mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-08 18:22:47 +01:00
Merge branch 'kilo' of github.com:security-onion-solutions/securityonion into kilo
This commit is contained in:
Corey Ogburn
@@ -8,7 +8,7 @@ idstools:
|
|||||||
global: True
|
global: True
|
||||||
helpLink: rules.html
|
helpLink: rules.html
|
||||||
ruleset:
|
ruleset:
|
||||||
description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
|
description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO. -- WARNING -- Changing the ruleset will remove all existing Suricata rules of the previous ruleset and their associated overrides.'
|
||||||
global: True
|
global: True
|
||||||
regex: ETPRO\b|ETOPEN\b
|
regex: ETPRO\b|ETOPEN\b
|
||||||
helpLink: rules.html
|
helpLink: rules.html
|
||||||
|
|||||||
@@ -9,9 +9,16 @@
|
|||||||
include:
|
include:
|
||||||
- manager.sync_es_users
|
- manager.sync_es_users
|
||||||
|
|
||||||
|
socdirtest:
|
||||||
|
file.directory:
|
||||||
|
- name: /opt/so/rules/elastalert/rules
|
||||||
|
- user: 939
|
||||||
|
- group: 939
|
||||||
|
- makedirs: True
|
||||||
|
|
||||||
socdir:
|
socdir:
|
||||||
file.directory:
|
file.directory:
|
||||||
- name: /opt/so/conf/soc
|
- name: /opt/so/conf/soc/fingerprints
|
||||||
- user: 939
|
- user: 939
|
||||||
- group: 939
|
- group: 939
|
||||||
- makedirs: True
|
- makedirs: True
|
||||||
|
|||||||
@@ -1006,7 +1006,7 @@ soc:
|
|||||||
communityRulesImportFrequencySeconds: 180
|
communityRulesImportFrequencySeconds: 180
|
||||||
elastAlertRulesFolder: /opt/sensoroni/elastalert
|
elastAlertRulesFolder: /opt/sensoroni/elastalert
|
||||||
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
|
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
|
||||||
sigmaRulePackages: all
|
sigmaRulePackages: core
|
||||||
elastic:
|
elastic:
|
||||||
hostUrl:
|
hostUrl:
|
||||||
remoteHostUrls: []
|
remoteHostUrls: []
|
||||||
@@ -1050,10 +1050,10 @@ soc:
|
|||||||
- rbac/users_roles
|
- rbac/users_roles
|
||||||
strelkaengine:
|
strelkaengine:
|
||||||
compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py
|
compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py
|
||||||
reposFolder: /nsm/rules/strelka/repos
|
reposFolder: /opt/sensoroni/yara/repos
|
||||||
rulesRepos:
|
rulesRepos:
|
||||||
- https://github.com/Security-Onion-Solutions/securityonion-yara
|
- https://github.com/Security-Onion-Solutions/securityonion-yara
|
||||||
yaraRulesFolder: /opt/sensoroni/yara
|
yaraRulesFolder: /opt/sensoroni/yara/rules
|
||||||
suricataengine:
|
suricataengine:
|
||||||
communityRulesFile: /nsm/rules/suricata/emerging-all.rules
|
communityRulesFile: /nsm/rules/suricata/emerging-all.rules
|
||||||
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
|
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
|
||||||
@@ -1770,21 +1770,23 @@ soc:
|
|||||||
- so_detection.title
|
- so_detection.title
|
||||||
- so_detection.isEnabled
|
- so_detection.isEnabled
|
||||||
- so_detection.language
|
- so_detection.language
|
||||||
- "@timestamp"
|
- so_detection.severity
|
||||||
queries:
|
queries:
|
||||||
- name: "All Detections"
|
- name: "All Detections"
|
||||||
query: "_id:*"
|
query: "_id:*"
|
||||||
- name: "Local Rules"
|
- name: "Custom Detections"
|
||||||
query: "so_detection.isCommunity:false"
|
query: "so_detection.isCommunity:false"
|
||||||
- name: "Enabled"
|
- name: "All Detections - Enabled"
|
||||||
query: "so_detection.isEnabled:true"
|
query: "so_detection.isEnabled:true"
|
||||||
- name: "Disabled"
|
- name: "All Detections - Disabled"
|
||||||
query: "so_detection.isEnabled:false"
|
query: "so_detection.isEnabled:false"
|
||||||
- name: "Suricata"
|
- name: "Detection Type - Suricata (NIDS)"
|
||||||
query: "so_detection.language:suricata"
|
query: "so_detection.language:suricata"
|
||||||
- name: "Sigma"
|
- name: "Detection Type - Sigma - All"
|
||||||
query: "so_detection.language:sigma"
|
query: "so_detection.language:sigma"
|
||||||
- name: "Yara"
|
- name: "Detection Type - Sigma - Windows"
|
||||||
|
query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
|
||||||
|
- name: "Detection Type - Yara (Strelka)"
|
||||||
query: "so_detection.language:yara"
|
query: "so_detection.language:yara"
|
||||||
detection:
|
detection:
|
||||||
presets:
|
presets:
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ so-soc:
|
|||||||
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
|
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
|
||||||
- binds:
|
- binds:
|
||||||
- /nsm/rules:/nsm/rules:rw #Need to tighten this up?
|
- /nsm/rules:/nsm/rules:rw #Need to tighten this up?
|
||||||
- /opt/so/rules/yara:/opt/sensoroni/yara:rw
|
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
|
||||||
- /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
|
- /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
|
||||||
- /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
|
- /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
|
||||||
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw
|
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw
|
||||||
|
|||||||
@@ -72,7 +72,7 @@ soc:
|
|||||||
modules:
|
modules:
|
||||||
elastalertengine:
|
elastalertengine:
|
||||||
sigmaRulePackages:
|
sigmaRulePackages:
|
||||||
description: 'One of the following: core | core+ | core++ | all'
|
description: 'Defines the Sigma Community Ruleset you want to run: core | core+ | core++ | all. -- WARNING -- Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides.'
|
||||||
global: True
|
global: True
|
||||||
advanced: False
|
advanced: False
|
||||||
elastic:
|
elastic:
|
||||||
|
|||||||
Reference in New Issue
Block a user