zeek 2.4

pillar/zeek/init.sls

@@ -1,55 +0,0 @@
-zeek:
-  zeekctl:
-    MailTo: root@localhost
-    MailConnectionSummary: 1
-    MinDiskSpace: 5
-    MailHostUpDown: 1
-    LogRotationInterval: 3600
-    LogExpireInterval: 0
-    StatsLogEnable: 1
-    StatsLogExpireInterval: 0
-    StatusCmdShowAll: 0
-    CrashExpireInterval: 0
-    SitePolicyScripts: local.zeek
-    LogDir: /nsm/zeek/logs
-    SpoolDir: /nsm/zeek/spool
-    CfgDir: /opt/zeek/etc
-    CompressLogs: 1
-  local:
-    '@load':
-      - misc/loaded-scripts
-      - tuning/defaults
-      - misc/capture-loss
-      - misc/stats
-      - frameworks/software/vulnerable
-      - frameworks/software/version-changes
-      - protocols/ftp/software
-      - protocols/smtp/software
-      - protocols/ssh/software
-      - protocols/http/software
-      - protocols/dns/detect-external-names
-      - protocols/ftp/detect
-      - protocols/conn/known-hosts
-      - protocols/conn/known-services
-      - protocols/ssl/known-certs
-      - protocols/ssl/validate-certs
-      - protocols/ssl/log-hostcerts-only
-      - protocols/ssh/geo-data
-      - protocols/ssh/detect-bruteforcing
-      - protocols/ssh/interesting-hostnames
-      - protocols/http/detect-sqli
-      - frameworks/files/hash-all-files
-      - frameworks/files/detect-MHR
-      - policy/frameworks/notice/extend-email/hostnames
-      - ja3
-      - hassh
-      - intel
-      - cve-2020-0601
-      - securityonion/bpfconf
-      - securityonion/communityid
-      - securityonion/file-extraction
-    '@load-sigs':
-      - frameworks/signatures/detect-windows-shells
-    redef:
-      - LogAscii::use_json = T;
-      - CaptureLoss::watch_interval = 5 mins;

salt/vars/sensor.map.jinja

@@ -1,6 +1,9 @@
 {% set ROLE_GLOBALS = {} %}
 
-{% set SENSOR_GLOBALS = []
+{% set SENSOR_GLOBALS = {
+    'sensor': {
+      'interface': INIT.PILLAR.sensor.interface
+   }
 %}
 
 {% for sg in SENSOR_GLOBALS %}

salt/zeek/config.map.jinja

@@ -1,10 +1,9 @@
+{% from 'vars/sensor.map.jinja' import GLOBALS %}
 {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
-{% set zeek_pillar = pillar.zeek %}
+{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
-{% do ZEEKMERGED.zeek.config.node.update({'interface': pillar.sensor.interface})%} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
+{% do ZEEKMERGED.zeek.config.node.update({'interface': GLOBALS.sensor.interface}) %} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
 {% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
 
-
-
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
 

salt/zeek/defaults.yaml

@@ -20,34 +20,7 @@ zeek:
       SpoolDir: /nsm/zeek/spool
       CfgDir: /opt/zeek/etc
       CompressLogs: 1
-  policy:
+    local:
-    file_extraction:
-      - application/x-dosexec: exe
-      - application/pdf: pdf
-      - application/msword: doc
-      - application/vnd.ms-powerpoint: doc
-      - application/rtf: doc
-      - application/vnd.ms-word.document.macroenabled.12: doc
-      - application/vnd.ms-word.template.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.template.macroenabled.12: doc
-      - application/vnd.ms-excel: doc
-      - application/vnd.ms-excel.addin.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
-      - application/vnd.ms-excel.template.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.template: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
-      - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument: doc
       load:
         - misc/loaded-scripts
         - tuning/defaults
@@ -85,3 +58,33 @@ zeek:
       redef:
         - LogAscii::use_json = T;
         - CaptureLoss::watch_interval = 5 mins;
+    networks:
+      HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+  file_extraction:
+    - application/x-dosexec: exe
+    - application/pdf: pdf
+    - application/msword: doc
+    - application/vnd.ms-powerpoint: doc
+    - application/rtf: doc
+    - application/vnd.ms-word.document.macroenabled.12: doc
+    - application/vnd.ms-word.template.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+    - application/vnd.ms-excel: doc
+    - application/vnd.ms-excel.addin.macroenabled.12: doc
+    - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+    - application/vnd.ms-excel.template.macroenabled.12: doc
+    - application/vnd.ms-excel.sheet.macroenabled.12: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+    - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+    - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+    - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+    - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+    - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+    - application/vnd.openxmlformats-officedocument: doc
+  bpf: []

