CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 18:22:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/dev' into feature/auth

Browse Source 
# Conflicts:
#	salt/common/nginx/nginx.conf.so-eval
This commit is contained in:
William Wernert
2020-01-09 18:41:46 -05:00
parent 1bfb8bbea2 6ea941dfba
commit 5cb8bd61b6
67 changed files with 2534 additions and 311 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
pillar/thresholding/pillar.example Normal file
View File

@@ -0,0 +1,44 @@
thresholding:
sids:
8675309:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
11223344:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24

20
pillar/thresholding/pillar.usage Normal file
View File

@@ -0,0 +1,20 @@
thresholding:
sids:
<signature id>:
- threshold:
gen_id: <generator id>
type: <threshold | limit | both>
track: <by_src | by_dst>
count: <count>
seconds: <seconds>
- rate_filter:
gen_id: <generator id>
track: <by_src | by_dst | by_rule | by_both>
count: <count>
seconds: <seconds>
new_action: <alert | pass>
timeout: <seconds>
- suppress:
gen_id: <generator id>
track: <by_src | by_dst | by_either>
ip: <ip | subnet>

11
pillar/top.sls
View File

@@ -3,20 +3,20 @@ base:
- patch.needs_restarting - patch.needs_restarting
'G@role:so-sensor': 'G@role:so-sensor':
- sensors.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- brologs - brologs
'G@role:so-master': 'G@role:so-master':
- masters.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- data.* - data.*
- auth - auth
'G@role:so-eval': 'G@role:so-eval':
- masters.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- data.* - data.*
@@ -24,13 +24,12 @@ base:
- auth - auth
'G@role:so-node': 'G@role:so-node':
- nodes.{{ grains.id }} - minions.{{ grains.id }}
- static - static
- firewall.* - firewall.*
'G@role:so-helix': 'G@role:so-helix':
- masters.{{ grains.id }} - minions.{{ grains.id }}
- sensors.{{ grains.id }}
- static - static
- firewall.* - firewall.*
- fireeye - fireeye

63
salt/bro/cron/zeek_clean Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
clean () {
SENSOR_DIR='/nsm'
CRIT_DISK_USAGE=90
CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
LOG="/nsm/bro/logs/zeek_clean.log"
if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
do
TODAY=$(date -u "+%Y-%m-%d")
# find the oldest Zeek logs directory and exclude today
OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1)
if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
then
echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
exit 0
else
echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG
rm -rf /nsm/bro/logs/"$OLDEST_DIR"
fi
# find oldest files in extracted directory and exclude today
OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
then
echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG
else
OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
do
echo "$(date) - Removing extracted file: $FILE" >> $LOG
rm -f "$FILE"
done
fi
done
else
echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
fi
}
clean

15
salt/bro/init.sls
View File

@@ -79,6 +79,21 @@ plcronscript:
- source: salt://bro/cron/packetloss.sh - source: salt://bro/cron/packetloss.sh
- mode: 755 - mode: 755
zeekcleanscript:
file.managed:
- name: /usr/local/bin/zeek_clean
- source: salt://bro/cron/zeek_clean
- mode: 755
/usr/local/bin/zeek_clean:
cron.present:
- user: root
- minute: '*'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
/usr/local/bin/packetloss.sh: /usr/local/bin/packetloss.sh:
cron.present: cron.present:
- user: root - user: root

3
salt/common/nginx/nginx.conf.so-eval
View File

@@ -184,6 +184,7 @@ http {
} }
<<<<<<< HEAD
location /cyberchef/ { location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/; proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90; proxy_read_timeout 90;
@@ -196,6 +197,8 @@ http {
} }
=======
>>>>>>> origin/dev
location /soctopus/ { location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/; proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90; proxy_read_timeout 90;

12
salt/common/nginx/nginx.conf.so-master
View File

@@ -188,18 +188,6 @@ http {
} }
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ { location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/; proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90; proxy_read_timeout 90;

18
salt/common/tools/sbin/so-allow
View File

@@ -40,3 +40,21 @@ fi
echo "Adding $IP to the $FULLROLE role. This can take a few seconds" echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
# Check if Wazuh enabled
if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
# If analyst, add to Wazuh AR whitelist
if [ "$FULLROLE" == "analyst" ]; then
WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
DATE=`date`
sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n <global>\n <white_list>$IP</white_list>\n </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
echo
echo "Restarting OSSEC Server..."
/usr/sbin/so-wazuh-restart
fi
fi
fi

20
salt/common/tools/sbin/so-cortex-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start cortex $1

20
salt/common/tools/sbin/so-cortex-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop cortex $1

20
salt/common/tools/sbin/so-curator-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart curator $1

20
salt/common/tools/sbin/so-curator-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start curator $1

20
salt/common/tools/sbin/so-curator-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop curator $1

