Merge pull request #1031 from Security-Onion-Solutions/quickfix/bro2zeeklogs

change reference from bro to zeek
2025-12-06 17:22:49 +01:00 · 2020-07-17 14:53:47 -04:00
parent 74f6f2abee 7176fdf7a1
commit d3529686cc
15 changed files with 60 additions and 60 deletions
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -5,7 +5,7 @@
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
-{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 eval:
@@ -63,7 +63,7 @@ heavy_node:
    - so-suricata
    - so-wazuh
    - so-filebeat
-    {% if BROVER != 'SURICATA' %}
+    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
 helix:
@@ -186,7 +186,7 @@ sensor:
    - so-telegraf
    - so-steno
    - so-suricata
-    {% if BROVER != 'SURICATA' %}
+    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
    - so-wazuh
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -15,7 +15,7 @@ base:
  '*_sensor':
    - static
-    - brologs
+    - zeeklogs
    - healthcheck.sensor
    - minions.{{ grains.id }}
@@ -32,7 +32,7 @@ base:
  '*_eval':
    - data.*
-    - brologs
+    - zeeklogs
    - secrets
    - healthcheck.eval
    - elasticsearch.eval
@@ -45,7 +45,7 @@ base:
    - logstash.search
    - elasticsearch.search
    - data.*
-    - brologs
+    - zeeklogs
    - secrets
    - healthcheck.standalone
    - static
@@ -57,13 +57,13 @@ base:
  '*_heavynode':
    - static
-    - brologs
+    - zeeklogs
    - minions.{{ grains.id }}
  '*_helix':
    - static
    - fireeye
-    - brologs
+    - zeeklogs
    - logstash
    - logstash.helix
    - minions.{{ grains.id }}
--- a/pillar/zeeklogs.sls
+++ b/pillar/zeeklogs.sls
@@ -1,4 +1,4 @@
-brologs:
+zeeklogs:
  enabled:
    - conn
    - dce_rpc
--- a/salt/common/maps/so-status.map.jinja
+++ b/salt/common/maps/so-status.map.jinja
@@ -33,7 +33,7 @@
 {% endif %}
 {% if role in ['heavynode', 'standalone'] %}
-  {{ append_containers('static', 'broversion', 'SURICATA') }}
+  {{ append_containers('static', 'zeekversion', 'SURICATA') }}
 {% endif %}
 {% if role == 'searchnode' %}
@@ -41,5 +41,5 @@
 {% endif %}
 {% if role == 'sensor' %}
-  {{ append_containers('static', 'broversion', 'SURICATA') }}
+  {{ append_containers('static', 'zeekversion', 'SURICATA') }}
 {% endif %}
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -1,17 +1,17 @@
 #!/bin/bash
 local_salt_dir=/opt/so/saltstack/local
-bro_logs_enabled() {
+zeek_logs_enabled() {
-  echo "brologs:" > $local_salt_dir/pillar/brologs.sls
+  echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
-  echo "  enabled:" >> $local_salt_dir/pillar/brologs.sls
+  echo "  enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
  for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
  done
 }
-whiptail_manager_adv_service_brologs() {
+whiptail_manager_adv_service_zeeklogs() {
  BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
  "conn" "Connection Logging" ON \
@@ -54,5 +54,5 @@ whiptail_manager_adv_service_brologs() {
  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
 }
-whiptail_manager_adv_service_brologs
+whiptail_manager_adv_service_zeeklogs
-bro_logs_enabled
+zeek_logs_enabled
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -6,7 +6,7 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
-{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %}
 {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %}
 {%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%}
@@ -100,8 +100,8 @@ filebeat.inputs:
  - drop_fields:
      fields: ["source", "prospector", "input", "offset", "beat"]
  fields_under_root: true
-  {%- if BROVER != 'SURICATA' %}
+  {%- if ZEEKVER != 'SURICATA' %}
-    {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
+    {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
 - type: log
  paths:
    - /nsm/zeek/logs/current/{{ LOGNAME }}.log