salt/zeek/files/networks.cfg.jinja

@@ -1,9 +1,5 @@
-{%- if salt['pillar.get']('sensor:hnsensor') %}
+{%- if NETWORKS.HOME_NET %}
-{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
+{%-   for HN in NETWORKS.HOME_NET.split(',') %}
-{%- else %}
-{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
-{%- endif %}
-{%- set HNLIST = HOME_NET.split(',') %}
-{%- for HN in HNLIST %}
 {{ HN }}
 {%-   endfor %}
+{%- endif %}

salt/zeek/files/node.cfg.jinja

@@ -13,22 +13,22 @@ host=localhost
 [worker-1]
 type=worker
 host=localhost
-interface=af_packet::{{ ZEEKNODE.interface }}
+interface=af_packet::{{ NODE.interface }}
 lb_method=custom
-  {%- if ZEEKNODE.lbprocs %}
+  {%- if NODE.lbprocs %}
-lb_procs={{ ZEEKNODE.lbprocs }}
+lb_procs={{ NODE.lbprocs }}
     {%- else %}
-lb_procs={{ ZEEKNODE.zeek_pins | length }}
+lb_procs={{ NODE.zeek_pins | length }}
   {%- endif %}
-  {%- if ZEEKNODE.zeek_pins %}
+  {%- if NODE.zeek_pins %}
-pin_cpus={{ ZEEKNODE.zeek_pins | join(", ") }}
+pin_cpus={{ NODE.zeek_pins | join(", ") }}
   {%- endif %}
 af_packet_fanout_id=23
 af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }}
+af_packet_buffer_size={{ NODE.zeek_buffer }}
 {%- else %}
 [zeeksa]
 type=standalone
 host=localhost
-interface={{ ZEEKNODE.interface }}
+interface={{ NODE.interface }}
 {%- endif %}

salt/zeek/init.sls

@@ -6,15 +6,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
+{% from 'vars/globals.map.jinja' import GLOBALS with context %}
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
 
-{% set VERSION = salt['pillar.get']('global:soversion') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0  %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
 
 # Zeek Salt State
 
@@ -76,6 +72,8 @@ zeekpolicysync:
     - user: 937
     - group: 939
     - template: jinja
+    - defaults:
+        FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }}
 
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
@@ -117,7 +115,7 @@ nodecfg:
     - group: 939
     - template: jinja
     - defaults:
-        ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }}
+        NODE: {{ ZEEKMERGED.zeek.config.node }}
 
 networkscfg:
   file.managed:
@@ -126,6 +124,8 @@ networkscfg:
     - user: 937
     - group: 939
     - template: jinja
+    - defaults:
+        NETWORKS: {{ ZEEKMERGED.zeek.networks }}
 
 #zeekcleanscript:
 #  file.managed:
@@ -159,8 +159,8 @@ zeekpacketlosscron:
     - dayweek: '*'
 
 # BPF compilation and configuration
-{% if BPF_ZEEK %}
+{% if ZEEKMERGED.zeek.bpf %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
    {% if BPF_CALC['stderr'] == "" %}
        {% set BPF_STATUS = 1  %}
   {% else  %}
@@ -178,7 +178,7 @@ zeekbpf:
     - user: 940
     - group: 940
 {% if BPF_STATUS %}
-    - contents_pillar: zeek:bpf
+    - contents: {{ ZEEKMERGED.bpf }}
 {% else %}
     - contents:
       - "ip or not ip"
@@ -193,12 +193,12 @@ localzeek:
     - group: 939
     - template: jinja
     - defaults:
-        LOCAL: {{ ZEEK.local | tojson }}
+        LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
 
 so-zeek:
   docker_container.{{ ZEEKOPTIONS.status }}:
   {% if ZEEKOPTIONS.status == 'running' %}
-    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
+    - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
     - start: {{ ZEEKOPTIONS.start }}
     - privileged: True
     - ulimits:

salt/zeek/policy/securityonion/file-extraction/extract.zeek

@@ -1,5 +1,3 @@
-{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
-{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
 # Directory to stage Zeek extracted files before processing
 redef FileExtract::prefix = "/nsm/zeek/extracted/";
 # Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
 # These are the mimetypes we want to rip off the networks
 export {
     global _mime_whitelist: table[string] of string = {
-        {%- for li in zeek.policy.file_extraction %}
+        {%- for li in FILE_EXTRACTION %}
           {%- if not loop.last %}
           {%- for k,v in li.items() %}
         ["{{ k }}"] = "{{ v }}",