CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fleet Module - Move database stuff to the fleet module

Browse Source
This commit is contained in:
Mike Reeves
2018-12-06 11:12:56 -05:00
parent 46ef0280cd 7816c6e18e
commit 5a830b4ff4
12 changed files with 217 additions and 516 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
salt/elastalert/init.sls Normal file
View File

@@ -0,0 +1,101 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{% if grains['role'] == 'so-master' %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% set esip = salt['pillar.get']('master:mainip', '') %}
{% set esport = salt['pillar.get']('master:es_port', '') %}
{% elif grains['role'] == 'so-eval' %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% set esip = salt['pillar.get']('master:mainip', '') %}
{% set esport = salt['pillar.get']('master:es_port', '') %}
{% elif grains['role'] == 'so-node' %}
{% set esalert = salt['pillar.get']('node:elastalert', '0') %}
{% endif %}
# Elastalert
{% if esalert == 1 %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 939
- makedirs: True
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 939
- makedirs: True
#elastaconfdir:
# file.directory:
# - name: /opt/so/conf/elastalert
# - user: 933
# - group: 939
# - makedirs: True
#elastaconf:
# file.managed:
# - name: /opt/so/conf/elastalert/config.yaml
# - source: salt://elastalert/files/config.yaml
# - user: 933
# - group: 939
# - template: jinja
so-elastalert:
docker_container.running:
- image: soshybridhunter/so-elastalert:HH1.0.3
- hostname: elastalert
- name: so-elastalert
- user: elastalert
- detach: True
- binds:
# - /opt/so/conf/elastalert/config.yaml:/etc/elastalert/conf/elastalert_config.yaml:ro
- /opt/so/rules/elastalert:/etc/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
- environment:
- ELASTICSEARCH_HOST: {{ esip }}
- ELASTICSEARCH_PORT: {{ esport }}
- ELASTALERT_CONFIG: /etc/elastalert/conf/elastalert_config.yaml
- ELASTALERT_SUPERVISOR_CONF: /etc/elastalert/conf/elastalert_supervisord.conf
- RULES_DIRECTORY: /etc/elastalert/rules/
- LOG_DIR: /var/log/elastalert
{% endif %}

54
salt/elasticsearch/init.sls
View File

@@ -18,7 +18,6 @@
{% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% elif grains['role'] == 'so-eval' %}
@@ -26,7 +25,6 @@
{% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% elif grains['role'] == 'so-node' %}
@@ -34,7 +32,6 @@
{% set esheap = salt['pillar.get']('node:esheap', '') %}
{% set freq = salt['pillar.get']('node:freq', '0') %}
{% set dstats = salt['pillar.get']('node:dstats', '0') %}
{% set esalert = salt['pillar.get']('node:elastalert', '1') %}
{% endif %}
@@ -193,54 +190,3 @@ so-domainstats:
{% endif %}
# Elastalert
{% if esalert == 1 %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 939
- makedirs: True
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 939
- makedirs: True
elastaconf:
file.directory:
- name: /opt/so/conf/elastalert
- user: 933
- group: 939
- makedirs: True
so-elastalert:
docker_container.running:
- image: soshybridhunter/so-elastalert:HH1.0.3
- hostname: elastalert
- name: so-elastalert
- user: elastalert
- detach: True
- binds:
- /etc/elastalert/rules/:/etc/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
{% endif %}

2
salt/logstash/conf/conf.enabled.txt.so-eval
View File

@@ -12,8 +12,8 @@
/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
/usr/share/logstash/pipeline.so/0003_input_syslog.conf
/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.so/0008_input_eval.conf
/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
/usr/share/logstash/pipeline.so/1002_preprocess_json.conf

