mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Refactor image repository to a single variable
This commit is contained in:
Jason Ertel
@@ -15,6 +15,8 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
IMAGEREPO=soshybridhunter
|
||||
|
||||
# Check for prerequisites
|
||||
if [ "$(id -u)" -ne 0 ]; then
|
||||
echo "This script must be run using sudo!"
|
||||
|
||||
@@ -14,12 +14,8 @@
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
got_root(){
|
||||
if [ "$(id -u)" -ne 0 ]; then
|
||||
echo "This script must be run using sudo!"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
manager_check() {
|
||||
# Check to see if this is a manager
|
||||
@@ -39,10 +35,10 @@ update_docker_containers() {
|
||||
do
|
||||
# Pull down the trusted docker image
|
||||
echo "Downloading $i"
|
||||
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
|
||||
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
|
||||
# Tag it with the new registry destination
|
||||
docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
|
||||
docker push $HOSTNAME:5000/soshybridhunter/$i
|
||||
docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
|
||||
docker push $HOSTNAME:5000/$IMAGEREPO/$i
|
||||
done
|
||||
|
||||
}
|
||||
@@ -55,7 +51,7 @@ version_check() {
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
got_root
|
||||
|
||||
manager_check
|
||||
version_check
|
||||
|
||||
|
||||
@@ -1,43 +0,0 @@
|
||||
#!/bin/bash
|
||||
MANAGER=MANAGER
|
||||
VERSION="HH1.1.4"
|
||||
TRUSTED_CONTAINERS=( \
|
||||
"so-nginx:$VERSION" \
|
||||
"so-thehive-cortex:$VERSION" \
|
||||
"so-curator:$VERSION" \
|
||||
"so-domainstats:$VERSION" \
|
||||
"so-elastalert:$VERSION" \
|
||||
"so-elasticsearch:$VERSION" \
|
||||
"so-filebeat:$VERSION" \
|
||||
"so-fleet:$VERSION" \
|
||||
"so-fleet-launcher:$VERSION" \
|
||||
"so-freqserver:$VERSION" \
|
||||
"so-grafana:$VERSION" \
|
||||
"so-idstools:$VERSION" \
|
||||
"so-influxdb:$VERSION" \
|
||||
"so-kibana:$VERSION" \
|
||||
"so-logstash:$VERSION" \
|
||||
"so-mysql:$VERSION" \
|
||||
"so-playbook:$VERSION" \
|
||||
"so-redis:$VERSION" \
|
||||
"so-sensoroni:$VERSION" \
|
||||
"so-soctopus:$VERSION" \
|
||||
"so-steno:$VERSION" \
|
||||
#"so-strelka:$VERSION" \
|
||||
"so-suricata:$VERSION" \
|
||||
"so-telegraf:$VERSION" \
|
||||
"so-thehive:$VERSION" \
|
||||
"so-thehive-es:$VERSION" \
|
||||
"so-wazuh:$VERSION" \
|
||||
"so-zeek:$VERSION" )
|
||||
|
||||
for i in "${TRUSTED_CONTAINERS[@]}"
|
||||
do
|
||||
# Pull down the trusted docker image
|
||||
echo "Downloading $i"
|
||||
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
|
||||
# Tag it with the new registry destination
|
||||
docker tag soshybridhunter/$i $MANAGER:5000/soshybridhunter/$i
|
||||
docker push $MANAGER:5000/soshybridhunter/$i
|
||||
docker rmi soshybridhunter/$i
|
||||
done
|
||||
@@ -31,13 +31,13 @@ for i in "${TRUSTED_CONTAINERS[@]}"
|
||||
do
|
||||
# Pull down the trusted docker image
|
||||
echo "Downloading $i"
|
||||
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
|
||||
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
|
||||
# Tag it with the new registry destination
|
||||
docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
|
||||
docker push $HOSTNAME:5000/soshybridhunter/$i
|
||||
docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
|
||||
docker push $HOSTNAME:5000/$IMAGEREPO/$i
|
||||
done
|
||||
for i in "${TRUSTED_CONTAINERS[@]}"
|
||||
do
|
||||
echo "Removing $i locally"
|
||||
docker rmi soshybridhunter/$i
|
||||
docker rmi $IMAGEREPO/$i
|
||||
done
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{%- set MANAGERIP = salt['pillar.get']('static:managerip') -%}
|
||||
|
||||
function usage {
|
||||
@@ -31,13 +32,13 @@ EOF
|
||||
function pcapinfo() {
|
||||
PCAP=$1
|
||||
ARGS=$2
|
||||
docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MANAGER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap $ARGS
|
||||
docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS
|
||||
}
|
||||
|
||||
function pcapfix() {
|
||||
PCAP=$1
|
||||
PCAP_OUT=$2
|
||||
docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1
|
||||
docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1
|
||||
}
|
||||
|
||||
function suricata() {
|
||||
@@ -58,7 +59,7 @@ function suricata() {
|
||||
-v ${NSM_PATH}/:/nsm/:rw \
|
||||
-v $PCAP:/input.pcap:ro \
|
||||
-v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \
|
||||
{{ MANAGER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} \
|
||||
{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \
|
||||
--runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1
|
||||
}
|
||||
|
||||
@@ -86,7 +87,7 @@ function zeek() {
|
||||
-v /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro \
|
||||
--entrypoint /opt/zeek/bin/zeek \
|
||||
-w /nsm/zeek/logs \
|
||||
{{ MANAGER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} \
|
||||
{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} \
|
||||
-C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1
|
||||
}
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %}
|
||||
# Curator
|
||||
@@ -111,7 +112,7 @@ so-curatordeletecron:
|
||||
|
||||
so-curator:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-curator:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }}
|
||||
- hostname: curator
|
||||
- name: so-curator
|
||||
- user: curator
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
#!/bin/bash
|
||||
/usr/bin/docker exec so-bro /opt/bro/bin/broctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/bro/logs/packetloss.log
|
||||
@@ -1,64 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
|
||||
|
||||
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
|
||||
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
clean () {
|
||||
|
||||
SENSOR_DIR='/nsm'
|
||||
CRIT_DISK_USAGE=90
|
||||
CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
|
||||
LOG="/nsm/bro/logs/zeek_clean.log"
|
||||
|
||||
if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
|
||||
while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
|
||||
do
|
||||
TODAY=$(date -u "+%Y-%m-%d")
|
||||
|
||||
# find the oldest Zeek logs directory and exclude today
|
||||
OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1)
|
||||
if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
|
||||
then
|
||||
echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
|
||||
exit 0
|
||||
else
|
||||
echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG
|
||||
rm -rf /nsm/bro/logs/"$OLDEST_DIR"
|
||||
fi
|
||||
|
||||
# find oldest files in extracted directory and exclude today
|
||||
OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
|
||||
if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
|
||||
then
|
||||
echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG
|
||||
else
|
||||
OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
|
||||
OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
|
||||
echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
|
||||
find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
|
||||
do
|
||||
echo "$(date) - Removing extracted file: $FILE" >> $LOG
|
||||
rm -f "$FILE"
|
||||
done
|
||||
fi
|
||||
done
|
||||
else
|
||||
echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
|
||||
fi
|
||||
}
|
||||
|
||||
clean
|
||||
@@ -1,139 +0,0 @@
|
||||
##! Local site policy. Customize as appropriate.