1000
salt/common/tools/sbin/so-elastalert-create Normal file
View File

File diff suppressed because it is too large Load Diff

20
salt/common/tools/sbin/so-elastalert-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elastalert $1

20
salt/common/tools/sbin/so-elastalert-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elastalert $1

20
salt/common/tools/sbin/so-elastalert-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elastalert $1

142
salt/common/tools/sbin/so-elastalert-test Normal file
View File

@@ -0,0 +1,142 @@
#!/bin/bash
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Originally written by Bryant Treacle
# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
# Modified by Doug Burks and Wes Lambert
#
# Purpose: This script will allow you to test your elastalert rule without entering the Docker container.
. /usr/sbin/so-elastic-common
OPTIONS=""
SKIP=0
RESULTS_TO_LOG="n"
RULE_NAME=""
FILE_SAVE_LOCATION=""
usage()
{
cat <<EOF
Test Elastalert Rule
Options:
-h This message
-a Trigger real alerts instead of the debug alert
-l <path_to_file> Write results to specified log file
-o '<options>' Specify Elastalert options ( Ex. --schema-only , --count-only, --days N )
-r <rule_name> Specify path/name of rule to test
EOF
}
while getopts "hal:o:r:" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
a)
OPTIONS="--alert"
;;
l)
RESULTS_TO_LOG="y"
FILE_SAVE_LOCATION=$OPTARG
;;
o)
OPTIONS=$OPTARG
;;
r)
RULE_NAME=$OPTARG
SKIP=1
;;
*)
usage
exit 0
;;
esac
done
docker_exec(){
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
else
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
fi
}
rule_prompt(){
CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
echo
echo "This script will allow you to test an Elastalert rule."
echo
echo "Below is a list of active Elastalert rules:"
echo
echo "-----------------------------------"
echo
echo "$CURRENT_RULES"
echo
echo "-----------------------------------"
echo
echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
echo
echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
echo
while [ -z $RULE_NAME ]; do
echo "Please enter the file path and rule name you want to test."
read -e RULE_NAME
done
}
log_save_prompt(){
RESULTS_TO_LOG=""
while [ -z $RESULTS_TO_LOG ]; do
echo "The results can be rather long. Would you like to write the results to a file? (Y/N)"
read RESULTS_TO_LOG
done
}
log_path_prompt(){
while [ -z $FILE_SAVE_LOCATION ]; do
echo "Please enter the file path and file name."
read -e FILE_SAVE_LOCATION
done
echo "Depending on the rule this may take a while."
}
if [ $SKIP -eq 0 ]; then
rule_prompt
log_save_prompt
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
log_path_prompt
fi
fi
docker_exec
if [ $? -eq 0 ]; then
echo "Test completed successfully!"
else
echo "Something went wrong..."
fi
echo

33
salt/common/tools/sbin/so-elastic-diagnose Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Source common settings
. /usr/sbin/so-common
# Check for log files
for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
# If file exists, then look for errors or warnings
if [ -f $FILE ]; then
MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE`
if [ ! -z "$MESSAGE" ]; then
header $FILE
echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
echo
fi
fi
done

20
salt/common/tools/sbin/so-elasticsearch-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elasticsearch $1

31
salt/common/tools/sbin/so-filebeat-start
View File

@@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# #
# This program is distributed in the hope that it will be useful, # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # This program is free software: you can redistribute it and/or modify
# along with this program. If not, see <http://www.gnu.org/licenses/>. # it under the terms of the GNU General Public License as published by
docker rm so-filebeat && salt-call state.apply filebeat # the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start filebeat $1

31
salt/common/tools/sbin/so-filebeat-stop
View File

@@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# #
# This program is distributed in the hope that it will be useful, # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # This program is free software: you can redistribute it and/or modify
# along with this program. If not, see <http://www.gnu.org/licenses/>. # it under the terms of the GNU General Public License as published by
docker stop so-filebeat # the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop filebeat $1

20
salt/common/tools/sbin/so-fleet-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart fleet $1

20
salt/common/tools/sbin/so-fleet-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start fleet $1

20
salt/common/tools/sbin/so-fleet-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop fleet $1

20
salt/common/tools/sbin/so-grafana-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart grafana $1

20
salt/common/tools/sbin/so-grafana-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start grafana $1

20
salt/common/tools/sbin/so-grafana-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop grafana $1

20
salt/common/tools/sbin/so-kibana-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart kibana $1

20
salt/common/tools/sbin/so-kibana-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start kibana $1

20
salt/common/tools/sbin/so-kibana-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop kibana $1

20
salt/common/tools/sbin/so-logstash-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start logstash $1

20
salt/common/tools/sbin/so-logstash-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop logstash $1

20
salt/common/tools/sbin/so-mysql-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart mysql $1

20
salt/common/tools/sbin/so-mysql-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start mysql $1

