IDH - Play tweaks, Setup summary, log rotate

2025-12-06 17:22:49 +01:00 · 2022-02-24 19:57:11 -05:00
parent fbc702375c
commit cf7325a546
20 changed files with 93 additions and 22 deletions
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -23,6 +23,7 @@
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
 /opt/so/log/logscan/*.log
 /nsm/idh/*.log
 {
    {{ logrotate_conf | indent(width=4) }}
 }
--- a/salt/idh/defaults/http.defaults.yaml
+++ b/salt/idh/defaults/http.defaults.yaml
@@ -4,7 +4,7 @@ idh:
      http.banner: Apache/2.2.34 (Ubuntu)
      http.enabled: true
      http.port: 80
-      http.skin: basicLogin
+      http.skin: nasLogin
      http.skin.list:
      - desc: Plain HTML Login
        name: basicLogin
--- a/salt/idh/plays/idh_ftp.yml
+++ b/salt/idh/plays/idh_ftp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 2000
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_git.yml
+++ b/salt/idh/plays/idh_git.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 16001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_http_get.yml
+++ b/salt/idh/plays/idh_http_get.yml
@@ -1,7 +1,7 @@
 title: SO IDH - HTTP Accessed
 id: 34300b04-3350-4f4b-bf8c-9bfbfdc9914f
 status: experimental
-description: Detects when the HTTP service on a SO IDH node has had a Get request (logtype 3000), or a login attempt (logtype 3001).
+description: Detects when the HTTP service on a SO IDH node has had a Get request.
 author: Security Onion Solutions
 license: MIT
 references: 
@@ -12,9 +12,11 @@ logsource:
 detection:
  selection:
    logtype:
-    - 3000 #Get request
+    - 3000
-    - 3001 #Login attempt
+  custom_filter:
-  condition: selection
+    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_http_login.yml
+++ b/salt/idh/plays/idh_http_login.yml
@@ -0,0 +1,24 @@
 title: SO IDH - HTTP Login Attempt
 id: 19449e62-93fa-40bd-8d0a-2564535d3652
 status: experimental
 description: Detects when the HTTP service on a SO IDH node has had a login attempt.
 author: Security Onion Solutions
 license: MIT
 references: 
  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
  product: opencanary
 detection:
  selection:
    logtype:
    - 3001
  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
  - source.ip
 level: critical
--- a/salt/idh/plays/idh_httpproxy.yml
+++ b/salt/idh/plays/idh_httpproxy.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 7001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_mssql.yml
+++ b/salt/idh/plays/idh_mssql.yml
@@ -14,7 +14,10 @@ detection:
    logtype:
    - 9001 #SQL Auth
    - 9002 #Windows Auth
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_mysql.yml
+++ b/salt/idh/plays/idh_mysql.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 8001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_ntp.yml
+++ b/salt/idh/plays/idh_ntp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 11001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_redis.yml
+++ b/salt/idh/plays/idh_redis.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 17001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_sip.yml
+++ b/salt/idh/plays/idh_sip.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 15001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_smb.yml
+++ b/salt/idh/plays/idh_smb.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 5000
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_snmp.yml
+++ b/salt/idh/plays/idh_snmp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 13001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_ssh.yml
+++ b/salt/idh/plays/idh_ssh.yml
@@ -15,7 +15,10 @@ detection:
    - 4000 
    - 4001
    - 4002
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_telnet.yml
+++ b/salt/idh/plays/idh_telnet.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 6001 
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_tftp.yml
+++ b/salt/idh/plays/idh_tftp.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 10001
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/salt/idh/plays/idh_vnc.yml
+++ b/salt/idh/plays/idh_vnc.yml
@@ -13,7 +13,10 @@ detection:
  selection:
    logtype:
    - 12001 
-  condition: selection
+  custom_filter:
    source.ip:
    - x.x.x.x
  condition: selection #and not custom_filter
 falsepositives:
  - None
 fields:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -451,7 +451,7 @@ collect_idh_services() {
 	whiptail_idh_services
 	case "$idh_services" in
-		'Linux Webserver')
+		'Linux Webserver (NAS Skin)')
 			idh_services=("HTTP" "FTP" "SSH")
 		;;
 		'MySQL Server')
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -732,10 +732,10 @@ whiptail_idh_services() {
 	idh_services=$(whiptail --title "$whiptail_title" --radiolist \
 		"\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \
-		"Linux Webserver" "Apache (80), FTP (21), SSH (22)" ON \
+		"Linux Webserver (NAS Skin)" "Apache (80), FTP (21), SSH (22)" ON \
 		"MySQL Server" "MySQL (3306), SSH (22)" OFF \
 		"MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \
-		"Custom" "Select a custom set of services on next screen" OFF 3>&1 1>&2 2>&3 )
+		"Custom" "Select a custom set of services" OFF 3>&1 1>&2 2>&3 )
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1784,6 +1784,8 @@ whiptail_setup_complete() {
 			local sentence_prefix="Run so-allow after reboot to access"
 		fi
 		local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n"
 	elif [[ $is_idh ]]; then
 		local accessMessage="SSH for this node has been moved to TCP/2222, accessible only from the Manager node."
 	else
 		local accessMessage=""
 	fi