merge with dev and resolve conflict

files/analyst/README

@@ -1,81 +1,79 @@
-The following tools are available on the analyst workstation.
+The following GUI tools are available on the analyst workstation:
 
-NetworkMiner
-  url: https://www.netresec.com
-  Running NetworkMiner: Open terminal and run: mono /opt/NetworkMiner_2-5/NetworkMiner.exe --noupdatecheck
+chromium
+  url: https://www.chromium.org/Home
+  To run chromium, click Applications > Internet > Chromium Web Browser
   
 Wireshark
   url: https://www.wireshark.org/
-  Running Wireshark: Applications > Internet > Wireshark Network Analyzer
+  To run Wireshark, click Applications > Internet > Wireshark Network Analyzer
 
-dnsiff
-  url: https://www.monkey.org/~dugsong/dsniff/
-  Running dsniff: Open terminal and run: dsniff -h
+NetworkMiner
+  url: https://www.netresec.com
+  To run NetworkMiner, click Applications > Internet > NetworkMiner
 
-hping3
-  url: http://www.hping.org/hping3.html
-  Running hping3: Open terminal and run: hping3 -h
-
-netsed
-  url: http://silicone.homelinux.org/projects/netsed/
-  Running netsed: Open terminal and run: netsed -h
-
-ngrep
-  url: https://github.com/jpr5/ngrep
-  Running ngrep: Open terminal and run: ngrep -h
-
-scapy
-  url: http://www.secdev.org/projects/scapy/
-  Running scapy: Open terminal and run: scapy
-
-ssldump
-  url: http://www.rtfm.com/ssldump/
-  Running ssldump: Open terminal and run: ssldump -h
-
-tcpdump
-  url: http://www.tcpdump.org
-  Running tcpdump: Open terminal and run: tcpdump -h
-
-tcpflow
-  url: https://github.com/simsong/tcpflow
-  Running tcpflow: Open terminal and run: tcpflow -h
-
-tcpxtract
-  url: http://tcpxtract.sourceforge.net/
-  Running tcpxtract: Open terminal and run: tcpxtract -h
-
-whois
-  url: http://www.linux.it/~md/software/
-  Running whois: Open terminal and run: whois -h
-
-foremost
-  url: http://foremost.sourceforge.net
-  Running foremost: Open terminal and run: foremost -h
-
-tcpstat
-  url: https://frenchfries.net/paul/tcpstat/
-  Running tcpstat: Open terminal and run: tcpstat -h
-
-tcptrace
-  url: http://www.tcptrace.org
-  Running tcptract: Open terminal and run: tcptrace -h
-
-sslsplit
-  url: https://github.com/droe/sslsplit
-  Running sslsplit: Open terminal and run: sslsplit -h
+The following CLI tools are available on the analyst workstation:
 
 bit-twist
   url: http://bittwist.sourceforge.net
-  Running bit-twist: Open terminal and run: bittwist -h
+  To run bit-twist, open a terminal and type: bittwist -h
 
 chaosreader
   url: http://chaosreader.sourceforge.net
-  Running chaosreader: Open terminal and run: perl /usr/bin/chaosreader -h
+  To run chaosreader, open a terminal and type: chaosreader -h
 
-Google Chrome
-  url: https://www.google.com/chrome/
-  Running Google Chrome: Applications > Internet > Google Chrome
+dnsiff
+  url: https://www.monkey.org/~dugsong/dsniff/
+  To run dsniff, open a terminal and type: dsniff -h
 
+foremost
+  url: http://foremost.sourceforge.net
+  To run foremost, open a terminal and type: foremost -h
   
+hping3
+  url: http://www.hping.org/hping3.html
+  To run hping3, open a terminal and type: hping3 -h
 
+netsed
+  url: http://silicone.homelinux.org/projects/netsed/
+  To run netsed, open a terminal and type: netsed -h
 
+ngrep
+  url: https://github.com/jpr5/ngrep
+  To run ngrep, open a terminal and type: ngrep -h
+
+scapy
+  url: http://www.secdev.org/projects/scapy/
+  To run scapy, open a terminal and type: scapy
+
+ssldump
+  url: http://www.rtfm.com/ssldump/
+  To run ssldump, open a terminal and type: ssldump -h
+
+sslsplit
+  url: https://github.com/droe/sslsplit
+  To run sslsplit, open a terminal and type: sslsplit -h
+
+tcpdump
+  url: http://www.tcpdump.org
+  To run tcpdump, open a terminal and type: tcpdump -h
+
+tcpflow
+  url: https://github.com/simsong/tcpflow
+  To run tcpflow, open a terminal and type: tcpflow -h
+
+tcpstat
+  url: https://frenchfries.net/paul/tcpstat/
+  To run tcpstat, open a terminal and type: tcpstat -h
+
+tcptrace
+  url: http://www.tcptrace.org
+  To run tcptrace, open a terminal and type: tcptrace -h
+
+tcpxtract
+  url: http://tcpxtract.sourceforge.net/
+  To run tcpxtract, open a terminal and type: tcpxtract -h
+
+whois
+  url: http://www.linux.it/~md/software/
+  To run whois, open a terminal and type: whois -h