|
||||
##!
|
||||
##! This file will not be overwritten when upgrading or reinstalling!
|
||||
|
||||
# This script logs which scripts were loaded during each run.
|
||||
@load misc/loaded-scripts
|
||||
|
||||
# Apply the default tuning scripts for common tuning settings.
|
||||
@load tuning/defaults
|
||||
|
||||
# Estimate and log capture loss.
|
||||
@load misc/capture-loss
|
||||
|
||||
# Enable logging of memory, packet and lag statistics.
|
||||
@load misc/stats
|
||||
|
||||
# Load the scan detection script.
|
||||
@load misc/scan
|
||||
|
||||
# Detect traceroute being run on the network. This could possibly cause
|
||||
# performance trouble when there are a lot of traceroutes on your network.
|
||||
# Enable cautiously.
|
||||
#@load misc/detect-traceroute
|
||||
|
||||
# Generate notices when vulnerable versions of software are discovered.
|
||||
# The default is to only monitor software found in the address space defined
|
||||
# as "local". Refer to the software framework's documentation for more
|
||||
# information.
|
||||
@load frameworks/software/vulnerable
|
||||
|
||||
# Detect software changing (e.g. attacker installing hacked SSHD).
|
||||
@load frameworks/software/version-changes
|
||||
|
||||
# This adds signatures to detect cleartext forward and reverse windows shells.
|
||||
@load-sigs frameworks/signatures/detect-windows-shells
|
||||
|
||||
# Load all of the scripts that detect software in various protocols.
|
||||
@load protocols/ftp/software
|
||||
@load protocols/smtp/software
|
||||
@load protocols/ssh/software
|
||||
@load protocols/http/software
|
||||
# The detect-webapps script could possibly cause performance trouble when
|
||||
# running on live traffic. Enable it cautiously.
|
||||
#@load protocols/http/detect-webapps
|
||||
|
||||
# This script detects DNS results pointing toward your Site::local_nets
|
||||
# where the name is not part of your local DNS zone and is being hosted
|
||||
# externally. Requires that the Site::local_zones variable is defined.
|
||||
@load protocols/dns/detect-external-names
|
||||
|
||||
# Script to detect various activity in FTP sessions.
|
||||
@load protocols/ftp/detect
|
||||
|
||||
# Scripts that do asset tracking.
|
||||
@load protocols/conn/known-hosts
|
||||
@load protocols/conn/known-services
|
||||
@load protocols/ssl/known-certs
|
||||
|
||||
# This script enables SSL/TLS certificate validation.
|
||||
@load protocols/ssl/validate-certs
|
||||
|
||||
# This script prevents the logging of SSL CA certificates in x509.log
|
||||
@load protocols/ssl/log-hostcerts-only
|
||||
|
||||
# Uncomment the following line to check each SSL certificate hash against the ICSI
|
||||
# certificate notary service; see http://notary.icsi.berkeley.edu .
|
||||
# @load protocols/ssl/notary
|
||||
|
||||
# If you have libGeoIP support built in, do some geographic detections and
|
||||
# logging for SSH traffic.
|
||||
@load protocols/ssh/geo-data
|
||||
# Detect hosts doing SSH bruteforce attacks.
|
||||
@load protocols/ssh/detect-bruteforcing
|
||||
# Detect logins using "interesting" hostnames.
|
||||
@load protocols/ssh/interesting-hostnames
|
||||
|
||||
# Detect SQL injection attacks.
|
||||
@load protocols/http/detect-sqli
|
||||
|
||||
#### Network File Handling ####
|
||||
|
||||
# Enable MD5 and SHA1 hashing for all files.
|
||||
@load frameworks/files/hash-all-files
|
||||
|
||||
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
|
||||
@load frameworks/files/detect-MHR
|
||||
|
||||
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
|
||||
# this might impact performance a bit.
|
||||
# @load policy/protocols/ssl/heartbleed
|
||||
|
||||
# Uncomment the following line to enable logging of connection VLANs. Enabling
|
||||
# this adds two VLAN fields to the conn.log file. This may not work properly
|
||||
# since we use AF_PACKET and it strips VLAN tags.
|
||||
# @load policy/protocols/conn/vlan-logging
|
||||
|
||||
# Uncomment the following line to enable logging of link-layer addresses. Enabling
|
||||
# this adds the link-layer address for each connection endpoint to the conn.log file.
|
||||
# @load policy/protocols/conn/mac-logging
|
||||
|
||||
# Uncomment the following line to enable the SMB analyzer. The analyzer
|
||||
# is currently considered a preview and therefore not loaded by default.
|
||||
@load base/protocols/smb
|
||||
|
||||
# BPF Configuration
|
||||
@load securityonion/bpfconf
|
||||
|
||||
# Add the interface to the log event
|
||||
#@load securityonion/add-interface-to-logs.bro
|
||||
|
||||
# Add Sensor Name to the conn.log
|
||||
#@load securityonion/conn-add-sensorname.bro
|
||||
|
||||
# File Extraction
|
||||
#@load securityonion/file-extraction
|
||||
|
||||
# Intel from Mandiant APT1 Report
|
||||
#@load securityonion/apt1
|
||||
|
||||
# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
|
||||
#@load securityonion/shellshock
|
||||
|
||||
# JA3 - SSL Detection Goodness
|
||||
@load policy/ja3
|
||||
|
||||
# HASSH
|
||||
@load policy/hassh
|
||||
|
||||
# You can load your own intel into:
|
||||
# /opt/so/saltstack/bro/policy/intel/ on the manager
|
||||
@load intel
|
||||
|
||||
# Load a custom Bro policy
|
||||
# /opt/so/saltstack/bro/policy/custom/ on the manager
|
||||
#@load custom/somebropolicy.bro
|
||||
|
||||
# Write logs in JSON
|
||||
redef LogAscii::use_json = T;
|
||||
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
|
||||
@@ -1,133 +0,0 @@
|
||||
##! Local site policy. Customize as appropriate.
|
||||
##!
|
||||
##! This file will not be overwritten when upgrading or reinstalling!
