CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' of github.com:Security-Onion-Solutions/securityonion-saltstack into feature/registry

Browse Source 
# Conflicts:
#	salt/common/init.sls
#	salt/elasticsearch/init.sls
#	salt/filebeat/init.sls
#	salt/hive/init.sls
#	salt/kibana/init.sls
#	salt/logstash/init.sls
#	salt/suricata/init.sls
#	salt/tcpreplay/init.sls
#	salt/wazuh/init.sls
This commit is contained in:
William Wernert
2020-01-14 15:48:56 -05:00
parent 916f77f0f2 d84cc41e12
commit 54fb2ad244
92 changed files with 4374 additions and 315 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
pillar/thresholding/pillar.example Normal file
View File

@@ -0,0 +1,44 @@
thresholding:
sids:
8675309:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
11223344:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24

20
pillar/thresholding/pillar.usage Normal file
View File

@@ -0,0 +1,20 @@
thresholding:
sids:
<signature id>:
- threshold:
gen_id: <generator id>
type: <threshold | limit | both>
track: <by_src | by_dst>
count: <count>
seconds: <seconds>
- rate_filter:
gen_id: <generator id>
track: <by_src | by_dst | by_rule | by_both>
count: <count>
seconds: <seconds>
new_action: <alert | pass>
timeout: <seconds>
- suppress:
gen_id: <generator id>
track: <by_src | by_dst | by_either>
ip: <ip | subnet>

11
pillar/top.sls
View File

@@ -3,20 +3,20 @@ base:
- patch.needs_restarting - patch.needs_restarting
'G@role:so-sensor': 'G@role:so-sensor':
- sensors.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- brologs - brologs
'G@role:so-master': 'G@role:so-master':
- masters.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- data.* - data.*
- auth - auth
'G@role:so-eval': 'G@role:so-eval':
- masters.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- data.* - data.*
@@ -24,13 +24,12 @@ base:
- auth - auth
'G@role:so-node': 'G@role:so-node':
- nodes.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
'G@role:so-helix': 'G@role:so-helix':
- masters.{{ grains.id }} - minions.{{ grains.id }}
- sensors.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- fireeye - fireeye

38
salt/auth/init.sls Normal file
View File

@@ -0,0 +1,38 @@
so-auth-api-dir:
file.directory:
- name: /opt/so/conf/auth/api
- user: 939
- group: 939
- makedirs: True
so-auth-api-image:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.4
so-auth-ui-image:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.4
so-auth-api:
docker_container.running:
- require:
- so-auth-api-image
- image: docker.io/soshybridhunter/so-auth-api:HH1.1.4
- hostname: so-auth-api
- name: so-auth-api
- environment:
- BASE_PATH: "/so-auth/api"
- binds:
- /opt/so/conf/auth/api:/data
- port_bindings:
- 0.0.0.0:5656:5656
so-auth-ui:
docker_container.running:
- require:
- so-auth-ui-image
- image: docker.io/soshybridhunter/so-auth-ui:HH1.1.4
- hostname: so-auth-ui
- name: so-auth-ui
- port_bindings:
- 0.0.0.0:4242:80

63
salt/bro/cron/zeek_clean Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
clean () {
SENSOR_DIR='/nsm'
CRIT_DISK_USAGE=90
CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
LOG="/nsm/bro/logs/zeek_clean.log"
if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
do
TODAY=$(date -u "+%Y-%m-%d")
# find the oldest Zeek logs directory and exclude today
OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1)
if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
then
echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
exit 0
else
echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG
rm -rf /nsm/bro/logs/"$OLDEST_DIR"
fi
# find oldest files in extracted directory and exclude today
OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
then
echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG
else
OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
do
echo "$(date) - Removing extracted file: $FILE" >> $LOG
rm -f "$FILE"
done
fi
done
else
echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
fi
}
clean

15
salt/bro/init.sls
View File

@@ -79,6 +79,21 @@ plcronscript:
- source: salt://bro/cron/packetloss.sh - source: salt://bro/cron/packetloss.sh
- mode: 755 - mode: 755
zeekcleanscript:
file.managed:
- name: /usr/local/bin/zeek_clean
- source: salt://bro/cron/zeek_clean
- mode: 755
/usr/local/bin/zeek_clean:
cron.present:
- user: root
- minute: '*'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
/usr/local/bin/packetloss.sh: /usr/local/bin/packetloss.sh:
cron.present: cron.present:
- user: root - user: root

42
salt/common/nginx/nginx.conf.so-eval
View File

@@ -100,8 +100,7 @@ http {
} }
location /kibana/ { location /kibana/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
rewrite /kibana/(.*) /$1 break; rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:5601/; proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90; proxy_read_timeout 90;
@@ -126,8 +125,7 @@ http {
location /navigator/ { location /navigator/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:4200/navigator/; proxy_pass http://{{ masterip }}:4200/navigator/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
@@ -186,18 +184,6 @@ http {
} }
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ { location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/; proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90; proxy_read_timeout 90;
@@ -210,8 +196,7 @@ http {
} }
location /sensoroni/ { location /sensoroni/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:9822/; proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
@@ -244,8 +229,27 @@ http {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
} }
location /so-auth/loginpage/ {
proxy_pass http://{{ masterip }}:4242/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /so-auth/api/ {
proxy_pass http://{{ masterip }}:5656/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
}
error_page 401 = @error401;
location @error401 {
add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
return 302 http://{{ masterip }}/so-auth/loginpage/;
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }

12
salt/common/nginx/nginx.conf.so-master
View File

@@ -188,18 +188,6 @@ http {
} }
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ { location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/; proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90; proxy_read_timeout 90;

75
salt/common/tools/sbin/so-allow
View File

@@ -1,15 +1,54 @@
#!/bin/bash #!/bin/bash
got_root() { #
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Make sure you are root . /usr/sbin/so-common
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
} SKIP=0
got_root while getopts "abowi:" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
a)
FULLROLE="analyst"
SKIP=1
;;
b)
FULLROLE="beats_endpoint"
SKIP=1
;;
i) IP=$OPTARG
;;
o)
FULLROLE="osquery_endpoint"
SKIP=1
;;
w)
FULLROLE="wazuh_endpoint"
SKIP=1
;;
esac
done
if [ "$SKIP" -eq 0 ]; then
echo "This program allows you to add a firewall rule to allow connections from a new IP address." echo "This program allows you to add a firewall rule to allow connections from a new IP address."
echo "" echo ""
@@ -38,5 +77,25 @@ else
exit 1 exit 1
fi fi
fi
echo "Adding $IP to the $FULLROLE role. This can take a few seconds" echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
# Check if Wazuh enabled
if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
# If analyst, add to Wazuh AR whitelist
if [ "$FULLROLE" == "analyst" ]; then
WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
DATE=`date`
sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n <global>\n <white_list>$IP</white_list>\n </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
echo
echo "Restarting OSSEC Server..."
/usr/sbin/so-wazuh-restart
fi
fi
fi

20
salt/common/tools/sbin/so-cortex-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart cortex $1

20
salt/common/tools/sbin/so-cortex-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start cortex $1

20
salt/common/tools/sbin/so-cortex-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop cortex $1

20
salt/common/tools/sbin/so-curator-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart curator $1

20
salt/common/tools/sbin/so-curator-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start curator $1

20
salt/common/tools/sbin/so-curator-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop curator $1

1000
salt/common/tools/sbin/so-elastalert-create Normal file
View File

File diff suppressed because it is too large Load Diff

20
salt/common/tools/sbin/so-elastalert-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elastalert $1

20
salt/common/tools/sbin/so-elastalert-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elastalert $1

20
salt/common/tools/sbin/so-elastalert-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elastalert $1

142
salt/common/tools/sbin/so-elastalert-test Normal file
View File

@@ -0,0 +1,142 @@
#!/bin/bash
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Originally written by Bryant Treacle
# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
# Modified by Doug Burks and Wes Lambert
#
# Purpose: This script will allow you to test your elastalert rule without entering the Docker container.
. /usr/sbin/so-elastic-common
OPTIONS=""
SKIP=0
RESULTS_TO_LOG="n"
RULE_NAME=""
FILE_SAVE_LOCATION=""
usage()
{
cat <<EOF
Test Elastalert Rule
Options:
-h This message
-a Trigger real alerts instead of the debug alert
-l <path_to_file> Write results to specified log file
-o '<options>' Specify Elastalert options ( Ex. --schema-only , --count-only, --days N )
-r <rule_name> Specify path/name of rule to test
EOF
}
while getopts "hal:o:r:" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
a)
OPTIONS="--alert"
;;
l)
RESULTS_TO_LOG="y"
FILE_SAVE_LOCATION=$OPTARG
;;
o)
OPTIONS=$OPTARG
;;
r)
RULE_NAME=$OPTARG
SKIP=1
;;
*)
usage
exit 0
;;
esac
done
docker_exec(){
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
else
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
fi
}
rule_prompt(){
CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
echo
echo "This script will allow you to test an Elastalert rule."
echo
echo "Below is a list of active Elastalert rules:"
echo
echo "-----------------------------------"
echo
echo "$CURRENT_RULES"
echo
echo "-----------------------------------"
echo
echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
echo
echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
echo
while [ -z $RULE_NAME ]; do
echo "Please enter the file path and rule name you want to test."
read -e RULE_NAME
done
}
log_save_prompt(){
RESULTS_TO_LOG=""
while [ -z $RESULTS_TO_LOG ]; do
echo "The results can be rather long. Would you like to write the results to a file? (Y/N)"
read RESULTS_TO_LOG
done
}
log_path_prompt(){
while [ -z $FILE_SAVE_LOCATION ]; do
echo "Please enter the file path and file name."
read -e FILE_SAVE_LOCATION
done
echo "Depending on the rule this may take a while."
}
if [ $SKIP -eq 0 ]; then
rule_prompt
log_save_prompt
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
log_path_prompt
fi
fi
docker_exec
if [ $? -eq 0 ]; then
echo "Test completed successfully!"
else
echo "Something went wrong..."
fi
echo