salt/common/tools/sbin/so-common

@@ -40,3 +40,8 @@ lookup_pillar_secret() {
     key=$1
     cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}'
 }
+
+check_container() {
+	docker ps | grep "$1:" > /dev/null 2>&1
+	return $?
+}

salt/common/tools/sbin/so-cortex-user-add

@@ -47,7 +47,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type:
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
     echo "Successfully added user to Cortex."
 else
-    echo "Failed to add user to Cortex. See API response below."
+    echo "Failed to add user to Cortex."
     exit 2
 fi
     

salt/common/tools/sbin/so-thehive-user-add

@@ -46,7 +46,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type:
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
     echo "Successfully added user to TheHive."
 else
-    echo "Failed to add user to TheHive. See API response below."
+    echo "Failed to add user to TheHive."
     echo $resp
     exit 2
 fi

salt/common/tools/sbin/so-user

@@ -8,18 +8,7 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
-got_root() {
-
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
-
-}
-
-# Make sure the user is root
-got_root
+. /usr/sbin/so-common
 
 if [[ $# < 1 || $# > 2 ]]; then
   echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
@@ -190,9 +179,9 @@ case "${operation}" in
     validateEmail "$email"
     createUser "$email"
     echo "Successfully added new user to SOC"
-    echo $password | so-thehive-user-add "$email"
-    echo $password | so-cortex-user-add "$email"
-    echo $password | so-fleet-user-add "$email"
+    check_container thehive && echo $password | so-thehive-user-add "$email"
+    check_container cortex && echo $password | so-cortex-user-add "$email"
+    check_container fleet && echo $password | so-fleet-user-add "$email"
     ;;
 
   "list")

salt/common/tools/sbin/so-wazuh-agent-manage

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+  docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@"
+else
+  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
+fi

salt/common/tools/sbin/so-wazuh-agent-upggrade

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+  docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@"
+else
+  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
+fi

salt/elastalert/init.sls

@@ -100,6 +100,12 @@ elastaconf:
     - group: 933
     - template: jinja
 
+wait_for_elasticsearch:
+  module.run:
+    - http.wait_for_successful_query:
+      - url: 'http://{{MANAGER}}:9200/_cat/indices/.kibana*'
+      - wait_for: 180
+
 so-elastalert:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }}
@@ -112,5 +118,6 @@ so-elastalert:
       - /opt/so/log/elastalert:/var/log/elastalert:rw
       - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
       - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
-
+    - require:
+      - module: wait_for_elasticsearch
 {% endif %}

salt/soc/files/soc/soc.json

@@ -63,7 +63,7 @@
           "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ],
           "::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ],
           "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ],
-          "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.cipher", "ssl.curve", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
+          "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
           "::syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ],
           "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ],
           "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ],

salt/top.sls

@@ -149,7 +149,6 @@ base:
     - wazuh
     {%- endif %}
     - logstash
-    - minio
     - redis
     - kibana
     - elastalert
@@ -198,7 +197,6 @@ base:
     - wazuh
     {%- endif %}
     - logstash
-    - minio
     - redis
     - kibana
     - pcap
@@ -314,7 +312,6 @@ base:
     - manager
     - idstools
     - suricata.manager
-    - minio
     {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
     - mysql
     {%- endif %}
@@ -355,7 +352,6 @@ base:
     - nginx
     - telegraf
     - firewall
-    - minio
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}

setup/so-analyst

@@ -15,6 +15,11 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+if [ "$(id -u)" -ne 0 ]; then
+	echo "This script must be run using sudo!"
+	exit 1
+fi
+
 # Install misc utils
 yum -y install wget curl unzip epel-release;
 
@@ -26,18 +31,55 @@ ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target;
 
 # Install Mono - prereq for NetworkMiner
 rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef";
-su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo';
+curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo;
 yum -y install mono-devel;
 
