From 78267054694c3f91d60f3d6d09d0d21e4352f237 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Feb 2018 10:48:53 -0500 Subject: [PATCH] PulledPork Salt Module --- salt/common/init.sls | 5 +- salt/pulledpork/etc/disablesid.conf | 38 +++++ salt/pulledpork/etc/dropsid.conf | 42 ++++++ salt/pulledpork/etc/enablesid.conf | 48 +++++++ salt/pulledpork/etc/modifysid.conf | 40 ++++++ salt/pulledpork/etc/pulledpork.conf | 214 ++++++++++++++++++++++++++++ 6 files changed, 386 insertions(+), 1 deletion(-) create mode 100644 salt/pulledpork/etc/disablesid.conf create mode 100644 salt/pulledpork/etc/dropsid.conf create mode 100644 salt/pulledpork/etc/enablesid.conf create mode 100644 salt/pulledpork/etc/modifysid.conf create mode 100644 salt/pulledpork/etc/pulledpork.conf diff --git a/salt/common/init.sls b/salt/common/init.sls index cda5eb1dd..5aa25d0dc 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -38,9 +38,12 @@ dockernet: - name: so-elastic-net - driver: bridge +toosmooth/so-core:test2: + docker_image.present + so-core: docker_container.running: - - image: toosmooth/so-bro:test1 + - image: toosmooth/so-core:test2 - hostname: so-core - user: socore - binds: diff --git a/salt/pulledpork/etc/disablesid.conf b/salt/pulledpork/etc/disablesid.conf new file mode 100644 index 000000000..7e2381aa3 --- /dev/null +++ b/salt/pulledpork/etc/disablesid.conf @@ -0,0 +1,38 @@ +# example disablesid.conf V3.1 + +# Example of modifying state for individual rules +# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 + +# Example of modifying state for rule ranges +# 1:220-1:3264,3:13010-3:13013 + +# Comments are allowed in this file, and can also be on the same line +# As the modify state syntax, as long as it is a trailing comment +# 1:1011 # I Disabled this rule because I could! + +# Example of modifying state for MS and cve rules, note the use of the : +# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, +# and all MS00 and all cve 2000 related sids! These support regular expression +# matching only after you have specified what you are looking for, i.e. +# MS00- or cve:, the first section CANNOT contain a regular +# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) +# for this. +# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ + +# Example of using the pcre: keyword to modify rulestate. the pcre keyword +# allows for full use of regular expression syntax, you do not need to designate +# with / and all pcre searches are treated as case insensitive. For more information +# about regular expression syntax: http://www.regular-expressions.info/ +# The following example modifies state for all MS07 through MS10 +# pcre:MS(0[7-9]|10)-\d+ + +# Example of modifying state for specific categories entirely (see README.CATEGORIES) +# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp + +# Any of the above values can be on a single line or multiple lines, when +# on a single line they simply need to be separated by a , +# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 + +# The modifications in this file are for sample/example purposes only and +# should not actively be used, you need to modify this file to fit your +# environment. diff --git a/salt/pulledpork/etc/dropsid.conf b/salt/pulledpork/etc/dropsid.conf new file mode 100644 index 000000000..27a41e57e --- /dev/null +++ b/salt/pulledpork/etc/dropsid.conf @@ -0,0 +1,42 @@ +# example dropsid.conf V3.1 +# +# Note: This file is used to specify what rules you wish to be set to have +# an action of drop rather than alert. This means that you are running +# snort inline (more info about inline deployments at snort.org). + +# Example of modifying state for individual rules +# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 + +# Example of modifying state for rule ranges +# 1:220-1:3264,3:13010-3:13013 + +# Comments are allowed in this file, and can also be on the same line +# As the modify state syntax, as long as it is a trailing comment +# 1:1011 # I Disabled this rule because I could! + +# Example of modifying state for MS and cve rules, note the use of the : +# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, +# and all MS00 and all cve 2000 related sids! These support regular expression +# matching only after you have specified what you are looking for, i.e. +# MS00- or cve:, the first section CANNOT contain a regular +# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) +# for this. +# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ + +# Example of using the pcre: keyword to modify rulestate. the pcre keyword +# allows for full use of regular expression syntax, you do not need to designate +# with / and all pcre searches are treated as case insensitive. For more information +# about regular expression syntax: http://www.regular-expressions.info/ +# The following example modifies state for all MS07 through MS10 +# pcre:MS(0[7-9]|10)-\d+ + +# Example of modifying state for specific categories entirely (see README.CATEGORIES) +# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp + +# Any of the above values can be on a single line or multiple lines, when +# on a single line they simply need to be separated by a , +# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 + +# The modifications in this file are for sample/example purposes only and +# should not actively be used, you need to modify this file to fit your +# environment. diff --git a/salt/pulledpork/etc/enablesid.conf b/salt/pulledpork/etc/enablesid.conf new file mode 100644 index 000000000..261f605e4 --- /dev/null +++ b/salt/pulledpork/etc/enablesid.conf @@ -0,0 +1,48 @@ +# example enablesid.conf v3.1 + +# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file +# will be set back to their ORIGINAL state as it was read when they were +# originally extracted from the source tarball! + +# Example of modifying state for individual rules +# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 + +# Example of modifying state for rule ranges +# 1:220-1:3264,3:13010-3:13013 + +# Comments are allowed in this file, and can also be on the same line +# As the modify state syntax, as long as it is a trailing comment +# 1:1011 # I Disabled this rule because I could! + +# Example of modifying state for MS and cve rules, note the use of the : +# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, +# and all MS00 and all cve 2000 related sids! These support regular expression +# matching only after you have specified what you are looking for, i.e. +# MS00- or cve:, the first section CANNOT contain a regular +# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) +# for this. +# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ + +# Example of using the pcre: keyword to modify rulestate. the pcre keyword +# allows for full use of regular expression syntax, you do not need to designate +# with / and all pcre searches are treated as case insensitive. For more information +# about regular expression syntax: http://www.regular-expressions.info/ +# The following example modifies state for all MS07 through MS10 +# pcre:MS(0[7-9]|10)-\d+ + +# FOR TESTING ONLY: +# The following will enable ALL signatures for which Pulledpork has been configured +# to download +# pcre:. + +# Example of modifying state for specific categories entirely (see README.CATEGORIES) +# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp + +# Any of the above values can be on a single line or multiple lines, when +# on a single line they simply need to be separated by a , +# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 + +# The modifications in this file are for sample/example purposes only and +# should not actively be used, you need to modify this file to fit your +# environment. + diff --git a/salt/pulledpork/etc/modifysid.conf b/salt/pulledpork/etc/modifysid.conf new file mode 100644 index 000000000..50ee97601 --- /dev/null +++ b/salt/pulledpork/etc/modifysid.conf @@ -0,0 +1,40 @@ +# example modifysid.conf v1.1 2/18/2011 Alan Ptak +# +# Change history: +# ----------------------------------------------- +# v1.1 2/18/2011 Alan Ptak +# - Inserted comments around example elements that would otherwise modify rules +# +# v1.0 7/25/2010 JJC +# - original release +# ----------------------------------------------- +# +# formatting is simple +# "what I'm replacing" "what I'm replacing it with" +# +# Note that this will only work with GID:1 rules, simply because modifying +# GID:3 stub rules would not actually affect the rule, thusly it will remain +# non modifyable! +# +# If you are attempting to change rulestate (enable,drop,disable) from here +# then you are doing it wrong, it is much more efficient to do so from within +# the respective rulestate modification configuration files, please see doc/ +# and the README file! + +# the following applies to sid 10010 only and represents what would normally +# be s/to_client/from_server/ +# 10010 "to_client" "from_server" + +# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1 +# rules +# "HTTP_PORTS" "HTTPS_PORTS" + +# multiple sids can be specified as noted below: +# 302,429,1821 "\$EXTERNAL_NET" "$HOME_NET" + +# example of modification of a rule to make snortsam BLOCK the rule: +# note that one rule changes from alert to BLOCK and that the other +# modifies the msg:" field value so that when the alert occurs it is noted +# that it is a SNORTSAM block rule! +# 17803 "\(msg:"" "\(msg:"SNORTSAM "; +# 17803 "^\s*alert" "BLOCK"; diff --git a/salt/pulledpork/etc/pulledpork.conf b/salt/pulledpork/etc/pulledpork.conf new file mode 100644 index 000000000..736d7b3a1 --- /dev/null +++ b/salt/pulledpork/etc/pulledpork.conf @@ -0,0 +1,214 @@ +# Config file for pulledpork +# Be sure to read through the entire configuration file +# If you specify any of these items on the command line, it WILL take +# precedence over any value that you specify in this file! + +####### +####### The below section defines what your oinkcode is (required for +####### VRT rules), defines a temp path (must be writable) and also +####### defines what version of rules