first commit of importpcap node mode code, kek

This commit is contained in:
m0duspwnens
2020-08-05 14:44:23 -04:00
parent 51934d6e5f
commit 66ca7b266c
4 changed files with 193 additions and 78 deletions


@@ -480,3 +480,51 @@ role:
localhost: localhost:
portgroups: portgroups:
- {{ portgroups.all }} - {{ portgroups.all }}
importpcap:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
sensor:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
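Review bot: `{{ portgroups.syslog}}` under `self` is missing the space before the closing braces that every other portgroup reference in this role carries; write `- {{ portgroups.syslog }}`. Beyond style, the new role opens `beats_endpoint`, `beats_endpoint_ssl`, `elasticsearch_rest`, `search_node` and `sensor` hostgroups on DOCKER-USER although, judging by the setup changes in this commit, an import node has no sensors or search nodes attached to it; if those groups are meant to stay empty on this role a comment saying so would help, otherwise they look like rules that can be dropped. The role appears to be copied from a full node, so an intended use may exist that I cannot see. The file header for this hunk is not visible, so the file path is inferred.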

5
salt/importpcap/bond.sls Normal file

@@ -0,0 +1,5 @@
configure_bond0:
network.managed:
- name: bond0
- type: bond
- enabled: True
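Review bot: `configure_bond0` declares a bond with no `slaves`, `mode` or addressing, so what `network.managed` renders depends entirely on the module's defaults for `type: bond`. If an interface-less bond is intentional (a replay target rather than a real aggregation), state that in a comment at the top of the file, e.g. `# bond0 has no slaves on purpose: <reason - fill in>`; otherwise pin the parameters explicitly so the result does not change with the Salt version. The state is applied from so-setup via `salt-call state.apply importpcap.bond` with output redirected to the setup log, so a rendering failure here would only be visible there.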


@@ -142,65 +142,7 @@ secrets_pillar(){
fi fi
} }
# Enable Bro Logs
zeek_logs_enabled() {
echo "Enabling Bro Logs" >> "$setup_log" 2>&1
local zeeklogs_pillar=./pillar/zeeklogs.sls
printf '%s\n'\
"zeeklogs:"\
" enabled:" > "$zeeklogs_pillar"
if [ "$MANAGERADV" = 'ADVANCED' ]; then
for BLOG in "${BLOGS[@]}"; do
echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
done
else
printf '%s\n'\
" - conn"\
" - dce_rpc"\
" - dhcp"\
" - dhcpv6"\
" - dnp3"\
" - dns"\
" - dpd"\
" - files"\
" - ftp"\
" - http"\
" - intel"\
" - irc"\
" - kerberos"\
" - modbus"\
" - mqtt"\
" - notice"\
" - ntlm"\
" - openvpn"\
" - pe"\
" - radius"\
" - rfb"\
" - rdp"\
" - signatures"\
" - sip"\
" - smb_files"\
" - smb_mapping"\
" - smtp"\
" - snmp"\
" - software"\
" - ssh"\
" - ssl"\
" - syslog"\
" - telnet"\
" - tunnel"\
" - weird"\
" - mysql"\
" - socks"\
" - x509" >> "$zeeklogs_pillar"
fi
printf '%s\n' '----' >> "$setup_log" 2>&1
cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
}
check_admin_pass() { check_admin_pass() {
check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH" check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH"
@@ -416,19 +358,31 @@ check_requirements() {
req_cores=4 req_cores=4
if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
elif [[ "$standalone_or_dist" == 'importpcap' ]]; then
req_mem=4
req_cores=2
req_nics=1
fi fi
if [[ $setup_type == 'network' ]] ; then if [[ $setup_type == 'network' ]] ; then
if [[ -n $nsm_mount ]]; then if [[ -n $nsm_mount ]]; then
if [[ "$standalone_or_dist" == 'importpcap' ]]; then
req_storage=50
else
req_storage=100 req_storage=100
fi
if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
whiptail_storage_requirements "/" "${free_space_root} GB" "${req_storage} GB" whiptail_storage_requirements "/" "${free_space_root} GB" "${req_storage} GB"
fi fi
if (( $(echo "$free_space_nsm < $req_storage" | bc -l) )); then if (( $(echo "$free_space_nsm < $req_storage" | bc -l) )); then
whiptail_storage_requirements "/nsm" "${free_space_nsm} GB" "${req_storage} GB" whiptail_storage_requirements "/nsm" "${free_space_nsm} GB" "${req_storage} GB"
fi fi
else
if [[ "$standalone_or_dist" == 'importpcap' ]]; then
req_storage=50
else else
req_storage=200 req_storage=200
fi
if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
whiptail_storage_requirements "/" "${free_space_root} GB" "${req_storage} GB" whiptail_storage_requirements "/" "${free_space_root} GB" "${req_storage} GB"
fi fi
@@ -720,7 +674,7 @@ docker_install() {
else else
case "$install_type" in case "$install_type" in
'MANAGER' | 'EVAL') 'MANAGER' | 'EVAL' | 'STANDALONE' | 'MANAGERSEARCH' | 'IMPORTPCAP')
apt-get update >> "$setup_log" 2>&1 apt-get update >> "$setup_log" 2>&1
;; ;;
*) *)
@@ -1264,7 +1218,7 @@ saltify() {
set_progress_str 6 'Installing various dependencies' set_progress_str 6 'Installing various dependencies'
yum -y install wget nmap-ncat >> "$setup_log" 2>&1 yum -y install wget nmap-ncat >> "$setup_log" 2>&1
case "$install_type" in case "$install_type" in
'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE') 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORTPCAP')
reserve_group_ids >> "$setup_log" 2>&1 reserve_group_ids >> "$setup_log" 2>&1
yum -y install epel-release >> "$setup_log" 2>&1 yum -y install epel-release >> "$setup_log" 2>&1
yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1 yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1
@@ -1335,7 +1289,7 @@ saltify() {
'FLEET') 'FLEET')
if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi
;; ;;
'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE') # TODO: should this also be HELIXSENSOR? 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORTPCAP') # TODO: should this also be HELIXSENSOR?
# Add saltstack repo(s) # Add saltstack repo(s)
wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3001/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3001/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
@@ -1802,3 +1756,63 @@ es_heapsize() {
export NODE_ES_HEAP_SIZE export NODE_ES_HEAP_SIZE
fi fi
} }
# Enable Bro Logs
zeek_logs_enabled() {
echo "Enabling Bro Logs" >> "$setup_log" 2>&1
local zeeklogs_pillar=./pillar/zeeklogs.sls
printf '%s\n'\
"zeeklogs:"\
" enabled:" > "$zeeklogs_pillar"
if [ "$MANAGERADV" = 'ADVANCED' ]; then
for BLOG in "${BLOGS[@]}"; do
echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
done
else
printf '%s\n'\
" - conn"\
" - dce_rpc"\
" - dhcp"\
" - dhcpv6"\
" - dnp3"\
" - dns"\
" - dpd"\
" - files"\
" - ftp"\
" - http"\
" - intel"\
" - irc"\
" - kerberos"\
" - modbus"\
" - mqtt"\
" - notice"\
" - ntlm"\
" - openvpn"\
" - pe"\
" - radius"\
" - rfb"\
" - rdp"\
" - signatures"\
" - sip"\
" - smb_files"\
" - smb_mapping"\
" - smtp"\
" - snmp"\
" - software"\
" - ssh"\
" - ssl"\
" - syslog"\
" - telnet"\
" - tunnel"\
" - weird"\
" - mysql"\
" - socks"\
" - x509" >> "$zeeklogs_pillar"
fi
printf '%s\n' '----' >> "$setup_log" 2>&1
cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
}
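Review bot: In check_requirements (hunk @@ -416,19 +358,31 @@) the new `if [[ "$standalone_or_dist" == 'importpcap' ]]; then req_storage=50` test is pasted into both the `-n $nsm_mount` branch and its `else`, so the import-node threshold now lives in two places that must be kept in step; derive `req_storage` once and keep a single pair of free-space checks, as below. check_requirements starts and ends outside the hunk, so the lines after the `/` check are assumed unchanged. Separately, in saltify's yum case (hunk @@ -1264,7 +1218,7 @@) the pattern `'STANDALONE'| 'IMPORTPCAP'` is missing the space before the pipe that the rest of the alternatives use; write `'STANDALONE' | 'IMPORTPCAP'` as the apt case already does.
```shell
if [[ $setup_type == 'network' ]] ; then
  # Derive the threshold once; an import node needs less disk than a full install.
  if [[ "$standalone_or_dist" == 'importpcap' ]]; then
    req_storage=50
  elif [[ -n $nsm_mount ]]; then
    req_storage=100
  else
    req_storage=200
  fi
  if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
    whiptail_storage_requirements "/" "${free_space_root} GB" "${req_storage} GB"
  fi
  if [[ -n $nsm_mount ]] && (( $(echo "$free_space_nsm < $req_storage" | bc -l) )); then
    whiptail_storage_requirements "/nsm" "${free_space_nsm} GB" "${req_storage} GB"
  fi
  # … unchanged: remainder of check_requirements …
```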


@@ -165,6 +165,8 @@ elif [ "$install_type" = 'FLEET' ]; then
OSQUERY=1 OSQUERY=1
elif [ "$install_type" = 'HELIXSENSOR' ]; then elif [ "$install_type" = 'HELIXSENSOR' ]; then
is_helix=true is_helix=true
elif [ "$install_type" = 'IMPORTPCAP' ]; then
is_importpcap=true
fi fi
if [[ $is_manager && $is_sensor ]]; then if [[ $is_manager && $is_sensor ]]; then
@@ -173,8 +175,10 @@ elif [[ $is_fleet_standalone ]]; then
check_requirements "dist" "fleet" check_requirements "dist" "fleet"
elif [[ $is_sensor && ! $is_eval ]]; then elif [[ $is_sensor && ! $is_eval ]]; then
check_requirements "dist" "sensor" check_requirements "dist" "sensor"
elif [[ $is_distmanager || $is_minion ]]; then elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_importpcap ]]; then
check_requirements "dist" check_requirements "dist"
elif [[ $is_importpcap ]]; then
check_requirements "importpcap"
fi fi
whiptail_patch_schedule whiptail_patch_schedule
@@ -239,13 +243,38 @@ if [[ $is_node ]]; then
CURCLOSEDAYS=30 CURCLOSEDAYS=30
fi fi
if [[ $is_importpcap ]]; then
patch_schedule=Automatic
RULESETUP=ETOPEN
NSMSETUP=BASIC
HNSENSOR=inherit
MANAGERUPDATES=0
MANAGERADV=BASIC
ZEEKVERSION=ZEEK
NIDS=Suricata
RULESETUP=ETOPEN
GRAFANA=0
OSQUERY=0
WAZUH=0
THEHIVE=0
PLAYBOOK=0
STRELKA=0
fi
# Start user prompts # Start user prompts
if [[ $is_helix || $is_sensor ]]; then if [[ $is_helix || $is_sensor ]]; then
whiptail_sensor_nics whiptail_sensor_nics
fi
if [[ $is_helix || $is_sensor || $is_importpcap ]]; then
calculate_useable_cores calculate_useable_cores
fi fi
if [[ $is_helix || $is_manager ]]; then if [[ $is_helix || $is_manager || $is_importpcap ]]; then
whiptail_homenet_manager whiptail_homenet_manager
fi fi
@@ -274,6 +303,9 @@ if [[ $is_manager ]]; then
if [[ $STRELKA == 1 ]]; then if [[ $STRELKA == 1 ]]; then
whiptail_strelka_rules whiptail_strelka_rules
fi fi
fi
if [[ $is_manager || $is_importpcap ]]; then
collect_webuser_inputs collect_webuser_inputs
get_redirect get_redirect
fi fi
@@ -335,7 +367,7 @@ else
FLEETNODEPASSWD1=$WEBPASSWD1 FLEETNODEPASSWD1=$WEBPASSWD1
fi fi
if [[ $is_manager ]]; then whiptail_so_allow; fi if [[ $is_manager || $is_importpcap ]]; then whiptail_so_allow; fi
whiptail_make_changes whiptail_make_changes
@@ -359,7 +391,7 @@ fi
} >> $setup_log 2>&1 } >> $setup_log 2>&1
if [[ $is_manager ]]; then if [[ $is_manager || $is_importpcap ]]; then
{ {
generate_passwords; generate_passwords;
secrets_pillar; secrets_pillar;
@@ -399,6 +431,9 @@ fi
if [[ $is_sensor || $is_helix ]]; then if [[ $is_sensor || $is_helix ]]; then
set_progress_str 3 'Configuring sensor interface' set_progress_str 3 'Configuring sensor interface'
configure_network_sensor >> $setup_log 2>&1 configure_network_sensor >> $setup_log 2>&1
fi
if [[ $is_sensor || $is_helix || $is_importpcap ]]; then
set_progress_str 4 'Generating sensor pillar' set_progress_str 4 'Generating sensor pillar'
sensor_pillar >> $setup_log 2>&1 sensor_pillar >> $setup_log 2>&1
fi fi
@@ -415,7 +450,7 @@ fi
set_progress_str 9 'Initializing Salt minion' set_progress_str 9 'Initializing Salt minion'
configure_minion "$minion_type" >> $setup_log 2>&1 configure_minion "$minion_type" >> $setup_log 2>&1
if [[ $is_manager || $is_helix ]]; then if [[ $is_manager || $is_helix || $is_importpcap ]]; then
set_progress_str 10 'Configuring Salt master' set_progress_str 10 'Configuring Salt master'
{ {
create_local_directories; create_local_directories;
@@ -459,7 +494,7 @@ fi
accept_salt_key_remote >> $setup_log 2>&1 accept_salt_key_remote >> $setup_log 2>&1
fi fi
if [[ $is_manager ]]; then if [[ $is_manager || $is_importpcap ]]; then
set_progress_str 20 'Accepting Salt key' set_progress_str 20 'Accepting Salt key'
salt-key -ya "$MINION_ID" >> $setup_log 2>&1 salt-key -ya "$MINION_ID" >> $setup_log 2>&1
fi fi
@@ -472,10 +507,15 @@ fi
salt-call state.apply salt.minion -l info >> $setup_log 2>&1 salt-call state.apply salt.minion -l info >> $setup_log 2>&1
fi fi
if [[ $is_importpcap ]]; then
set_progress_str 22 'Configuring bond interface'
salt-call state.apply importpcap.bond -l info >> $setup_log 2>&1
fi
set_progress_str 23 'Generating CA and checking in' set_progress_str 23 'Generating CA and checking in'
salt_checkin >> $setup_log 2>&1 salt_checkin >> $setup_log 2>&1
if [[ $is_manager || $is_helix ]]; then if [[ $is_manager || $is_helix || $is_importpcap ]]; then
set_progress_str 25 'Configuring firewall' set_progress_str 25 'Configuring firewall'
set_initial_firewall_policy >> $setup_log 2>&1 set_initial_firewall_policy >> $setup_log 2>&1
@@ -485,14 +525,18 @@ fi
set_progress_str 26 'Downloading containers from the internet' set_progress_str 26 'Downloading containers from the internet'
fi fi
if [[ ! $is_importpcap ]]; then
salt-call state.apply -l info registry >> $setup_log 2>&1 salt-call state.apply -l info registry >> $setup_log 2>&1
docker_seed_registry 2>> "$setup_log" # ~ 60% when finished docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
fi
set_progress_str 60 "$(print_salt_state_apply 'manager')" set_progress_str 60 "$(print_salt_state_apply 'manager')"
salt-call state.apply -l info manager >> $setup_log 2>&1 salt-call state.apply -l info manager >> $setup_log 2>&1
if [[ ! $is_importpcap ]]; then
set_progress_str 61 "$(print_salt_state_apply 'idstools')" set_progress_str 61 "$(print_salt_state_apply 'idstools')"
salt-call state.apply -l info idstools >> $setup_log 2>&1 salt-call state.apply -l info idstools >> $setup_log 2>&1
fi
set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')" set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"
salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
@@ -513,7 +557,7 @@ fi
set_progress_str 64 "$(print_salt_state_apply 'nginx')" set_progress_str 64 "$(print_salt_state_apply 'nginx')"
salt-call state.apply -l info nginx >> $setup_log 2>&1 salt-call state.apply -l info nginx >> $setup_log 2>&1
if [[ $is_manager || $is_node ]]; then if [[ $is_manager || $is_node || $is_importpcap ]]; then
set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
fi fi
@@ -521,7 +565,9 @@ fi
if [[ $is_sensor ]]; then if [[ $is_sensor ]]; then
set_progress_str 65 "$(print_salt_state_apply 'pcap')" set_progress_str 65 "$(print_salt_state_apply 'pcap')"
salt-call state.apply -l info pcap >> $setup_log 2>&1 salt-call state.apply -l info pcap >> $setup_log 2>&1
fi
if [[ $is_sensor || $is_importpcap ]]; then
set_progress_str 66 "$(print_salt_state_apply 'suricata')" set_progress_str 66 "$(print_salt_state_apply 'suricata')"
salt-call state.apply -l info suricata >> $setup_log 2>&1 salt-call state.apply -l info suricata >> $setup_log 2>&1
@@ -534,13 +580,15 @@ fi
salt-call state.apply -l info curator >> $setup_log 2>&1 salt-call state.apply -l info curator >> $setup_log 2>&1
fi fi
if [[ $is_manager ]]; then if [[ $is_manager || $is_importpcap ]]; then
set_progress_str 69 "$(print_salt_state_apply 'soc')" set_progress_str 69 "$(print_salt_state_apply 'soc')"
salt-call state.apply -l info soc >> $setup_log 2>&1 salt-call state.apply -l info soc >> $setup_log 2>&1
set_progress_str 70 "$(print_salt_state_apply 'kibana')" set_progress_str 70 "$(print_salt_state_apply 'kibana')"
salt-call state.apply -l info kibana >> $setup_log 2>&1 salt-call state.apply -l info kibana >> $setup_log 2>&1
fi
if [[ $is_manager ]]; then
set_progress_str 71 "$(print_salt_state_apply 'elastalert')" set_progress_str 71 "$(print_salt_state_apply 'elastalert')"
salt-call state.apply -l info elastalert >> $setup_log 2>&1 salt-call state.apply -l info elastalert >> $setup_log 2>&1
@@ -598,7 +646,7 @@ fi
fi fi
fi fi
if [[ $is_manager || $is_helix ]]; then if [[ $is_manager || $is_helix || $is_importpcap ]]; then
set_progress_str 81 "$(print_salt_state_apply 'utility')" set_progress_str 81 "$(print_salt_state_apply 'utility')"
salt-call state.apply -l info utility >> $setup_log 2>&1 salt-call state.apply -l info utility >> $setup_log 2>&1
fi fi
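Review bot: In the importpcap defaults block (hunk @@ -239,13 +243,38 @@) `RULESETUP=ETOPEN` is assigned twice, once before `NSMSETUP=BASIC` and again after `NIDS=Suricata`; drop the second occurrence. The same block sets `patch_schedule=Automatic`, yet `whiptail_patch_schedule` runs unconditionally earlier (hunk @@ -173,8 +175,10 @@), so an import node appears to prompt for a patch schedule and then discard the answer; if that helper writes `patch_schedule`, as its name suggests, guard it with `if [[ ! $is_importpcap ]]; then whiptail_patch_schedule; fi` or move the defaults above it. This is top-level script code rather than a function, and the surrounding conditionals continue outside the visible hunks.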