|
||||
|
||||
# This script logs which scripts were loaded during each run.
|
||||
@load misc/loaded-scripts
|
||||
|
||||
# Apply the default tuning scripts for common tuning settings.
|
||||
@load tuning/defaults
|
||||
|
||||
# Estimate and log capture loss.
|
||||
@load misc/capture-loss
|
||||
|
||||
# Enable logging of memory, packet and lag statistics.
|
||||
@load misc/stats
|
||||
|
||||
# Load the scan detection script.
|
||||
@load misc/scan
|
||||
|
||||
# Detect traceroute being run on the network. This could possibly cause
|
||||
# performance trouble when there are a lot of traceroutes on your network.
|
||||
# Enable cautiously.
|
||||
#@load misc/detect-traceroute
|
||||
|
||||
# Generate notices when vulnerable versions of software are discovered.
|
||||
# The default is to only monitor software found in the address space defined
|
||||
# as "local". Refer to the software framework's documentation for more
|
||||
# information.
|
||||
@load frameworks/software/vulnerable
|
||||
|
||||
# Detect software changing (e.g. attacker installing hacked SSHD).
|
||||
@load frameworks/software/version-changes
|
||||
|
||||
# This adds signatures to detect cleartext forward and reverse windows shells.
|
||||
@load-sigs frameworks/signatures/detect-windows-shells
|
||||
|
||||
# Load all of the scripts that detect software in various protocols.
|
||||
@load protocols/ftp/software
|
||||
@load protocols/smtp/software
|
||||
@load protocols/ssh/software
|
||||
@load protocols/http/software
|
||||
# The detect-webapps script could possibly cause performance trouble when
|
||||
# running on live traffic. Enable it cautiously.
|
||||
#@load protocols/http/detect-webapps
|
||||
|
||||
# This script detects DNS results pointing toward your Site::local_nets
|
||||
# where the name is not part of your local DNS zone and is being hosted
|
||||
# externally. Requires that the Site::local_zones variable is defined.
|
||||
@load protocols/dns/detect-external-names
|
||||
|
||||
# Script to detect various activity in FTP sessions.
|
||||
@load protocols/ftp/detect
|
||||
|
||||
# Scripts that do asset tracking.
|
||||
@load protocols/conn/known-hosts
|
||||
@load protocols/conn/known-services
|
||||
@load protocols/ssl/known-certs
|
||||
|
||||
# This script enables SSL/TLS certificate validation.
|
||||
@load protocols/ssl/validate-certs
|
||||
|
||||
# This script prevents the logging of SSL CA certificates in x509.log
|
||||
@load protocols/ssl/log-hostcerts-only
|
||||
|
||||
# Uncomment the following line to check each SSL certificate hash against the ICSI
|
||||
# certificate notary service; see http://notary.icsi.berkeley.edu .
|
||||
# @load protocols/ssl/notary
|
||||
|
||||
# If you have libGeoIP support built in, do some geographic detections and
|
||||
# logging for SSH traffic.
|
||||
@load protocols/ssh/geo-data
|
||||
# Detect hosts doing SSH bruteforce attacks.
|
||||
@load protocols/ssh/detect-bruteforcing
|
||||
# Detect logins using "interesting" hostnames.
|
||||
@load protocols/ssh/interesting-hostnames
|
||||
|
||||
# Detect SQL injection attacks.
|
||||
@load protocols/http/detect-sqli
|
||||
|
||||
#### Network File Handling ####
|
||||
|
||||
# Enable MD5 and SHA1 hashing for all files.
|
||||
@load frameworks/files/hash-all-files
|
||||
|
||||
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
|
||||
@load frameworks/files/detect-MHR
|
||||
|
||||
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
|
||||
# this might impact performance a bit.
|
||||
# @load policy/protocols/ssl/heartbleed
|
||||
|
||||
# Uncomment the following line to enable logging of connection VLANs. Enabling
|
||||
# this adds two VLAN fields to the conn.log file. This may not work properly
|
||||
# since we use AF_PACKET and it strips VLAN tags.
|
||||
# @load policy/protocols/conn/vlan-logging
|
||||
|
||||
# Uncomment the following line to enable logging of link-layer addresses. Enabling
|
||||
# this adds the link-layer address for each connection endpoint to the conn.log file.
|
||||
# @load policy/protocols/conn/mac-logging
|
||||
|
||||
# Uncomment the following line to enable the SMB analyzer. The analyzer
|
||||
# is currently considered a preview and therefore not loaded by default.
|
||||
# @load policy/protocols/smb
|
||||
|
||||
# Add the interface to the log event
|
||||
#@load securityonion/add-interface-to-logs.bro
|
||||
|
||||
# Add Sensor Name to the conn.log
|
||||
#@load securityonion/conn-add-sensorname.bro
|
||||
|
||||
# File Extraction
|
||||
#@load securityonion/file-extraction
|
||||
|
||||
# Intel from Mandiant APT1 Report
|
||||
#@load securityonion/apt1
|
||||
|
||||
# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
|
||||
#@load securityonion/shellshock
|
||||
|
||||
# JA3 - SSL Detection Goodness
|
||||
@load policy/ja3
|
||||
|
||||
# You can load your own intel into:
|
||||
# /opt/so/saltstack/bro/policy/intel/ on the manager
|
||||
@load intel
|
||||
|
||||
# Load a custom Bro policy
|
||||
# /opt/so/saltstack/bro/policy/custom/ on the manager
|
||||
#@load custom/somebropolicy.bro
|
||||
|
||||
# Use JSON
|
||||
redef LogAscii::use_json = T;
|
||||
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
|
||||
@@ -1,47 +0,0 @@
|
||||
{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
|
||||
|
||||
{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
|
||||
{%- if salt['pillar.get']('sensor:zeek_proxies') %}
|
||||
{%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
|
||||
{%- else %}
|
||||
{%- if salt['pillar.get']('sensor:zeek_pins') %}
|
||||
{%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
|
||||
{%- else %}
|
||||
{%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
|
||||
{%- endif %}
|
||||
{%- endif %}
|
||||
[manager]
|
||||
type=manager
|
||||
host=localhost
|
||||
|
||||
[logger]
|
||||
type=logger
|
||||
host=localhost
|
||||
|
||||
[proxy]
|
||||
type=proxy
|
||||
host=localhost
|
||||
|
||||
[worker-1]
|
||||
type=worker
|
||||
host=localhost
|
||||