20
salt/common/tools/sbin/so-mysql-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop mysql $1

20
salt/common/tools/sbin/so-playbook-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start playbook $1

20
salt/common/tools/sbin/so-playbook-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop playbook $1

20
salt/common/tools/sbin/so-redis-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart redis $1

20
salt/common/tools/sbin/so-redis-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start redis $1

20
salt/common/tools/sbin/so-redis-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop redis $1

5
salt/common/tools/sbin/so-restart
View File

@@ -20,7 +20,7 @@
. /usr/sbin/so-common . /usr/sbin/so-common
echo $banner echo $banner
printf "Restarting $1\n" printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner echo $banner
if [ "$2" = "--force" ] if [ "$2" = "--force" ]
@@ -31,6 +31,5 @@ fi
case $1 in case $1 in
"cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;; "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
"fleet") docker stop so-fleet so-redis && docker rm so-fleet so-redis && salt-call state.apply fleet queue=True;; *) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
*) docker stop so-$1 && docker rm so-$1 && salt-call state.apply $1 queue=True;;
esac esac

20
salt/common/tools/sbin/so-soctopus-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start soctopus $1

20
salt/common/tools/sbin/so-soctopus-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop soctopus $1

37
salt/common/tools/sbin/so-start
View File

@@ -1 +1,36 @@
sudo salt-call state.highstate #!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-start all | filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner
if [ "$2" = "--force" ]
then
printf "\nForce-stopping all Salt jobs before proceeding\n\n"
salt-call saltutil.kill_all_jobs
fi
case $1 in
"all") salt-call state.highstate queue=True;;
*) if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi
esac

27
salt/common/tools/sbin/so-stop Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-stop filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Stopping $1...\n"
echo $banner
docker stop so-$1 ; docker rm so-$1

20
salt/common/tools/sbin/so-thehive-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start thehive $1

20
salt/common/tools/sbin/so-thehive-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop thehive $1

2
salt/common/tools/sbin/so-wazuh-start
View File

@@ -14,4 +14,4 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
docker rm so-wazuh && salt-call state.apply wazuh docker stop so-wazuh

20
salt/common/tools/sbin/so-zeek-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart bro $1

20
salt/common/tools/sbin/so-zeek-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start bro $1

20
salt/common/tools/sbin/so-zeek-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop bro $1

51
salt/domainstats/init.sls Normal file
View File

@@ -0,0 +1,51 @@
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Create the group
dstatsgroup:
group.present:
- name: domainstats
- gid: 936
# Add user
domainstats:
user.present:
- uid: 936
- gid: 936
- home: /opt/so/conf/domainstats
- createhome: False
# Create the log directory
dstatslogdir:
file.directory:
- name: /opt/so/log/domainstats
- user: 936
- group: 939
- makedirs: True
so-domainstatsimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
so-domainstats:
docker_container.running:
- require:
- so-domainstatsimage
- image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
- hostname: domainstats
- name: so-domainstats
- user: domainstats
- binds:
- /opt/so/log/domainstats:/var/log/domain_stats

