CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into foxtrot

Browse Source
This commit is contained in:
William Wernert
2021-03-31 16:02:26 -04:00
parent dfe5e73608 2b86241450
commit a8483cb30e
11 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/common/tools/sbin/so-index-list
View File

@@ -15,4 +15,4 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
curl -X GET -k -L https://localhost:9200/_cat/indices?v curl -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"

4
salt/common/tools/sbin/so-playbook-sync
View File

@@ -17,4 +17,8 @@
. /usr/sbin/so-common . /usr/sbin/so-common
# Check to see if we are already running
IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)
[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
docker exec so-soctopus python3 playbook_play-sync.py docker exec so-soctopus python3 playbook_play-sync.py

2
salt/common/tools/sbin/so-sensor-clean
View File

@@ -115,7 +115,7 @@ clean() {
} }
# Check to see if we are already running # Check to see if we are already running
IS_RUNNING=$(ps aux | grep "so-sensor-clean" | grep -v grep | wc -l) IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l)
[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0 [ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then

2
salt/elastalert/files/modules/so/playbook-es.py
View File

@@ -17,7 +17,7 @@ class PlaybookESAlerter(Alerter):
def alert(self, matches): def alert(self, matches):
for match in matches: for match in matches:
today = strftime("%Y.%m.%d", gmtime()) today = strftime("%Y.%m.%d", gmtime())
timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime()) timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S"'.000Z', gmtime())
headers = {"Content-Type": "application/json"} headers = {"Content-Type": "application/json"}
payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp} payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/" url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/"

2
setup/automation/eval-net-centos
View File

@@ -41,7 +41,7 @@ install_type=EVAL
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1 MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=

2
setup/automation/import-airgap
View File

@@ -42,7 +42,7 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1 MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=

2
setup/automation/import-ami
View File

@@ -41,7 +41,7 @@ install_type=IMPORT
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1 MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=

2
setup/automation/import-iso
View File

@@ -41,7 +41,7 @@ install_type=IMPORT
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1 MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=

2
setup/automation/import-net-centos
View File

@@ -41,7 +41,7 @@ install_type=IMPORT
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1 MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=

8
setup/yum_repos/securityonion.repo
View File

@@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
enabled=1 enabled=1
name=Wazuh repository name=Wazuh repository
baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/ baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/
protect=1
[wazuh4_repo]
gpgcheck=1
gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/
protect=1 protect=1

8
setup/yum_repos/securityonioncache.repo
View File

@@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
enabled=1 enabled=1
name=Wazuh repository name=Wazuh repository
baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/ baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/
protect=1
[wazuh4_repo]
gpgcheck=1
gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/
protect=1 protect=1