Bro Salt Module - Policy Rework

This commit is contained in:
Mike Reeves
2018-03-05 12:12:45 -05:00
parent d36d0ab6ec
commit b8e8df600e
11 changed files with 3182 additions and 10 deletions


@@ -2,5 +2,6 @@
sensor: sensor:
interface: CHANGEME interface: CHANGEME
lbprocs: CHANGEME lbprocs: CHANGEME
lsheap: brobpf:
lsaccessip: pcapbpf:
nidsbpf:
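Review bot: The three new keys `brobpf:`, `pcapbpf:` and `nidsbpf:` are left without a value, which YAML loads as null; a template that interpolates them directly will render the literal string `None` rather than an empty BPF filter. Either give them an explicit empty string (`brobpf: ''`) or make every consumer use `salt['pillar.get']('sensor:brobpf', '')` so a missing value degrades to "no filter" instead of an invalid expression. The other keys in this pillar use `CHANGEME` placeholders; a short comment stating that an empty BPF means "capture everything" (if that is the intent — confirm) would make the contrast deliberate.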


@@ -90,7 +90,8 @@
# @load policy/protocols/ssl/heartbleed # @load policy/protocols/ssl/heartbleed
# Uncomment the following line to enable logging of connection VLANs. Enabling # Uncomment the following line to enable logging of connection VLANs. Enabling
# this adds two VLAN fields to the conn.log file. # this adds two VLAN fields to the conn.log file. This may not work properly
# since we use AF_PACKET and it strips VLAN tags.
# @load policy/protocols/conn/vlan-logging # @load policy/protocols/conn/vlan-logging
# Uncomment the following line to enable logging of link-layer addresses. Enabling # Uncomment the following line to enable logging of link-layer addresses. Enabling
@@ -99,10 +100,17 @@
# Uncomment the following line to enable the SMB analyzer. The analyzer # Uncomment the following line to enable the SMB analyzer. The analyzer
# is currently considered a preview and therefore not loaded by default. # is currently considered a preview and therefore not loaded by default.
# @load policy/protocols/smb @load policy/protocols/smb
# Security Onion default scripts ######################################
@load securityonion ## Security Onion Scripts Section ##
######################################
# Add the interface to the log event
@load securityonion/add-interface-to-logs.bro
# Add Sensor Name to the conn.log
@load securityonion/conn-add-sensorname.bro
# File Extraction # File Extraction
@load file-extraction @load file-extraction
@@ -110,9 +118,21 @@
# Intel from Mandiant APT1 Report # Intel from Mandiant APT1 Report
#@load apt1 #@load apt1
# You can load your own intel into:
# /opt/bro/share/bro/intel/
@load intel
# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271 # ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
@load shellshock @load shellshock
#############################
## End SO Scrips Section ##
#############################
#############################
## Custom Script Section ##
#############################
# You can load your own intel into:
# /opt/so/saltstack/bro/policy/intel/ on the master
@load intel
# Load a custom Bro policy
# /opt/so/saltstack/bro/policy/custom/ on the master
#@load custom/somebropolicy.bro
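Review bot: The comment above `@load policy/protocols/smb` still says the analyzer "is currently considered a preview and therefore not loaded by default", but the new side now loads it unconditionally, so the comment contradicts the line it describes; reword it to something like `# The SMB analyzer is enabled by default in Security Onion; comment out to disable.` or drop the "not loaded by default" clause. The closing banner `## End SO Scrips Section ##` has a typo and should read `## End SO Scripts Section ##`. The VLAN note added above `# @load policy/protocols/conn/vlan-logging` is a useful caveat, but "may not work properly" is vague — if the observed behaviour is that VLAN fields come out empty under AF_PACKET, say that explicitly so operators know what to expect.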


@@ -0,0 +1,20 @@
{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
global interface = "{{ interface }}";
event bro_init()
{
if ( ! reading_live_traffic() )
return;
Log::remove_default_filter(HTTP::LOG);
Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
$path_func(id: Log::ID, path: string, rec: HTTP::Info) =
{
local peer = get_event_peer()$descr;
if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
return cat("http_", Cluster::nodes[peer]$interface);
else
return "http";
}
]);
}
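Review bot: The templated `global interface = "{{ interface }}";` on the second line is never read — the path function derives the interface from `Cluster::nodes[peer]$interface` — so the pillar lookup and its `'0'` fallback are dead unless another script consumes this global. If it is kept, `'0'` is not a meaningful interface name; prefer `salt['pillar.get']('sensor:interface')` with no default so a missing pillar value fails the render rather than silently producing a bogus string. Despite the file name only `HTTP::LOG` gets the per-interface filter here; a header comment such as `# Splits http.log into http_<iface>.log per cluster node; other logs keep their default filter` would set expectations. `get_event_peer()` belongs to the legacy communication framework, so confirm it is still available on the Bro version this module targets.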


@@ -0,0 +1,9 @@
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files
redef Intel::read_files += {
fmt("%s/apt1-fqdn.dat", @DIR),
fmt("%s/apt1-md5.dat", @DIR),
fmt("%s/apt1-certs.dat", @DIR)
};
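Review bot: It is not obvious why an intel bundle loads `frameworks/files/hash-all-files`; a one-line comment would save the next reader a lookup, e.g. `# Hash every file so Intel::seen can match the MD5 indicators in apt1-md5.dat` — presumably that is the reason, confirm. Note that hashing every observed file has a CPU cost on busy sensors, which is worth stating in the same comment since this loader is currently inert (local.bro keeps `#@load apt1` commented out) and the cost only appears once someone enables it.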


@@ -0,0 +1,26 @@
#fields indicator indicator_type meta.source meta.desc meta.do_notice
b054e26ef827fbbf5829f84a9bdbb697a5b042fc Intel::CERT_HASH Mandiant APT1 Report ALPHA T
7bc0cc2cf7c3a996c32dbe7e938993f7087105b4 Intel::CERT_HASH Mandiant APT1 Report AOL T
7855c132af1390413d4e4ff4ead321f8802d8243 Intel::CERT_HASH Mandiant APT1 Report AOL T
f3e3c590d7126bd227733e9d8313d2575c421243 Intel::CERT_HASH Mandiant APT1 Report AOL T
d4d4e896ce7d73b573f0a0006080a246aec61fe7 Intel::CERT_HASH Mandiant APT1 Report AOL T
bcdf4809c1886ac95478bbafde246d0603934298 Intel::CERT_HASH Mandiant APT1 Report AOL T
6b4855df8afc8d57a671fe5ed628f6d88852a922 Intel::CERT_HASH Mandiant APT1 Report AOL T
d50fdc82c328319ac60f256d3119b8708cd5717b Intel::CERT_HASH Mandiant APT1 Report AOL T
70b48d5177eebe9c762e9a37ecabebfd10e1b7e9 Intel::CERT_HASH Mandiant APT1 Report AOL T
3a6a299b764500ce1b6e58a32a257139d61a3543 Intel::CERT_HASH Mandiant APT1 Report AOL T
bf4f90e0029b2263af1141963ddf2a0c71a6b5fb Intel::CERT_HASH Mandiant APT1 Report AOL T
b21139583dec0dae344cca530690ec1f344acc79 Intel::CERT_HASH Mandiant APT1 Report AOL T
21971ffef58baf6f638df2f7e2cceb4c58b173c8 Intel::CERT_HASH Mandiant APT1 Report EMAIL T
04ecff66973c92a1c348666d5a4738557cce0cfc Intel::CERT_HASH Mandiant APT1 Report IBM T
f97d1a703aec44d0f53a3a294e33acda43a49de1 Intel::CERT_HASH Mandiant APT1 Report IBM T
c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe Intel::CERT_HASH Mandiant APT1 Report IBM T
1b27a897cda019da2c3a6dc838761871e8bf5b5d Intel::CERT_HASH Mandiant APT1 Report LAME T
d515996e8696612dc78fc6db39006466fc6550df Intel::CERT_HASH Mandiant APT1 Report MOON-NIGHT T
8f79315659e59c79f1301ef4aee67b18ae2d9f1c Intel::CERT_HASH Mandiant APT1 Report NONAME T
a57a84975e31e376e3512da7b05ad06ef6441f53 Intel::CERT_HASH Mandiant APT1 Report NS T
b3db37a0edde97b3c3c15da5f2d81d27af82f583 Intel::CERT_HASH Mandiant APT1 Report SERVER (PEM) T
6d8f1454f6392361fb2464b744d4fc09eee5fcfd Intel::CERT_HASH Mandiant APT1 Report SUR T
b66e230f404b2cc1c033ccacda5d0a14b74a2752 Intel::CERT_HASH Mandiant APT1 Report VIRTUALLYTHERE T
4acbadb86a91834493dde276736cdf8f7ef5d497 Intel::CERT_HASH Mandiant APT1 Report WEBMAIL T
86a48093d9b577955c4c9bd19e30536aae5543d4 Intel::CERT_HASH Mandiant APT1 Report YAHOO T




@@ -0,0 +1,10 @@
global sensorname = "{{ grains.host }}";
redef record Conn::Info += {
sensorname: string &log &optional;
};
event connection_state_remove(c: connection)
{
c$conn$sensorname = SecurityOnion::sensorname;
}
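Review bot: The handler assigns `SecurityOnion::sensorname`, but `sensorname` is declared as a bare `global` and no `module SecurityOnion;` line is visible in this hunk, so the namespaced reference looks like it will not resolve; either add `module SecurityOnion;` at the top of the file and declare the variable with `export { const sensorname = "{{ grains.host }}"; }`, or reference it as plain `sensorname`. The hunk header counts 10 lines and 8 are shown, so if a module line was dropped from the rendering this is moot — please confirm. A brief header comment, `# Adds the sensor hostname (from Salt grains) to every conn.log record`, would also document what the `redef record Conn::Info` is for.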


@@ -0,0 +1 @@
@load ./extract


@@ -0,0 +1,21 @@
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["text/plain"] = "txt",
["image/jpeg"] = "jpg",
["image/png"] = "png",
["text/html"] = "html",
} &default ="";
event file_sniff(f: fa_file, meta: fa_metadata)
{
if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
return;
local ext = "";
if ( meta?$mime_type )
ext = ext_map[meta$mime_type];
local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}
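Review bot: The guard `if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" ) return;` restricts extraction to executables, which makes four of the five `ext_map` entries unreachable and the second `if ( meta?$mime_type )` check redundant; either trim the table to the one type that can be hit, or, if the other types are meant to be extracted, change the guard to `if ( ! meta?$mime_type || meta$mime_type !in ext_map ) return;`. Extraction is added with no `$extract_limit`, so a single large download can fill `/nsm/bro/extracted/`; consider `[$extract_filename=fname, $extract_limit=...]` or a documented reliance on a global `FileExtract` limit (confirm what the deployed Bro version defaults to). A header comment such as `# Write every observed Windows executable to /nsm/bro/extracted/<source>-<fuid>.exe for later analysis` would state the intent.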


@@ -0,0 +1,3 @@
@load tuning/json-logs
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
redef LogAscii::use_json = T;
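Review bot: `tuning/json-logs` is itself a stock script that enables JSON ASCII output, so the two `redef` lines that follow may simply repeat what it already sets; if they are intentional overrides, a comment such as `# Pinned explicitly in case the stock tuning script changes its defaults` would explain why both are present, otherwise keep only the `@load`. Confirm against the `tuning/json-logs.bro` shipped with the targeted Bro version before removing either line.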