From 8344e38d91a9932cc77667a8ae0fdce45aa7915c Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 28 Aug 2020 16:43:28 -0400 Subject: [PATCH 01/19] Add files via upload --- setup/so-analyst | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/setup/so-analyst b/setup/so-analyst index 6311f0d23..68747c743 100644 --- a/setup/so-analyst +++ b/setup/so-analyst @@ -15,6 +15,11 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 +fi + # Install misc utils yum -y install wget curl unzip epel-release; @@ -26,7 +31,7 @@ ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target; # Install Mono - prereq for NetworkMiner rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef"; -su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo'; +curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo; yum -y install mono-devel; # Install NetworkMiner @@ -34,10 +39,15 @@ yum -y install libcanberra-gtk2; wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; unzip /tmp/nm.zip -d /opt/; cd /opt/NetworkMiner*; -sudo chmod +x NetworkMiner.exe; -sudo chmod -R go+w AssembledFiles/; -sudo chmod -R go+w Captures/; +chmod +x NetworkMiner.exe; +chmod -R go+w AssembledFiles/; +chmod -R go+w Captures/; rm /tmp/nm.zip; +cat << EOF >> /bin/networkminer +#!/bin/bash +/bin/mono /opt/NetworkMiner_2-5/NetworkMiner.exe \$@ --noupdatecheck +EOF +chmod +x /bin/networkminer # Install Wireshark for Gnome yum -y install wireshark-gnome; 
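Review bot: The new `curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo;` still writes whatever curl returns into the repo definition, so an HTTP error page or an empty body on a failed download lands in `/etc/yum.repos.d/` and the script proceeds to `yum -y install mono-devel` anyway. Use `curl -fsSL https://download.mono-project.com/repo/centos7-stable.repo -o /etc/yum.repos.d/mono-centos7-stable.repo || exit 1` so a bad download aborts the install rather than leaving a broken repo file behind. The `rpmkeys --import "http://pool.sks-keyservers.net/..."` line just above is context rather than new code, but it is the trust anchor for this repo and is fetched over plain `http://` from a keyserver pool; fetching the key over HTTPS (or verifying its fingerprint after import) would close that gap.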
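Review bot: The shim is written with `cat << EOF >> /bin/networkminer`, so a second run of this installer appends another `#!/bin/bash` and mono line to the existing file instead of replacing it; `>` is what is meant here. The NetworkMiner zip is fetched with `wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;` and its contents are made executable and installed system-wide with no checksum or signature check and without confirming that `unzip` succeeded; at minimum chain `unzip /tmp/nm.zip -d /opt/ || exit 1`, and if netresec publishes a hash for the release, compare against it. `chmod -R go+w AssembledFiles/` and `Captures/` make those trees writable by every local account, which is presumably intentional on a single-analyst VM, but a one-line comment saying so would stop a later reader from "fixing" it.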
@@ -73,12 +83,10 @@ yum -y install tcpxtract; yum -y install whois; # Install foremost -sudo yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm; +yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm; -# Install Google Chrome -wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm; -yum -y localinstall google-chrome-stable_current_x86_64.rpm; -rm google-chrome-stable_current_x86_64.rpm; +# Install chromium +yum -y install chromium; # Install tcpstat yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm; @@ -88,7 +96,7 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- # Install sslsplit yum -y install libevent; -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsplit-0.5.5/securityonion-sslsplit-0.5.5.rpm; +yum -y install sslsplit; # Install Bit-Twist yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm; @@ -99,4 +107,9 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- cp ../files/analyst/README /; -reboot; \ No newline at end of file +echo +echo "Analyst workstation has been installed!" +echo "Press ENTER to reboot or Ctrl-C to cancel." +read pause + +reboot; From f6f990ca9f5064a34684efb76e2ea06cd31a2a36 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 28 Aug 2020 16:44:41 -0400 Subject: [PATCH 02/19] Update README --- files/analyst/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/analyst/README b/files/analyst/README index bb3f265ec..9bb61a3c0 100644 --- a/files/analyst/README +++ b/files/analyst/README 
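Review bot: `yum -y install sslsplit;` replaces the pinned, Security Onion-built `securityonion-sslsplit-0.5.5.rpm` with whatever version the enabled repositories (EPEL is added at the top of this script) happen to offer, so the workstation build is no longer reproducible and will silently pick up new upstream releases; the switch from the Google Chrome RPM to `yum -y install chromium;` in the hunk above has the same effect. If floating to the distro package is intended, say so in the commit message; otherwise pin the version (`yum -y install sslsplit-0.5.5`) or keep the vendored RPM.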
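Review bot: `read pause` should be `read -r _`: without `-r` backslashes in the typed input are interpreted, and the variable is never used. More importantly, the new prompt tells the user the workstation "has been installed" and then reboots, yet none of the `yum -y install`, `wget` or `unzip` steps earlier in the script check their exit status and there is no `set -e`, so a failed package install is reported as success and the evidence is lost to the reboot. Consider `set -e` after the root check at the top, or at least collect failures so that the final message and the decision to reboot reflect them.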
@@ -2,7 +2,7 @@ The following tools are available on the analyst workstation. NetworkMiner url: https://www.netresec.com - Running NetworkMiner: Open terminal and run: mono /opt/NetworkMiner_2-5/NetworkMiner.exe --noupdatecheck + Running NetworkMiner: Open terminal and run: networkminer Wireshark url: https://www.wireshark.org/ From c21b347549d13f0120896fcc9e855d0de0e9bec1 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 29 Aug 2020 04:46:00 -0400 Subject: [PATCH 03/19] Update README --- files/analyst/README | 130 +++++++++++++++++++++---------------------- 1 file changed, 64 insertions(+), 66 deletions(-) diff --git a/files/analyst/README b/files/analyst/README index 9bb61a3c0..ce5a4f202 100644 --- a/files/analyst/README +++ b/files/analyst/README 
@@ -1,81 +1,79 @@ -The following tools are available on the analyst workstation. +The following GUI tools are available on the analyst workstation: + +chromium + url: https://www.chromium.org/Home + To run chromium, click Applications > Internet > Chromium Web Browser + +Wireshark + url: https://www.wireshark.org/ + To run Wireshark, click Applications > Internet > Wireshark Network Analyzer NetworkMiner url: https://www.netresec.com - Running NetworkMiner: Open terminal and run: networkminer + To run NetworkMiner, open a terminal and type: networkminer -Wireshark - url: https://www.wireshark.org/ - Running Wireshark: Applications > Internet > Wireshark Network Analyzer - -dnsiff - url: https://www.monkey.org/~dugsong/dsniff/ - Running dsniff: Open terminal and run: dsniff -h - -hping3 - url: http://www.hping.org/hping3.html - Running hping3: Open terminal and run: hping3 -h - -netsed - url: http://silicone.homelinux.org/projects/netsed/ - Running netsed: Open terminal and run: netsed -h - -ngrep - url: https://github.com/jpr5/ngrep - Running ngrep: Open terminal and run: ngrep -h - -scapy - url: http://www.secdev.org/projects/scapy/ - Running scapy: Open terminal and run: scapy - -ssldump - url: http://www.rtfm.com/ssldump/ - Running ssldump: Open terminal and run: ssldump -h - -tcpdump - url: http://www.tcpdump.org - Running tcpdump: Open terminal and run: tcpdump -h - -tcpflow - url: https://github.com/simsong/tcpflow - Running tcpflow: Open terminal and run: tcpflow -h - -tcpxtract - url: http://tcpxtract.sourceforge.net/ - Running tcpxtract: Open terminal and run: tcpxtract -h - -whois - url: http://www.linux.it/~md/software/ - Running whois: Open terminal and run: whois -h - -foremost - url: http://foremost.sourceforge.net - Running foremost: Open terminal and run: foremost -h - -tcpstat - url: https://frenchfries.net/paul/tcpstat/ - Running tcpstat: Open terminal and run: tcpstat -h - -tcptrace - url: http://www.tcptrace.org - Running tcptract: Open terminal 
and run: tcptrace -h - -sslsplit - url: https://github.com/droe/sslsplit - Running sslsplit: Open terminal and run: sslsplit -h +The following CLI tools are available on the analyst workstation: bit-twist url: http://bittwist.sourceforge.net - Running bit-twist: Open terminal and run: bittwist -h + To run bit-twist, open a terminal and type: bittwist -h chaosreader url: http://chaosreader.sourceforge.net - Running chaosreader: Open terminal and run: perl /usr/bin/chaosreader -h + To run chaosreader, open a terminal and type: chaosreader -h -Google Chrome - url: https://www.google.com/chrome/ - Running Google Chrome: Applications > Internet > Google Chrome +dnsiff + url: https://www.monkey.org/~dugsong/dsniff/ + To run dsniff, open a terminal and type: dsniff -h +foremost + url: http://foremost.sourceforge.net + To run foremost, open a terminal and type: foremost -h + +hping3 + url: http://www.hping.org/hping3.html + To run hping3, open a terminal and type: hping3 -h +netsed + url: http://silicone.homelinux.org/projects/netsed/ + To run netsed, open a terminal and type: netsed -h +ngrep + url: https://github.com/jpr5/ngrep + To run ngrep, open a terminal and type: ngrep -h +scapy + url: http://www.secdev.org/projects/scapy/ + To run scapy, open a terminal and type: scapy + +ssldump + url: http://www.rtfm.com/ssldump/ + To run ssldump, open a terminal and type: ssldump -h + +sslsplit + url: https://github.com/droe/sslsplit + To run sslsplit, open a terminal and type: sslsplit -h + +tcpdump + url: http://www.tcpdump.org + To run tcpdump, open a terminal and type: tcpdump -h + +tcpflow + url: https://github.com/simsong/tcpflow + To run tcpflow, open a terminal and type: tcpflow -h + +tcpstat + url: https://frenchfries.net/paul/tcpstat/ + To run tcpstat, open a terminal and type: tcpstat -h + +tcptrace + url: http://www.tcptrace.org + To run tcptrace, open a terminal and type: tcptrace -h + +tcpxtract + url: http://tcpxtract.sourceforge.net/ + To run tcpxtract, open a 
terminal and type: tcpxtract -h + +whois + url: http://www.linux.it/~md/software/ + To run whois, open a terminal and type: whois -h From c20f47ffd60d040787a3ce4dbbbbfb9cf59cd469 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 29 Aug 2020 04:52:21 -0400 Subject: [PATCH 04/19] make chaosreader executable --- setup/so-analyst | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-analyst b/setup/so-analyst index 68747c743..ca75b78b1 100644 --- a/setup/so-analyst +++ b/setup/so-analyst @@ -104,6 +104,7 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- # Install chaosreader yum -y install perl-IO-Compress perl-Net-DNS; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm; +chmod +x /bin/chaosreader; cp ../files/analyst/README /; From 1e1212bf414f5b8f6b490c5342a7d158af1743aa Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 29 Aug 2020 05:59:21 -0400 Subject: [PATCH 05/19] Update so-analyst --- setup/so-analyst | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/setup/so-analyst b/setup/so-analyst index ca75b78b1..0d90a3bd8 100644 --- a/setup/so-analyst +++ b/setup/so-analyst 
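Review bot: `chmod +x /bin/chaosreader;` patches the mode of a file that the `securityonion-chaosreader-0.95.10.rpm` installed on the line above, so the fix is in the wrong place: the next reinstall or update of that RPM restores the packaged mode and the wrapper breaks again, and `rpm -V` will report the file as modified in the meantime. Set the mode in the RPM (`%attr(0755,root,root) /bin/chaosreader` in the spec, or equivalent) and drop this line; if it has to stay as a stopgap, mark it `# TODO: fix the file mode in the chaosreader RPM instead` so it is not mistaken for the permanent fix.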
@@ -37,17 +37,37 @@ yum -y install mono-devel; # Install NetworkMiner yum -y install libcanberra-gtk2; wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; -unzip /tmp/nm.zip -d /opt/; -cd /opt/NetworkMiner*; -chmod +x NetworkMiner.exe; -chmod -R go+w AssembledFiles/; -chmod -R go+w Captures/; +mkdir -p /opt/networkminer/ +unzip /tmp/nm.zip -d /opt/networkminer/; +mv NetworkMiner_*/* /opt/networkminer/ +chmod +x /opt/networkminer/NetworkMiner.exe; +chmod -R go+w /opt/networkminer/AssembledFiles/; +chmod -R go+w /opt/networkminer/Captures/; rm /tmp/nm.zip; +# Create networkminer shim cat << EOF >> /bin/networkminer #!/bin/bash -/bin/mono /opt/NetworkMiner_2-5/NetworkMiner.exe \$@ --noupdatecheck +/bin/mono /opt/networkminer/NetworkMiner.exe \$@ --noupdatecheck EOF chmod +x /bin/networkminer +# Convert networkminer ico file to png format +yum -y install ImageMagick +convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png +# Create menu entry +cat << EOF >> /usr/share/applications/networkminer.desktop +[Desktop Entry] +Name=NetworkMiner +Comment=NetworkMiner +Encoding=UTF-8 +Exec=/bin/networkminer %f +Icon=/opt/networkminer/networkminericon-4.png +StartupNotify=true +Terminal=false +X-MultipleArgs=false +Type=Application +MimeType=application/x-pcap; +Categories=Network; +EOF # Install Wireshark for Gnome yum -y install wireshark-gnome; From df5ef7c95636cc54ddcfdde146da2faff81fd5b5 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 29 Aug 2020 06:07:58 -0400 Subject: [PATCH 06/19] Update so-analyst --- setup/so-analyst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-analyst b/setup/so-analyst index 0d90a3bd8..f5c70dcad 100644 --- a/setup/so-analyst +++ b/setup/so-analyst 
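Review bot: The desktop entry's `Icon=/opt/networkminer/networkminericon-4.png` does not match what the `convert` line produces: `convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png` writes `networkminericon.png` for a single-image icon and only emits `networkminericon-N.png` frames when the `.ico` contains several images, so the name depends on how upstream happened to build the icon and `-4` selects an arbitrary frame. Select the frame explicitly and name the output what the entry expects, e.g. `convert '/opt/networkminer/networkminericon.ico[4]' /opt/networkminer/networkminericon.png` with `Icon=/opt/networkminer/networkminericon.png`. Both the shim and the `.desktop` file are created with `>>`, so rerunning the installer appends duplicate content to both; `>` is the intent. The `.desktop` heredoc is unquoted (`<< EOF`), which is fine today because it contains no `$`, but `<< 'EOF'` would make that robust.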
@@ -39,11 +39,11 @@ yum -y install libcanberra-gtk2; wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; mkdir -p /opt/networkminer/ unzip /tmp/nm.zip -d /opt/networkminer/; -mv NetworkMiner_*/* /opt/networkminer/ +rm /tmp/nm.zip; +mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/ chmod +x /opt/networkminer/NetworkMiner.exe; chmod -R go+w /opt/networkminer/AssembledFiles/; chmod -R go+w /opt/networkminer/Captures/; -rm /tmp/nm.zip; # Create networkminer shim cat << EOF >> /bin/networkminer #!/bin/bash From 13ce439678be52c647e311fded9acea1fa17f058 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 29 Aug 2020 06:52:26 -0400 Subject: [PATCH 07/19] Update README --- files/analyst/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/analyst/README b/files/analyst/README index ce5a4f202..99c444ea8 100644 --- a/files/analyst/README +++ b/files/analyst/README @@ -10,7 +10,7 @@ Wireshark NetworkMiner url: https://www.netresec.com - To run NetworkMiner, open a terminal and type: networkminer + To run NetworkMiner, click Applications > Internet > NetworkMiner The following CLI tools are available on the analyst workstation: From 77b3ebdabee5cfc77f1053a1437f4db92d3ad9cd Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sun, 30 Aug 2020 06:56:15 -0400 Subject: [PATCH 08/19] Hunt Events table should show ssl.server_name when searching for ssl Hunt Events table should show ssl.server_name when searching for ssl #1267 --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index b44733cb1..f4a817ff3 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
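Review bot: `rm /tmp/nm.zip;` now runs immediately after `unzip`, before anything checks that the extraction succeeded, and `mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/` does nothing useful if the glob matched no directory; chain them so a failure stops the install: `unzip /tmp/nm.zip -d /opt/networkminer/ || exit 1`. After the `mv` the now-empty `NetworkMiner_*` directory is left under `/opt/networkminer/`; `rmdir /opt/networkminer/NetworkMiner_*` would tidy it.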
@@ -63,7 +63,7 @@ "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ], "::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ], "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ], - "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.cipher", "ssl.curve", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ], + "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ], "::syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ], "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ], "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ], From 2f09156a023d62027146ae43dc7dc0151377159d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sun, 30 Aug 2020 16:10:47 -0400 Subject: [PATCH 09/19] quote filename when spawning NetworkMiner --- setup/so-analyst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-analyst b/setup/so-analyst index f5c70dcad..3d1eeddc7 100644 --- a/setup/so-analyst +++ b/setup/so-analyst 
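Review bot: Besides adding `ssl.server_name`, the new `::ssl` column list drops `ssl.cipher` and `ssl.curve`, which neither the commit title nor the referenced issue (#1267) mentions. Cipher and curve are what an analyst looks at to spot weak or anomalous TLS negotiations, so removing them from the default Hunt view is a visible loss; if the removal is deliberate, say so in the commit message, otherwise keep them: `"ssl.server_name", "ssl.cipher", "ssl.curve", "ssl.certificate.subject", "ssl.validation_status", "ssl.version"`.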
@@ -47,7 +47,7 @@ chmod -R go+w /opt/networkminer/Captures/; # Create networkminer shim cat << EOF >> /bin/networkminer #!/bin/bash -/bin/mono /opt/networkminer/NetworkMiner.exe \$@ --noupdatecheck +/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@" EOF chmod +x /bin/networkminer # Convert networkminer ico file to png format From 9680270b202f84e2edc955772176173a8d00bcf7 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sun, 30 Aug 2020 16:42:44 -0400 Subject: [PATCH 10/19] Set default monospace font to Liberation --- setup/so-analyst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/setup/so-analyst b/setup/so-analyst index 3d1eeddc7..9f0943523 100644 --- a/setup/so-analyst +++ b/setup/so-analyst @@ -69,6 +69,18 @@ MimeType=application/x-pcap; Categories=Network; EOF +# Set default monospace font to Liberation +cat << EOF >> /etc/fonts/local.conf + + + monospace + + + Liberation Mono + + +EOF + # Install Wireshark for Gnome yum -y install wireshark-gnome; From 8e06f0453e91d99b2453bbf231849d7cd8b99bea Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 31 Aug 2020 09:41:01 -0400 Subject: [PATCH 11/19] Only add users to aux systems if those systems are currently running --- salt/common/tools/sbin/so-user | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 7ec71c9f5..7f376329c 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
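Review bot: The fontconfig snippet is added with `cat << EOF >> /etc/fonts/local.conf`, so every run of the installer appends another copy, and if `/etc/fonts/local.conf` already exists with its own `<fontconfig>` root element the result is two root elements in one file, which is not well-formed XML and fontconfig will reject or ignore (the element tags themselves are not visible in this rendering of the hunk, so I cannot check the markup). Write the file with `>`, guarded if it may pre-exist (`[ -e /etc/fonts/local.conf ] || cat << EOF > /etc/fonts/local.conf`), or better, put the snippet in its own file under `/etc/fonts/conf.d/`, which is the mechanism fontconfig provides for exactly this kind of drop-in override.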
@@ -190,9 +190,9 @@ case "${operation}" in
 validateEmail "$email"
 createUser "$email"
 echo "Successfully added new user to SOC"
- echo $password | so-thehive-user-add "$email"
- echo $password | so-cortex-user-add "$email"
- echo $password | so-fleet-user-add "$email"
+ docker ps | grep so-thehive > /dev/null 2>&1 && echo $password | so-thehive-user-add "$email"
+ docker ps | grep so-cortex > /dev/null 2>&1 && echo $password | so-cortex-user-add "$email"
+ docker ps | grep so-fleet > /dev/null 2>&1 && echo $password | so-fleet-user-add "$email"
 ;;
 "list")
From 189c02648d09749d3ab2805886682ca5e2202d8f Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 31 Aug 2020 09:52:06 -0400
Subject: [PATCH 12/19] Move container status check to so-common
---
 salt/common/tools/sbin/so-common | 21 +++++++++++++--------
 salt/common/tools/sbin/so-cortex-user-add | 2 +-
 salt/common/tools/sbin/so-thehive-user-add | 2 +-
 salt/common/tools/sbin/so-user | 19 ++++---------------
 4 files changed, 19 insertions(+), 25 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 635910638..7f436a85d 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -19,24 +19,29 @@ IMAGEREPO=securityonion # Check for prerequisites if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 + echo "This script must be run using sudo!" + exit 1 fi # Define a banner to separate sections banner="=========================================================================" header() { - echo - printf '%s\n' "$banner" "$*" "$banner" + echo + printf '%s\n' "$banner" "$*" "$banner" } lookup_pillar() { - key=$1 - cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}' + key=$1 + cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}' } lookup_pillar_secret() { - key=$1 - cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}' + key=$1 + cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}' +} + +check_container() { + docker ps | grep "$1:" > /dev/null 2>&1 + return $? } \ No newline at end of file diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add index 6d6b0d582..531872d80 100644 --- a/salt/common/tools/sbin/so-cortex-user-add +++ b/salt/common/tools/sbin/so-cortex-user-add @@ -47,7 +47,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to Cortex." else - echo "Failed to add user to Cortex. See API response below." + echo "Failed to add user to Cortex." exit 2 fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add index 61c655c61..0867ad766 100644 --- a/salt/common/tools/sbin/so-thehive-user-add +++ b/salt/common/tools/sbin/so-thehive-user-add 
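Review bot: `check_container` decides by substring: `docker ps | grep "$1:"` matches anywhere in the `docker ps` output, including the image column of every running container, so an image whose name or tag contains `thehive:`, `cortex:` or `fleet:` produces a true result even when the container that `so-user` is about to call into is not running. Ask Docker for the exact container instead: `docker ps --filter "name=^so-$1$" --format '{{.Names}}' | grep -q .` (or `docker inspect -f '{{.State.Running}}' "so-$1" 2>/dev/null | grep -q true`). The trailing `return $?` is redundant, since a function already returns the status of its last command. The function has no header comment; `# check_container NAME -- succeed if the so-NAME container is running` would document the contract callers rely on.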
@@ -46,7 +46,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to TheHive." else - echo "Failed to add user to TheHive. See API response below." + echo "Failed to add user to TheHive." echo $resp exit 2 fi diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 7f376329c..f4a53efa7 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -8,18 +8,7 @@ # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -got_root() { - - # Make sure you are root - if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 - fi - -} - -# Make sure the user is root -got_root +. /usr/sbin/so-common if [[ $# < 1 || $# > 2 ]]; then echo "Usage: $0 [email]" @@ -190,9 +179,9 @@ case "${operation}" in validateEmail "$email" createUser "$email" echo "Successfully added new user to SOC" - docker ps | grep so-thehive > /dev/null 2>&1 && echo $password | so-thehive-user-add "$email" - docker ps | grep so-cortex > /dev/null 2>&1 && echo $password | so-cortex-user-add "$email" - docker ps | grep so-fleet > /dev/null 2>&1 && echo $password | so-fleet-user-add "$email" + check_container thehive && echo $password | so-thehive-user-add "$email" + check_container cortex && echo $password | so-cortex-user-add "$email" + check_container fleet && echo $password | so-fleet-user-add "$email" ;; "list") From 9abbda8e04b9d8e1fa4f28fed1af0420fee63542 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 31 Aug 2020 13:54:49 +0000 Subject: [PATCH 13/19] Wait for Elasticsearch indices to be queryable before starting Elastalert container --- salt/elastalert/init.sls | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index c6c3afb2f..e878ae87d 100644 --- a/salt/elastalert/init.sls 
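Review bot: `echo $password | so-thehive-user-add "$email"` leaves `$password` unquoted, so a password containing spaces or glob characters is word-split and glob-expanded before it reaches the pipe, and `echo` will also misread a password beginning with `-n` or `-e`; use `printf '%s\n' "$password" | so-thehive-user-add "$email"` on all three lines. Chaining with `&&` also discards the non-zero status (2) that `so-thehive-user-add` and `so-cortex-user-add` return when the API call fails, so `so-user` reports success while the auxiliary accounts were never created; record the failures (`|| failed=1`) and exit non-zero at the end of the `add` arm. The enclosing `case` statement starts outside this hunk.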
+++ b/salt/elastalert/init.sls @@ -100,6 +100,12 @@ elastaconf: - group: 933 - template: jinja +wait_for_elasticsearch: + module.run: + - http.wait_for_successful_query: + - url: 'http://{{MANAGER}}:9200/_cat/indices/.kibana*' + - wait_for: 180 + so-elastalert: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} @@ -112,5 +118,6 @@ so-elastalert: - /opt/so/log/elastalert:/var/log/elastalert:rw - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro - + - require: + - module: wait_for_elasticsearch {% endif %} From 6d14f2af96bc4d5c72922954c7ff8e78417b81f5 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 31 Aug 2020 14:07:47 +0000 Subject: [PATCH 14/19] Remove minio for now --- salt/top.sls | 4 ---- setup/so-setup | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 795a89681..719b367e8 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -149,7 +149,6 @@ base: - wazuh {%- endif %} - logstash - - minio - redis - kibana - elastalert @@ -198,7 +197,6 @@ base: - wazuh {%- endif %} - logstash - - minio - kibana - pcap - suricata @@ -314,7 +312,6 @@ base: - manager - idstools - suricata.manager - - minio {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} @@ -355,7 +352,6 @@ base: - nginx - telegraf - firewall - - minio {%- if WAZUH != 0 %} - wazuh {%- endif %} diff --git a/setup/so-setup b/setup/so-setup index a3eff2aa6..299f3e094 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -500,7 +500,7 @@ fi update_sudoers >> $setup_log 2>&1 set_progress_str 12 'Generating manager global pillar' - minio_generate_keys + #minio_generate_keys manager_global >> $setup_log 2>&1 set_progress_str 13 'Generating manager pillar' From 46e7e121e313106de42cc6c6a04ed346fff407c9 Mon Sep 17 00:00:00 2001 
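Review bot: `http.wait_for_successful_query` against `http://{{MANAGER}}:9200/_cat/indices/.kibana*` only proves that Elasticsearch answers HTTP: as far as I recall, a `_cat/indices` wildcard that matches nothing still returns 200 with an empty body, and Elastalert does not read `.kibana*` anyway, so on a fresh install the wait can pass before the indices Elastalert actually queries exist. Poll something that has to be true for Elastalert to work, e.g. `url: 'http://{{MANAGER}}:9200/_cluster/health?wait_for_status=yellow&timeout=60s'`, which Elasticsearch answers with a non-200 status until the cluster is usable (worth confirming that the Salt module treats a non-200 response as a failed attempt). The `so-elastalert` state and the `{% endif %}` indicate this sits inside a conditional block that begins outside the hunk; `wait_for_elasticsearch` must live inside the same block or the `require` will dangle when the condition is false.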
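Review bot: `#minio_generate_keys` leaves the call as dead code while the matching `minio` states are deleted from `top.sls`; if the feature is gone "for now", delete the line and rely on git history, or add `# TODO: minio disabled, see top.sls` so the intent is recorded. If `manager_global` still writes the minio access/secret keys into the global pillar, those values are now unset at this point -- that cannot be verified from the hunk, so please check before release.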
From: Wes Lambert
Date: Mon, 31 Aug 2020 14:54:24 +0000
Subject: [PATCH 15/19] Add Wazuh mgmt wrappers for manage_agents and upgrade
---
 salt/common/tools/sbin/so-wazuh-agent-manage | 22 +++++++++++++++++++
 .../common/tools/sbin/so-wazuh-agent-upggrade | 22 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100755 salt/common/tools/sbin/so-wazuh-agent-manage
 create mode 100755 salt/common/tools/sbin/so-wazuh-agent-upggrade
diff --git a/salt/common/tools/sbin/so-wazuh-agent-manage b/salt/common/tools/sbin/so-wazuh-agent-manage
new file mode 100755
index 000000000..14cb70f2f
--- /dev/null
+++ b/salt/common/tools/sbin/so-wazuh-agent-manage
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+ docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@"
+else
+ echo "Wazuh manager is not running. Please start it with so-wazuh-start."
+fi
diff --git a/salt/common/tools/sbin/so-wazuh-agent-upggrade b/salt/common/tools/sbin/so-wazuh-agent-upggrade
new file mode 100755
index 000000000..7459b0761
--- /dev/null
+++ b/salt/common/tools/sbin/so-wazuh-agent-upggrade
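Review bot: `docker ps |grep so-wazuh` is a substring match over the whole `docker ps` output (names and image column alike), and the wrapper has no root check even though `docker exec` needs root or docker-group membership; the sibling scripts in this directory source `/usr/sbin/so-common`, which provides the root check and a `check_container` helper, so use it: `. /usr/sbin/so-common` followed by `if check_container wazuh; then`. The `else` branch prints to stdout and exits 0, so a caller cannot tell that nothing was done; write the message with `>&2` and `exit 1`. `docker exec -it` also fails with "the input device is not a TTY" when there is no terminal, so if this is ever driven from a script, `-i` alone is the safer choice.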
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+ docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@"
+else
+ echo "Wazuh manager is not running. Please start it with so-wazuh-start."
+fi
From dc3b065a41280937d6f0db0ae10ffbe60cfac36a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 31 Aug 2020 10:57:17 -0400
Subject: [PATCH 16/19] Set exec bit on new user-add scripts
---
 salt/common/tools/sbin/so-cortex-user-add | 0
 salt/common/tools/sbin/so-fleet-user-add | 0
 salt/common/tools/sbin/so-thehive-user-add | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 salt/common/tools/sbin/so-cortex-user-add
 mode change 100644 => 100755 salt/common/tools/sbin/so-fleet-user-add
 mode change 100644 => 100755 salt/common/tools/sbin/so-thehive-user-add
diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add
old mode 100644
new mode 100755
From 26ffc44fd17b8909f87482521d37e0f2d66fa6e4 Mon Sep 17 00:00:00 2001
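Review bot: The file is created as `so-wazuh-agent-upggrade` (double `g`) while the commit message and the `agent_upgrade` tool it wraps say "upgrade"; rename it before release, since the name becomes part of the documented CLI and of every script that calls it. Inside, `docker ps |grep so-wazuh` substring-matches the whole `docker ps` output and there is no root check before `docker exec`; sourcing `/usr/sbin/so-common` and using `if check_container wazuh; then` gives both, consistent with `so-user`. The `else` branch should report to stderr and `exit 1` rather than exiting 0 after doing nothing.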
From: Wes Lambert Date: Mon, 31 Aug 2020 16:30:32 +0000 Subject: [PATCH 17/19] Only enable syslog log by default in Eval mode --- setup/so-functions | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index afb7bd72b..ab01be05a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1980,6 +1980,47 @@ zeek_logs_enabled() { for BLOG in "${BLOGS[@]}"; do echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar" done + elif [ "$install_type" == "EVAL"]; then + printf '%s\n'\ + " - conn"\ + " - dce_rpc"\ + " - dhcp"\ + " - dhcpv6"\ + " - dnp3"\ + " - dns"\ + " - dpd"\ + " - files"\ + " - ftp"\ + " - http"\ + " - intel"\ + " - irc"\ + " - kerberos"\ + " - modbus"\ + " - mqtt"\ + " - notice"\ + " - ntlm"\ + " - openvpn"\ + " - pe"\ + " - radius"\ + " - rfb"\ + " - rdp"\ + " - signatures"\ + " - sip"\ + " - smb_files"\ + " - smb_mapping"\ + " - smtp"\ + " - snmp"\ + " - software"\ + " - ssh"\ + " - ssl"\ + " - syslog"\ + " - telnet"\ + " - tunnel"\ + " - weird"\ + " - mysql"\ + " - socks"\ + " - x509" >> "$zeeklogs_pillar" + # Disable syslog log by default else printf '%s\n'\ " - conn"\ @@ -2013,7 +2054,6 @@ zeek_logs_enabled() { " - software"\ " - ssh"\ " - ssl"\ - " - syslog"\ " - telnet"\ " - tunnel"\ " - weird"\ From 5ed5e6603de9ceb2fa6fa2619171668cd9687159 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 31 Aug 2020 16:32:12 +0000 Subject: [PATCH 18/19] Fix space --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index ab01be05a..64f52f304 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1980,7 +1980,7 @@ zeek_logs_enabled() { for BLOG in "${BLOGS[@]}"; do echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar" done - elif [ "$install_type" == "EVAL"]; then + elif [ "$install_type" == "EVAL" ]; then printf '%s\n'\ " - conn"\ " - dce_rpc"\ 
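Review bot: The new `elif` branch duplicates the entire log list of the `else` branch below it, differing only by `" - syslog"`, so every future addition or removal must be made in two places and the lists will drift; the `# Disable syslog log by default` comment is also placed directly above `else`, where it reads as describing the wrong branch. Delete the `elif` branch so EVAL falls through to the shared default list and append the one difference after that `printf`: `if [ "$install_type" == "EVAL" ]; then echo " - syslog" >> "$zeeklogs_pillar"; fi` (syslog then lands at the end of the list rather than between `ssl` and `telnet`, which should not matter for a pillar list, but confirm the consumer does not depend on order). The `zeek_logs_enabled` function begins before and ends after this hunk.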
From ae3fe9e892ede08a1c4906134bc2bd5976a2c10b Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 31 Aug 2020 17:07:16 +0000
Subject: [PATCH 19/19] Ensure Zeek syslog log is enabled for Import node
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 64f52f304..73828b091 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1980,7 +1980,7 @@ zeek_logs_enabled() {
 for BLOG in "${BLOGS[@]}"; do
 echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
 done
- elif [ "$install_type" == "EVAL" ]; then
+ elif [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then
 printf '%s\n'\
 " - conn"\
 " - dce_rpc"\