From 30fa9872f95f38dc0aca73908e6dbcbb25f33132 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 10:38:26 -0400 Subject: [PATCH 01/22] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d3f7ac829..a0c5a8c05 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.0.0.rc1 +## Security Onion 2.0.1.rc1 -Security Onion 2.0.0 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! +Security Onion 2.0.1 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! ### Warnings and Disclaimers From 75477fe9bf22aa68efc11f8dec42ad94ab3b61e7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 11:56:14 -0400 Subject: [PATCH 02/22] Update changes.json --- salt/soc/files/soc/changes.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 517816fcd..1fd10c7ac 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
@@ -1,6 +1,11 @@ { - "title": "Security Onion 2.0.0 RC1 is here!", + "title": "Security Onion 2.0.1 RC1 is here!", "changes": [ + { "summary": "Security Fix: variables.txt from ISO install stays on disk for 10 days." }, + { "summary": "Security Fix: Remove user values from static.sls." }, + { "summary": "Fix distributed deployment sensor interval issue allowing PCAP." }, + { "summary": "Support for passwords that start with special characters." }, + { "summary": "Minor soup updates." }, { "summary": "Re-branded 2.0 to give it a fresh look." }, { "summary": "All documentation has moved to https://docs.securityonion.net/en/2.0" }, { "summary": "soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date." }, From 4b127010ee3d80be2f12f5d60bd0b62be74d26b3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 11:59:20 -0400 Subject: [PATCH 03/22] Update changes.json --- salt/soc/files/soc/changes.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 1fd10c7ac..c8f116c4a 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
@@ -1,10 +1,10 @@ { "title": "Security Onion 2.0.1 RC1 is here!", "changes": [ - { "summary": "Security Fix: variables.txt from ISO install stays on disk for 10 days." }, - { "summary": "Security Fix: Remove user values from static.sls." }, - { "summary": "Fix distributed deployment sensor interval issue allowing PCAP." }, - { "summary": "Support for passwords that start with special characters." }, + { "summary": "Security Fix 1067: variables.txt from ISO install stays on disk for 10 days." }, + { "summary": "Security Fix 1068: Remove user values from static.sls." }, + { "summary": "Issue 1059: Fix distributed deployment sensor interval issue allowing PCAP." }, + { "summary": "Issue 1058: Support for passwords that start with special characters." }, { "summary": "Minor soup updates." }, { "summary": "Re-branded 2.0 to give it a fresh look." }, { "summary": "All documentation has moved to https://docs.securityonion.net/en/2.0" }, From 3dd8e1998d487c8337e12a9a77c314fa5e0d65eb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 13:33:12 -0400 Subject: [PATCH 04/22] Update Signature and Download Links --- VERIFY_ISO.md | 20 ++++++++++---------- sigs/securityonion-2.0.0-rc1.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.0.1-rc1.iso.sig | Bin 0 -> 543 bytes 3 files changed, 10 insertions(+), 10 deletions(-) delete mode 100644 sigs/securityonion-2.0.0-rc1.iso.sig create mode 100644 sigs/securityonion-2.0.1-rc1.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index abefebfc6..139751091 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,16 +1,16 @@ -### 2.0.0-rc1 ISO image built on 2020/07/20 +### 2.0.1-rc1 ISO image built on 2020/07/23 ### Download and Verify -2.0.0-rc1 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.0.0-rc1.iso +2.0.1-rc1 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.0.1-rc1.iso -MD5: 788570E839439C23956581C6145B8689 -SHA1: A87CAF016C989D4DB4D4ED619DF072B708BA28FE -SHA256: C5AC6419AF40CB98E93C53CE4101E7DE5F51AEE76DB46734191D783503649210 +MD5: 6A6FB965E6470EC7CA3D0030F041C687 +SHA1: B1EA5198CF73653F3D33E64A45B56D4327F1B0AB +SHA256: EB9913BB0EB2692DBF28BF2AB7D691BB2EED5F7751D8A8A42D9B86D3F983FAEB Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.0-rc1.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.1-rc1.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -24,17 +24,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.0-rc1.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.1-rc1.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.0.0-rc1.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.0.1-rc1.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.0.0-rc1.iso.sig securityonion-2.0.0-rc1.iso +gpg --verify securityonion-2.0.0-rc1.iso.sig securityonion-2.0.1-rc1.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: 
diff --git a/sigs/securityonion-2.0.0-rc1.iso.sig b/sigs/securityonion-2.0.0-rc1.iso.sig deleted file mode 100644 index c3504de4c6849aee7d94761e67bfb393b7414a0e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;3c>Hh!<2@re`V7LBIa1+bo5B(BQH`)!6wdCiS?etDG z$7z6>%)&}{^-5LV{Y6sAw)$Yg%`TO(NpFKf#lWfB?;+RxB1Y#!fQ?}^8)>8AC5@+G z(BEIT;=FW&>Ml+raoEsl-!dN?U>F)MFBCDqCjPwwsSr*=$~q8sSDmv&`fT!&aPO;h z{koU~=)dI94n~R5JC}oo`wjR%WzP#2rvAeMW3kyd8IU1Kn)< zT`6(u(npsNrN<$}g_VbHd(s$sZoG%|9bSTJ?#H3%!0xe&%1y6;USX4=)__9d_$1Q* zkkv8^(zf{|LkfLw#=$#tco)+ieS?a35dfOuA4)<~i2i2k0Me7d+VFl+u4byA+&Q6Z zJT659*nxc72gRBskK#H>zP5!$J8}Ww$T=h5v9)q=;Ry@agywV8Q@gV92L6`DS~BpL!-u0wP#wYvC;7 zB!~_Fai+ejx43ihGj|9VMECX0**&VI6K*`8D+T-LrRz8`&g@#!J(LFdhcZGZ239U-lY@?c$fa1VKPpOrLd hNQi-TnCEU%1Za5fyc7xo&sN#>7zjgPK!*J>>`Xuu4E+EA diff --git a/sigs/securityonion-2.0.1-rc1.iso.sig b/sigs/securityonion-2.0.1-rc1.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..1510bf3b62c777fb35cfaff97f06eb047e7a4c64 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;3gyDR_-2@re`V7LBIa1-6{5CE{w`OJf5s)Ugt4NL&# z`JGMxKTQ-H%{-U9RLnhItf^sJ#7l$vv#I;iPv_Efv&W=YDI_7^`)Cn~Qs!{hwdyFZ z#5OVq`oC@}U!~oAjK~x)UX~F|k@M5f?whiPp{m}_K7DPH%U@|0{mq{nO!HnZQ8mpZaVJKOEX8uck7?Fm0r`*b=^E>*Ey8>QUV|DA>uN=K{7YFq2!yv2yPZ z#3$lzy-i1NVKXVzYzgUR8k7L}kNx3%o8DEhXHZtW4MxD65Wu?yU|_bX9j*HVD2=F2;e5XaRZi-Q@qXgXnR)+A;hT+|Ntx1nGB+JWhJ#Pqxs zEbmXo4|oSc0(m_;hx?$4bV7=-e-|N!-S`Q|tgdJTw3Uby(|NZb3*2DqzA3V5nb8Xt zJtt~O?(=IlIns+lv)PN;nS^>ruXgu5DUnGWO_|$Ng!-<7nH$F{i*G`1>vH(Wp7f9Z zzq?dcqWzDIVH}#(kMoeeG>pr2p^t@$1It^lDC7+f+afbrw_H#@TN{llEzg;eph$Sx z<4JS3kW;wFRE%+q5JZRTihR;XI1v=W+S4E`evL^fG*ZrG$%8~n>=G?+zYHhJ83Vt| h07+PeqCK7R=H6P5hbM?v3(w3*1@C1&SVY`h?fE282=o8| literal 0 HcmV?d00001 From 4d84b840e47911ebbc89826506e1e3bdd3d0af96 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Thu, 23 Jul 2020 15:16:39 -0400 Subject: [PATCH 05/22] Update Signature and hashes --- sigs/securityonion-2.0.1-rc1.iso.sig | Bin 543 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/sigs/securityonion-2.0.1-rc1.iso.sig b/sigs/securityonion-2.0.1-rc1.iso.sig index 1510bf3b62c777fb35cfaff97f06eb047e7a4c64..9b425ada19b36d4ea00f4427f925bf3e857c6bb6 100644 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;3g-0J`e2@re`V7LBIa1(eG5C3kgvn4_|BqkcaLp#Ug z4&UtC2(Z*ZWnXzmNK`qCMAjh4Z#$E~cecv#Ba_=A3v9iW zL?hmX$;`QQvO07`BO=%MDQr#17NbgB7{`c{&6a=Ed~ai>+MIOF?^?hYW-AQ>+s{QQ zv@P~0@G7BLC2H9Ji&`?&u-4RMd?N7sEq@^ox6}FcPF}g%`phY)N1lL zi;$ySfWks{6g4*|HC;G-%4EZ5f)th;@MT2jgXi}-n2Q)Tsrp1?B2OL4YQ71z?P%C3 zJKtkM@=Fx(Rp!z%{r_E?qo41pwJ|2D=)w68e&Ge3umS++NjjG8LArK7{Nj<&N z7xK$Crl@UC37Z{5ypB)_iV^hOM&s^-nQjZmSKu zTy-BtyE|KC4I=bI2zKuRFh}agToypNPcPub7*INaG%93P5@5ce;7oNOj+qKNP$3^m zRTJ?cXNzk5Om_+tzAnjnrd&%g2@Ot`#2nV1T6pn literal 543 zcmV+)0^t3L0vrSY0RjL91p;3gyDR_-2@re`V7LBIa1-6{5CE{w`OJf5s)Ugt4NL&# z`JGMxKTQ-H%{-U9RLnhItf^sJ#7l$vv#I;iPv_Efv&W=YDI_7^`)Cn~Qs!{hwdyFZ z#5OVq`oC@}U!~oAjK~x)UX~F|k@M5f?whiPp{m}_K7DPH%U@|0{mq{nO!HnZQ8mpZaVJKOEX8uck7?Fm0r`*b=^E>*Ey8>QUV|DA>uN=K{7YFq2!yv2yPZ z#3$lzy-i1NVKXVzYzgUR8k7L}kNx3%o8DEhXHZtW4MxD65Wu?yU|_bX9j*HVD2=F2;e5XaRZi-Q@qXgXnR)+A;hT+|Ntx1nGB+JWhJ#Pqxs zEbmXo4|oSc0(m_;hx?$4bV7=-e-|N!-S`Q|tgdJTw3Uby(|NZb3*2DqzA3V5nb8Xt zJtt~O?(=IlIns+lv)PN;nS^>ruXgu5DUnGWO_|$Ng!-<7nH$F{i*G`1>vH(Wp7f9Z zzq?dcqWzDIVH}#(kMoeeG>pr2p^t@$1It^lDC7+f+afbrw_H#@TN{llEzg;eph$Sx z<4JS3kW;wFRE%+q5JZRTihR;XI1v=W+S4E`evL^fG*ZrG$%8~n>=G?+zYHhJ83Vt| h07+PeqCK7R=H6P5hbM?v3(w3*1@C1&SVY`h?fE282=o8| From acf20bf2e87274e3d6cacf82916607a53b3ec272 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 15:20:22 -0400 Subject: [PATCH 06/22] Update Signature and hashes --- VERIFY_ISO.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 139751091..2a1498d55 100644 --- a/VERIFY_ISO.md 
+++ b/VERIFY_ISO.md @@ -5,9 +5,9 @@ 2.0.1-rc1 ISO image: https://download.securityonion.net/file/securityonion/securityonion-2.0.1-rc1.iso -MD5: 6A6FB965E6470EC7CA3D0030F041C687 -SHA1: B1EA5198CF73653F3D33E64A45B56D4327F1B0AB -SHA256: EB9913BB0EB2692DBF28BF2AB7D691BB2EED5F7751D8A8A42D9B86D3F983FAEB +MD5: C850E971F7AFC82B61FB74EE4ECC8662 +SHA1: EA3A0C7E059A32EE4A00910FEF342A714316E4F3 +SHA256: 82CD8996F8C40F4B6B23E1232A282610252A8D03F8FF80AB66A74D5E5FD4176E Signature for ISO image: https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.1-rc1.iso.sig From 11932366cdc176920a9a75c6486d460e511b8e27 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 15:25:53 -0400 Subject: [PATCH 07/22] Update VERIFY_ISO.md --- VERIFY_ISO.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 2a1498d55..cb17bd36b 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -6,7 +6,7 @@ https://download.securityonion.net/file/securityonion/securityonion-2.0.1-rc1.iso MD5: C850E971F7AFC82B61FB74EE4ECC8662 -SHA1: EA3A0C7E059A32EE4A00910FEF342A714316E4F3 +SHA1: EA3A0C7E059A32EE4A00910FEF342A714316E4F3 SHA256: 82CD8996F8C40F4B6B23E1232A282610252A8D03F8FF80AB66A74D5E5FD4176E Signature for ISO image: @@ -39,7 +39,7 @@ gpg --verify securityonion-2.0.0-rc1.iso.sig securityonion-2.0.1-rc1.iso The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 20 Jul 2020 03:01:19 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 23 Jul 2020 02:54:35 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. From 261310ce92f0e86f7d6c6e0263769ad19047a094 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Thu, 23 Jul 2020 15:28:37 -0400 Subject: [PATCH 08/22] Update VERIFY_ISO.md --- VERIFY_ISO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index cb17bd36b..91a2f3f18 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -34,7 +34,7 @@ wget https://download.securityonion.net/file/securityonion/securityonion-2.0.1-r Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.0.0-rc1.iso.sig securityonion-2.0.1-rc1.iso +gpg --verify securityonion-2.0.1-rc1.iso.sig securityonion-2.0.1-rc1.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: From 39426afffda52b3634a4a8d5bd2baf930a525a12 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 23 Jul 2020 21:00:10 -0400 Subject: [PATCH 09/22] Ensure SENSOR_CHECKIN_INTERVAL_MS var is non-null before saving static pillar --- setup/so-functions | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 26681b864..1f868ae98 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -926,13 +926,6 @@ manager_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then - SENSOR_CHECKIN_INTERVAL_MS=10000 - if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then - SENSOR_CHECKIN_INTERVAL_MS=1000 - fi - fi - # Create the manager pillar printf '%s\n'\ "manager:"\ @@ -1003,6 +996,13 @@ manager_pillar() { manager_static() { local static_pillar="$local_salt_dir/pillar/static.sls" + if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then + SENSOR_CHECKIN_INTERVAL_MS=10000 + if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then + SENSOR_CHECKIN_INTERVAL_MS=1000 + fi + fi + # Create a static file for global values printf '%s\n'\ "static:"\ From ec09c064d0ca9b6b55dbf8dba580d2cd00beb5f5 Mon Sep 17 00:00:00 2001 
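Review bot: The relocated guard in manager_static still only catches an empty `SENSOR_CHECKIN_INTERVAL_MS`; a non-numeric or zero value inherited from the environment is written into static.sls unchanged and, judging by the sensoroni.json template elsewhere in this series, is later interpolated raw into a JSON number field. Tighten the condition to `if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ] || ! [ "$SENSOR_CHECKIN_INTERVAL_MS" -gt 0 ] 2>/dev/null; then` so anything that is not a positive integer gets the same install-type defaults. A short comment above the block, e.g. `# Default the sensor poll interval here so static.sls never carries an empty value`, would keep the rationale out of the commit message alone. Both manager_pillar and manager_static start and end outside these hunks.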
From: Jason Ertel
Date: Thu, 23 Jul 2020 21:19:45 -0400
Subject: [PATCH 10/22] If SENSOR_CHECKIN_INTERVAL_MS is still not set when using in a template, fallback to 10s
---
 salt/pcap/files/sensoroni.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json
index e379d5003..ab99c175c 100644
--- a/salt/pcap/files/sensoroni.json
+++ b/salt/pcap/files/sensoroni.json
@@ -5,7 +5,7 @@
   "logFilename": "/opt/sensoroni/logs/sensoroni.log",
   "logLevel":"debug",
   "agent": {
-    "pollIntervalMs": {{ CHECKININTERVALMS }},
+    "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
     "serverUrl": "https://{{ MANAGER }}/sensoroniagents",
     "verifyCert": false,
     "modules": {
From 95bb1147ca5225904709b5ea37413ef174e50ef2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 23 Jul 2020 22:08:23 -0400
Subject: [PATCH 11/22] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 0637814cd..61cbf99af 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0.1-rc.1
\ No newline at end of file
+2.0.2-rc.1
From 650c983a2e3f338b93b3c12e53b880dbf1f7102b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 23 Jul 2020 22:09:05 -0400
Subject: [PATCH 12/22] Update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a0c5a8c05..912ac745a 100644
--- a/README.md
+++ b/README.md
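Review bot: The fallback on the `pollIntervalMs` line only covers an empty or undefined `CHECKININTERVALMS`; any other value is still rendered verbatim into a JSON number position, so a stray string such as `10s` coming from the pillar produces a config sensoroni cannot parse. Coerce and default in one step, `"pollIntervalMs": {{ (CHECKININTERVALMS | int(0)) or 10000 }},`, which yields 10000 for missing, empty, non-numeric and zero values and keeps everything else an integer. Separately, and visible two lines below, `"verifyCert": false` disables TLS verification of the manager for every agent; that predates this change, but a comment stating why (presumably the agent does not yet trust the internal CA) or a tracking reference would stop the next reader assuming it is an oversight.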
@@ -1,6 +1,6 @@ -## Security Onion 2.0.1.rc1 +## Security Onion 2.0.2.rc1 -Security Onion 2.0.1 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! +Security Onion 2.0.2 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! ### Warnings and Disclaimers From 31daad1e5b28870d3ed3114b838b8630c7d60ea4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 22:11:22 -0400 Subject: [PATCH 13/22] Update VERIFY_ISO.md still needs MD5s etc --- VERIFY_ISO.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 91a2f3f18..0657c5cfe 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -3,14 +3,14 @@ ### Download and Verify 2.0.1-rc1 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.0.1-rc1.iso +https://download.securityonion.net/file/securityonion/securityonion-2.0.2-rc1.iso MD5: C850E971F7AFC82B61FB74EE4ECC8662 SHA1: EA3A0C7E059A32EE4A00910FEF342A714316E4F3 SHA256: 82CD8996F8C40F4B6B23E1232A282610252A8D03F8FF80AB66A74D5E5FD4176E Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.1-rc1.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.2-rc1.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,17 +24,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.1-rc1.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.2-rc1.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.0.1-rc1.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.0.2-rc1.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.0.1-rc1.iso.sig securityonion-2.0.1-rc1.iso +gpg --verify securityonion-2.0.2-rc1.iso.sig securityonion-2.0.2-rc1.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: From 79c45156c20c3204502d159fb7fb83c1d15d692c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Jul 2020 22:13:02 -0400 Subject: [PATCH 14/22] Update changes.json --- salt/soc/files/soc/changes.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index c8f116c4a..dc3e4118f 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -1,6 +1,7 @@ { - "title": "Security Onion 2.0.1 RC1 is here!", + "title": "Security Onion 2.0.2 RC1 is here!", "changes": [ + { "summary": "Fixed standalone pcap interval issue." }, { "summary": "Security Fix 1067: variables.txt from ISO install stays on disk for 10 days." }, { "summary": "Security Fix 1068: Remove user values from static.sls." }, { "summary": "Issue 1059: Fix distributed deployment sensor interval issue allowing PCAP." }, From 91e7a474d534b495b10dca9dd07e3284ac436500 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 24 Jul 2020 10:18:09 -0400 Subject: [PATCH 15/22] Update VERIFY_ISO.md --- VERIFY_ISO.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 0657c5cfe..7ff0536b9 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,13 +1,13 @@ -### 2.0.1-rc1 ISO image built on 2020/07/23 +### 2.0.2-rc1 ISO image built on 2020/07/23 ### Download and Verify -2.0.1-rc1 ISO image: +2.0.2-rc1 ISO image: https://download.securityonion.net/file/securityonion/securityonion-2.0.2-rc1.iso -MD5: C850E971F7AFC82B61FB74EE4ECC8662 -SHA1: EA3A0C7E059A32EE4A00910FEF342A714316E4F3 -SHA256: 82CD8996F8C40F4B6B23E1232A282610252A8D03F8FF80AB66A74D5E5FD4176E +MD5: DC991385818DB7A4242F4BF7045D1250 +SHA1: 0BD458F01F10B324DF90F95201CC33B9DEBEAFA3 +SHA256: BE851E5FB1952942A9C10F6563DF6EF93381D734FDFD7E05FFAC77A5064F781A Signature for ISO image: https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.0.2-rc1.iso.sig @@ -39,7 +39,7 @@ gpg --verify securityonion-2.0.2-rc1.iso.sig securityonion-2.0.2-rc1.iso The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 23 Jul 2020 02:54:35 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 23 Jul 2020 10:38:04 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. From 2cabcd4239f668b2097a9c56d047241b9efbe38a Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 24 Jul 2020 10:19:38 -0400 Subject: [PATCH 16/22] Update sig file and hashes --- sigs/securityonion-2.0.1-rc1.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.0.2-rc1.iso.sig | Bin 0 -> 543 bytes 2 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 sigs/securityonion-2.0.1-rc1.iso.sig create mode 100644 sigs/securityonion-2.0.2-rc1.iso.sig diff --git a/sigs/securityonion-2.0.1-rc1.iso.sig b/sigs/securityonion-2.0.1-rc1.iso.sig deleted file mode 100644 index 9b425ada19b36d4ea00f4427f925bf3e857c6bb6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;3g-0J`e2@re`V7LBIa1(eG5C3kgvn4_|BqkcaLp#Ug z4&UtC2(Z*ZWnXzmNK`qCMAjh4Z#$E~cecv#Ba_=A3v9iW zL?hmX$;`QQvO07`BO=%MDQr#17NbgB7{`c{&6a=Ed~ai>+MIOF?^?hYW-AQ>+s{QQ zv@P~0@G7BLC2H9Ji&`?&u-4RMd?N7sEq@^ox6}FcPF}g%`phY)N1lL zi;$ySfWks{6g4*|HC;G-%4EZ5f)th;@MT2jgXi}-n2Q)Tsrp1?B2OL4YQ71z?P%C3 zJKtkM@=Fx(Rp!z%{r_E?qo41pwJ|2D=)w68e&Ge3umS++NjjG8LArK7{Nj<&N z7xK$Crl@UC37Z{5ypB)_iV^hOM&s^-nQjZmSKu zTy-BtyE|KC4I=bI2zKuRFh}agToypNPcPub7*INaG%93P5@5ce;7oNOj+qKNP$3^m zRTJ?cXNzk5Om_+tzAnjnrd&%g2@Ot`#2nV1T6pn diff --git a/sigs/securityonion-2.0.2-rc1.iso.sig b/sigs/securityonion-2.0.2-rc1.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..c51d7e1e44b5da295088d99b7f9827d9f7d22085 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;3hNsIsr2@re`V7LBIa1&1Q5B@er8aj}!^-1Sn^+8Z4 zpjro zaBQ255?uEdXs6#Lk>0;>f15Jfwb#*O${S?pe6I4LDad&Pn0)2@3wGX#ILr@Ug~b8@ zGIykapWTV_*M6g*s6jZMI8mC7JHb2YN@2H!A9OpH31YXjrO4unT-nntHtdbt=`9^g zfTv+cjA_Of`-tu$i-?!~A-tYSlz~^j(Vdo-iZTVAw1%V?5Oc^zl76&wq|j) z8}Q$WK#kWLs=Qc(|1v()uD48lIa2TDZCrGO8uEDLz0^_#38P^!ywKOyKJ&sKd+Ys< zK5ZCao9m+0kEYHr1a)VPGPRYc@->y~v~(^>_KKdXns?I$`B~|);R;CQC_>q2$oZKZ0Zfp1$qDg literal 0 HcmV?d00001 From 3ac9f1800bb1860a33c7b909f332fb6b6201efdb Mon Sep 17 00:00:00 2001 
From: Wes Lambert
Date: Fri, 24 Jul 2020 22:04:30 +0000
Subject: [PATCH 17/22] Make sure we are searching all clusters when running rules
---
 salt/elastalert/files/rules/so/suricata_thehive.yaml | 2 +-
 salt/elastalert/files/rules/so/wazuh_thehive.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml
index cd887c9f9..fb6c6448d 100644
--- a/salt/elastalert/files/rules/so/suricata_thehive.yaml
+++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml
@@ -9,7 +9,7 @@ es_host: {{es}}
 es_port: 9200
 name: Suricata-Alert
 type: frequency
-index: "so-ids-*"
+index: "*:so-ids-*"
 num_events: 1
 timeframe:
   minutes: 10
diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
index ccb79e1e5..c01bb5894 100644
--- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml
+++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
@@ -9,7 +9,7 @@ es_host: {{es}}
 es_port: 9200
 name: Wazuh-Alert
 type: frequency
-index: "so-ossec-*"
+index: "*:so-ossec-*"
 num_events: 1
 timeframe:
   minutes: 10
From 958ee25f6db4c11124b2b2d3629b9ad4e3a9bded Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 27 Jul 2020 11:58:12 +0000
Subject: [PATCH 18/22] Move Wazuh from /opt/so/ to /nsm/wazuh
---
 salt/common/tools/sbin/so-allow | 2 +-
 salt/filebeat/init.sls | 4 ++--
 salt/logstash/init.sls | 6 +++---
 salt/wazuh/files/wazuh-manager-whitelist | 2 +-
 salt/wazuh/init.sls | 10 +++++-----
 5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index c6d3d6bf0..f902d659c 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
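Review bot: Changing the `index` pattern to `*:so-ids-*` makes the rule query remote clusters only: in Elasticsearch cross-cluster search a `cluster:index` pattern does not match the local cluster's own indices unless that cluster is also registered as a remote under a name the wildcard covers. If the Security Onion manager registers itself as a remote this works; if not, local Suricata alerts silently stop reaching TheHive, and the same applies to the `so-ossec-*` rule in the next hunk. A pattern that covers both cases, `index: "so-ids-*,*:so-ids-*"`, is safe either way. Whichever is chosen, a one-line comment above the key such as `# "*:" searches every configured remote cluster (cross-cluster search)` would prevent someone "fixing" the prefix later.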
@@ -127,7 +127,7 @@ salt-call state.apply firewall queue=True if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" if ! grep -q "$IP" $WAZUH_MGR_CFG ; then DATE=$(date) sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 6889b892f..0d1f521e3 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -60,8 +60,8 @@ so-filebeat: - /nsm:/nsm:ro - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - - /opt/so/wazuh/logs/archives:/wazuh/archives:ro + - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro + - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 61d6aecc1..8a3b539a2 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -169,8 +169,8 @@ so-logstash: {%- if grains['role'] == 'so-eval' %} - /nsm/zeek:/nsm/zeek:ro - /nsm/suricata:/suricata:ro - - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - - /opt/so/wazuh/logs/archives:/wazuh/archives:ro + - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro + - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {%- endif %} @@ -184,4 +184,4 @@ so-logstash: {% endfor %} {% for TEMPLATE in TEMPLATES %} - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} -{% endfor %} \ No newline at end of file +{% endfor %} 
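Review bot: The existence check right after the changed path, `if ! grep -q "$IP" $WAZUH_MGR_CFG`, treats the analyst-supplied address as a regular expression, so the dots match any character and `10.1.1.1` is reported as already present when ossec.conf only contains, say, `10.101.1.1`, and the whitelist entry is silently skipped. Use a fixed-string match and quote the path: `if ! grep -qF -- "$IP" "$WAZUH_MGR_CFG"; then`. The same unanchored `grep -q "{{ MANAGERIP }}"` pattern appears in salt/wazuh/files/wazuh-manager-whitelist later in this commit and would benefit from the same `-F`. The enclosing block of so-allow starts and continues outside this hunk.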
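Review bot: Moving the Wazuh tree under /nsm changes what the filebeat container can read: a few lines above the edited binds the same container already mounts `/nsm:/nsm:ro`, so after this change the whole of `/nsm/wazuh`, not just `logs/alerts` and `logs/archives`, is visible inside filebeat. If Wazuh's etc/ directory (which a later commit in this series exposes as `/opt/so/conf/wazuh`) holds agent registration keys or API credentials, those are now readable from an unrelated container, which was not the case under /opt/so/wazuh. Consider keeping the secret-bearing subtree outside /nsm, or narrowing the `/nsm` bind to the directories filebeat actually ships. The so-filebeat state continues outside this hunk.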
diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist index d39d68e36..8a8bc9832 100755 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ b/salt/wazuh/files/wazuh-manager-whitelist @@ -20,7 +20,7 @@ local_salt_dir=/opt/so/saltstack/local # Check if Wazuh enabled if [ {{ WAZUH_ENABLED }} ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" if ! grep -q "{{ MANAGERIP }}" $WAZUH_MGR_CFG ; then DATE=`date` sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 2ae4ea715..22ba0940e 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -13,7 +13,7 @@ ossecm: user.present: - uid: 943 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -23,7 +23,7 @@ ossecr: user.present: - uid: 944 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -33,7 +33,7 @@ ossec: user.present: - uid: 945 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -48,7 +48,7 @@ wazuhpkgs: wazuhdir: file.directory: - - name: /opt/so/wazuh + - name: /nsm/wazuh - user: 945 - group: 945 - makedirs: True @@ -94,7 +94,7 @@ so-wazuh: - 0.0.0.0:1515:1515/tcp - 0.0.0.0:55000:55000 - binds: - - /opt/so/wazuh:/var/ossec/data:rw + - /nsm/wazuh:/var/ossec/data:rw # Register the agent registertheagent: From 51e27cadc8075493d8b007f0c8bcc195959ce6da Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 27 Jul 2020 12:14:43 +0000 Subject: [PATCH 19/22] Add Wazuh Wazuh symlinks for cpnfig/rules --- salt/wazuh/init.sls | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 22ba0940e..dfd47c0f6 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
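Review bot: The `wazuhdir` state creates `/nsm/wazuh` with only `user`/`group` set and no `mode`, so its permission bits come from whatever umask salt-minion happens to run with; for a directory that is bind-mounted as the container's `/var/ossec/data` and, per the symlinks added later in this series, contains the etc/ tree, that is a weak default. Add `- mode: 750` next to `- makedirs: True` so the ownership by uid/gid 945 actually restricts other local users. Also worth a look while here, though it predates this change: the `so-wazuh` container publishes `0.0.0.0:1515` and `0.0.0.0:55000` (the Wazuh API) on every interface, leaving the so-allow-managed host firewall as the only gate. The so-wazuh state starts and ends outside the hunk.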
@@ -113,3 +113,22 @@ wazuhagentservice: service.running: - name: wazuh-agent - enable: True + +/opt/so/conf/wazuh: + file.symlink: + - target: /nsm/wazuh/etc + +hidsruledir: + file.directory: + - name: /opt/so/rules/hids + - user: 939 + - group: 939 + - makedirs: True + +/opt/so/rules/hids/local_rules.xml: + file.symlink: + - target: /nsm/wazuh/etc/rules/local_rules.xml + +/opt/so/rules/hids/ruleset: + file.symlink: + - target: /nsm/wazuh/ruleset From ac5aeb480131805eaf86c79b59c538a90c1d5076 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 27 Jul 2020 13:45:34 +0000 Subject: [PATCH 20/22] Bump Wazuh version --- salt/wazuh/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index dfd47c0f6..314a5f47f 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -42,7 +42,7 @@ wazuhpkgs: pkg.installed: - skip_suggestions: False - pkgs: - - wazuh-agent: 3.10.2-1 + - wazuh-agent: 3.13.1-1 - hold: True - update_holds: True From e81fd7464ba717c930ad86a88970e626ac788263 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 27 Jul 2020 13:49:17 +0000 Subject: [PATCH 21/22] Create default orguser if empty --- salt/thehive/scripts/cortex_init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index 9fc1caf25..7eb50df5e 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init 
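Review bot: `/opt/so/conf/wazuh` was, until the previous commit in this series, the home directory of the ossec users (`home: /opt/so/conf/wazuh`), so on a box upgraded in place it may already exist as a real directory, and `file.symlink` will then fail rather than replace it unless `- force: True` (or `- backupname:`) is set; the two rule-file symlinks are likewise created whether or not their targets exist yet. Add `- force: True` to the `/opt/so/conf/wazuh` symlink and a `require` on the `wazuhdir` (or `so-wazuh`) state to all three so ordering is explicit. Separately, `hidsruledir` is owned by uid/gid 939 while every other Wazuh path in this file uses 945; if 939 is deliberate (a different service account), a one-line comment naming it would stop it being "corrected". The wazuhagentservice state and the rest of the file begin outside the hunk.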
@@ -4,7 +4,7 @@ # {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %} # {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} # {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} -# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} +# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', 'soadmin') %} # {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} default_salt_dir=/opt/so/saltstack/default From 55e60cb74919c6eb886a949fcaa54fb3aee775d8 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 28 Jul 2020 11:03:33 -0400 Subject: [PATCH 22/22] initial refactor - beats/sysmon parsing --- salt/elasticsearch/files/ingest/beats.common | 49 +---------------- salt/elasticsearch/files/ingest/sysmon | 52 +++++++++++++++++++ salt/elasticsearch/files/ingest/win.eventlogs | 13 +++++ 3 files changed, 67 insertions(+), 47 deletions(-) create mode 100644 salt/elasticsearch/files/ingest/sysmon create mode 100644 salt/elasticsearch/files/ingest/win.eventlogs diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common index cafbc9e94..4e358582e 100644 --- a/salt/elasticsearch/files/ingest/beats.common +++ b/salt/elasticsearch/files/ingest/beats.common 
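Review bot: The new `'soadmin'` default means a pillar missing `static:cortexorguser` silently gets a well-known user name, and two lines up the same pattern already gives `CORTEXPASSWORD` the literal `cortexchangeme` whenever `static:cortexpassword` is absent; together, a deployment with an incomplete pillar (plausible after the "remove user values from static.sls" change listed in this release's changes.json) ends up with a predictable credential pair on Cortex, if, as the names suggest, the script creates this user with that password. Prefer failing loudly instead of defaulting the secret: keep the user default but drop the password fallback, `# {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword') %}`, and abort early with `[ -n "{{ CORTEXPASSWORD }}" ] || { echo "static:cortexpassword is not set" >&2; exit 1; }`. The body of cortex_init that consumes these values is outside this hunk.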
@@ -1,53 +1,8 @@
 {
 "description" : "beats.common",
 "processors" : [
- {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } },
- { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } },
- { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } },
- { "set": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": "process_terminated", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } },
- { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } },
- { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.ProcessID", "target_field": "process.pid", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
- { "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
+ { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
+ { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
 { "pipeline": { "name": "common" } }
 ]
 }
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/sysmon b/salt/elasticsearch/files/ingest/sysmon
new file mode 100644
index 000000000..de6112d89
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/sysmon
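Review bot: The fallback dispatch `{ "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }` also matches documents with no `winlog` object at all (`null != 'Microsoft-…'` is true), so every non-Windows beats event now runs through a pipeline named `win.eventlogs`; this looks load-bearing, because the agent-generic processors that used to sit here (`module` from `agent.type`, `agent.hostname` → `agent.name`) now only exist inside `sysmon` and `win.eventlogs`. Moving those two processors back into `beats.common` ahead of the dispatch and narrowing the condition to `"if": "ctx.winlog?.channel != null && ctx.winlog.channel != 'Microsoft-Windows-Sysmon/Operational'"` would make the routing match the file names while keeping the generic fields for non-Windows beats. A `pipeline` processor fails the document when the named pipeline is not loaded, so `beats.common` has to be installed together with the two new files (the loader is not in this diff). Minor style: `"name":"win.eventlogs"` drops the space after the colon that `"name": "sysmon"` and `"name": "common"` use.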
@@ -0,0 +1,52 @@
+{
+ "description" : "sysmon",
+ "processors" : [
+ {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } },
+ { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": "process_terminated", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } },
+ { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.ProcessID", "target_field": "process.pid", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs
new file mode 100644
index 000000000..acdf97263
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/win.eventlogs
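Review bot: Every processor in the new `sysmon` pipeline keeps the `ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'` guard it inherited from `beats.common`, although this pipeline is only entered through that same condition there; the guards reduce to `ctx.event?.code == N`, and the two processors aimed at other channels (`event.module` = `windows_eventlog` on `ctx.winlog?.channel != null`, and `event.dataset` = `{{winlog.channel}}` on `channel != 'Microsoft-Windows-Sysmon/Operational'`) can never fire here unless the pipeline is also invoked directly, which this diff does not show. If direct invocation is intended, say so in the one place JSON allows, e.g. `"description" : "sysmon: Sysmon-channel events; normally dispatched from beats.common, channel guards kept so it is safe standalone"`. Both `winlog.event_data.SubjectUserName` and `winlog.event_data.User` are renamed to `user.name`, and `rename` does not overwrite an existing target, so an event carrying both fields fails the document; guard the second rename with `"if": "ctx.user?.name == null"`. The `event.category` values `"host,process,network"` and `"host,process"` are comma-joined strings where ECS expects an array; that is carried over rather than new, but a refactor is the moment to emit `["host","process","network"]` instead.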
@@ -0,0 +1,13 @@
+{
+ "description" : "win.eventlogs",
+ "processors" : [
+
+ { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } },
+ { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } },
+ { "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } },
+ { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } },
+
+ { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
+ { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
+ ]
+}
\ No newline at end of file
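Review bot: The processors array ends with a trailing comma — the last element `{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },` is followed directly by `]` — which RFC 8259 parsers reject, and Elasticsearch's pipeline API is strict here as far as I know, so this pipeline would fail to load and `beats.common` would then send every non-Sysmon document to a missing pipeline. Drop the comma on that line. The two renames both target `user.name`, and `rename` does not overwrite an existing target, so an event that carries both `SubjectUserName` and `User` fails the document; guard the second with `"if": "ctx.user?.name == null"`. The blank lines inside the array are harmless, but the sibling `sysmon` file in the same commit has none, so pick one layout for both.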