diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index 91560aa0c..c2d20766e 100755
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -18,7 +18,7 @@
 . /usr/sbin/so-common
 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-playbook-sync")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-playbook-sync")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING Playbook sync processes running...exiting." && exit 0
 docker exec so-soctopus python3 playbook_play-sync.py
diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean
index 22a0ae22b..624ff8106 100755
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -115,7 +115,7 @@ clean() {
 }
 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-sensor-clean")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-sensor-clean")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index f2bb90792..03fc3facf 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -4067,7 +4067,7 @@ elasticsearch:
 field: "@timestamp"
 order: desc
 refresh_interval: 30s
- number_of_shards: 1
+ number_of_shards: 2
 number_of_replicas: 0
 composed_of:
 - agent-mappings
diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load
index 248d6ebaf..b21858369 100644
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
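Review bot: The narrowed pattern on the `NUM_RUNNING` line only matches an instance started through the shebang with the absolute path, so a copy launched as `bash so-playbook-sync` or `./so-playbook-sync` is not counted and the single-instance guard no longer fires; the so-sensor-clean hunk has the same issue. Counting command lines is also racy: two instances started together each see a count above 1 and both exit, and a check-then-run gap remains in the normal case. A kernel-held lock avoids both problems and needs no pattern at all, e.g. `exec 9>/var/lock/so-playbook-sync.lock` followed by `flock -n 9 || { echo "$(date) - Playbook sync already running...exiting."; exit 0; }` (lock path is an example). If the absolute-path pattern is kept, a comment such as `# pattern must match exactly how cron/systemd invokes this script` would warn the next reader.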
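Review bot: The `number_of_shards: 2` default set here is duplicated verbatim in the `manager_global()` heredoc in setup/so-functions, and this commit has to bump both by hand with nothing tying them together. A comment beside the value, e.g. `# keep in sync with manager_global() in setup/so-functions`, would make the coupling visible until a single pillar-sourced value replaces the two copies. With `number_of_replicas: 0` kept on the next line, doubling the primary shard count adds parallelism but no redundancy, which is presumably the intent but worth stating in the commit message.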
@@ -59,7 +59,7 @@ update() {
 IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
 for i in "${LINES[@]}"; do
- RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+ RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
 echo $RESPONSE;
 if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
 done
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 38e592586..0267ec4fb 100644
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.2","id": "7.17.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.3","id": "7.17.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
diff --git a/salt/workstation/packages.sls b/salt/workstation/packages.sls
index 6f31bcceb..59b24ec2a 100644
--- a/salt/workstation/packages.sls
+++ b/salt/workstation/packages.sls
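Review bot: The Kibana version hard-coded in the saved-object URL on the `RESPONSE=` line has to agree with the `id` and `coreMigrationVersion` fields in config_saved_objects.ndjson, so every Kibana upgrade means editing both files in lockstep (this commit bumps both to 7.17.3); if they drift, the PUT targets a different object id and the update fails. Since the script is already rendered as a Jinja template (`{{ ELASTICCURL }}`), the version could be supplied from the same source rather than typed twice. Until then a comment above the loop, `# the saved-object id in the URL must match the "id" field in config_saved_objects.ndjson`, would document the coupling. The `update()` function starts outside the hunk.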
@@ -26,7 +26,6 @@ workstation_packages:
 - mono-basic
 - mono-winforms
 - expect
- - securityonion-networkminer
 - wireshark-gnome
 - dsniff
 - hping3
@@ -37,17 +36,20 @@ workstation_packages:
 - tcpdump
 - tcpflow
 - whois
- - securityonion-foremost
 - chromium
- - securityonion-tcpstat
- - securityonion-tcptrace
 - libevent
 - sslsplit
- - securityonion-bittwist
 - perl-IO-Compress
 - perl-Net-DNS
+ - securityonion-networkminer
 - securityonion-chaosreader
 - securityonion-analyst-extras
+ - securityonion-bittwist
+ - securityonion-tcpstat
+ - securityonion-tcptrace
+ - securityonion-foremost
+ - securityonion-strelka-oneshot
+ - securityonion-strelka-fileshot
 {% else %}
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index e5b7db864..8cdaf42dd 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -38,12 +38,12 @@ event file_state_remove(f: fa_file)
 if ( !f$info?$extracted || FileExtract::prefix == "" ) { return; }
- # Check some conditions so we know the file is intact:
- # Check for MD5
- # Check for total_bytes
- # Check for missing bytes
- # Check if timed out
- if ( !f$info?$md5 || !f?$total_bytes || f$missing_bytes > 0 || f$info$timedout) {
+ # Check if any of the following conditions exist:
+ # - missing MD5
+ # - total_bytes exists (some protocols aren't populating this field) but is 0
+ # - missing bytes
+ # - timed out
+ if ( !f$info?$md5 || (f?$total_bytes && f$total_bytes == 0) || f$missing_bytes > 0 || f$info$timedout) {
 # Delete the file if it didn't pass our requirements check.
 local nuke = fmt("rm %s/%s", FileExtract::prefix, f$info$extracted);
diff --git a/setup/so-functions b/setup/so-functions
index 9ed528419..61c3985e3 100755
--- a/setup/so-functions
+++ b/setup/so-functions
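Review bot: The two genuinely new entries, `securityonion-strelka-oneshot` and `securityonion-strelka-fileshot`, are hard to spot because the same hunk also moves five existing securityonion-* packages from their old positions to the end of the list; splitting the reorder from the addition, or keeping the block sorted so moves never happen, would keep future diffs readable. The list ends at `{% else %}` and that branch is outside the hunk; if it carries a parallel package list for another base OS, check whether the two Strelka packages belong there as well.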
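Review bot: The new clause in the `if` rejects a file only when its declared size is exactly 0, so a file with no declared size at all is now accepted as intact, and neither the old nor the new condition catches a transfer that declares a size but ends short, since `f$missing_bytes > 0` counts gaps rather than a missing tail (unless `timedout` already covers that in practice). If the `fa_file` record in this Zeek version carries `seen_bytes`, comparing it against the declared size handles both the zero and the truncated case: `(f?$total_bytes && f$seen_bytes < f$total_bytes)`. The comment line `# - total_bytes exists ... but is 0` should also say explicitly that an absent total_bytes is now treated as intact, because that is the behaviour change a later reader will need to understand. The `file_state_remove` handler continues outside the hunk.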
@@ -1915,7 +1915,7 @@ manager_global() {
 " template:"\
 " settings:"\
 " index:"\
- " number_of_shards: 1"\
+ " number_of_shards: 2"\
 " warm: 7"\
 " close: 45"\
 " delete: 365"\
diff --git a/setup/so-setup b/setup/so-setup
index 8bf893d8c..e06b5ded9 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -102,6 +102,9 @@ if [[ $is_analyst ]]; then
 if ! whiptail_analyst_install; then
 if [[ $is_analyst_iso ]]; then
 if whiptail_analyst_nongrid_iso; then
+ # Remove setup from auto launching
+ parse_install_username
+ sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
 echo "Enabling graphical interface and setting it to load at boot"
 systemctl set-default graphical.target
 startx
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 289752667..2c60b7e3e 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -784,7 +784,7 @@ whiptail_homenet_sensor() {
 [ -n "$TESTING" ] && return
 idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
- "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces / IPs on this system.\n\nYou can choose below whether or not to prevent IDH services from being published on this system's management IP." 20 75 5 \
+ "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
 "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
@@ -932,8 +932,6 @@ whiptail_install_type_other() {
 [ -n "$TESTING" ] && return
- # so-analyst-install will only work with a working network connection
- # so only show it on network installs for now
 install_type=$(whiptail --title "$whiptail_title" --radiolist \
 "Choose node type:" 9 65 2 \
 "ANALYST" "Setup will run 'so-setup analyst' " ON \
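Review bot: The added `sed -i '$ d'` deletes whatever the last line of the user's .bash_profile happens to be, not the line that launches setup, so if the file was edited or the launch line is not last it removes an unrelated line and leaves the auto-launch in place; matching by content, `sed -i '/<setup launch command>/d'` (placeholder for the actual launch line), is safer. The path is also built from unquoted `$INSTALLUSERNAME`; if `parse_install_username` leaves it empty the command targets `/home//.bash_profile` and the failure only lands in the log, so guard it: `[[ -n "$INSTALLUSERNAME" ]] && sed -i '...' "/home/$INSTALLUSERNAME/.bash_profile"`. The home directory under /home is assumed rather than looked up, which is presumably fine for the installer-created user but worth a comment. The enclosing `if` chain starts and ends outside the hunk.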