mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
refactor to hash
This commit is contained in:
DefensiveDepth
@@ -639,7 +639,9 @@ post_to_2.4.190() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
post_to_2.4.200() {
|
post_to_2.4.200() {
|
||||||
echo "Nothing to apply"
|
echo "Initiating Suricata idstools migration..."
|
||||||
|
suricata_idstools_removal_post
|
||||||
|
|
||||||
POSTVERSION=2.4.200
|
POSTVERSION=2.4.200
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -911,8 +913,8 @@ up_to_2.4.190() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
up_to_2.4.200() {
|
up_to_2.4.200() {
|
||||||
echo "Migrating idstools config"
|
echo "Backing up idstools config..."
|
||||||
suricata_idstools_removal
|
suricata_idstools_removal_pre
|
||||||
|
|
||||||
INSTALLEDVERSION=2.4.200
|
INSTALLEDVERSION=2.4.200
|
||||||
}
|
}
|
||||||
@@ -1102,116 +1104,127 @@ playbook_migration() {
|
|||||||
echo "Playbook Migration is complete...."
|
echo "Playbook Migration is complete...."
|
||||||
}
|
}
|
||||||
|
|
||||||
suricata_idstools_removal() {
|
suricata_idstools_removal_pre() {
|
||||||
# For SOUPs beginning with 2.4.200
|
# For SOUPs beginning with 2.4.200 - pre SOUP checks
|
||||||
|
|
||||||
# Create syncBlock file
|
# Create syncBlock file
|
||||||
cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
|
cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
|
||||||
Suricata rulset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
|
Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Track if we have custom configs
|
# TODO - backup custom rules & overrides
|
||||||
CUSTOM_CONFIGS_FOUND=0
|
mkdir -p /nsm/backup/detections-migration/2-4-200
|
||||||
|
cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
|
||||||
|
cp /opt/so/conf/idstools/etc/rulecat.conf /nsm/backup/detections-migration/2-4-200
|
||||||
|
|
||||||
# ETPRO Check
|
}
|
||||||
ETPRO=$(grep "\--etpro" /usr/sbin/so-rule-update || true)
|
|
||||||
if [[ -n "$ETPRO" ]]; then
|
suricata_idstools_removal_post() {
|
||||||
ETPRO_KEY=$(echo "$ETPRO" | awk -F'--etpro=' '{print $2}' | awk '{print $1}')
|
# For SOUPs beginning with 2.4.200 - post SOUP checks
|
||||||
echo "Grid is using ETPRO."
|
|
||||||
# Add ETPRO yaml to SOC pillar file
|
echo "Checking idstools configuration for custom modifications..."
|
||||||
if [[ $is_airgap -eq 0 ]]; then
|
|
||||||
#TODO /opt/so/saltstack/local/pillar/soc/soc_soc.sls
|
# Normalize file content for consistent hashing
|
||||||
echo "TODO"
|
# Args: $1 - file path
|
||||||
else
|
normalize_file() {
|
||||||
#TODO /opt/so/saltstack/local/pillar/soc/soc_soc.sls
|
local file="$1"
|
||||||
echo "TODO"
|
|
||||||
|
if [[ ! -f "$file" ]]; then
|
||||||
|
echo "FILE_NOT_FOUND"
|
||||||
|
return 1
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
|
|
||||||
#idstools conf parse
|
# Strip whitespace, normalize hostname, remove blank lines
|
||||||
RULECAT_CONF="/opt/so/conf/idstools/etc/rulecat.conf"
|
sed -E \
|
||||||
|
-e 's/^[[:space:]]+//; s/[[:space:]]+$//' \
|
||||||
|
-e '/^$/d' \
|
||||||
|
-e 's|--url=http://[^:]+:7788|--url=http://MANAGER:7788|' \
|
||||||
|
"$file"
|
||||||
|
}
|
||||||
|
|
||||||
echo "Checking $RULECAT_CONF for custom configurations..."
|
# Hash normalized content
|
||||||
|
hash_file() {
|
||||||
|
local file="$1"
|
||||||
|
|
||||||
# Parse RULECAT_CONF and check for custom configs
|
local normalized=$(normalize_file "$file")
|
||||||
if [[ ! -f "$RULECAT_CONF" ]]; then
|
|
||||||
echo "Warning: $RULECAT_CONF not found - leaving syncBlock."
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Parsing $RULECAT_CONF for custom configurations..."