33
salt/common/tools/sbin/so-elastic-diagnose Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Source common settings
. /usr/sbin/so-common
# Check for log files
for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
# If file exists, then look for errors or warnings
if [ -f $FILE ]; then
MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE`
if [ ! -z "$MESSAGE" ]; then
header $FILE
echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
echo
fi
fi
done

20
salt/common/tools/sbin/so-elasticsearch-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elasticsearch $1

11
salt/common/tools/sbin/so-filebeat-restart
View File

@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
docker stop so-filebeat && sudo docker rm so-filebeat && salt-call state.apply filebeat
. /usr/sbin/so-common
/usr/sbin/so-restart filebeat $1

11
salt/common/tools/sbin/so-filebeat-start
View File

@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
docker rm so-filebeat && salt-call state.apply filebeat
. /usr/sbin/so-common
/usr/sbin/so-start filebeat $1

11
salt/common/tools/sbin/so-filebeat-stop
View File

@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
docker stop so-filebeat
. /usr/sbin/so-common
/usr/sbin/so-stop filebeat $1

20
salt/common/tools/sbin/so-fleet-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart fleet $1

20
salt/common/tools/sbin/so-fleet-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start fleet $1

20
salt/common/tools/sbin/so-fleet-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop fleet $1

20
salt/common/tools/sbin/so-grafana-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart grafana $1

20
salt/common/tools/sbin/so-grafana-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start grafana $1

20
salt/common/tools/sbin/so-grafana-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop grafana $1

20
salt/common/tools/sbin/so-kibana-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart kibana $1

20
salt/common/tools/sbin/so-kibana-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start kibana $1

20
salt/common/tools/sbin/so-kibana-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop kibana $1

20
salt/common/tools/sbin/so-logstash-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start logstash $1

20
salt/common/tools/sbin/so-logstash-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop logstash $1

20
salt/common/tools/sbin/so-mysql-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart mysql $1

20
salt/common/tools/sbin/so-mysql-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start mysql $1

20
salt/common/tools/sbin/so-mysql-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop mysql $1

20
salt/common/tools/sbin/so-playbook-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart playbook $1

20
salt/common/tools/sbin/so-playbook-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start playbook $1

20
salt/common/tools/sbin/so-playbook-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop playbook $1

20
salt/common/tools/sbin/so-redis-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart redis $1

20
salt/common/tools/sbin/so-redis-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start redis $1

20
salt/common/tools/sbin/so-redis-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop redis $1

5
salt/common/tools/sbin/so-restart
View File

@@ -20,7 +20,7 @@
. /usr/sbin/so-common . /usr/sbin/so-common
echo $banner echo $banner
printf "Restarting $1\n" printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner echo $banner
if [ "$2" = "--force" ] if [ "$2" = "--force" ]
@@ -31,6 +31,5 @@ fi
case $1 in case $1 in
"cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;; "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
"fleet") docker stop so-fleet so-redis && docker rm so-fleet so-redis && salt-call state.apply fleet queue=True;; *) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
*) docker stop so-$1 && docker rm so-$1 && salt-call state.apply $1 queue=True;;
esac esac

20
salt/common/tools/sbin/so-soctopus-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart soctopus $1

20
salt/common/tools/sbin/so-soctopus-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start soctopus $1

20
salt/common/tools/sbin/so-soctopus-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop soctopus $1

37
salt/common/tools/sbin/so-start
View File

@@ -1 +1,36 @@
sudo salt-call state.highstate #!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-start all | filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner
if [ "$2" = "--force" ]
then
printf "\nForce-stopping all Salt jobs before proceeding\n\n"
salt-call saltutil.kill_all_jobs
fi
case $1 in
"all") salt-call state.highstate queue=True;;
*) if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi
esac

27
salt/common/tools/sbin/so-stop Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-stop filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Stopping $1...\n"
echo $banner
docker stop so-$1 ; docker rm so-$1

28
salt/common/tools/sbin/so-tcpreplay Executable file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
if [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
docker cp so-tcpreplay:/opt/samples /opt/samples
docker exec -it so-tcpreplay /usr/bin/tcpreplay -i bond0 -M10 $1
else
echo "Replay functionality not enabled! To enable, run `so-tcpreplay-start`"
echo
echo "Note that you will need internet access to download the appropiriate components"
fi

21
salt/common/tools/sbin/so-tcpreplay-restart Executable file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart tcreplay $1

20
salt/common/tools/sbin/so-tcpreplay-start Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start tcpreplay $1

21
salt/common/tools/sbin/so-tcpreplay-stop Executable file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop tcpreplay $1

20
salt/common/tools/sbin/so-thehive-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart thehive $1

20
salt/common/tools/sbin/so-thehive-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start thehive $1

20
salt/common/tools/sbin/so-thehive-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop thehive $1

2
salt/common/tools/sbin/so-wazuh-start
View File

@@ -14,4 +14,4 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
docker rm so-wazuh && salt-call state.apply wazuh docker stop so-wazuh

20
salt/common/tools/sbin/so-zeek-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart bro $1

20
salt/common/tools/sbin/so-zeek-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start bro $1

20
salt/common/tools/sbin/so-zeek-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop bro $1

4
salt/cyberchef/init.sls
View File

@@ -42,13 +42,13 @@ cybercheflog:
so-cyberchefimage: so-cyberchefimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.4 - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3
so-cyberchef: so-cyberchef:
docker_container.running: docker_container.running:
- require: - require:
- so-cyberchefimage - so-cyberchefimage
- image: docker.io/soshybridhunter/so-cyberchef:HH1.1.4 - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
- interactive: True - interactive: True
- binds: - binds:
- /opt/so/saltstack/salt/cyberchef/build:/prod:rw - /opt/so/saltstack/salt/cyberchef/build:/prod:rw

51
salt/domainstats/init.sls Normal file
View File

@@ -0,0 +1,51 @@
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Create the group
dstatsgroup:
group.present:
- name: domainstats
- gid: 936
# Add user
domainstats:
user.present:
- uid: 936
- gid: 936
- home: /opt/so/conf/domainstats
- createhome: False
# Create the log directory
dstatslogdir:
file.directory:
- name: /opt/so/log/domainstats
- user: 936
- group: 939
- makedirs: True
so-domainstatsimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
so-domainstats:
docker_container.running:
- require:
- so-domainstatsimage
- image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
- hostname: domainstats
- name: so-domainstats
- user: domainstats
- binds:
- /opt/so/log/domainstats:/var/log/domain_stats

