From 989641eb5a2bbf5d9feba0fc23961eeacb3ffac9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Dec 2019 13:44:40 -0500 Subject: [PATCH 1/5] Setup - Fix prompts and disable onion user if iso --- salt/common/init.sls | 4 +- .../files/dynamic/9997_output_helix.conf | 53 +++++++++++-------- setup/so-setup.sh | 49 ++++++++++++++--- 3 files changed, 75 insertions(+), 31 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 0004bbc7e..3cd4dce19 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -117,13 +117,13 @@ nginxtmp: # Start the core docker so-coreimage: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.2 + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3 so-core: docker_container.running: - require: - so-coreimage - - image: docker.io/soshybridhunter/so-core:HH1.1.2 + - image: docker.io/soshybridhunter/so-core:HH1.1.3 - hostname: so-core - user: socore - binds: diff --git a/salt/logstash/files/dynamic/9997_output_helix.conf b/salt/logstash/files/dynamic/9997_output_helix.conf index 6168bfb07..320648de5 100644 --- a/salt/logstash/files/dynamic/9997_output_helix.conf +++ b/salt/logstash/files/dynamic/9997_output_helix.conf @@ -1,7 +1,7 @@ {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} filter { - if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { + if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ { grok { match => [ "source_ip", "^%{IPV4:srcipv4}$", @@ -72,7 +72,8 @@ filter { if "bro_dhcp" in [class] { mutate{ #add_field = { "metaclass" => "dhcp"} - rename => { "ips" => "ip" } + rename => { "message_types" => "direction" } + rename => { "lease_time" => "duration" } } } if "bro_files" in [class] { 
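Review bot: The widened test on the `if [type] =~ /^bro_conn|...|bro_x509$/` line is still an unanchored alternation: `^` binds only to `bro_conn` and `$` only to `bro_x509`, so any type that merely contains `bro_dns`, `bro_http` or the other middle alternatives passes the filter, and the same form is repeated for `[event_type]` in the output block of the next hunk. Group the alternatives, `if [type] =~ /^(bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509)$/ {`, and likewise in the output. The two `rename` entries in the bro_dhcp mutate could be one hash, `rename => { "message_types" => "direction" "lease_time" => "duration" }`, rather than relying on how Logstash treats a repeated option key in one plugin block.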
@@ -109,25 +110,35 @@ filter { rename => { "request_body_len" => "sentbodybytes" } } } - } -} - -#output { -# if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { -# http { -# url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload" -# http_method => post -# http_compression => true -# socket_timeout => 60 -# headers => ["Authorization","{{ HELIX_API_KEY }}"] -# format => json_batch -# } -# } -#} -output { - if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { - file { - path => "/var/log/logstash/output.json" + if "bro_weird" in [class] { + mutate{ + #add_field = { "metaclass" => "dns"} + rename => { "name" => "eventname" } + } + } + if "bro_x509" in [class] { + mutate{ + #add_field = { "metaclass" => "dns"} + rename => { "certificate_common_name" => "certname" } + rename => { "certificate_subject" => "certsubject" } + rename => { "issuer_common_name" => "issuer" } + reanme => { "certificate_issuer" => "issuersubject" } + rename => { "certificate_not_valid_before" => "issuetime" } + rename => { "certificate_key_type" => "cert_type" } + } + } + } +} + +output { + if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ { + http { + url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload" + http_method => post + http_compression => true + socket_timeout => 60 + headers => ["Authorization","{{ HELIX_API_KEY }}"] + format => json_batch } } } diff --git a/setup/so-setup.sh b/setup/so-setup.sh index d4286f913..b5a06dfe4 100644 --- a/setup/so-setup.sh +++ b/setup/so-setup.sh 
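Review bot: `reanme => { "certificate_issuer" => "issuersubject" }` in the new bro_x509 mutate is a typo for `rename`; mutate has no `reanme` option, so this file will fail config validation and the Logstash pipeline will not start with it loaded. The filter also gains a bro_weird mutate, but `bro_weird` is not in the output's `[event_type]` list, so those events are renamed and then never sent — confirm whether that is intended. The re-enabled http output posts to the Helix upload endpoint whenever the type matches even when `fireeye:helix:api_key` is unset (the pillar default is `''`), sending an empty Authorization header; wrapping the `output { ... }` block in `{% if HELIX_API_KEY %} ... {% endif %}` keeps the batch upload off until a key is configured. The `#add_field = { "metaclass" => "dns"}` comments copied onto the weird and x509 blocks no longer describe those classes.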
@@ -71,13 +71,13 @@ if (whiptail_you_sure) ; then # Set management nic whiptail_management_nic - whiptail_create_socore_user - SCMATCH=no - while [ $SCMATCH != yes ]; do - whiptail_create_socore_user_password1 - whiptail_create_socore_user_password2 - check_socore_pass - done +# whiptail_create_socore_user +# SCMATCH=no +# while [ $SCMATCH != yes ]; do +# whiptail_create_socore_user_password1 +# whiptail_create_socore_user_password2 +# check_socore_pass +# done else @@ -166,7 +166,10 @@ if (whiptail_you_sure) ; then get_filesystem_root get_filesystem_nsm get_main_ip - add_socore_user_master + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi + #add_socore_user_master # Install salt and dependencies { sleep 0.5 @@ -285,6 +288,15 @@ if (whiptail_you_sure) ; then fi fi + # Get a password for the socore user + whiptail_create_socore_user + SCMATCH=no + while [ $SCMATCH != yes ]; do + whiptail_create_socore_user_password1 + whiptail_create_socore_user_password2 + check_socore_pass + done + # Last Chance to back out whiptail_make_changes set_hostname @@ -300,6 +312,9 @@ if (whiptail_you_sure) ; then # Figure out the main IP address get_main_ip + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi # Add the user so we can sit back and relax #echo "" @@ -441,6 +456,9 @@ if (whiptail_you_sure) ; then mkdir -p /nsm get_filesystem_root get_filesystem_nsm + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi copy_ssh_key >> $SETUPLOG 2>&1 { sleep 0.5 @@ -525,6 +543,15 @@ if (whiptail_you_sure) ; then BROVERSION=ZEEK CURCLOSEDAYS=30 process_components + # Get a password for the socore user + whiptail_create_socore_user + SCMATCH=no + while [ $SCMATCH != yes ]; do + whiptail_create_socore_user_password1 + whiptail_create_socore_user_password2 + check_socore_pass + done + whiptail_make_changes set_hostname generate_passwords 
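Review bot: The socore prompts in this hunk are commented out rather than removed, and `#add_socore_user_master` in the @@ -166 hunk of this file is handled the same way; since the @@ -285 hunk re-adds the prompt loop later in the flow, delete the dead lines instead of carrying them as comments — git history keeps them. The enclosing `if (whiptail_you_sure)` block starts and ends outside the hunk.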
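Review bot: `if [ $INSTALLMETHOD == iso ]; then` in the @@ -166 hunk leaves `$INSTALLMETHOD` unquoted, so when the variable is empty or unset the test degrades to `[ == iso ]`, prints "unary operator expected" and evaluates false, silently skipping `disable_onion_user`; `==` inside `[` is also a bash extension rather than POSIX test syntax. Use `if [ "$INSTALLMETHOD" = iso ]; then` here and in the identical guards in the @@ -300 and @@ -441 hunks of this file and the @@ -535 and @@ -688 hunks that follow. Since the same three lines are now repeated five times, a small helper such as `disable_onion_user_if_iso` would keep them consistent. The surrounding `if (whiptail_you_sure)` block starts and ends outside every one of these hunks.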
@@ -535,6 +562,9 @@ if (whiptail_you_sure) ; then get_filesystem_nsm get_log_size_limit get_main_ip + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi # Add the user so we can sit back and relax add_socore_user_master { @@ -688,6 +718,9 @@ if (whiptail_you_sure) ; then mkdir -p /nsm get_filesystem_root get_filesystem_nsm + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi copy_ssh_key >> $SETUPLOG 2>&1 { sleep 0.5 From dd74c224dff7c56c9d1f980b7d1f397c68ccbeed Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Dec 2019 13:49:31 -0500 Subject: [PATCH 2/5] Setup - get rid of setting pw in eval --- setup/so-setup.sh | 9 --------- 1 file changed, 9 deletions(-) diff --git a/setup/so-setup.sh b/setup/so-setup.sh index b5a06dfe4..3570fc940 100644 --- a/setup/so-setup.sh +++ b/setup/so-setup.sh @@ -543,15 +543,6 @@ if (whiptail_you_sure) ; then BROVERSION=ZEEK CURCLOSEDAYS=30 process_components - # Get a password for the socore user - whiptail_create_socore_user - SCMATCH=no - while [ $SCMATCH != yes ]; do - whiptail_create_socore_user_password1 - whiptail_create_socore_user_password2 - check_socore_pass - done - whiptail_make_changes set_hostname generate_passwords From 549358c0eaf89a497794937686d39bd0b044eee4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Dec 2019 17:08:23 -0500 Subject: [PATCH 3/5] Setup - add dhcp or static for iso install --- setup/whiptail.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/setup/whiptail.sh b/setup/whiptail.sh index 123970bd5..4992e20d4 100644 --- a/setup/whiptail.sh +++ b/setup/whiptail.sh 
@@ -141,6 +141,18 @@ whiptail_cur_close_days() { whiptail_check_exitstatus $exitstatus } + +whiptail_dhcp_or_static() { + + ADDRESSTYPE=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose how to set up your management interface:" 20 78 4 \ + "STATIC" "Set a static IPv4 address" ON \ + "DHCP" "Use DHCP to configure the Management Interface" OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whiptail_enable_components() { COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ "Select Components to install" 20 75 8 \ From e4c8786e36605b83d7813bc3eeeb3778743e3d27 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 12 Dec 2019 09:07:32 -0500 Subject: [PATCH 4/5] Setup - fix missing whiptail for iso --- setup/whiptail.sh | 60 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/setup/whiptail.sh b/setup/whiptail.sh index 4992e20d4..6b095859d 100644 --- a/setup/whiptail.sh +++ b/setup/whiptail.sh @@ -106,6 +106,32 @@ whiptail_check_exitstatus() { } +whiptail_create_admin_user() { + + ADMINUSER=$(whiptail --title "Security Onion Install" --inputbox \ + "Please enter a username for your new admin user" 10 60 3>&1 1>&2 2>&3) + +} + +whiptail_create_admin_user_password1() { + + ADMINPASS1=$(whiptail --title "Security Onion Install" --passwordbox \ + "Enter a password for $ADMINUSER" 10 60 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + +whiptail_create_admin_user_password2() { + + ADMINPASS2=$(whiptail --title "Security Onion Install" --passwordbox \ + "Re-enter a password for $ADMINUSER" 10 60 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + whiptail_create_socore_user() { whiptail --title "Security Onion Setup" --msgbox "Set a password for the socore user. This account is used for adding sensors remotely." 8 75 
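Review bot: `whiptail_create_admin_user` in the @@ -106 hunk is the only one of the three new functions that does not check the dialog's exit status, so Cancel or Esc leaves `ADMINUSER` empty and the install goes on to prompt for a password for an empty username. Add the two lines the password functions already use after the assignment: `local exitstatus=$?` and `whiptail_check_exitstatus $exitstatus`. Because `ADMINUSER` is free text that presumably ends up in a user-creation command (the caller is not in this patch), it should also be validated against an anchored pattern, e.g. `[[ $ADMINUSER =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]`, and re-prompted otherwise.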
@@ -251,6 +277,40 @@ whiptail_log_size_limit() { } +whiptail_management_interface_dns() { + + MDNS=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your DNS server using space between multiple" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3) + +} + +whiptail_management_interface_dns_search() { + + MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your DNS search domain" 10 60 searchdomain.local 3>&1 1>&2 2>&3) + +} + +whiptail_management_interface_gateway() { + + MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your gateway" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + +} + +whiptail_management_interface_ip() { + + MIP=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your IP address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + +} + +whiptail_management_interface_mask() { + + MMASK=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter the bit mask for your subnet" 10 60 24 3>&1 1>&2 2>&3) + +} whiptail_management_nic() { From 6eab27f1de6fcec285c83546a1399343e0cf94c7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 12 Dec 2019 09:19:05 -0500 Subject: [PATCH 5/5] Setup - fix iso hostname --- setup/functions.sh | 9 +++++++++ setup/so-setup.sh | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/setup/functions.sh b/setup/functions.sh index 017932834..ef8409df1 100644 --- a/setup/functions.sh +++ b/setup/functions.sh @@ -1171,6 +1171,15 @@ set_hostname() { } +set_hostname_iso() { + + hostnamectl set-hostname --static $HOSTNAME + echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts + echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts + echo $HOSTNAME > /etc/hostname + +} + set_initial_firewall_policy() { get_main_ip diff --git a/setup/so-setup.sh b/setup/so-setup.sh index 3570fc940..57f75c015 100644 --- a/setup/so-setup.sh +++ b/setup/so-setup.sh 
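Review bot: In `whiptail_management_interface_dns` the default value `8.8.8.8 8.8.4.4` is passed as two separate arguments after the width; `--inputbox` takes a single optional init string, so the second address becomes an unexpected positional argument that whiptail is likely to reject or ignore. Quote it: `"Enter your DNS server using space between multiple" 10 60 "8.8.8.8 8.8.4.4" 3>&1 1>&2 2>&3)`. None of the five new prompts passes `$?` to `whiptail_check_exitstatus` as the existing functions do, and the `X.X.X.X` placeholders for gateway and IP are returned verbatim if the user just presses OK, so MIP, MGATEWAY, MMASK and MDNS should each be validated against an anchored IPv4 or prefix-length pattern before being written into network configuration. `whiptail_management_interface_mask` also lacks the blank line before `whiptail_management_nic() {` that the file keeps between functions.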
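Review bot: `set_hostname_iso` in the functions.sh hunk writes `$HOSTNAME` unquoted into `hostnamectl`, `/etc/hosts` and `/etc/hostname` without validating it, so a value containing spaces or shell metacharacters yields a broken hosts file or a hostname other than the one entered. Quote every use, `hostnamectl set-hostname --static "$HOSTNAME"`, and check the value first, e.g. `[[ $HOSTNAME =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]] || return 1`. Note that bash initialises `HOSTNAME` to the machine's current name, so if the prompt that is presumably meant to set it is skipped this function silently re-applies the existing hostname. Overwriting `/etc/hosts` with `>` discards any existing entries; if that is intended it deserves a comment saying so, and `echo $HOSTNAME > /etc/hostname` appears redundant with `hostnamectl set-hostname --static`, which already writes that file on systemd hosts.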
@@ -98,7 +98,7 @@ if (whiptail_you_sure) ; then fi # Go ahead and bring up networking so other parts of the install work - set_hostname + set_hostname_iso set_management_interface # Add an admin user
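Review bot: `set_hostname` is replaced by `set_hostname_iso` unconditionally at this call site, while the other iso-specific steps added in this series are guarded with an `$INSTALLMETHOD` check; if this branch can also be reached for non-iso installs, the guard belongs here too, e.g. `if [ "$INSTALLMETHOD" = iso ]; then set_hostname_iso; else set_hostname; fi`. The enclosing `if (whiptail_you_sure)` block starts and ends outside the hunk.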