131
salt/elastalert/files/modules/so/thehive.py
View File

@@ -1,84 +1,107 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from __future__ import unicode_literals # HiveAlerter modified from original at: https://raw.githubusercontent.com/Nclose-ZA/elastalert_hive_alerter/master/elastalert_hive_alerter/hive_alerter.py
import uuid import uuid
import re
from elastalert.alerts import Alerter from elastalert.alerts import Alerter
from thehive4py.api import TheHiveApi from thehive4py.api import TheHiveApi
from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper
class TheHiveAlerter(Alerter): class TheHiveAlerter(Alerter):
""" """
Use matched data to create alerts containing observables in an instance of TheHive Use matched data to create alerts containing observables in an instance of TheHive
This is a modified version for use with Security Onion
""" """
required_options = set(['hive_connection', 'hive_alert_config']) required_options = set(['hive_connection', 'hive_alert_config'])
def alert(self, matches): def get_aggregation_summary_text(self, matches):
text = super(TheHiveAlerter, self).get_aggregation_summary_text(matches)
if text:
text = '```\n{0}```\n'.format(text)
return text
def create_artifacts(self, match):
artifacts = []
context = {'rule': self.rule, 'match': match}
for mapping in self.rule.get('hive_observable_data_mapping', []):
for observable_type, match_data_key in mapping.items():
try:
artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
except KeyError as e:
print(('format string {} fail cause no key {} in {}'.format(e, match_data_key, context)))
return artifacts
def create_alert_config(self, match):
context = {'rule': self.rule, 'match': match}
alert_config = {
'artifacts': self.create_artifacts(match),
'sourceRef': str(uuid.uuid4())[0:6],
'title': '{rule[name]}'.format(**context)
}
alert_config.update(self.rule.get('hive_alert_config', {}))
for alert_config_field, alert_config_value in alert_config.items():
if alert_config_field == 'customFields':
custom_fields = CustomFieldHelper()
for cf_key, cf_value in alert_config_value.items():
try:
func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
except AttributeError:
raise Exception('unsupported custom field type {}'.format(cf_value['type']))
value = cf_value['value'].format(**context)
func(cf_key, value)
alert_config[alert_config_field] = custom_fields.build()
elif isinstance(alert_config_value, str):
alert_config[alert_config_field] = alert_config_value.format(**context)
elif isinstance(alert_config_value, (list, tuple)):
formatted_list = []
for element in alert_config_value:
try:
formatted_list.append(element.format(**context))
except (AttributeError, KeyError, IndexError):
formatted_list.append(element)
alert_config[alert_config_field] = formatted_list
return alert_config
def send_to_thehive(self, alert_config):
connection_details = self.rule['hive_connection'] connection_details = self.rule['hive_connection']
api = TheHiveApi( api = TheHiveApi(
connection_details.get('hive_host'), connection_details.get('hive_host', ''),
connection_details.get('hive_apikey', ''), connection_details.get('hive_apikey', ''),
proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}), proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
cert=connection_details.get('hive_verify', False)) cert=connection_details.get('hive_verify', False))
for match in matches: alert = Alert(**alert_config)
context = {'rule': self.rule, 'match': match} response = api.create_alert(alert)
if response.status_code != 201:
raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
def alert(self, matches):
if self.rule.get('hive_alert_config_type', 'custom') != 'classic':
for match in matches:
alert_config = self.create_alert_config(match)
self.send_to_thehive(alert_config)
else:
alert_config = self.create_alert_config(matches[0])
artifacts = [] artifacts = []
for mapping in self.rule.get('hive_observable_data_mapping', []): for match in matches:
for observable_type, match_data_key in mapping.items(): artifacts += self.create_artifacts(match)
try: if 'related_events' in match:
match_data_keys = re.findall(r'\{match\[([^\]]*)\]', match_data_key) for related_event in match['related_events']:
rule_data_keys = re.findall(r'\{rule\[([^\]]*)\]', match_data_key) artifacts += self.create_artifacts(related_event)
data_keys = match_data_keys + rule_data_keys
context_keys = list(context['match'].keys()) + list(context['rule'].keys())
if all([True if k in context_keys else False for k in data_keys]):
artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
except KeyError:
raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context))
alert_config = { alert_config['artifacts'] = artifacts
'artifacts': artifacts, alert_config['title'] = self.create_title(matches)
'sourceRef': str(uuid.uuid4())[0:6], alert_config['description'] = self.create_alert_body(matches)
'title': '{rule[index]}_{rule[name]}'.format(**context) self.send_to_thehive(alert_config)
}
alert_config.update(self.rule.get('hive_alert_config', {}))
for alert_config_field, alert_config_value in alert_config.items():
if alert_config_field == 'customFields':
custom_fields = CustomFieldHelper()
for cf_key, cf_value in alert_config_value.items():
try:
func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
except AttributeError:
raise Exception('unsupported custom field type {}'.format(cf_value['type']))
value = cf_value['value'].format(**context)
func(cf_key, value)
alert_config[alert_config_field] = custom_fields.build()
elif isinstance(alert_config_value, str):
alert_config[alert_config_field] = alert_config_value.format(**context)
elif isinstance(alert_config_value, (list, tuple)):
formatted_list = []
for element in alert_config_value:
try:
formatted_list.append(element.format(**context))
except (AttributeError, KeyError, IndexError):
formatted_list.append(element)
alert_config[alert_config_field] = formatted_list
alert = Alert(**alert_config)
response = api.create_alert(alert)
if response.status_code != 201:
raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
def get_info(self): def get_info(self):
return { return {
'type': 'hivealerter', 'type': 'hivealerter',
'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '') 'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '')
} }