interface=af_packet::{{ interface }}
|
||||
lb_method=custom
|
||||
|
||||
{%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
|
||||
lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
|
||||
{%- else %}
|
||||
lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
|
||||
{%- endif %}
|
||||
{%- if salt['pillar.get']('sensor:zeek_pins') %}
|
||||
pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
|
||||
{%- endif %}
|
||||
af_packet_fanout_id=23
|
||||
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
|
||||
af_packet_buffer_size=128*1024*1024
|
||||
{%- else %}
|
||||
[brosa]
|
||||
type=standalone
|
||||
host=localhost
|
||||
interface={{ interface }}
|
||||
{%- endif %}
|
||||
@@ -1,206 +0,0 @@
|
||||
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
|
||||
{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
|
||||
{% set BPF_STATUS = 0 %}
|
||||
|
||||
# Bro Salt State
|
||||
# Add Bro group
|
||||
brogroup:
|
||||
group.present:
|
||||
- name: bro
|
||||
- gid: 937
|
||||
|
||||
# Add Bro User
|
||||
bro:
|
||||
user.present:
|
||||
- uid: 937
|
||||
- gid: 937
|
||||
- home: /home/bro
|
||||
|
||||
# Create some directories
|
||||
bropolicydir:
|
||||
file.directory:
|
||||
- name: /opt/so/conf/bro/policy
|
||||
- user: 937
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
|
||||
# Bro Log Directory
|
||||
brologdir:
|
||||
file.directory:
|
||||
- name: /nsm/bro/logs
|
||||
- user: 937
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
|
||||
# Bro Spool Directory
|
||||
brospooldir:
|
||||
file.directory:
|
||||
- name: /nsm/bro/spool/manager
|
||||
- user: 937
|
||||
- makedirs: true
|
||||
|
||||
# Bro extracted directory
|
||||
broextractdir:
|
||||
file.directory:
|
||||
- name: /nsm/bro/extracted
|
||||
- user: 937
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
|
||||
brosfafincompletedir:
|
||||
file.directory:
|
||||
- name: /nsm/faf/files/incomplete
|
||||
- user: 937
|
||||
- makedirs: true
|
||||
|
||||
brosfafcompletedir:
|
||||
file.directory:
|
||||
- name: /nsm/faf/files/complete
|
||||
- user: 937
|
||||
- makedirs: true
|
||||
|
||||
# Sync the policies
|
||||
bropolicysync:
|
||||
file.recurse:
|
||||
- name: /opt/so/conf/bro/policy
|
||||
- source: salt://bro/policy
|
||||
- user: 937
|
||||
- group: 939
|
||||
- template: jinja
|
||||
|
||||
# Sync node.cfg
|
||||
nodecfgsync:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/bro/node.cfg
|
||||
- source: salt://bro/files/node.cfg
|
||||
- user: 937
|
||||
- group: 939
|
||||
- template: jinja
|
||||
|
||||
plcronscript:
|
||||
file.managed:
|
||||
- name: /usr/local/bin/packetloss.sh
|
||||
- source: salt://bro/cron/packetloss.sh
|
||||
- mode: 755
|
||||
|
||||
zeekcleanscript:
|
||||
file.managed:
|
||||
- name: /usr/local/bin/zeek_clean
|
||||
- source: salt://bro/cron/zeek_clean
|
||||
- mode: 755
|
||||
|
||||
/usr/local/bin/zeek_clean:
|
||||
cron.present:
|
||||
- user: root
|
||||
- minute: '*'
|
||||
- hour: '*'
|
||||
- daymonth: '*'
|
||||
- month: '*'
|
||||
- dayweek: '*'
|
||||
|
||||
/usr/local/bin/packetloss.sh:
|
||||
cron.present:
|
||||
- user: root
|
||||
- minute: '*/10'
|
||||
- hour: '*'
|
||||
- daymonth: '*'
|
||||
- month: '*'
|
||||
- dayweek: '*'
|
||||
|
||||
# BPF compilation and configuration
|
||||
{% if BPF_ZEEK %}
|
||||
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ") ) %}
|
||||
{% if BPF_CALC['stderr'] == "" %}
|
||||
{% set BPF_STATUS = 1 %}
|
||||
{% else %}
|
||||
zeekbpfcompilationfailure:
|
||||
test.configurable_test_state:
|
||||
- changes: False
|
||||
- result: False
|
||||
- comment: "BPF Syntax Error - Discarding Specified BPF"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
zeekbpf:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/bro/bpf
|
||||
- user: 940
|
||||
- group: 940
|
||||
{% if BPF_STATUS %}
|
||||
- contents_pillar: zeek:bpf
|
||||
{% else %}
|
||||
- contents:
|
||||
- "ip or not ip"
|
||||
{% endif %}
|
||||
|
||||
# Sync local.bro
|
||||
{% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %}
|
||||
localbrosync:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/bro/local.bro
|
||||
- source: salt://bro/files/local.bro.community
|
||||
- user: 937
|
||||
- group: 939
|
||||
- template: jinja
|
||||
|
||||
so-communitybroimage:
|
||||
cmd.run:
|
||||
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-communitybro:HH1.0.3
|
||||
|
||||
so-bro:
|
||||
docker_container.running:
|
||||
- require:
|
||||
- so-communitybroimage
|
||||
- image: docker.io/soshybridhunter/so-communitybro:HH1.0.3
|
||||
- privileged: True
|
||||
- binds:
|
||||
- /nsm/bro/logs:/nsm/bro/logs:rw
|
||||
- /nsm/bro/spool:/nsm/bro/spool:rw
|
||||
- /nsm/bro/extracted:/nsm/bro/extracted:rw
|
||||
- /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
|
||||
- /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
|
||||
- /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
|
||||
- /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
|
||||
- /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
|
||||
- network_mode: host
|
||||
- watch:
|
||||
- file: /opt/so/conf/bro/local.bro
|
||||
- file: /opt/so/conf/bro/node.cfg
|
||||
- file: /opt/so/conf/bro/policy
|
||||
|
||||
{% else %}
|
||||
localbrosync:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/bro/local.bro
|
||||
- source: salt://bro/files/local.bro
|
||||
- user: 937
|
||||
- group: 939
|
||||
- template: jinja
|
||||
|
||||
so-broimage:
|
||||
cmd.run:
|
||||
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-bro:HH1.1.1
|
||||
|
||||
so-bro:
|
||||
docker_container.running:
|
||||
- require:
|
||||
- so-broimage
|
||||
- image: docker.io/soshybridhunter/so-bro:HH1.1.1
|
||||
- privileged: True
|
||||
- binds:
|
||||
- /nsm/bro/logs:/nsm/bro/logs:rw
|
||||
- /nsm/bro/spool:/nsm/bro/spool:rw
|
||||
- /nsm/bro/extracted:/nsm/bro/extracted:rw
|
||||
- /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
|
||||
- /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
|
||||
