From 53883e4adef75cc4896cecce671ff7154a0bd772 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 26 May 2022 11:40:33 -0400
Subject: [PATCH 1/3] manage suricata classifications.config

https://github.com/Security-Onion-Solutions/securityonion/issues/7918
---
 salt/suricata/classification.csv | 43 ++++++
 salt/suricata/classification.yml | 126 +++++++++++++++++
 salt/suricata/defaults.yaml | 131 +++++++++++++++++-
 .../files/classification.config.jinja | 11 ++
 salt/suricata/init.sls | 11 ++
 5 files changed, 321 insertions(+), 1 deletion(-)
 create mode 100644 salt/suricata/classification.csv
 create mode 100644 salt/suricata/classification.yml
 create mode 100644 salt/suricata/files/classification.config.jinja

diff --git a/salt/suricata/classification.csv b/salt/suricata/classification.csv
new file mode 100644
index 000000000..a35b67acf
--- /dev/null
+++ b/salt/suricata/classification.csv
@@ -0,0 +1,43 @@ +attempted-admin,Attempted Administrator Privilege Gain,1 +attempted-dos,Attempted Denial of Service,2 +attempted-recon,Attempted Information Leak,2 +attempted-user,Attempted User Privilege Gain,1 +bad-unknown,Potentially Bad Traffic, 2 +coin-mining,Crypto Currency Mining Activity Detected,2 +command-and-control,Malware Command and Control Activity Detected,1 +credential-theft,Successful Credential Theft Detected,1 +default-login-attempt,Attempt to login by a default username and password,2 +denial-of-service,Detection of a Denial of Service Attack,2 +domain-c2,Domain Observed Used for C2 Detected,1 +exploit-kit,Exploit Kit Activity Detected,1 +external-ip-check,Device Retrieving External IP Address Detected,2 +icmp-event,Generic ICMP event,3 +inappropriate-content,Inappropriate Content was Detected,1 +misc-activity,Misc activity,3 +misc-attack,Misc Attack,2 +network-scan,Detection of a Network Scan,3 +non-standard-protocol,Detection of a non-standard protocol or event,2 +not-suspicious,Not Suspicious Traffic,3 +policy-violation,Potential Corporate Privacy Violation,1 +protocol-command-decode,Generic Protocol Command Decode,3 +pup-activity,Possibly Unwanted Program Detected,2 +rpc-portmap-decode,Decode of an RPC Query,2 +shellcode-detect,Executable code was detected,1 +social-engineering,Possible Social Engineering Attempted,2 +string-detect,A suspicious string was detected,3 +successful-admin,Successful Administrator Privilege Gain,1 +successful-dos,Denial of Service,2 +successful-recon-largescale,Large Scale Information Leak,2 +successful-recon-limited,Information Leak,2 +successful-user,Successful User Privilege Gain,1 +suspicious-filename-detect,A suspicious filename was detected,2 +suspicious-login,An attempted login using a suspicious username was detected,2 +system-call-detect,A system call was detected,2 +targeted-activity,Targeted Malicious Activity was Detected,1 +tcp-connection,A TCP connection was detected,4 +trojan-activity,A Network 
Trojan was detected, 1 +unknown,Unknown Traffic,3 +unsuccessful-user,Unsuccessful User Privilege Gain,1 +unusual-client-port-connection,A client was using an unusual port,2 +web-application-activity,access to a potentially vulnerable web application,2 +web-application-attack,Web Application Attack,1 diff --git a/salt/suricata/classification.yml b/salt/suricata/classification.yml new file mode 100644 index 000000000..e0ca109a9 --- /dev/null +++ b/salt/suricata/classification.yml 
@@ -0,0 +1,126 @@ +- '3': 3 + Not Suspicious Traffic: Unknown Traffic + not-suspicious: unknown +- '3': 2 + Not Suspicious Traffic: Potentially Bad Traffic + not-suspicious: bad-unknown +- '3': 2 + Not Suspicious Traffic: Attempted Information Leak + not-suspicious: attempted-recon +- '3': 2 + Not Suspicious Traffic: Information Leak + not-suspicious: successful-recon-limited +- '3': 2 + Not Suspicious Traffic: Large Scale Information Leak + not-suspicious: successful-recon-largescale +- '3': 2 + Not Suspicious Traffic: Attempted Denial of Service + not-suspicious: attempted-dos +- '3': 2 + Not Suspicious Traffic: Denial of Service + not-suspicious: successful-dos +- '3': 1 + Not Suspicious Traffic: Attempted User Privilege Gain + not-suspicious: attempted-user +- '3': 1 + Not Suspicious Traffic: Unsuccessful User Privilege Gain + not-suspicious: unsuccessful-user +- '3': 1 + Not Suspicious Traffic: Successful User Privilege Gain + not-suspicious: successful-user +- '3': 1 + Not Suspicious Traffic: Attempted Administrator Privilege Gain + not-suspicious: attempted-admin +- '3': 1 + Not Suspicious Traffic: Successful Administrator Privilege Gain + not-suspicious: successful-admin +- '3': 2 + Not Suspicious Traffic: Decode of an RPC Query + not-suspicious: rpc-portmap-decode +- '3': 1 + Not Suspicious Traffic: Executable code was detected + not-suspicious: shellcode-detect +- '3': 3 + Not Suspicious Traffic: A suspicious string was detected + not-suspicious: string-detect +- '3': 2 + Not Suspicious Traffic: A suspicious filename was detected + not-suspicious: suspicious-filename-detect +- '3': 2 + Not Suspicious Traffic: An attempted login using a suspicious username was detected + not-suspicious: suspicious-login +- '3': 2 + Not Suspicious Traffic: A system call was detected + not-suspicious: system-call-detect +- '3': 4 + Not Suspicious Traffic: A TCP connection was detected + not-suspicious: tcp-connection +- '3': 1 + Not Suspicious Traffic: A Network Trojan was 
detected + not-suspicious: trojan-activity +- '3': 2 + Not Suspicious Traffic: A client was using an unusual port + not-suspicious: unusual-client-port-connection +- '3': 3 + Not Suspicious Traffic: Detection of a Network Scan + not-suspicious: network-scan +- '3': 2 + Not Suspicious Traffic: Detection of a Denial of Service Attack + not-suspicious: denial-of-service +- '3': 2 + Not Suspicious Traffic: Detection of a non-standard protocol or event + not-suspicious: non-standard-protocol +- '3': 3 + Not Suspicious Traffic: Generic Protocol Command Decode + not-suspicious: protocol-command-decode +- '3': 2 + Not Suspicious Traffic: access to a potentially vulnerable web application + not-suspicious: web-application-activity +- '3': 1 + Not Suspicious Traffic: Web Application Attack + not-suspicious: web-application-attack +- '3': 3 + Not Suspicious Traffic: Misc activity + not-suspicious: misc-activity +- '3': 2 + Not Suspicious Traffic: Misc Attack + not-suspicious: misc-attack +- '3': 3 + Not Suspicious Traffic: Generic ICMP event + not-suspicious: icmp-event +- '3': 1 + Not Suspicious Traffic: Inappropriate Content was Detected + not-suspicious: inappropriate-content +- '3': 1 + Not Suspicious Traffic: Potential Corporate Privacy Violation + not-suspicious: policy-violation +- '3': 2 + Not Suspicious Traffic: Attempt to login by a default username and password + not-suspicious: default-login-attempt +- '3': 1 + Not Suspicious Traffic: Targeted Malicious Activity was Detected + not-suspicious: targeted-activity +- '3': 1 + Not Suspicious Traffic: Exploit Kit Activity Detected + not-suspicious: exploit-kit +- '3': 2 + Not Suspicious Traffic: Device Retrieving External IP Address Detected + not-suspicious: external-ip-check +- '3': 1 + Not Suspicious Traffic: Domain Observed Used for C2 Detected + not-suspicious: domain-c2 +- '3': 2 + Not Suspicious Traffic: Possibly Unwanted Program Detected + not-suspicious: pup-activity +- '3': 1 + Not Suspicious Traffic: 
Successful Credential Theft Detected + not-suspicious: credential-theft +- '3': 2 + Not Suspicious Traffic: Possible Social Engineering Attempted + not-suspicious: social-engineering +- '3': 2 + Not Suspicious Traffic: Crypto Currency Mining Activity Detected + not-suspicious: coin-mining +- '3': 1 + Not Suspicious Traffic: Malware Command and Control Activity Detected + not-suspicious: command-and-control diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 695e43f08..9c358b448 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml 
@@ -586,4 +586,133 @@ suricata: threshold-file: /etc/suricata/threshold.conf #include: include1.yaml #include: include2.yaml - \ No newline at end of file + classification: + attempted-admin: + description: Attempted Administrator Privilege Gain + priority: 1 + attempted-dos: + description: Attempted Denial of Service + priority: 2 + attempted-recon: + description: Attempted Information Leak + priority: 2 + attempted-user: + description: Attempted User Privilege Gain + priority: 1 + bad-unknown: + description: Potentially Bad Traffic + priority: 2 + coin-mining: + description: Crypto Currency Mining Activity Detected + priority: 2 + command-and-control: + description: Malware Command and Control Activity Detected + priority: 1 + credential-theft: + description: Successful Credential Theft Detected + priority: 1 + default-login-attempt: + description: Attempt to login by a default username and password + priority: 2 + denial-of-service: + description: Detection of a Denial of Service Attack + priority: 2 + domain-c2: + description: Domain Observed Used for C2 Detected + priority: 1 + exploit-kit: + description: Exploit Kit Activity Detected + priority: 1 + external-ip-check: + description: Device Retrieving External IP Address Detected + priority: 2 + icmp-event: + description: Generic ICMP event + priority: 3 + inappropriate-content: + description: Inappropriate Content was Detected + priority: 1 + misc-activity: + description: Misc activity + priority: 3 + misc-attack: + description: Misc Attack + priority: 2 + network-scan: + description: Detection of a Network Scan + priority: 3 + non-standard-protocol: + description: Detection of a non-standard protocol or event + priority: 2 + not-suspicious: + description: Not Suspicious Traffic + priority: 3 + policy-violation: + description: Potential Corporate Privacy Violation + priority: 1 + protocol-command-decode: + description: Generic Protocol Command Decode + priority: 3 + pup-activity: + description: Possibly 
Unwanted Program Detected + priority: 2 + rpc-portmap-decode: + description: Decode of an RPC Query + priority: 2 + shellcode-detect: + description: Executable code was detected + priority: 1 + social-engineering: + description: Possible Social Engineering Attempted + priority: 2 + string-detect: + description: A suspicious string was detected + priority: 3 + successful-admin: + description: Successful Administrator Privilege Gain + priority: 1 + successful-dos: + description: Denial of Service + priority: 2 + successful-recon-largescale: + description: Large Scale Information Leak + priority: 2 + successful-recon-limited: + description: Information Leak + priority: 2 + successful-user: + description: Successful User Privilege Gain + priority: 1 + suspicious-filename-detect: + description: A suspicious filename was detected + priority: 2 + suspicious-login: + description: An attempted login using a suspicious username was detected + priority: 2 + system-call-detect: + description: A system call was detected + priority: 2 + targeted-activity: + description: Targeted Malicious Activity was Detected + priority: 1 + tcp-connection: + description: A TCP connection was detected + priority: 4 + trojan-activity: + description: A Network Trojan was detected + priority: 1 + unknown: + description: Unknown Traffic + priority: 3 + unsuccessful-user: + description: Unsuccessful User Privilege Gain + priority: 1 + unusual-client-port-connection: + description: A client was using an unusual port + priority: 2 + web-application-activity: + description: access to a potentially vulnerable web application + priority: 2 + web-application-attack: + description: Web Application Attack + priority: 1 diff --git a/salt/suricata/files/classification.config.jinja b/salt/suricata/files/classification.config.jinja new file mode 100644 index 000000000..7b1e0c2e1 --- /dev/null +++ b/salt/suricata/files/classification.config.jinja 
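Review bot: The new `classification` map has no comment telling an operator how it is consumed or where to override it, even though the template added in this same patch reads overrides from pillar. A one-line comment above the key would close that gap, e.g. `# Rendered into /opt/so/conf/suricata/classification.config by files/classification.config.jinja; add or override entries under pillar suricata:classification`. It would also help to state the meaning of `priority` here (Suricata treats 1 as the most severe), since the template's fallback for a missing value is `'1'` as a string while every default in this hunk is an integer; both render the same, but the mixed types are easy to misread. The `suricata:` mapping this sits under starts well before the hunk.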
@@ -0,0 +1,11 @@
+{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context -%}
+{% do salt['defaults.merge'](suricata_defaults.suricata.classification, salt['pillar.get']('suricata:classification', {}), in_place=True) -%}
+#
+# config classification:shortname,short description,priority
+#
+{% for sn, details in suricata_defaults.suricata.classification.items() -%}
+{% if not details -%}
+{% do details.update({'description': 'The description is not set', 'priority': '1'}) -%}
+{% endif -%}
+config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}
+{% endfor -%}
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 4c2347302..db09e310b 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -111,6 +111,14 @@ surithresholding:
 - group: 940
 - template: jinja
+classification_config:
+ file.managed:
+ - name: /opt/so/conf/suricata/classification.config
+ - source: salt://suricata/files/classification.config.jinja
+ - user: 940
+ - group: 940
+ - template: jinja
+
 # BPF compilation and configuration
 {% if BPF_NIDS %}
 {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %}
@@ -148,6 +156,7 @@ so-suricata:
 - binds:
 - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
 - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
+ - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
 - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
 - /opt/so/log/suricata/:/var/log/suricata/:rw
 - /nsm/suricata/:/nsm/:rw
@@ -159,10 +168,12 @@ so-suricata:
 - file: surithresholding
 - file: /opt/so/conf/suricata/rules/
 - file: /opt/so/conf/suricata/bpf
+ - file: classification_config
 - require:
 - file: suriconfig
 - file: surithresholding
 - file: suribpf
+ - file: classification_config
 {% else %}
 {# if Suricata isn't enabled, then stop and remove the container #}
 - force: True

From 1bfde852f55c227c2479e18b50c2dff396025d2e Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 26 May 2022 11:43:31 -0400
Subject: [PATCH 2/3] manage suricata classifications.config

https://github.com/Security-Onion-Solutions/securityonion/issues/7918
---
 salt/suricata/classification.csv | 43 ------
 salt/suricata/classification.yml | 126 ------------------
 .../files/classification.config.jinja | 1 +
 3 files changed, 1 insertion(+), 169 deletions(-)
 delete mode 100644 salt/suricata/classification.csv
 delete mode 100644 salt/suricata/classification.yml

diff --git a/salt/suricata/classification.csv b/salt/suricata/classification.csv
deleted file mode 100644
index a35b67acf..000000000
--- a/salt/suricata/classification.csv
+++ /dev/null
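Review bot: The `config classification:` line interpolates pillar-supplied values without any shaping, so a description (or a shortname used as the map key) that contains a newline splits the entry into a malformed line, and a comma may shift the field boundaries if Suricata splits the line on commas rather than on the first and last one (not verified here). Since the merge on line 2 accepts arbitrary pillar content, it is worth normalising the description once before emitting it, e.g. `{% set desc = details.get('description', 'The description is not set')|replace('\n', ' ') -%}` and then `config classification: {{sn}}, {{desc}}, {{details.get('priority', '1')}}`, and documenting in the header comment that commas are not allowed in descriptions. The header comment on line 4 shows the documented format as `shortname,short description,priority` with no spaces, while the emitted line uses `, `; if Suricata's parser does not trim the fields, drop the spaces so the file matches the format it advertises. The whole template is within this hunk.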
@@ -1,43 +0,0 @@ -attempted-admin,Attempted Administrator Privilege Gain,1 -attempted-dos,Attempted Denial of Service,2 -attempted-recon,Attempted Information Leak,2 -attempted-user,Attempted User Privilege Gain,1 -bad-unknown,Potentially Bad Traffic, 2 -coin-mining,Crypto Currency Mining Activity Detected,2 -command-and-control,Malware Command and Control Activity Detected,1 -credential-theft,Successful Credential Theft Detected,1 -default-login-attempt,Attempt to login by a default username and password,2 -denial-of-service,Detection of a Denial of Service Attack,2 -domain-c2,Domain Observed Used for C2 Detected,1 -exploit-kit,Exploit Kit Activity Detected,1 -external-ip-check,Device Retrieving External IP Address Detected,2 -icmp-event,Generic ICMP event,3 -inappropriate-content,Inappropriate Content was Detected,1 -misc-activity,Misc activity,3 -misc-attack,Misc Attack,2 -network-scan,Detection of a Network Scan,3 -non-standard-protocol,Detection of a non-standard protocol or event,2 -not-suspicious,Not Suspicious Traffic,3 -policy-violation,Potential Corporate Privacy Violation,1 -protocol-command-decode,Generic Protocol Command Decode,3 -pup-activity,Possibly Unwanted Program Detected,2 -rpc-portmap-decode,Decode of an RPC Query,2 -shellcode-detect,Executable code was detected,1 -social-engineering,Possible Social Engineering Attempted,2 -string-detect,A suspicious string was detected,3 -successful-admin,Successful Administrator Privilege Gain,1 -successful-dos,Denial of Service,2 -successful-recon-largescale,Large Scale Information Leak,2 -successful-recon-limited,Information Leak,2 -successful-user,Successful User Privilege Gain,1 -suspicious-filename-detect,A suspicious filename was detected,2 -suspicious-login,An attempted login using a suspicious username was detected,2 -system-call-detect,A system call was detected,2 -targeted-activity,Targeted Malicious Activity was Detected,1 -tcp-connection,A TCP connection was detected,4 -trojan-activity,A Network 
Trojan was detected, 1 -unknown,Unknown Traffic,3 -unsuccessful-user,Unsuccessful User Privilege Gain,1 -unusual-client-port-connection,A client was using an unusual port,2 -web-application-activity,access to a potentially vulnerable web application,2 -web-application-attack,Web Application Attack,1 diff --git a/salt/suricata/classification.yml b/salt/suricata/classification.yml deleted file mode 100644 index e0ca109a9..000000000 --- a/salt/suricata/classification.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -- '3': 3 - Not Suspicious Traffic: Unknown Traffic - not-suspicious: unknown -- '3': 2 - Not Suspicious Traffic: Potentially Bad Traffic - not-suspicious: bad-unknown -- '3': 2 - Not Suspicious Traffic: Attempted Information Leak - not-suspicious: attempted-recon -- '3': 2 - Not Suspicious Traffic: Information Leak - not-suspicious: successful-recon-limited -- '3': 2 - Not Suspicious Traffic: Large Scale Information Leak - not-suspicious: successful-recon-largescale -- '3': 2 - Not Suspicious Traffic: Attempted Denial of Service - not-suspicious: attempted-dos -- '3': 2 - Not Suspicious Traffic: Denial of Service - not-suspicious: successful-dos -- '3': 1 - Not Suspicious Traffic: Attempted User Privilege Gain - not-suspicious: attempted-user -- '3': 1 - Not Suspicious Traffic: Unsuccessful User Privilege Gain - not-suspicious: unsuccessful-user -- '3': 1 - Not Suspicious Traffic: Successful User Privilege Gain - not-suspicious: successful-user -- '3': 1 - Not Suspicious Traffic: Attempted Administrator Privilege Gain - not-suspicious: attempted-admin -- '3': 1 - Not Suspicious Traffic: Successful Administrator Privilege Gain - not-suspicious: successful-admin -- '3': 2 - Not Suspicious Traffic: Decode of an RPC Query - not-suspicious: rpc-portmap-decode -- '3': 1 - Not Suspicious Traffic: Executable code was detected - not-suspicious: shellcode-detect -- '3': 3 - Not Suspicious Traffic: A suspicious string was detected - not-suspicious: string-detect -- '3': 2 - Not Suspicious Traffic: A suspicious filename was detected - not-suspicious: suspicious-filename-detect -- '3': 2 - Not Suspicious Traffic: An attempted login using a suspicious username was detected - not-suspicious: suspicious-login -- '3': 2 - Not Suspicious Traffic: A system call was detected - not-suspicious: system-call-detect -- '3': 4 - Not Suspicious Traffic: A TCP connection was detected - not-suspicious: tcp-connection -- '3': 1 - Not Suspicious Traffic: A Network Trojan was 
detected - not-suspicious: trojan-activity -- '3': 2 - Not Suspicious Traffic: A client was using an unusual port - not-suspicious: unusual-client-port-connection -- '3': 3 - Not Suspicious Traffic: Detection of a Network Scan - not-suspicious: network-scan -- '3': 2 - Not Suspicious Traffic: Detection of a Denial of Service Attack - not-suspicious: denial-of-service -- '3': 2 - Not Suspicious Traffic: Detection of a non-standard protocol or event - not-suspicious: non-standard-protocol -- '3': 3 - Not Suspicious Traffic: Generic Protocol Command Decode - not-suspicious: protocol-command-decode -- '3': 2 - Not Suspicious Traffic: access to a potentially vulnerable web application - not-suspicious: web-application-activity -- '3': 1 - Not Suspicious Traffic: Web Application Attack - not-suspicious: web-application-attack -- '3': 3 - Not Suspicious Traffic: Misc activity - not-suspicious: misc-activity -- '3': 2 - Not Suspicious Traffic: Misc Attack - not-suspicious: misc-attack -- '3': 3 - Not Suspicious Traffic: Generic ICMP event - not-suspicious: icmp-event -- '3': 1 - Not Suspicious Traffic: Inappropriate Content was Detected - not-suspicious: inappropriate-content -- '3': 1 - Not Suspicious Traffic: Potential Corporate Privacy Violation - not-suspicious: policy-violation -- '3': 2 - Not Suspicious Traffic: Attempt to login by a default username and password - not-suspicious: default-login-attempt -- '3': 1 - Not Suspicious Traffic: Targeted Malicious Activity was Detected - not-suspicious: targeted-activity -- '3': 1 - Not Suspicious Traffic: Exploit Kit Activity Detected - not-suspicious: exploit-kit -- '3': 2 - Not Suspicious Traffic: Device Retrieving External IP Address Detected - not-suspicious: external-ip-check -- '3': 1 - Not Suspicious Traffic: Domain Observed Used for C2 Detected - not-suspicious: domain-c2 -- '3': 2 - Not Suspicious Traffic: Possibly Unwanted Program Detected - not-suspicious: pup-activity -- '3': 1 - Not Suspicious Traffic: 
Successful Credential Theft Detected
- not-suspicious: credential-theft
-- '3': 2
- Not Suspicious Traffic: Possible Social Engineering Attempted
- not-suspicious: social-engineering
-- '3': 2
- Not Suspicious Traffic: Crypto Currency Mining Activity Detected
- not-suspicious: coin-mining
-- '3': 1
- Not Suspicious Traffic: Malware Command and Control Activity Detected
- not-suspicious: command-and-control
diff --git a/salt/suricata/files/classification.config.jinja b/salt/suricata/files/classification.config.jinja
index 7b1e0c2e1..61b09222c 100644
--- a/salt/suricata/files/classification.config.jinja
+++ b/salt/suricata/files/classification.config.jinja
@@ -5,6 +5,7 @@
 #
 {% for sn, details in suricata_defaults.suricata.classification.items() -%}
 {% if not details -%}
+{% set details = {} -%}
 {% do details.update({'description': 'The description is not set', 'priority': '1'}) -%}
 {% endif -%}
 config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}

From 53d6e1d30d46e10956ca5cf59d08c87a72bf33f8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 26 May 2022 11:51:17 -0400
Subject: [PATCH 3/3] simplfy

---
 salt/suricata/files/classification.config.jinja | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/salt/suricata/files/classification.config.jinja b/salt/suricata/files/classification.config.jinja
index 61b09222c..122cf4baf 100644
--- a/salt/suricata/files/classification.config.jinja
+++ b/salt/suricata/files/classification.config.jinja
@@ -5,8 +5,7 @@
 #
 {% for sn, details in suricata_defaults.suricata.classification.items() -%}
 {% if not details -%}
-{% set details = {} -%}
-{% do details.update({'description': 'The description is not set', 'priority': '1'}) -%}
+{% set details = {'description': 'The description is not set', 'priority': '1'} -%}
 {% endif -%}
 config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}
 {% endfor -%}
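Review bot: The `{% if not details -%}` guard only catches a null or empty override; a scalar pillar value (for example `suricata:classification:misc-activity: 2`, a constructed example) is truthy, skips the fallback, and then fails on `details.get(...)` on the `config classification:` line, which aborts rendering of the whole file rather than just that entry. Checking the type instead covers both cases, since the `.get()` defaults already handle a bare `{}`: `{% if details is not mapping -%}`. The fallback also deserves a short comment stating why an entry with no usable settings is given priority `'1'` (the most severe level in Suricata) rather than a low one, so the choice is not mistaken for an oversight later. The for-loop and its `endfor` are both within this hunk.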