From ebd7531772580005e9ad21a3c2c167f2d1908433 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 25 Jul 2019 16:10:27 -0400 Subject: [PATCH 1/9] Update README.md --- README.md | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 944c1f91f..5183bd12e 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,8 @@ ### Changes: -- Alpha is here!! Check out the [[Hybrid Hunter Quick Start Guide|Hybrid-Hunter-Quick-Start-Guide]]. -- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). Pivoting is done via Kibana. See details [[here|Pulling-PCAP]]. +- Alpha is here!! Check out the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide). +- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). [Pivoting is done via Kibana](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Pulling-PCAP). - Bond interface setup now uses `nmcli` for better compatibility in the network based setup script. - Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions. - Authentication is now enabled by default for all the web based components. There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components. 
@@ -17,7 +17,7 @@ ### Warnings and Disclaimers -- This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED! +- This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED! - If this breaks your system, you get to keep both pieces! - This script is a work in progress and is in constant flux. - This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final - release. @@ -72,19 +72,6 @@ sudo bash so-setup-network.sh ``` This is an active development repo so many things can and will be broken. -### Allow Access to Kibana -Once Setup is complete and services have initialized, you can then allow access to Kibana as follows. - -For a single host: -``` -sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.1 -``` -For a network range: -``` -sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.0/24 -``` -Then connect to your master via https://YOURMASTER - ### FAQ See the [FAQ](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ) on the Hybrid Hunter wiki. From d530c01a1bee58054f9efe38bbf1dfe01d45e509 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 25 Jul 2019 16:11:29 -0400 Subject: [PATCH 2/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5183bd12e..a1eadf498 100644 --- a/README.md +++ b/README.md 
@@ -3,7 +3,7 @@ ### Changes: - Alpha is here!! Check out the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide). -- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). [Pivoting is done via Kibana](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Pulling-PCAP). +- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). You can [pivot directly from Kibana to Sensoroni via the _id field](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Pulling-PCAP). - Bond interface setup now uses `nmcli` for better compatibility in the network based setup script. - Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions. - Authentication is now enabled by default for all the web based components. There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components. From ef695c78718461d04b0895c5b6e0fec623ac129f Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 25 Jul 2019 16:13:43 -0400 Subject: [PATCH 3/9] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index a1eadf498..d383e6c5d 100644 --- a/README.md +++ b/README.md 
@@ -20,11 +20,10 @@ - This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED! - If this breaks your system, you get to keep both pieces! - This script is a work in progress and is in constant flux. -- This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final - release. +- This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final release. - Do NOT run this on a system that you care about! - Do NOT run this on a system that has data that you care about! - This script should only be run on a TEST box with TEST data! -- This script is only designed for standalone boxes and does NOT support distributed deployments. - Use of this script may result in nausea, vomiting, or a burning sensation. ### Requirements From 432b0eef0a82bf0be8077def2c4e7cb627fa0178 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Jul 2019 09:36:23 -0400 Subject: [PATCH 4/9] Update README.md --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index d383e6c5d..e5ef6bb84 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,15 @@ sudo hostnamectl set-hostname YOURHOSTNAME sudo reboot ``` +If you are running CentOS 7 or Ubuntu 16.04 and don't have hame resolution ensure you hosts file looks like this: + +``` +127.0.0.1 hybridhunter hybridhunter.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +``` +It is imperative that hostname.localdomain is included in this hosts entry for the install to complete properly. + + ### Installation Once you resolve those requirements or are using Ubuntu 16.04 do the following: 
From 534d1947bfc5b174779b52773226c0774354a7e1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Jul 2019 09:38:15 -0400 Subject: [PATCH 5/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e5ef6bb84..fa31681d9 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ sudo hostnamectl set-hostname YOURHOSTNAME sudo reboot ``` -If you are running CentOS 7 or Ubuntu 16.04 and don't have hame resolution ensure you hosts file looks like this: +If you are running CentOS 7 or Ubuntu 16.04 and don't have name resolution ensure you hosts file looks like this: ``` 127.0.0.1 hybridhunter hybridhunter.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4 From bf8bd25efc1733db2ed054500a1ca66685bdfae7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Jul 2019 09:40:15 -0400 Subject: [PATCH 6/9] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fa31681d9..7b579eac8 100644 --- a/README.md +++ b/README.md @@ -55,10 +55,10 @@ sudo reboot If you are running CentOS 7 or Ubuntu 16.04 and don't have name resolution ensure you hosts file looks like this: ``` -127.0.0.1 hybridhunter hybridhunter.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4 +127.0.0.1 YOURHOSTNAME YOURHOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 ``` -It is imperative that hostname.localdomain is included in this hosts entry for the install to complete properly. +It is imperative that YOURHOSTNAME.localdomain is included in this hosts entry for the install to complete properly. ### Installation From 1a3eacb444c20c40ecf447f9d55cf3f0ccba3375 Mon Sep 17 00:00:00 2001 
From: Doug Burks Date: Fri, 26 Jul 2019 10:59:01 -0400 Subject: [PATCH 7/9] Update README.md --- README.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 7b579eac8..583667298 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ sudo hostnamectl set-hostname YOURHOSTNAME sudo reboot ``` -If you are running CentOS 7 or Ubuntu 16.04 and don't have name resolution ensure you hosts file looks like this: +If you are running CentOS 7 or Ubuntu 16.04 and don't have name resolution ensure your `/etc/hosts` file looks like this: ``` 127.0.0.1 YOURHOSTNAME YOURHOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4 @@ -72,13 +72,7 @@ sudo bash so-setup-network.sh ``` Follow the prompts and reboot if asked to do so. -Want to try the bleeding edge? You can install the following: -``` -git clone https://github.com/TOoSmOotH/securityonion-saltstack -cd securityonion-saltstack -sudo bash so-setup-network.sh -``` -This is an active development repo so many things can and will be broken. +Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide). ### FAQ See the [FAQ](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ) on the Hybrid Hunter wiki. From 76b5624e0324d53f870a7775ce995b5a4d61aeb7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 27 Sep 2019 14:34:59 -0400 Subject: [PATCH 8/9] Update README.md --- README.md | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 583667298..38abd44c4 100644 --- a/README.md +++ b/README.md 
@@ -1,19 +1,20 @@ -## Hybrid Hunter Alpha 1.1.0 +## Hybrid Hunter Alpha 1.1.1 ### Changes: -- Alpha is here!! Check out the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide). -- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). You can [pivot directly from Kibana to Sensoroni via the _id field](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Pulling-PCAP). -- Bond interface setup now uses `nmcli` for better compatibility in the network based setup script. -- Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions. -- Authentication is now enabled by default for all the web based components. There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components. -- Add users to the web interface via `so-user-add` and follow the prompts. -- `so-allow` now exists to make your life easier. -- Bro 2.6.2. -- All Docker images were updated to reflect Alpha status. -- Disabled DEBUG logging on a lot of components to reduce space usage. -- Added a rule update cron job so the master pulls new rules down every day at 7AM UTC. -- You can now manually run a rule update using the `so-rule-update` command. +- Alpha 2 is here!! Check out the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide). +- Suricata 4.1.5 +- Bro/Zeek 2.6.4 +- Fixed an issue where the filbeat docker was logging to stdout instead of the actual log file causing the docker to get extremely large. 
+- Now using elastic ingest for zeek logs and suricata alerts. This reduces the memory footprint of logstash dramatically! +- Several changes to the setup script to improve installation success: + - Setup now modifes your hosts file so that the install works better in environments without DNS. + - You are now prompted for setting a password for the socore user. + - The install now forces a reboot at the end of the install. This fixes an issue with some of the docker containers being in the wrong state from a manual reboot. Manual reboots are fine after the initial reboot. +- Updated The Hive to 3.4.0 and the ES instance to 6.8.3. +- NIDS and HIDS dashboard updates. +- Added new Playbook and Navigator features. + ### Warnings and Disclaimers From ca8c4a6b936612297eece9a25d94453df9e25e73 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 27 Sep 2019 14:56:35 -0400 Subject: [PATCH 9/9] Update README.md --- README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 38abd44c4..fbf64b35e 100644 --- a/README.md +++ b/README.md 
@@ -5,15 +5,17 @@ - Alpha 2 is here!! Check out the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide). - Suricata 4.1.5 - Bro/Zeek 2.6.4 -- Fixed an issue where the filbeat docker was logging to stdout instead of the actual log file causing the docker to get extremely large. -- Now using elastic ingest for zeek logs and suricata alerts. This reduces the memory footprint of logstash dramatically! -- Several changes to the setup script to improve installation success: - - Setup now modifes your hosts file so that the install works better in environments without DNS. - - You are now prompted for setting a password for the socore user. - - The install now forces a reboot at the end of the install. This fixes an issue with some of the docker containers being in the wrong state from a manual reboot. Manual reboots are fine after the initial reboot. -- Updated The Hive to 3.4.0 and the ES instance to 6.8.3. -- NIDS and HIDS dashboard updates. -- Added new Playbook and Navigator features. +- TheHive 3.4.0 (ES to 6.8.3) +- NIDS and HIDS dashboard updates +- Playbook and ATT&CK Navigator features are now included. +- Filebeat now logs to a file, instead of stdout. +- Elastalert has been updated to use Python 3 and allow for use of custom alerters. +- Elasticsearch Ingest is now used to consume Zeek logs and Suricata alerts (instead of the traditional Logstash pipeline). + This reduces the memory footprint of Logstash dramatically! +- Several changes to the setup script have been made to improve stability of the setup process: + - Setup now modifies your hosts file so that the install works better in environments without DNS + - You are now prompted for setting a password for the socore user + - The install now forces a reboot at the end of the install. This fixes an issue with some of the Docker containers being in the wrong state from a manual reboot. 
Manual reboots are fine after the initial reboot. ### Warnings and Disclaimers
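Review bot: The retained Filebeat context line in PATCH 1/9 (first hunk, `@@ -2,8 +2,8 @@`) is ambiguous about which port existing senders must move to: it says HH components now use 5644 so that 5044 stays free for your own Beats, then tells readers who "already have this set up" to change to port 5044. Since this is the line that also recommends full SSL for the Beats listener, it should state plainly which side changes (HH-internal shippers to 5644, external Beats stay on 5044, or whatever is intended) so nobody ends up pointing an unsecured shipper at the wrong listener.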
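Review bot: Deleting the whole "Allow Access to Kibana" section in PATCH 1/9 (second hunk, `@@ -72,19 +72,6 @@`) leaves the README without any step for opening analyst access after setup, including the removed `Then connect to your master via https://YOURMASTER` line, so a reader who follows the Installation section has no way to know that the web interface is firewalled off by default. Keep at least a one-line pointer to wherever the `addfirewall.sh analyst <host-or-cidr>` procedure now lives (the wiki or a replacement command) rather than dropping the topic entirely.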
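Review bot: Removing `- This script is only designed for standalone boxes and does NOT support distributed deployments.` in PATCH 3/9 silently implies distributed deployments are now supported, but nothing else in the series documents how to set one up. Either keep the warning or add a corresponding note in the Installation section saying what deployment types the setup script handles.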
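Review bot: The hosts entry added in PATCH 4/9 hardcodes `hybridhunter hybridhunter.localdomain` while the context line two lines above is `sudo hostnamectl set-hostname YOURHOSTNAME`, so the example only works for users who happened to pick that hostname; the sentence should use the same `YOURHOSTNAME` placeholder as the hostnamectl command. Same hunk: "hame resolution" and "ensure you hosts file" are typos, and the file should be named explicitly as `/etc/hosts` so readers do not edit the wrong file.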
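Review bot: Dropping the "bleeding edge" block in PATCH 7/9 (second hunk, `@@ -72,13 +72,7 @@`) is the right call: the README was telling users to `git clone https://github.com/TOoSmOotH/securityonion-saltstack` and then run `sudo bash so-setup-network.sh` as root from a personal fork rather than from the Security-Onion-Solutions repository the rest of the README links to. If a development branch is still meant to be offered to testers, point to a branch in the official repository instead of reinstating a fork URL.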
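Review bot: In PATCH 8/9 the heading changes to `## Hybrid Hunter Alpha 1.1.1` while the first bullet says "Alpha 2 is here!!", so the version label and the announcement disagree; pick one naming scheme. The same hunk deletes the entire 1.1.0 change list, including the only mentions of `so-user-add`, `so-allow`, `so-rule-update` and the daily 7AM UTC rule-update cron, so the README loses the record of those commands; move the old entries under a previous-version subsection instead of removing them. Typos in the added lines: "filbeat" and "modifes".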
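Review bot: The rewritten list in PATCH 9/9 drops the reason behind the Filebeat change ("causing the docker to get extremely large"), which is the detail an operator needs to know why their disk filled up on 1.1.0; suggest `- Filebeat now logs to a file instead of stdout, which previously caused the container to grow very large.` Also `- TheHive 3.4.0 (ES to 6.8.3)` reads as if ES is part of TheHive; state "Elasticsearch updated to 6.8.3" as its own item, and make the bullets consistent about trailing periods (some end with one, most do not).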