that you are getting (for your +####### snort version and subscription etc...) +####### + +# You can specify one or as many rule_urls as you like, they +# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify +# each on an individual line, or you can specify them in a , separated list +# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456 +# note that the url, rule file, and oinkcode itself are separated by a pipe | +# i.e. url|tarball|123456789, +rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz| +# NEW Community ruleset: +rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community +# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST| +# This format MUST be followed to let pulledpork know that this is a blacklist +rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|open +# URL for rule documentation! (slow to process) +rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource +# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change! +# and open-nogpl, to avoid conflicts. +#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl +# THE FOLLOWING URL is for etpro downloads, note the tarball name change! +# and the et oinkcode requirement! +#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz| +# NOTE above that the VRT snortrules-snapshot does not contain the version +# portion of the tarball name, this is because PP now automatically populates +# this value for you, if, however you put the version information in, PP will +# NOT populate this value but will use your value! + +# Specify rule categories to ignore from the tarball in a comma separated list +# with no spaces. There are four ways to do this: +# 1) Specify the category name with no suffix at all to ignore the category +# regardless of what rule-type it is, ie: netbios +# 2) Specify the category name with a '.rules' suffix to ignore only gid 1 +# rulefiles located in the /rules directory of the tarball, ie: policy.rules +# 3) Specify the category name with a '.preproc' suffix to ignore only +# preprocessor rules located in the /preproc_rules directory of the tarball, +# ie: sensitive-data.preproc +# 4) Specify the category name with a '.so' suffix to ignore only shared-object +# rules located in the /so_rules directory of the tarball, ie: netbios.so +# The example below ignores dos rules wherever they may appear, sensitive- +# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules), +# and netbios gid-1 rules (while including netbios so-rules): +# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules +# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x. +ignore=deleted.rules,experimental.rules,local.rules +# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the +# previous ignore line and uncomment the following! +# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data + +# What is our temp path, be sure this path has a bit of space for rule +# extraction and manipulation, no trailing slash +temp_path=/tmp + +####### +####### The below section is for rule processing. This section is +####### required if you are not specifying the configuration using +####### runtime switches. Note that runtime switches do SUPERSEED +####### any values that you have specified here! +####### + +# What path you want the .rules file containing all of the processed +# rules? (this value has changed as of 0.4.0, previously we copied +# all of the rules, now we are creating a single large rules file +# but still keeping a separate file for your so_rules! +rule_path=/usr/local/etc/snort/rules/snort.rules + +# What path you want the .rules files to be written to, this is UNIQUE +# from the rule_path and cannot be used in conjunction, this is to be used with the +# -k runtime flag, this can be set at runtime using the -K flag or specified +# here. If specified here, the -k option must also be passed at runtime, however +# specifying -K at runtime forces the -k option to also be set +# out_path=/usr/local/etc/snort/rules/ + +# If you are running any rules in your local.rules file, we need to +# know about them to properly build a sid-msg.map that will contain your +# local.rules metadata (msg) information. You can specify other rules +# files that are local to your system here by adding a comma and more paths... +# remember that the FULL path must be specified for EACH value. +# local_rules=/path/to/these.rules,/path/to/those.rules +local_rules=/usr/local/etc/snort/rules/local.rules + +# Where should I put the sid-msg.map file? +sid_msg=/usr/local/etc/snort/sid-msg.map + +# New for by2 and more advanced msg mapping. Valid options are 1 or 2 +# specify version 2 if you are running barnyard2.2+. Otherwise use 1 +sid_msg_version=1 + +# Where do you want me to put the sid changelog? This is a changelog +# that pulledpork maintains of all new sids that are imported +sid_changelog=/var/log/sid_changes.log +# this value is optional + +####### +####### The below section is for so_rule processing only. If you don't +####### need to use them.. then comment this