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -14,7 +14,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set BROVER = salt['pillar.get']('static:broversion', '') %}
+{% set ZEEKVER = salt['pillar.get']('static:zeekversion', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
--- a/salt/suricata/suricata_config.map.jinja
+++ b/salt/suricata/suricata_config.map.jinja
@@ -44,7 +44,7 @@ HOME_NET: "[{{salt['pillar.get']('static:hnmanager', '')}}]"
 {% endfor %}
 {% set surimeta_evelog_index = surimeta_evelog_index[0] %}
-{% if salt['pillar.get']('static:broversion', 'ZEEK') == 'SURICATA' %}
+{% if salt['pillar.get']('static:zeekversion', 'ZEEK') == 'SURICATA' %}
  {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
 {% endif %}
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -1,4 +1,4 @@
-{%- set BROVER = salt['pillar.get']('static:broversion', '') -%}
+{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', '') -%}
 {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%}
@@ -48,7 +48,7 @@ base:
    - pcap
    - suricata
    - healthcheck
-    {%- if BROVER != 'SURICATA' %}
+    {%- if ZEEKVER != 'SURICATA' %}
    - zeek
    {%- endif %}
    - wazuh
@@ -86,7 +86,7 @@ base:
    - kibana
    - pcap
    - suricata
-    {%- if BROVER != 'SURICATA' %}
+    {%- if ZEEKVER != 'SURICATA' %}
    - zeek
    {%- endif %}
    {%- if STRELKA %}
@@ -188,7 +188,7 @@ base:
    - kibana
    - pcap
    - suricata
-    {%- if BROVER != 'SURICATA' %}
+    {%- if ZEEKVER != 'SURICATA' %}
    - zeek
    {%- endif %}
    {%- if STRELKA %}
@@ -347,7 +347,7 @@ base:
    {%- endif %}
    - pcap
    - suricata
-    {%- if BROVER != 'SURICATA' %}
+    {%- if ZEEKVER != 'SURICATA' %}
    - zeek
    {%- endif %}
    - filebeat
--- a/salt/zeek/files/node.cfg
+++ b/salt/zeek/files/node.cfg
@@ -38,7 +38,7 @@ af_packet_fanout_id=23
 af_packet_fanout_mode=AF_Packet::FANOUT_HASH
 af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
 {%- else %}
-[brosa]
+[zeeksa]
 type=standalone
 host=localhost
 interface={{ interface }}
--- a/setup/automation/pm_standalone_defaults
+++ b/setup/automation/pm_standalone_defaults
@@ -23,11 +23,11 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICBRO=7
+BASICZEEK=7
 BASICSURI=7
 # BLOGS=
 BNICS=eth1
-BROVERSION=ZEEK
+ZEEKVERSION=ZEEK
 # CURCLOSEDAYS=
 # EVALADVANCED=BASIC
 GRAFANA=1
--- a/setup/so-common-functions
+++ b/setup/so-common-functions
@@ -32,9 +32,9 @@ filter_unused_nics() {
 calculate_useable_cores() {
 	# Calculate reasonable core usage
-	local cores_for_bro=$(( (num_cpu_cores/2) - 1 ))
+	local cores_for_zeek=$(( (num_cpu_cores/2) - 1 ))
 	local lb_procs_round
-	lb_procs_round=$(printf "%.0f\n" $cores_for_bro)
+	lb_procs_round=$(printf "%.0f\n" $cores_for_zeek)
 	if [ "$lb_procs_round" -lt 1 ]; then lb_procs=1; else lb_procs=$lb_procs_round; fi
    export lb_procs
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -143,18 +143,18 @@ secrets_pillar(){
 }
 # Enable Bro Logs
-bro_logs_enabled() {
+zeek_logs_enabled() {
 	echo "Enabling Bro Logs" >> "$setup_log" 2>&1
-	local brologs_pillar=./pillar/brologs.sls
+	local zeeklogs_pillar=./pillar/zeeklogs.sls
 	printf '%s\n'\
-		"brologs:"\
+		"zeeklogs:"\
-		"  enabled:" > "$brologs_pillar"
+		"  enabled:" > "$zeeklogs_pillar"
 	if [ "$MANAGERADV" = 'ADVANCED' ]; then
 		for BLOG in "${BLOGS[@]}"; do
-			echo "    - $BLOG" | tr -d '"' >> "$brologs_pillar"
+			echo "    - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
 		done
 	else
 		printf '%s\n'\
@@ -195,11 +195,11 @@ bro_logs_enabled() {
 			"    - weird"\
 			"    - mysql"\
 			"    - socks"\
-			"    - x509" >> "$brologs_pillar"
+			"    - x509" >> "$zeeklogs_pillar"
 	fi
 	printf '%s\n'  '----' >> "$setup_log" 2>&1
-	cat "$brologs_pillar" >> "$setup_log" 2>&1
+	cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
 }
 check_admin_pass() {
@@ -1002,7 +1002,7 @@ manager_static() {
 		"  hnmanager: $HNMANAGER"\
