CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #49 from weslambert/master

Browse Source 
Various Updates
This commit is contained in:
Mike Reeves
2018-12-06 09:15:48 -05:00
committed by GitHub
parent 24cb7f4a14 e335be7476
commit 7816c6e18e
12 changed files with 214 additions and 517 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
salt/elastalert/init.sls Normal file
View File

@@ -0,0 +1,101 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{% if grains['role'] == 'so-master' %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% set esip = salt['pillar.get']('master:mainip', '') %}
{% set esport = salt['pillar.get']('master:es_port', '') %}
{% elif grains['role'] == 'so-eval' %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% set esip = salt['pillar.get']('master:mainip', '') %}
{% set esport = salt['pillar.get']('master:es_port', '') %}
{% elif grains['role'] == 'so-node' %}
{% set esalert = salt['pillar.get']('node:elastalert', '0') %}
{% endif %}
# Elastalert
{% if esalert == 1 %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 939
- makedirs: True
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 939
- makedirs: True
#elastaconfdir:
# file.directory:
# - name: /opt/so/conf/elastalert
# - user: 933
# - group: 939
# - makedirs: True
#elastaconf:
# file.managed:
# - name: /opt/so/conf/elastalert/config.yaml
# - source: salt://elastalert/files/config.yaml
# - user: 933
# - group: 939
# - template: jinja
so-elastalert:
docker_container.running:
- image: soshybridhunter/so-elastalert:HH1.0.3
- hostname: elastalert
- name: so-elastalert
- user: elastalert
- detach: True
- binds:
# - /opt/so/conf/elastalert/config.yaml:/etc/elastalert/conf/elastalert_config.yaml:ro
- /opt/so/rules/elastalert:/etc/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
- environment:
- ELASTICSEARCH_HOST: {{ esip }}
- ELASTICSEARCH_PORT: {{ esport }}
- ELASTALERT_CONFIG: /etc/elastalert/conf/elastalert_config.yaml
- ELASTALERT_SUPERVISOR_CONF: /etc/elastalert/conf/elastalert_supervisord.conf
- RULES_DIRECTORY: /etc/elastalert/rules/
- LOG_DIR: /var/log/elastalert
{% endif %}

54
salt/elasticsearch/init.sls
View File

@@ -18,7 +18,6 @@
{% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% elif grains['role'] == 'so-eval' %}
@@ -26,7 +25,6 @@
{% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
{% elif grains['role'] == 'so-node' %}
@@ -34,7 +32,6 @@
{% set esheap = salt['pillar.get']('node:esheap', '') %}
{% set freq = salt['pillar.get']('node:freq', '0') %}
{% set dstats = salt['pillar.get']('node:dstats', '0') %}
{% set esalert = salt['pillar.get']('node:elastalert', '1') %}
{% endif %}
@@ -193,54 +190,3 @@ so-domainstats:
{% endif %}
# Elastalert
{% if esalert == 1 %}
# Create the group
elastagroup:
group.present:
- name: elastalert
- gid: 933
# Add user
elastalert:
user.present:
- uid: 933
- gid: 933
- home: /opt/so/conf/elastalert
- createhome: False
elastalogdir:
file.directory:
- name: /opt/so/log/elastalert
- user: 933
- group: 939
- makedirs: True
elastarules:
file.directory:
- name: /opt/so/rules/elastalert
- user: 933
- group: 939
- makedirs: True
elastaconf:
file.directory:
- name: /opt/so/conf/elastalert
- user: 933
- group: 939
- makedirs: True
so-elastalert:
docker_container.running:
- image: soshybridhunter/so-elastalert:HH1.0.3
- hostname: elastalert
- name: so-elastalert
- user: elastalert
- detach: True
- binds:
- /etc/elastalert/rules/:/etc/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw
{% endif %}

2
salt/logstash/conf/conf.enabled.txt.so-eval
View File

@@ -12,8 +12,8 @@
/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
/usr/share/logstash/pipeline.so/0003_input_syslog.conf
/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.so/0008_input_eval.conf
/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
/usr/share/logstash/pipeline.so/1002_preprocess_json.conf

