From 83aa261d886f58a78a45e8133d59ecf5625bf6d6 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 23 Feb 2022 10:50:13 -0500
Subject: [PATCH] IDH - Import & Enables Plays

---
 salt/idh/plays/idh_ftp.yml                    | 17 +++++++++++++++++
 salt/idh/plays/idh_httpproxy.yml              | 17 +++++++++++++++++
 .../{Plays/IDH_SSH.yaml => plays/idh_ssh.yml} |  5 +++--
 salt/idh/plays/idh_tftp.yml                   | 17 +++++++++++++++++
 salt/playbook/init.sls                        | 12 ++++++++++++
 5 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 salt/idh/plays/idh_ftp.yml
 create mode 100644 salt/idh/plays/idh_httpproxy.yml
 rename salt/idh/{Plays/IDH_SSH.yaml => plays/idh_ssh.yml} (56%)
 create mode 100644 salt/idh/plays/idh_tftp.yml

diff --git a/salt/idh/plays/idh_ftp.yml b/salt/idh/plays/idh_ftp.yml
new file mode 100644
index 000000000..c7572e87a
--- /dev/null
+++ b/salt/idh/plays/idh_ftp.yml
@@ -0,0 +1,17 @@
+title: SO IDH - FTP Login Attempt
+id: d2d82069-30a7-4ac3-b584-ba696fbc24fd
+status: experimental
+description: Detects when the FTP service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+      - 2000
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_httpproxy.yml b/salt/idh/plays/idh_httpproxy.yml
new file mode 100644
index 000000000..9333be88c
--- /dev/null
+++ b/salt/idh/plays/idh_httpproxy.yml
@@ -0,0 +1,17 @@
+title: SO IDH - HTTP Proxy Attempted Proxy
+id: 6722bba8-5713-4463-b3ab-8432224928c2
+status: experimental
+description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy attempt.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+      - 2000
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
\ No newline at end of file
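Review bot: The selection in this new play is only `product: idh` plus `event.code: 2000`, and the idh_httpproxy.yml hunk on this line and the idh_tftp.yml hunk below carry exactly the same selection, so the three rules are indistinguishable and every matching event will raise all three alerts no matter which service was touched. If the IDH backend assigns a distinct code per service, presumably only one of the three values is really 2000 and the other two plays need their own codes; if it does not, the selection needs an additional field that names the service. As written, each title and description promises a per-service detection that the logic does not deliver. Separately, all three new files end without a trailing newline (`\ No newline at end of file`), which is worth fixing before more plays are copied from them.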
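Review bot: The `id` in this play, `6722bba8-5713-4463-b3ab-8432224928c2`, is the same UUID the idh_tftp.yml hunk below assigns to the TFTP play, so two rules collide on what is meant to be a unique identifier; an importer that keys on `id` will keep only one of them or silently overwrite one with the other. One of the two files needs a freshly generated UUID, as the FTP and SSH plays in this commit each have. Since the TFTP play also repeats this file's `event.code`, it looks like a copy that was not fully edited, so its level, falsepositives and fields are worth a second look rather than being inherited.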
diff --git a/salt/idh/Plays/IDH_SSH.yaml b/salt/idh/plays/idh_ssh.yml
similarity index 56%
rename from salt/idh/Plays/IDH_SSH.yaml
rename to salt/idh/plays/idh_ssh.yml
index 1d4e7ece4..8ed0c26b8 100644
--- a/salt/idh/Plays/IDH_SSH.yaml
+++ b/salt/idh/plays/idh_ssh.yml
@@ -1,6 +1,7 @@
-title: SO IDH - SSH Accessed
+title: SO IDH - SSH Login Attempt
+id: b7a09f0a-88ca-4fe0-bc8a-92106133e231
 status: experimental
-description: Detects when the SSH service on a SO IDH node has been probed.
+description: Detects when the SSH service on a SO IDH node has had a login attempt.
 author: Security Onion Solutions
 logsource:
   product: idh
diff --git a/salt/idh/plays/idh_tftp.yml b/salt/idh/plays/idh_tftp.yml
new file mode 100644
index 000000000..8e07a9d53
--- /dev/null
+++ b/salt/idh/plays/idh_tftp.yml
@@ -0,0 +1,17 @@
+title: SO IDH - TFTP Requests
+id: 6722bba8-5713-4463-b3ab-8432224928c2
+status: experimental
+description: Detects when the TFTP service on a SO IDH node has had requests.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+      - 2000
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 491890dac..81db5205c 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -109,6 +109,18 @@ so-playbookruleupdatecron:
     - user: root
     - minute: '1'
     - hour: '6'
+
+{% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %}
+idh-plays:
+  file.recurse:
+    - name: /opt/so/conf/soctopus/sigma-import
+    - source: salt://idh/plays
+    - makedirs: True
+  cmd.run:
+    - name: so-playbook-import true
+    - onchanges:
+      - file: /opt/so/conf/soctopus/sigma-import
+{% endif %}
 {% else %}
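Review bot: The new title and description say "Login Attempt" where the old text said "Accessed" and "probed", but this hunk changes only the header fields; the detection block that decides which events match lies below the hunk and is not touched by the rename, so it is worth confirming it actually selects login-attempt events rather than any new connection. If that block uses the same bare `event.code` selection the sibling plays in this commit use, the rule's name and the events it matches will disagree. The rest of the file is outside the hunk, so this is inferred from the header change alone.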