Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into dev

VERIFY_ISO.md

@@ -1,16 +1,16 @@
-### 2.3.10 ISO image built on 2020/11/19
+### 2.3.20 ISO image built on 2020/12/20
 
 ### Download and Verify
 
-2.3.10 ISO image:  
+2.3.20 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso
 
-MD5: 55E10BAE3D90DF47CA4D5DCCDCB67A96  
+MD5: E348FA65A46FD3FBA0D574D9C1A0582D  
-SHA1: 01361123F35CEACE077803BC8074594D57EE653A  
+SHA1: 4A6E6D4E0B31ECA1B72E642E3DB2C186B59009D6  
-SHA256: 772EA4EFFFF12F026593F5D1CC93DB538CC17B9BA5F60308F1976B6ED7032A8D 
+SHA256: 25DE77097903640771533FA13094D0720A032B70223875F8C77A92F5C44CA687 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.10.iso.sig securityonion-2.3.10.iso
+gpg --verify securityonion-2.3.20.iso.sig securityonion-2.3.20.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 19 Nov 2020 03:38:54 PM EST using RSA key ID FE507013
+gpg: Signature made Sun 20 Dec 2020 11:11:28 AM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

salt/firewall/init.sls

@@ -95,6 +95,7 @@ enable_docker_user_established:
     - match: conntrack
     - ctstate: 'RELATED,ESTABLISHED'
 
+{% set count = namespace(value=0) %}
 {% for chain, hg in assigned_hostgroups.chain.items() %}
   {% for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %}
     {% for action in ['insert', 'delete' ] %}
@@ -103,8 +104,9 @@ enable_docker_user_established:
           {% for portgroup in portgroups.portgroups %}
             {% for proto, ports in portgroup.items() %}
               {% for port in ports %}
+                {% set count.value = count.value + 1 %}
 
-{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
+{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}_{{count.value}}:
   iptables.{{action}}:
     - table: filter
     - chain: {{ chain }}

salt/strelka/files/filestream/filestream.yaml

@@ -16,7 +16,7 @@ throughput:
   delay: 0s
 files:
   patterns:
-    - '/nsm/strelka/*'
+    - '/nsm/strelka/unprocessed/*'
   delete: false
   gatekeeper: true
 response:

salt/strelka/init.sls

@@ -72,13 +72,20 @@ strelkalogdir:
     - group: 939
     - makedirs: True
 
-strelkastagedir:
+strelkaprocessed:
    file.directory:
     - name: /nsm/strelka/processed
     - user: 939
     - group: 939
     - makedirs: True
 
+strelkaunprocessed:
+   file.directory:
+    - name: /nsm/strelka/unprocessed
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 strelka_coordinator:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -164,10 +171,17 @@ append_so-strelka-filestream_so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-strelka-filestream
 
+strelka_zeek_extracted_sync_old:
+  cron.absent:
+    - user: root
+    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
+    - minute: '*'
+
 strelka_zeek_extracted_sync:
   cron.present:
     - user: root
-    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
+    - identifier: zeek-extracted-strelka-sync
+    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1'
     - minute: '*'
 
 {% else %}