Merge branch 'dev' into feature/script-fixes

salt/common/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
@@ -118,7 +118,7 @@ nginxtmp:
 
 so-core:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-core:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
     - hostname: so-core
     - user: socore
     - binds:
@@ -172,7 +172,7 @@ tgrafconf:
 
 so-telegraf:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
     - environment:
       - HOST_PROC=/host/proc
       - HOST_ETC=/host/etc
@@ -227,7 +227,7 @@ influxdbconf:
 
 so-influxdb:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
     - hostname: influxdb
     - environment:
       - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -385,7 +385,7 @@ dashboard-{{ SN }}:
 
 so-grafana:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
     - hostname: grafana
     - user: socore
     - binds:

salt/common/nginx/nginx.conf.so-master

@@ -88,7 +88,7 @@ http {
     #    }
 
         location /grafana/ {
-	  rewrite /grafana/(.*) /$1 break;
+          rewrite /grafana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:3000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
         }
 
         location /kibana/ {
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+	        rewrite /kibana/(.*) /$1 break;
-	  rewrite /kibana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:5601/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
         }
 
         location /navigator/ {
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
           proxy_pass http://{{ masterip }}:4200/navigator/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -151,9 +149,8 @@ http {
         }
 
         location /fleet/ {
-	  rewrite /fleet/(.*) /$1 break;
+	        rewrite /fleet/(.*) /$1 break;
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
           proxy_pass https://{{ masterip }}:8080/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -200,8 +197,7 @@ http {
         }
 
         location /sensoroni/ {
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
           proxy_pass http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -238,6 +234,26 @@ http {
 
         }
 
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }

salt/common/nginx/nginx.conf.so-mastersearch

@@ -88,7 +88,7 @@ http {
     #    }
 
         location /grafana/ {
-	  rewrite /grafana/(.*) /$1 break;
+	        rewrite /grafana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:3000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
         }
 
         location /kibana/ {
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+	        rewrite /kibana/(.*) /$1 break;
-	  rewrite /kibana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:5601/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
         }
 
         location /navigator/ {
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
           proxy_pass http://{{ masterip }}:4200/navigator/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -151,9 +149,8 @@ http {
         }
 
         location /fleet/ {
-	  rewrite /fleet/(.*) /$1 break;
+	        rewrite /fleet/(.*) /$1 break;
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
           proxy_pass https://{{ masterip }}:8080/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -212,8 +209,7 @@ http {
         }
 
         location /sensoroni/ {
-          auth_basic            "Security Onion";
+          auth_request          /so-auth/api/auth/;
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
           proxy_pass http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -250,6 +246,26 @@ http {
 
         }
 
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }

salt/common/tools/sbin/so-elastic-clear

@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion Elastic Clear
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # List indices
+        echo 
+        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        echo
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
+        echo
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+/usr/sbin/so-filebeat-stop
+/usr/sbin/so-logstash-stop
+
+# Delete data
+echo "Deleting data..."
+
+INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+for INDX in ${INDXS}
+do
+    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+done
+
+/usr/sbin/so-logstash-start
+/usr/sbin/so-filebeat-start
+

salt/common/tools/sbin/so-features-enable

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+# Modify static.sls to enable Features
+sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+SUFFIX="-features"
+TRUSTED_CONTAINERS=( \
+  "so-elasticsearch:$VERSION$SUFFIX" \
+  "so-filebeat:$VERSION$SUFFIX" \
+  "so-kibana:$VERSION$SUFFIX" \
+  "so-logstash:$VERSION$SUFFIX" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+done
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+done

salt/common/tools/sbin/so-nsm-clear

@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion NSM Data Deletion
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+delete_pcap() {
+  PCAP_DATA="/nsm/pcap/"
+  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+}
+delete_suricata() {
+  SURI_LOG="/opt/so/log/suricata/eve.json"
+  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+}
+delete_zeek() {
+  ZEEK_LOG="/nsm/zeek/logs/"
+  [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+}
+
+delete_pcap
+delete_suricata
+delete_zeek
+