 		"  ntpserver: $NTPSERVER"\
 		"  proxy: $PROXY"\
-		"  broversion: $BROVERSION"\
+		"  zeekversion: $ZEEKVERSION"\
 		"  ids: $NIDS"\
 		"  managerip: $MAINIP"\
 		"  hiveuser: $WEBUSER"\
@@ -1470,7 +1470,7 @@ sensor_pillar() {
 	if [ "$NSMSETUP" = 'ADVANCED' ]; then
 		echo "  zeek_pins:" >> "$pillar_file"
-		for PIN in "${BROPINS[@]}"; do
+		for PIN in "${ZEEKPINS[@]}"; do
 			PIN=$(echo "$PIN" |  cut -d\" -f2)
 		echo "    - $PIN" >> "$pillar_file"
 		done
@@ -1483,11 +1483,11 @@ sensor_pillar() {
 		echo "  zeek_lbprocs: $lb_procs" >> "$pillar_file"
 		echo "  suriprocs: $lb_procs" >> "$pillar_file"
 	else
-		echo "  zeek_lbprocs: $BASICBRO" >> "$pillar_file"
+		echo "  zeek_lbprocs: $BASICZEEK" >> "$pillar_file"
 		echo "  suriprocs: $BASICSURI" >> "$pillar_file"
 	fi
 	printf '%s\n'\
-		"  brobpf:"\
+		"  zeekbpf:"\
 		"  pcapbpf:"\
 		"  nidsbpf:"\
 		"  manager: $MSRV"\
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -230,7 +230,7 @@ if [[ $is_manager && $is_node ]]; then
 	LSINPUTTHREADS=1
 	LSINPUTBATCHCOUNT=125
 	NIDS=Suricata
-	BROVERSION=ZEEK
+	ZEEKVERSION=ZEEK
 fi
 if [[ $is_node ]]; then
@@ -253,7 +253,7 @@ fi
 if [[ $is_manager && ! $is_eval ]]; then
 	whiptail_manager_adv
-	whiptail_bro_version
+	whiptail_zeek_version
 	whiptail_nids
 	whiptail_rule_setup
@@ -261,8 +261,8 @@ if [[ $is_manager && ! $is_eval ]]; then
 		whiptail_oinkcode
 	fi
-	if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$BROVERSION" != 'SURICATA' ]; then
+	if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$ZEEKVERSION" != 'SURICATA' ]; then
-		whiptail_manager_adv_service_brologs
+		whiptail_manager_adv_service_zeeklogs
 	fi
 fi
@@ -295,11 +295,11 @@ if [[ $is_sensor && ! $is_eval ]]; then
 	whiptail_homenet_sensor
 	whiptail_sensor_config
 	if [ $NSMSETUP == 'ADVANCED' ]; then
-		whiptail_bro_pins
+		whiptail_zeek_pins
 		whiptail_suricata_pins
 		whiptail_bond_nics_mtu
 	else
-		whiptail_basic_bro
+		whiptail_basic_zeek
 		whiptail_basic_suri
 	fi
 fi
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -19,11 +19,11 @@ source ./so-variables
 source ./so-common-functions
-whiptail_basic_bro() {
+whiptail_basic_zeek() {
 	[ -n "$TESTING" ] && return
-	BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \
+	BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter the number of zeek processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
@@ -42,7 +42,7 @@ whiptail_basic_suri() {
 }
-whiptail_bro_pins() {
+whiptail_zeek_pins() {
 	[ -n "$TESTING" ] && return
@@ -51,20 +51,20 @@ whiptail_bro_pins() {
 		cpu_core_list_whiptail+=("$item" "OFF")
 	done
-	BROPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
+	ZEEKPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
-	BROPINS=$(echo "$BROPINS" | tr -d '"')
+	ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"')
-	IFS=' ' read -ra BROPINS <<< "$BROPINS"
+	IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS"
 }
-whiptail_bro_version() {
+whiptail_zeek_version() {
 	[ -n "$TESTING" ] && return
-	BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)"  ON \
+	ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)"  ON \
 	"SURICATA" "Use Suricata 5" OFF 3>&1 1>&2 2>&3)
 	local exitstatus=$?
@@ -642,7 +642,7 @@ whiptail_manager_adv() {
 }
 # Ask which additional components to install
-whiptail_manager_adv_service_brologs() {
+whiptail_manager_adv_service_zeeklogs() {
 	[ -n "$TESTING" ] && return
@@ -1122,7 +1122,7 @@ whiptail_suricata_pins() {
 	[ -n "$TESTING" ] && return
 	local filtered_core_list
-	readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${BROPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')"
+	readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${ZEEKPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')"
 	local filtered_core_str=()
    for item in "${filtered_core_list[@]}"; do