109
salt/logstash/conf/conf.enabled.txt.so-eval.old Normal file
View File

@@ -0,0 +1,109 @@
# This is where can specify which LogStash configs get loaded.
#
# The custom folder on the master gets automatically synced to each logstash
# node.
#
# To enable a custom configuration see the following example and uncomment:
# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
##
# All of the defaults are loaded.
/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
/usr/share/logstash/pipeline.so/0001_input_json.conf
/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
/usr/share/logstash/pipeline.so/0003_input_syslog.conf
/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.so/0008_input_eval.conf
/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
/usr/share/logstash/pipeline.so/1998_test_data.conf
/usr/share/logstash/pipeline.so/2000_network_flow.conf
/usr/share/logstash/pipeline.so/6000_bro.conf
/usr/share/logstash/pipeline.so/6001_bro_import.conf
/usr/share/logstash/pipeline.so/6002_syslog.conf
/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
/usr/share/logstash/pipeline.so/6300_windows.conf
/usr/share/logstash/pipeline.so/6301_dns_windows.conf
/usr/share/logstash/pipeline.so/6400_suricata.conf
/usr/share/logstash/pipeline.so/6500_ossec.conf
/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf

38
salt/pulledpork/etc/disablesid.conf
View File

@@ -1,38 +0,0 @@
# example disablesid.conf V3.1
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

42
salt/pulledpork/etc/dropsid.conf
View File

@@ -1,42 +0,0 @@
# example dropsid.conf V3.1
#
# Note: This file is used to specify what rules you wish to be set to have
# an action of drop rather than alert. This means that you are running
# snort inline (more info about inline deployments at snort.org).
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

48
salt/pulledpork/etc/enablesid.conf
View File

@@ -1,48 +0,0 @@
# example enablesid.conf v3.1
# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file
# will be set back to their ORIGINAL state as it was read when they were
# originally extracted from the source tarball!
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# FOR TESTING ONLY:
# The following will enable ALL signatures for which Pulledpork has been configured
# to download
# pcre:.
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

40
salt/pulledpork/etc/modifysid.conf
View File

@@ -1,40 +0,0 @@
# example modifysid.conf v1.1 2/18/2011 Alan Ptak
#
# Change history:
# -----------------------------------------------
# v1.1 2/18/2011 Alan Ptak
# - Inserted comments around example elements that would otherwise modify rules
#
# v1.0 7/25/2010 JJC
# - original release
# -----------------------------------------------
#
# formatting is simple
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
#
# Note that this will only work with GID:1 rules, simply because modifying
# GID:3 stub rules would not actually affect the rule, thusly it will remain
# non modifyable!
#
# If you are attempting to change rulestate (enable,drop,disable) from here
# then you are doing it wrong, it is much more efficient to do so from within
# the respective rulestate modification configuration files, please see doc/
# and the README file!
# the following applies to sid 10010 only and represents what would normally
# be s/to_client/from_server/
# 10010 "to_client" "from_server"
# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
# rules
# "HTTP_PORTS" "HTTPS_PORTS"
# multiple sids can be specified as noted below:
# 302,429,1821 "\$EXTERNAL_NET" "$HOME_NET"
# example of modification of a rule to make snortsam BLOCK the rule:
# note that one rule changes from alert to BLOCK and that the other
# modifies the msg:" field value so that when the alert occurs it is noted
# that it is a SNORTSAM block rule!
# 17803 "\(msg:"" "\(msg:"SNORTSAM ";
# 17803 "^\s*alert" "BLOCK";