salt/common/tools/sbin/so-pcap-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1

salt/common/tools/sbin/so-pcap-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1

salt/common/tools/sbin/so-pcap-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1

salt/common/tools/sbin/so-wazuh-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,6 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-wazuh && sudo docker rm so-wazuh && salt-call state.apply wazuh
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart wazuh $1

salt/common/tools/sbin/so-wazuh-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-wazuh
+. /usr/sbin/so-common
+
+/usr/sbin/so-start wazuh $1
+

salt/common/tools/sbin/so-wazuh-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-wazuh
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop wazuh $1
+

salt/curator/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
 # Curator
@@ -116,7 +116,7 @@ curdel:
 
 so-curator:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-curator:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-curator:{{ VERSION }}
     - hostname: curator
     - name: so-curator
     - user: curator

salt/elastalert/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}
 
@@ -112,7 +112,7 @@ elastaconf:
 
 so-elastalert:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }}
     - hostname: elastalert
     - name: so-elastalert
     - user: elastalert

salt/elasticsearch/init.sls

@@ -12,8 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
+
 {% if grains['role'] == 'so-master' %}
 
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
@@ -102,7 +109,7 @@ eslogdir:
 
 so-elasticsearch:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }}
     - hostname: elasticsearch
     - name: so-elasticsearch
     - user: elasticsearch

salt/filebeat/init.sls

@@ -12,9 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
 
 # Filebeat Setup
 filebeatetcdir:
@@ -49,7 +55,7 @@ filebeatconfsync:
 
 so-filebeat:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
     - hostname: so-filebeat
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}

salt/fleet/init.sls

@@ -1,7 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') -%}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 # Fleet Setup
@@ -63,7 +63,7 @@ fleetdbpriv:
 
 so-fleet:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:{{ VERSION }}
     - hostname: so-fleet
     - port_bindings:
       - 0.0.0.0:8080:8080

salt/hive/init.sls

@@ -1,5 +1,5 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 hiveconfdir:
   file.directory:
@@ -57,7 +57,7 @@ hiveesdata:
 
 so-thehive-es:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }}
     - hostname: so-thehive-es
     - name: so-thehive-es
     - user: 939
@@ -85,7 +85,7 @@ so-thehive-es:
 # Install Cortex
 so-cortex:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }}
     - hostname: so-cortex
     - name: so-cortex
     - user: 939
@@ -102,7 +102,7 @@ cortexscript:
 
 so-thehive:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:{{ VERSION }}
     - environment:
       - ELASTICSEARCH_HOST={{ MASTERIP }}
     - hostname: so-thehive

salt/idstools/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # IDSTools Setup
 idstoolsdir:
@@ -64,7 +64,7 @@ ruleslink:
 
 so-idstools:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:{{ VERSION }}
     - hostname: so-idstools
     - user: socore
     - binds:

salt/kibana/init.sls

@@ -1,5 +1,11 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
 
 # Add ES Group
 kibanasearchgroup:
@@ -56,7 +62,7 @@ synckibanacustom:
 # Start the kibana docker
 so-kibana:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }}
     - hostname: kibana
     - user: kibana
     - environment:

salt/logstash/init.sls

@@ -12,8 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
+
 # Logstash Section - Decide which pillar to use
 {% if grains['role'] == 'so-sensor' %}
 
@@ -200,7 +207,7 @@ lslogdir:
 
 so-logstash:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }}
     - hostname: so-logstash
     - name: so-logstash
     - user: logstash

salt/master/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}
 
@@ -59,7 +59,7 @@ acngcopyconf:
 # Install the apt-cacher-ng container
 so-aptcacherng:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-acng:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }}
     - hostname: so-acng
     - port_bindings:
       - 0.0.0.0:3142:3142

salt/mysql/init.sls

@@ -1,7 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # MySQL Setup
 mysqlpkgs:
@@ -52,7 +52,7 @@ mysqldatadir:
 
 so-mysql:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:{{ VERSION }}
     - hostname: so-mysql
     - user: socore
     - port_bindings:

salt/pcap/files/config

@@ -11,6 +11,6 @@
   , "Interface": "{{ interface }}"
   , "Port": 1234
   , "Host": "127.0.0.1"
-  , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"{{ bpf_compiled }}]
+  , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}]
   , "CertPath": "/etc/stenographer/certs"
 }

salt/pcap/init.sls

@@ -12,8 +12,12 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
+{% set BPF_COMPILED = "" %}
+
 # PCAP Section
 