|
if [[ "$normalized" == "FILE_NOT_FOUND" ]]; then
|
||||||
|
echo "FILE_NOT_FOUND"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Default values to check against
|
echo -n "$normalized" | sha256sum | awk '{print $1}'
|
||||||
DEFAULT_URL="--url=http://MANAGER:7788/suricata/emerging-all.rules"
|
}
|
||||||
DEFAULT_DISABLE="--disable=/opt/so/idstools/etc/disable.conf"
|
|
||||||
DEFAULT_ENABLE="--enable=/opt/so/idstools/etc/enable.conf"
|
|
||||||
DEFAULT_MODIFY="--modify=/opt/so/idstools/etc/modify.conf"
|
|
||||||
|
|
||||||
# Valid --local patterns
|
# Known-default hashes
|
||||||
VALID_LOCAL_PATTERNS=(
|
KNOWN_SO_RULE_UPDATE_HASHES=(
|
||||||
"/opt/so/rules/nids/suri/local.rules" # 2/24
|
"8f1fe1cb65c08aab78830315b952785c7ccdcc108c5c0474f427e29d4e39ee5f" # non-Airgap
|
||||||
"/opt/so/rules/nids/suri/extraction.rules" # 2/24
|
"d23ac5a962c709dcb888103effb71444df72b46009b6c426e280dbfbc7d74d40" # Airgap
|
||||||
"/opt/so/rules/nids/suri/filters.rules" # 2/24
|
)
|
||||||
"/opt/so/rules/nids/extraction.rules" # 9/23
|
|
||||||
"/opt/so/rules/nids/filters.rules" # 9/23
|
|
||||||
"/opt/so/rules/nids/local.rules" # 8/23
|
|
||||||
"/opt/so/rules/nids/sorules/extraction.rules" # 8/23
|
|
||||||
"/opt/so/rules/nids/sorules/filters.rules" # 8/23
|
|
||||||
)
|
|
||||||
|
|
||||||
# Parse each line in the config file
|
KNOWN_RULECAT_CONF_HASHES=(
|
||||||
while IFS= read -r line; do
|
"17fc663a83b30d4ba43ac6643666b0c96343c5ea6ea833fe6a8362fe415b666b" # default
|
||||||
# Skip empty lines and comments
|
)
|
||||||
[[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
|
|
||||||
|
|
||||||
# Check for non-default --local parameter
|
# Check a config file against known hashes
|
||||||
if [[ "$line" =~ ^--local= ]]; then
|
# Args: $1 - file path, $2 - array name of known hashes
|
||||||
local_path="${line#--local=}"
|
check_config_file() {
|
||||||
is_valid=0
|
local file="$1"
|
||||||
for pattern in "${VALID_LOCAL_PATTERNS[@]}"; do
|
local known_hashes_array="$2"
|
||||||
if [[ "$local_path" == "$pattern" ]]; then
|
local file_display_name=$(basename "$file")
|
||||||
is_valid=1
|
|
||||||
break
|
if [[ ! -f "$file" ]]; then
|
||||||
fi
|
echo "Warning: $file not found"
|
||||||
done
|
return 1
|
||||||
if [[ $is_valid -eq 0 ]]; then
|
fi
|
||||||
echo "Custom --local parameter detected: $line"
|
|
||||||
echo "Custom configuration found: $line" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
echo "Hashing $file..."
|
||||||
return 0
|
local file_hash=$(hash_file "$file")
|
||||||
|
|
||||||
|
if [[ "$file_hash" == "FILE_NOT_FOUND" ]]; then
|
||||||
|
echo "Warning: Could not read $file"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo " Hash: $file_hash"
|
||||||
|
|
||||||
|
# Check if hash matches any known default
|
||||||
|
local match_found=0
|
||||||
|
local -n known_hashes=$known_hashes_array
|
||||||
|
for known_hash in "${known_hashes[@]}"; do
|
||||||
|
if [[ "$file_hash" == "$known_hash" ]]; then
|
||||||
|
match_found=1
|
||||||
|
echo " Matches known default configuration"
|
||||||
|
break
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ $match_found -eq 0 ]]; then
|
||||||
|
echo "Does not match known default - custom configuration detected"
|
||||||
|
echo "Custom $file_display_name detected (hash: $file_hash)" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
||||||
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check for non-default --url parameter (default contains 7788)
|
return 0
|
||||||
if [[ "$line" =~ ^--url= ]] && [[ ! "$line" =~ 7788 ]]; then
|
}
|
||||||
echo "Custom --url parameter detected: $line"
|
|
||||||
echo "Custom configuration found: $line" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Sanity checks for other parameters
|
# Check so-rule-update and rulecat.conf
|
||||||
if [[ "$line" =~ ^--disable= ]] && [[ "$line" != "$DEFAULT_DISABLE" ]]; then
|
SO_RULE_UPDATE="/nsm/backup/detections-migration/2-4-200/so-rule-update"
|
||||||
echo "Custom --disable parameter detected: $line"
|
RULECAT_CONF="/nsm/backup/detections-migration/2-4-200/rulecat.conf"
|
||||||
echo "Custom configuration found: $line" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$line" =~ ^--enable= ]] && [[ "$line" != "$DEFAULT_ENABLE" ]]; then
|
custom_found=0
|
||||||
echo "Custom --enable parameter detected: $line"
|
|
||||||
echo "Custom configuration found: $line" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$line" =~ ^--modify= ]] && [[ "$line" != "$DEFAULT_MODIFY" ]]; then
|
check_config_file "$SO_RULE_UPDATE" "KNOWN_SO_RULE_UPDATE_HASHES" || custom_found=1
|
||||||
echo "Custom --modify parameter detected: $line"
|
check_config_file "$RULECAT_CONF" "KNOWN_RULECAT_CONF_HASHES" || custom_found=1
|
||||||
echo "Custom configuration found: $line" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
done < "$RULECAT_CONF"
|
# If no custom configs found, remove syncBlock
|
||||||
|
if [[ $custom_found -eq 0 ]]; then
|
||||||
# If we reach here, no custom configs were found
|
echo "idstools migration completed successfully - removing Suricata engine syncBlock"
|
||||||
echo "idstools migration completed successfully - removing Suricata engine syncBlock"
|
rm -f /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
||||||
rm -f /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
|
else
|
||||||
|
echo "Custom idstools configuration detected - syncBlock remains in place"
|
||||||
|
echo "Review /opt/so/conf/soc/fingerprints/suricataengine.syncBlock for details"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
determine_elastic_agent_upgrade() {
|
determine_elastic_agent_upgrade() {
|
||||||
|
|||||||
Reference in New Issue
Block a user