Merge pull request #7321 from Security-Onion-Solutions/delta

IDH Improvements
2025-12-06 17:22:49 +01:00 · 2022-02-24 21:27:36 -05:00
parent 8302c45059 96ed3cb158
commit be80f0530c
20 changed files with 93 additions and 22 deletions
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -23,6 +23,7 @@
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
 /opt/so/log/logscan/*.log
+/nsm/idh/*.log
 {
    {{ logrotate_conf | indent(width=4) }}
 }
--- a/salt/idh/defaults/http.defaults.yaml
+++ b/salt/idh/defaults/http.defaults.yaml
@@ -4,7 +4,7 @@ idh:
      http.banner: Apache/2.2.34 (Ubuntu)
      http.enabled: true
      http.port: 80
-      http.skin: basicLogin
+      http.skin: nasLogin
      http.skin.list:
      - desc: Plain HTML Login
        name: basicLogin
--- a/salt/idh/plays/idh_ftp.yml
+++ b/salt/idh/plays/idh_ftp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 2000
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_git.yml
+++ b/salt/idh/plays/idh_git.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 16001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_http_get.yml
+++ b/salt/idh/plays/idh_http_get.yml
@@ -1,7 +1,7 @@
 title: SO IDH - HTTP Accessed
 id: 34300b04-3350-4f4b-bf8c-9bfbfdc9914f
 status: experimental
-description: Detects when the HTTP service on a SO IDH node has had a Get request (logtype 3000), or a login attempt (logtype 3001).
+description: Detects when the HTTP service on a SO IDH node has had a Get request.
 author: Security Onion Solutions
 license: MIT
 references: 
@@ -12,9 +12,11 @@ logsource:
 detection:
  selection:
    logtype:
-    - 3000 #Get request
-    - 3001 #Login attempt
-  condition: selection
+    - 3000
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_http_login.yml
+++ b/salt/idh/plays/idh_http_login.yml
@@ -0,0 +1,24 @@
+title: SO IDH - HTTP Login Attempt
+id: 19449e62-93fa-40bd-8d0a-2564535d3652
+status: experimental
+description: Detects when the HTTP service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 3001
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_httpproxy.yml
+++ b/salt/idh/plays/idh_httpproxy.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 7001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_mssql.yml
+++ b/salt/idh/plays/idh_mssql.yml
@@ -14,7 +14,10 @@ detection:
    logtype:
    - 9001 #SQL Auth
    - 9002 #Windows Auth
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_mysql.yml
+++ b/salt/idh/plays/idh_mysql.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 8001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_ntp.yml
+++ b/salt/idh/plays/idh_ntp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 11001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_redis.yml
+++ b/salt/idh/plays/idh_redis.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 17001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_sip.yml
+++ b/salt/idh/plays/idh_sip.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 15001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_smb.yml
+++ b/salt/idh/plays/idh_smb.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 5000
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_snmp.yml
+++ b/salt/idh/plays/idh_snmp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 13001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_ssh.yml
+++ b/salt/idh/plays/idh_ssh.yml
@@ -15,7 +15,10 @@ detection:
    - 4000 
    - 4001
    - 4002
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_telnet.yml
+++ b/salt/idh/plays/idh_telnet.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 6001 
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_tftp.yml
+++ b/salt/idh/plays/idh_tftp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 10001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_vnc.yml
+++ b/salt/idh/plays/idh_vnc.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 12001 
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -451,7 +451,7 @@ collect_idh_services() {
 	whiptail_idh_services

 	case "$idh_services" in
-		'Linux Webserver')
+		'Linux Webserver (NAS Skin)')
 			idh_services=("HTTP" "FTP" "SSH")
 		;;
 		'MySQL Server')
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -732,10 +732,10 @@ whiptail_idh_services() {

 	idh_services=$(whiptail --title "$whiptail_title" --radiolist \
 		"\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \
-		"Linux Webserver" "Apache (80), FTP (21), SSH (22)" ON \
+		"Linux Webserver (NAS Skin)" "Apache (80), FTP (21), SSH (22)" ON \
 		"MySQL Server" "MySQL (3306), SSH (22)" OFF \
 		"MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \
-		"Custom" "Select a custom set of services on next screen" OFF 3>&1 1>&2 2>&3 )
+		"Custom" "Select a custom set of services" OFF 3>&1 1>&2 2>&3 )

 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1784,6 +1784,8 @@ whiptail_setup_complete() {
 			local sentence_prefix="Run so-allow after reboot to access"
 		fi
 		local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n"
+	elif [[ $is_idh ]]; then
+		local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n"
 	else
 		local accessMessage=""
 	fi