Merge pull request #12511 from Security-Onion-Solutions/jertel/annotations

PCAP annotations

salt/sensoroni/defaults.yaml

@@ -1,58 +1,60 @@
-sensoroni:
+sensoroni:
-  enabled: False
+  enabled: False
-  config:
+  config:
-    analyze:
+    analyze:
-      enabled: False
+      enabled: False
-      timeout_ms: 900000
+      timeout_ms: 900000
-      parallel_limit: 5
+      parallel_limit: 5
-    node_checkin_interval_ms: 10000
+    node_checkin_interval_ms: 10000
-    sensoronikey:
+    sensoronikey:
-    soc_host:
+    soc_host:
-  analyzers:
+    suripcap:
-      echotrail:
+      pcapMaxCount: 999999
-        base_url: https://api.echotrail.io/insights/
+  analyzers:
-        api_key:
+      echotrail:
-      elasticsearch:
+        base_url: https://api.echotrail.io/insights/
-        base_url: 
+        api_key:
-        auth_user: 
+      elasticsearch:
-        auth_pwd: 
+        base_url: 
-        num_results: 10
+        auth_user: 
-        api_key: 
+        auth_pwd: 
-        index: _all
+        num_results: 10
-        time_delta_minutes: 14400
+        api_key: 
-        timestamp_field_name: '@timestamp'
+        index: _all
-        map: {}
+        time_delta_minutes: 14400
-        cert_path:
+        timestamp_field_name: '@timestamp'
-      emailrep:
+        map: {}
-        base_url: https://emailrep.io/
+        cert_path:
-        api_key:
+      emailrep:
-      greynoise:
+        base_url: https://emailrep.io/
-        base_url: https://api.greynoise.io/
+        api_key:
-        api_key:
+      greynoise:
-        api_version: community
+        base_url: https://api.greynoise.io/
-      localfile:
+        api_key:
-        file_path: []
+        api_version: community
-      otx:
+      localfile:
-        base_url: https://otx.alienvault.com/api/v1/
+        file_path: []
-        api_key:
+      otx:
-      pulsedive:
+        base_url: https://otx.alienvault.com/api/v1/
-        base_url: https://pulsedive.com/api/
+        api_key:
-        api_key:
+      pulsedive:
-      spamhaus:
+        base_url: https://pulsedive.com/api/
-        lookup_host: zen.spamhaus.org
+        api_key:
-        nameservers: []
+      spamhaus:
-      sublime_platform:
+        lookup_host: zen.spamhaus.org
-        base_url: https://api.platform.sublimesecurity.com
+        nameservers: []
-        api_key:
+      sublime_platform:
-        live_flow: False
+        base_url: https://api.platform.sublimesecurity.com
-        mailbox_email_address:
+        api_key:
-        message_source_id:
+        live_flow: False
-      urlscan:
+        mailbox_email_address:
-        base_url: https://urlscan.io/api/v1/
+        message_source_id:
-        api_key:
+      urlscan:
-        enabled: False
+        base_url: https://urlscan.io/api/v1/
-        visibility: public
+        api_key:
-        timeout: 180
+        enabled: False
-      virustotal:
+        visibility: public
-        base_url: https://www.virustotal.com/api/v3/search?query=
+        timeout: 180
-        api_key:
+      virustotal:
+        base_url: https://www.virustotal.com/api/v3/search?query=
+        api_key:

salt/sensoroni/files/sensoroni.json

@@ -39,7 +39,8 @@
       "suriquery": {
         "executablePath": "/opt/sensoroni/scripts/suriquery.sh",
         "pcapInputPath": "/nsm/suripcap",
-        "pcapOutputPath": "/nsm/pcapout"
+        "pcapOutputPath": "/nsm/pcapout",
+        "pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}
       }
 {%    endif %}
 {%- else %}

salt/sensoroni/soc_sensoroni.yaml

@@ -37,6 +37,11 @@ sensoroni:
       helpLink: grid.html
       global: True
       advanced: True
+    suripcap:
+      pcapMaxCount:
+        description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
+        helpLink: sensoroni.html
+        advanced: True
   analyzers:
     echotrail:
       api_key:

salt/soc/defaults.yaml

@@ -1103,6 +1103,7 @@ soc:
           esSearchOffsetMs: 1800000
           maxLogLength: 1024
           asyncThreshold: 10
+          lookupTunnelParent: true
         influxdb:
           hostUrl:
           token:

salt/soc/soc_soc.yaml

@@ -126,6 +126,9 @@ soc:
             description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete.
             global: True
             advanced: True
+          lookupTunnelParent:
+            description: When true, if a pivoted event appears to be encapsulated, such as in a VXLAN packet, then SOC will pivot to the VXLAN packet stream. When false, SOC will attempt to pivot to the encapsulated packet stream itself, but at the risk that it may be unable to locate it in the stored PCAP data.
+            global: True
         sostatus:
           refreshIntervalMs:
             description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled.