From 9517cb2a582cc9897363f35216b8db04bac5f2a5 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 1 Dec 2020 11:25:51 -0500
Subject: [PATCH 1/4] Remove ScanMmbot

---
 salt/strelka/files/backend/backend.yaml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml
index 53c29e3fa..b71e8ac74 100644
--- a/salt/strelka/files/backend/backend.yaml
+++ b/salt/strelka/files/backend/backend.yaml
@@ -215,14 +215,6 @@ scanners:
 priority: 5
 options:
 tmp_directory: '/dev/shm/'
- 'ScanMmbot':
- - positive:
- flavors:
- - 'vb_file'
- - 'vbscript'
- priority: 5
- options:
- server: 'strelka_mmrpc_1:33907'
 'ScanOcr':
 - positive:
 flavors:

From 141d7a35c9f161a20dcd0bd79d93ac6e51a3a9a4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 1 Dec 2020 15:38:09 -0500
Subject: [PATCH 2/4] if true cluster enabled allow search nodes to talk to each other

https://github.com/Security-Onion-Solutions/securityonion/issues/2079

---
 salt/firewall/assigned_hostgroups.map.yaml | 27 ++++++++++++++++++++++
 setup/so-functions | 2 +-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index cb2de370c..30a6117aa 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -1,6 +1,7 @@
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'firewall/portgroups.yaml' as portgroups %}
 {% set portgroups = portgroups.firewall.aliases.ports %}
+{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
 
 role:
 eval:
@@ -42,6 +43,11 @@ role:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
+ heavy_node:
+ portgroups:
+ - {{ portgroups.redis }}
+ - {{ portgroups.minio }}
+ - {{ portgroups.elasticsearch_node }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -135,6 +141,12 @@ role:
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.beats_5644 }}
+ heavy_node:
+ portgroups:
+ - {{ portgroups.redis }}
+ - {{ portgroups.minio }}
+ - {{ portgroups.elasticsearch_node }}
+ - {{ portgroups.beats_5644 }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -219,6 +231,11 @@ role:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
+ heavy_node:
+ portgroups:
+ - {{ portgroups.redis }}
+ - {{ portgroups.minio }}
+ - {{ portgroups.elasticsearch_node }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -303,6 +320,11 @@ role:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
+ heavy_node:
+ portgroups:
+ - {{ portgroups.redis }}
+ - {{ portgroups.minio }}
+ - {{ portgroups.elasticsearch_node }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -425,6 +447,11 @@ role:
 elasticsearch_rest:
 portgroups:
 - {{ portgroups.elasticsearch_rest }}
+ {% if TRUE_CLUSTER %}
+ search_node:
+ portgroups:
+ - {{ portgroups.elasticsearch_node }}
+ {% endif %}
 self:
 portgroups:
 - {{ portgroups.syslog}}
diff --git a/setup/so-functions b/setup/so-functions
index 4ba639fa5..3cf268869 100755
--- a/setup/so-functions
+++ b/setup/so-functions
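Review bot: The `{% if TRUE_CLUSTER %}` guard added in the @@ -425 hunk is only as reliable as the type of the pillar value it tests, and the declaration in the @@ -1 hunk (`salt['pillar.get']('elasticsearch:true_cluster', False)`) sits beside an `ISAIRGAP` lookup that defaults to the string `'False'`, which suggests these pillar flags may arrive as strings on some installs. If `true_cluster` is ever rendered as the string `"False"`, Jinja evaluates it as truthy and the new `search_node` hostgroup opening `elasticsearch_node` between search nodes is applied with the feature nominally disabled. Normalising at the declaration, e.g. `{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) | string | lower == 'true' %}`, keeps the extra firewall opening tied to an explicit opt-in. The `heavy_node` stanzas added in the @@ -42, @@ -135, @@ -219 and @@ -303 hunks are verbatim copies of the `search_node` entries directly above them; a comment such as `# heavy_node: kept identical to search_node, see the HEAVYNODE case in setup/so-functions` would record that the two must change together.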
@@ -1883,7 +1883,7 @@ set_initial_firewall_policy() {
 ;;
 'HEAVYNODE')
 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
- ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
+ ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP"
 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE"
 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 ;;

From 81b86bf7f2c04ace34514b7cb656a5b77838481d Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 1 Dec 2020 16:04:46 -0500
Subject: [PATCH 3/4] Switch PCAP quick actions to support alternative lookup link when a single event ID is not available

---
 salt/soc/files/soc/alerts.actions.json | 2 +-
 salt/soc/files/soc/hunt.actions.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json
index b825c0131..e453a84b7 100644
--- a/salt/soc/files/soc/alerts.actions.json
+++ b/salt/soc/files/soc/alerts.actions.json
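Review bot: The HEAVYNODE branch now calls `so-firewall --apply includehost heavy_node`, but nothing in the hunk removes an existing `search_node` membership, so a heavy node enrolled before this change presumably keeps its old hostgroup as well (includehost reads as additive, though its implementation is not visible here). Because the `search_node` hostgroup also gains `elasticsearch_node` under `TRUE_CLUSTER` in assigned_hostgroups.map.yaml in this same commit, such a node would retain search-node reachability it is no longer meant to have; a matching removal of the stale `search_node` entry, or a documented one-off migration step for existing heavy nodes, would close that gap. `set_initial_firewall_policy` begins and ends outside the hunk.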
@@ -1,6 +1,6 @@
 [
 { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
+ { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" },
 { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
 { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
 ]
\ No newline at end of file
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
index b825c0131..e453a84b7 100644
--- a/salt/soc/files/soc/hunt.actions.json
+++ b/salt/soc/files/soc/hunt.actions.json
@@ -1,6 +1,6 @@
 [
 { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
+ { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" },
 { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
 { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
 ]
\ No newline at end of file
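Review bot: The new fallback `/joblookup?ncid={:network.community_id}` in the actionPcap entry (identical in the hunt.actions.json hunk on this page) drops a Community ID straight into a query string, and Community ID values are `version:base64` strings that routinely contain `+`, `/` and `=`. Unless the SOC placeholder expansion percent-encodes values, which this hunk cannot show, a `+` reaches the server as a space and the PCAP lookup silently fails for those flows. Worth confirming in the consumer; if it does not encode, fixing the expander once is safer than adjusting every link. The later commit in this series carries the same link unchanged into its reformatted `links` arrays.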
From b7bc8db3b2228e4dba288217c990507ea54bb518 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 1 Dec 2020 17:37:44 -0500
Subject: [PATCH 4/4] Modify PCAP quick action to work off of network community ID; Add new Correlate quick action

---
 salt/soc/files/soc/alerts.actions.json | 31 ++++++++++++++++++++++----
 salt/soc/files/soc/hunt.actions.json | 31 ++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 8 deletions(-)

diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json
index e453a84b7..46c4ea68d 100644
--- a/salt/soc/files/soc/alerts.actions.json
+++ b/salt/soc/files/soc/alerts.actions.json
@@ -1,6 +1,29 @@
 [
- { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" },
- { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
+ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
+ "links": [
+ "/#/hunt?q=\"{value}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
+ "links": [
+ "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
+ "links": [
+ "/joblookup?esid={:soc_id}",
+ "/joblookup?ncid={:network.community_id}"
+ ]},
+ { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
+ "links": [
+ "https://www.google.com/search?q={value}"
+ ]},
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
+ "links": [
+ "https://www.virustotal.com/gui/search/{value}"
+ ]}
 ]
\ No newline at end of file
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
index e453a84b7..46c4ea68d 100644
--- a/salt/soc/files/soc/hunt.actions.json
+++ b/salt/soc/files/soc/hunt.actions.json
@@ -1,6 +1,29 @@
 [
- { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" },
- { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
+ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
+ "links": [
+ "/#/hunt?q=\"{value}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
+ "links": [
+ "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
+ "links": [
+ "/joblookup?esid={:soc_id}",
+ "/joblookup?ncid={:network.community_id}"
+ ]},
+ { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
+ "links": [
+ "https://www.google.com/search?q={value}"
+ ]},
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
+ "links": [
+ "https://www.virustotal.com/gui/search/{value}"
+ ]}
 ]
\ No newline at end of file