71
salt/elastalert/files/modules/so/thehive.py
View File

@@ -1,51 +1,45 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from __future__ import unicode_literals # HiveAlerter modified from original at: https://raw.githubusercontent.com/Nclose-ZA/elastalert_hive_alerter/master/elastalert_hive_alerter/hive_alerter.py
import uuid import uuid
import re
from elastalert.alerts import Alerter from elastalert.alerts import Alerter
from thehive4py.api import TheHiveApi from thehive4py.api import TheHiveApi
from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper
class TheHiveAlerter(Alerter): class TheHiveAlerter(Alerter):
""" """
Use matched data to create alerts containing observables in an instance of TheHive Use matched data to create alerts containing observables in an instance of TheHive
This is a modified version for use with Security Onion
""" """
required_options = set(['hive_connection', 'hive_alert_config']) required_options = set(['hive_connection', 'hive_alert_config'])
def alert(self, matches): def get_aggregation_summary_text(self, matches):
text = super(TheHiveAlerter, self).get_aggregation_summary_text(matches)
connection_details = self.rule['hive_connection'] if text:
text = '```\n{0}```\n'.format(text)
api = TheHiveApi( return text
connection_details.get('hive_host'),
connection_details.get('hive_apikey', ''),
proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
cert=connection_details.get('hive_verify', False))
for match in matches:
context = {'rule': self.rule, 'match': match}
def create_artifacts(self, match):
artifacts = [] artifacts = []
context = {'rule': self.rule, 'match': match}
for mapping in self.rule.get('hive_observable_data_mapping', []): for mapping in self.rule.get('hive_observable_data_mapping', []):
for observable_type, match_data_key in mapping.items(): for observable_type, match_data_key in mapping.items():
try: try:
match_data_keys = re.findall(r'\{match\[([^\]]*)\]', match_data_key)
rule_data_keys = re.findall(r'\{rule\[([^\]]*)\]', match_data_key)
data_keys = match_data_keys + rule_data_keys
context_keys = list(context['match'].keys()) + list(context['rule'].keys())
if all([True if k in context_keys else False for k in data_keys]):
artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context))) artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
except KeyError: except KeyError as e:
raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context)) print(('format string {} fail cause no key {} in {}'.format(e, match_data_key, context)))
return artifacts
def create_alert_config(self, match):
context = {'rule': self.rule, 'match': match}
alert_config = { alert_config = {
'artifacts': artifacts, 'artifacts': self.create_artifacts(match),
'sourceRef': str(uuid.uuid4())[0:6], 'sourceRef': str(uuid.uuid4())[0:6],
'title': '{rule[index]}_{rule[name]}'.format(**context) 'title': '{rule[name]}'.format(**context)
} }
alert_config.update(self.rule.get('hive_alert_config', {})) alert_config.update(self.rule.get('hive_alert_config', {}))
for alert_config_field, alert_config_value in alert_config.items(): for alert_config_field, alert_config_value in alert_config.items():
@@ -70,12 +64,41 @@ class TheHiveAlerter(Alerter):
formatted_list.append(element) formatted_list.append(element)
alert_config[alert_config_field] = formatted_list alert_config[alert_config_field] = formatted_list
return alert_config
def send_to_thehive(self, alert_config):
connection_details = self.rule['hive_connection']
api = TheHiveApi(
connection_details.get('hive_host', ''),
connection_details.get('hive_apikey', ''),
proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
cert=connection_details.get('hive_verify', False))
alert = Alert(**alert_config) alert = Alert(**alert_config)
response = api.create_alert(alert) response = api.create_alert(alert)
if response.status_code != 201: if response.status_code != 201:
raise Exception('alert not successfully created in TheHive\n{}'.format(response.text)) raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
def alert(self, matches):
if self.rule.get('hive_alert_config_type', 'custom') != 'classic':
for match in matches:
alert_config = self.create_alert_config(match)
self.send_to_thehive(alert_config)
else:
alert_config = self.create_alert_config(matches[0])
artifacts = []
for match in matches:
artifacts += self.create_artifacts(match)
if 'related_events' in match:
for related_event in match['related_events']:
artifacts += self.create_artifacts(related_event)
alert_config['artifacts'] = artifacts
alert_config['title'] = self.create_title(matches)
alert_config['description'] = self.create_alert_body(matches)
self.send_to_thehive(alert_config)
def get_info(self): def get_info(self):
return { return {

8
salt/elasticsearch/init.sls
View File

@@ -1,4 +1,4 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
@@ -18,22 +18,16 @@
{% set esclustername = salt['pillar.get']('master:esclustername', '') %} {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
{% set esheap = salt['pillar.get']('master:esheap', '') %} {% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% elif grains['role'] == 'so-eval' %} {% elif grains['role'] == 'so-eval' %}
{% set esclustername = salt['pillar.get']('master:esclustername', '') %} {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
{% set esheap = salt['pillar.get']('master:esheap', '') %} {% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% elif grains['role'] == 'so-node' %} {% elif grains['role'] == 'so-node' %}
{% set esclustername = salt['pillar.get']('node:esclustername', '') %} {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
{% set esheap = salt['pillar.get']('node:esheap', '') %} {% set esheap = salt['pillar.get']('node:esheap', '') %}
{% set freq = salt['pillar.get']('node:freq', '0') %}
{% set dstats = salt['pillar.get']('node:dstats', '0') %}
{% endif %} {% endif %}

14
salt/filebeat/etc/filebeat.yml
View File

@@ -3,6 +3,7 @@
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %} {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
{%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %} {%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %}
{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
name: {{ HOSTNAME }} name: {{ HOSTNAME }}
@@ -126,6 +127,19 @@ filebeat.prospectors:
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- endif %}
{%- if STRELKAENABLED == '1' %}
- type: log
paths:
- /opt/so/log/strelka/strelka.log
fields:
type: strelka
fields_under_root: true
clean_removed: false
close_removed: false
{%- endif %} {%- endif %}
#----------------------------- Logstash output --------------------------------- #----------------------------- Logstash output ---------------------------------
output.logstash: output.logstash:

52
salt/freqserver/init.sls Normal file
View File

@@ -0,0 +1,52 @@
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Create the user
fservergroup:
group.present:
- name: freqserver
- gid: 935
# Add ES user
freqserver:
user.present:
- uid: 935
- gid: 935
- home: /opt/so/conf/freqserver
- createhome: False
# Create the log directory
freqlogdir:
file.directory:
- name: /opt/so/log/freq_server
- user: 935
- group: 935
- makedirs: True
so-freqimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
so-freq:
docker_container.running:
- require:
- so-freqimage
- image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
- hostname: freqserver
- name: so-freqserver
- user: freqserver
- binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw

2
salt/hive/thehive/scripts/hive_init.sh
View File

@@ -16,7 +16,7 @@ hive_init(){
COUNT=0 COUNT=0
HIVE_CONNECTED="no" HIVE_CONNECTED="no"
while [[ "$COUNT" -le 240 ]]; do while [[ "$COUNT" -le 240 ]]; do
curl --output /dev/null --silent --head --fail "https://$HIVE_IP:/thehive" curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP:/thehive"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
HIVE_CONNECTED="yes" HIVE_CONNECTED="yes"
echo "connected!" echo "connected!"

0
salt/logstash/conf/conf.enabled.txt.storage → salt/logstash/conf/conf.enabled.txt.search
View File

BIN
salt/playbook/files/redmine.db
View File

Binary file not shown.

423
salt/strelka/files/backend/backend.yaml Normal file
View File

@@ -0,0 +1,423 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
logging_cfg: '/etc/strelka/logging.yaml'
limits:
max_files: 5000
time_to_live: 900
max_depth: 15
distribution: 600
scanner: 150
coordinator:
addr: '{{ ip }}:6380'
db: 0
tasting:
mime_db: null
yara_rules: '/etc/strelka/taste/'
scanners:
'ScanBase64':
- positive:
filename: '^base64_'
priority: 5
'ScanBatch':
- positive:
flavors:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDocx':
- positive:
flavors:
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
priority: 5
options:
extract_text: False
'ScanElf':
- positive:
flavors:
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
priority: 5
'ScanEmail':
- positive:
flavors:
- 'application/vnd.ms-outlook'
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEntropy':
- positive:
flavors:
- '*'
priority: 5
'ScanExiftool':
- positive:
flavors:
- 'application/msword'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'olecf_file'
- 'ooxml_file'
- 'audio/mpeg'
- 'mp3_file'
- 'mhtml_file'
- 'application/pdf'
- 'pdf_file'
- 'text/rtf'
- 'rtf_file'
- 'wordml_file'
- 'application/x-dosexec'
- 'mz_file'
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
- 'lnk_file'
- 'application/x-mach-binary'
- 'macho_file'
- 'image/gif'
- 'gif_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'application/x-shockwave-flash'
- 'fws_file'
- 'psd_file'
- 'video/mp4'
- 'video/quicktime'
- 'video/x-msvideo'
- 'avi_file'
- 'video/x-ms-wmv'
- 'wmv_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanGif':
- positive:
flavors:
- 'image/gif'
- 'gif_file'
priority: 5
'ScanGzip':
- positive:
flavors:
- 'application/gzip'
- 'application/x-gzip'
- 'gzip_file'
priority: 5
'ScanHash':
- positive:
flavors:
- '*'
priority: 5
'ScanHeader':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
'ScanHtml':
- positive:
flavors:
- 'hta_file'
- 'text/html'
- 'html_file'
priority: 5
options:
parser: "html5lib"
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanJarManifest':
- positive:
flavors:
- 'jar_manifest_file'
priority: 5
'ScanJavascript':
- negative:
flavors:
- 'text/html'
- 'html_file'
positive:
flavors:
- 'javascript_file'
- 'text/javascript'
priority: 5
options:
beautify: True
'ScanJpeg':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
priority: 5
'ScanJson':
- positive:
flavors:
- 'application/json'
- 'json_file'
priority: 5
'ScanLibarchive':
- positive:
flavors:
- 'application/vnd.ms-cab-compressed'
- 'cab_file'
- 'application/x-7z-compressed'
- '_7zip_file'
- 'application/x-cpio'
- 'cpio_file'
- 'application/x-xar'
- 'xar_file'
- 'arj_file'
- 'iso_file'
- 'application/x-debian-package'
- 'debian_package_file'
priority: 5
options:
limit: 1000
'ScanLzma':
- positive:
flavors:
- 'application/x-lzma'
- 'lzma_file'
- 'application/x-xz'
- 'xz_file'
priority: 5
'ScanMacho':
- positive:
flavors:
- 'application/x-mach-binary'
- 'macho_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanMmbot':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
options:
server: 'strelka_mmrpc_1:33907'
'ScanOcr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
priority: 5
options:
extract_text: False
tmp_directory: '/dev/shm/'
'ScanOle':
- positive:
flavors:
- 'application/CDFV2'
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanPdf':
- positive:
flavors:
- 'application/pdf'
- 'pdf_file'
priority: 5
options:
extract_text: False
limit: 2000
'ScanPe':
- positive:
flavors:
- 'application/x-dosexec'
- 'mz_file'
priority: 5
'ScanPgp':
- positive:
flavors:
- 'application/pgp-keys'
- 'pgp_file'
priority: 5
'ScanPhp':
- positive:
flavors:
- 'text/x-php'
- 'php_file'
priority: 5
'ScanPkcs7':
- positive:
flavors:
- 'pkcs7_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanPlist':
- positive:
flavors:
- 'bplist_file'
- 'plist_file'
priority: 5
options:
keys:
- 'KeepAlive'
- 'Label'
- 'NetworkState'
- 'Program'
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanRar':
- positive:
flavors:
- 'application/x-rar'
- 'rar_file'
priority: 5
options:
limit: 1000
'ScanRpm':
- positive:
flavors:
- 'application/x-rpm'
- 'rpm_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanRtf':
- positive:
flavors:
- 'text/rtf'
- 'rtf_file'
priority: 5
options:
limit: 1000
'ScanRuby':
- positive:
flavors:
- 'text/x-ruby'
priority: 5
'ScanSwf':
- positive:
flavors:
- 'application/x-shockwave-flash'
- 'fws_file'
- 'cws_file'
- 'zws_file'
priority: 5
'ScanTar':
- positive:
flavors:
- 'application/x-tar'
- 'tar_file'
priority: 5
options:
limit: 1000
'ScanTnef':
- positive:
flavors:
- 'application/vnd.ms-tnef'
- 'tnef_file'
priority: 5
'ScanUpx':
- positive:
flavors:
- 'upx_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanUrl':
- negative:
flavors:
- 'javascript_file'
positive:
flavors:
- 'text/plain'
priority: 5
'ScanVb':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
'ScanVba':
- positive:
flavors:
- 'mhtml_file'
- 'application/msword'
- 'olecf_file'
- 'wordml_file'
priority: 5
options:
analyze_macros: True
'ScanX509':
- positive:
flavors:
- 'x509_der_file'
priority: 5
options:
type: 'der'
- positive:
flavors:
- 'x509_pem_file'
priority: 5
options:
type: 'pem'
'ScanXml':
- positive:
flavors:
- 'application/xml'
- 'text/xml'
- 'xml_file'
- 'mso_file'
- 'soap_file'
priority: 5
'ScanYara':
- positive:
flavors:
- '*'
priority: 5
options:
location: '/etc/yara/'
'ScanZip':
- positive:
flavors:
- 'application/java-archive'
- 'application/zip'
- 'zip_file'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'ooxml_file'
priority: 5
options:
limit: 1000
password_file: '/etc/strelka/passwords.dat'
'ScanZlib':
- positive:
flavors:
- 'application/zlib'
- 'zlib_file'
priority: 5

