CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

merge in 2.4./firewall changes

Browse Source
This commit is contained in:
m0duspwnens
2022-09-22 10:55:39 -04:00
parent 85339d7cb1 2995ae32bd
commit c77fcc74c1
35 changed files with 1168 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@@ -1,6 +1,6 @@
## Security Onion 2.3.120
## Security Onion 2.4.0
Security Onion 2.3.120 is here!
Security Onion 2.4.0 is here!
## Screenshots
@@ -12,24 +12,24 @@ Hunt
### Release Notes
https://docs.securityonion.net/en/2.3/release-notes.html
https://docs.securityonion.net/en/2.4/release-notes.html
### Requirements
https://docs.securityonion.net/en/2.3/hardware.html
https://docs.securityonion.net/en/2.4/hardware.html
### Download
https://docs.securityonion.net/en/2.3/download.html
https://docs.securityonion.net/en/2.4/download.html
### Installation
https://docs.securityonion.net/en/2.3/installation.html
https://docs.securityonion.net/en/2.4/installation.html
### FAQ
https://docs.securityonion.net/en/2.3/faq.html
https://docs.securityonion.net/en/2.4/faq.html
### Feedback
https://docs.securityonion.net/en/2.3/community-support.html
https://docs.securityonion.net/en/2.4/community-support.html

1
files/firewall/portgroups.local.yaml
View File

@@ -1,3 +1,2 @@
firewall:
aliases:
ports:

54
pillar/zeek/init.sls
View File

@@ -1,55 +1 @@
zeek:
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
MinDiskSpace: 5
MailHostUpDown: 1
LogRotationInterval: 3600
LogExpireInterval: 0
StatsLogEnable: 1
StatsLogExpireInterval: 0
StatusCmdShowAll: 0
CrashExpireInterval: 0
SitePolicyScripts: local.zeek
LogDir: /nsm/zeek/logs
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
local:
'@load':
- misc/loaded-scripts
- tuning/defaults
- misc/capture-loss
- misc/stats
- frameworks/software/vulnerable
- frameworks/software/version-changes
- protocols/ftp/software
- protocols/smtp/software
- protocols/ssh/software
- protocols/http/software
- protocols/dns/detect-external-names
- protocols/ftp/detect
- protocols/conn/known-hosts
- protocols/conn/known-services
- protocols/ssl/known-certs
- protocols/ssl/validate-certs
- protocols/ssl/log-hostcerts-only
- protocols/ssh/geo-data
- protocols/ssh/detect-bruteforcing
- protocols/ssh/interesting-hostnames
- protocols/http/detect-sqli
- frameworks/files/hash-all-files
- frameworks/files/detect-MHR
- policy/frameworks/notice/extend-email/hostnames
- ja3
- hassh
- intel
- cve-2020-0601
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
'@load-sigs':
- frameworks/signatures/detect-windows-shells
redef:
- LogAscii::use_json = T;
- CaptureLoss::watch_interval = 5 mins;

44
salt/elasticsearch/defaults.yaml
View File

@@ -80,8 +80,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.apm_server@package"
- "so-logs-elastic_agent.apm_server@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -114,8 +114,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.auditbeat@package"
- "so-logs-elastic_agent.auditbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -148,8 +148,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.cloudbeat@package"
- "so-logs-elastic_agent.cloudbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -182,8 +182,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.endpoint_security@package"
- "so-logs-elastic_agent.endpoint_security@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -216,8 +216,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.filebeat@package"
- "so-logs-elastic_agent.filebeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -250,8 +250,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.fleet_server@package"
- "so-logs-elastic_agent.fleet_server@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -284,8 +284,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.heartbeat@package"
- "so-logs-elastic_agent.heartbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -318,8 +318,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent@package"
- "so-logs-elastic_agent@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -352,8 +352,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.metricbeat@package"
- "so-logs-elastic_agent.metricbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -386,8 +386,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.osquerybeat@package"
- "so-logs-elastic_agent.osquerybeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:
@@ -420,8 +420,8 @@ elasticsearch:
composed_of:
- "so-logs-elastic_agent.packetbeat@package"
- "so-logs-elastic_agent.packetbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 500
_meta:
package:

