zeek 2.4

2025-12-06 17:22:49 +01:00 · 2022-09-20 11:11:29 -04:00
parent 79785fc053
commit d1ee3a7d04
8 changed files with 99 additions and 155 deletions
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -1,55 +0,0 @@
-zeek:
-  zeekctl:
-    MailTo: root@localhost
-    MailConnectionSummary: 1
-    MinDiskSpace: 5
-    MailHostUpDown: 1
-    LogRotationInterval: 3600
-    LogExpireInterval: 0
-    StatsLogEnable: 1
-    StatsLogExpireInterval: 0
-    StatusCmdShowAll: 0
-    CrashExpireInterval: 0
-    SitePolicyScripts: local.zeek
-    LogDir: /nsm/zeek/logs
-    SpoolDir: /nsm/zeek/spool
-    CfgDir: /opt/zeek/etc
-    CompressLogs: 1
-  local:
-    '@load':
-      - misc/loaded-scripts
-      - tuning/defaults
-      - misc/capture-loss
-      - misc/stats
-      - frameworks/software/vulnerable
-      - frameworks/software/version-changes
-      - protocols/ftp/software
-      - protocols/smtp/software
-      - protocols/ssh/software
-      - protocols/http/software
-      - protocols/dns/detect-external-names
-      - protocols/ftp/detect
-      - protocols/conn/known-hosts
-      - protocols/conn/known-services
-      - protocols/ssl/known-certs
-      - protocols/ssl/validate-certs
-      - protocols/ssl/log-hostcerts-only
-      - protocols/ssh/geo-data
-      - protocols/ssh/detect-bruteforcing
-      - protocols/ssh/interesting-hostnames
-      - protocols/http/detect-sqli
-      - frameworks/files/hash-all-files
-      - frameworks/files/detect-MHR
-      - policy/frameworks/notice/extend-email/hostnames
-      - ja3
-      - hassh
-      - intel
-      - cve-2020-0601
-      - securityonion/bpfconf
-      - securityonion/communityid
-      - securityonion/file-extraction
-    '@load-sigs':
-      - frameworks/signatures/detect-windows-shells
-    redef:
-      - LogAscii::use_json = T;
-      - CaptureLoss::watch_interval = 5 mins;
--- a/salt/vars/sensor.map.jinja
+++ b/salt/vars/sensor.map.jinja
@@ -1,6 +1,9 @@
 {% set ROLE_GLOBALS = {} %}

-{% set SENSOR_GLOBALS = []
+{% set SENSOR_GLOBALS = {
+    'sensor': {
+      'interface': INIT.PILLAR.sensor.interface
+   }
 %}

 {% for sg in SENSOR_GLOBALS %}
--- a/salt/zeek/config.map.jinja
+++ b/salt/zeek/config.map.jinja
@@ -1,10 +1,9 @@
+{% from 'vars/sensor.map.jinja' import GLOBALS %}
 {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
-{% set zeek_pillar = pillar.zeek %}
-{% do ZEEKMERGED.zeek.config.node.update({'interface': pillar.sensor.interface})%} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
+{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
+{% do ZEEKMERGED.zeek.config.node.update({'interface': GLOBALS.sensor.interface}) %} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
 {% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}