78
salt/strelka/files/backend/logging.yaml Normal file
View File

@@ -0,0 +1,78 @@
version: 1
formatters:
simple:
format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
datefmt: '%Y-%m-%d %H:%M:%S'
handlers:
console:
class: logging.StreamHandler
formatter: simple
stream: ext://sys.stdout
root:
level: DEBUG
handlers: [console]
loggers:
OpenSSL:
propagate: 0
bs4:
propagate: 0
bz2:
propagate: 0
chardet:
propagate: 0
docx:
propagate: 0
elftools:
propagate: 0
email:
propagate: 0
entropy:
propagate: 0
esprima:
propagate: 0
gzip:
propagate: 0
hashlib:
propagate: 0
json:
propagate: 0
libarchive:
propagate: 0
lxml:
propagate: 0
lzma:
propagate: 0
macholibre:
propagate: 0
olefile:
propagate: 0
oletools:
propagate: 0
pdfminer:
propagate: 0
pefile:
propagate: 0
pgpdump:
propagate: 0
pygments:
propagate: 0
pylzma:
propagate: 0
rarfile:
propagate: 0
requests:
propagate: 0
rpmfile:
propagate: 0
ssdeep:
propagate: 0
tarfile:
propagate: 0
tnefparse:
propagate: 0
yara:
propagate: 0
zipfile:
propagate: 0
zlib:
propagate: 0