 # Create the logstash group
@@ -36,31 +40,18 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
-{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% if BPF_STENO %}
-{% set bpf_global = salt['pillar.get']('static:steno:bpf', None) %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" ")  ) %}
-{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %}
+   {% if BPF_CALC['stderr'] == "" %}
-
+      {% set BPF_COMPILED =  ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\""  %}
-{% if bpf_steno != None or bpf_global != None %}
-   {% if bpf_steno != None %}
-      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %}
-   {% else %}
-      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_global) %}
-   {% endif %}
-   {% if bpf_calc['stderr'] == "" %}
-      {% set bpf_compiled = bpf_calc['stdout'] %}
    {% else  %}
-         {% set bpf_compiled = None %}
 
 bpfcompilationfailure:
   test.configurable_test_state:
-   - name: bpfcompfailure
    - changes: False
    - result: False
-   - comment: "BPF Compilation Failed - Discarding specified BPF"
+   - comment: "BPF Compilation Failed - Discarding Specified BPF"
-
    {% endif %}
-{% else  %}
-   {% set bpf_compiled = None %}
 {% endif %}
 
 stenoconf:
@@ -72,11 +63,7 @@ stenoconf:
     - mode: 644
     - template: jinja
     - defaults:
-        bpf_compiled: ""
+        BPF_COMPILED: "{{ BPF_COMPILED }}"
-{% if bpf_compiled != None %}
-    - context:
-        bpf_compiled: ',"--filter={{ bpf_compiled }}"'
-{% endif %}
 
 sensoroniagentconf:
   file.managed:
@@ -130,7 +117,7 @@ stenolog:
 
 so-steno:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
     - network_mode: host
     - privileged: True
     - port_bindings:

salt/playbook/init.sls

@@ -1,5 +1,5 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 playbookdb:
@@ -28,7 +28,7 @@ navigatorconfig:
 
 so-playbook:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:{{ VERSION }}
     - hostname: playbook
     - name: so-playbook
     - binds:
@@ -38,7 +38,7 @@ so-playbook:
 
 so-navigator:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:{{ VERSION }}
     - hostname: navigator
     - name: so-navigator
     - binds:

salt/redis/init.sls

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 # Redis Setup
@@ -48,7 +48,7 @@ redisconfsync:
 
 so-redis:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-redis:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }}
     - hostname: so-redis
     - user: socore
     - port_bindings:

salt/sensoroni/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 sensoronidir:
@@ -32,7 +32,7 @@ sensoronisync:
 
 so-sensoroni:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:{{ VERSION }}
     - hostname: sensoroni
     - name: so-sensoroni
     - binds:

salt/soctopus/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 soctopusdir:
@@ -49,7 +49,7 @@ navigatordefaultlayer:
 
 so-soctopus:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }}
     - hostname: soctopus
     - name: so-soctopus
     - binds:

salt/suricata/init.sls

@@ -15,8 +15,10 @@
 
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BROVER = salt['pillar.get']('static:broversion', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
+
 