- /opt/so/conf/bro/bpf:/opt/bro/share/bro/site/bpf:ro
|
||||
- /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
|
||||
- /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
|
||||
- /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
|
||||
- network_mode: host
|
||||
- watch:
|
||||
- file: /opt/so/conf/bro/local.bro
|
||||
- file: /opt/so/conf/bro/node.cfg
|
||||
- file: /opt/so/conf/bro/policy
|
||||
- file: /opt/so/conf/bro/bpf
|
||||
{% endif %}
|
||||
@@ -1 +0,0 @@
|
||||
#Intel
|
||||
@@ -1,20 +0,0 @@
|
||||
{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
|
||||
global interface = "{{ interface }}";
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
if ( ! reading_live_traffic() )
|
||||
return;
|
||||
|
||||
Log::remove_default_filter(HTTP::LOG);
|
||||
Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
|
||||
$path_func(id: Log::ID, path: string, rec: HTTP::Info) =
|
||||
{
|
||||
local peer = get_event_peer()$descr;
|
||||
if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
|
||||
return cat("http_", Cluster::nodes[peer]$interface);
|
||||
else
|
||||
return "http";
|
||||
}
|
||||
]);
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
@load frameworks/intel/seen
|
||||
@load frameworks/intel/do_notice
|
||||
@load frameworks/files/hash-all-files
|
||||
|
||||
redef Intel::read_files += {
|
||||
fmt("%s/apt1-fqdn.dat", @DIR),
|
||||
fmt("%s/apt1-md5.dat", @DIR),
|
||||
fmt("%s/apt1-certs.dat", @DIR)
|
||||
};
|
||||
@@ -1,26 +0,0 @@
|
||||
#fields indicator indicator_type meta.source meta.desc meta.do_notice
|
||||
b054e26ef827fbbf5829f84a9bdbb697a5b042fc Intel::CERT_HASH Mandiant APT1 Report ALPHA T
|
||||
7bc0cc2cf7c3a996c32dbe7e938993f7087105b4 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
7855c132af1390413d4e4ff4ead321f8802d8243 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
f3e3c590d7126bd227733e9d8313d2575c421243 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
d4d4e896ce7d73b573f0a0006080a246aec61fe7 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
bcdf4809c1886ac95478bbafde246d0603934298 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
6b4855df8afc8d57a671fe5ed628f6d88852a922 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
d50fdc82c328319ac60f256d3119b8708cd5717b Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
70b48d5177eebe9c762e9a37ecabebfd10e1b7e9 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
3a6a299b764500ce1b6e58a32a257139d61a3543 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
bf4f90e0029b2263af1141963ddf2a0c71a6b5fb Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
b21139583dec0dae344cca530690ec1f344acc79 Intel::CERT_HASH Mandiant APT1 Report AOL T
|
||||
21971ffef58baf6f638df2f7e2cceb4c58b173c8 Intel::CERT_HASH Mandiant APT1 Report EMAIL T
|
||||
04ecff66973c92a1c348666d5a4738557cce0cfc Intel::CERT_HASH Mandiant APT1 Report IBM T
|
||||
f97d1a703aec44d0f53a3a294e33acda43a49de1 Intel::CERT_HASH Mandiant APT1 Report IBM T
|
||||
c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe Intel::CERT_HASH Mandiant APT1 Report IBM T
|
||||
1b27a897cda019da2c3a6dc838761871e8bf5b5d Intel::CERT_HASH Mandiant APT1 Report LAME T
|
||||
d515996e8696612dc78fc6db39006466fc6550df Intel::CERT_HASH Mandiant APT1 Report MOON-NIGHT T
|
||||
8f79315659e59c79f1301ef4aee67b18ae2d9f1c Intel::CERT_HASH Mandiant APT1 Report NONAME T
|
||||
a57a84975e31e376e3512da7b05ad06ef6441f53 Intel::CERT_HASH Mandiant APT1 Report NS T
|
||||
b3db37a0edde97b3c3c15da5f2d81d27af82f583 Intel::CERT_HASH Mandiant APT1 Report SERVER (PEM) T
|
||||
6d8f1454f6392361fb2464b744d4fc09eee5fcfd Intel::CERT_HASH Mandiant APT1 Report SUR T
|
||||
b66e230f404b2cc1c033ccacda5d0a14b74a2752 Intel::CERT_HASH Mandiant APT1 Report VIRTUALLYTHERE T
|
||||
4acbadb86a91834493dde276736cdf8f7ef5d497 Intel::CERT_HASH Mandiant APT1 Report WEBMAIL T
|
||||
86a48093d9b577955c4c9bd19e30536aae5543d4 Intel::CERT_HASH Mandiant APT1 Report YAHOO T
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,106 +0,0 @@
|
||||
##! This script is to support the bpf.conf file like other network monitoring tools use.
|
||||
##! Please don't try to learn from this script right now, there are a large number of
|
||||
##! hacks in it to work around bugs discovered in Bro.
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
module BPFConf;
|
||||
|
||||
export {
|
||||
## The file that is watched on disk for BPF filter changes.
|
||||
## Two templated variables are available; "sensorname" and "interface".
|
||||
## They can be used by surrounding the term by doubled curly braces.
|
||||
const filename = "/opt/bro/share/bro/site/bpf" &redef;
|
||||
|
||||
redef enum Notice::Type += {
|
||||
## Invalid filter notice.
|
||||
InvalidFilter
|
||||
};
|
||||
}
|
||||
|
||||
global filter_parts: vector of string = vector();
|
||||
global current_filter_filename = "";
|
||||
|
||||
type FilterLine: record {
|
||||
s: string;
|
||||
};
|
||||
|
||||
redef enum PcapFilterID += {
|
||||
BPFConfPcapFilter,
|
||||
};
|
||||
|
||||
event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
|
||||
{
|
||||
local part = sub(s, /[[:blank:]]*#.*$/, "");
|
||||
|
||||
# We don't want any blank parts.
|
||||
if ( part != "" )
|
||||
filter_parts[|filter_parts|] = part;
|
||||
}
|
||||
|
||||
event Input::end_of_data(name: string, source:string)
|
||||
{
|
||||
if ( name == "bpfconf" )
|
||||
{
|
||||
local filter = join_string_vec(filter_parts, " ");
|
||||
capture_filters["bpf.conf"] = filter;
|
||||
if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
|
||||
{
|
||||
PacketFilter::install();
|
||||
}
|
||||
else
|
||||
{
|
||||
NOTICE([$note=InvalidFilter,
|
||||
$msg=fmt("Compiling packet filter from %s failed", filename),
|
||||
$sub=filter]);
|
||||
}
|
||||
|
||||
filter_parts=vector();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function add_filter_file()
|
||||
{
|
||||
local real_filter_filename = BPFConf::filename;
|
||||
|
||||
# Support the interface template value.
|
||||
#if ( SecurityOnion::sensorname != "" )