2
salt/strelka/files/backend/passwords.dat Normal file
View File

@@ -0,0 +1,2 @@
infected
password

748
salt/strelka/files/backend/taste/taste.yara Normal file
View File

@@ -0,0 +1,748 @@
// Archive Files
rule _7zip_file
{
meta:
type = "archive"
strings:
$a = { 37 7A BC AF 27 1C }
condition:
$a at 0
}
rule arj_file
{
meta:
type = "archive"
condition:
uint16(0) == 0xEA60
}
rule cab_file
{
meta:
type = "archive"
strings:
$a = { 4D 53 43 46 00 00 00 00 }
condition:
$a at 0 or
( uint16(0) == 0x5A4D and $a )
}
rule cpio_file
{
meta:
type = "archive"
strings:
$a = { 30 37 30 37 30 31 }
condition:
$a at 0
}
rule iso_file
{
meta:
type = "archive"
strings:
$a = { 43 44 30 30 31 }
condition:
$a at 0x8001 and $a at 0x8801 and $a at 0x9001
}
rule mhtml_file
{
meta:
type = "archive"
strings:
$a = "MIME-Version: 1.0"
$b = "This document is a Single File Web Page, also known as a Web Archive file"
condition:
$a at 0 and $b
}
rule rar_file
{
meta:
type = "archive"
condition:
uint16(0) == 0x6152 and uint8(2) == 0x72 and uint16(3) == 0x1A21 and uint8(5) == 0x07
}
rule tar_file
{
meta:
type = "archive"
strings:
$a = { 75 73 74 61 72 }
condition:
uint16(0) == 0x9D1F or
uint16(0) == 0xA01F or
$a at 257
}
rule xar_file
{
meta:
type = "archive"
condition:
uint32(0) == 0x21726178
}
rule zip_file
{
meta:
type = "archive"
condition:
( uint32(0) == 0x04034B50 and not uint32(4) == 0x00060014 )
}
// Audio Files
rule mp3_file
{
meta:
type = "audio"
condition:
uint16(0) == 0x4449 and uint8(2) == 0x33
}
// Certificate Files
rule pkcs7_file
{
meta:
type = "certificate"
strings:
$a = "-----BEGIN PKCS7-----"
condition:
(uint16(0) == 0x8230 and uint16(4) == 0x0906) or
uint32(0) == 0x09068030 or
$a at 0
}
rule x509_der_file
{
meta:
type = "certificate"
condition:
uint16(0) == 0x8230 and ( uint16(4) == 0x8230 or uint16(4) == 0x8130 )
}
rule x509_pem_file
{
meta:
type = "certificate"
strings:
$a = "-----BEGIN CERTI"
condition:
$a at 0
}
// Compressed Files
rule bzip2_file
{
meta:
type = "compressed"
condition:
uint16(0) == 0x5A42 and uint8(2) == 0x68
}
rule gzip_file
{
meta:
type = "compressed"
condition:
uint16(0) == 0x8B1F and uint8(2) == 0x08
}
rule lzma_file
{
meta:
type = "compressed"
condition:
uint16(0) == 0x005D and uint8(2) == 0x00
}
rule xz_file
{
meta:
type = "compressed"
condition:
uint32(0) == 0x587A37FD and uint16(4) == 0x005A
}
// Document Files
rule doc_subheader_file
{
meta:
type = "document"
condition:
uint32(0) == 0x00C1A5EC
}
rule mso_file
{
meta:
type = "document"
strings:
$a = { 3C 3F 6D 73 6F 2D 61 70 70 6C 69 63 61 74 69 6F 6E 20 } // <?mso-application
$b = { 3C 3F 6D 73 6F 2D 63 6F 6E 74 65 6E 74 54 79 70 65 } // <?mso-contentType
condition:
$a at 0 or
$b at 0
}
rule olecf_file
{
meta:
description = "Object Linking and Embedding (OLE) Compound File (CF)"
type = "document"
condition:
uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1
}
rule ooxml_file
{
meta:
description = "Microsoft Office Open XML Format"
type = "document"
condition:
uint32(0) == 0x04034B50 and uint32(4) == 0x00060014
}
rule pdf_file
{
meta:
description = "Portable Document Format"
type = "document"
condition:
uint32(0) == 0x46445025
}
rule poi_hpbf_file
{
meta:
description = "https://poi.apache.org/components/hpbf/file-format.html"
type = "document"
strings:
$a = { 43 48 4E 4B 49 4E 4B } // CHNKINK
condition:
$a at 0
}
rule rtf_file
{
meta:
type = "document"
condition:
uint32(0) == 0x74725C7B
}
rule vbframe_file
{
meta:
type = "document"
strings:
$a = { 56 45 52 53 49 4F 4E 20 35 2E 30 30 0D 0A 42 65 67 69 6E } // VERSION 5.00\r\nBegin
condition:
$a at 0
}
rule wordml_file
{
meta:
description = "Microsoft Office Word 2003 XML format"
type = "document"
strings:
$a = { 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D } // <?xml version=
$b = "http://schemas.microsoft.com/office/word/2003/wordml"
condition:
$a at 0 and $b
}
rule xfdf_file
{
meta:
description = "XML Forms Data Format"
type = "document"
strings:
$a = { 3C 78 66 64 66 20 78 6D 6C 6E 73 3D } // <xfdf xmlns=
condition:
$a at 0
}
// Email Files
rule email_file
{
meta:
type = "email"
strings:
$a = "\x0aReceived:" nocase fullword
$b = "\x0AReturn-Path:" nocase fullword
$c = "\x0aMessage-ID:" nocase fullword
$d = "\x0aReply-To:" nocase fullword
$e = "\x0aX-Mailer:" nocase fullword
condition:
$a in (0..2048) or
$b in (0..2048) or
$c in (0..2048) or
$d in (0..2048) or
$e in (0..2048)
}
rule tnef_file
{
meta:
description = "Transport Neutral Encapsulation Format"
type = "email"
condition:
uint32(0) == 0x223E9F78
}
// Encryption Files
rule pgp_file
{
meta:
type = "encryption"
strings:
$a = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 50 55 42 4C 49 43 20 4B 45 59 20 42 4C 4F 43 4B 2D } // (.{2})(\x2D\x2D\x2DBEGIN PGP PUBLIC KEY BLOCK\x2D)
$b = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 53 49 47 4E 41 54 55 52 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP SIGNATURE\x2D)
$c = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 4D 45 53 53 41 47 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP MESSAGE\x2D)
condition:
$a at 0 or
$b at 0 or
$c at 0
}
// Executable Files
rule elf_file
{
meta:
description = "Executable and Linkable Format"
type = "executable"
condition:
uint32(0) == 0x464C457F
}
rule lnk_file
{
meta:
description = "Windows Shortcut file"
type = "executable"
condition:
uint32(0) == 0x0000004C
}
rule macho_file
{
meta:
description = "Mach object"
type = "executable"
condition:
uint32(0) == 0xCEFAEDFE or
uint32(0) == 0xCFFAEDFE or
uint32(0) == 0xFEEDFACE or
uint32(0) == 0xFEEDFACF
}
rule mz_file
{
meta:
description = "DOS MZ executable"
type = "executable"
condition:
uint16(0) == 0x5A4D
}
// Image Files
rule bmp_file
{
meta:
type = "image"
strings:
$a = { 42 4D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ( 0C | 28 | 40 | 6C | 7C | 80 ) 00 } // BM
condition:
$a at 0
}
rule cmap_file
{
meta:
type = "image"
strings:
$a = { 62 65 67 69 6E 63 6D 61 70 } // begincmap
condition:
$a at 0
}
rule gif_file
{
meta:
description = "Graphics Interchange Format"
type = "image"
condition:
uint32(0) == 0x38464947 and ( uint16(4) == 0x6137 or uint16(4) == 0x6139 )
}
rule jpeg_file
{
meta:
type = "image"
condition:
uint32(0) == 0xE0FFD8FF or
uint32(0) == 0xE1FFD8FF or
uint32(0) == 0xE2FFD8FF or
uint32(0) == 0xE8FFD8FF
}
rule postscript_file
{
meta:
type = "image"
strings:
$a = { 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 } // %!PS-Adobe-3.0
condition:
$a at 0
}
rule png_file
{
meta:
type = "image"
condition:
uint32(0) == 0x474E5089
}
rule psd_file
{
meta:
description = "Photoshop Document"
type = "image"
condition:
uint32(0) == 0x53504238
}
rule psd_image_file
{
meta:
description = "Photoshop Document image resource block"
type = "image"
condition:
uint32(0) == 0x4D494238
}
rule svg_file
{
meta:
type = "image"
strings:
$a = { 3C 73 76 67 20 } // <svg
condition:
$a at 0
}
rule xicc_file
{
meta:
type = "image"
strings:
$a = { 58 49 43 43 5F 50 52 4F 46 49 4C 45 } // XICC_PROFILE
condition:
$a at 0
}
rule xmp_file
{
meta:
type = "image"
strings:
$a = { 3C 3F 78 70 61 63 6B 65 74 20 62 65 67 69 6E 3D } // <?xpacket begin=
$b = { 3C 78 3A 78 6D 70 6D 65 74 61 20 78 6D 6C 6E 73 3A 78 3D } // <x:xmpmeta xmlns:x=
condition:
$a at 0 or $b at 0
}
// Metadata Files
rule jar_manifest_file
{
meta:
type = "metadata"
condition:
uint32(0) == 0x696E614D and uint32(4) == 0x74736566
}
rule bplist_file
{
meta:
description = "Binary Property List"
type = "metadata"
condition:
uint32(0) == 0x696C7062 and uint32(4) == 0x30307473
}
// Multimedia Files
rule fws_file
{
meta:
type = "multimedia"
condition:
uint16(0) == 0x5746 and uint8(2) == 0x53
}
rule cws_file
{
meta:
description = "zlib compressed Flash file"
type = "multimedia"
condition:
uint16(0) == 0x5743 and uint8(2) == 0x53
}
rule zws_file
{
meta:
description = "LZMA compressed Flash file"
type = "multimedia"
condition:
uint16(0) == 0x575A and uint8(2) == 0x53
}
// Package Files
rule debian_package_file
{
meta:
type = "package"
strings:
$a = { 21 3C 61 72 63 68 3E 0A 64 65 62 69 61 6E } // \x21\x3Carch\x3E\x0Adebian
condition:
$a at 0
}
rule rpm_file
{
meta:
type = "package"
condition:
uint32(0) == 0x6D707264 or uint32(0) == 0xDBEEABED
}
// Packer Files
rule upx_file
{
meta:
description = "Ultimate Packer for Executables"
type = "packer"
strings:
$a = {55505830000000}
$b = {55505831000000}
$c = "UPX!"
condition:
uint16(0) == 0x5A4D and
$a in (0..1024) and
$b in (0..1024) and
$c in (0..1024)
}
// Script Files
rule batch_file
{
meta:
type = "script"
strings:
$a = { ( 45 | 65 ) ( 43 | 63 ) ( 48 | 68 ) ( 4F | 6F ) 20 ( 4F | 6F) ( 46 | 66 ) ( 46 | 66 ) } // [Ee][Cc][Hh][Oo] [Oo][Ff][Ff]
condition:
$a at 0
}
rule javascript_file
{
meta:
type = "script"
strings:
$var = { 76 61 72 20 } // var
$function1 = { 66 75 6E 63 74 69 6F 6E } // function
$function2 = { 28 66 75 6E 63 74 69 6F 6E } // (function
$function3 = { 66 75 6E 63 74 69 6F 6E [0-1] 28 } // function[0-1](
$if = { 69 66 [0-1] 28 } // if[0-1](
$misc1 = { 24 28 } // $(
$misc2 = { 2F ( 2A | 2F ) } // \/(\/|\*)
$jquery = { 6A 51 75 65 72 79 } // jQuery
$try = { 74 72 79 [0-1] 7B } // try[0-1]{
$catch = { 63 61 74 63 68 28 } // catch(
$push = { 2E 70 75 73 68 28 } // .push(
$array = { 6E 65 77 20 41 72 72 61 79 28 } // new Array(
$document1 = { 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 } // document.create
$document2 = { 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 } // document.write
$window = { 77 69 6E 64 6F 77 ( 2E | 5B ) } // window[.\[]
$define = { 64 65 66 69 6E 65 28 } // define(
$eval = { 65 76 61 6C 28 } // eval(
$unescape = { 75 6E 65 73 63 61 70 65 28 } // unescape(
condition:
$var at 0 or
$function1 at 0 or
$function2 at 0 or
$if at 0 or
$jquery at 0 or
$function3 in (0..30) or
$push in (0..30) or
$array in (0..30) or
( $try at 0 and $catch in (5..5000) ) or
$document1 in (0..100) or
$document2 in (0..100) or
$window in (0..100) or
$define in (0..100) or
$eval in (0..100) or
$unescape in (0..100) or
( ( $misc1 at 0 or $misc2 at 0 ) and $var and $function1 and $if )
}
rule vb_file
{
meta:
type = "script"
strings:
$a = { 41 74 74 72 69 62 75 74 65 20 56 42 5F 4E 61 6D 65 20 3D } // Attribute VB_Name =
$b = { 4F 70 74 69 6F 6E 20 45 78 70 6C 69 63 69 74 } // Option Explicit
$c = { 44 69 6D 20 } // Dim
$d = { 50 75 62 6C 69 63 20 53 75 62 20 } // Public Sub
$e = { 50 72 69 76 61 74 65 20 53 75 62 20 } // Private Sub
condition:
$a at 0 or
$b at 0 or
$c at 0 or
$d at 0 or
$e at 0
}
// Text Files
rule hta_file
{
meta:
type = "text"
strings:
$a = { 3C 48 54 41 3A 41 50 50 4C 49 43 41 54 49 4F 4E 20 } // <HTA:APPLICATION
condition:
$a in (0..2000)
}
rule html_file
{
meta:
type = "text"
strings:
$a = { 3C 21 ( 64 | 44 ) ( 6F | 4F ) ( 63 |43 ) ( 74 | 54 ) ( 79 | 59 ) ( 70 | 50 ) ( 65 | 45 ) 20 ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C ) } // <![Dd][Oo][Cc][Tt][Yy][Pp][Ee] [Hh][Tt][Mm][Ll]
$b = { 3C ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C ) } // <[Hh][Tt][Mm][Ll]
$c = { 3C ( 62 | 42 ) ( 72 | 52 ) } // <br
$d = { 3C ( 44 | 64 ) ( 49 | 69 ) ( 56 | 76 ) } // <[Dd][Ii][Vv]
$e = { 3C ( 41 | 61 ) 20 ( 48 |68 ) ( 52 | 72 ) ( 45 | 65 ) ( 46 | 66 ) 3D } // <[Aa] [Hh][Rr][Ee][Ff]=
$f = { 3C ( 48 | 68 ) ( 45 | 65 ) ( 41 | 61 ) ( 44 | 64 ) } // <[Hh][Ee][Aa][Dd]
$g = { 3C ( 53 | 73 ) ( 43 | 63 ) ( 52 | 72 ) ( 49 | 69 ) ( 50 | 70 ) ( 54 | 74 ) } // <[Ss][Cc][Rr][Ii][Pp][Tt]
$h = { 3C ( 53 | 73 ) ( 54 | 74 ) ( 59 | 79 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Ss][Tt][Yy][Ll][Ee]
$i = { 3C ( 54 | 74 ) ( 41 | 61 ) ( 42 | 62 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Tt][Aa][Bb][Ll][Ee]
$j = { 3C ( 50 | 70 ) } // <[Pp]
$k = { 3C ( 49 | 69 ) ( 4D | 6D ) ( 47 | 67 ) } // <[Ii][Mm][Gg]
$l = { 3C ( 53 | 73 ) ( 50 |70 ) ( 41 | 61 ) ( 4E | 6E ) } // <[Ss][Pp][Aa][Nn]
$m = { 3C ( 48 | 68 ) ( 52 | 72 | 31 | 32 | 33 | 34 | 35 | 36 ) } // <[Hh][Rr] <[Hh][1-6]
$n = { 3C ( 54 | 74) ( 49 | 69 ) ( 54 | 74 ) ( 4C | 6C ) ( 45 | 65 ) 3E } // <[Tt][Ii][Tt][Ll][Ee]>
condition:
$a at 0 or
$b at 0 or
$c at 0 or
$d at 0 or
$e at 0 or
$f at 0 or
$g at 0 or
$h at 0 or
$i at 0 or
$j at 0 or
$k at 0 or
$l at 0 or
$m at 0 or
$n at 0
}
rule json_file
{
meta:
type = "text"
strings:
$a = { 7B [0-5] 22 }
condition:
$a at 0
}
rule php_file
{
meta:
type = "text"
strings:
$a = { 3c 3f 70 68 70 }
condition:
$a at 0
}
rule soap_file
{
meta:
description = "Simple Object Access Protocol"
type = "text"
strings:
$a = { 3C 73 6F 61 70 65 6E 76 3A 45 6E 76 65 6C 6F 70 65 } // <soapenv:Envelope xmlns
$b = { 3C 73 3A 45 6E 76 65 6C 6F 70 65 } // <s:Envelope
condition:
$a at 0 or
$b at 0
}
rule xml_file
{
meta:
type = "text"
strings:
$a = { 3C 3F ( 58 | 78) ( 4D | 6D ) ( 4C | 6C ) 20 76 65 72 73 69 6F 6E 3D } // <?[Xx][Mm][Ll] version=
$b = { 3C 3F 78 6D 6C 3F 3E } // <?xml?>
$c = { 3C 73 74 79 6C 65 53 68 65 65 74 20 78 6D 6C 6E 73 3D } // <styleSheet xmlns=
$d = { 3C 77 6F 72 6B 62 6F 6F 6B 20 78 6D 6C 6E 73 } // <workbook xmlns
$e = { 3C 78 6D 6C 20 78 6D 6C 6E 73 } // <xml xmlns
$f = { 3C 69 6E 74 20 78 6D 6C 6E 73 } // <int xmlns
condition:
$a at 0 or
$b at 0 or
$c at 0 or
$d at 0 or
$e at 0 or
$f at 0
}
// Video Files
rule avi_file
{
meta:
type = "video"
strings:
$a = { 52 49 46 46 ?? ?? ?? ?? 41 56 49 20 4C 49 53 54 }
condition:
$a at 0
}
rule wmv_file
{
meta:
type = "video"
condition:
uint32(0) == 0x75B22630 and uint32(4) == 0x11CF668E and uint32(8) == 0xAA00D9A6 and uint32(12) == 0x6CCE6200
}

