merge with dev and resolve conflict

This commit is contained in:
m0duspwnens
2020-08-31 16:05:34 -04:00
14 changed files with 237 additions and 112 deletions


@@ -1,81 +1,79 @@
The following tools are available on the analyst workstation. The following GUI tools are available on the analyst workstation:
chromium
url: https://www.chromium.org/Home
To run chromium, click Applications > Internet > Chromium Web Browser
Wireshark
url: https://www.wireshark.org/
To run Wireshark, click Applications > Internet > Wireshark Network Analyzer
NetworkMiner NetworkMiner
url: https://www.netresec.com url: https://www.netresec.com
Running NetworkMiner: Open terminal and run: mono /opt/NetworkMiner_2-5/NetworkMiner.exe --noupdatecheck To run NetworkMiner, click Applications > Internet > NetworkMiner
Wireshark The following CLI tools are available on the analyst workstation:
url: https://www.wireshark.org/
Running Wireshark: Applications > Internet > Wireshark Network Analyzer
dnsiff
url: https://www.monkey.org/~dugsong/dsniff/
Running dsniff: Open terminal and run: dsniff -h
hping3
url: http://www.hping.org/hping3.html
Running hping3: Open terminal and run: hping3 -h
netsed
url: http://silicone.homelinux.org/projects/netsed/
Running netsed: Open terminal and run: netsed -h
ngrep
url: https://github.com/jpr5/ngrep
Running ngrep: Open terminal and run: ngrep -h
scapy
url: http://www.secdev.org/projects/scapy/
Running scapy: Open terminal and run: scapy
ssldump
url: http://www.rtfm.com/ssldump/
Running ssldump: Open terminal and run: ssldump -h
tcpdump
url: http://www.tcpdump.org
Running tcpdump: Open terminal and run: tcpdump -h
tcpflow
url: https://github.com/simsong/tcpflow
Running tcpflow: Open terminal and run: tcpflow -h
tcpxtract
url: http://tcpxtract.sourceforge.net/
Running tcpxtract: Open terminal and run: tcpxtract -h
whois
url: http://www.linux.it/~md/software/
Running whois: Open terminal and run: whois -h
foremost
url: http://foremost.sourceforge.net
Running foremost: Open terminal and run: foremost -h
tcpstat
url: https://frenchfries.net/paul/tcpstat/
Running tcpstat: Open terminal and run: tcpstat -h
tcptrace
url: http://www.tcptrace.org
Running tcptract: Open terminal and run: tcptrace -h
sslsplit
url: https://github.com/droe/sslsplit
Running sslsplit: Open terminal and run: sslsplit -h
bit-twist bit-twist
url: http://bittwist.sourceforge.net url: http://bittwist.sourceforge.net
Running bit-twist: Open terminal and run: bittwist -h To run bit-twist, open a terminal and type: bittwist -h
chaosreader chaosreader
url: http://chaosreader.sourceforge.net url: http://chaosreader.sourceforge.net
Running chaosreader: Open terminal and run: perl /usr/bin/chaosreader -h To run chaosreader, open a terminal and type: chaosreader -h
Google Chrome dnsiff
url: https://www.google.com/chrome/ url: https://www.monkey.org/~dugsong/dsniff/
Running Google Chrome: Applications > Internet > Google Chrome To run dsniff, open a terminal and type: dsniff -h
foremost
url: http://foremost.sourceforge.net
To run foremost, open a terminal and type: foremost -h
hping3
url: http://www.hping.org/hping3.html
To run hping3, open a terminal and type: hping3 -h
netsed
url: http://silicone.homelinux.org/projects/netsed/
To run netsed, open a terminal and type: netsed -h
ngrep
url: https://github.com/jpr5/ngrep
To run ngrep, open a terminal and type: ngrep -h
scapy
url: http://www.secdev.org/projects/scapy/
To run scapy, open a terminal and type: scapy
ssldump
url: http://www.rtfm.com/ssldump/
To run ssldump, open a terminal and type: ssldump -h
sslsplit
url: https://github.com/droe/sslsplit
To run sslsplit, open a terminal and type: sslsplit -h
tcpdump
url: http://www.tcpdump.org
To run tcpdump, open a terminal and type: tcpdump -h
tcpflow
url: https://github.com/simsong/tcpflow
To run tcpflow, open a terminal and type: tcpflow -h
tcpstat
url: https://frenchfries.net/paul/tcpstat/
To run tcpstat, open a terminal and type: tcpstat -h
tcptrace
url: http://www.tcptrace.org
To run tcptrace, open a terminal and type: tcptrace -h
tcpxtract
url: http://tcpxtract.sourceforge.net/
To run tcpxtract, open a terminal and type: tcpxtract -h
whois
url: http://www.linux.it/~md/software/
To run whois, open a terminal and type: whois -h


@@ -19,24 +19,29 @@ IMAGEREPO=securityonion
# Check for prerequisites # Check for prerequisites
if [ "$(id -u)" -ne 0 ]; then if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!" echo "This script must be run using sudo!"
exit 1 exit 1
fi fi
# Define a banner to separate sections # Define a banner to separate sections
banner="=========================================================================" banner="========================================================================="
header() { header() {
echo echo
printf '%s\n' "$banner" "$*" "$banner" printf '%s\n' "$banner" "$*" "$banner"
} }
lookup_pillar() { lookup_pillar() {
key=$1 key=$1
cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}' cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}'
} }
lookup_pillar_secret() { lookup_pillar_secret() {
key=$1 key=$1
cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}' cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}'
}
check_container() {
docker ps | grep "$1:" > /dev/null 2>&1
return $?
} }
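Review bot: The new check_container at the end of the hunk pipes `docker ps` into `grep "$1:"`, so the container name is interpreted as a regular expression and matched anywhere in the ps output (image column included), and the trailing `return $?` only restates the pipeline's own exit status. A fixed-string, quiet match says what is meant and drops the redundant line: `docker ps | grep -qF -- "$1:"`. Callers in this commit only pass literal names like thehive/cortex/fleet, so this is a robustness point rather than a current failure; the unquoted `grep $key` in the two lookup_pillar helpers above has the same shape but those are context lines.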

2
salt/common/tools/sbin/so-cortex-user-add Normal file → Executable file

@@ -47,7 +47,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type:
if [[ "$resp" =~ \"status\":\"Ok\" ]]; then if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
echo "Successfully added user to Cortex." echo "Successfully added user to Cortex."
else else
echo "Failed to add user to Cortex. See API response below." echo "Failed to add user to Cortex."
exit 2 exit 2
fi fi

0
salt/common/tools/sbin/so-fleet-user-add Normal file → Executable file

2
salt/common/tools/sbin/so-thehive-user-add Normal file → Executable file

@@ -46,7 +46,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type:
if [[ "$resp" =~ \"status\":\"Ok\" ]]; then if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
echo "Successfully added user to TheHive." echo "Successfully added user to TheHive."
else else
echo "Failed to add user to TheHive. See API response below." echo "Failed to add user to TheHive."
echo $resp echo $resp
exit 2 exit 2
fi fi


@@ -8,18 +8,7 @@
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
got_root() { . /usr/sbin/so-common
# Make sure you are root
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
# Make sure the user is root
got_root
if [[ $# < 1 || $# > 2 ]]; then if [[ $# < 1 || $# > 2 ]]; then
echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]" echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
@@ -190,9 +179,9 @@ case "${operation}" in
validateEmail "$email" validateEmail "$email"
createUser "$email" createUser "$email"
echo "Successfully added new user to SOC" echo "Successfully added new user to SOC"
echo $password | so-thehive-user-add "$email" check_container thehive && echo $password | so-thehive-user-add "$email"
echo $password | so-cortex-user-add "$email" check_container cortex && echo $password | so-cortex-user-add "$email"
echo $password | so-fleet-user-add "$email" check_container fleet && echo $password | so-fleet-user-add "$email"
;; ;;
"list") "list")
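Review bot: The three guarded lines in the `add` case still feed the password through an unquoted `echo $password`, which word-splits and globs the value and lets echo treat a password beginning with `-n` or `-e` as an option; `printf '%s\n' "$password" | so-thehive-user-add "$email"` (and the same for the cortex and fleet lines) passes it through unchanged. With the `check_container x && …` list form a missing container is now skipped silently, so a short `echo "thehive not running, skipping" >&2` in the other branch would make the skipped step visible in setup output. In the first hunk the local got_root was replaced by `. /usr/sbin/so-common`, whose top-level `id -u` test now runs at source time — a one-line comment next to the `.` line saying the root check comes from there would save the next reader a lookup. The enclosing case statement starts and ends outside these hunks.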


@@ -0,0 +1,22 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if docker ps |grep so-wazuh >/dev/null 2>&1; then
docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@"
else
echo "Wazuh manager is not running. Please start it with so-wazuh-start."
fi
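Review bot: The `else` branch only prints the not-running message to stdout and then falls off the end, so this wrapper exits 0 when the Wazuh manager is absent and a caller cannot tell "managed agents" from "nothing happened"; write the message to stderr and exit non-zero, `echo "Wazuh manager is not running. Please start it with so-wazuh-start." >&2` followed by `exit 1`. The sibling agent_upgrade wrapper in the next file section has the identical shape and needs the same change. `docker ps |grep so-wazuh` also matches the name anywhere in the ps output (image names included); `docker ps --format '{{.Names}}' | grep -qx so-wazuh`, or the check_container helper this commit adds to so-common if the script sources it, would be more precise. `docker exec -it` presumably requires a terminal, so running these from a non-interactive context (cron, salt) would fail — worth a comment if that is intended.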


@@ -0,0 +1,22 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if docker ps |grep so-wazuh >/dev/null 2>&1; then
docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@"
else
echo "Wazuh manager is not running. Please start it with so-wazuh-start."
fi


@@ -100,6 +100,12 @@ elastaconf:
- group: 933 - group: 933
- template: jinja - template: jinja
wait_for_elasticsearch:
module.run:
- http.wait_for_successful_query:
- url: 'http://{{MANAGER}}:9200/_cat/indices/.kibana*'
- wait_for: 180
so-elastalert: so-elastalert:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }}
@@ -112,5 +118,6 @@ so-elastalert:
- /opt/so/log/elastalert:/var/log/elastalert:rw - /opt/so/log/elastalert:/var/log/elastalert:rw
- /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
- require:
- module: wait_for_elasticsearch
{% endif %} {% endif %}
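Review bot: `wait_for_elasticsearch` is a `module.run` state, which is not idempotent and executes on every highstate, so every run now blocks for up to 180 s whenever the `.kibana*` query on the manager fails, and through the new `require` a failed wait also fails `so-elastalert`. That is probably the intent, but a comment above the state would make it explicit, e.g. `# Block (up to 180 s) until Elasticsearch serves the .kibana index; elastalert cannot start without it`. Whether this list-style `module.run` argument form needs `use_superseded` depends on the Salt version in use — worth confirming against the version the project pins.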


@@ -63,7 +63,7 @@
"::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ], "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ],
"::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ], "::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ],
"::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ], "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ],
"::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.cipher", "ssl.curve", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ], "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
"::syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ], "::syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ],
"::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ], "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ],
"::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ], "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ],


@@ -149,7 +149,6 @@ base:
- wazuh - wazuh
{%- endif %} {%- endif %}
- logstash - logstash
- minio
- redis - redis
- kibana - kibana
- elastalert - elastalert
@@ -198,7 +197,6 @@ base:
- wazuh - wazuh
{%- endif %} {%- endif %}
- logstash - logstash
- minio
- redis - redis
- kibana - kibana
- pcap - pcap
@@ -314,7 +312,6 @@ base:
- manager - manager
- idstools - idstools
- suricata.manager - suricata.manager
- minio
{%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
- mysql - mysql
{%- endif %} {%- endif %}
@@ -355,7 +352,6 @@ base:
- nginx - nginx
- telegraf - telegraf
- firewall - firewall
- minio
{%- if WAZUH != 0 %} {%- if WAZUH != 0 %}
- wazuh - wazuh
{%- endif %} {%- endif %}


@@ -15,6 +15,11 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
# Install misc utils # Install misc utils
yum -y install wget curl unzip epel-release; yum -y install wget curl unzip epel-release;
@@ -26,18 +31,55 @@ ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target;
# Install Mono - prereq for NetworkMiner # Install Mono - prereq for NetworkMiner
rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef"; rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef";
su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo'; curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo;
yum -y install mono-devel; yum -y install mono-devel;
# Install NetworkMiner # Install NetworkMiner
yum -y install libcanberra-gtk2; yum -y install libcanberra-gtk2;
wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;
unzip /tmp/nm.zip -d /opt/; mkdir -p /opt/networkminer/
cd /opt/NetworkMiner*; unzip /tmp/nm.zip -d /opt/networkminer/;
sudo chmod +x NetworkMiner.exe;
sudo chmod -R go+w AssembledFiles/;
sudo chmod -R go+w Captures/;
rm /tmp/nm.zip; rm /tmp/nm.zip;
mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/
chmod +x /opt/networkminer/NetworkMiner.exe;
chmod -R go+w /opt/networkminer/AssembledFiles/;
chmod -R go+w /opt/networkminer/Captures/;
# Create networkminer shim
cat << EOF >> /bin/networkminer
#!/bin/bash
/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@"
EOF
chmod +x /bin/networkminer
# Convert networkminer ico file to png format
yum -y install ImageMagick
convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png
# Create menu entry
cat << EOF >> /usr/share/applications/networkminer.desktop
[Desktop Entry]
Name=NetworkMiner
Comment=NetworkMiner
Encoding=UTF-8
Exec=/bin/networkminer %f
Icon=/opt/networkminer/networkminericon-4.png
StartupNotify=true
Terminal=false
X-MultipleArgs=false
Type=Application
MimeType=application/x-pcap;
Categories=Network;
EOF
# Set default monospace font to Liberation
cat << EOF >> /etc/fonts/local.conf
<match target="pattern">
<test name="family" qual="any">
<string>monospace</string>
</test>
<edit binding="strong" mode="prepend" name="family">
<string>Liberation Mono</string>
</edit>
</match>
EOF
# Install Wireshark for Gnome # Install Wireshark for Gnome
yum -y install wireshark-gnome; yum -y install wireshark-gnome;
@@ -73,12 +115,10 @@ yum -y install tcpxtract;
yum -y install whois; yum -y install whois;
# Install foremost # Install foremost
sudo yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm; yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
# Install Google Chrome # Install chromium
wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm; yum -y install chromium;
yum -y localinstall google-chrome-stable_current_x86_64.rpm;
rm google-chrome-stable_current_x86_64.rpm;
# Install tcpstat # Install tcpstat
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm;
@@ -88,7 +128,7 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-
# Install sslsplit # Install sslsplit
yum -y install libevent; yum -y install libevent;
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsplit-0.5.5/securityonion-sslsplit-0.5.5.rpm; yum -y install sslsplit;
# Install Bit-Twist # Install Bit-Twist
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
@@ -96,7 +136,13 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-
# Install chaosreader # Install chaosreader
yum -y install perl-IO-Compress perl-Net-DNS; yum -y install perl-IO-Compress perl-Net-DNS;
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm;
chmod +x /bin/chaosreader;
cp ../files/analyst/README /; cp ../files/analyst/README /;
reboot; echo
echo "Analyst workstation has been installed!"
echo "Press ENTER to reboot or Ctrl-C to cancel."
read pause
reboot;
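Review bot: The three here-docs added in the NetworkMiner hunk append with `>>` (the `/bin/networkminer` shim, the `.desktop` entry and `/etc/fonts/local.conf`), so re-running the installer duplicates the shim's shebang line and the desktop entry; `cat << EOF > /bin/networkminer` and `cat << EOF > /usr/share/applications/networkminer.desktop` are what is wanted. The fontconfig fragment also has no `<fontconfig>` root element, which fontconfig expects in a config file, so if local.conf does not already exist the result is likely not parseable — worth confirming on a fresh host. In the same hunk `curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo` writes whatever curl returns, including an HTTP error body, into the repo file; `curl -fsSL … | tee …` fails instead of installing a broken repo definition. The `Icon=/opt/networkminer/networkminericon-4.png` path does not match the `convert` output name a few lines earlier unless ImageMagick splits the multi-frame .ico into numbered files — presumably intentional, but a one-line comment would stop someone "fixing" it.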


@@ -1980,6 +1980,47 @@ zeek_logs_enabled() {
for BLOG in "${BLOGS[@]}"; do for BLOG in "${BLOGS[@]}"; do
echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar" echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
done done
elif [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then
printf '%s\n'\
" - conn"\
" - dce_rpc"\
" - dhcp"\
" - dhcpv6"\
" - dnp3"\
" - dns"\
" - dpd"\
" - files"\
" - ftp"\
" - http"\
" - intel"\
" - irc"\
" - kerberos"\
" - modbus"\
" - mqtt"\
" - notice"\
" - ntlm"\
" - openvpn"\
" - pe"\
" - radius"\
" - rfb"\
" - rdp"\
" - signatures"\
" - sip"\
" - smb_files"\
" - smb_mapping"\
" - smtp"\
" - snmp"\
" - software"\
" - ssh"\
" - ssl"\
" - syslog"\
" - telnet"\
" - tunnel"\
" - weird"\
" - mysql"\
" - socks"\
" - x509" >> "$zeeklogs_pillar"
# Disable syslog log by default
else else
printf '%s\n'\ printf '%s\n'\
" - conn"\ " - conn"\
@@ -2013,7 +2054,6 @@ zeek_logs_enabled() {
" - software"\ " - software"\
" - ssh"\ " - ssh"\
" - ssl"\ " - ssl"\
" - syslog"\
" - telnet"\ " - telnet"\
" - tunnel"\ " - tunnel"\
" - weird"\ " - weird"\
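Review bot: The comment `# Disable syslog log by default` at the end of the new `elif` branch is orphaned: nothing follows it in that branch, the EVAL/IMPORT list it closes still contains `" - syslog"`, and the removal it describes actually happens in the `else` branch in the second hunk. Either drop `" - syslog"\` from the new list as well or move the comment to the else branch; as written the two branches disagree on syslog with no explanation. The new list also appears to duplicate the else branch nearly line for line, so defining the common entries once in an array and appending the per-install-type extras would keep the two from drifting further. zeek_logs_enabled begins and ends outside these hunks.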


@@ -500,7 +500,7 @@ fi
update_sudoers >> $setup_log 2>&1 update_sudoers >> $setup_log 2>&1
set_progress_str 12 'Generating manager global pillar' set_progress_str 12 'Generating manager global pillar'
minio_generate_keys #minio_generate_keys
manager_global >> $setup_log 2>&1 manager_global >> $setup_log 2>&1
set_progress_str 13 'Generating manager pillar' set_progress_str 13 'Generating manager pillar'