9
salt/elasticsearch/files/ingest/sysmon
View File

@@ -25,6 +25,11 @@
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
{ "kv": {"field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "kv": {"field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing":true } },
{ "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing":true } },
{ "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing":true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
@@ -64,6 +69,10 @@
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } },
{ "community_id": {} }
]
}

9
salt/elasticsearch/init.sls
View File

@@ -346,6 +346,15 @@ append_so-elasticsearch_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elasticsearch
so-es-cluster-settings:
cmd.run:
- name: /usr/sbin/so-elasticsearch-cluster-settings
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: es_sync_scripts
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load

74
salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json Normal file
View File

@@ -0,0 +1,74 @@
{
"component_templates": [
{
"name": "so-fleet_agent_id_verification-1",
"component_template": {
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"final_pipeline": ".fleet_final_pipeline-1"
}
},
"mappings": {
"properties": {
"event": {
"properties": {
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"type": "date"
}
}
}
}
}
},
"_meta": {
"managed_by": "fleet",
"managed": true
}
}
}
]
}

73
salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json Normal file
View File

@@ -0,0 +1,73 @@
{
"component_templates": [
{
"name": "so-fleet_globals-1",
"component_template": {
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"_meta": {
"managed_by": "security_onion",
"managed": true
},
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
}
},
"_meta": {
"managed_by": "security_onion",
"managed": true
}
}
}
]
}

30
salt/elasticsearch/templates/component/so/so-scan-mappings.json
View File

@@ -62,6 +62,13 @@
}
}
}
},
"elf": {
"properties": {
"sections": {
"properties": {
"entropy": {
"type": "long"
}
}
}
@@ -69,3 +76,26 @@
}
}
}
}
}
}
}

36
salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings Executable file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
{% set ES = salt['pillar.get']('manager:mainip', '') %}
{% set MANAGER = salt['grains.get']('master') %}
ELASTICSEARCH_PORT=9200
# Wait for ElasticSearch to come up, so that we can query for version infromation
echo -n "Waiting for ElasticSearch..."
COUNT=0
ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 30 ]]; do
curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://localhost:"$ELASTICSEARCH_PORT"
if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes"
echo "connected!"
break
else
((COUNT+=1))
sleep 1
echo -n "."
fi
done
if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'"
echo
exit
fi
# Check to see if config already exists
CLUSTER_SETTINGS=$(so-elasticsearch-query _cluster/settings | jq .persistent.cluster.remote)
if [[ ! -z "$CLUSTER_SETTINGS" ]]; then
echo "Applying cross cluster search config..."
so-elasticsearch-query _cluster/settings -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" -XPUT
fi

2
salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
View File

@@ -58,7 +58,7 @@ echo
cd ${ELASTICSEARCH_TEMPLATES}/index
echo "Loading Security Onion index templates..."
for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
echo
cd - >/dev/null

567
salt/firewall/assigned_hostgroups.map.yaml Normal file
View File

@@ -0,0 +1,567 @@
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{% import_yaml 'firewall/portgroups.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.aliases.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
role:
eval:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.agrules }}
{% endif %}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.yum }}
{% endif %}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
self:
portgroups:
- {{ portgroups.syslog}}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
endgame:
portgroups:
- {{ portgroups.endgame }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
managersearch:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
standalone:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
helixsensor:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.cortex }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.cortex_es_rest }}
- {{ portgroups.cortex_es_node }}
minion:
portgroups:
- {{ portgroups.acng }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
{% if TRUE_CLUSTER %}
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
{% endif %}
self:
portgroups:
- {{ portgroups.syslog}}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- {{ portgroups.syslog}}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
self:
portgroups:
- {{ portgroups.syslog}}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
minion:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
minion:
portgroups:
- {{ portgroups.salt_manager }}
receiver:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.beats_5644 }}
self:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.syslog}}
- {{ portgroups.beats_5644 }}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
endgame:
portgroups:
- {{ portgroups.endgame }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
{% set idh_services = salt['pillar.get']('idh:services', []) %}
{% for service in idh_services %}
- {{ portgroups['idh_'~service] }}
{% endfor %}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
manager:
portgroups:
- {{ portgroups.ssh }}