|
||||
# real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
|
||||
|
||||
# Support the interface template value.
|
||||
#if ( SecurityOnion::interface != "" )
|
||||
# real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
|
||||
|
||||
#if ( /\{\{/ in real_filter_filename )
|
||||
# {
|
||||
# return;
|
||||
# }
|
||||
#else
|
||||
# Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
|
||||
|
||||
if ( real_filter_filename != current_filter_filename )
|
||||
{
|
||||
current_filter_filename = real_filter_filename;
|
||||
Input::add_event([$source=real_filter_filename,
|
||||
$name="bpfconf",
|
||||
$reader=Input::READER_RAW,
|
||||
$mode=Input::REREAD,
|
||||
$want_record=F,
|
||||
$fields=FilterLine,
|
||||
$ev=BPFConf::line]);
|
||||
}
|
||||
}
|
||||
|
||||
#event SecurityOnion::found_sensorname(name: string)
|
||||
# {
|
||||
# add_filter_file();
|
||||
# }
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
if ( BPFConf::filename != "" )
|
||||
add_filter_file();
|
||||
}
|
||||
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
global sensorname = "{{ grains.host }}";
|
||||
|
||||
redef record Conn::Info += {
|
||||
sensorname: string &log &optional;
|
||||
};
|
||||
|
||||
event connection_state_remove(c: connection)
|
||||
{
|
||||
c$conn$sensorname = sensorname;
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
@load ./extract
|
||||
@@ -1,21 +0,0 @@
|
||||
global ext_map: table[string] of string = {
|
||||
["application/x-dosexec"] = "exe",
|
||||
["text/plain"] = "txt",
|
||||
["image/jpeg"] = "jpg",
|
||||
["image/png"] = "png",
|
||||
["text/html"] = "html",
|
||||
} &default ="";
|
||||
|
||||
event file_sniff(f: fa_file, meta: fa_metadata)
|
||||
{
|
||||
if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
|
||||
return;
|
||||
|
||||
local ext = "";
|
||||
|
||||
if ( meta?$mime_type )
|
||||
ext = ext_map[meta$mime_type];
|
||||
|
||||
local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
|
||||
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
@load tuning/json-logs
|
||||
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
|
||||
redef LogAscii::use_json = T;
|
||||
@@ -13,6 +13,8 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
# Create the group
|
||||
dstatsgroup:
|
||||
group.present:
|
||||
@@ -37,13 +39,13 @@ dstatslogdir:
|
||||
|
||||
so-domainstatsimage:
|
||||
cmd.run:
|
||||
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
|
||||
- name: docker pull --disable-content-trust=false docker.io/{{ IMAGEREPO }}/so-domainstats:HH1.0.3
|
||||
|
||||
so-domainstats:
|
||||
docker_container.running:
|
||||
- require:
|
||||
- so-domainstatsimage
|
||||
- image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
|
||||
- image: docker.io/{{ IMAGEREPO }}/so-domainstats:HH1.0.3
|
||||
- hostname: domainstats
|
||||
- name: so-domainstats
|
||||
- user: domainstats
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
|
||||
{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
|
||||
@@ -101,7 +102,7 @@ elastaconf:
|
||||
|
||||
so-elastalert:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }}
|
||||
- hostname: elastalert
|
||||
- name: so-elastalert
|
||||
- user: elastalert
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
|
||||
|
||||
@@ -101,7 +102,7 @@ eslogdir:
|
||||
|
||||
so-elasticsearch:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}{{ FEATURES }}
|
||||
- hostname: elasticsearch
|
||||
- name: so-elasticsearch
|
||||
- user: elasticsearch
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
|
||||
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
|
||||
@@ -51,7 +52,7 @@ filebeatconfsync:
|
||||
OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
|
||||
so-filebeat:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}{{ FEATURES }}
|
||||
- hostname: so-filebeat
|
||||
- user: root
|
||||
- extra_hosts: {{ MANAGER }}:{{ MANAGERIP }}
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
{%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%}
|
||||
{%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set FLEETARCH = salt['grains.get']('role') %}
|
||||
|
||||
@@ -105,7 +106,7 @@ fleet_password_none:
|
||||
|
||||
so-fleet:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-fleet:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-fleet:{{ VERSION }}
|
||||
- hostname: so-fleet
|
||||
- port_bindings:
|
||||
- 0.0.0.0:8080:8080
|
||||
|
||||
@@ -13,6 +13,8 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
# Create the user
|
||||
fservergroup:
|
||||
group.present:
|
||||
@@ -37,13 +39,13 @@ freqlogdir:
|
||||
|
||||
so-freqimage:
|
||||
cmd.run:
|
||||
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
|
||||
- name: docker pull --disable-content-trust=false docker.io/{{ IMAGEREPO }}/so-freqserver:HH1.0.3
|
||||
|
||||
so-freq:
|
||||
docker_container.running:
|
||||
- require:
|
||||
- so-freqimage
|
||||
- image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
|
||||
- image: docker.io/{{ IMAGEREPO }}/so-freqserver:HH1.0.3
|
||||
- hostname: freqserver
|
||||
- name: so-freqserver
|
||||
- user: freqserver
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
|
||||
|
||||
@@ -216,7 +217,7 @@ dashboard-{{ SN }}:
|
||||
|
||||
so-grafana:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-grafana:{{ VERSION }}
|
||||
- hostname: grafana
|
||||
- user: socore
|
||||
- binds:
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
# IDSTools Setup
|
||||
idstoolsdir:
|
||||
@@ -60,7 +61,7 @@ synclocalnidsrules:
|
||||
|
||||
so-idstools:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-idstools:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idstools:{{ VERSION }}
|
||||
- hostname: so-idstools
|
||||
- user: socore
|
||||
- binds:
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
|
||||
|
||||
@@ -26,7 +26,7 @@ influxdbconf:
|
||||
|
||||
so-influxdb:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-influxdb:{{ VERSION }}
|
||||
- hostname: influxdb
|
||||
- environment:
|
||||
- INFLUXDB_HTTP_LOG_ENABLED=false
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
|
||||
{% if FEATURES %}
|
||||
@@ -69,7 +70,7 @@ kibanabin:
|
||||
# Start the kibana docker
|
||||
so-kibana:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}{{ FEATURES }}
|
||||
- hostname: kibana
|
||||
- user: kibana
|
||||
- environment:
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
|
||||
|
||||
@@ -159,7 +160,7 @@ lslogdir:
|
||||
|
||||
so-logstash:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}{{ FEATURES }}
|
||||
- hostname: so-logstash
|
||||
- name: so-logstash
|
||||
- user: logstash
|
||||
|
||||
@@ -1,46 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
MANAGER={{ MANAGER }}
|
||||
VERSION="HH1.2.2"
|
||||
TRUSTED_CONTAINERS=( \
|
||||
"so-nginx:$VERSION" \
|
||||
"so-cyberchef:$VERSION" \
|
||||
"so-acng:$VERSION" \
|
||||
"so-soc:$VERSION" \
|
||||
"so-kratos:$VERSION" \
|
||||
"so-fleet:$VERSION" \
|
||||
"so-soctopus:$VERSION" \
|
||||
"so-steno:$VERSION" \
|
||||
"so-playbook:$VERSION" \
|
||||
"so-thehive-cortex:$VERSION" \
|
||||
"so-thehive:$VERSION" \
|
||||
"so-thehive-es:$VERSION" \
|
||||
"so-wazuh:$VERSION" \
|
||||
"so-kibana:$VERSION" \
|
||||
"so-elastalert:$VERSION" \
|
||||
"so-filebeat:$VERSION" \
|
||||
"so-suricata:$VERSION" \
|
||||
"so-logstash:$VERSION" \
|
||||
"so-bro:$VERSION" \
|
||||
"so-idstools:$VERSION" \
|
||||
"so-fleet-launcher:$VERSION" \
|
||||
"so-freqserver:$VERSION" \
|
||||
"so-influxdb:$VERSION" \
|
||||
"so-grafana:$VERSION" \
|
||||
"so-telegraf:$VERSION" \
|
||||
"so-redis:$VERSION" \
