diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml
index e71f41bf8..2ecf08ffa 100644
--- a/salt/elastalert/files/elastalert_config.yaml
+++ b/salt/elastalert/files/elastalert_config.yaml
@@ -2,7 +2,7 @@ {% set esport = salt['pillar.get']('master:es_port', '') %}
 # This is the folder that contains the rule yaml files
 # Any .yaml file will be loaded as a rule
-rules_folder: /etc/elastalert/rules/
+rules_folder: /opt/elastalert/rules/
 # Sets whether or not ElastAlert should recursively descend
 # the rules directory - true or false
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
index b7593b1d2..dc67119e4 100644
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -15,7 +15,7 @@ timeframe:
 buffer_time:
 minutes: 10
 allow_buffer_time_overlap: true
-query_key: ["rule.signature_id"]
+query_key: ["rule.uuid"]
 realert:
 days: 1
 filter:
@@ -23,13 +23,13 @@ filter:
 query_string:
 query: "event.module: suricata"
-alert: modules.so.thehive.TheHiveAlerter
+alert: hivealerter
 hive_connection:
 hive_host: http://{{hivehost}}
- hive_port: 9000
+ hive_port: 9000/thehive
 hive_apikey: {{hivekey}}
-
+
 hive_proxies:
 http: ''
 https: ''
@@ -40,7 +40,7 @@ hive_alert_config:
 source: 'SecurityOnion'
 description: "`NIDS Dashboard:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
 severity: 2
- tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}']
+ tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
 tlp: 3
 status: 'New'
 follow: True
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 83e7b5655..08cb0836d 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
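Review bot: The new `rules_folder: /opt/elastalert/rules/` only works because the so-elastalert bind in salt/elastalert/init.sls (also changed in this commit) mounts `/opt/so/rules/elastalert` at exactly that container path, and nothing in this file records that coupling. Add a comment above the key: `# Must match the container-side path of the rules bind mount in salt/elastalert/init.sls (so-elastalert)`. Whoever moves either path again without the other will most likely end up with a container that loads no rules and no error pointing at why.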
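Review bot: `hive_port: 9000/thehive` in the hive_connection hunk stores a URL path in a field named port, which reads as a typo and only works if the built-in hivealerter joins hive_host and hive_port textually into the API base URL — I believe it does, but that should be confirmed against the elastalert version shipped in the container. Quote the value so the string intent is explicit and document why the path rides on the port: `hive_port: '9000/thehive'  # hivealerter builds "<hive_host>:<hive_port>" as the API base; TheHive is served under /thehive`. The whitespace-only `-`/`+` pair below hive_apikey is incidental and fine.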
@@ -118,7 +118,7 @@ so-elastalert:
 - user: elastalert
 - detach: True
 - binds:
- - /opt/so/rules/elastalert:/opt/rules/:ro
+ - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
 - /opt/so/log/elastalert:/var/log/elastalert:rw
 - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
 - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
diff --git a/setup/so-functions b/setup/so-functions
index c577e4b7e..288053ffb 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1282,12 +1282,9 @@ set_hostname() {
 set_hostname_iso
- HOSTNAME=$(cat /etc/hostname)
 if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH)$ ]]; then
- if [[ $TESTHOST = *"not found"* ]] || [ -z "$TESTHOST" ] || [[ $TESTHOST = *"connection timed out"* ]]; then
- if ! grep -q "$MSRVIP" /etc/hosts; then
- echo "$MSRVIP $MSRV" >> /etc/hosts
- fi
+ if ! getent hosts "$MSRV"; then
+ echo "$MSRVIP $MSRV" >> /etc/hosts
 fi
 fi
@@ -1297,9 +1294,10 @@ set_hostname_iso() {
 hostnamectl set-hostname --static "$HOSTNAME"
 echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
- echo "::1 $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
+ echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
 echo "$HOSTNAME" > /etc/hostname
+ hostname -F /etc/hostname
 }
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 6de8e6fdd..fe9c4c7b1 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -905,6 +905,8 @@ whiptail_set_hostname() {
 [ -n "$TESTING" ] && return
+ HOSTNAME=$(cat /etc/hostname)
+
 HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
 "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3)
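Review bot: The `/opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro` bind stays in the so-elastalert binds list, while the only rule touched in this commit (nids2hive.yaml) drops `modules.so.thehive.TheHiveAlerter` for the built-in `hivealerter`. If no other rule under the rules folder still references modules.so — I cannot tell from here — that mount and the conf directory behind it become dead weight and should be removed in a follow-up; if something still uses it, a comment on the bind naming that consumer would stop the next person from asking the same question. The so-elastalert state continues beyond the hunk.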
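Review bot: `if ! getent hosts "$MSRV"; then` in set_hostname lets getent print the resolved entry to stdout whenever the name already resolves, so every successful run leaves a stray hosts line in the setup output; write it as `if ! getent hosts "$MSRV" >/dev/null; then`. Removing `HOSTNAME=$(cat /etc/hostname)` here also means set_hostname_iso, called on the line above, now depends on HOSTNAME being set by the caller — the so-whiptail change in this commit sets it, but only after its `$TESTING` early return, so in that path the value presumably comes from bash's own HOSTNAME variable; a one-line comment stating where HOSTNAME is expected to come from would make that dependency visible. set_hostname's closing brace lies outside the hunk.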
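Review bot: `hostname -F /etc/hostname` is added right after `hostnamectl set-hostname --static "$HOSTNAME"` with nothing explaining why both are needed, and the next reader will be tempted to delete one of them. If the intent is a fallback for environments where hostnamectl cannot reach systemd-hostnamed (for example during the ISO install), say so above the line: `# hostnamectl may not apply the name to the running kernel here (no systemd-hostnamed during install); set it directly as well`, adjusted to whatever the actual reason was. It is also worth noting in that comment that the file it reads was written by the `echo "$HOSTNAME" > /etc/hostname` immediately above, so ordering matters. set_hostname_iso's opening line is the hunk's context header, outside the hunk.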