92
salt/elasticsearch/init.sls
View File

@@ -1,4 +1,4 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
@@ -16,22 +16,16 @@
{% set esclustername = salt['pillar.get']('master:esclustername', '') %} {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
{% set esheap = salt['pillar.get']('master:esheap', '') %} {% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% elif grains['role'] == 'so-eval' %} {% elif grains['role'] == 'so-eval' %}
{% set esclustername = salt['pillar.get']('master:esclustername', '') %} {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
{% set esheap = salt['pillar.get']('master:esheap', '') %} {% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% elif grains['role'] == 'so-node' %} {% elif grains['role'] == 'so-node' %}
{% set esclustername = salt['pillar.get']('node:esclustername', '') %} {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
{% set esheap = salt['pillar.get']('node:esheap', '') %} {% set esheap = salt['pillar.get']('node:esheap', '') %}
{% set freq = salt['pillar.get']('node:freq', '0') %}
{% set dstats = salt['pillar.get']('node:dstats', '0') %}
{% endif %} {% endif %}
@@ -150,87 +144,3 @@ so-elasticsearch-pipelines:
# Tell the main cluster I am here # Tell the main cluster I am here
#curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}' #curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
# See if Freqserver is enabled
{% if freq == 1 %}
# Create the user
fservergroup:
group.present:
- name: freqserver
- gid: 935
# Add ES user
freqserver:
user.present:
- uid: 935
- gid: 935
- home: /opt/so/conf/freqserver
- createhome: False
# Create the log directory
freqlogdir:
file.directory:
- name: /opt/so/log/freq_server
- user: 935
- group: 935
- makedirs: True
so-freqimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
so-freq:
docker_container.running:
- require:
- so-freqimage
- image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
- hostname: freqserver
- name: so-freqserver
- user: freqserver
- binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw
{% endif %}
{% if dstats == 1 %}
# Create the group
dstatsgroup:
group.present:
- name: domainstats
- gid: 936
# Add user
domainstats:
user.present:
- uid: 936
- gid: 936
- home: /opt/so/conf/domainstats
- createhome: False
# Create the log directory
dstatslogdir:
file.directory:
- name: /opt/so/log/domainstats
- user: 936
- group: 939
- makedirs: True
so-domainstatsimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
so-domainstats:
docker_container.running:
- require:
- so-domainstatsimage
- image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
- hostname: domainstats
- name: so-domainstats
- user: domainstats
- binds:
- /opt/so/log/domainstats:/var/log/domain_stats
{% endif %}

52
salt/freqserver/init.sls Normal file
View File

@@ -0,0 +1,52 @@
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Create the user
fservergroup:
group.present:
- name: freqserver
- gid: 935
# Add ES user
freqserver:
user.present:
- uid: 935
- gid: 935
- home: /opt/so/conf/freqserver
- createhome: False
# Create the log directory
freqlogdir:
file.directory:
- name: /opt/so/log/freq_server
- user: 935
- group: 935
- makedirs: True
so-freqimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
so-freq:
docker_container.running:
- require:
- so-freqimage
- image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
- hostname: freqserver
- name: so-freqserver
- user: freqserver
- binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw

BIN
salt/playbook/files/redmine.db
View File

Binary file not shown.

36
salt/suricata/files/threshold.conf.jinja Normal file
View File

@@ -0,0 +1,36 @@
{% set THRESHOLDING = salt['pillar.get']('thresholding', {}) -%}
{% if THRESHOLDING -%}
{% for EACH_SID in THRESHOLDING.sids -%}
{% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%}
{% for EACH_ACTION in ACTIONS_LIST -%}
{%- if EACH_ACTION == 'threshold' %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
{%- elif EACH_ACTION == 'rate_filter' %}
{%- if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{%- else %}
##### Security Onion does not support drop or reject actions for rate_filter
##### {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{%- endif %}
{%- elif EACH_ACTION == 'suppress' %}
{%- if ACTIONS_LIST[EACH_ACTION].track is defined %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
{%- else %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- else %}
##### The thresholding pillar has not been defined
{%- endif %}

10
salt/suricata/init.sls
View File

@@ -70,6 +70,14 @@ suriconfigsync:
- group: 940 - group: 940
- template: jinja - template: jinja
surithresholding:
file.managed:
- name: /opt/so/conf/suricata/threshold.conf
- source: salt://suricata/files/threshold.conf.jinja
- user: 940
- group: 940
- template: jinja
so-suricataimage: so-suricataimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1 - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
@@ -84,9 +92,11 @@ so-suricata:
- INTERFACE={{ interface }} - INTERFACE={{ interface }}
- binds: - binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw - /opt/so/log/suricata/:/var/log/suricata/:rw
- network_mode: host - network_mode: host
- watch: - watch:
- file: /opt/so/conf/suricata/suricata.yaml - file: /opt/so/conf/suricata/suricata.yaml
- file: surithresholding
- file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/rules/

2
salt/tcpreplay/init.sls
View File

@@ -7,7 +7,7 @@ so-tcpreplayimage:
so-tcpreplay: so-tcpreplay:
docker_container.running: docker_container.running:
- require: - require:
- so-tcpreplay - so-tcpreplayimage
- network_mode: "host" - network_mode: "host"
- image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4 - image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
- name: so-tcpreplay - name: so-tcpreplay