|
||||
"so-mysql:$VERSION" \
|
||||
"so-curtor:$VERSION" \
|
||||
"so-elasticsearch:$VERSION" \
|
||||
"so-domainstats:$VERSION" \
|
||||
"so-tcpreplay:$VERSION" \
|
||||
)
|
||||
|
||||
for i in "${TRUSTED_CONTAINERS[@]}"
|
||||
do
|
||||
# Pull down the trusted docker image
|
||||
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
|
||||
# Tag it with the new registry destination
|
||||
docker tag soshybridhunter/$i $MANAGER:5000/soshybridhunter/$i
|
||||
docker push $MANAGER:5000/soshybridhunter/$i
|
||||
done
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set managerproxy = salt['pillar.get']('static:managerupdate', '0') %}
|
||||
|
||||
@@ -59,7 +60,7 @@ acngcopyconf:
|
||||
# Install the apt-cacher-ng container
|
||||
so-aptcacherng:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-acng:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-acng:{{ VERSION }}
|
||||
- hostname: so-acng
|
||||
- restart_policy: always
|
||||
- port_bindings:
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
|
||||
{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %}
|
||||
{% set FLEETARCH = salt['grains.get']('role') %}
|
||||
@@ -71,7 +72,7 @@ mysql_password_none:
|
||||
|
||||
so-mysql:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-mysql:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-mysql:{{ VERSION }}
|
||||
- hostname: so-mysql
|
||||
- user: socore
|
||||
- port_bindings:
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
{% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
# Drop the correct nginx config based on role
|
||||
nginxconfdir:
|
||||
@@ -61,7 +62,7 @@ navigatordefaultlayer:
|
||||
|
||||
so-nginx:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-nginx:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nginx:{{ VERSION }}
|
||||
- hostname: so-nginx
|
||||
- binds:
|
||||
- /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
||||
|
||||
@@ -13,6 +13,8 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
# Create the nodered group
|
||||
noderedgroup:
|
||||
group.present:
|
||||
@@ -61,7 +63,7 @@ noderedlog:
|
||||
|
||||
so-nodered:
|
||||
docker_container.running:
|
||||
- image: soshybridhunter/so-nodered:HH1.2.2
|
||||
- image: {{ IMAGEREPO }}/so-nodered:HH1.2.2
|
||||
- interactive: True
|
||||
- binds:
|
||||
- /opt/so/conf/nodered/:/data:rw
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
|
||||
{% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
|
||||
@@ -129,7 +130,7 @@ sensoronilog:
|
||||
|
||||
so-steno:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }}
|
||||
- network_mode: host
|
||||
- privileged: True
|
||||
- port_bindings:
|
||||
@@ -146,7 +147,7 @@ so-steno:
|
||||
|
||||
so-sensoroni:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
|
||||
- network_mode: host
|
||||
- binds:
|
||||
- /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %}
|
||||
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
|
||||
@@ -73,7 +74,7 @@ playbook_password_none:
|
||||
|
||||
so-playbook:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-playbook:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-playbook:{{ VERSION }}
|
||||
- hostname: playbook
|
||||
- name: so-playbook
|
||||
- environment:
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
#!py
|
||||
|
||||
from time import gmtime, strftime
|
||||
@@ -59,7 +61,7 @@ def run():
|
||||
|
||||
# Run Docker container that will build the packages
|
||||
gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \
|
||||
"--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \
|
||||
"--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{{ IMAGEREPO }}/so-fleet-launcher:{ VERSION }", \
|
||||
f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')
|
||||
|
||||
# Update the 'packages-built' timestamp on the webpage (stored in the static pillar)
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
|
||||
# Redis Setup
|
||||
@@ -47,7 +48,7 @@ redisconfsync:
|
||||
|
||||
so-redis:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
|
||||
- hostname: so-redis
|
||||
- user: socore
|
||||
- port_bindings:
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
|
||||
socdir:
|
||||
@@ -33,7 +34,7 @@ socsync:
|
||||
|
||||
so-soc:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
|
||||
- hostname: soc
|
||||
- name: so-soc
|
||||
- binds:
|
||||
@@ -84,7 +85,7 @@ kratossync:
|
||||
|
||||
so-kratos:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-kratos:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kratos:{{ VERSION }}
|
||||
- hostname: kratos
|
||||
- name: so-kratos
|
||||
- binds:
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{%- set MANAGER_URL = salt['pillar.get']('manager:url_base', '') %}
|
||||
{%- set MANAGER_IP = salt['pillar.get']('static:managerip', '') %}
|
||||
@@ -50,7 +51,7 @@ playbookrulessync:
|
||||
|
||||
so-soctopus:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soctopus:{{ VERSION }}
|
||||
- hostname: soctopus
|
||||
- name: so-soctopus
|
||||
- binds:
|
||||
|
||||
@@ -15,6 +15,7 @@
|
||||
{%- set MANAGER = salt['grains.get']('master') %}
|
||||
{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%}
|
||||
|
||||
# Strelka config
|
||||
@@ -79,7 +80,7 @@ strelkastagedir:
|
||||
|
||||
strelka_coordinator:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
|
||||
- name: so-strelka-coordinator
|
||||
- entrypoint: redis-server --save "" --appendonly no
|
||||
- port_bindings:
|
||||
@@ -87,7 +88,7 @@ strelka_coordinator:
|
||||
|
||||
strelka_gatekeeper:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
|
||||
- name: so-strelka-gatekeeper
|
||||
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
|
||||
- port_bindings:
|
||||
@@ -95,7 +96,7 @@ strelka_gatekeeper:
|
||||
|
||||
strelka_frontend:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-frontend:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }}
|
||||
- binds:
|
||||
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
|
||||
- /nsm/strelka/log/:/var/log/strelka/:rw
|
||||
@@ -107,7 +108,7 @@ strelka_frontend:
|
||||
|
||||
strelka_backend:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }}
|
||||
- binds:
|
||||
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
|
||||
- /opt/so/conf/strelka/rules/:/etc/yara/:ro
|
||||
@@ -117,7 +118,7 @@ strelka_backend:
|
||||
|
||||
strelka_manager:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-manager:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }}
|
||||
- binds:
|
||||
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
|
||||
- name: so-strelka-manager
|
||||
@@ -125,7 +126,7 @@ strelka_manager:
|
||||
|
||||
strelka_filestream:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-filestream:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }}
|
||||
- binds:
|
||||
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
|
||||
- /nsm/strelka:/nsm/strelka
|
||||
|
||||
@@ -16,6 +16,7 @@
|
||||
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
|
||||
{% set BROVER = salt['pillar.get']('static:broversion', '') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
|
||||
{% set BPF_STATUS = 0 %}
|
||||
@@ -132,7 +133,7 @@ suribpf:
|
||||
|
||||
so-suricata:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-suricata:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }}
|
||||
- privileged: True
|
||||
- environment:
|
||||
- INTERFACE={{ interface }}
|
||||
|
||||
@@ -1,11 +1,12 @@
|
||||
{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
|
||||
so-tcpreplay:
|
||||
docker_container.running:
|
||||
- network_mode: "host"