0
salt/firewall/hostgroups/beats_endpoint Normal file
View File

0
salt/firewall/hostgroups/beats_endpoint_ssl Normal file
View File

0
salt/firewall/hostgroups/elastic_agent_endpoint Normal file
View File

0
salt/firewall/hostgroups/elasticsearch_rest Normal file
View File

0
salt/firewall/hostgroups/endgame Normal file
View File

0
salt/firewall/hostgroups/minion Normal file
View File

0
salt/firewall/hostgroups/strelka_frontend Normal file
View File

0
salt/firewall/hostgroups/syslog Normal file
View File

33
salt/firewall/map.jinja
View File

@@ -1,8 +1,8 @@
{% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %}
{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.aliases.ports %}
{% set local_portgroups = local_portgroups.firewall.aliases.ports %}
@@ -13,7 +13,34 @@
{% set defined_portgroups = portgroups %}
{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %}
{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = [
'analyst',
'analyst_workstations',
'eval',
'heavynodes',
'idh',
'manager',
'minion',
'receivers',
'searchnodes',
'sensors',
'standalone',
'beats_endpoint',
'beats_endpoint_ssl',
'elasticsearch_rest',
'elastic_agent_endpoint',
'endgame',
'strelka_frontend',
'syslog'
]
%}
{% for hg in hostgroup_list %}
{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}

2
salt/grafana/dashboards/common_template.json.jinja
View File

@@ -57,6 +57,8 @@
"title": "{{ TITLE }}",
{% if TITLE | lower == 'security onion grid overview' %}
"uid": "so_overview",
{% else %}
"uid": "{{ UID }}",
{% endif %}
"version": 1
}

1
salt/grafana/init.sls
View File

@@ -117,6 +117,7 @@ so-grafana-dashboard-folder-delete:
TEMPLATES: {{GRAFANA_SETTINGS.dashboards[dashboard].templating.list}}
TITLE: {{ GRAFANA_SETTINGS.dashboards[dashboard].get('title', dashboard| capitalize) }}
ID: {{ loop.index }}
UID: {{ dashboard }}
{% endfor %}
so-grafana:

105
salt/soc/defaults.yaml
View File

@@ -64,7 +64,7 @@ soc:
remoteHostUrls: []
username:
password:
index: '*:so-*,*:endgame-*'
index: '*:so-*,*:endgame-*,*:logs-*'
cacheMs: 300000
verifyCert: false
casesEnabled: true
@@ -93,7 +93,7 @@ soc:
client:
docsUrl: /docs/
cheatsheetUrl: /docs/cheatsheet.pdf
releaseNotesUrl: /docs/#release-notes
releaseNotesUrl: /docs/release-notes.html
apiTimeoutMs: 0
webSocketTimeoutMs: 0
tipTimeoutMs: 0
@@ -656,10 +656,53 @@ soc:
- destination.geo.country_iso_code
- user.name
- source.ip
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
'::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
'::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
queryBaseFilter:
queryToggleFilters:
- name: caseExcludeToggle
filter: NOT _index:\"*:so-case*\"
filter: 'NOT _index:"*:so-case*"'
enabled: true
queries:
- name: Default Query
@@ -680,6 +723,9 @@ soc:
- name: NIDS Alerts
description: Show all NIDS alerts grouped by alert
query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name'
- name: Osquery - Live Query
description: Show all Osquery Live Query results
query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname'
- name: Wazuh/OSSEC Alerts
description: Show all Wazuh alerts at Level 5 or higher grouped by category
query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
@@ -794,9 +840,6 @@ soc:
- name: NTLM
description: NTLM grouped by computer name
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name'
- name: Osquery Live Queries
description: Osquery Live Query results grouped by computer name
query: 'event.dataset:live_query | groupby host.hostname'
- name: PE
description: PE files list
query: 'event.dataset:pe | groupby file.machine file.os file.subsystem'
@@ -1373,9 +1416,52 @@ soc:
- destination.geo.country_iso_code
- user.name
- source.ip
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
'::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
'::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
queryBaseFilter:
queryToggleFilters:
- name: caseExcludeToggle,
- name: caseExcludeToggle
filter: 'NOT _index:"*:so-case*"'
enabled: true
queries:
@@ -1454,9 +1540,6 @@ soc:
- name: NTLM
description: NTLM logs
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Osquery Live Queries
description: Osquery Live Query results
query: 'event.dataset:live_query | groupby host.hostname'
- name: PE
description: PE files list
query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
@@ -1601,7 +1684,7 @@ soc:
- so_case.severity
- so_case.assigneeId
- so_case.createTime
queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case'
queryBaseFilter: '_index:"*:so-case" AND so_kind:case'
queryToggleFilters: []
queries:
- name: Open Cases

