Merge branch 'issue/668' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into issue/668

2025-12-06 17:22:49 +01:00 · 2020-05-13 17:22:34 -04:00
parent f3ff8dc18c 5e2a1b9346
commit d82c6c34ed
5 changed files with 13 additions and 13 deletions
--- a/salt/elastalert/files/elastalert_config.yaml
+++ b/salt/elastalert/files/elastalert_config.yaml
@@ -2,7 +2,7 @@
 {% set esport = salt['pillar.get']('master:es_port', '') %}
 # This is the folder that contains the rule yaml files
 # Any .yaml file will be loaded as a rule
-rules_folder: /etc/elastalert/rules/
+rules_folder: /opt/elastalert/rules/

 # Sets whether or not ElastAlert should recursively descend
 # the rules directory - true or false
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -15,7 +15,7 @@ timeframe:
 buffer_time:
    minutes: 10
 allow_buffer_time_overlap: true
-query_key: ["rule.signature_id"]
+query_key: ["rule.uuid"]
 realert:
    days: 1
 filter:
@@ -23,11 +23,11 @@ filter:
   query_string:
      query: "event.module: suricata"

-alert: modules.so.thehive.TheHiveAlerter
+alert: hivealerter

 hive_connection:
  hive_host: http://{{hivehost}}
-  hive_port: 9000
+  hive_port: 9000/thehive
  hive_apikey: {{hivekey}}
  
 hive_proxies:
@@ -40,7 +40,7 @@ hive_alert_config:
  source: 'SecurityOnion'
  description: "`NIDS Dashboard:` \n\n <https://{{es}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
  severity: 2
-  tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}']
+  tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
  tlp: 3
  status: 'New'
  follow: True
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -118,7 +118,7 @@ so-elastalert:
    - user: elastalert
    - detach: True
    - binds:
-      - /opt/so/rules/elastalert:/opt/rules/:ro
+      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
      - /opt/so/log/elastalert:/var/log/elastalert:rw
      - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1282,12 +1282,9 @@ set_hostname() {

 	set_hostname_iso

-	HOSTNAME=$(cat /etc/hostname)
 	if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH)$ ]]; then
-		if [[ $TESTHOST = *"not found"* ]] || [ -z "$TESTHOST" ] || [[ $TESTHOST = *"connection timed out"* ]]; then
-			if ! grep -q "$MSRVIP" /etc/hosts; then
-				echo "$MSRVIP   $MSRV" >> /etc/hosts
-			fi
+		if ! getent hosts "$MSRV"; then
+			echo "$MSRVIP   $MSRV" >> /etc/hosts
 		fi
 	fi

@@ -1297,9 +1294,10 @@ set_hostname_iso() {

 	hostnamectl set-hostname --static "$HOSTNAME"
 	echo "127.0.0.1   $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
-	echo "::1   $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
+	echo "::1   $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
 	echo "$HOSTNAME" > /etc/hostname

+	hostname -F /etc/hostname

 }

--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -905,6 +905,8 @@ whiptail_set_hostname() {

 	[ -n "$TESTING" ] && return

+	HOSTNAME=$(cat /etc/hostname)
+
 	HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3)