diff --git a/files/analyst/README b/files/analyst/README index bb3f265ec..99c444ea8 100644 --- a/files/analyst/README +++ b/files/analyst/README 
@@ -1,81 +1,79 @@ -The following tools are available on the analyst workstation. +The following GUI tools are available on the analyst workstation: + +chromium + url: https://www.chromium.org/Home + To run chromium, click Applications > Internet > Chromium Web Browser + +Wireshark + url: https://www.wireshark.org/ + To run Wireshark, click Applications > Internet > Wireshark Network Analyzer NetworkMiner url: https://www.netresec.com - Running NetworkMiner: Open terminal and run: mono /opt/NetworkMiner_2-5/NetworkMiner.exe --noupdatecheck + To run NetworkMiner, click Applications > Internet > NetworkMiner -Wireshark - url: https://www.wireshark.org/ - Running Wireshark: Applications > Internet > Wireshark Network Analyzer - -dnsiff - url: https://www.monkey.org/~dugsong/dsniff/ - Running dsniff: Open terminal and run: dsniff -h - -hping3 - url: http://www.hping.org/hping3.html - Running hping3: Open terminal and run: hping3 -h - -netsed - url: http://silicone.homelinux.org/projects/netsed/ - Running netsed: Open terminal and run: netsed -h - -ngrep - url: https://github.com/jpr5/ngrep - Running ngrep: Open terminal and run: ngrep -h - -scapy - url: http://www.secdev.org/projects/scapy/ - Running scapy: Open terminal and run: scapy - -ssldump - url: http://www.rtfm.com/ssldump/ - Running ssldump: Open terminal and run: ssldump -h - -tcpdump - url: http://www.tcpdump.org - Running tcpdump: Open terminal and run: tcpdump -h - -tcpflow - url: https://github.com/simsong/tcpflow - Running tcpflow: Open terminal and run: tcpflow -h - -tcpxtract - url: http://tcpxtract.sourceforge.net/ - Running tcpxtract: Open terminal and run: tcpxtract -h - -whois - url: http://www.linux.it/~md/software/ - Running whois: Open terminal and run: whois -h - -foremost - url: http://foremost.sourceforge.net - Running foremost: Open terminal and run: foremost -h - -tcpstat - url: https://frenchfries.net/paul/tcpstat/ - Running tcpstat: Open terminal and run: tcpstat -h - -tcptrace - url: 
http://www.tcptrace.org - Running tcptract: Open terminal and run: tcptrace -h - -sslsplit - url: https://github.com/droe/sslsplit - Running sslsplit: Open terminal and run: sslsplit -h +The following CLI tools are available on the analyst workstation: bit-twist url: http://bittwist.sourceforge.net - Running bit-twist: Open terminal and run: bittwist -h + To run bit-twist, open a terminal and type: bittwist -h chaosreader url: http://chaosreader.sourceforge.net - Running chaosreader: Open terminal and run: perl /usr/bin/chaosreader -h + To run chaosreader, open a terminal and type: chaosreader -h -Google Chrome - url: https://www.google.com/chrome/ - Running Google Chrome: Applications > Internet > Google Chrome +dnsiff + url: https://www.monkey.org/~dugsong/dsniff/ + To run dsniff, open a terminal and type: dsniff -h +foremost + url: http://foremost.sourceforge.net + To run foremost, open a terminal and type: foremost -h + +hping3 + url: http://www.hping.org/hping3.html + To run hping3, open a terminal and type: hping3 -h +netsed + url: http://silicone.homelinux.org/projects/netsed/ + To run netsed, open a terminal and type: netsed -h +ngrep + url: https://github.com/jpr5/ngrep + To run ngrep, open a terminal and type: ngrep -h +scapy + url: http://www.secdev.org/projects/scapy/ + To run scapy, open a terminal and type: scapy + +ssldump + url: http://www.rtfm.com/ssldump/ + To run ssldump, open a terminal and type: ssldump -h + +sslsplit + url: https://github.com/droe/sslsplit + To run sslsplit, open a terminal and type: sslsplit -h + +tcpdump + url: http://www.tcpdump.org + To run tcpdump, open a terminal and type: tcpdump -h + +tcpflow + url: https://github.com/simsong/tcpflow + To run tcpflow, open a terminal and type: tcpflow -h + +tcpstat + url: https://frenchfries.net/paul/tcpstat/ + To run tcpstat, open a terminal and type: tcpstat -h + +tcptrace + url: http://www.tcptrace.org + To run tcptrace, open a terminal and type: tcptrace -h + +tcpxtract + url: 
http://tcpxtract.sourceforge.net/
+ To run tcpxtract, open a terminal and type: tcpxtract -h
+
+whois
+ url: http://www.linux.it/~md/software/
+ To run whois, open a terminal and type: whois -h
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 635910638..7f436a85d 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -19,24 +19,29 @@ IMAGEREPO=securityonion
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
- echo "This script must be run using sudo!"
- exit 1
+ echo "This script must be run using sudo!"
+ exit 1
 fi
 # Define a banner to separate sections
 banner="========================================================================="
 header() {
- echo
- printf '%s\n' "$banner" "$*" "$banner"
+ echo
+ printf '%s\n' "$banner" "$*" "$banner"
 }
 lookup_pillar() {
- key=$1
- cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}'
+ key=$1
+ cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}'
 }
 lookup_pillar_secret() {
- key=$1
- cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}'
+ key=$1
+ cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}'
+}
+
+check_container() {
+ docker ps | grep "$1:" > /dev/null 2>&1
+ return $?
 }
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add
old mode 100644
new mode 100755
index 6d6b0d582..531872d80
--- a/salt/common/tools/sbin/so-cortex-user-add
+++ b/salt/common/tools/sbin/so-cortex-user-add
@@ -47,7 +47,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type:
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
 echo "Successfully added user to Cortex."
 else
- echo "Failed to add user to Cortex. See API response below."
+ echo "Failed to add user to Cortex."
 exit 2
 fi
\ No newline at end of file
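Review bot: `check_container` decides that a service is up by grepping the whole `docker ps` table for the unanchored pattern `"$1:"`, so any column that happens to contain that substring (another container's image tag, a port mapping, a longer name that embeds `$1`) reports the container as running, and a failing `docker ps` is indistinguishable from "not running". If the containers follow the `so-<service>` naming used elsewhere in this diff (so-elastalert, so-wazuh), an exact match on the name column is both stricter and cheaper: `docker ps --format '{{.Names}}' | grep -qx -- "so-$1"`. The trailing `return $?` is redundant, since a function already returns the status of its last pipeline. A one-line comment stating the contract, `# check_container NAME: succeeds only if a container for so-NAME is running`, would help the callers in so-user that now gate on it.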
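Review bot: After this change the failure branch of so-cortex-user-add prints only the one-line message and exits; unlike the parallel branch in so-thehive-user-add, which still echoes `$resp`, the API response that would explain the failure is discarded here. Suggest `printf '%s\n' "$resp" >&2` before `exit 2`, quoted so the JSON is not word-split and on stderr so it does not mix with the success-path output. The `curl -sk` on the hunk's context line disables TLS verification for a request that carries the bearer key; if that is deliberate for a self-signed local certificate, a comment saying so would stop it being "fixed" later.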
diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add
old mode 100644
new mode 100755
index 61c655c61..0867ad766
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
@@ -46,7 +46,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type:
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
 echo "Successfully added user to TheHive."
 else
- echo "Failed to add user to TheHive. See API response below."
+ echo "Failed to add user to TheHive."
 echo $resp
 exit 2
 fi
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 7ec71c9f5..f4a53efa7 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -8,18 +8,7 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-got_root() {
-
- # Make sure you are root
- if [ "$(id -u)" -ne 0 ]; then
- echo "This script must be run using sudo!"
- exit 1
- fi
-
-}
-
-# Make sure the user is root
-got_root
+. /usr/sbin/so-common
 if [[ $# < 1 || $# > 2 ]]; then
 echo "Usage: $0 [email]"
@@ -190,9 +179,9 @@ case "${operation}" in
 validateEmail "$email"
 createUser "$email"
 echo "Successfully added new user to SOC"
- echo $password | so-thehive-user-add "$email"
- echo $password | so-cortex-user-add "$email"
- echo $password | so-fleet-user-add "$email"
+ check_container thehive && echo $password | so-thehive-user-add "$email"
+ check_container cortex && echo $password | so-cortex-user-add "$email"
+ check_container fleet && echo $password | so-fleet-user-add "$email"
 ;;
 "list")
diff --git a/salt/common/tools/sbin/so-wazuh-agent-manage b/salt/common/tools/sbin/so-wazuh-agent-manage
new file mode 100755
index 000000000..14cb70f2f
--- /dev/null
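Review bot: The shortened message is now followed by the unquoted `echo $resp` on the next context line, which word-splits and glob-expands the JSON and prints it to stdout alongside the success-path output. Prefer `printf '%s\n' "$resp" >&2` so the diagnostic keeps its shape and lands on stderr; that also makes the failure branch consistent with so-cortex-user-add in this same commit, which prints the message alone.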
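Review bot: In the three new `check_container … && echo $password | …` lines a missing container, or a `docker ps` that fails for any reason, silently skips the TheHive, Cortex or Fleet account right after "Successfully added new user to SOC" was printed, so the operator gets no sign that the analyst's accounts are now out of sync. Each line also still pipes the password through an unquoted `echo $password`, which word-splits and glob-expands it before it reaches the helper. A loop with an explicit else branch fixes both and keeps the three services in one place; the case arm this sits in begins before the hunk. The first hunk's `. /usr/sbin/so-common` is unguarded, so if that file is absent bash prints an error and carries on with no root check where got_root used to run; `. /usr/sbin/so-common || exit 1` closes that.
```shell
      echo "Successfully added new user to SOC"
      for svc in thehive cortex fleet; do
        if check_container "$svc"; then
          printf '%s\n' "$password" | "so-${svc}-user-add" "$email"
        else
          echo "Container for ${svc} is not running; skipping ${svc} account for ${email}" >&2
        fi
      done
      ;;
```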
+++ b/salt/common/tools/sbin/so-wazuh-agent-manage
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+ docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@"
+else
+ echo "Wazuh manager is not running. Please start it with so-wazuh-start."
+fi
diff --git a/salt/common/tools/sbin/so-wazuh-agent-upggrade b/salt/common/tools/sbin/so-wazuh-agent-upggrade
new file mode 100755
index 000000000..7459b0761
--- /dev/null
+++ b/salt/common/tools/sbin/so-wazuh-agent-upggrade
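Review bot: The else branch of the new so-wazuh-agent-manage tells the user the manager is not running but then exits 0, so anything scripting around it (or an operator checking `$?`) sees success even though manage_agents never ran; add `exit 1` after the echo and send the message to stderr. `docker ps |grep so-wazuh` is an unanchored substring match over the whole table, so any container, image or port line containing that text counts; `docker ps --format '{{.Names}}' | grep -qx so-wazuh` matches the name exactly. `docker exec -it` also demands a terminal, so the wrapper will refuse to run from cron or a non-tty ssh session; if interactive use is the only intended one, a comment saying so is worth adding.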
@@ -0,0 +1,22 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +if docker ps |grep so-wazuh >/dev/null 2>&1; then + docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@" +else + echo "Wazuh manager is not running. Please start it with so-wazuh-start." +fi diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index c6c3afb2f..e878ae87d 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -100,6 +100,12 @@ elastaconf: - group: 933 - template: jinja +wait_for_elasticsearch: + module.run: + - http.wait_for_successful_query: + - url: 'http://{{MANAGER}}:9200/_cat/indices/.kibana*' + - wait_for: 180 + so-elastalert: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} @@ -112,5 +118,6 @@ so-elastalert: - /opt/so/log/elastalert:/var/log/elastalert:rw - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro - + - require: + - module: wait_for_elasticsearch {% endif %} diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index b44733cb1..f4a817ff3 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
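Review bot: The new file is named so-wazuh-agent-upggrade (double g), and since the file name is the command an operator types, the typo is what gets installed into the sbin path; rename it to so-wazuh-agent-upgrade before it is documented anywhere. The body shares the two issues of so-wazuh-agent-manage: the else branch exits 0 after reporting the manager is down, so `exit 1` belongs after the echo, and `docker ps |grep so-wazuh` is a substring match where `docker ps --format '{{.Names}}' | grep -qx so-wazuh` would be exact.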
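Review bot: The new wait_for_elasticsearch guard only proves that something on {{MANAGER}}:9200 answers an HTTP GET; as far as I recall, `_cat/indices` with a wildcard pattern returns 200 with an empty body when nothing matches, so a Kibana index that does not exist yet does not hold the container back. I also believe `http.wait_for_successful_query` returns the last failed result rather than raising once `wait_for` expires, in which case `module.run` reports success and so-elastalert starts anyway after 180 s; worth confirming against the Salt version in use. Either way a comment on the state saying which condition it is really waiting for, e.g. `# wait until Elasticsearch answers on 9200 before starting elastalert`, would make the intent checkable. The `{% endif %}` closing this block is inside the hunk but its matching `{% if %}` is not.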
@@ -63,7 +63,7 @@ "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ], "::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ], "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ], - "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.cipher", "ssl.curve", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ], + "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ], "::syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ], "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ], "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ], diff --git a/salt/top.sls b/salt/top.sls index e091444f2..200cbe42f 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -149,7 +149,6 @@ base: - wazuh {%- endif %} - logstash - - minio - redis - kibana - elastalert @@ -198,7 +197,6 @@ base: - wazuh {%- endif %} - logstash - - minio - redis - kibana - pcap @@ -314,7 +312,6 @@ base: - manager - idstools - suricata.manager - - minio {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} @@ -355,7 +352,6 @@ base: - nginx - telegraf - firewall - - minio {%- if WAZUH != 0 %} - wazuh {%- endif %} diff --git a/setup/so-analyst b/setup/so-analyst index 6311f0d23..9f0943523 100644 --- a/setup/so-analyst +++ b/setup/so-analyst 
@@ -15,6 +15,11 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 +fi + # Install misc utils yum -y install wget curl unzip epel-release; 
@@ -26,18 +31,55 @@ ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target; # Install Mono - prereq for NetworkMiner rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef"; -su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo'; +curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo; yum -y install mono-devel; # Install NetworkMiner yum -y install libcanberra-gtk2; wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; -unzip /tmp/nm.zip -d /opt/; -cd /opt/NetworkMiner*; -sudo chmod +x NetworkMiner.exe; -sudo chmod -R go+w AssembledFiles/; -sudo chmod -R go+w Captures/; +mkdir -p /opt/networkminer/ +unzip /tmp/nm.zip -d /opt/networkminer/; rm /tmp/nm.zip; +mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/ +chmod +x /opt/networkminer/NetworkMiner.exe; +chmod -R go+w /opt/networkminer/AssembledFiles/; +chmod -R go+w /opt/networkminer/Captures/; +# Create networkminer shim +cat << EOF >> /bin/networkminer +#!/bin/bash +/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@" +EOF +chmod +x /bin/networkminer +# Convert networkminer ico file to png format +yum -y install ImageMagick +convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png +# Create menu entry +cat << EOF >> /usr/share/applications/networkminer.desktop +[Desktop Entry] +Name=NetworkMiner +Comment=NetworkMiner +Encoding=UTF-8 +Exec=/bin/networkminer %f +Icon=/opt/networkminer/networkminericon-4.png +StartupNotify=true +Terminal=false +X-MultipleArgs=false +Type=Application +MimeType=application/x-pcap; +Categories=Network; +EOF + +# Set default monospace font to Liberation +cat << EOF >> /etc/fonts/local.conf + + + monospace + + + Liberation Mono + + +EOF # Install Wireshark for Gnome yum -y install wireshark-gnome; 
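Review bot: The two new here-docs write the networkminer shim and the .desktop entry with `>>`, so a second run of so-analyst appends another shebang and body to /bin/networkminer and a second [Desktop Entry] block to the menu file; use `>` for both (`cat << EOF > /bin/networkminer` and `cat << EOF > /usr/share/applications/networkminer.desktop`). The rewritten mono line still pipes `curl` without `-f` into `tee`, so an HTTP error page becomes the contents of the yum repo file; `curl -fsSL https://download.mono-project.com/repo/centos7-stable.repo -o /etc/yum.repos.d/mono-centos7-stable.repo` fails loudly instead. The `chmod -R go+w` on AssembledFiles and Captures, which the commit keeps, leaves the tool's output directories world-writable; a `# NOTE: intentional on a single-analyst workstation` (if that is the reasoning) would save the next reader the question. The Icon line points at networkminericon-4.png while the convert call above produces networkminericon.png; ImageMagick does number frames of a multi-frame .ico, so this may be right, but it is worth checking the icon actually resolves.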
@@ -73,12 +115,10 @@ yum -y install tcpxtract; yum -y install whois; # Install foremost -sudo yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm; +yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm; -# Install Google Chrome -wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm; -yum -y localinstall google-chrome-stable_current_x86_64.rpm; -rm google-chrome-stable_current_x86_64.rpm; +# Install chromium +yum -y install chromium; # Install tcpstat yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm; @@ -88,7 +128,7 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- # Install sslsplit yum -y install libevent; -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsplit-0.5.5/securityonion-sslsplit-0.5.5.rpm; +yum -y install sslsplit; # Install Bit-Twist yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm; @@ -96,7 +136,13 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- # Install chaosreader yum -y install perl-IO-Compress perl-Net-DNS; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm; +chmod +x /bin/chaosreader; cp ../files/analyst/README /; -reboot; \ No newline at end of file +echo +echo "Analyst workstation has been installed!" +echo "Press ENTER to reboot or Ctrl-C to cancel." +read pause + +reboot; diff --git a/setup/so-functions b/setup/so-functions index afb7bd72b..73828b091 100755 --- a/setup/so-functions +++ b/setup/so-functions 
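Review bot: `read pause` in the new reboot prompt returns immediately at end-of-file when stdin is not a terminal, so an unattended or piped run of so-analyst prints the prompt and reboots without the pause it advertises; `read` without `-r` also mangles backslashes (ShellCheck SC2162). Guarding on a tty keeps the prompt for interactive use and makes the non-interactive behaviour explicit: `if [ -t 0 ]; then read -r -p "Press ENTER to reboot or Ctrl-C to cancel." _; fi`. The `cp ../files/analyst/README /` just above it resolves against the caller's working directory, which the commit leaves as it was.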
@@ -1980,6 +1980,47 @@ zeek_logs_enabled() { for BLOG in "${BLOGS[@]}"; do echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar" done + elif [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then + printf '%s\n'\ + " - conn"\ + " - dce_rpc"\ + " - dhcp"\ + " - dhcpv6"\ + " - dnp3"\ + " - dns"\ + " - dpd"\ + " - files"\ + " - ftp"\ + " - http"\ + " - intel"\ + " - irc"\ + " - kerberos"\ + " - modbus"\ + " - mqtt"\ + " - notice"\ + " - ntlm"\ + " - openvpn"\ + " - pe"\ + " - radius"\ + " - rfb"\ + " - rdp"\ + " - signatures"\ + " - sip"\ + " - smb_files"\ + " - smb_mapping"\ + " - smtp"\ + " - snmp"\ + " - software"\ + " - ssh"\ + " - ssl"\ + " - syslog"\ + " - telnet"\ + " - tunnel"\ + " - weird"\ + " - mysql"\ + " - socks"\ + " - x509" >> "$zeeklogs_pillar" + # Disable syslog log by default else printf '%s\n'\ " - conn"\ @@ -2013,7 +2054,6 @@ zeek_logs_enabled() { " - software"\ " - ssh"\ " - ssl"\ - " - syslog"\ " - telnet"\ " - tunnel"\ " - weird"\ diff --git a/setup/so-setup b/setup/so-setup index a3eff2aa6..299f3e094 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -500,7 +500,7 @@ fi update_sudoers >> $setup_log 2>&1 set_progress_str 12 'Generating manager global pillar' - minio_generate_keys + #minio_generate_keys manager_global >> $setup_log 2>&1 set_progress_str 13 'Generating manager pillar'
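Review bot: The comment `# Disable syslog log by default` sits at the end of the new EVAL/IMPORT branch, directly above `else`, so it reads as applying to the list just printed, which does include `- syslog`; the removal it describes happens in the else branch, so move the comment below `else`, or reword it as `# EVAL/IMPORT keep syslog; every other install type omits it`. The new branch also repeats the whole Zeek log list from the else branch with one extra entry, so the two will drift the next time a log is added; a shared list with `- syslog` appended only for EVAL/IMPORT would keep one source of truth. zeek_logs_enabled begins before the hunk and its else branch runs past it.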
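Review bot: `#minio_generate_keys` leaves the call commented out rather than deleted, while top.sls in this same commit drops minio from every role; commented-out calls accumulate, and the function it names may now be dead code. Remove the line (history keeps it), or if minio is expected back, say so with a dated note: `# TODO: minio_generate_keys disabled together with the top.sls minio removal`.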