CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-22 18:28:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.4/dev' into jertel/wip

Browse Source
This commit is contained in:
Jason Ertel
2024-11-11 10:06:44 -05:00
parent 31cf6a2ebc b3ce624fff
commit 57a9992a3d
34 changed files with 980 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/soc/config.sls
+43
View File
@@ -204,6 +204,49 @@ socsensoronirepos:
- mode: 775
- makedirs: True
create_custom_local_yara_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-yara
- bare: False
- force: True
add_readme_custom_local_yara_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-yara/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "yara"
create_custom_local_sigma_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-sigma
- bare: False
- force: True
add_readme_custom_local_sigma_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-sigma/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "sigma"
socore_own_custom_repos:
file.directory:
- name: /nsm/rules/custom-local-repos/
- user: socore
- group: socore
- recurse:
- user
- group
{% else %}
{{sls}}_state_not_allowed:
salt/soc/defaults.yaml
+25 -1
View File
@@ -1351,11 +1351,17 @@ soc:
license: Elastic-2.0
folder: sigma/stable
community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
airgap:
- repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
license: Elastic-2.0
folder: sigma/stable
community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
sigmaRulePackages:
- core
- emerging_threats_addon
@@ -1422,10 +1428,16 @@ soc:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL
community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
airgap:
- repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
license: DRL
community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
yaraRulesFolder: /opt/sensoroni/yara/rules
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 1200
@@ -1445,6 +1457,8 @@ soc:
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
integrityCheckFrequencySeconds: 1200
ignoredSidRanges:
- '1100000-1101000'
client:
enableReverseLookup: false
docsUrl: /docs/
@@ -2254,7 +2268,7 @@ soc:
description: Show all custom detections
- name: "All Detections - Enabled"
query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all enalbed Detections
description: Show all enabled Detections
- name: "All Detections - Disabled"
query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all disabled Detections
@@ -2273,6 +2287,16 @@ soc:
- name: "Detections with Overrides"
query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
description: Show Detections that have Overrides
detectionEngineStatusQueries: |
suricata:
default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
elastalert:
default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
strelka:
default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
detection:
showUnreviewedAiSummaries: false
presets:
salt/soc/files/soc/detections_custom_repo_template_readme.jinja
+94
View File
@@ -0,0 +1,94 @@
{% if repo_type == 'yara' %}
# YARA Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any YARA rule files found here.
Just add your rule file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the rule file with a .yar extension:
`vi my_custom_rule.yar`
Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yar`
Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yar"`
The next time the Strelka / YARA engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'sigma' %}
# Sigma Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any Sigma rule files found here.
Just add your rule file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the rule file with a .yml or .yaml extension:
`vi my_custom_rule.yml`
Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yml`
Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yml"`
The next time the Elastalert / Sigma engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% endif %}
salt/soc/files/soc/sigma_so_pipeline.yaml
+20
View File
@@ -106,3 +106,23 @@ transformations:
- type: include_fields
fields:
- event.code
# Maps process_creation rules to endpoint process creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_process_create_windows_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
rule_conditions:
- type: logsource
category: process_creation
# Maps file_event rules to endpoint file creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_file_create_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
rule_conditions:
- type: logsource
category: file_event
salt/soc/soc_soc.yaml
+14 -1
View File
@@ -390,6 +390,12 @@ soc:
advanced: True
forcedType: "[]{}"
helpLink: suricata.html
ignoredSidRanges:
description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
global: True
advanced: True
forcedType: "[]string"
helpLink: detections.html#rule-engine-status
client:
enableReverseLookup:
description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
@@ -461,7 +467,14 @@ soc:
alerts: *appSettings
cases: *appSettings
dashboards: *appSettings
detections: *appSettings
detections:
<<: *appSettings
detectionEngineStatusQueries:
description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
global: True
syntax: yaml
multiline: True
forcedType: "string"
detection:
showUnreviewedAiSummaries:
description: Show AI summaries in detections even if they have not yet been reviewed by a human.