18
salt/soc/files/soc/motd.md
View File

@@ -6,22 +6,8 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
## What's New
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/#release-notes) link.
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
## Customize This Space
Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. To learn more about the format, please see [markdownguide.org](https://www.markdownguide.org/).
To customize this content, login to the manager via SSH and execute the following command:
```bash
sudo cp /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/
```
Then edit the new file as desired using your favorite text editor.
Finally, restart SOC to make the changes take effect:
```bash
sudo so-soc-restart
```
Make this area your own by customizing the content in the [Config](/#/config) interface.

10
salt/vars/sensor.map.jinja
View File

@@ -1,8 +1,10 @@
{% set ROLE_GLOBALS = {} %}
{% set SENSOR_GLOBALS = []
{% set SENSOR_GLOBALS = {
'sensor': {
'interface': pillar.sensor.interface
}
}
%}
{% for sg in SENSOR_GLOBALS %}
{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
{% endfor %}
{% do salt['defaults.merge'](ROLE_GLOBALS, SENSOR_GLOBALS, merge_lists=False, in_place=True) %}

6
salt/zeek/config.map.jinja
View File

@@ -1,3 +1,9 @@
{% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
{% set ZEEKOPTIONS = {} %}
{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}

70
salt/zeek/defaults.yaml
View File

@@ -1,9 +1,10 @@
zeek:
config:
node:
lb_procs: 1
zeek_pins_enabled: False
zeek_pins: []
lb_procs: 0
pins_enabled: False
pins: []
buffer: 128*1024*1024
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
@@ -20,35 +21,8 @@ zeek:
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
policy:
file_extraction:
- application/x-dosexec: exe
- application/pdf: pdf
- application/msword: doc
- application/vnd.ms-powerpoint: doc
- application/rtf: doc
- application/vnd.ms-word.document.macroenabled.12: doc
- application/vnd.ms-word.template.macroenabled.12: doc
- application/vnd.ms-powerpoint.template.macroenabled.12: doc
- application/vnd.ms-excel: doc
- application/vnd.ms-excel.addin.macroenabled.12: doc
- application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- application/vnd.ms-excel.template.macroenabled.12: doc
- application/vnd.ms-excel.sheet.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- application/vnd.openxmlformats-officedocument.presentationml.template: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
- application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument: doc
load:
local:
'@load':
- misc/loaded-scripts
- tuning/defaults
- misc/capture-loss
@@ -80,8 +54,38 @@ zeek:
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
load-sigs:
'@load-sigs':
- frameworks/signatures/detect-windows-shells
redef:
- LogAscii::use_json = T;
- CaptureLoss::watch_interval = 5 mins;
networks:
HOME_NET: 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
file_extraction:
- application/x-dosexec: exe
- application/pdf: pdf
- application/msword: doc
- application/vnd.ms-powerpoint: doc
- application/rtf: doc
- application/vnd.ms-word.document.macroenabled.12: doc
- application/vnd.ms-word.template.macroenabled.12: doc
- application/vnd.ms-powerpoint.template.macroenabled.12: doc
- application/vnd.ms-excel: doc
- application/vnd.ms-excel.addin.macroenabled.12: doc
- application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- application/vnd.ms-excel.template.macroenabled.12: doc
- application/vnd.ms-excel.sheet.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- application/vnd.openxmlformats-officedocument.presentationml.template: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
- application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument: doc
bpf: []

10
salt/zeek/files/networks.cfg.jinja
View File

@@ -1,9 +1,5 @@
{%- if salt['pillar.get']('sensor:hnsensor') %}
{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
{%- else %}
{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
{%- endif %}
{%- set HNLIST = HOME_NET.split(',') %}
{%- for HN in HNLIST %}
{%- if NETWORKS.HOME_NET %}
{%- for HN in NETWORKS.HOME_NET.split(',') %}
{{ HN }}
{%- endfor %}
{%- endif %}

