minion() { echo " config:" >> $PILLARFILE echo " af-packet:" >> $PILLARFILE echo " threads: '$CORECOUNT'" >> $PILLARFILE - if [[ $is_pcaplimit ]]; then - echo " output:" >> $PILLARFILE - echo " pcap-log:" >> $PILLARFILE - echo " max-files: '$MAXPCAPFILES'" >> $PILLARFILE - fi echo "pcap:" >> $PILLARFILE echo " enabled: True" >> $PILLARFILE if [[ $is_pcaplimit ]]; then echo " config:" >> $PILLARFILE echo " diskfreepercentage: 75" >> $PILLARFILE - pcapspace + echo " suripcapmaxsize: $MAX_PCAP_SPACE" >> $PILLARFILE fi echo " " >> $PILLARFILE } @@ -563,6 +559,7 @@ function createIDH() { function createHEAVYNODE() { is_pcaplimit=true + PCAP_PERCENTAGE=1 pcapspace add_elasticsearch_to_minion add_elastic_agent_to_minion @@ -575,6 +572,7 @@ function createHEAVYNODE() { function createSENSOR() { is_pcaplimit=true + PCAP_PERCENTAGE=3 pcapspace add_sensor_to_minion add_strelka_to_minion From a63fca727ce144a90d6fd01a82707ecfcf32a39f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Mar 2024 10:02:06 -0500 Subject: [PATCH 72/89] Update soc_suricata.yaml --- salt/suricata/soc_suricata.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 4f9a80d86..fbd6e84ee 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
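Review bot: `PCAP_PERCENTAGE=3` in createSENSOR is assigned before pcapspace is called, but pcapspace's setup branch (first hunk of this commit) unconditionally resets `PCAP_PERCENTAGE=1`, so during setup a sensor appears to end up with 25% rather than the intended 75% unless createSENSOR never runs with OPERATION=setup — worth confirming. The same pattern recurs with DFREEPERCENT in the later "Fix percent calc" hunks, where the setup branch sets 75 and createSENSOR sets 10. Letting the setup branch supply only a default, `PCAP_PERCENTAGE=${PCAP_PERCENTAGE:-1}`, would keep the caller's choice. The bodies of these functions continue outside the hunks.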
@@ -188,17 +188,11 @@ suricata: advanced: True readonly: True helpLink: suricata.html - limit: - description: File size limit per thread. To determine max PCAP size multiple threads x max-files x limit. - helpLink: suricata.html mode: description: Suricata PCAP mode. Currently only multi is supported. advanced: True readonly: True helpLink: suricata.html - max-files: - description: Max PCAP files per thread. To determine max PCAP size multiple threads x max-files x limit. - helpLink: suricata.html use-stream-depth: description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. advanced: True From 4dfa1a5626387ab70c389565fa74a542cc44949b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Mar 2024 10:35:10 -0500 Subject: [PATCH 74/89] Move Suricata around --- salt/suricata/defaults.yaml | 5 +++-- salt/suricata/soc_suricata.yaml | 8 ++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index eb2c181e3..42af3fc55 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -1,5 +1,8 @@ suricata: enabled: False + pcap: + filesize: 1000mb + maxsize: 25 config: threading: set-cpu-affinity: "no" @@ -132,9 +135,7 @@ suricata: lz4-checksum: "no" lz4-level: 8 filename: "%n/so-pcap.%t" - limit: "1000mb" mode: "multi" - max-files: 10 use-stream-depth: "no" conditional: "all" dir: "/nsm/suripcap" diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index fbd6e84ee..88b460af8 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -19,6 +19,14 @@ suricata: multiline: True title: Classifications helpLink: suricata.html + pcap: + filesize: + description: Max file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval times. + advanced: True + helplink: suricata.html + maxsize: + description: Size in GB for total usage size of PCAP on disk. + helplink: suricata.html config: af-packet: interface: From 167aff24f61b8bbcaced10e05f8dfde3dd4acf0a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 6 Mar 2024 11:03:52 -0500 Subject: [PATCH 75/89] detections annotations --- salt/soc/defaults.yaml | 1 + salt/soc/soc_soc.yaml | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index abcd12308..ad1f8bb5f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1147,6 +1147,7 @@ soc: tipTimeoutMs: 6000 cacheExpirationMs: 300000 casesEnabled: true + detectionsEnabled: false inactiveTools: ['toolUnused'] tools: - name: toolKibana diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 799d9af4e..08a29766d 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
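Review bot: Both new entries use `helplink:` while every other annotation in this file uses `helpLink:` (see the `helpLink: suricata.html` context line just above); YAML keys are case-sensitive, so the help link for `filesize` and `maxsize` will most likely be ignored by the consumer, and both should read `helpLink: suricata.html`. The mismatch is still present as context in the later "Consolidate PCAP settings" hunk. The `maxsize` description states GB while the `filesize` default is `1000mb`; naming the unit in the `filesize` description as well would save the reader from inferring it.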
@@ -79,11 +79,11 @@ soc: modules: elastalertengine: sigmaRulePackages: - description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' + description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone. (future use, not yet complete)' global: True advanced: False autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.' + description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)' global: True advanced: True elastic: @@ -149,7 +149,7 @@ soc: advanced: True strelkaengine: autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.' + description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)' global: True advanced: True client: 
@@ -174,6 +174,9 @@ soc: casesEnabled: description: Set to true to enable case management in SOC. global: True + detectionsEnabled: + description: Set to true to enable the Detections module in SOC. (future use, not yet complete) + global: True inactiveTools: description: List of external tools to remove from the SOC UI. global: True From ad120934295999845436cdcb303ac3ca51c621e6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Mar 2024 11:05:06 -0500 Subject: [PATCH 76/89] Fix percent calc --- salt/manager/tools/sbin/so-minion | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 09708707f..a3d8230b5 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -83,6 +83,7 @@ function pcapspace() { if [[ "$OPERATION" == "setup" ]]; then # Use 25% for PCAP PCAP_PERCENTAGE=1 + DFREEPERCENT=75 local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n) else @@ -269,6 +270,10 @@ function add_sensor_to_minion() { echo " lb_procs: '$CORECOUNT'" >> $PILLARFILE echo "suricata:" >> $PILLARFILE echo " enabled: True " >> $PILLARFILE + if [[ $is_pcaplimit ]]; then + echo " pcap:" >> $PILLARFILE + echo " maxsize: $MAX_PCAP_SPACE" >> $PILLARFILE + fi echo " config:" >> $PILLARFILE echo " af-packet:" >> $PILLARFILE echo " threads: '$CORECOUNT'" >> $PILLARFILE @@ -276,8 +281,7 @@ function add_sensor_to_minion() { echo " enabled: True" >> $PILLARFILE if [[ $is_pcaplimit ]]; then echo " config:" >> $PILLARFILE - echo " diskfreepercentage: 75" >> $PILLARFILE - echo " suripcapmaxsize: $MAX_PCAP_SPACE" >> $PILLARFILE + echo " diskfreepercentage: $DFREEPERCENT" >> $PILLARFILE fi echo " " >> $PILLARFILE } @@ -560,6 +564,7 @@ function createIDH() { function createHEAVYNODE() { is_pcaplimit=true PCAP_PERCENTAGE=1 + DFREEPERCENT=75 pcapspace add_elasticsearch_to_minion add_elastic_agent_to_minion 
@@ -572,6 +577,7 @@ function createHEAVYNODE() { function createSENSOR() { is_pcaplimit=true + DFREEPERCENT=10 PCAP_PERCENTAGE=3 pcapspace add_sensor_to_minion From 1cbac11fae137961e67155122856a816989c8a60 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 6 Mar 2024 11:08:03 -0500 Subject: [PATCH 77/89] detections annotations --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 08a29766d..cb939f758 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -34,7 +34,7 @@ soc: helpLink: soc-customization.html sigma_final_pipeline__yaml: title: Final Sigma Pipeline - description: Final Processing Pipeline for Sigma Rules + description: Final Processing Pipeline for Sigma Rules (future use, not yet complete) syntax: yaml file: True global: True From 9a413a2e3189aa24bc654c9ebe388e16153b898f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Mar 2024 12:42:22 -0500 Subject: [PATCH 78/89] Fix location of repo --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index ef1df4a71..4aae0f5bd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1811,8 +1811,8 @@ repo_sync_local() { info "Adding Repo Download Configuration" mkdir -p /nsm/repo mkdir -p /opt/so/conf/reposync/cache - echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9.3" > /opt/so/conf/reposync/mirror.txt - echo "https://repo-alt.securityonion.net/prod/2.4/oracle/9.3" >> /opt/so/conf/reposync/mirror.txt + echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt + echo "https://repo-alt.securityonion.net/prod/2.4/oracle/9" >> /opt/so/conf/reposync/mirror.txt echo "[main]" > /opt/so/conf/reposync/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf 
From 7f1e786e3d1e75297ecb7bda12a63a60d6521904 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 6 Mar 2024 12:56:09 -0500 Subject: [PATCH 79/89] Consolidate PCAP settings --- salt/suricata/defaults.yaml | 16 +++---- salt/suricata/soc_suricata.yaml | 84 ++++++++++++++++----------------- 2 files changed, 50 insertions(+), 50 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 42af3fc55..0252d3a81 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -3,6 +3,14 @@ suricata: pcap: filesize: 1000mb maxsize: 25 + compression: "none" + lz4-checksum: "no" + lz4-level: 8 + filename: "%n/so-pcap.%t" + mode: "multi" + use-stream-depth: "no" + conditional: "all" + dir: "/nsm/suripcap" config: threading: set-cpu-affinity: "no" @@ -131,14 +139,6 @@ suricata: enabled: "no" pcap-log: enabled: "no" - compression: "none" - lz4-checksum: "no" - lz4-level: 8 - filename: "%n/so-pcap.%t" - mode: "multi" - use-stream-depth: "no" - conditional: "all" - dir: "/nsm/suripcap" alert-debug: enabled: "no" alert-prelude: diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 88b460af8..da7586e97 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -27,6 +27,47 @@ suricata: maxsize: description: Size in GB for total usage size of PCAP on disk. helplink: suricata.html + compression: + description: Enable compression of Suricata PCAP. Currently unsupported + advanced: True + readonly: True + helpLink: suricata.html + lz4-checksum: + description: Enable PCAP lz4 checksum. Currently unsupported + advanced: True + readonly: True + helpLink: suricata.html + lz4-level: + description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported + advanced: True + readonly: True + helpLink: suricata.html + filename: + description: Filename output for Suricata PCAP. + advanced: True + readonly: True + helpLink: suricata.html + mode: + description: Suricata PCAP mode. Currently only multi is supported. + advanced: True + readonly: True + helpLink: suricata.html + use-stream-depth: + description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. + advanced: True + regex: ^(yes|no)$ + regexFailureMessage: You must enter either yes or no. + helpLink: suricata.html + conditional: + description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules. + regex: ^(all|alert|tag)$ + regexFailureMessage: You must enter either all, alert or tag. + helpLink: suricata.html + dir: + description: Parent directory to store PCAP. + advanced: True + readonly: True + helpLink: suricata.html config: af-packet: interface: 
@@ -175,48 +216,7 @@ suricata: description: This value is ignored by SO. pcapengine in globals takes precidence. readonly: True helpLink: suricata.html - advanced: True - compression: - description: Enable compression of Suricata PCAP. Currently unsupported - advanced: True - readonly: True - helpLink: suricata.html - lz4-checksum: - description: Enable PCAP lz4 checksum. Currently unsupported - advanced: True - readonly: True - helpLink: suricata.html - lz4-level: - description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported - advanced: True - readonly: True - helpLink: suricata.html - filename: - description: Filename output for Suricata PCAP. - advanced: True - readonly: True - helpLink: suricata.html - mode: - description: Suricata PCAP mode. Currently only multi is supported. - advanced: True - readonly: True - helpLink: suricata.html - use-stream-depth: - description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. - advanced: True - regex: ^(yes|no)$ - regexFailureMessage: You must enter either yes or no. - helpLink: suricata.html - conditional: - description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules. - regex: ^(all|alert|tag)$ - regexFailureMessage: You must enter either all, alert or tag. - helpLink: suricata.html - dir: - description: Parent directory to store PCAP. - advanced: True - readonly: True - helpLink: suricata.html + advanced: True asn1-max-frames: description: Maximum nuber of asn1 frames to decode. helpLink: suricata.html From cf232534ca9a1609da8946adc24dd5f7116cfc24 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Mar 2024 14:42:07 -0500 Subject: [PATCH 80/89] move suricata.pcap to suricata.config.outputs.pcap-log --- salt/suricata/map.jinja | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 5f6e913f5..d8ce271fe 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -63,6 +63,18 @@
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine == "SURICATA" %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'filename': SURICATAMERGED.pcap.filename}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'limit': SURICATAMERGED.pcap.filesize}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'mode': SURICATAMERGED.pcap.mode}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-stream-depth': SURICATAMERGED.pcap['max-stream-depth']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %}
+{% set maxfiles = (SURICATAMERGED.pcap.maxsize / SURICATAMERGED.pcap.filesize) | round | int %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %}
 {% endif %}
 
 {# outputs is a list but we convert to dict in defaults to work with ui #}
From 583227290f1fedc68ffb9abf14b2b92c8677171d Mon Sep 17 00:00:00 2001
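Review bot: The added `'max-stream-depth'` line reads `SURICATAMERGED.pcap['max-stream-depth']`, but the key defined under `suricata.pcap` in the defaults.yaml hunk of this series is `use-stream-depth`, so this lookup fails on render (PATCH 81 later in the series corrects it). In the same block `maxsize / filesize` divides the integer `25` by the size string `1000mb`, which also cannot render; PATCH 81/82 rework that line as well. The comment `these items were placed under suricata.config for ease of access in SOC` is inaccurate too, since the keys live under `suricata.pcap`, not `suricata.config`; I would reword it to `these items live under suricata.pcap so SOC can expose them without the outputs list`. Stylistically the nine consecutive `update()` calls could be one `update({...})` with a single mapping, which keeps the key renames in one place and makes a mismatch like the one above easier to spot.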
From: m0duspwnens Date: Wed, 6 Mar 2024 15:18:22 -0500 Subject: [PATCH 81/89] fix max-files calc
---
 salt/suricata/map.jinja | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index d8ce271fe..77cdbe7c5 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -70,10 +70,11 @@
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'filename': SURICATAMERGED.pcap.filename}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'limit': SURICATAMERGED.pcap.filesize}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'mode': SURICATAMERGED.pcap.mode}) %}
-{% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-stream-depth': SURICATAMERGED.pcap['max-stream-depth']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'use-stream-depth': SURICATAMERGED.pcap['use-stream-depth']}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %}
-{% set maxfiles = (SURICATAMERGED.pcap.maxsize / SURICATAMERGED.pcap.filesize) | round | int %}
+{# multiply maxsize by 1000 since it is saved in GB, i.e. 52 = 52000MB. filesize is also saved in MB and we strip the MB and convert to int #}
+{% set maxfiles = (SURICATAMERGED.pcap.maxsize * 1000 / SURICATAMERGED.pcap.filesize[:-2] | int) | round | int %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %}
 {% endif %}
 
From 70f3ce0536b4c4aa1c7b24bbea28968ec5fb7c28 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Mar 2024 17:32:06 -0500 Subject: [PATCH 82/89] change how maxfiles is calculated
---
 salt/suricata/map.jinja | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 77cdbe7c5..6ba3c3b73 100644
--- a/salt/suricata/map.jinja
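Review bot: `SURICATAMERGED.pcap.filesize[:-2] | int` assumes `filesize` always ends in a two-character unit such as `mb`; a value like `1gb` is silently read as 1 MB, inflating `max-files` a thousandfold and letting far more PCAP accumulate than `maxsize` allows, while a value with no suffix or an unexpected one makes `| int` fall back to 0 and the division raise `ZeroDivisionError` during the Salt render. Since soc_suricata.yaml already uses `regex` on `conditional`, I would constrain the input at the source with `regex: ^[0-9]+mb$` and a matching `regexFailureMessage` on the `filesize` annotation and keep the slice as is. Jinja binds the `| int` filter tighter than `/`, so the expression does parse as intended, but explicit parentheses around `(SURICATAMERGED.pcap.filesize[:-2] | int)` would make that obvious to readers (PATCH 82 adds them). The enclosing `{% if GLOBALS.pcap_engine == "SURICATA" %}` block starts before this hunk.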
+++ b/salt/suricata/map.jinja 
@@ -8,6 +8,24 @@
 {% set surimeta_evelog_index = [] %}
 {% set surimeta_filestore_index = [] %}
+{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
+{% if GLOBALS.pcap_engine == "SURICATA" %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'filename': SURICATAMERGED.pcap.filename}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'limit': SURICATAMERGED.pcap.filesize}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'mode': SURICATAMERGED.pcap.mode}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'use-stream-depth': SURICATAMERGED.pcap['use-stream-depth']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %}
+{# multiply maxsize by 1000 since it is saved in GB, i.e. 52 = 52000MB. filesize is also saved in MB and we strip the MB and convert to int #}
+{% set maxfiles = (SURICATAMERGED.pcap.maxsize * 1000 / (SURICATAMERGED.pcap.filesize[:-2] | int) / SURICATAMERGED.config['af-packet'].threads | int) | round | int %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %}
+{% endif %}
+
 
 {# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #}
 {# we are limited to only one iterface #}
 {% load_yaml as afpacket %}
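Review bot: The new divisor `SURICATAMERGED.config['af-packet'].threads | int` turns a non-numeric thread setting into 0, so an `auto`-style value (which Suricata accepts for af-packet threads) raises `ZeroDivisionError` at render time and blocks the whole state; compute it first with `{% set pcap_threads = SURICATAMERGED.config['af-packet'].threads | int %}` and fail with a clear message in a `{% if pcap_threads < 1 %}` branch before the division. Whether `threads` is already constrained to an integer elsewhere in the suricata pillar or SOC annotations is not visible here, so please confirm. A second edge: when `maxsize * 1000 < filesize * threads` the `round` yields `max-files: 0`, and what Suricata does with a zero limit should be checked before relying on it. A short comment above the `set`, e.g. `{# max-files per thread = (maxsize GB * 1000) / (filesize MB) / af-packet threads #}`, would also spare the next reader from re-deriving the formula.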
@@ -60,24 +78,6 @@ {% do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} {% endif %} -{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #} -{% if GLOBALS.pcap_engine == "SURICATA" %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %} -{# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'filename': SURICATAMERGED.pcap.filename}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'limit': SURICATAMERGED.pcap.filesize}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'mode': SURICATAMERGED.pcap.mode}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'use-stream-depth': SURICATAMERGED.pcap['use-stream-depth']}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %} -{# multiply maxsize by 1000 since it is saved in GB, i.e. 52 = 52000MB. 
filesize is also saved in MB and we strip the MB and convert to int #} -{% set maxfiles = (SURICATAMERGED.pcap.maxsize * 1000 / SURICATAMERGED.pcap.filesize[:-2] | int) | round | int %} -{% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %} -{% endif %} - {# outputs is a list but we convert to dict in defaults to work with ui #} {# below they are converted back to lists #} {% load_yaml as outputs %} From 005930f7fd70577ced8bec4f25650ec42fb1eccd Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 7 Mar 2024 15:41:23 +0000 Subject: [PATCH 83/89] Add error.message mapping for system.syslog --- .../logs-system.syslog@custom.json | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json new file mode 100644 index 000000000..0123fb956 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json @@ -0,0 +1,22 @@ +{ + "template": { + "mappings": { + "properties": { + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} From fffef9b621d9afff1d6fcdae17c8a0fab76aadc5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 7 Mar 2024 12:31:51 -0500 Subject: [PATCH 84/89] gracefully handle status check failure on ubuntu --- salt/common/tools/sbin/so-common-status-check | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-common-status-check b/salt/common/tools/sbin/so-common-status-check index d713ba6c6..625e0f199 100644 --- a/salt/common/tools/sbin/so-common-status-check +++ b/salt/common/tools/sbin/so-common-status-check 
@@ -47,10 +47,14 @@ def check_for_fps(): fps = 1 except FileNotFoundError: fn = '/proc/sys/crypto/' + feat_full + '_enabled' - with open(fn, 'r') as f: - contents = f.read() - if '1' in contents: - fps = 1 + try: + with open(fn, 'r') as f: + contents = f.read() + if '1' in contents: + fps = 1 + except: + # Unknown, so assume 0 + fps = 0 with open('/opt/so/log/sostatus/lks_enabled', 'w') as f: f.write(str(fps)) From 40574982e4afbf458a60d77267f1b2fde460fee9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 7 Mar 2024 14:25:43 -0500 Subject: [PATCH 85/89] unswap files --- salt/common/tools/sbin/so-common-status-check | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-common-status-check b/salt/common/tools/sbin/so-common-status-check index 625e0f199..4aa981123 100644 --- a/salt/common/tools/sbin/so-common-status-check +++ b/salt/common/tools/sbin/so-common-status-check @@ -56,7 +56,7 @@ def check_for_fps(): # Unknown, so assume 0 fps = 0 - with open('/opt/so/log/sostatus/lks_enabled', 'w') as f: + with open('/opt/so/log/sostatus/fps_enabled', 'w') as f: f.write(str(fps)) def check_for_lks(): @@ -80,7 +80,7 @@ def check_for_lks(): lks = 1 if lks: break - with open('/opt/so/log/sostatus/fps_enabled', 'w') as f: + with open('/opt/so/log/sostatus/lks_enabled', 'w') as f: f.write(str(lks)) def fail(msg): From 06257b9c4a0c046ca4d44ca9b1a301f799a92ec8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 7 Mar 2024 14:32:46 -0500 Subject: [PATCH 86/89] Update so-minion --- salt/manager/tools/sbin/so-minion | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index a3d8230b5..cb4e40ade 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion 
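Review bot: The new `except:` around the fallback read is a bare except, which also swallows `KeyboardInterrupt`, `SystemExit` and programming errors such as a `NameError`; narrowing it to `except OSError:` keeps the intended behaviour (a missing or unreadable `/proc/sys/crypto/*_enabled` reports 0) without masking anything else. The comment `# Unknown, so assume 0` would be clearer as `# sysfs flag missing or unreadable on this platform; report FIPS as disabled` so an operator knows that 0 can mean "could not determine" rather than "verified off". `check_for_fps` starts before this hunk, so the initial value of `fps` is not visible here.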
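Review bot: The two swapped paths this commit corrects show the risk of spelling `/opt/so/log/sostatus/fps_enabled` and `/opt/so/log/sostatus/lks_enabled` out by hand inside each function; lifting them to module-level constants such as `FPS_STATUS_FILE = '/opt/so/log/sostatus/fps_enabled'` and `LKS_STATUS_FILE = '/opt/so/log/sostatus/lks_enabled'`, used by `check_for_fps` and `check_for_lks` respectively, would make a repeat mix-up visible at the definition rather than at the write. This applies to both hunks of the commit. The bodies of both functions extend beyond the lines shown.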
@@ -83,7 +83,7 @@ function pcapspace() { if [[ "$OPERATION" == "setup" ]]; then # Use 25% for PCAP PCAP_PERCENTAGE=1 - DFREEPERCENT=75 + DFREEPERCENT=21 local SPACESIZE=$(df -k /nsm | tail -1 | awk '{print $2}' | tr -d \n) else @@ -564,7 +564,7 @@ function createIDH() { function createHEAVYNODE() { is_pcaplimit=true PCAP_PERCENTAGE=1 - DFREEPERCENT=75 + DFREEPERCENT=21 pcapspace add_elasticsearch_to_minion add_elastic_agent_to_minion From 3eb6fe2df97b76059ec9876f082061773ec4c71b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 8 Mar 2024 09:52:12 -0500 Subject: [PATCH 87/89] allow managersearch to receiver redis and 5644 --- salt/firewall/defaults.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 75df49b25..75a70828e 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -1295,6 +1295,10 @@ firewall: portgroups: - redis - beats_5644 + managersearch: + portgroups: + - redis + - beats_5644 self: portgroups: - redis From 6680e023e4f9dcec593d78967c9f6a49eba63856 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 8 Mar 2024 12:16:59 -0500 Subject: [PATCH 88/89] Update soc_pcap.yaml --- salt/pcap/soc_pcap.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml index 32204a23a..96bc3831d 100644 --- a/salt/pcap/soc_pcap.yaml +++ b/salt/pcap/soc_pcap.yaml 
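Review bot: `DFREEPERCENT=21` is now a bare magic number repeated in `pcapspace` and `createHEAVYNODE`, with nothing saying why 21 (the soc_pcap.yaml text later in this series explains it keeps Elasticsearch below its 80% disk-usage watermark on nodes that run both Stenographer and Elasticsearch). Define it once near the top of the script, e.g. `# keep 21% free so Elasticsearch stays under its 80% disk-usage watermark on combined nodes` followed by `DFREEPERCENT_DEFAULT=21`, and reference that in both functions so the next tuning does not have to be made twice. The `# Use 25% for PCAP` comment above `PCAP_PERCENTAGE=1` in the first hunk looks stale relative to the value next to it, but the computation that uses it is outside the hunk, so please verify before changing it.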
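Review bot: The added `managersearch` entry opens `redis` and `beats_5644` to another role with no comment on why that role now needs to reach Redis, which is a sensitive internal service; a one-line comment such as `# managersearch must accept redis and beats (5644) from this group, same as the entry above` above the entry would record the intent for the next reviewer of the firewall defaults. The host group this stanza belongs to is outside the hunk (only `firewall:` is visible in the header), so I cannot confirm which source addresses gain access; please check it mirrors the preceding sibling entry rather than a broader group.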
@@ -4,32 +4,32 @@ pcap: helpLink: stenographer.html config: maxdirectoryfiles: - description: The maximum number of packet/index files to create before deleting old files. + description: By default, Stenographer limits the number of files in the pcap directory to 30000 to avoid limitations with the ext3 filesystem. However, if you're using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting. helpLink: stenographer.html diskfreepercentage: - description: The disk space percent to always keep free for PCAP + description: Stenographer will purge old PCAP on a regular basis to keep the disk free percentage at this level. If you have a distributed deployment with dedicated forward nodes, then the default value of 10 should be reasonable since Stenographer should be the main consumer of disk space in the /nsm partition. However, if you have systems that run both Stenographer and :ref:`elasticsearch` at the same time (like eval and standalone installations), then you’ll want to make sure that this value is no lower than 21 so that you avoid Elasticsearch hitting its watermark setting at 80% disk usage. If you have an older standalone installation, then you may need to manually change this value to 21. helpLink: stenographer.html blocks: - description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. + description: The number of 1MB packet blocks used by Stenographer and AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. advanced: True helpLink: stenographer.html preallocate_file_mb: - description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this. 
+ description: File size to pre-allocate for individual Stenographer PCAP files. You shouldn't need to change this. advanced: True helpLink: stenographer.html aiops: - description: The max number of async writes to allow at once. + description: The max number of async writes to allow for Stenographer at once. advanced: True helpLink: stenographer.html pin_to_cpu: - description: Enable CPU pinning for PCAP. + description: Enable CPU pinning for Stenographer PCAP. advanced: True helpLink: stenographer.html cpus_to_pin_to: - description: CPU to pin PCAP to. Currently only a single CPU is supported. + description: CPU to pin Stenographer PCAP to. Currently only a single CPU is supported. advanced: True helpLink: stenographer.html disks: - description: List of disks to use for PCAP. This is currently not used. + description: List of disks to use for Stenographer PCAP. This is currently not used. advanced: True helpLink: stenographer.html From 6f05c3976b45337fae4699c953345a80179b398b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 8 Mar 2024 11:29:46 -0700 Subject: [PATCH 89/89] Updated RulesRepo for New Strelka Structure --- salt/soc/defaults.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 5699c7722..7be2db772 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1132,7 +1132,8 @@ soc: compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py reposFolder: /opt/sensoroni/yara/repos rulesRepos: - - https://github.com/Security-Onion-Solutions/securityonion-yara + - repo: https://github.com/Security-Onion-Solutions/securityonion-yara + license: DRL yaraRulesFolder: /opt/sensoroni/yara/rules suricataengine: communityRulesFile: /nsm/rules/suricata/emerging-all.rules
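Review bot: The new `diskfreepercentage` description embeds the Sphinx role `:ref:`elasticsearch``, which only renders on the docs site; in the SOC configuration UI it will most likely appear literally, so write `Elasticsearch` in plain text there. The same description uses a curly apostrophe in `you’ll`; plain ASCII `'` avoids any encoding surprise in the UI. The `maxdirectoryfiles` and `diskfreepercentage` texts are now several sentences long in a single plain scalar; a folded block (`description: >-`) would keep the YAML readable without changing the rendered string. The requirement that the value be `no lower than 21` on combined nodes matches the `DFREEPERCENT=21` change in so-minion earlier in this series, so a comment cross-referencing that would help keep the two in step.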
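Review bot: `rulesRepos` changes shape from a list of URL strings to a list of `{repo, license}` mappings; any existing pillar override that still lists bare URLs will no longer match this schema, so the consumer that reads `rulesRepos` should either accept both forms or the upgrade notes should tell operators to convert their overrides. I cannot see the reader of this key here, so please confirm which applies. A comment on the new entry stating the accepted `license` values and what the value controls would also help, since `DRL` is otherwise an unexplained token in the defaults.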