-
-
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}

--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -20,34 +20,7 @@ zeek:
      SpoolDir: /nsm/zeek/spool
      CfgDir: /opt/zeek/etc
      CompressLogs: 1
-  policy:
-    file_extraction:
-      - application/x-dosexec: exe
-      - application/pdf: pdf
-      - application/msword: doc
-      - application/vnd.ms-powerpoint: doc
-      - application/rtf: doc
-      - application/vnd.ms-word.document.macroenabled.12: doc
-      - application/vnd.ms-word.template.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.template.macroenabled.12: doc
-      - application/vnd.ms-excel: doc
-      - application/vnd.ms-excel.addin.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
-      - application/vnd.ms-excel.template.macroenabled.12: doc
-      - application/vnd.ms-excel.sheet.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
-      - application/vnd.openxmlformats-officedocument.presentationml.template: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
-      - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
-      - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
-      - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
-      - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
-      - application/vnd.openxmlformats-officedocument: doc
+    local:
      load:
        - misc/loaded-scripts
        - tuning/defaults
@@ -85,3 +58,33 @@ zeek:
      redef:
        - LogAscii::use_json = T;
        - CaptureLoss::watch_interval = 5 mins;
+    networks:
+      HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+  file_extraction:
+    - application/x-dosexec: exe
+    - application/pdf: pdf
+    - application/msword: doc
+    - application/vnd.ms-powerpoint: doc
+    - application/rtf: doc
+    - application/vnd.ms-word.document.macroenabled.12: doc
+    - application/vnd.ms-word.template.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+    - application/vnd.ms-excel: doc
+    - application/vnd.ms-excel.addin.macroenabled.12: doc
+    - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+    - application/vnd.ms-excel.template.macroenabled.12: doc
+    - application/vnd.ms-excel.sheet.macroenabled.12: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+    - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+    - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+    - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+    - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+    - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+    - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+    - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+    - application/vnd.openxmlformats-officedocument: doc
+  bpf: []
--- a/salt/zeek/files/networks.cfg.jinja
+++ b/salt/zeek/files/networks.cfg.jinja
@@ -1,9 +1,5 @@
-{%- if salt['pillar.get']('sensor:hnsensor') %}
-{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
-{%- else %}
-{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
-{%- endif %}
-{%- set HNLIST = HOME_NET.split(',') %}
-{%- for HN in HNLIST %}
+{%- if NETWORKS.HOME_NET %}
+{%-   for HN in NETWORKS.HOME_NET.split(',') %}
 {{ HN }}
 {%-   endfor %}
+{%- endif %}
--- a/salt/zeek/files/node.cfg.jinja
+++ b/salt/zeek/files/node.cfg.jinja
@@ -13,22 +13,22 @@ host=localhost
 [worker-1]
 type=worker
 host=localhost
-interface=af_packet::{{ ZEEKNODE.interface }}
+interface=af_packet::{{ NODE.interface }}
 lb_method=custom
-  {%- if ZEEKNODE.lbprocs %}
-lb_procs={{ ZEEKNODE.lbprocs }}
+  {%- if NODE.lbprocs %}
+lb_procs={{ NODE.lbprocs }}
    {%- else %}
-lb_procs={{ ZEEKNODE.zeek_pins | length }}
+lb_procs={{ NODE.zeek_pins | length }}
  {%- endif %}
-  {%- if ZEEKNODE.zeek_pins %}
-pin_cpus={{ ZEEKNODE.zeek_pins | join(", ") }}
+  {%- if NODE.zeek_pins %}
+pin_cpus={{ NODE.zeek_pins | join(", ") }}
  {%- endif %}
 af_packet_fanout_id=23
 af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }}
+af_packet_buffer_size={{ NODE.zeek_buffer }}
 {%- else %}
 [zeeksa]
 type=standalone
 host=localhost
-interface={{ ZEEKNODE.interface }}
+interface={{ NODE.interface }}
 {%- endif %}
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -6,15 +6,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}

+{% from 'vars/globals.map.jinja' import GLOBALS with context %}
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED with context %}

-{% set VERSION = salt['pillar.get']('global:soversion') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0  %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface') %}

 # Zeek Salt State

@@ -76,6 +72,8 @@ zeekpolicysync:
    - user: 937
    - group: 939
    - template: jinja
+    - defaults:
+        FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }}

 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
@@ -117,7 +115,7 @@ nodecfg:
    - group: 939
    - template: jinja
    - defaults:
-        ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }}
+        NODE: {{ ZEEKMERGED.zeek.config.node }}

 networkscfg:
  file.managed:
@@ -126,6 +124,8 @@ networkscfg:
    - user: 937
    - group: 939
    - template: jinja
+    - defaults:
+        NETWORKS: {{ ZEEKMERGED.zeek.networks }}

 #zeekcleanscript:
 #  file.managed:
@@ -159,8 +159,8 @@ zeekpacketlosscron:
    - dayweek: '*'

 # BPF compilation and configuration
-{% if BPF_ZEEK %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %}
+{% if ZEEKMERGED.zeek.bpf %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
   {% if BPF_CALC['stderr'] == "" %}
       {% set BPF_STATUS = 1  %}
  {% else  %}
@@ -178,7 +178,7 @@ zeekbpf:
    - user: 940
    - group: 940
 {% if BPF_STATUS %}
-    - contents_pillar: zeek:bpf
+    - contents: {{ ZEEKMERGED.bpf }}
 {% else %}
    - contents:
      - "ip or not ip"
@@ -193,12 +193,12 @@ localzeek:
    - group: 939
    - template: jinja
    - defaults:
-        LOCAL: {{ ZEEK.local | tojson }}
+        LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}

 so-zeek:
  docker_container.{{ ZEEKOPTIONS.status }}:
  {% if ZEEKOPTIONS.status == 'running' %}
-    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
+    - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
    - start: {{ ZEEKOPTIONS.start }}
    - privileged: True
    - ulimits:
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -1,5 +1,3 @@
-{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
-{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
 # Directory to stage Zeek extracted files before processing
 redef FileExtract::prefix = "/nsm/zeek/extracted/";
 # Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
 # These are the mimetypes we want to rip off the networks
 export {
    global _mime_whitelist: table[string] of string = {
-        {%- for li in zeek.policy.file_extraction %}
+        {%- for li in FILE_EXTRACTION %}
          {%- if not loop.last %}
          {%- for k,v in li.items() %}
        ["{{ k }}"] = "{{ v }}",