From a795f0a4877f0704069f5a28a34b6c00bed889e0 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Sat, 16 Jan 2021 12:01:49 -0500
Subject: [PATCH 1/6] Correct airgap IPs; Remove auto tcpreplay during post-setup phase

---
 setup/automation/distributed-airgap-search | 2 +-
 setup/automation/distributed-airgap-sensor | 2 +-
 setup/so-setup | 2 --
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search
index aec7afd31..1c0ff1254 100644
--- a/setup/automation/distributed-airgap-search
+++ b/setup/automation/distributed-airgap-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor
index 4cc3f6a75..1afbafbf9 100644
--- a/setup/automation/distributed-airgap-sensor
+++ b/setup/automation/distributed-airgap-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
diff --git a/setup/so-setup b/setup/so-setup
index 56d574b15..021fd72ff 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -863,8 +863,6 @@ if [[ -n $SO_ERROR ]]; then
 else
 echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1
 {
- [[ -n "$TESTING" ]] && logCmd so-test
-
 export percentage=95 # set to last percentage used in previous subshell
 if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
 set_progress_str 96 "Stopping SOC prior to adjusting firewall rules"

From 12aa4033b6da696dfd172696098f9e4008e3f6bb Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 18 Jan 2021 18:08:34 -0500
Subject: [PATCH 2/6] Fix soup in case airgap is in the hostname

---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 5ee403418..811f161e9 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -103,7 +103,7 @@ update_registry() {
 
 check_airgap() {
 # See if this is an airgap install
- AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap | awk '{print $2}')
+ AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}')
 if [[ "$AIRGAP" == "True" ]]; then
 is_airgap=0
 UPDATE_DIR=/tmp/soagupdate/SecurityOnion

From d91913e58e3c739a6c86c8c7ea42a5488b68a781 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 18 Jan 2021 21:42:46 -0500
Subject: [PATCH 3/6] Redirect tcpreplay warnings to dev null when running so-test

---
 salt/common/tools/sbin/so-test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-test b/salt/common/tools/sbin/so-test
index 8e981aecf..b52fa02ac 100755
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -15,4 +15,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 
-so-tcpreplay /opt/samples/*
+so-tcpreplay /opt/samples/* 2> /dev/null

From 650008e1e6500c949e1fc8ea9428d5a0b06837e4 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Tue, 19 Jan 2021 11:20:48 -0500
Subject: [PATCH 4/6] [fix] Replace leftover /root/install_opt strings with variable

---
 setup/so-functions | 15 +++------------
 setup/so-setup | 2 +-
 2 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index c462280ab..1fe45445d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
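Review bot: `grep airgap:` on the new line still matches the token anywhere on a line, so a commented-out `# airgap: True`, a same-named key nested under another section, or any other line containing `airgap:` would leave a second word in `AIRGAP`, and the `== "True"` test two lines below would then quietly fall through to the non-airgap branch. Matching on the first field selects the key rather than a substring and also drops the `cat`: `AIRGAP=$(awk '$1 == "airgap:" { print $2; exit }' /opt/so/saltstack/local/pillar/global.sls)`. The same silent fall-through happens when the pillar file is unreadable, since the pipeline then yields an empty string; testing for the file first, or treating an empty result as an error, would surface that. check_airgap continues past the end of the hunk.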
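Review bot: `2> /dev/null` on the new so-test line discards everything so-tcpreplay writes to stderr, not only the tcpreplay warnings the commit title names, so a replay failure or an empty /opt/samples (the unexpanded glob is then passed as a literal path) leaves no trace, and the exit status is not checked either unless one of the header lines outside the hunk enables errexit. Appending stderr to a log keeps the terminal quiet while preserving the evidence, e.g. `so-tcpreplay /opt/samples/* 2>> "$log_file"` with `log_file` (placeholder) pointing at the project's test log.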
@@ -828,8 +828,8 @@ check_requirements() {
 compare_versions() {
 
 manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion)
- if [[ $manager_ver == "" ]]; then
- rm /root/install_opt
+ if [[ $manager_ver == '' ]]; then
+ rm -rf $install_opt_file
 echo "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." | tee -a "$setup_log"
 kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 fi
@@ -1203,20 +1203,11 @@ download_repo_tarball() {
 
 local manager_ver
 manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) >> "$setup_log" 2>&1
-
- # Fail if we can't determine the version
- if [[ $manager_ver == '' ]]; then
- rm /root/install_opt
- local message="Could not determine the version of Security Onion running on the manager, please check your network settings."
- echo "$message" | tee -a "$setup_log"
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit
- fi
-
 $scpcmd -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup >> "$setup_log" 2>&1
 
 # Fail if the file doesn't download
 if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then
- rm /root/install_opt
+ rm -rf $install_opt_file
 local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager."
 echo "$message" | tee -a "$setup_log"
 kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
diff --git a/setup/so-setup b/setup/so-setup
index 021fd72ff..0da0b9f8d 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -318,7 +318,7 @@ if ! [[ -f $install_opt_file ]]; then
 
 fi
 else
- rm -rf /root/install_opt >> "$setup_log" 2>&1
+ rm -rf $install_opt_file >> "$setup_log" 2>&1
 fi
 
 short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}')

From 8023e79020232f8b9d0146c81e460469177e7814 Mon Sep 17 00:00:00 2001
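Review bot: `rm -rf $install_opt_file` on the added lines in compare_versions, download_repo_tarball and the so-setup hunk expands the variable unquoted, so a value containing whitespace or glob characters is split before rm sees it, and an unset or empty value makes the command a silent no-op with GNU rm, leaving the answer file in place. The lines being replaced removed a single regular file, so the recursive flag is wider than the intent; `rm -f "$install_opt_file"` keeps the old behaviour while using the variable. The variable's definition is outside these hunks, so whether it can be empty at these points cannot be confirmed from here. Dropping the empty-version check in download_repo_tarball also means an empty `manager_ver` now reaches the scp line as `/opt/so/repo/.tar.gz` and the user is shown "Could not download .tar.gz" instead of the network hint, which is only acceptable if compare_versions is guaranteed to run first. compare_versions' closing brace and the start of download_repo_tarball lie outside the hunks.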
From: William Wernert
Date: Tue, 19 Jan 2021 11:28:33 -0500
Subject: [PATCH 5/6] [fix] Don't remove answer file when checking version on manager, file does not yet exist

---
 setup/so-functions | 1 -
 1 file changed, 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index 1fe45445d..7fba83ea5 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -829,7 +829,6 @@ compare_versions() {
 
 manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion)
 if [[ $manager_ver == '' ]]; then
- rm -rf $install_opt_file
 echo "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." | tee -a "$setup_log"
 kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 fi

From 71e001411519ce233401129205094cb84c172073 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 19 Jan 2021 17:51:23 -0500
Subject: [PATCH 6/6] Wrap parenthesis around correlation filter to allow additional filtering

---
 salt/soc/files/soc/alerts.actions.json | 8 ++++----
 salt/soc/files/soc/hunt.actions.json | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json
index 46c4ea68d..364c59d27 100644
--- a/salt/soc/files/soc/alerts.actions.json
+++ b/salt/soc/files/soc/alerts.actions.json
@@ -5,10 +5,10 @@ ]}, { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", "links": [ - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset" diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json index 46c4ea68d..364c59d27 100644 --- a/salt/soc/files/soc/hunt.actions.json +++ b/salt/soc/files/soc/hunt.actions.json 
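Review bot: The four rewritten links in this hunk are repeated verbatim in the hunt.actions.json hunk that follows, and the matching `index 46c4ea68d..364c59d27` on both file headers shows the two files are byte-for-byte copies before and after the change, so every query tweak has to be made twice and nothing catches the day one copy is edited alone. Rendering both paths from a single source in the salt state that ships them, or a test asserting the two files are equal, would remove that drift risk. Leaving the three single-term links unparenthesised is consistent with the change, since grouping only matters when a trailing filter is appended to an OR list.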
@@ -5,10 +5,10 @@ ]}, { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", "links": [ - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", + "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"