214
salt/pulledpork/etc/pulledpork.conf
View File

@@ -1,214 +0,0 @@
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!
#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######
# You can specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# NEW Community ruleset:
#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
#rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
# URL for rule documentation! (slow to process)
#rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource
# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
# and open-nogpl, to avoid conflicts.
rule_url=https://rules.emergingthreats.net/open/suricata-4.0/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!
# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
# regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
# rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
# preprocessor rules located in the /preproc_rules directory of the tarball,
# ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
# rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp
#######
####### The below section is for rule processing. This section is
####### required if you are not specifying the configuration using
####### runtime switches. Note that runtime switches do SUPERSEED
####### any values that you have specified here!
#######
# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/opt/so/rules/nids/downloaded.rules
# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here. If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set
# out_path=/usr/local/etc/snort/rules/
# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
local_rules=/opt/so/rules/nids/local.rules,/opt/so/rules/nids/decoder-events.rules,/opt/so/rules/nids/stream-events.rules,/opt/so/rules/nids/http-events.rules,/opt/so/rules/nids/smtp-events.rules
# Where should I put the sid-msg.map file?
sid_msg=/opt/so/rules/nids/sid-msg.map
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1
# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/nsm/sid_changes.log
# this value is optional
#######
####### The below section is for so_rule processing only. If you don't
####### need to use them.. then comment this section out!
####### Alternately, if you are not using pulledpork to process
####### so_rules, you can specify -T at runtime to bypass this altogether
#######
# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/etc/nsm/templates/snort/snort.conf
##### Deprecated - The stubs are now categorically written to the single rule file!
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types:
# Debian-6-0, Ubuntu-10-4
# Ubuntu-12-04, Centos-5-4
# FC-12, FC-14, RHEL-5-5, RHEL-6-0
# FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0
# OpenBSD-5-2, OpenBSD-5-3
# OpenSUSE-11-4, OpenSUSE-12-1
# Slackware-13-1
distro=Centos-5-4
####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!
# If you are using IP Reputation and getting some public lists, you will probably
# want to tell pulledpork where your blacklist file lives, PP automagically will
# de-dupe any duplicate IPs from different sources.
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
# the IP list can be reloaded while snort is running through the use of a control
# socket. Please be sure that you built snort with the following optins:
# -enable-shared-rep and --enable-control-socket. Be sure to read about how to
# configure these! The following option tells pulledpork where to place the version
# file for use with control socket ip list reloads!
# This should be the same path where your black_list lives!
IPRVersion=/usr/local/etc/snort/rules/iplists
# The following option tells snort where the snort_control tool is located.
snort_control=/usr/local/bin/snort_control
# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completeion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup
# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www
# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable
# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid
# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
#
# Suricata users - set this to 'suricata-3.x.x' to process rule files
# for suricata, this mimics the -S flag on the command line.
# snort_version=2.9.0.0
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
enablesid=/opt/so/pulledpork/etc/enablesid.conf
dropsid=/opt/so/pulledpork/dropsid.conf
disablesid=/opt/so/pulledpork/disablesid.conf
modifysid=/opt/so/pulledpork/modifysid.conf
# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security
####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.
version=0.7.3

55
salt/pulledpork/init.sls
View File

@@ -1,55 +0,0 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# PulledProk Setup
ppdir:
file.directory:
- name: /opt/so/pulledpork/etc
- user: 939
- group: 939
- makedirs: True
ppetcsync:
file.recurse:
- name: /opt/so/pulledpork/etc
- source: salt://pulledpork/etc
- user: 939
- group: 939
- template: jinja
rulesdir:
file.directory:
- name: /opt/so/rules/nids
- user: 939
- group: 939
- makedirs: True
ruleslink:
file.symlink:
- name: /opt/so/saltstack/salt/pulledpork/rules
- target: /opt/so/rules/nids
toosmooth/so-pulledpork:test2:
docker_image.present
so-pulledpork:
docker_container.running:
- image: toosmooth/so-pulledpork:test2
- hostname: so-pulledpork
- user: socore
- binds:
- /opt/so/pulledpork/etc:/opt/pulledpork/etc:ro
- /opt/so/rules/nids:/opt/so/rules/nids:rw
- network_mode: so-elastic-net

24
salt/somaster/init.sls
View File

@@ -1,24 +0,0 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Add Redis docker if REDIS is enabled
# Add REDIS user
# Sync updated logstash config for REDIS
# Add ES user
# Add ES Docker

6
salt/top.sls
View File

@@ -20,8 +20,11 @@ base:
- firewall
- master
- idstools
<<<<<<< HEAD
- redis
- mysql
=======
>>>>>>> 7816c6e18e21870b0249cc05a161ef1644a94066
- elasticsearch
- logstash
- kibana
@@ -29,6 +32,8 @@ base:
- suricata
- bro
- curator
- elastalert
- filebeat
- utility
- schedule
- fleet
@@ -46,6 +51,7 @@ base:
- elasticsearch
- logstash
- kibana
- elastalert
- utility
- schedule
- fleet