Bro Salt Module - Policy Rework

2025-12-06 17:22:49 +01:00 · 2018-03-05 12:12:45 -05:00
parent d36d0ab6ec
commit b8e8df600e
11 changed files with 3182 additions and 10 deletions
--- a/pillar/sensors/example.sls
+++ b/pillar/sensors/example.sls
@@ -2,5 +2,6 @@
 sensor:
  interface: CHANGEME
  lbprocs: CHANGEME
-  lsheap:
-  lsaccessip:
+  brobpf:
+  pcapbpf:
+  nidsbpf:
--- a/salt/bro/files/local.bro
+++ b/salt/bro/files/local.bro
@@ -90,7 +90,8 @@
 # @load policy/protocols/ssl/heartbleed

 # Uncomment the following line to enable logging of connection VLANs. Enabling
-# this adds two VLAN fields to the conn.log file.
+# this adds two VLAN fields to the conn.log file. This may not work properly
+# since we use AF_PACKET and it strips VLAN tags.
 # @load policy/protocols/conn/vlan-logging

 # Uncomment the following line to enable logging of link-layer addresses. Enabling
@@ -99,10 +100,17 @@

 # Uncomment the following line to enable the SMB analyzer.  The analyzer
 # is currently considered a preview and therefore not loaded by default.
-# @load policy/protocols/smb
+@load policy/protocols/smb

-# Security Onion default scripts
-@load securityonion
+######################################
+##  Security Onion Scripts Section  ##
+######################################
+
+# Add the interface to the log event
+@load securityonion/add-interface-to-logs.bro
+
+# Add Sensor Name to the conn.log
+@load securityonion/conn-add-sensorname.bro

