merge in 2.4./firewall changes

This commit is contained in:
m0duspwnens
2022-09-22 10:55:39 -04:00
35 changed files with 1168 additions and 326 deletions


@@ -1,6 +1,6 @@
## Security Onion 2.3.120 ## Security Onion 2.4.0
Security Onion 2.3.120 is here! Security Onion 2.4.0 is here!
## Screenshots ## Screenshots
@@ -12,24 +12,24 @@ Hunt
### Release Notes ### Release Notes
https://docs.securityonion.net/en/2.3/release-notes.html https://docs.securityonion.net/en/2.4/release-notes.html
### Requirements ### Requirements
https://docs.securityonion.net/en/2.3/hardware.html https://docs.securityonion.net/en/2.4/hardware.html
### Download ### Download
https://docs.securityonion.net/en/2.3/download.html https://docs.securityonion.net/en/2.4/download.html
### Installation ### Installation
https://docs.securityonion.net/en/2.3/installation.html https://docs.securityonion.net/en/2.4/installation.html
### FAQ ### FAQ
https://docs.securityonion.net/en/2.3/faq.html https://docs.securityonion.net/en/2.4/faq.html
### Feedback ### Feedback
https://docs.securityonion.net/en/2.3/community-support.html https://docs.securityonion.net/en/2.4/community-support.html


@@ -1,3 +1,2 @@
firewall: firewall:
aliases: ports:
ports:
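Review bot: The `aliases:` level is dropped here so the port definitions now sit directly under `firewall:`, but the new defaults file in this same commit reads `portgroups.firewall.aliases.ports` right after `{% import_yaml 'firewall/portgroups.yaml' as portgroups %}`; if this section is that portgroups file, the Jinja render fails with an undefined attribute at the first `{{ portgroups.* }}` reference. The file name is not shown on this page, so confirm which file this is before merging. If the flatter layout is the intended one, the consumer line should become `{% set portgroups = portgroups.firewall.ports %}`.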


@@ -1,55 +1 @@
zeek: zeek:
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
MinDiskSpace: 5
MailHostUpDown: 1
LogRotationInterval: 3600
LogExpireInterval: 0
StatsLogEnable: 1
StatsLogExpireInterval: 0
StatusCmdShowAll: 0
CrashExpireInterval: 0
SitePolicyScripts: local.zeek
LogDir: /nsm/zeek/logs
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
local:
'@load':
- misc/loaded-scripts
- tuning/defaults
- misc/capture-loss
- misc/stats
- frameworks/software/vulnerable
- frameworks/software/version-changes
- protocols/ftp/software
- protocols/smtp/software
- protocols/ssh/software
- protocols/http/software
- protocols/dns/detect-external-names
- protocols/ftp/detect
- protocols/conn/known-hosts
- protocols/conn/known-services
- protocols/ssl/known-certs
- protocols/ssl/validate-certs
- protocols/ssl/log-hostcerts-only
- protocols/ssh/geo-data
- protocols/ssh/detect-bruteforcing
- protocols/ssh/interesting-hostnames
- protocols/http/detect-sqli
- frameworks/files/hash-all-files
- frameworks/files/detect-MHR
- policy/frameworks/notice/extend-email/hostnames
- ja3
- hassh
- intel
- cve-2020-0601
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
'@load-sigs':
- frameworks/signatures/detect-windows-shells
redef:
- LogAscii::use_json = T;
- CaptureLoss::watch_interval = 5 mins;


@@ -80,8 +80,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.apm_server@package" - "so-logs-elastic_agent.apm_server@package"
- "so-logs-elastic_agent.apm_server@custom" - "so-logs-elastic_agent.apm_server@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -114,8 +114,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.auditbeat@package" - "so-logs-elastic_agent.auditbeat@package"
- "so-logs-elastic_agent.auditbeat@custom" - "so-logs-elastic_agent.auditbeat@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -148,8 +148,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.cloudbeat@package" - "so-logs-elastic_agent.cloudbeat@package"
- "so-logs-elastic_agent.cloudbeat@custom" - "so-logs-elastic_agent.cloudbeat@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -182,8 +182,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.endpoint_security@package" - "so-logs-elastic_agent.endpoint_security@package"
- "so-logs-elastic_agent.endpoint_security@custom" - "so-logs-elastic_agent.endpoint_security@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -216,8 +216,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.filebeat@package" - "so-logs-elastic_agent.filebeat@package"
- "so-logs-elastic_agent.filebeat@custom" - "so-logs-elastic_agent.filebeat@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -250,8 +250,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.fleet_server@package" - "so-logs-elastic_agent.fleet_server@package"
- "so-logs-elastic_agent.fleet_server@custom" - "so-logs-elastic_agent.fleet_server@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -284,8 +284,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.heartbeat@package" - "so-logs-elastic_agent.heartbeat@package"
- "so-logs-elastic_agent.heartbeat@custom" - "so-logs-elastic_agent.heartbeat@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -318,8 +318,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent@package" - "so-logs-elastic_agent@package"
- "so-logs-elastic_agent@custom" - "so-logs-elastic_agent@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -352,8 +352,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.metricbeat@package" - "so-logs-elastic_agent.metricbeat@package"
- "so-logs-elastic_agent.metricbeat@custom" - "so-logs-elastic_agent.metricbeat@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -386,8 +386,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.osquerybeat@package" - "so-logs-elastic_agent.osquerybeat@package"
- "so-logs-elastic_agent.osquerybeat@custom" - "so-logs-elastic_agent.osquerybeat@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:
@@ -420,8 +420,8 @@ elasticsearch:
composed_of: composed_of:
- "so-logs-elastic_agent.packetbeat@package" - "so-logs-elastic_agent.packetbeat@package"
- "so-logs-elastic_agent.packetbeat@custom" - "so-logs-elastic_agent.packetbeat@custom"
- ".fleet_globals-1" - "so-fleet_globals-1"
- ".fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 500 priority: 500
_meta: _meta:
package: package:


@@ -9,61 +9,70 @@
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } }, { "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } }, { "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } },
{ "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } }, { "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } },
{ "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } }, { "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } }, { "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } },
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } }, { "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } }, { "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } },
{ "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } }, { "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } },
{ "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, { "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } },
{ "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, { "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } },
{ "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } }, { "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } },
{ "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } }, { "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } },
{ "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, { "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } },
{ "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } }, { "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } },
{ "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, { "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } },
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, { "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } }, { "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } }, { "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "kv": {"field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, { "kv": {"field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } }, { "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing":true } },
{ "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } }, { "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing":true } },
{ "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } }, { "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing":true } },
{ "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.parentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } },
{ "community_id": {} } { "community_id": {} }
] ]
} }
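Review bot: After the two new `kv` processors only `IMPHASH`, `MD5` and `SHA256` are moved out of `file.hash` before the source fields are removed, so any other key in the hash string (Sysmon's `Hashes` value commonly carries `SHA1` as well) is left behind as `file.hash.<UPPERCASE>` with a non-ECS name; presumably a fourth rename `{ "rename": { "field": "file.hash.SHA1", "target_field": "hash.sha1", "ignore_missing": true } }` is wanted, or an explicit remove of whatever remains under `file.hash`. The `kv` processor also fails the whole document when the value does not contain the `=` separator, and since this is endpoint telemetry the pipeline cannot vouch for, `"ignore_failure": true` on both `kv` steps would keep a malformed `Hashes` string from dropping the event. Minor style: the three new `rename` processors write `"ignore_missing":true` while every other processor in the file uses `"ignore_missing": true`.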


@@ -346,6 +346,15 @@ append_so-elasticsearch_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
- text: so-elasticsearch - text: so-elasticsearch
so-es-cluster-settings:
cmd.run:
- name: /usr/sbin/so-elasticsearch-cluster-settings
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: es_sync_scripts
so-elasticsearch-templates: so-elasticsearch-templates:
cmd.run: cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load - name: /usr/sbin/so-elasticsearch-templates-load
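Review bot: `so-es-cluster-settings` is a plain `cmd.run` with no `unless`/`onlyif` (or `stateful`), so it executes on every highstate and is reported as changed each time even when the script applies nothing; an `- unless:` that queries `_cluster/settings` for the remote entry would keep the highstate idempotent and make a real change visible only when it happens. `- template: jinja` on this `cmd.run` has no Jinja in its `name` to render and can be dropped. The enclosing state file continues outside the hunk.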


@@ -0,0 +1,74 @@
{
"component_templates": [
{
"name": "so-fleet_agent_id_verification-1",
"component_template": {
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"final_pipeline": ".fleet_final_pipeline-1"
}
},
"mappings": {
"properties": {
"event": {
"properties": {
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"type": "date"
}
}
}
}
}
},
"_meta": {
"managed_by": "fleet",
"managed": true
}
}
}
]
}
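Review bot: `index.final_pipeline` in this template still points at `.fleet_final_pipeline-1`, the Fleet-managed pipeline, while the template itself now carries the `so-` prefix and is loaded by Security Onion; if that pipeline is not present on the cluster, every index composed from this template rejects writes because `final_pipeline` must resolve at index time, so either ship an `so-`-prefixed copy of that pipeline alongside or drop the setting — confirm whether Fleet still installs it in 2.4. `_meta.managed_by` is `"fleet"` here but `"security_onion"` in the sibling `so-fleet_globals-1` template added in the same commit; if both are SO-managed now, both should say so, since tooling that keys off `managed_by` to leave Fleet assets alone would otherwise skip this one.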


@@ -0,0 +1,73 @@
{
"component_templates": [
{
"name": "so-fleet_globals-1",
"component_template": {
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"_meta": {
"managed_by": "security_onion",
"managed": true
},
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
}
},
"_meta": {
"managed_by": "security_onion",
"managed": true
}
}
}
]
}


@@ -62,10 +62,40 @@
} }
} }
} }
} },
"elf": {
"properties": {
"sections": {
"properties": {
"entropy": {
"type": "long"
}
}
}
}
}
} }
} }
} }
} }
} }
} }


@@ -0,0 +1,36 @@
#!/bin/bash
{% set ES = salt['pillar.get']('manager:mainip', '') %}
{% set MANAGER = salt['grains.get']('master') %}
ELASTICSEARCH_PORT=9200
# Wait for ElasticSearch to come up, so that we can query for version infromation
echo -n "Waiting for ElasticSearch..."
COUNT=0
ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 30 ]]; do
curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://localhost:"$ELASTICSEARCH_PORT"
if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes"
echo "connected!"
break
else
((COUNT+=1))
sleep 1
echo -n "."
fi
done
if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'"
echo
exit
fi
# Check to see if config already exists
CLUSTER_SETTINGS=$(so-elasticsearch-query _cluster/settings | jq .persistent.cluster.remote)
if [[ ! -z "$CLUSTER_SETTINGS" ]]; then
echo "Applying cross cluster search config..."
so-elasticsearch-query _cluster/settings -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" -XPUT
fi
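Review bot: The guard at the bottom is inverted: `jq .persistent.cluster.remote` prints the literal `null` when the key is absent, so `$CLUSTER_SETTINGS` is never empty and the PUT to `_cluster/settings` runs on every invocation, while the comment above it says the intent is to apply only when no config exists yet. Use `CLUSTER_SETTINGS=$(so-elasticsearch-query _cluster/settings | jq -r '.persistent.cluster.remote // empty')` and `if [[ -z "$CLUSTER_SETTINGS" ]]; then` so an existing remote configuration is left alone. The timeout branch ends with a bare `exit`, which returns 0, so the salt `cmd.run` wrapping this script reports success when Elasticsearch never came up; make it `exit 1`. `ES` is set from the pillar at the top and then never used, while the seed is hard-coded as `127.0.0.1:9300`.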


@@ -58,7 +58,7 @@ echo
cd ${ELASTICSEARCH_TEMPLATES}/index cd ${ELASTICSEARCH_TEMPLATES}/index
echo "Loading Security Onion index templates..." echo "Loading Security Onion index templates..."
for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
echo echo
cd - >/dev/null cd - >/dev/null
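Review bot: `TEMPLATE=${i::-14}` encodes the length of a filename suffix as a magic number; any file in this directory with a name shorter than 14 characters makes the expansion a hard error (`substring expression < 0`), and a file with a different suffix silently yields a wrong index template name. Presumably the suffix being stripped is `-template.json`; `TEMPLATE=${i%-template.json}` states that intent and degrades to the whole filename when the suffix is absent. Negative offsets in `${var::-n}` also need bash 4.2 or later, worth a thought since the loop previously relied only on `cut`.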


@@ -0,0 +1,567 @@
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{% import_yaml 'firewall/portgroups.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.aliases.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
role:
eval:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.agrules }}
{% endif %}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.yum }}
{% endif %}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
self:
portgroups:
- {{ portgroups.syslog}}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
endgame:
portgroups:
- {{ portgroups.endgame }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
managersearch:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
standalone:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
helixsensor:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
{% if TRUE_CLUSTER %}
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
{% endif %}
self:
portgroups:
- {{ portgroups.syslog}}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- {{ portgroups.syslog}}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
self:
portgroups:
- {{ portgroups.syslog}}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
minion:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
receiver:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.beats_5644 }}
self:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.syslog}}
- {{ portgroups.beats_5644 }}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
endgame:
portgroups:
- {{ portgroups.endgame }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
{% set idh_services = salt['pillar.get']('idh:services', []) %}
{% for service in idh_services %}
- {{ portgroups['idh_'~service] }}
{% endfor %}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
manager:
portgroups:
- {{ portgroups.ssh }}

@@ -1,8 +1,8 @@
{% set role = grains.id.split('_') | last %} {% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %} {% set translated_pillar_assigned_hostgroups = {} %}
{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.aliases.ports %} {% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.aliases.ports %} {% if local_portgroups.firewall.aliases.ports %}
{% set local_portgroups = local_portgroups.firewall.aliases.ports %} {% set local_portgroups = local_portgroups.firewall.aliases.ports %}
@@ -13,7 +13,34 @@
{% set defined_portgroups = portgroups %} {% set defined_portgroups = portgroups %}
{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %} {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %} {#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = [
'analyst',
'analyst_workstations',
'eval',
'heavynodes',
'idh',
'manager',
'minion',
'receivers',
'searchnodes',
'sensors',
'standalone',
'beats_endpoint',
'beats_endpoint_ssl',
'elasticsearch_rest',
'elastic_agent_endpoint',
'endgame',
'strelka_frontend',
'syslog'
]
%}
{% for hg in hostgroup_list %}
{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %} {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
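Review bot: The hard-coded `hostgroup_list` on L1104–L1123 is a second copy of the hostgroup names used throughout the chain definitions, and `import_text` on L1126 aborts the whole firewall render when any listed `firewall/hostgroups/<name>` file is absent, so one missing file takes every chain down rather than just that group. The file contents are whitespace-split on L1127 with no check that each token is an IP or CIDR, so a stray word in one of those files only surfaces later as an iptables load failure; a comment such as `{# each firewall/hostgroups/<name> file must exist and hold one IP or CIDR per line #}` would at least record the contract. The commented-out import on L1102 should be deleted rather than kept as a Jinja comment, and the comment on L1130 still names portgroups.yaml although L1094 now reads `firewall/ports/ports.yaml`. The unchanged lines L1096–L1098 still read `firewall.aliases.ports` from portgroups.local.yaml; if the `aliases:` level was also dropped from that file, those lines will fail at render time, which should be confirmed.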

@@ -57,6 +57,8 @@
"title": "{{ TITLE }}", "title": "{{ TITLE }}",
{% if TITLE | lower == 'security onion grid overview' %} {% if TITLE | lower == 'security onion grid overview' %}
"uid": "so_overview", "uid": "so_overview",
{% else %}
"uid": "{{ UID }}",
{% endif %} {% endif %}
"version": 1 "version": 1
} }
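Review bot: The new `"uid": "{{ UID }}",` on L1139 interpolates the dashboard key straight into JSON without escaping, so a key containing a double quote or backslash would produce an invalid document; `"uid": {{ UID | tojson }},` keeps the output valid for any value, and the same applies to the existing `"title"` line at L1135. The value is supplied as `UID: {{ dashboard }}` on L1150 in the state file; Grafana also restricts uid length and characters, I believe, so a long or spaced dashboard name may be rejected at import time and is worth checking.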

@@ -117,6 +117,7 @@ so-grafana-dashboard-folder-delete:
TEMPLATES: {{GRAFANA_SETTINGS.dashboards[dashboard].templating.list}} TEMPLATES: {{GRAFANA_SETTINGS.dashboards[dashboard].templating.list}}
TITLE: {{ GRAFANA_SETTINGS.dashboards[dashboard].get('title', dashboard| capitalize) }} TITLE: {{ GRAFANA_SETTINGS.dashboards[dashboard].get('title', dashboard| capitalize) }}
ID: {{ loop.index }} ID: {{ loop.index }}
UID: {{ dashboard }}
{% endfor %} {% endfor %}
so-grafana: so-grafana:

@@ -64,7 +64,7 @@ soc:
remoteHostUrls: [] remoteHostUrls: []
username: username:
password: password:
index: '*:so-*,*:endgame-*' index: '*:so-*,*:endgame-*,*:logs-*'
cacheMs: 300000 cacheMs: 300000
verifyCert: false verifyCert: false
casesEnabled: true casesEnabled: true
@@ -93,7 +93,7 @@ soc:
client: client:
docsUrl: /docs/ docsUrl: /docs/
cheatsheetUrl: /docs/cheatsheet.pdf cheatsheetUrl: /docs/cheatsheet.pdf
releaseNotesUrl: /docs/#release-notes releaseNotesUrl: /docs/release-notes.html
apiTimeoutMs: 0 apiTimeoutMs: 0
webSocketTimeoutMs: 0 webSocketTimeoutMs: 0
tipTimeoutMs: 0 tipTimeoutMs: 0
@@ -656,10 +656,53 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
'::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
'::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
queryBaseFilter: queryBaseFilter:
queryToggleFilters: queryToggleFilters:
- name: caseExcludeToggle - name: caseExcludeToggle
filter: NOT _index:\"*:so-case*\" filter: 'NOT _index:"*:so-case*"'
enabled: true enabled: true
queries: queries:
- name: Default Query - name: Default Query
@@ -680,6 +723,9 @@ soc:
- name: NIDS Alerts - name: NIDS Alerts
description: Show all NIDS alerts grouped by alert description: Show all NIDS alerts grouped by alert
query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name'
- name: Osquery - Live Query
description: Show all Osquery Live Query results
query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname'
- name: Wazuh/OSSEC Alerts - name: Wazuh/OSSEC Alerts
description: Show all Wazuh alerts at Level 5 or higher grouped by category description: Show all Wazuh alerts at Level 5 or higher grouped by category
query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
@@ -794,9 +840,6 @@ soc:
- name: NTLM - name: NTLM
description: NTLM grouped by computer name description: NTLM grouped by computer name
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' query: 'event.dataset:ntlm | groupby ntlm.server.dns.name'
- name: Osquery Live Queries
description: Osquery Live Query results grouped by computer name
query: 'event.dataset:live_query | groupby host.hostname'
- name: PE - name: PE
description: PE files list description: PE files list
query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' query: 'event.dataset:pe | groupby file.machine file.os file.subsystem'
@@ -1373,9 +1416,52 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
'::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
'::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
queryBaseFilter: queryBaseFilter:
queryToggleFilters: queryToggleFilters:
- name: caseExcludeToggle, - name: caseExcludeToggle
filter: 'NOT _index:"*:so-case*"' filter: 'NOT _index:"*:so-case*"'
enabled: true enabled: true
queries: queries:
@@ -1454,9 +1540,6 @@ soc:
- name: NTLM - name: NTLM
description: NTLM logs description: NTLM logs
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Osquery Live Queries
description: Osquery Live Query results
query: 'event.dataset:live_query | groupby host.hostname'
- name: PE - name: PE
description: PE files list description: PE files list
query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
@@ -1601,7 +1684,7 @@ soc:
- so_case.severity - so_case.severity
- so_case.assigneeId - so_case.assigneeId
- so_case.createTime - so_case.createTime
queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' queryBaseFilter: '_index:"*:so-case" AND so_kind:case'
queryToggleFilters: [] queryToggleFilters: []
queries: queries:
- name: Open Cases - name: Open Cases
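Review bot: The `'::process_creation'` field list on L1193–L1198 is the only one of the new event lists that omits `winlog.computer_name`, and it also drops `process.executable` in favour of the parent's path, so the view for that event would not show which host the process ran on; adding `- winlog.computer_name` (and `- process.executable`) there keeps it consistent with `::process_terminated`. The same block is repeated verbatim at L1250–L1292, so any change has to be made in both places or the two views will drift. Widening `index` to `*:logs-*` on L1160 pulls every Elastic Agent data stream into SOC queries, which looks intended but broadens what the default queries match and deserves a mention in the description.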

@@ -6,22 +6,8 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
## What's New ## What's New
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/#release-notes) link. To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
## Customize This Space ## Customize This Space
Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. To learn more about the format, please see [markdownguide.org](https://www.markdownguide.org/). Make this area your own by customizing the content in the [Config](/#/config) interface.
To customize this content, login to the manager via SSH and execute the following command:
```bash
sudo cp /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/
```
Then edit the new file as desired using your favorite text editor.
Finally, restart SOC to make the changes take effect:
```bash
sudo so-soc-restart
```

@@ -1,8 +1,10 @@
{% set ROLE_GLOBALS = {} %} {% set ROLE_GLOBALS = {} %}
{% set SENSOR_GLOBALS = [] {% set SENSOR_GLOBALS = {
'sensor': {
'interface': pillar.sensor.interface
}
}
%} %}
{% for sg in SENSOR_GLOBALS %} {% do salt['defaults.merge'](ROLE_GLOBALS, SENSOR_GLOBALS, merge_lists=False, in_place=True) %}
{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
{% endfor %}
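Review bot: `pillar.sensor.interface` on L1341 is an attribute lookup that raises during rendering on any minion whose pillar has no `sensor` key, whereas the old empty list made this map a no-op everywhere; `salt['pillar.get']('sensor:interface')` would keep non-sensor roles renderable, if this map is imported by them, which I cannot tell from here. Either way a one-line comment stating that this map is only valid on hosts carrying the sensor pillar would make the new precondition explicit.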

@@ -1,3 +1,9 @@
{% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
{% set ZEEKOPTIONS = {} %} {% set ZEEKOPTIONS = {} %}
{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %} {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
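Review bot: `salt['pillar.get']('zeek', [])` on L1354 defaults to a list, but the result is passed as the source of `defaults.merge` on L1355, which expects a mapping, so a minion with no zeek pillar would fail at render time rather than fall back to the defaults; the default should be `{}`. The `ENABLED` lookup on L1358 still reads the raw pillar instead of `ZEEKMERGED`, so it ignores any default set in zeek/defaults.yaml, which is probably fine today but worth a comment.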

@@ -1,9 +1,10 @@
zeek: zeek:
config: config:
node: node:
lb_procs: 1 lb_procs: 0
zeek_pins_enabled: False pins_enabled: False
zeek_pins: [] pins: []
buffer: 128*1024*1024
zeekctl: zeekctl:
MailTo: root@localhost MailTo: root@localhost
MailConnectionSummary: 1 MailConnectionSummary: 1
@@ -20,68 +21,71 @@ zeek:
SpoolDir: /nsm/zeek/spool SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc CfgDir: /opt/zeek/etc
CompressLogs: 1 CompressLogs: 1
policy: local:
file_extraction: '@load':
- application/x-dosexec: exe - misc/loaded-scripts
- application/pdf: pdf - tuning/defaults
- application/msword: doc - misc/capture-loss
- application/vnd.ms-powerpoint: doc - misc/stats
- application/rtf: doc - frameworks/software/vulnerable
- application/vnd.ms-word.document.macroenabled.12: doc - frameworks/software/version-changes
- application/vnd.ms-word.template.macroenabled.12: doc - protocols/ftp/software
- application/vnd.ms-powerpoint.template.macroenabled.12: doc - protocols/smtp/software
- application/vnd.ms-excel: doc - protocols/ssh/software
- application/vnd.ms-excel.addin.macroenabled.12: doc - protocols/http/software
- application/vnd.ms-excel.sheet.binary.macroenabled.12: doc - protocols/dns/detect-external-names
- application/vnd.ms-excel.template.macroenabled.12: doc - protocols/ftp/detect
- application/vnd.ms-excel.sheet.macroenabled.12: doc - protocols/conn/known-hosts
- application/vnd.openxmlformats-officedocument.presentationml.presentation: doc - protocols/conn/known-services
- application/vnd.openxmlformats-officedocument.presentationml.slide: doc - protocols/ssl/known-certs
- application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc - protocols/ssl/validate-certs
- application/vnd.openxmlformats-officedocument.presentationml.template: doc - protocols/ssl/log-hostcerts-only
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc - protocols/ssh/geo-data
- application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc - protocols/ssh/detect-bruteforcing
- application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc - protocols/ssh/interesting-hostnames
- application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc - protocols/http/detect-sqli
- application/vnd.ms-powerpoint.addin.macroenabled.12: doc - frameworks/files/hash-all-files
- application/vnd.ms-powerpoint.slide.macroenabled.12: doc - frameworks/files/detect-MHR
- application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - policy/frameworks/notice/extend-email/hostnames
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - ja3
- application/vnd.openxmlformats-officedocument: doc - hassh
load: - intel
- misc/loaded-scripts - cve-2020-0601
- tuning/defaults - securityonion/bpfconf
- misc/capture-loss - securityonion/communityid
- misc/stats - securityonion/file-extraction
- frameworks/software/vulnerable '@load-sigs':
- frameworks/software/version-changes - frameworks/signatures/detect-windows-shells
- protocols/ftp/software redef:
- protocols/smtp/software - LogAscii::use_json = T;
- protocols/ssh/software - CaptureLoss::watch_interval = 5 mins;
- protocols/http/software networks:
- protocols/dns/detect-external-names HOME_NET: 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
- protocols/ftp/detect file_extraction:
- protocols/conn/known-hosts - application/x-dosexec: exe
- protocols/conn/known-services - application/pdf: pdf
- protocols/ssl/known-certs - application/msword: doc
- protocols/ssl/validate-certs - application/vnd.ms-powerpoint: doc
- protocols/ssl/log-hostcerts-only - application/rtf: doc
- protocols/ssh/geo-data - application/vnd.ms-word.document.macroenabled.12: doc
- protocols/ssh/detect-bruteforcing - application/vnd.ms-word.template.macroenabled.12: doc
- protocols/ssh/interesting-hostnames - application/vnd.ms-powerpoint.template.macroenabled.12: doc
- protocols/http/detect-sqli - application/vnd.ms-excel: doc
- frameworks/files/hash-all-files - application/vnd.ms-excel.addin.macroenabled.12: doc
- frameworks/files/detect-MHR - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- policy/frameworks/notice/extend-email/hostnames - application/vnd.ms-excel.template.macroenabled.12: doc
- ja3 - application/vnd.ms-excel.sheet.macroenabled.12: doc
- hassh - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- intel - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- cve-2020-0601 - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- securityonion/bpfconf - application/vnd.openxmlformats-officedocument.presentationml.template: doc
- securityonion/communityid - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- securityonion/file-extraction - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
load-sigs: - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- frameworks/signatures/detect-windows-shells - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
redef: - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- LogAscii::use_json = T; - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- CaptureLoss::watch_interval = 5 mins; - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument: doc
bpf: []
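Review bot: `buffer: 128*1024*1024` on L1369 is parsed by YAML as the string `128*1024*1024`, not as 134217728, and it is written verbatim into node.cfg as `af_packet_buffer_size={{ NODE.buffer }}`; unless zeekctl evaluates arithmetic in that option, which I do not believe it does, it should be the literal `buffer: 134217728`. `pins_enabled: False` on L1367 should be the canonical `false`, and an inline comment on L1416 that `HOME_NET` is a comma-separated list consumed by networks.cfg would document a default that previously came from the sensor pillar. Deployments that set HOME_NET through the old pillar keys will now get this hard-coded default unless they migrate to `zeek:config:networks:HOME_NET`, which the commit does not appear to handle.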

@@ -1,9 +1,5 @@
{%- if salt['pillar.get']('sensor:hnsensor') %} {%- if NETWORKS.HOME_NET %}
{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %} {%- for HN in NETWORKS.HOME_NET.split(',') %}
{%- else %}
{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
{%- endif %}
{%- set HNLIST = HOME_NET.split(',') %}
{%- for HN in HNLIST %}
{{ HN }} {{ HN }}
{%- endfor %} {%- endfor %}
{%- endif %}

@@ -1,45 +0,0 @@
{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
{%- if salt['pillar.get']('sensor:zeek_proxies') %}
{%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
{%- else %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
{%- else %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
{%- endif %}
{%- endif %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ interface }}
lb_method=custom
{%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
{%- else %}
lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
{%- endif %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ interface }}
{%- endif %}

@@ -0,0 +1,35 @@
{%- if NODE.pins or NODE.lb_procs %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ NODE.interface }}
lb_method=custom
{%- if NODE.lb_procs %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
lb_procs={{ NODE.pins | length }}
{%- endif %}
{%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ NODE.buffer }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ NODE.interface }}
{%- endif %}
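Review bot: `pins_enabled` from the defaults (annotated as "Enabled CPU pinning" in the SOC annotations file) is never consulted here: L1509 and L1529 switch on `NODE.pins` alone, so CPU pinning is applied whenever the list is non-empty even with `pins_enabled: false`, and `lb_procs` on L1527 falls back to the pin count in the same case. The guards should consult the flag so the pin list is only used when it is enabled; since `lb_procs` defaults to 0, pinning disabled with `lb_procs` unset then correctly falls through to the standalone stanza.
```jinja
{%- set USE_PINS = NODE.pins_enabled and NODE.pins %}
{%- if USE_PINS or NODE.lb_procs %}
{# … unchanged: manager, logger, proxy and worker-1 headers … #}
{%- if NODE.lb_procs %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
lb_procs={{ NODE.pins | length }}
{%- endif %}
{%- if USE_PINS %}
pin_cpus={{ NODE.pins | join(", ") }}
{%- endif %}
{# … unchanged: af_packet settings and standalone stanza … #}
```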

@@ -6,16 +6,11 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS with context %}
{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
{% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
{% set VERSION = salt['pillar.get']('global:soversion') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', {}) %}
{% set BPF_STATUS = 0 %} {% set BPF_STATUS = 0 %}
{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
{% set ZEEK = salt['pillar.get']('zeek', {}) %}
# Zeek Salt State # Zeek Salt State
@@ -77,6 +72,8 @@ zeekpolicysync:
- user: 937 - user: 937
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults:
FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
# Ensure the zeek spool tree (and state.db) ownership is correct # Ensure the zeek spool tree (and state.db) ownership is correct
zeekspoolownership: zeekspoolownership:
@@ -107,16 +104,18 @@ zeekctlcfg:
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults: - defaults:
ZEEKCTL: {{ ZEEK.zeekctl | tojson }} ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
# Sync node.cfg # Sync node.cfg
nodecfg: nodecfg:
file.managed: file.managed:
- name: /opt/so/conf/zeek/node.cfg - name: /opt/so/conf/zeek/node.cfg
- source: salt://zeek/files/node.cfg - source: salt://zeek/files/node.cfg.jinja
- user: 937 - user: 937
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults:
NODE: {{ ZEEKMERGED.zeek.config.node }}
networkscfg: networkscfg:
file.managed: file.managed:
@@ -125,6 +124,8 @@ networkscfg:
- user: 937 - user: 937
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults:
NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
#zeekcleanscript: #zeekcleanscript:
# file.managed: # file.managed:
@@ -158,8 +159,8 @@ zeekpacketlosscron:
- dayweek: '*' - dayweek: '*'
# BPF compilation and configuration # BPF compilation and configuration
{% if BPF_ZEEK %} {% if ZEEKMERGED.zeek.bpf %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %} {% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %} {% set BPF_STATUS = 1 %}
{% else %} {% else %}
@@ -177,7 +178,7 @@ zeekbpf:
- user: 940 - user: 940
- group: 940 - group: 940
{% if BPF_STATUS %} {% if BPF_STATUS %}
- contents_pillar: zeek:bpf - contents: {{ ZEEKMERGED.bpf }}
{% else %} {% else %}
- contents: - contents:
- "ip or not ip" - "ip or not ip"
@@ -192,12 +193,12 @@ localzeek:
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults: - defaults:
LOCAL: {{ ZEEK.local | tojson }} LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
so-zeek: so-zeek:
docker_container.{{ ZEEKOPTIONS.status }}: docker_container.{{ ZEEKOPTIONS.status }}:
{% if ZEEKOPTIONS.status == 'running' %} {% if ZEEKOPTIONS.status == 'running' %}
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: {{ ZEEKOPTIONS.start }} - start: {{ ZEEKOPTIONS.start }}
- privileged: True - privileged: True
- ulimits: - ulimits:
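Review bot: `- contents: {{ ZEEKMERGED.bpf }}` on L1603 reads a top-level `bpf` key that does not exist in the merged structure — the guard on L1594 reads `ZEEKMERGED.zeek.bpf` — so the render fails exactly when a BPF compiles successfully and `BPF_STATUS` is 1; it should be `- contents: {{ ZEEKMERGED.zeek.bpf | tojson }}`. The new `FILE_EXTRACTION`, `NODE` and `NETWORKS` defaults on L1563, L1580 and L1588 are emitted as Python reprs, unlike the `| tojson` used for `ZEEKCTL` and `LOCAL` on L1570 and L1611; a repr containing `None` or a quote would not parse as YAML, so `| tojson` should be used there too. The enclosing state definitions start and end outside these hunks.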

@@ -1,5 +1,3 @@
{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
# Directory to stage Zeek extracted files before processing # Directory to stage Zeek extracted files before processing
redef FileExtract::prefix = "/nsm/zeek/extracted/"; redef FileExtract::prefix = "/nsm/zeek/extracted/";
# Set a limit to the file size # Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
# These are the mimetypes we want to rip off the networks # These are the mimetypes we want to rip off the networks
export { export {
global _mime_whitelist: table[string] of string = { global _mime_whitelist: table[string] of string = {
{%- for li in zeek.policy.file_extraction %} {%- for li in FILE_EXTRACTION %}
{%- if not loop.last %} {%- if not loop.last %}
{%- for k,v in li.items() %} {%- for k,v in li.items() %}
["{{ k }}"] = "{{ v }}", ["{{ k }}"] = "{{ v }}",

@@ -3,16 +3,23 @@ zeek:
enabled: enabled:
description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor. description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
config: config:
local:
'@load':
description: List of Zeek policies to load
'@load-sigs':
description: List of Zeek signatures to load
node: node:
lb_procs: lb_procs:
description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins. description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
node: True node: True
zeek_pins_enabled: pins_enabled:
description: description: Enabled CPU pinning
node: True node: True
zeek_pins: advanced: True
description: List of CPUs you want to pins:
description: List of CPUs you want to pin to
node: True node: True
advanced: True
zeekctl: zeekctl:
CompressLogs: CompressLogs:
description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU. description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
@@ -24,10 +31,6 @@ zeek:
file: True file: True
global: True global: True
advanced: True advanced: True
file_extraction: file_extraction:
description: This is a list of mime types Zeek will extract from the network streams. description: This is a list of mime types Zeek will extract from the network streams.
load:
description: List of Zeek policies to load
load-sigs:
description: List of Zeek signatures to load
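Review bot: The description on L1653 reads `Enabled CPU pinning` where `Enable CPU pinning` is meant. The new `buffer` node setting and the `networks`/`HOME_NET` and `bpf` defaults added to zeek/defaults.yaml in this commit have no entry here, so if this file drives the SOC configuration UI those settings will be undocumented there; an entry such as `buffer: description: AF_PACKET buffer size in bytes for the Zeek worker` would fill the gap, assuming that is what node.cfg uses the value for, as the `af_packet_buffer_size` line suggests.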