45
salt/zeek/files/node.cfg
View File

@@ -1,45 +0,0 @@
{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
{%- if salt['pillar.get']('sensor:zeek_proxies') %}
{%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
{%- else %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
{%- else %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
{%- endif %}
{%- endif %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ interface }}
lb_method=custom
{%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
{%- else %}
lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
{%- endif %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ interface }}
{%- endif %}

35
salt/zeek/files/node.cfg.jinja Normal file
View File

@@ -0,0 +1,35 @@
{%- if NODE.pins or NODE.lb_procs %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ NODE.interface }}
lb_method=custom
{%- if NODE.lb_procs %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
lb_procs={{ NODE.pins | length }}
{%- endif %}
{%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ NODE.buffer }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ NODE.interface }}
{%- endif %}

29
salt/zeek/init.sls
View File

@@ -6,16 +6,11 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS with context %}
{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
{% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
{% set VERSION = salt['pillar.get']('global:soversion') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', {}) %}
{% set BPF_STATUS = 0 %}
{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
{% set ZEEK = salt['pillar.get']('zeek', {}) %}
# Zeek Salt State
@@ -77,6 +72,8 @@ zeekpolicysync:
- user: 937
- group: 939
- template: jinja
- defaults:
FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
# Ensure the zeek spool tree (and state.db) ownership is correct
zeekspoolownership:
@@ -107,16 +104,18 @@ zeekctlcfg:
- group: 939
- template: jinja
- defaults:
ZEEKCTL: {{ ZEEK.zeekctl | tojson }}
ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
# Sync node.cfg
nodecfg:
file.managed:
- name: /opt/so/conf/zeek/node.cfg
- source: salt://zeek/files/node.cfg
- source: salt://zeek/files/node.cfg.jinja
- user: 937
- group: 939
- template: jinja
- defaults:
NODE: {{ ZEEKMERGED.zeek.config.node }}
networkscfg:
file.managed:
@@ -125,6 +124,8 @@ networkscfg:
- user: 937
- group: 939
- template: jinja
- defaults:
NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
#zeekcleanscript:
# file.managed:
@@ -158,8 +159,8 @@ zeekpacketlosscron:
- dayweek: '*'
# BPF compilation and configuration
{% if BPF_ZEEK %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %}
{% if ZEEKMERGED.zeek.bpf %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
@@ -177,7 +178,7 @@ zeekbpf:
- user: 940
- group: 940
{% if BPF_STATUS %}
- contents_pillar: zeek:bpf
- contents: {{ ZEEKMERGED.bpf }}
{% else %}
- contents:
- "ip or not ip"
@@ -192,12 +193,12 @@ localzeek:
- group: 939
- template: jinja
- defaults:
LOCAL: {{ ZEEK.local | tojson }}
LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
so-zeek:
docker_container.{{ ZEEKOPTIONS.status }}:
{% if ZEEKOPTIONS.status == 'running' %}
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
- image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: {{ ZEEKOPTIONS.start }}
- privileged: True
- ulimits:

4
salt/zeek/policy/securityonion/file-extraction/extract.zeek
View File

@@ -1,5 +1,3 @@
{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
# Directory to stage Zeek extracted files before processing
redef FileExtract::prefix = "/nsm/zeek/extracted/";
# Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
# These are the mimetypes we want to rip off the networks
export {
global _mime_whitelist: table[string] of string = {
{%- for li in zeek.policy.file_extraction %}
{%- for li in FILE_EXTRACTION %}
{%- if not loop.last %}
{%- for k,v in li.items() %}
["{{ k }}"] = "{{ v }}",

19
salt/zeek/soc_zeek.yaml
View File

@@ -3,16 +3,23 @@ zeek:
enabled:
description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
config:
local:
'@load':
description: List of Zeek policies to load
'@load-sigs':
description: List of Zeek signatures to load
node:
lb_procs:
description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
node: True
zeek_pins_enabled:
description:
pins_enabled:
description: Enabled CPU pinning
node: True
zeek_pins:
description: List of CPUs you want to
advanced: True
pins:
description: List of CPUs you want to pin to
node: True
advanced: True
zeekctl:
CompressLogs:
description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
@@ -26,8 +33,4 @@ zeek:
advanced: True
file_extraction:
description: This is a list of mime types Zeek will extract from the network streams.
load:
description: List of Zeek policies to load
load-sigs:
description: List of Zeek signatures to load