20
salt/strelka/files/filestream/filestream.yaml Normal file
View File

@@ -0,0 +1,20 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
conn:
server: '{{ ip }}:57314'
cert: ''
timeout:
dial: 5s
file: 1m
throughput:
concurrency: 8
chunk: 32768
delay: 0s
files:
patterns:
- '/nsm/strelka/*'
delete: false
gatekeeper: true
response:
report: 5s
delta: 5s
staging: '/nsm/strelka/processed'

11
salt/strelka/files/frontend/frontend.yaml Normal file
View File

@@ -0,0 +1,11 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
server: ":57314"
coordinator:
addr: '{{ ip }}:6380'
db: 0
gatekeeper:
addr: '{{ ip }}:6381'
db: 0
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"

4
salt/strelka/files/manager/manager.yaml Normal file
View File

@@ -0,0 +1,4 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
coordinator:
addr: '{{ ip }}:6380'
db: 0

149
salt/strelka/init.sls Normal file
View File

@@ -0,0 +1,149 @@
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set MASTER = grains['master'] %}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
# Strelka config
strelkaconfdir:
file.directory:
- name: /opt/so/conf/strelka
- user: 939
- group: 939
- makedirs: True
# Strelka logs
strelkalogdir:
file.directory:
- name: /opt/so/log/strelka
- user: 939
- group: 939
- makedirs: True
# Sync dynamic config to conf dir
strelkasync:
file.recurse:
- name: /opt/so/conf/strelka/
- source: salt://strelka/files
- user: 939
- group: 939
- template: jinja
strelkadatadir:
file.directory:
- name: /nsm/strelka
- user: 939
- group: 939
- makedirs: True
strelkastagedir:
file.directory:
- name: /nsm/strelka/processed
- user: 939
- group: 939
- makedirs: True
so-strelka-frontendimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
so-strelka-coordinatorimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
so-strelka-gatekeeperimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
so-strelka-backendimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
so-strelka-managerimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
so-strelka-backendimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
strelka_coordinator:
docker_container.running:
- require:
- so-strelka-coordinatorimage
- image: docker.io/redis:5.0.5-alpine3.10
- name: so-strelka-coordinator
- command: redis-server --save "" --appendonly no
- port_bindings:
- 0.0.0.0:6380:6379
strelka_gatekeeper:
docker_container.running:
- require:
- so-strelka-gatekeeperimage
- image: docker.io/redis:5.0.5-alpine3.10
- name: so-strelka-gatekeeper
- command: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- port_bindings:
- 0.0.0.0:6381:6379
strelka_frontend:
docker_container.running:
- require:
- so-strelka-frontendimage
- image: docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
- binds:
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- /opt/so/log/strelka/:/var/log/strelka/:rw
- privileged: True
- name: so-strelka-frontend
- command: strelka-frontend
- port_bindings:
- 0.0.0.0:57314:57314
strelka_backend:
docker_container.running:
- require:
- so-strelka-backendimage
- image: docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
- restart_policy: unless-stopped
- binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
- name: so-strelka-backend
- command: strelka-backend
strelka_manager:
docker_container.running:
- require:
- so-strelka-managerimage
- image: docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
- binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
- name: so-strelka-manager
- command: strelka-manager
strelka_filestream:
docker_container.running:
- require:
- so-strelka-filestreamimage
- image: docker.io/soshybridhunter/so-strelka-filestream:HH1.1.5
- image: docker.io/wlambert/sfilestream:grpc
- binds:
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- /nsm/strelka:/nsm/strelka
- name: so-strelka-filestream
- command: strelka-filestream

36
salt/suricata/files/threshold.conf.jinja Normal file
View File

@@ -0,0 +1,36 @@
{% set THRESHOLDING = salt['pillar.get']('thresholding', {}) -%}
{% if THRESHOLDING -%}
{% for EACH_SID in THRESHOLDING.sids -%}
{% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%}
{% for EACH_ACTION in ACTIONS_LIST -%}
{%- if EACH_ACTION == 'threshold' %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
{%- elif EACH_ACTION == 'rate_filter' %}
{%- if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{%- else %}
##### Security Onion does not support drop or reject actions for rate_filter
##### {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{%- endif %}
{%- elif EACH_ACTION == 'suppress' %}
{%- if ACTIONS_LIST[EACH_ACTION].track is defined %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
{%- else %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- else %}
##### The thresholding pillar has not been defined
{%- endif %}

