diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
deleted file mode 100644
index 5eeb273b9..000000000
--- a/pillar/zeek/init.sls
+++ /dev/null
@@ -1,55 +0,0 @@
-zeek:
- zeekctl:
- MailTo: root@localhost
- MailConnectionSummary: 1
- MinDiskSpace: 5
- MailHostUpDown: 1
- LogRotationInterval: 3600
- LogExpireInterval: 0
- StatsLogEnable: 1
- StatsLogExpireInterval: 0
- StatusCmdShowAll: 0
- CrashExpireInterval: 0
- SitePolicyScripts: local.zeek
- LogDir: /nsm/zeek/logs
- SpoolDir: /nsm/zeek/spool
- CfgDir: /opt/zeek/etc
- CompressLogs: 1
- local:
- '@load':
- - misc/loaded-scripts
- - tuning/defaults
- - misc/capture-loss
- - misc/stats
- - frameworks/software/vulnerable
- - frameworks/software/version-changes
- - protocols/ftp/software
- - protocols/smtp/software
- - protocols/ssh/software
- - protocols/http/software
- - protocols/dns/detect-external-names
- - protocols/ftp/detect
- - protocols/conn/known-hosts
- - protocols/conn/known-services
- - protocols/ssl/known-certs
- - protocols/ssl/validate-certs
- - protocols/ssl/log-hostcerts-only
- - protocols/ssh/geo-data
- - protocols/ssh/detect-bruteforcing
- - protocols/ssh/interesting-hostnames
- - protocols/http/detect-sqli
- - frameworks/files/hash-all-files
- - frameworks/files/detect-MHR
- - policy/frameworks/notice/extend-email/hostnames
- - ja3
- - hassh
- - intel
- - cve-2020-0601
- - securityonion/bpfconf
- - securityonion/communityid
- - securityonion/file-extraction
- '@load-sigs':
- - frameworks/signatures/detect-windows-shells
- redef:
- - LogAscii::use_json = T;
- - CaptureLoss::watch_interval = 5 mins;
diff --git a/salt/vars/sensor.map.jinja b/salt/vars/sensor.map.jinja
index 477761d7c..33f26de84 100644
--- a/salt/vars/sensor.map.jinja
+++ b/salt/vars/sensor.map.jinja
@@ -1,6 +1,9 @@
 {% set ROLE_GLOBALS = {} %}
-{% set SENSOR_GLOBALS = []
+{% set SENSOR_GLOBALS = {
+ 'sensor': {
+ 'interface': INIT.PILLAR.sensor.interface
+ }
 %}
 {% for sg in SENSOR_GLOBALS %}
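Review bot: `{% for sg in SENSOR_GLOBALS %}` on the hunk's last line now iterates a dict instead of the former empty list, so `sg` is the key `'sensor'` and the loop body (outside this hunk) must index `SENSOR_GLOBALS[sg]` if it expects the nested mapping; worth confirming, because with the old `[]` that body never executed and this change is the first time it runs. `INIT.PILLAR.sensor.interface` is also dereferenced unconditionally, so importing this map on a minion whose pillar has no `sensor` key would fail at render time — a guarded lookup with an explicit default would make that failure mode deliberate rather than accidental. The hunk header counts six old lines but only four are visible here, so some context appears to have been lost in extraction.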
diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja
index e321b3e3f..74e4942c2 100644
--- a/salt/zeek/config.map.jinja
+++ b/salt/zeek/config.map.jinja
@@ -1,10 +1,9 @@
+{% from 'vars/sensor.map.jinja' import GLOBALS %}
 {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
-{% set zeek_pillar = pillar.zeek %}
-{% do ZEEKMERGED.zeek.config.node.update({'interface': pillar.sensor.interface})%} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
+{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
+{% do ZEEKMERGED.zeek.config.node.update({'interface': GLOBALS.sensor.interface}) %} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
 {% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
-
-
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index 8d2a96444..b3cd183cd 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
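Review bot: `{% do ZEEKMERGED.zeek.config.node.update(...) %}` runs one line before `{% set ZEEKMERGED = ... %}`, and since this hunk starts at line 1 nothing in the file defines `ZEEKMERGED` earlier, so the attribute access on an undefined name should fail the render (the same ordering existed before the change, so it may be masked by something I cannot see). The trailing comment says the intent is to seed the interface into the defaults so that a `pillar.zeek.config.node.interface` value still wins after the merge; that matches `{% do zeek_defaults.zeek.config.node.update({'interface': GLOBALS.sensor.interface}) %}` rather than an update of the merged result. Separately, `salt['pillar.get']('zeek', [])` defaults to a list while `defaults.merge` merges a mapping into `zeek_defaults`; `{% set zeek_pillar = salt['pillar.get']('zeek', {}) %}` avoids a type error on minions with no `zeek` pillar.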
@@ -20,68 +20,71 @@ zeek:
 SpoolDir: /nsm/zeek/spool
 CfgDir: /opt/zeek/etc
 CompressLogs: 1
- policy:
- file_extraction:
- - application/x-dosexec: exe
- - application/pdf: pdf
- - application/msword: doc
- - application/vnd.ms-powerpoint: doc
- - application/rtf: doc
- - application/vnd.ms-word.document.macroenabled.12: doc
- - application/vnd.ms-word.template.macroenabled.12: doc
- - application/vnd.ms-powerpoint.template.macroenabled.12: doc
- - application/vnd.ms-excel: doc
- - application/vnd.ms-excel.addin.macroenabled.12: doc
- - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- - application/vnd.ms-excel.template.macroenabled.12: doc
- - application/vnd.ms-excel.sheet.macroenabled.12: doc
- - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- - application/vnd.openxmlformats-officedocument.presentationml.template: doc
- - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
- - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
- - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- - application/vnd.openxmlformats-officedocument: doc
- load:
- - misc/loaded-scripts
- - tuning/defaults
- - misc/capture-loss
- - misc/stats
- - frameworks/software/vulnerable
- - frameworks/software/version-changes
- - protocols/ftp/software
- - protocols/smtp/software
- - protocols/ssh/software
- - protocols/http/software
- - protocols/dns/detect-external-names
- - protocols/ftp/detect
- - protocols/conn/known-hosts
- - protocols/conn/known-services
- - protocols/ssl/known-certs
- - protocols/ssl/validate-certs
- - protocols/ssl/log-hostcerts-only
- - protocols/ssh/geo-data
- - protocols/ssh/detect-bruteforcing
- - protocols/ssh/interesting-hostnames
- - protocols/http/detect-sqli
- - frameworks/files/hash-all-files
- - frameworks/files/detect-MHR
- - policy/frameworks/notice/extend-email/hostnames
- - ja3
- - hassh
- - intel
- - cve-2020-0601
- - securityonion/bpfconf
- - securityonion/communityid
- - securityonion/file-extraction
- load-sigs:
- - frameworks/signatures/detect-windows-shells
- redef:
- - LogAscii::use_json = T;
- - CaptureLoss::watch_interval = 5 mins;
\ No newline at end of file
+ local:
+ load:
+ - misc/loaded-scripts
+ - tuning/defaults
+ - misc/capture-loss
+ - misc/stats
+ - frameworks/software/vulnerable
+ - frameworks/software/version-changes
+ - protocols/ftp/software
+ - protocols/smtp/software
+ - protocols/ssh/software
+ - protocols/http/software
+ - protocols/dns/detect-external-names
+ - protocols/ftp/detect
+ - protocols/conn/known-hosts
+ - protocols/conn/known-services
+ - protocols/ssl/known-certs
+ - protocols/ssl/validate-certs
+ - protocols/ssl/log-hostcerts-only
+ - protocols/ssh/geo-data
+ - protocols/ssh/detect-bruteforcing
+ - protocols/ssh/interesting-hostnames
+ - protocols/http/detect-sqli
+ - frameworks/files/hash-all-files
+ - frameworks/files/detect-MHR
+ - policy/frameworks/notice/extend-email/hostnames
+ - ja3
+ - hassh
+ - intel
+ - cve-2020-0601
+ - securityonion/bpfconf
+ - securityonion/communityid
+ - securityonion/file-extraction
+ load-sigs:
+ - frameworks/signatures/detect-windows-shells
+ redef:
+ - LogAscii::use_json = T;
+ - CaptureLoss::watch_interval = 5 mins;
+ networks:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ file_extraction:
+ - application/x-dosexec: exe
+ - application/pdf: pdf
+ - application/msword: doc
+ - application/vnd.ms-powerpoint: doc
+ - application/rtf: doc
+ - application/vnd.ms-word.document.macroenabled.12: doc
+ - application/vnd.ms-word.template.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+ - application/vnd.ms-excel: doc
+ - application/vnd.ms-excel.addin.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+ - application/vnd.ms-excel.template.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+ - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument: doc
+ bpf: []
diff --git a/salt/zeek/files/networks.cfg.jinja b/salt/zeek/files/networks.cfg.jinja
index f1ee065de..5818380ce 100644
--- a/salt/zeek/files/networks.cfg.jinja
+++ b/salt/zeek/files/networks.cfg.jinja
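Review bot: The new default `HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"` keeps the surrounding brackets, but networks.cfg.jinja in the next hunk only does `split(',')` and prints one entry per line, so the rendered networks.cfg would contain `[192.168.0.0/16` and `172.16.0.0/12]`, which are not valid prefixes for zeekctl and would leave Zeek's local-network definition wrong or rejected. Either store the value unbracketed, `HOME_NET: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"`, or strip the brackets in the template before splitting; if the bracketed form is kept for another consumer, a comment next to the key should say so. The flattened diff hides the YAML indentation, so I cannot confirm under which parent `networks`, `file_extraction` and `bpf` were placed — init.sls reads them through different parents, so the nesting should be checked against those references.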
@@ -1,9 +1,5 @@
-{%- if salt['pillar.get']('sensor:hnsensor') %}
-{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
-{%- else %}
-{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
-{%- endif %}
-{%- set HNLIST = HOME_NET.split(',') %}
-{%- for HN in HNLIST %}
+{%- if NETWORKS.HOME_NET %}
+{%- for HN in NETWORKS.HOME_NET.split(',') %}
 {{ HN }}
-{%- endfor %}
+{%- endfor %}
+{%- endif %}
diff --git a/salt/zeek/files/node.cfg.jinja b/salt/zeek/files/node.cfg.jinja
index 201a2ab6e..f852e2ef0 100644
--- a/salt/zeek/files/node.cfg.jinja
+++ b/salt/zeek/files/node.cfg.jinja
@@ -13,22 +13,22 @@ host=localhost
 [worker-1]
 type=worker
 host=localhost
-interface=af_packet::{{ ZEEKNODE.interface }}
+interface=af_packet::{{ NODE.interface }}
 lb_method=custom
- {%- if ZEEKNODE.lbprocs %}
-lb_procs={{ ZEEKNODE.lbprocs }}
+ {%- if NODE.lbprocs %}
+lb_procs={{ NODE.lbprocs }}
 {%- else %}
-lb_procs={{ ZEEKNODE.zeek_pins | length }}
+lb_procs={{ NODE.zeek_pins | length }}
 {%- endif %}
- {%- if ZEEKNODE.zeek_pins %}
-pin_cpus={{ ZEEKNODE.zeek_pins | join(", ") }}
+ {%- if NODE.zeek_pins %}
+pin_cpus={{ NODE.zeek_pins | join(", ") }}
 {%- endif %}
 af_packet_fanout_id=23
 af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }}
+af_packet_buffer_size={{ NODE.zeek_buffer }}
 {%- else %}
 [zeeksa]
 type=standalone
 host=localhost
-interface={{ ZEEKNODE.interface }}
+interface={{ NODE.interface }}
 {%- endif %}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index e5bc34716..c2b1af5d0 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
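Review bot: The rewrite drops the `sensor:hnsensor` / `global:hnmanager` pillar fallback and reads only `NETWORKS.HOME_NET`, so a deployment that defined its local networks through those pillar keys will, after this change, render the defaults.yaml value instead unless that data is migrated into the `zeek` pillar — and Zeek's distinction between local and remote hosts (`Site::local_nets`, which zeekctl derives from this file) would silently stop matching the site's real address space. If this cut-over is intended, the migration deserves a mention in the commit description; otherwise keep the old pillar lookup as the fallback when `NETWORKS.HOME_NET` is empty. `split(',')` also leaves surrounding whitespace on each entry, so `{{ HN | trim }}` would tolerate `a, b` formatting. The node.cfg.jinja hunk that follows is a pure rename and looks fine.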
@@ -6,15 +6,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS with context %}
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
-{% set VERSION = salt['pillar.get']('global:soversion') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0 %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
 # Zeek Salt State
@@ -76,6 +72,8 @@ zeekpolicysync:
 - user: 937
 - group: 939
 - template: jinja
+ - defaults:
+ FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }}
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
@@ -117,7 +115,7 @@ nodecfg:
 - group: 939
 - template: jinja
 - defaults:
- ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }}
+ NODE: {{ ZEEKMERGED.zeek.config.node }}
 networkscfg:
 file.managed:
@@ -126,6 +124,8 @@ networkscfg:
 - user: 937
 - group: 939
 - template: jinja
+ - defaults:
+ NETWORKS: {{ ZEEKMERGED.zeek.networks }}
 #zeekcleanscript:
 # file.managed:
@@ -159,8 +159,8 @@ zeekpacketlosscron:
 - dayweek: '*'
 # BPF compilation and configuration
-{% if BPF_ZEEK %}
- {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %}
+{% if ZEEKMERGED.zeek.bpf %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
 {% if BPF_CALC['stderr'] == "" %}
 {% set BPF_STATUS = 1 %}
 {% else %}
@@ -178,7 +178,7 @@ zeekbpf:
 - user: 940
 - group: 940
 {% if BPF_STATUS %}
- - contents_pillar: zeek:bpf
+ - contents: {{ ZEEKMERGED.bpf }}
 {% else %}
 - contents:
 - "ip or not ip"
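Review bot: The BPF hunks read the filter from two different paths: the compile guard and the `cmd.script` call use `ZEEKMERGED.zeek.bpf`, while the `zeekbpf` contents line uses `ZEEKMERGED.bpf`; only one of them can match where `bpf: []` sits in defaults.yaml, so the other resolves to an undefined name at render time and the state either fails or writes an empty filter. The same question applies to `ZEEKMERGED.file_extraction` in zeekpolicysync — the only setting read without the `.zeek` prefix — and to `ZEEKMERGED.zeek.config.local` in the localzeek hunk on the next line; the flattened diff hides the YAML nesting, so I can't tell which form is right. Whichever path is correct, emit the list with `- contents: {{ ZEEKMERGED.zeek.bpf | tojson }}` (or `.bpf`) rather than Python's list repr, as the localzeek hunk already does for LOCAL, so a filter containing quotes or colons still parses as YAML. The first hunk's removed `BPF_ZEEK`/`INTERFACE` sets are fully replaced by the merged values and `GLOBALS`, which looks consistent.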
@@ -193,12 +193,12 @@ localzeek:
 - group: 939
 - template: jinja
 - defaults:
- LOCAL: {{ ZEEK.local | tojson }}
+ LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
 so-zeek:
 docker_container.{{ ZEEKOPTIONS.status }}:
 {% if ZEEKOPTIONS.status == 'running' %}
- - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
+ - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
 - start: {{ ZEEKOPTIONS.start }}
 - privileged: True
 - ulimits:
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index 8cdaf42dd..d4ba0551e 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -1,5 +1,3 @@
-{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
-{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
 # Directory to stage Zeek extracted files before processing
 redef FileExtract::prefix = "/nsm/zeek/extracted/";
 # Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
 # These are the mimetypes we want to rip off the networks
 export {
 global _mime_whitelist: table[string] of string = {
- {%- for li in zeek.policy.file_extraction %}
+ {%- for li in FILE_EXTRACTION %}
 {%- if not loop.last %}
 {%- for k,v in li.items() %}
 ["{{ k }}"] = "{{ v }}",
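Review bot: `FILE_EXTRACTION` is now an undeclared input of this template: the removed `import_yaml`/`filter_by` lines made the file self-contained, and the loop in the second hunk relies on the `defaults:` that the `zeekpolicysync` state in salt/zeek/init.sls passes in. A header comment should record that contract, e.g. `# FILE_EXTRACTION is supplied by the zeekpolicysync state (salt/zeek/init.sls): a list of single-key mappings, mime-type -> file extension`. If the defaults are ever missing the render fails rather than yielding an empty whitelist, which is the preferable failure for an extraction policy — a silently empty table would stop all file extraction without any error — so no `| default([])` fallback should be added here. The `{%- if not loop.last %}` trailing-comma handling continues outside the hunk.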