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }}
|
||||
- name: so-tcpreplay
|
||||
- user: root
|
||||
- interactive: True
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
|
||||
# Add Telegraf to monitor all the things.
|
||||
tgraflogdir:
|
||||
@@ -36,7 +37,7 @@ tgrafconf:
|
||||
|
||||
so-telegraf:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-telegraf:{{ VERSION }}
|
||||
- environment:
|
||||
- HOST_PROC=/host/proc
|
||||
- HOST_ETC=/host/etc
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
thehiveconfdir:
|
||||
file.directory:
|
||||
@@ -71,7 +72,7 @@ thehiveesdata:
|
||||
|
||||
so-thehive-es:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-es:{{ VERSION }}
|
||||
- hostname: so-thehive-es
|
||||
- name: so-thehive-es
|
||||
- user: 939
|
||||
@@ -99,7 +100,7 @@ so-thehive-es:
|
||||
# Install Cortex
|
||||
so-cortex:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-cortex:{{ VERSION }}
|
||||
- hostname: so-cortex
|
||||
- name: so-cortex
|
||||
- user: 939
|
||||
@@ -118,7 +119,7 @@ cortexscript:
|
||||
|
||||
so-thehive:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-thehive:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive:{{ VERSION }}
|
||||
- environment:
|
||||
- ELASTICSEARCH_HOST={{ MANAGERIP }}
|
||||
- hostname: so-thehive
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
{%- set HOSTNAME = salt['grains.get']('host', '') %}
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
# Add ossec group
|
||||
ossecgroup:
|
||||
@@ -83,7 +84,7 @@ wazuhmgrwhitelist:
|
||||
|
||||
so-wazuh:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}
|
||||
- hostname: {{HOSTNAME}}-wazuh-manager
|
||||
- name: so-wazuh
|
||||
- detach: True
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
|
||||
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
|
||||
{% set MANAGER = salt['grains.get']('master') %}
|
||||
{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
|
||||
{% set BPF_STATUS = 0 %}
|
||||
@@ -156,7 +157,7 @@ localzeeksync:
|
||||
|
||||
so-zeek:
|
||||
docker_container.running:
|
||||
- image: {{ MANAGER }}:5000/soshybridhunter/so-zeek:{{ VERSION }}
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
|
||||
- privileged: True
|
||||
- binds:
|
||||
- /nsm/zeek/logs:/nsm/zeek/logs:rw
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
source ./so-variables
|
||||
source ../salt/common/tools/sbin/so-common
|
||||
|
||||
# Helper functions
|
||||
|
||||
|
||||
@@ -797,14 +797,14 @@ docker_seed_registry() {
|
||||
set_progress_str "$percent" "Downloading $i"
|
||||
{
|
||||
|
||||
if ! docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i"; then
|
||||
if ! docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i"; then
|
||||
sleep 5
|
||||
docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i"
|
||||
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i"
|
||||
fi
|
||||
# Tag it with the new registry destination
|
||||
docker tag soshybridhunter/"$i" "$HOSTNAME":5000/soshybridhunter/"$i"
|
||||
docker push "$HOSTNAME":5000/soshybridhunter/"$i"
|
||||
#docker rmi soshybridhunter/"$i"
|
||||
docker tag $IMAGEREPO/"$i" "$HOSTNAME":5000/$IMAGEREPO/"$i"
|
||||
docker push "$HOSTNAME":5000/$IMAGEREPO/"$i"
|
||||
#docker rmi $IMAGEREPO/"$i"
|
||||
} >> "$setup_log" 2>&1
|
||||
done
|
||||
else
|
||||
@@ -1023,6 +1023,7 @@ manager_static() {
|
||||
" sensoronikey: $SENSORONIKEY"\
|
||||
" wazuh: $WAZUH"\
|
||||
" managerupdate: $MANAGERUPDATES"\
|
||||
" imagerepo: $IMAGEREPO"\
|
||||
"strelka:"\
|
||||
" enabled: $STRELKA"\
|
||||
" rules: $STRELKARULES"\
|
||||
|
||||
@@ -15,8 +15,9 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# Set the new SO Version
|
||||
. /usr/sbin/so-common
|
||||
|
||||
# Set the new SO Version
|
||||
UPDATEVERSION=1.2.2
|
||||
BUILD=HH
|
||||
|
||||
@@ -184,16 +185,16 @@ update_docker_containers() {
|
||||
do
|
||||
# Pull down the trusted docker image
|
||||
echo "Downloading $i"
|
||||
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
|
||||
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
|
||||
# Tag it with the new registry destination
|
||||
docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
|
||||
docker push $HOSTNAME:5000/soshybridhunter/$i
|
||||
docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
|
||||
docker push $HOSTNAME:5000/$IMAGEREPO/$i
|
||||
done
|
||||
|
||||
for i in "${TRUSTED_CONTAINERS[@]}"
|
||||
do
|
||||
echo "Removing $i locally"
|
||||
docker rmi soshybridhunter/$i
|
||||
docker rmi $IMAGEREPO/$i
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user