10
salt/suricata/init.sls
View File

@@ -72,6 +72,14 @@ suriconfigsync:
- group: 940 - group: 940
- template: jinja - template: jinja
surithresholding:
file.managed:
- name: /opt/so/conf/suricata/threshold.conf
- source: salt://suricata/files/threshold.conf.jinja
- user: 940
- group: 940
- template: jinja
so-suricata: so-suricata:
docker_container.running: docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }} - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }}
@@ -80,9 +88,11 @@ so-suricata:
- INTERFACE={{ interface }} - INTERFACE={{ interface }}
- binds: - binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw - /opt/so/log/suricata/:/var/log/suricata/:rw
- network_mode: host - network_mode: host
- watch: - watch:
- file: /opt/so/conf/suricata/suricata.yaml - file: /opt/so/conf/suricata/suricata.yaml
- file: surithresholding
- file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/rules/

18
salt/top.sls
View File

@@ -4,6 +4,9 @@
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%} {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%}
{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
base: base:
'*': '*':
- patch.os.schedule - patch.os.schedule
@@ -49,6 +52,7 @@ base:
- sensoroni - sensoroni
- firewall - firewall
- idstools - idstools
- auth
{%- if OSQUERY != 0 %} {%- if OSQUERY != 0 %}
- mysql - mysql
{%- endif %} {%- endif %}
@@ -78,7 +82,12 @@ base:
{%- if PLAYBOOK != 0 %} {%- if PLAYBOOK != 0 %}
- playbook - playbook
{%- endif %} {%- endif %}
{%- if FREQSERVER != 0 %}
- freqserver
{%- endif %}
{%- if DOMAINSTATS != 0 %}
- domainstats
{%- endif %}
'G@role:so-master': 'G@role:so-master':
@@ -115,7 +124,12 @@ base:
{%- if PLAYBOOK != 0 %} {%- if PLAYBOOK != 0 %}
- playbook - playbook
{%- endif %} {%- endif %}
{%- if FREQSERVER != 0 %}
- freqserver
{%- endif %}
{%- if DOMAINSTATS != 0 %}
- domainstats
{%- endif %}
# Search node logic # Search node logic

9
salt/wazuh/files/agent/ossec.conf
View File

@@ -179,12 +179,17 @@
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location> <location>/var/ossec/logs/active-responses.log</location>
</localfile> </localfile>
{%- if grains['os'] == 'Ubuntu' %}
<localfile> <localfile>
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/log/auth.log</location> <location>/var/log/auth.log</location>
</localfile> </localfile>
{%- else %}
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
{%- endif %}
<localfile> <localfile>
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/log/syslog</location> <location>/var/log/syslog</location>

6
salt/wazuh/files/agent/wazuh-register-agent
View File

@@ -31,6 +31,7 @@ USER="foo"
PASSWORD="bar" PASSWORD="bar"
AGENT_NAME=$(hostname) AGENT_NAME=$(hostname)
AGENT_IP="{{ip}}" AGENT_IP="{{ip}}"
AGENT_ID=001
display_help() { display_help() {
cat <<HELP_USAGE cat <<HELP_USAGE
@@ -135,5 +136,10 @@ shift $(($OPTIND - 1))
# Default action -> try to register the agent # Default action -> try to register the agent
sleep 10s sleep 10s
STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
if [[ $STATUS == "Active" ]]; then
echo "Agent $AGENT_ID already registered!"
else
register_agent register_agent
fi
#remove_agent #remove_agent

33
salt/wazuh/files/wazuh-manager-whitelist Normal file
View File

@@ -0,0 +1,33 @@
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Check if Wazuh enabled
if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
if ! grep -q "<white_list>{{ MASTERIP }}</white_list>" $WAZUH_MGR_CFG ; then
DATE=`date`
sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
echo -e "<!--Address {{ MASTERIP }} added by setup on "$DATE"-->\n <global>\n <white_list>{{ MASTERIP }}</white_list>\n </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG."
echo
echo "Restarting OSSEC Server..."
/usr/sbin/so-wazuh-restart
fi
fi

15
salt/wazuh/init.sls
View File

@@ -63,6 +63,15 @@ wazuhagentregister:
- mode: 755 - mode: 755
- template: jinja - template: jinja
wazuhmgrwhitelist:
file.managed:
- name: /usr/sbin/wazuh-manager-whitelist
- source: salt://wazuh/files/wazuh-manager-whitelist
- user: 0
- group: 0
- mode: 755
- template: jinja
so-wazuh: so-wazuh:
docker_container.running: docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }} - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }}
@@ -82,3 +91,9 @@ registertheagent:
- name: /usr/sbin/wazuh-register-agent - name: /usr/sbin/wazuh-register-agent
- cwd: / - cwd: /
#- stateful: True #- stateful: True
# Whitelist manager IP
whitelistmanager:
cmd.run:
- name: /usr/sbin/wazuh-manager-whitelist
- cwd: /