 # Install NetworkMiner
 yum -y install libcanberra-gtk2;
 wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;
-unzip /tmp/nm.zip -d /opt/;
-cd /opt/NetworkMiner*;
-sudo chmod +x NetworkMiner.exe;
-sudo chmod -R go+w AssembledFiles/;
-sudo chmod -R go+w Captures/;
+mkdir -p /opt/networkminer/
+unzip /tmp/nm.zip -d /opt/networkminer/;
 rm /tmp/nm.zip;
+mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/
+chmod +x /opt/networkminer/NetworkMiner.exe;
+chmod -R go+w /opt/networkminer/AssembledFiles/;
+chmod -R go+w /opt/networkminer/Captures/;
+# Create networkminer shim
+cat << EOF >> /bin/networkminer
+#!/bin/bash
+/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@"
+EOF
+chmod +x /bin/networkminer
+# Convert networkminer ico file to png format
+yum -y install ImageMagick
+convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png
+# Create menu entry
+cat << EOF >> /usr/share/applications/networkminer.desktop
+[Desktop Entry]
+Name=NetworkMiner
+Comment=NetworkMiner
+Encoding=UTF-8
+Exec=/bin/networkminer %f
+Icon=/opt/networkminer/networkminericon-4.png
+StartupNotify=true
+Terminal=false
+X-MultipleArgs=false
+Type=Application
+MimeType=application/x-pcap;
+Categories=Network;
+EOF
+
+# Set default monospace font to Liberation
+cat << EOF >> /etc/fonts/local.conf
+ <match target="pattern">
+  <test name="family" qual="any">
+   <string>monospace</string>
+  </test>
+  <edit binding="strong" mode="prepend" name="family">
+   <string>Liberation Mono</string>
+  </edit>
+ </match>
+EOF
 
 # Install Wireshark for Gnome
 yum -y install wireshark-gnome; 
@@ -73,12 +115,10 @@ yum -y install tcpxtract;
 yum -y install whois;
 
 # Install foremost
-sudo yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
+yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
 
-# Install Google Chrome
-wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm;
-yum -y localinstall google-chrome-stable_current_x86_64.rpm;
-rm google-chrome-stable_current_x86_64.rpm;
+# Install chromium
+yum -y install chromium;
 
 # Install tcpstat
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm;
@@ -88,7 +128,7 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-
 
 # Install sslsplit
 yum -y install libevent;
-yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsplit-0.5.5/securityonion-sslsplit-0.5.5.rpm;
+yum -y install sslsplit;
 
 # Install Bit-Twist
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
@@ -96,7 +136,13 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-
 # Install chaosreader
 yum -y install perl-IO-Compress perl-Net-DNS;
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm;
+chmod +x /bin/chaosreader;
 
 cp ../files/analyst/README /;
 
+echo
+echo "Analyst workstation has been installed!"
+echo "Press ENTER to reboot or Ctrl-C to cancel."
+read pause
+
 reboot;

setup/so-functions

@@ -1980,7 +1980,7 @@ zeek_logs_enabled() {
 		for BLOG in "${BLOGS[@]}"; do
 			echo "    - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
 		done
-	else
+	elif [ "$install_type" == "EVAL" ]  || [ "$install_type" == "IMPORT" ]; then
 		printf '%s\n'\
                         "    - conn"\
                         "    - dce_rpc"\
@@ -2020,6 +2020,46 @@ zeek_logs_enabled() {
                         "    - mysql"\
                         "    - socks"\
                         "    - x509" >> "$zeeklogs_pillar"
+	# Disable syslog log by default
+	else
+		printf '%s\n'\
+			"    - conn"\
+			"    - dce_rpc"\
+			"    - dhcp"\
+			"    - dhcpv6"\
+			"    - dnp3"\
+			"    - dns"\
+			"    - dpd"\
+			"    - files"\
+			"    - ftp"\
+			"    - http"\
+			"    - intel"\
+			"    - irc"\
+			"    - kerberos"\
+			"    - modbus"\
+			"    - mqtt"\
+			"    - notice"\
+			"    - ntlm"\
+			"    - openvpn"\
+			"    - pe"\
+			"    - radius"\
+			"    - rfb"\
+			"    - rdp"\
+			"    - signatures"\
+			"    - sip"\
+			"    - smb_files"\
+			"    - smb_mapping"\
+			"    - smtp"\
+			"    - snmp"\
+			"    - software"\
+			"    - ssh"\
+			"    - ssl"\
+			"    - telnet"\
+			"    - tunnel"\
+			"    - weird"\
+			"    - mysql"\
+			"    - socks"\
+			"    - x509" >> "$zeeklogs_pillar"
 	fi
 
 	printf '%s\n'  '----' >> "$setup_log" 2>&1

setup/so-setup

@@ -500,7 +500,7 @@ fi
 		update_sudoers >> $setup_log 2>&1
 		
 		set_progress_str 12 'Generating manager global pillar'
-		minio_generate_keys
+		#minio_generate_keys
 		manager_global >> $setup_log 2>&1
 		
 		set_progress_str 13 'Generating manager pillar'