section out! +####### Alternately, if you are not using pulledpork to process +####### so_rules, you can specify -T at runtime to bypass this altogether +####### + +# What path you want the .so files to actually go to *i.e. where is it +# defined in your snort.conf, needs a trailing slash +sorule_path=/usr/local/lib/snort_dynamicrules/ + +# Path to the snort binary, we need this to generate the stub files +snort_path=/usr/local/bin/snort + +# We need to know where your snort.conf file lives so that we can +# generate the stub files +config_path=/usr/local/etc/snort/snort.conf + +##### Deprecated - The stubs are now categorically written to the single rule file! +# sostub_path=/usr/local/etc/snort/rules/so_rules.rules + +# Define your distro, this is for the precompiled shared object libs! +# Valid Distro Types: +# Debian-6-0, Ubuntu-10-4 +# Ubuntu-12-04, Centos-5-4 +# FC-12, FC-14, RHEL-5-5, RHEL-6-0 +# FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0 +# OpenBSD-5-2, OpenBSD-5-3 +# OpenSUSE-11-4, OpenSUSE-12-1 +# Slackware-13-1 +distro=FreeBSD-8-1 + +####### This next section is optional, but probably pretty useful to you. +####### Please read thoroughly! + +# If you are using IP Reputation and getting some public lists, you will probably +# want to tell pulledpork where your blacklist file lives, PP automagically will +# de-dupe any duplicate IPs from different sources. +black_list=/usr/local/etc/snort/rules/iplists/default.blacklist + +# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby +# the IP list can be reloaded while snort is running through the use of a control +# socket. Please be sure that you built snort with the following optins: +# -enable-shared-rep and --enable-control-socket. Be sure to read about how to +# configure these! The following option tells pulledpork where to place the version +# file for use with control socket ip list reloads! +# This should be the same path where your black_list lives! +IPRVersion=/usr/local/etc/snort/rules/iplists + +# The following option tells snort where the snort_control tool is located. +snort_control=/usr/local/bin/snort_control + +# What do you want to backup and archive? This is a comma separated list +# of file or directory values. If a directory is specified, PP will recurse +# through said directory and all subdirectories to archive all files. +# The following example backs up all snort config files, rules, pulledpork +# config files, and snort shared object binary rules. +# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/ + +# what path and filename should we use for the backup tarball? +# note that an epoch time value and the .tgz extension is automatically added +# to the backup_file name on completeion i.e. the written file is: +# pp_backup.1295886020.tgz +# backup_file=/tmp/pp_backup + +# Where do you want the signature docs to be copied, if this is commented +# out then they will not be copied / extracted. Note that extracting them +# will add considerable runtime to pulledpork. +# docs=/path/to/base/www + +# The following option, state_order, allows you to more finely control the order +# that pulledpork performs the modify operations, specifically the enablesid +# disablesid and dropsid functions. An example use case here would be to +# disable an entire category and later enable only a rule or two out of it. +# the valid values are disable, drop, and enable. +# state_order=disable,drop,enable + + +# Define the path to the pid files of any running process that you want to +# sent a signal (specified with -H option) after PP has completed its run. +# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid +# and so on... +# pid_path=/var/run/snort_eth0.pid + +# This defines the version of snort that you are using, for use ONLY if the +# proper snort binary is not on the system that you are fetching the rules with +# This value MUST contain all 4 minor version +# numbers. ET rules are now also dependant on this, verify supported ET versions +# prior to simply throwing rubbish in this variable kthx! +# +# Suricata users - set this to 'suricata-3.x.x' to process rule files +# for suricata, this mimics the -S flag on the command line. +# snort_version=2.9.0.0 + +# Here you can specify what rule modification files to run automatically. +# simply uncomment and specify the apt path. +# enablesid=/usr/local/etc/snort/enablesid.conf +# dropsid=/usr/local/etc/snort/dropsid.conf +# disablesid=/usr/local/etc/snort/disablesid.conf +# modifysid=/usr/local/etc/snort/modifysid.conf + +# What is the base ruleset that you want to use, please uncomment to use +# and see the README.RULESETS for a description of the options. +# Note that setting this value will disable all ET rulesets if you are +# Running such rulesets +# ips_policy=security + +####### Remember, a number of these values are optional.. if you don't +####### need to process so_rules, simply comment out the so_rule section +####### you can also specify -T at runtime to process only GID 1 rules. + +version=0.7.3