From 679925ebd967160aa3242405127e3ce5b829c07b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 30 Mar 2021 13:29:56 -0400
Subject: [PATCH 1/6] Fix sensor cleanup & playbook sync scripts
---
 salt/common/tools/sbin/so-playbook-sync | 4 ++++
 salt/common/tools/sbin/so-sensor-clean | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index 250e4a3ad..a76d398cb 100755
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -17,4 +17,8 @@
 . /usr/sbin/so-common
+# Check to see if we are already running
+IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)
+[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
+
 docker exec so-soctopus python3 playbook_play-sync.py
diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean
index 63f102f0c..e62c3c4da 100755
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -115,7 +115,7 @@ clean() {
 }
 # Check to see if we are already running
-IS_RUNNING=$(ps aux | grep "so-sensor-clean" | grep -v grep | wc -l)
+IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l)
 [ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
From 0b9cf57b5f10b73dfffd094e414fca5ebe75042f Mon Sep 17 00:00:00 2001
From: gebhard73
Date: Wed, 31 Mar 2021 14:22:06 +0200
Subject: [PATCH 2/6] Update so-index-list

Sort by index name.
---
 salt/common/tools/sbin/so-index-list | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list
index dcfebbf58..cf9232150 100755
--- a/salt/common/tools/sbin/so-index-list
+++ b/salt/common/tools/sbin/so-index-list
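Review bot: The `ps aux |` in the new `IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)` line is dead, because pgrep does not read stdin, and the count it produces still includes this script's own shell plus the command-substitution subshell, so the `-gt 2` threshold rests on that incidental fork count; the so-sensor-clean hunk below has the same construction. `pgrep -f` also matches any process whose command line merely contains the script name, so an unrelated long-running process that happens to mention it makes the sync exit without doing anything, with only a stdout message here and a `$LOG` line in so-sensor-clean to show for it. A lock file is the robust form and needs no threshold: `exec 9>"$LOCKFILE"` followed by `flock -n 9 || { echo "$(date) - Multiple Playbook Sync processes already running...exiting."; exit 0; }`, with LOCKFILE a path of the maintainers' choosing, and the equivalent two lines writing to `$LOG` in so-sensor-clean. If the pgrep form is kept, dropping `ps aux |` and commenting why the threshold is 2 would at least make the intent readable.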
@@ -15,4 +15,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-curl -X GET -k -L https://localhost:9200/_cat/indices?v
+curl -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"
From 5203c25971d7bbcdab4fe5b76897ac60b73a0bb4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 31 Mar 2021 09:13:38 -0400
Subject: [PATCH 3/6] Add Wazuh 4 Repo
---
 setup/yum_repos/securityonion.repo | 8 ++++++++
 setup/yum_repos/securityonioncache.repo | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/setup/yum_repos/securityonion.repo b/setup/yum_repos/securityonion.repo
index 20c907289..e61829380 100644
--- a/setup/yum_repos/securityonion.repo
+++ b/setup/yum_repos/securityonion.repo
@@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
 enabled=1
 name=Wazuh repository
 baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/
+protect=1
+
+[wazuh4_repo]
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/
 protect=1
\ No newline at end of file
diff --git a/setup/yum_repos/securityonioncache.repo b/setup/yum_repos/securityonioncache.repo
index 4fcb992d5..6d5058337 100644
--- a/setup/yum_repos/securityonioncache.repo
+++ b/setup/yum_repos/securityonioncache.repo
@@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
 enabled=1
 name=Wazuh repository
 baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/
+protect=1
+
+[wazuh4_repo]
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/
 protect=1
\ No newline at end of file
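Review bot: Quoting the URL is necessary now that it carries `&`, but the new `curl` line still passes `-k`, which disables certificate verification for the Elasticsearch call, and `-L` will follow any redirect over that same unverified connection. If the local certificate is self-signed, a comment saying so, or a `--cacert` pointing at the local CA bundle in place of `-k`, would make that decision explicit rather than implicit. `-X GET` is curl's default and can be dropped from the line.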
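Review bot: The new `[wazuh4_repo]` section reuses `name=Wazuh repository`, the display name already used by the `[wazuh_repo]` section directly above it, so repository listings and update logs show two entries that cannot be told apart; the securityonioncache.repo hunk below has the same duplicate. `name=Wazuh 4 repository` distinguishes them. The `\ No newline at end of file` marker shows the file still ends without a newline, so the next append will produce the same `protect=1` churn; adding one now avoids that.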
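Review bot: The added `baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/` points the cache variant of this file at the primary host, while the existing `[wazuh_repo]` section in the same file uses `http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/`; this reads as a copy of the securityonion.repo hunk and, if unintended, bypasses the cache for Wazuh 4 packages. If the cache host is meant here, `baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh4_repo/` matches the rest of the file. Either way `gpgcheck=1` with the same `gpgkey` keeps package signature verification in place, which is the property to preserve if the host is changed.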
From bb39ccc1aa512b72dc400b435030eecdb49356a1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 31 Mar 2021 09:25:21 -0400
Subject: [PATCH 4/6] Fix Automation Testing
---
 setup/automation/eval-net-centos | 2 +-
 setup/automation/import-net-centos | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net-centos
index abd0c4765..82d2cc9ec 100644
--- a/setup/automation/eval-net-centos
+++ b/setup/automation/eval-net-centos
@@ -41,7 +41,7 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos
index 37ca6ac51..f6394bde1 100644
--- a/setup/automation/import-net-centos
+++ b/setup/automation/import-net-centos
@@ -41,7 +41,7 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
From 46865809ed92cddb1199ab73a8bad9fd4c3de00c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 31 Mar 2021 09:28:02 -0400
Subject: [PATCH 5/6] Fix Automation Testing round 2
---
 setup/automation/import-airgap | 2 +-
 setup/automation/import-ami | 2 +-
 setup/automation/import-iso | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap
index bfd0e3641..9c394ef2f 100644
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-airgap
@@ -42,7 +42,7 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-ami b/setup/automation/import-ami
index 88734c352..10758be9a 100644
--- a/setup/automation/import-ami
+++ b/setup/automation/import-ami
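Review bot: `MANAGERUPDATES=0` is flipped with no comment, and the answer file carries no explanation of what the value controls, so a later reader cannot tell whether the automated installs are meant to skip manager updates permanently or only until whatever broke the tests is fixed; the same line changes in import-net-centos in this patch and in import-airgap, import-ami and import-iso in the next one. A one-line comment above it, on the order of `# MANAGERUPDATES=0: do not pull updates during automated test installs`, would carry that intent across all five files. Presumably the flag gates package updates on the manager during setup; confirm against the setup code before wording the comment.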
@@ -41,7 +41,7 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-iso b/setup/automation/import-iso
index 011623091..fbfdd364b 100644
--- a/setup/automation/import-iso
+++ b/setup/automation/import-iso
@@ -41,7 +41,7 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
+MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
From ef984455605de8b1cb6f1ea7ee7b13d49afa824a Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 31 Mar 2021 15:44:41 -0400
Subject: [PATCH 6/6] Fix Playbook Alert timestamps
---
 salt/elastalert/files/modules/so/playbook-es.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py
index c10a80f2c..ab2327ab7 100644
--- a/salt/elastalert/files/modules/so/playbook-es.py
+++ b/salt/elastalert/files/modules/so/playbook-es.py
@@ -17,7 +17,7 @@ class PlaybookESAlerter(Alerter):
 def alert(self, matches):
 for match in matches:
 today = strftime("%Y.%m.%d", gmtime())
- timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime())
+ timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S"'.000Z', gmtime())
 headers = {"Content-Type": "application/json"}
 payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
 url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/"
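Review bot: `today` and the new `timestamp` line each call `gmtime()` separately, so an alert written across midnight UTC can carry an `@timestamp` whose date disagrees with the `so-playbook-alerts-{today}` index it lands in; read the clock once with `now = gmtime()` and derive both as `today = strftime("%Y.%m.%d", now)` and `timestamp = strftime("%Y-%m-%dT%H:%M:%S.000Z", now)`. The implicit concatenation of mixed `"…"'T'"…"'.000Z'` literals on the added line is easy to misread, and the single format string above removes it. The `.000` fraction is a fixed marker rather than a measured millisecond value, which is acceptable for the index mapping but deserves a short comment so nobody later reads it as real precision. `alert` continues past the end of the hunk and `PlaybookESAlerter` begins before it.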