109
salt/logstash/conf/conf.enabled.txt.so-eval.old Normal file
View File

@@ -0,0 +1,109 @@
# This is where can specify which LogStash configs get loaded.
#
# The custom folder on the master gets automatically synced to each logstash
# node.
#
# To enable a custom configuration see the following example and uncomment:
# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
##
# All of the defaults are loaded.
/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
/usr/share/logstash/pipeline.so/0001_input_json.conf
/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
/usr/share/logstash/pipeline.so/0003_input_syslog.conf
/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.so/0008_input_eval.conf
/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
/usr/share/logstash/pipeline.so/1998_test_data.conf
/usr/share/logstash/pipeline.so/2000_network_flow.conf
/usr/share/logstash/pipeline.so/6000_bro.conf
/usr/share/logstash/pipeline.so/6001_bro_import.conf
/usr/share/logstash/pipeline.so/6002_syslog.conf
/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
/usr/share/logstash/pipeline.so/6300_windows.conf
/usr/share/logstash/pipeline.so/6301_dns_windows.conf
/usr/share/logstash/pipeline.so/6400_suricata.conf
/usr/share/logstash/pipeline.so/6500_ossec.conf
/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf

38
salt/pulledpork/etc/disablesid.conf
View File

@@ -1,38 +0,0 @@
# example disablesid.conf V3.1
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

42
salt/pulledpork/etc/dropsid.conf
View File

@@ -1,42 +0,0 @@
# example dropsid.conf V3.1
#
# Note: This file is used to specify what rules you wish to be set to have
# an action of drop rather than alert. This means that you are running
# snort inline (more info about inline deployments at snort.org).
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

48
salt/pulledpork/etc/enablesid.conf
View File

@@ -1,48 +0,0 @@
# example enablesid.conf v3.1
# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file
# will be set back to their ORIGINAL state as it was read when they were
# originally extracted from the source tarball!
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# FOR TESTING ONLY:
# The following will enable ALL signatures for which Pulledpork has been configured
# to download
# pcre:.
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

40
salt/pulledpork/etc/modifysid.conf
View File

@@ -1,40 +0,0 @@
# example modifysid.conf v1.1 2/18/2011 Alan Ptak
#
# Change history:
# -----------------------------------------------
# v1.1 2/18/2011 Alan Ptak
# - Inserted comments around example elements that would otherwise modify rules
#
# v1.0 7/25/2010 JJC
# - original release
# -----------------------------------------------
#
# formatting is simple
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
#
# Note that this will only work with GID:1 rules, simply because modifying
# GID:3 stub rules would not actually affect the rule, thusly it will remain
# non modifyable!
#
# If you are attempting to change rulestate (enable,drop,disable) from here
# then you are doing it wrong, it is much more efficient to do so from within
# the respective rulestate modification configuration files, please see doc/
# and the README file!
# the following applies to sid 10010 only and represents what would normally
# be s/to_client/from_server/
# 10010 "to_client" "from_server"
# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
# rules
# "HTTP_PORTS" "HTTPS_PORTS"
# multiple sids can be specified as noted below:
# 302,429,1821 "\$EXTERNAL_NET" "$HOME_NET"
# example of modification of a rule to make snortsam BLOCK the rule:
# note that one rule changes from alert to BLOCK and that the other
# modifies the msg:" field value so that when the alert occurs it is noted
# that it is a SNORTSAM block rule!
# 17803 "\(msg:"" "\(msg:"SNORTSAM ";
# 17803 "^\s*alert" "BLOCK";

