From bf76c1b58c940e3fd7e9841f9ae20a1a76c2cc90 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Dec 2020 10:52:14 -0500 Subject: [PATCH 01/10] Create unprocessed dir and move Zeek extracted files there --- salt/strelka/init.sls | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 8748cbe50..bdca1213b 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -72,13 +72,20 @@ strelkalogdir: - group: 939 - makedirs: True -strelkastagedir: +strelkaprocessed: file.directory: - name: /nsm/strelka/processed - user: 939 - group: 939 - makedirs: True +strelkaunprocessed: + file.directory: + - name: /nsm/strelka/unprocessed + - user: 939 + - group: 939 + - makedirs: True + strelka_coordinator: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} @@ -167,7 +174,7 @@ append_so-strelka-filestream_so-status.conf: strelka_zeek_extracted_sync: cron.present: - user: root - - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1' + - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1' - minute: '*' {% else %} @@ -176,4 +183,4 @@ strelka_state_not_allowed: test.fail_without_changes: - name: strelka_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 9493aad1a57e54d81ab9ac50bfe308616e7b303f Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Dec 2020 10:53:17 -0500 Subject: [PATCH 02/10] Read from dedicated unprocessed dir --- salt/strelka/files/filestream/filestream.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml index 0661cabfa..aa5d51ad1 100644 --- a/salt/strelka/files/filestream/filestream.yaml +++ b/salt/strelka/files/filestream/filestream.yaml 
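Review bot: The new `strelkaunprocessed` state in the first hunk sets owner and group 939 but no `dir_mode`, so the directory's permissions are left to the minion's umask (most likely 0755), exactly like the `strelkaprocessed` stanza next to it. This directory is the drop point for files Zeek carved out of network traffic, which a root cron job moves in every minute (second hunk of this patch), so pinning the mode, for example `- dir_mode: '0750'`, on both stanzas keeps the samples from being readable by every local account. A short why-comment above the state would also help, `# Landing zone for Zeek-extracted files; drained by the Strelka filestream container`. Whether files moved in by root are readable by uid 939 depends on how Zeek writes them, which is not visible in this hunk.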
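Review bot: The changed cron command in the second hunk still moves the files with a shell glob, `mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/`, so a burst of extractions large enough to exceed the argument-length limit makes `mv` fail, and the trailing `> /dev/null 2>&1` hides that failure while the files stay behind in `complete/`. If Zeek only writes regular files there, a form that scales with any number of files is `find /nsm/zeek/extracted/complete/ -maxdepth 1 -type f -exec mv -t /nsm/strelka/unprocessed/ {} +`, kept behind the existing `[ -d ... ] &&` guard. The `strelka_zeek_extracted_sync` state is complete within the hunk, so the change is confined to the `name` line.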
@@ -16,7 +16,7 @@ throughput: delay: 0s files: patterns: - - '/nsm/strelka/*' + - '/nsm/strelka/unprocessed/*' delete: false gatekeeper: true response: From 1a463bccaf546369c9d2b275a6844e1b031a5fbd Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Dec 2020 11:25:14 -0500 Subject: [PATCH 03/10] Add cron.absent to remove old cron job if present --- salt/strelka/init.sls | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index bdca1213b..64bf089ff 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -170,7 +170,13 @@ append_so-strelka-filestream_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf - text: so-strelka-filestream - + +strelka_zeek_extracted_sync_old: + cron.absent: + - user: root + - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1' + - minute: '*' + strelka_zeek_extracted_sync: cron.present: - user: root From 4bbedfa02782e83461726dc654e323a291641c13 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 18 Dec 2020 14:14:45 -0500 Subject: [PATCH 04/10] put portgroup name in statename --- salt/firewall/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 07871fa74..6f68cb677 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -104,7 +104,7 @@ enable_docker_user_established: {% for proto, ports in portgroup.items() %} {% for port in ports %} -{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}: +{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{portgroup}}_{{port}}_{{proto}}: iptables.{{action}}: - table: filter - chain: {{ chain }} From ad45779978251acb8abaf7579b90f1b2eab09a4e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 18 Dec 2020 15:01:55 -0500 Subject: [PATCH 05/10] fix duplicate state name for fw --- salt/firewall/init.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
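Review bot: The `files` block in this hunk now points `patterns` at `/nsm/strelka/unprocessed/*` while keeping `delete: false`, and no `processed` path is shown, so it is not clear from the hunk what removes a file from `unprocessed/` once it has been sent to the cluster; if filestream does not move or delete it, the glob will pick the same file up again on the next poll. Worth confirming against the deployed filestream version and recording the answer above the pattern, for example `# Populated by the root cron job in salt/strelka/init.sls; scanned files are moved to /nsm/strelka/processed` once that is verified. The hunk covers the whole `files` block, so nothing relevant is hidden at its edges.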
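Review bot: `- minute: '*'` on the new `strelka_zeek_extracted_sync_old` state has no effect: `cron.absent` matches the job by `name` (or `identifier`) only and ignores scheduling arguments, so the line is dead configuration that suggests a matching criterion Salt does not apply. Drop it, and add a why-comment above the state, `# Upgrade cleanup: removes the earlier job that moved files straight into /nsm/strelka/`, so the next reader knows this is not a live job. The `name` string matches the removed `cron.present` line from the first patch of this series byte for byte, which is what the match requires.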
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 6f68cb677..27f04bee0 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -95,6 +95,7 @@ enable_docker_user_established: - match: conntrack - ctstate: 'RELATED,ESTABLISHED' +{% set count = namespace(value=0) %} {% for chain, hg in assigned_hostgroups.chain.items() %} {% for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %} {% for action in ['insert', 'delete' ] %} @@ -103,8 +104,9 @@ enable_docker_user_established: {% for portgroup in portgroups.portgroups %} {% for proto, ports in portgroup.items() %} {% for port in ports %} + {% set count.value = count.value + 1 %} -{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{portgroup}}_{{port}}_{{proto}}: +{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}_{{count.value}}: iptables.{{action}}: - table: filter - chain: {{ chain }} From 7453626b06fb0ea82a6be329ddd72521187acbdb Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Dec 2020 15:39:52 -0500 Subject: [PATCH 06/10] Add identifier --- salt/strelka/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 64bf089ff..0a92dbbb6 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -180,6 +180,7 @@ strelka_zeek_extracted_sync_old: strelka_zeek_extracted_sync: cron.present: - user: root + - identifier: STRELKACRON - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1' - minute: '*' From 2fee2ca1433a322094fb457f0fdcb1743526c9b5 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Dec 2020 15:40:54 -0500 Subject: [PATCH 07/10] Change identifier name to be more descriptive --- salt/strelka/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 0a92dbbb6..339b5d434 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
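Review bot: Appending `{{count.value}}` to every firewall state ID in the second hunk makes the IDs depend on the iteration order of the whole pillar: adding or removing one portgroup anywhere earlier shifts the suffix of every later rule state, so highstate output and anything that targets an ID by name changes on unrelated edits. A stable alternative that still separates two portgroups sharing an ip/port/proto is to capture the portgroup's position once, `{% set pg_idx = loop.index %}` immediately after the `{% for portgroup in portgroups.portgroups %}` line, and use `{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{pg_idx}}_{{port}}_{{proto}}` as the ID, which also removes the need for the `namespace()` counter added in the first hunk. If the counter stays, `namespace()` requires Jinja2 2.10 or newer on the minion, which is worth confirming for every supported platform. The loop nest these IDs live in begins before this hunk (the `ip` loop is not visible here).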
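Review bot: Adding `- identifier: STRELKACRON` to an already-deployed `cron.present` may leave two entries in root's crontab: as far as I can tell from Salt's cron matching, an existing line written without an explicit identifier is matched by command string, and once a different identifier is supplied that line no longer matches, so a new one is appended and the old keeps running. The same applies to the rename in the next patch (`zeek-extracted-strelka-sync`). Verify on a node upgraded from the previous revision with `crontab -l -u root` after a highstate, and if duplicates appear, add a `cron.absent` for the identifier-less form of the current command the way this series already does for the old `/nsm/strelka/` path.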
@@ -180,7 +180,7 @@ strelka_zeek_extracted_sync_old: strelka_zeek_extracted_sync: cron.present: - user: root - - identifier: STRELKACRON + - identifier: zeek-extracted-strelka-sync - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1' - minute: '*' From a0f00e09c198cb64bedb7e23f0aaab62734ec653 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Dec 2020 09:55:23 -0500 Subject: [PATCH 08/10] 2.3.20 Readme Update --- VERIFY_ISO.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index ed450a342..35cb33926 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,16 +1,16 @@ -### 2.3.10 ISO image built on 2020/11/19 +### 2.3.20 ISO image built on 2020/11/19 ### Download and Verify -2.3.10 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso +2.3.20 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso -MD5: 55E10BAE3D90DF47CA4D5DCCDCB67A96 -SHA1: 01361123F35CEACE077803BC8074594D57EE653A -SHA256: 772EA4EFFFF12F026593F5D1CC93DB538CC17B9BA5F60308F1976B6ED7032A8D +MD5: E348FA65A46FD3FBA0D574D9C1A0582D +SHA1: 4A6E6D4E0B31ECA1B72E642E3DB2C186B59009D6 +SHA256: 25DE77097903640771533FA13094D0720A032B70223875F8C77A92F5C44CA687 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.10.iso.sig securityonion-2.3.10.iso +gpg --verify securityonion-2.3.20.iso.sig securityonion-2.3.20.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 19 Nov 2020 03:38:54 PM EST using RSA key ID FE507013 +gpg: Signature made Sun 20 Dec 2020 11:11:28 AM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. From 88be7bca3fee05978b69b8ef3713aa3920f77251 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 21 Dec 2020 09:56:18 -0500 Subject: [PATCH 09/10] Update VERIFY_ISO.md --- VERIFY_ISO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 35cb33926..e28513cef 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,4 +1,4 @@ -### 2.3.20 ISO image built on 2020/11/19 +### 2.3.20 ISO image built on 2020/12/20 ### Download and Verify From def8dc0e1efafefdb7eaa43dab29e940549c5183 Mon Sep 17 00:00:00 2001 
From: TOoSmOotH Date: Mon, 21 Dec 2020 09:58:25 -0500 Subject: [PATCH 10/10] 2.3.20 ISO sig --- sigs/securityonion-2.3.20.iso.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/securityonion-2.3.20.iso.sig diff --git a/sigs/securityonion-2.3.20.iso.sig b/sigs/securityonion-2.3.20.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..4f24d58391abcb25482896ed1d9c663217ff8796 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5+cd!5o2@re`V7LBIa1-H`5CFMaD1-xAI&s(P?tDD8 zK^FHL*$*!22Q%nJ1d;hnkL>D0e1%7$Q9e?%Skx9iZ#HnYF|^9h`sXt77?UknleS+4 z7_?8GPG`)Vp3*3>2I*)4=iv2)8qvZ>_W8@nqqEr}eQ|rOSQR@P!pf4de?VPLh;v1^5!k>KBGb?aLhYyD;nW|wF!i>vc z_LL4ka5V3d>-`Hm-?q;aQ0}fkc2Ktq{O^5+9ZTdvR>ws6sc}saDbTfAJx3r+I;?JS zA^X8#!3Rl_Yd#n@^}NUb^lS4lC~HcuLonxKG!4n9<-pP3cdNuYHYF0ME9b{Yq*M;v z;NKs5erbK$QUt}(5V8N1Dz&90_ItNQe-0yTwajcOTw>A;sMKIoBlsNNmbT5A&lI%erI(e%g3-iuP zcdWf;`@$Pf7@YK(J|mlObN1~Ps~-_XKY6K7ocrn(9KcxTkoGS~GCJ3$6jZrw$DT0k z7-NTFGVy@R+w4XOJ}