From 9a7e2153eedec1fbeb61df3db918ba5b7e7baa39 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 26 Feb 2024 11:01:53 -0500
Subject: [PATCH 1/4] add classification.config
---
 salt/suricata/classification/classification.config | 2 ++
 salt/suricata/config.sls | 7 +++++++
 salt/suricata/enabled.sls | 1 +
 salt/suricata/soc_suricata.yaml | 7 +++++++
 4 files changed, 17 insertions(+)
 create mode 100644 salt/suricata/classification/classification.config
diff --git a/salt/suricata/classification/classification.config b/salt/suricata/classification/classification.config
new file mode 100644
index 000000000..69918fed7
--- /dev/null
+++ b/salt/suricata/classification/classification.config
@@ -0,0 +1,2 @@
+# configuration classification: shortname,description,priority
+# configuration classification: misc-activity,Misc activity,3
diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls
index 3ec1324bf..00364f384 100644
--- a/salt/suricata/config.sls
+++ b/salt/suricata/config.sls
@@ -129,6 +129,13 @@ surithresholding:
 - group: 940
 - template: jinja
+suriclassifications:
+ file.managed:
+ - name: /opt/so/conf/suricata/classification.config
+ - source: salt://suricata/classification/classification.config
+ - user: 940
+ - group: 940
+
 # BPF compilation and configuration
 {% if SURICATABPF %}
 {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index ce309e41a..f96472ae2 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
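Review bot: The new `suriclassifications` state pins `user`/`group` 940 but no `mode`, so the host copy at /opt/so/conf/suricata/classification.config gets whatever permissions Salt's default (umask-derived for a newly created file) produces; the neighbouring `surithresholding` state is cut off by the hunk, so I cannot see whether the sibling states pin one. Since this file decides the priority Suricata attaches to every alert, I would add `- mode: 644` (or whatever the threshold/config states use) so it is not writable beyond the intended account on the host even though the container mounts it read-only. Unlike the state above, there is no `- template: jinja`; that looks deliberate because the source is a plain config file, but a comment such as `# plain file, not a jinja template: served as-is from salt://suricata/classification/` would save the next reader the question.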
@@ -27,6 +27,7 @@ so-suricata:
 - binds:
 - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
 - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
+ - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
 - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
 - /opt/so/log/suricata/:/var/log/suricata/:rw
 - /nsm/suricata/:/nsm/:rw
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 30f277c0a..4fd720ef1 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -11,6 +11,13 @@ suricata:
 multiline: True
 title: SIDS
 helpLink: suricata.html
+ classification:
+ classification__config:
+ description: Classifications config file.
+ file: True
+ global: True
+ multiline: True
+ helpLink: suricata.html
 config:
 af-packet:
 interface:
From 466dac30bbf0f7b6d3d2d065ea8eed3639541ac8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 26 Feb 2024 12:15:17 -0500
Subject: [PATCH 2/4] soup for classifications
---
 salt/manager/tools/sbin/soup | 15 +++++++++++++++
 salt/suricata/soc_suricata.yaml | 1 +
 2 files changed, 16 insertions(+)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 90ec636ef..752ae6e21 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -356,6 +356,7 @@ preupgrade_changes() {
 [[ "$INSTALLEDVERSION" == 2.4.20 ]] && up_to_2.4.30
 [[ "$INSTALLEDVERSION" == 2.4.30 ]] && up_to_2.4.40
 [[ "$INSTALLEDVERSION" == 2.4.40 ]] && up_to_2.4.50
+ [[ "$INSTALLEDVERSION" == 2.4.50 ]] && up_to_2.4.60
 true
 }
@@ -371,6 +372,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30
 [[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40
 [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50
+ [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60
 true
 }
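Review bot: The new bind mounts the file at /etc/suricata/classification.config inside the container, but nothing in this series touches suricata.yaml, so the mount only takes effect if the rendered suricata.yaml (mounted read-only on the line above) has `classification-file: /etc/suricata/classification.config`, which is Suricata's stock default, rather than another path. That is worth confirming against the template before merging, and a comment on the new bind such as `# path must match classification-file in suricata.yaml` would tie the two together for the next reader. The `so-suricata` state starts before and continues after this hunk.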
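Review bot: `description: Classifications config file.` tells the SOC operator nothing about the expected format or the blast radius of an edit, even though `file: True` and `global: True` presumably expose the whole file for editing across the grid. I would expand it to `description: Contents of Suricata's classification.config, one 'config classification: shortname,description,priority' line per classtype. Edits apply to every sensor and a malformed line will, as far as I can tell, only surface as a rule-load error.` so the format is visible before anything is saved. The enclosing `suricata:` mapping starts and ends outside the hunk.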
@@ -427,6 +429,11 @@ post_to_2.4.50() {
 POSTVERSION=2.4.50
 }
+post_to_2.4.60() {
+ echo "Nothing to apply"
+ POSTVERSION=2.4.60
+}
+
 repo_sync() {
 echo "Sync the local repo."
 su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -556,6 +563,14 @@ up_to_2.4.50() {
 INSTALLEDVERSION=2.4.50
 }
+up_to_2.4.60() {
+ echo "Creating directory to store Suricata classification.config"
+ mkdir -vp /opt/so/saltstack/local/salt/suricata/classification
+ chown socore:socore /opt/so/saltstack/local/salt/suricata/classification
+
+ INSTALLEDVERSION=2.4.60
+}
+
 determine_elastic_agent_upgrade() {
 if [[ $is_airgap -eq 0 ]]; then
 update_elastic_agent_airgap
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 4fd720ef1..b54a44cbc 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -17,6 +17,7 @@ suricata:
 file: True
 global: True
 multiline: True
+ title: Classifications
 helpLink: suricata.html
 config:
 af-packet:
From 8b7f7933bdfa4e67aa7e3a84dd1c3d03340935c7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 26 Feb 2024 15:29:13 -0500
Subject: [PATCH 3/4] suricata container watch classification.config
---
 salt/suricata/classification/classification.config | 4 ++--
 salt/suricata/enabled.sls | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/classification/classification.config b/salt/suricata/classification/classification.config
index 69918fed7..e597eb5a1 100644
--- a/salt/suricata/classification/classification.config
+++ b/salt/suricata/classification/classification.config
@@ -1,2 +1,2 @@
-# configuration classification: shortname,description,priority
-# configuration classification: misc-activity,Misc activity,3
+# config classification: shortname,description,priority
+# config classification: misc-activity,Misc activity,3
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index f96472ae2..94b95ff5d 100644
--- a/salt/suricata/enabled.sls
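Review bot: `up_to_2.4.60` runs `mkdir -vp` and `chown` unchecked, whereas `repo_sync` in the same file guards its command with `|| fail "..."`; a failure here would leave the upgrade marker at 2.4.60 with no directory for SOC to write the classification file into. `mkdir -p` also creates any missing parent (`/opt/so/saltstack/local/salt/suricata`) root-owned, and the `chown` only touches the leaf, so either confirm the parent is guaranteed to exist at this point or chown it too. I would write `mkdir -vp /opt/so/saltstack/local/salt/suricata/classification || fail "Unable to create Suricata classification directory."` and `chown socore:socore /opt/so/saltstack/local/salt/suricata/classification || fail "Unable to chown Suricata classification directory."`, and consider an explicit mode since whatever lands in this directory is presumably served to every sensor via salt://.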
+++ b/salt/suricata/enabled.sls
@@ -50,10 +50,12 @@ so-suricata:
 - file: surithresholding
 - file: /opt/so/conf/suricata/rules/
 - file: /opt/so/conf/suricata/bpf
+ - file: suriclassifications
 - require:
 - file: suriconfig
 - file: surithresholding
 - file: suribpf
+ - file: suriclassifications
 delete_so-suricata_so-status.disabled:
 file.uncomment:
From fcc0f9d14f50019dcad5ffc02035173fe50c6bbe Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 27 Feb 2024 13:20:58 -0500
Subject: [PATCH 4/4] redo classifications
---
 .../classification/classification.config | 53 ++++++++++++++++++-
 1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/classification/classification.config b/salt/suricata/classification/classification.config
index e597eb5a1..220736c94 100644
--- a/salt/suricata/classification/classification.config
+++ b/salt/suricata/classification/classification.config
@@ -1,2 +1,51 @@
-# config classification: shortname,description,priority
-# config classification: misc-activity,Misc activity,3
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: inappropriate-content,Inappropriate Content was Detected,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
+
+# Update
+config classification: targeted-activity,Targeted Malicious Activity was Detected,1
+config classification: exploit-kit,Exploit Kit Activity Detected,1
+config classification: external-ip-check,Device Retrieving External IP Address Detected,2
+config classification: domain-c2,Domain Observed Used for C2 Detected,1
+config classification: pup-activity,Possibly Unwanted Program Detected,2
+config classification: credential-theft,Successful Credential Theft Detected,1
+config classification: social-engineering,Possible Social Engineering Attempted,2
+config classification: coin-mining,Crypto Currency Mining Activity Detected,2
+config classification: command-and-control,Malware Command and Control Activity Detected,1
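Review bot: Two entries, `bad-unknown,Potentially Bad Traffic, 2` and `trojan-activity,A Network Trojan was detected, 1`, carry a space before the priority while every other line in the file does not; Suricata's stock classification.config ships the same spacing and, as far as I know, its parser tolerates it, but normalising them to `,2` and `,1` removes any doubt and keeps the file consistent for anyone grepping or diffing it. The header also explains only the column order, not what the numbers mean or that the list must cover every classtype the enabled rulesets reference, which matters now that operators can edit it from SOC. I would add a line under the format comment such as `# priority: 1 = most severe, 4 = least. Check the loaded rulesets before removing a classtype; confirm for the Suricata version in use how a rule whose classtype is not listed here is handled.`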