17
salt/top.sls
View File

@@ -4,6 +4,9 @@
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%} {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%}
{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
base: base:
'*': '*':
- patch.os.schedule - patch.os.schedule
@@ -78,7 +81,12 @@ base:
{%- if PLAYBOOK != 0 %} {%- if PLAYBOOK != 0 %}
- playbook - playbook
{%- endif %} {%- endif %}
{%- if FREQSERVER != 0 %}
- freqserver
{%- endif %}
{%- if DOMAINSTATS != 0 %}
- domainstats
{%- endif %}
'G@role:so-master': 'G@role:so-master':
@@ -114,7 +122,12 @@ base:
{%- if PLAYBOOK != 0 %} {%- if PLAYBOOK != 0 %}
- playbook - playbook
{%- endif %} {%- endif %}
{%- if FREQSERVER != 0 %}
- freqserver
{%- endif %}
{%- if DOMAINSTATS != 0 %}
- domainstats
{%- endif %}
# Search node logic # Search node logic

9
salt/wazuh/files/agent/ossec.conf
View File

@@ -179,12 +179,17 @@
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location> <location>/var/ossec/logs/active-responses.log</location>
</localfile> </localfile>
{%- if grains['os'] == 'Ubuntu' %}
<localfile> <localfile>
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/log/auth.log</location> <location>/var/log/auth.log</location>
</localfile> </localfile>
{%- else %}
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
{%- endif %}
<localfile> <localfile>
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/log/syslog</location> <location>/var/log/syslog</location>

8
salt/wazuh/files/agent/wazuh-register-agent
View File

@@ -31,6 +31,7 @@ USER="foo"
PASSWORD="bar" PASSWORD="bar"
AGENT_NAME=$(hostname) AGENT_NAME=$(hostname)
AGENT_IP="{{ip}}" AGENT_IP="{{ip}}"
AGENT_ID=001
display_help() { display_help() {
cat <<HELP_USAGE cat <<HELP_USAGE
@@ -135,5 +136,10 @@ shift $(($OPTIND - 1))
# Default action -> try to register the agent # Default action -> try to register the agent
sleep 10s sleep 10s
register_agent STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
if [[ $STATUS == "Active" ]]; then
echo "Agent $AGENT_ID already registered!"
else
register_agent
fi
#remove_agent #remove_agent