197
setup/functions.sh
View File

@@ -270,9 +270,9 @@ copy_minion_tmp_files() {
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo "Copying pillar and salt files in $TMP to /opt/so/saltstack" echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
cp -Rv $TMP/pillar/ /opt/so/saltstack/pillar/ >> $SETUPLOG 2>&1 cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
if [ -d $TMP/salt ] ; then if [ -d $TMP/salt ] ; then
cp -Rv $TMP/salt/ /opt/so/saltstack/salt/ >> $SETUPLOG 2>&1 cp -Rv $TMP/salt/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
fi fi
else else
echo "scp pillar and salt files in $TMP to master /opt/so/saltstack" echo "scp pillar and salt files in $TMP to master /opt/so/saltstack"
@@ -602,7 +602,8 @@ got_root() {
install_cleanup() { install_cleanup() {
echo "install_cleanup called" >> $SETUPLOG 2>&1 echo "install_cleanup removing the following files:"
ls -lR $TMP
# Clean up after ourselves # Clean up after ourselves
rm -rf /root/installtmp rm -rf /root/installtmp
@@ -613,6 +614,8 @@ install_prep() {
# Create a tmp space that isn't in /tmp # Create a tmp space that isn't in /tmp
mkdir /root/installtmp mkdir /root/installtmp
mkdir /root/installtmp/pillar
mkdir /root/installtmp/pillar/minions
TMP=/root/installtmp TMP=/root/installtmp
} }
@@ -652,47 +655,50 @@ ls_heapsize() {
master_pillar() { master_pillar() {
PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
# Create the master pillar # Create the master pillar
touch /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo "master:" >> $PILLARFILE
echo "master:" > /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainip: $MAINIP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " mainint: $MAININT" >> $PILLARFILE
echo " mainint: $MAININT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " esheap: $ES_HEAP_SIZE" >> $PILLARFILE
echo " esheap: $ES_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " esclustername: {{ grains.host }}" >> $PILLARFILE
echo " esclustername: {{ grains.host }}" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " freq: 0" >> $PILLARFILE
echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " domainstats: 0" >> $PILLARFILE
echo " ls_pipeline_batch_size: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_pipeline_batch_size: 125" >> $PILLARFILE
echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_input_threads: 1" >> $PILLARFILE
echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_batch_count: 125" >> $PILLARFILE
echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " mtu: 1500" >> $PILLARFILE
else else
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " freq: 0" >> $PILLARFILE
echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " domainstats: 0" >> $PILLARFILE
fi fi
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " lsheap: 1000m" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " lsheap: 1000m" >> $PILLARFILE
else else
echo " lsheap: $LS_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " lsheap: $LS_HEAP_SIZE" >> $PILLARFILE
fi fi
echo " lsaccessip: 127.0.0.1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " lsaccessip: 127.0.0.1" >> $PILLARFILE
echo " elastalert: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " elastalert: 1" >> $PILLARFILE
echo " ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_pipeline_workers: $CPUCORES" >> $PILLARFILE
echo " nids_rules: $RULESETUP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " nids_rules: $RULESETUP" >> $PILLARFILE
echo " oinkcode: $OINKCODE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " oinkcode: $OINKCODE" >> $PILLARFILE
#echo " access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " access_key: $ACCESS_KEY" >> $PILLARFILE
#echo " access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE
echo " es_port: $NODE_ES_PORT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " es_port: $NODE_ES_PORT" >> $PILLARFILE
echo " log_size_limit: $LOG_SIZE_LIMIT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
#echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " mysqlpass: $MYSQLPASS" >> $PILLARFILE
#echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " fleetpass: $FLEETPASS" >> $PILLARFILE
echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " grafana: $GRAFANA" >> $PILLARFILE
echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " osquery: $OSQUERY" >> $PILLARFILE
echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " wazuh: $WAZUH" >> $PILLARFILE
echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " thehive: $THEHIVE" >> $PILLARFILE
echo " playbook: $PLAYBOOK" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " playbook: $PLAYBOOK" >> $PILLARFILE
echo "" >> $PILLARFILE
} }
master_static() { master_static() {
@@ -753,53 +759,39 @@ network_setup() {
node_pillar() { node_pillar() {
NODEPILLARPATH=$TMP/pillar/nodes PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
if [ ! -d $NODEPILLARPATH ]; then
mkdir -p $NODEPILLARPATH
fi
# Create the node pillar # Create the node pillar
touch $NODEPILLARPATH/$MINION_ID.sls echo "node:" >> $PILLARFILE
echo "node:" > $NODEPILLARPATH/$MINION_ID.sls echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainip: $MAINIP" >> $NODEPILLARPATH/$MINION_ID.sls echo " mainint: $MAININT" >> $PILLARFILE
echo " mainint: $MAININT" >> $NODEPILLARPATH/$MINION_ID.sls echo " esheap: $NODE_ES_HEAP_SIZE" >> $PILLARFILE
echo " esheap: $NODE_ES_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls echo " esclustername: {{ grains.host }}" >> $PILLARFILE
echo " esclustername: {{ grains.host }}" >> $NODEPILLARPATH/$MINION_ID.sls echo " lsheap: $NODE_LS_HEAP_SIZE" >> $PILLARFILE
echo " lsheap: $NODE_LS_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $PILLARFILE
echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $PILLARFILE
echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_input_threads: $LSINPUTTHREADS" >> $PILLARFILE
echo " ls_input_threads: $LSINPUTTHREADS" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $PILLARFILE
echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls echo " es_shard_count: $SHARDCOUNT" >> $PILLARFILE
echo " es_shard_count: $SHARDCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls echo " node_type: $NODETYPE" >> $PILLARFILE
echo " node_type: $NODETYPE" >> $NODEPILLARPATH/$MINION_ID.sls echo " es_port: $NODE_ES_PORT" >> $PILLARFILE
echo " es_port: $NODE_ES_PORT" >> $NODEPILLARPATH/$MINION_ID.sls echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
echo " log_size_limit: $LOG_SIZE_LIMIT" >> $NODEPILLARPATH/$MINION_ID.sls echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
echo " cur_close_days: $CURCLOSEDAYS" >> $NODEPILLARPATH/$MINION_ID.sls echo "" >> $PILLARFILE
} }
patch_pillar() { patch_pillar() {
case $INSTALLTYPE in PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
MASTERONLY | EVALMODE | HELIXSENSOR)
PATCHPILLARPATH=/opt/so/saltstack/pillar/masters
;;
SENSORONLY)
PATCHPILLARPATH=$SENSORPILLARPATH
;;
SEARCHNODE | PARSINGNODE | HOTNODE | WARMNODE)
PATCHPILLARPATH=$NODEPILLARPATH
;;
esac
echo "" >> $PATCHPILLARPATH/$MINION_ID.sls
echo "patch:" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " os:" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " schedule_name: $PATCHSCHEDULENAME" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " enabled: True" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " splay: 300" >> $PATCHPILLARPATH/$MINION_ID.sls
echo "" >> $PILLARFILE
echo "patch:" >> $PILLARFILE
echo " os:" >> $PILLARFILE
echo " schedule_name: $PATCHSCHEDULENAME" >> $PILLARFILE
echo " enabled: True" >> $PILLARFILE
echo " splay: 300" >> $PILLARFILE
echo "" >> $PILLARFILE
} }
@@ -1163,51 +1155,44 @@ salt_install_mysql_deps() {
} }
sensor_pillar() { sensor_pillar() {
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
SENSORPILLARPATH=/opt/so/saltstack/pillar/sensors PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
mkdir -p $TMP
mkdir -p $SENSORPILLARPATH
else
SENSORPILLARPATH=$TMP/pillar/sensors
fi
if [ ! -d $SENSORPILLARPATH ]; then
mkdir -p $SENSORPILLARPATH
fi
# Create the sensor pillar # Create the sensor pillar
touch $SENSORPILLARPATH/$MINION_ID.sls touch $PILLARFILE
echo "sensor:" > $SENSORPILLARPATH/$MINION_ID.sls echo "sensor:" >> $PILLARFILE
echo " interface: bond0" >> $SENSORPILLARPATH/$MINION_ID.sls echo " interface: bond0" >> $PILLARFILE
echo " mainip: $MAINIP" >> $SENSORPILLARPATH/$MINION_ID.sls echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainint: $MAININT" >> $SENSORPILLARPATH/$MINION_ID.sls echo " mainint: $MAININT" >> $PILLARFILE
if [ $NSMSETUP == 'ADVANCED' ]; then if [ $NSMSETUP == 'ADVANCED' ]; then
echo " bro_pins:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " bro_pins:" >> $PILLARFILE
for PIN in $BROPINS; do for PIN in $BROPINS; do
PIN=$(echo $PIN | cut -d\" -f2) PIN=$(echo $PIN | cut -d\" -f2)
echo " - $PIN" >> $SENSORPILLARPATH/$MINION_ID.sls echo " - $PIN" >> $PILLARFILE
done done
echo " suripins:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " suripins:" >> $PILLARFILE
for SPIN in $SURIPINS; do for SPIN in $SURIPINS; do
SPIN=$(echo $SPIN | cut -d\" -f2) SPIN=$(echo $SPIN | cut -d\" -f2)
echo " - $SPIN" >> $SENSORPILLARPATH/$MINION_ID.sls echo " - $SPIN" >> $PILLARFILE
done done
elif [ $INSTALLTYPE == 'HELIXSENSOR' ]; then elif [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " bro_lbprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls echo " bro_lbprocs: $LBPROCS" >> $PILLARFILE
echo " suriprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls echo " suriprocs: $LBPROCS" >> $PILLARFILE
else else
echo " bro_lbprocs: $BASICBRO" >> $SENSORPILLARPATH/$MINION_ID.sls echo " bro_lbprocs: $BASICBRO" >> $PILLARFILE
echo " suriprocs: $BASICSURI" >> $SENSORPILLARPATH/$MINION_ID.sls echo " suriprocs: $BASICSURI" >> $PILLARFILE
fi fi
echo " brobpf:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " brobpf:" >> $PILLARFILE
echo " pcapbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " pcapbpf:" >> $PILLARFILE
echo " nidsbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " nidsbpf:" >> $PILLARFILE
echo " master: $MSRV" >> $SENSORPILLARPATH/$MINION_ID.sls echo " master: $MSRV" >> $PILLARFILE
echo " mtu: $MTU" >> $SENSORPILLARPATH/$MINION_ID.sls echo " mtu: $MTU" >> $PILLARFILE
if [ $HNSENSOR != 'inherit' ]; then if [ $HNSENSOR != 'inherit' ]; then
echo " hnsensor: $HNSENSOR" >> $SENSORPILLARPATH/$MINION_ID.sls echo " hnsensor: $HNSENSOR" >> $PILLARFILE
fi fi
echo " access_key: $ACCESS_KEY" >> $SENSORPILLARPATH/$MINION_ID.sls echo " access_key: $ACCESS_KEY" >> $PILLARFILE
echo " access_secret: $ACCESS_SECRET" >> $SENSORPILLARPATH/$MINION_ID.sls echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE
echo "" >> $PILLARFILE
} }

1
setup/so-setup.sh
View File

@@ -663,6 +663,7 @@ if (whiptail_you_sure) ; then
echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX" echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XX\n97\nFinishing touches... \nXXX" echo -e "XX\n97\nFinishing touches... \nXXX"
salt-call state.apply auth >> $SETUPLOG 2>&1
filter_unused_nics >> $SETUPLOG 2>&1 filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1 network_setup >> $SETUPLOG 2>&1
echo -e "XXX\n98\nVerifying Setup... \nXXX" echo -e "XXX\n98\nVerifying Setup... \nXXX"

6
setup/whiptail.sh
View File

@@ -90,7 +90,7 @@ whiptail_cancel() {
whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75
if [ -d "/root/installtmp" ]; then if [ -d "/root/installtmp" ]; then
echo "/root/installtmp exists" >> $SETUPLOG 2>&1 echo "/root/installtmp exists" >> $SETUPLOG 2>&1
install_cleanup install_cleanup >> $SETUPLOG 2>&1
echo "/root/installtmp removed" >> $SETUPLOG 2>&1 echo "/root/installtmp removed" >> $SETUPLOG 2>&1
fi fi
exit exit
@@ -685,14 +685,14 @@ whiptail_set_hostname() {
whiptail_setup_complete() { whiptail_setup_complete() {
whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 75 whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 75
install_cleanup install_cleanup >> $SETUPLOG 2>&1
} }
whiptail_setup_failed() { whiptail_setup_failed() {
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details. Press Enter to reboot." 8 75 whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details. Press Enter to reboot." 8 75
install_cleanup install_cleanup >> $SETUPLOG 2>&1
} }