Merge pull request #1 from Security-Onion-Solutions/dev

Update Dev

salt/common/tools/sbin/so-test

@@ -15,4 +15,4 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-so-tcpreplay /opt/samples/*
+so-tcpreplay /opt/samples/* 2> /dev/null

salt/common/tools/sbin/soup

@@ -103,7 +103,7 @@ update_registry() {
 
 check_airgap() {
   # See if this is an airgap install
-  AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap | awk '{print $2}')
+  AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}')
   if [[ "$AIRGAP" == "True" ]]; then
       is_airgap=0
       UPDATE_DIR=/tmp/soagupdate/SecurityOnion

salt/soc/files/soc/alerts.actions.json

@@ -5,10 +5,10 @@
             ]},
   { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
             "links": [
-              "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", 
-              "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", 
-              "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", 
-              "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", 
               "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
               "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", 
               "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"

salt/soc/files/soc/hunt.actions.json

@@ -5,10 +5,10 @@
             ]},
   { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
             "links": [
-              "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", 
-              "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", 
-              "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", 
-              "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", 
+              "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", 
               "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
               "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", 
               "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"

setup/automation/distributed-airgap-search

@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=

setup/automation/distributed-airgap-sensor

@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=

setup/so-functions

@@ -828,8 +828,7 @@ check_requirements() {
 compare_versions() {
 	manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion)
 
-	if [[ $manager_ver == "" ]]; then
+	if [[ $manager_ver == '' ]]; then
-		rm /root/install_opt
 		echo "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." | tee -a "$setup_log"
 		kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 	fi
@@ -1203,20 +1202,11 @@ download_repo_tarball() {
 
 	local manager_ver
 	manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) >> "$setup_log" 2>&1
-
-	# Fail if we can't determine the version
-	if [[ $manager_ver == '' ]]; then
-		rm /root/install_opt
-		local message="Could not determine the version of Security Onion running on the manager, please check your network settings."
-		echo "$message" | tee -a "$setup_log"
-		kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 
-	fi
-
 	$scpcmd -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup >> "$setup_log" 2>&1
 	
 	# Fail if the file doesn't download
 	if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then
-		rm /root/install_opt
+		rm -rf $install_opt_file
 		local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager." 
 		echo "$message" | tee -a "$setup_log"
 		kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1

setup/so-setup

@@ -318,7 +318,7 @@ if ! [[ -f $install_opt_file ]]; then
 	fi
 
 else
-	rm -rf /root/install_opt >> "$setup_log" 2>&1
+	rm -rf $install_opt_file >> "$setup_log" 2>&1
 fi
 
 short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}')
@@ -863,8 +863,6 @@ if [[ -n $SO_ERROR ]]; then
 else 
 	echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1
 	{
-		[[ -n "$TESTING" ]] && logCmd so-test
-
 		export percentage=95 # set to last percentage used in previous subshell
 		if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then 
 			set_progress_str 96 "Stopping SOC prior to adjusting firewall rules"