197
setup/functions.sh
View File

@@ -270,9 +270,9 @@ copy_minion_tmp_files() {
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo "Copying pillar and salt files in $TMP to /opt/so/saltstack" echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
cp -Rv $TMP/pillar/ /opt/so/saltstack/pillar/ >> $SETUPLOG 2>&1 cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
if [ -d $TMP/salt ] ; then if [ -d $TMP/salt ] ; then
cp -Rv $TMP/salt/ /opt/so/saltstack/salt/ >> $SETUPLOG 2>&1 cp -Rv $TMP/salt/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
fi fi
else else
echo "scp pillar and salt files in $TMP to master /opt/so/saltstack" echo "scp pillar and salt files in $TMP to master /opt/so/saltstack"
@@ -545,7 +545,8 @@ got_root() {
install_cleanup() { install_cleanup() {
echo "install_cleanup called" >> $SETUPLOG 2>&1 echo "install_cleanup removing the following files:"
ls -lR $TMP
# Clean up after ourselves # Clean up after ourselves
rm -rf /root/installtmp rm -rf /root/installtmp
@@ -556,6 +557,8 @@ install_prep() {
# Create a tmp space that isn't in /tmp # Create a tmp space that isn't in /tmp
mkdir /root/installtmp mkdir /root/installtmp
mkdir /root/installtmp/pillar
mkdir /root/installtmp/pillar/minions
TMP=/root/installtmp TMP=/root/installtmp
} }
@@ -595,47 +598,50 @@ ls_heapsize() {
master_pillar() { master_pillar() {
PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
# Create the master pillar # Create the master pillar
touch /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo "master:" >> $PILLARFILE
echo "master:" > /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainip: $MAINIP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " mainint: $MAININT" >> $PILLARFILE
echo " mainint: $MAININT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " esheap: $ES_HEAP_SIZE" >> $PILLARFILE
echo " esheap: $ES_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " esclustername: {{ grains.host }}" >> $PILLARFILE
echo " esclustername: {{ grains.host }}" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " freq: 0" >> $PILLARFILE
echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " domainstats: 0" >> $PILLARFILE
echo " ls_pipeline_batch_size: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_pipeline_batch_size: 125" >> $PILLARFILE
echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_input_threads: 1" >> $PILLARFILE
echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_batch_count: 125" >> $PILLARFILE
echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " mtu: 1500" >> $PILLARFILE
else else
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " freq: 0" >> $PILLARFILE
echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " domainstats: 0" >> $PILLARFILE
fi fi
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " lsheap: 1000m" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " lsheap: 1000m" >> $PILLARFILE
else else
echo " lsheap: $LS_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " lsheap: $LS_HEAP_SIZE" >> $PILLARFILE
fi fi
echo " lsaccessip: 127.0.0.1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " lsaccessip: 127.0.0.1" >> $PILLARFILE
echo " elastalert: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " elastalert: 1" >> $PILLARFILE
echo " ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " ls_pipeline_workers: $CPUCORES" >> $PILLARFILE
echo " nids_rules: $RULESETUP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " nids_rules: $RULESETUP" >> $PILLARFILE
echo " oinkcode: $OINKCODE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " oinkcode: $OINKCODE" >> $PILLARFILE
#echo " access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " access_key: $ACCESS_KEY" >> $PILLARFILE
#echo " access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE
echo " es_port: $NODE_ES_PORT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " es_port: $NODE_ES_PORT" >> $PILLARFILE
echo " log_size_limit: $LOG_SIZE_LIMIT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
#echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " mysqlpass: $MYSQLPASS" >> $PILLARFILE
#echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls #echo " fleetpass: $FLEETPASS" >> $PILLARFILE
echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " grafana: $GRAFANA" >> $PILLARFILE
echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " osquery: $OSQUERY" >> $PILLARFILE
echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " wazuh: $WAZUH" >> $PILLARFILE
echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " thehive: $THEHIVE" >> $PILLARFILE
echo " playbook: $PLAYBOOK" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls echo " playbook: $PLAYBOOK" >> $PILLARFILE
echo "" >> $PILLARFILE
} }
master_static() { master_static() {
@@ -695,53 +701,39 @@ network_setup() {
node_pillar() { node_pillar() {
NODEPILLARPATH=$TMP/pillar/nodes PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
if [ ! -d $NODEPILLARPATH ]; then
mkdir -p $NODEPILLARPATH
fi
# Create the node pillar # Create the node pillar
touch $NODEPILLARPATH/$MINION_ID.sls echo "node:" >> $PILLARFILE
echo "node:" > $NODEPILLARPATH/$MINION_ID.sls echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainip: $MAINIP" >> $NODEPILLARPATH/$MINION_ID.sls echo " mainint: $MAININT" >> $PILLARFILE
echo " mainint: $MAININT" >> $NODEPILLARPATH/$MINION_ID.sls echo " esheap: $NODE_ES_HEAP_SIZE" >> $PILLARFILE
echo " esheap: $NODE_ES_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls echo " esclustername: {{ grains.host }}" >> $PILLARFILE
echo " esclustername: {{ grains.host }}" >> $NODEPILLARPATH/$MINION_ID.sls echo " lsheap: $NODE_LS_HEAP_SIZE" >> $PILLARFILE
echo " lsheap: $NODE_LS_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $PILLARFILE
echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $PILLARFILE
echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_input_threads: $LSINPUTTHREADS" >> $PILLARFILE