214
salt/pulledpork/etc/pulledpork.conf
View File

@@ -1,214 +0,0 @@
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!
#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######
# You can specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# NEW Community ruleset:
#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
#rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
# URL for rule documentation! (slow to process)
#rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource
# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
# and open-nogpl, to avoid conflicts.
rule_url=https://rules.emergingthreats.net/open/suricata-4.0/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!
# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
# regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
# rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
# preprocessor rules located in the /preproc_rules directory of the tarball,
# ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
# rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp
#######
####### The below section is for rule processing. This section is
####### required if you are not specifying the configuration using
####### runtime switches. Note that runtime switches do SUPERSEED
####### any values that you have specified here!
#######
# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/opt/so/rules/nids/downloaded.rules
# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here. If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set
# out_path=/usr/local/etc/snort/rules/
# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
local_rules=/opt/so/rules/nids/local.rules,/opt/so/rules/nids/decoder-events.rules,/opt/so/rules/nids/stream-events.rules,/opt/so/rules/nids/http-events.rules,/opt/so/rules/nids/smtp-events.rules
# Where should I put the sid-msg.map file?
sid_msg=/opt/so/rules/nids/sid-msg.map
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1
# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/nsm/sid_changes.log
# this value is optional
#######
####### The below section is for so_rule processing only. If you don't
####### need to use them.. then comment this section out!
####### Alternately, if you are not using pulledpork to process
####### so_rules, you can specify -T at runtime to bypass this altogether
#######
# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/etc/nsm/templates/snort/snort.conf
##### Deprecated - The stubs are now categorically written to the single rule file!
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types:
# Debian-6-0, Ubuntu-10-4
# Ubuntu-12-04, Centos-5-4
# FC-12, FC-14, RHEL-5-5, RHEL-6-0
# FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0
# OpenBSD-5-2, OpenBSD-5-3
# OpenSUSE-11-4, OpenSUSE-12-1
# Slackware-13-1
distro=Centos-5-4
####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!
# If you are using IP Reputation and getting some public lists, you will probably
# want to tell pulledpork where your blacklist file lives, PP automagically will
# de-dupe any duplicate IPs from different sources.
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
# the IP list can be reloaded while snort is running through the use of a control
# socket. Please be sure that you built snort with the following optins:
# -enable-shared-rep and --enable-control-socket. Be sure to read about how to
# configure these! The following option tells pulledpork where to place the version
# file for use with control socket ip list reloads!
# This should be the same path where your black_list lives!
IPRVersion=/usr/local/etc/snort/rules/iplists
# The following option tells snort where the snort_control tool is located.
snort_control=/usr/local/bin/snort_control
# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completeion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup
# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www
# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable
# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid
# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
#
# Suricata users - set this to 'suricata-3.x.x' to process rule files
# for suricata, this mimics the -S flag on the command line.
# snort_version=2.9.0.0
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
enablesid=/opt/so/pulledpork/etc/enablesid.conf
dropsid=/opt/so/pulledpork/dropsid.conf
disablesid=/opt/so/pulledpork/disablesid.conf
modifysid=/opt/so/pulledpork/modifysid.conf
# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security
####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.
version=0.7.3

55
salt/pulledpork/init.sls
View File

@@ -1,55 +0,0 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# PulledProk Setup
ppdir:
file.directory:
- name: /opt/so/pulledpork/etc
- user: 939
- group: 939
- makedirs: True
ppetcsync:
file.recurse:
- name: /opt/so/pulledpork/etc
- source: salt://pulledpork/etc
- user: 939
- group: 939
- template: jinja
rulesdir:
file.directory:
- name: /opt/so/rules/nids
- user: 939
- group: 939
- makedirs: True
ruleslink:
file.symlink:
- name: /opt/so/saltstack/salt/pulledpork/rules
- target: /opt/so/rules/nids
toosmooth/so-pulledpork:test2:
docker_image.present
so-pulledpork:
docker_container.running:
- image: toosmooth/so-pulledpork:test2
- hostname: so-pulledpork
- user: socore
- binds:
- /opt/so/pulledpork/etc:/opt/pulledpork/etc:ro
- /opt/so/rules/nids:/opt/so/rules/nids:rw
- network_mode: so-elastic-net

24
salt/somaster/init.sls
View File

@@ -1,24 +0,0 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Add Redis docker if REDIS is enabled
# Add REDIS user
# Sync updated logstash config for REDIS
# Add ES user
# Add ES Docker

4
salt/top.sls
View File

@@ -20,7 +20,6 @@ base:
- firewall
- master
- idstools
- redis
- elasticsearch
- logstash
- kibana
@@ -28,6 +27,8 @@ base:
- suricata
- bro
- curator
- elastalert
- filebeat
- utility
- schedule
@@ -43,6 +44,7 @@ base:
- elasticsearch
- logstash
- kibana
- elastalert
- utility
- schedule