 # Suricata
 
@@ -80,9 +82,33 @@ surithresholding:
     - group: 940
     - template: jinja
 
+# BPF compilation and configuration
+{% if BPF_NIDS %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] != "" %}
+suribpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+   - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+suribpf:
+  file.managed:
+    - name: /opt/so/conf/suricata/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_CALC['stderr'] == "" %}
+    - contents_pillar: nids:bpf
+   {% else %}
+    - contents:
+      - ""
+   {% endif %}
+    
 so-suricata:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:{{ VERSION }}
     - privileged: True
     - environment:
       - INTERFACE={{ interface }}
@@ -91,8 +117,10 @@ so-suricata:
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
+      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
     - network_mode: host
     - watch:
       - file: /opt/so/conf/suricata/suricata.yaml
       - file: surithresholding
       - file: /opt/so/conf/suricata/rules/
+      - file: /opt/so/conf/suricata/bpf

salt/tcpreplay/init.sls

@@ -1,11 +1,11 @@
 {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 so-tcpreplay:
   docker_container.running:
     - network_mode: "host"
-    - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }}
     - name: so-tcpreplay
     - user: root
     - interactive: True

salt/wazuh/init.sls

@@ -1,5 +1,5 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # Add ossec group
 ossecgroup:
@@ -74,7 +74,7 @@ wazuhmgrwhitelist:
 
 so-wazuh:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }}
     - hostname: {{HOSTNAME}}-wazuh-manager
     - name: so-wazuh
     - detach: True

salt/zeek/files/local.zeek

@@ -118,3 +118,6 @@
 # Write logs in JSON
 redef LogAscii::use_json = T;
 redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+
+# CVE-2020-0601
+@load cve-2020-0601

salt/zeek/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # Zeek Salt State
 # Add Zeek group
@@ -100,7 +100,7 @@ localzeeksync:
 
 so-zeek:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:{{ VERSION }}
     - privileged: True
     - binds:
       - /nsm/zeek/logs:/nsm/zeek/logs:rw

salt/zeek/policy/cve-2020-0601/COPYING

@@ -0,0 +1,27 @@
+Copyright (c) 2019, Johanna Amann. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+Note that some files in the distribution may carry their own copyright
+notices.
+

salt/zeek/policy/cve-2020-0601/__load__.zeek

@@ -0,0 +1 @@
+@load ./cve-2020-0601

salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek

@@ -0,0 +1,41 @@
+module CVE_2020_0601;
+
+export {
+        ## set to yes, to log suspicious certificates.
+        option log_certs = F;
+
+        ## The logging stream identifier.
+        redef enum Log::ID += { LOG };
+
+        ## The record type which contains column fields of the certificate log.
+        type Info: record {
+                ## Timestamp when this record is written.
+                ts:          time   &log;
+                ## File-id of the cerfificate
+                fuid:        string &log;
+                ## Certificate encoded as base64
+                certificate: string &log;
+        };
+
+        redef enum Notice::Type += {
+                ## An ECC certificate with an unknown curve was encountered
+                Unknown_X509_Curve
+        };
+}
+
+event zeek_init()
+        {
+        Log::create_stream(CVE_2020_0601::LOG, [$columns=Info, $path="cve-2020-0601-certs"]);
+        }
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+        {
+        if ( cert?$key_alg && cert$key_alg == "id-ecPublicKey" && ! cert?$curve )
+                {
+                NOTICE([$note=Unknown_X509_Curve, $f=f, $msg="ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt"]);
+
+                if ( log_certs )
+                        Log::write(CVE_2020_0601::LOG, Info($ts=network_time(), $fuid=f$id, $certificate=encode_base64(x509_get_certificate_string(cert_ref, F))));
+                }
+        }
+

setup/so-functions

@@ -714,7 +714,7 @@ master_static() {
   touch /opt/so/saltstack/pillar/static.sls
 
   echo "static:" > /opt/so/saltstack/pillar/static.sls
-  echo "  soversion: 1.1.4" >> /opt/so/saltstack/pillar/static.sls
+  echo "  soversion: HH1.1.4" >> /opt/so/saltstack/pillar/static.sls
   echo "  hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls
   echo "  ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls
   echo "  proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls
@@ -732,6 +732,8 @@ master_static() {
   echo "  cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls
   echo "  fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
   echo "  sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
+  echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
+  echo "  features: False" >> /opt/so/saltstack/pillar/static.sls
   if [[ $MASTERUPDATES == 'MASTER' ]]; then
     echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
   else