echo " ls_input_threads: $LSINPUTTHREADS" >> $NODEPILLARPATH/$MINION_ID.sls echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $PILLARFILE
echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls echo " es_shard_count: $SHARDCOUNT" >> $PILLARFILE
echo " es_shard_count: $SHARDCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls echo " node_type: $NODETYPE" >> $PILLARFILE
echo " node_type: $NODETYPE" >> $NODEPILLARPATH/$MINION_ID.sls echo " es_port: $NODE_ES_PORT" >> $PILLARFILE
echo " es_port: $NODE_ES_PORT" >> $NODEPILLARPATH/$MINION_ID.sls echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
echo " log_size_limit: $LOG_SIZE_LIMIT" >> $NODEPILLARPATH/$MINION_ID.sls echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
echo " cur_close_days: $CURCLOSEDAYS" >> $NODEPILLARPATH/$MINION_ID.sls echo "" >> $PILLARFILE
} }
patch_pillar() { patch_pillar() {
case $INSTALLTYPE in PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
MASTERONLY | EVALMODE | HELIXSENSOR)
PATCHPILLARPATH=/opt/so/saltstack/pillar/masters
;;
SENSORONLY)
PATCHPILLARPATH=$SENSORPILLARPATH
;;
SEARCHNODE | PARSINGNODE | HOTNODE | WARMNODE)
PATCHPILLARPATH=$NODEPILLARPATH
;;
esac
echo "" >> $PATCHPILLARPATH/$MINION_ID.sls
echo "patch:" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " os:" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " schedule_name: $PATCHSCHEDULENAME" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " enabled: True" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " splay: 300" >> $PATCHPILLARPATH/$MINION_ID.sls
echo "" >> $PILLARFILE
echo "patch:" >> $PILLARFILE
echo " os:" >> $PILLARFILE
echo " schedule_name: $PATCHSCHEDULENAME" >> $PILLARFILE
echo " enabled: True" >> $PILLARFILE
echo " splay: 300" >> $PILLARFILE
echo "" >> $PILLARFILE
} }
@@ -1105,51 +1097,44 @@ salt_install_mysql_deps() {
} }
sensor_pillar() { sensor_pillar() {
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
SENSORPILLARPATH=/opt/so/saltstack/pillar/sensors PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
mkdir -p $TMP
mkdir -p $SENSORPILLARPATH
else
SENSORPILLARPATH=$TMP/pillar/sensors
fi
if [ ! -d $SENSORPILLARPATH ]; then
mkdir -p $SENSORPILLARPATH
fi
# Create the sensor pillar # Create the sensor pillar
touch $SENSORPILLARPATH/$MINION_ID.sls touch $PILLARFILE
echo "sensor:" > $SENSORPILLARPATH/$MINION_ID.sls echo "sensor:" >> $PILLARFILE
echo " interface: bond0" >> $SENSORPILLARPATH/$MINION_ID.sls echo " interface: bond0" >> $PILLARFILE
echo " mainip: $MAINIP" >> $SENSORPILLARPATH/$MINION_ID.sls echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainint: $MAININT" >> $SENSORPILLARPATH/$MINION_ID.sls echo " mainint: $MAININT" >> $PILLARFILE
if [ $NSMSETUP == 'ADVANCED' ]; then if [ $NSMSETUP == 'ADVANCED' ]; then
echo " bro_pins:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " bro_pins:" >> $PILLARFILE
for PIN in $BROPINS; do for PIN in $BROPINS; do
PIN=$(echo $PIN | cut -d\" -f2) PIN=$(echo $PIN | cut -d\" -f2)
echo " - $PIN" >> $SENSORPILLARPATH/$MINION_ID.sls echo " - $PIN" >> $PILLARFILE
done done
echo " suripins:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " suripins:" >> $PILLARFILE
for SPIN in $SURIPINS; do for SPIN in $SURIPINS; do
SPIN=$(echo $SPIN | cut -d\" -f2) SPIN=$(echo $SPIN | cut -d\" -f2)
echo " - $SPIN" >> $SENSORPILLARPATH/$MINION_ID.sls echo " - $SPIN" >> $PILLARFILE
done done
elif [ $INSTALLTYPE == 'HELIXSENSOR' ]; then elif [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " bro_lbprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls echo " bro_lbprocs: $LBPROCS" >> $PILLARFILE
echo " suriprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls echo " suriprocs: $LBPROCS" >> $PILLARFILE
else else
echo " bro_lbprocs: $BASICBRO" >> $SENSORPILLARPATH/$MINION_ID.sls echo " bro_lbprocs: $BASICBRO" >> $PILLARFILE
echo " suriprocs: $BASICSURI" >> $SENSORPILLARPATH/$MINION_ID.sls echo " suriprocs: $BASICSURI" >> $PILLARFILE
fi fi
echo " brobpf:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " brobpf:" >> $PILLARFILE
echo " pcapbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " pcapbpf:" >> $PILLARFILE
echo " nidsbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls echo " nidsbpf:" >> $PILLARFILE
echo " master: $MSRV" >> $SENSORPILLARPATH/$MINION_ID.sls echo " master: $MSRV" >> $PILLARFILE
echo " mtu: $MTU" >> $SENSORPILLARPATH/$MINION_ID.sls echo " mtu: $MTU" >> $PILLARFILE
if [ $HNSENSOR != 'inherit' ]; then if [ $HNSENSOR != 'inherit' ]; then
echo " hnsensor: $HNSENSOR" >> $SENSORPILLARPATH/$MINION_ID.sls echo " hnsensor: $HNSENSOR" >> $PILLARFILE
fi fi
echo " access_key: $ACCESS_KEY" >> $SENSORPILLARPATH/$MINION_ID.sls echo " access_key: $ACCESS_KEY" >> $PILLARFILE
echo " access_secret: $ACCESS_SECRET" >> $SENSORPILLARPATH/$MINION_ID.sls echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE
echo "" >> $PILLARFILE
} }

6
setup/whiptail.sh
View File

@@ -90,7 +90,7 @@ whiptail_cancel() {
whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75
if [ -d "/root/installtmp" ]; then if [ -d "/root/installtmp" ]; then
echo "/root/installtmp exists" >> $SETUPLOG 2>&1 echo "/root/installtmp exists" >> $SETUPLOG 2>&1
install_cleanup install_cleanup >> $SETUPLOG 2>&1
echo "/root/installtmp removed" >> $SETUPLOG 2>&1 echo "/root/installtmp removed" >> $SETUPLOG 2>&1
fi fi
exit exit
@@ -685,14 +685,14 @@ whiptail_set_hostname() {
whiptail_setup_complete() { whiptail_setup_complete() {
whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 75 whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 75
install_cleanup install_cleanup >> $SETUPLOG 2>&1
} }
whiptail_setup_failed() { whiptail_setup_failed() {
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details. Press Enter to reboot." 8 75 whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details. Press Enter to reboot." 8 75
install_cleanup install_cleanup >> $SETUPLOG 2>&1
} }