 # File Extraction
@load file-extraction
@@ -110,9 +118,21 @@
 # Intel from Mandiant APT1 Report
 #@load apt1

-# You can load your own intel into:
-# /opt/bro/share/bro/intel/
-@load intel
-
 # ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
@load shellshock
+
+#############################
+##  End SO Scrips Section  ##
+#############################
+
+#############################
+##  Custom Script Section  ##
+#############################
+
+# You can load your own intel into:
+# /opt/so/saltstack/bro/policy/intel/ on the master
+@load intel
+
+# Load a custom Bro policy
+# /opt/so/saltstack/bro/policy/custom/ on the master
+#@load custom/somebropolicy.bro
--- a/salt/bro/policy/securityonion/add-interface-to-logs.bro
+++ b/salt/bro/policy/securityonion/add-interface-to-logs.bro
@@ -0,0 +1,20 @@
+{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
+global interface = "{{ interface }}";
+
+event bro_init()
+	{
+	if ( ! reading_live_traffic() )
+		return;
+
+	Log::remove_default_filter(HTTP::LOG);
+	Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
+	                            $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
+	                            	{
+	                            	local peer = get_event_peer()$descr;
+	                            	if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
+	                            		return cat("http_", Cluster::nodes[peer]$interface);
+	                            	else
+	                            		return "http";
+	                            	}
+	                            ]);
+	}
--- a/salt/bro/policy/securityonion/apt1/load.bro
+++ b/salt/bro/policy/securityonion/apt1/load.bro
@@ -0,0 +1,9 @@
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+
+redef Intel::read_files += {
+  fmt("%s/apt1-fqdn.dat", @DIR),
+  fmt("%s/apt1-md5.dat", @DIR),
+  fmt("%s/apt1-certs.dat", @DIR)
+};
--- a/salt/bro/policy/securityonion/apt1/apt1-certs.dat
+++ b/salt/bro/policy/securityonion/apt1/apt1-certs.dat
@@ -0,0 +1,26 @@
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
+b054e26ef827fbbf5829f84a9bdbb697a5b042fc	Intel::CERT_HASH	Mandiant APT1 Report	ALPHA	T
+7bc0cc2cf7c3a996c32dbe7e938993f7087105b4	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+7855c132af1390413d4e4ff4ead321f8802d8243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+f3e3c590d7126bd227733e9d8313d2575c421243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d4d4e896ce7d73b573f0a0006080a246aec61fe7	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bcdf4809c1886ac95478bbafde246d0603934298	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+6b4855df8afc8d57a671fe5ed628f6d88852a922	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d50fdc82c328319ac60f256d3119b8708cd5717b	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+70b48d5177eebe9c762e9a37ecabebfd10e1b7e9	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+3a6a299b764500ce1b6e58a32a257139d61a3543	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bf4f90e0029b2263af1141963ddf2a0c71a6b5fb	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+b21139583dec0dae344cca530690ec1f344acc79	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+21971ffef58baf6f638df2f7e2cceb4c58b173c8	Intel::CERT_HASH	Mandiant APT1 Report	EMAIL	T
+04ecff66973c92a1c348666d5a4738557cce0cfc	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+f97d1a703aec44d0f53a3a294e33acda43a49de1	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+1b27a897cda019da2c3a6dc838761871e8bf5b5d	Intel::CERT_HASH	Mandiant APT1 Report	LAME	T
+d515996e8696612dc78fc6db39006466fc6550df	Intel::CERT_HASH	Mandiant APT1 Report	MOON-NIGHT	T
+8f79315659e59c79f1301ef4aee67b18ae2d9f1c	Intel::CERT_HASH	Mandiant APT1 Report	NONAME	T
+a57a84975e31e376e3512da7b05ad06ef6441f53	Intel::CERT_HASH	Mandiant APT1 Report	NS	T
+b3db37a0edde97b3c3c15da5f2d81d27af82f583	Intel::CERT_HASH	Mandiant APT1 Report	SERVER (PEM)	T
+6d8f1454f6392361fb2464b744d4fc09eee5fcfd	Intel::CERT_HASH	Mandiant APT1 Report	SUR	T
+b66e230f404b2cc1c033ccacda5d0a14b74a2752	Intel::CERT_HASH	Mandiant APT1 Report	VIRTUALLYTHERE	T
+4acbadb86a91834493dde276736cdf8f7ef5d497	Intel::CERT_HASH	Mandiant APT1 Report	WEBMAIL	T
+86a48093d9b577955c4c9bd19e30536aae5543d4	Intel::CERT_HASH	Mandiant APT1 Report	YAHOO	T
--- a/salt/bro/policy/securityonion/apt1/apt1-fqdn.dat
+++ b/salt/bro/policy/securityonion/apt1/apt1-fqdn.dat
--- a/salt/bro/policy/securityonion/apt1/apt1-md5.dat
+++ b/salt/bro/policy/securityonion/apt1/apt1-md5.dat
--- a/salt/bro/policy/securityonion/conn-add-sensorname.bro
+++ b/salt/bro/policy/securityonion/conn-add-sensorname.bro
@@ -0,0 +1,10 @@
+global sensorname = "{{ grains.host }}";
+
+redef record Conn::Info += {
+	sensorname: string &log &optional;
+};
+
+event connection_state_remove(c: connection)
+	{
+	c$conn$sensorname = SecurityOnion::sensorname;
+	}
--- a/salt/bro/policy/securityonion/file-extraction/load.bro
+++ b/salt/bro/policy/securityonion/file-extraction/load.bro
@@ -0,0 +1 @@
+@load ./extract
--- a/salt/bro/policy/securityonion/file-extraction/extract.bro
+++ b/salt/bro/policy/securityonion/file-extraction/extract.bro
@@ -0,0 +1,21 @@
+global ext_map: table[string] of string = {
+    ["application/x-dosexec"] = "exe",
+    ["text/plain"] = "txt",
+    ["image/jpeg"] = "jpg",
+    ["image/png"] = "png",
+    ["text/html"] = "html",
+} &default ="";
+
+event file_sniff(f: fa_file, meta: fa_metadata)
+    {
+    if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
+        return;
+
+    local ext = "";
+
+    if ( meta?$mime_type )
+        ext = ext_map[meta$mime_type];
+
+    local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
+    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
+    }
--- a/salt/bro/policy/securityonion/json-logs/load.bro
+++ b/salt/bro/policy/securityonion/json-logs/load.bro
@@ -0,0 +1,3 @@
+@load tuning/json-logs
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+redef LogAscii::use_json = T;