From 36827543992de5f52876d74398b8e5f7d5206e1c Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 18 Apr 2022 11:29:46 -0400
Subject: [PATCH 01/12] remove old comments from so-whiptail
---
 setup/so-whiptail | 2 --
 1 file changed, 2 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 289752667..07e5b096b 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -932,8 +932,6 @@ whiptail_install_type_other() {
 [ -n "$TESTING" ] && return
- # so-analyst-install will only work with a working network connection
- # so only show it on network installs for now
 install_type=$(whiptail --title "$whiptail_title" --radiolist \
 "Choose node type:" 9 65 2 \
 "ANALYST" "Setup will run 'so-setup analyst' " ON \
From 5d62ece03bd6cea10e62ee70e2f75970e87b5d65 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 18 Apr 2022 16:33:54 -0400
Subject: [PATCH 02/12] Slight change to IDH verbiage in so-whiptail
---
 setup/so-whiptail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 07e5b096b..2c60b7e3e 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -784,7 +784,7 @@ whiptail_homenet_sensor() {
 [ -n "$TESTING" ] && return
 idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
- "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces / IPs on this system.\n\nYou can choose below whether or not to prevent IDH services from being published on this system's management IP." 20 75 5 \
+ "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
 "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
From 807f6adf1ebb1c2f4274a9404e799c4fae471d1c Mon Sep 17 00:00:00 2001 
From: m0duspwnens
Date: Tue, 19 Apr 2022 09:19:09 -0400
Subject: [PATCH 03/12] add securityonion-strelka-oneshot and securityonion-strelka-fileshot to workstation
---
 salt/workstation/packages.sls | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/salt/workstation/packages.sls b/salt/workstation/packages.sls
index 6f31bcceb..59b24ec2a 100644
--- a/salt/workstation/packages.sls
+++ b/salt/workstation/packages.sls
@@ -26,7 +26,6 @@ workstation_packages:
 - mono-basic
 - mono-winforms
 - expect
- - securityonion-networkminer
 - wireshark-gnome
 - dsniff
 - hping3
@@ -37,17 +36,20 @@ workstation_packages:
 - tcpdump
 - tcpflow
 - whois
- - securityonion-foremost
 - chromium
- - securityonion-tcpstat
- - securityonion-tcptrace
 - libevent
 - sslsplit
- - securityonion-bittwist
 - perl-IO-Compress
 - perl-Net-DNS
+ - securityonion-networkminer
 - securityonion-chaosreader
 - securityonion-analyst-extras
+ - securityonion-bittwist
+ - securityonion-tcpstat
+ - securityonion-tcptrace
+ - securityonion-foremost
+ - securityonion-strelka-oneshot
+ - securityonion-strelka-fileshot
 {% else %}
From 15ef0968d9ff28b4b0c7c33141afbb0cdf4ee1fe Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 20 Apr 2022 14:01:46 -0400
Subject: [PATCH 04/12] FIX: Improve Zeek file extraction #7829
---
 .../securityonion/file-extraction/extract.zeek | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index e5b7db864..8cdaf42dd 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek 
@@ -38,12 +38,12 @@ event file_state_remove(f: fa_file)
 if ( !f$info?$extracted || FileExtract::prefix == "" ) { return; }
- # Check some conditions so we know the file is intact:
- # Check for MD5
- # Check for total_bytes
- # Check for missing bytes
- # Check if timed out
- if ( !f$info?$md5 || !f?$total_bytes || f$missing_bytes > 0 || f$info$timedout) {
+ # Check if any of the following conditions exist:
+ # - missing MD5
+ # - total_bytes exists (some protocols aren't populating this field) but is 0
+ # - missing bytes
+ # - timed out
+ if ( !f$info?$md5 || (f?$total_bytes && f$total_bytes == 0) || f$missing_bytes > 0 || f$info$timedout) {
 # Delete the file if it didn't pass our requirements check.
 local nuke = fmt("rm %s/%s", FileExtract::prefix, f$info$extracted);
From c3952e94c80592777e89d5cad2bbf2e8f1db02fc Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 20 Apr 2022 14:36:38 -0400
Subject: [PATCH 05/12] Remove setup from auto starting if you choose to not enter the grid
---
 setup/so-setup | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/setup/so-setup b/setup/so-setup
index 8bf893d8c..e06b5ded9 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -102,6 +102,9 @@ if [[ $is_analyst ]]; then
 if ! whiptail_analyst_install; then
 if [[ $is_analyst_iso ]]; then
 if whiptail_analyst_nongrid_iso; then
+ # Remove setup from auto launching
+ parse_install_username
+ sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
 echo "Enabling graphical interface and setting it to load at boot"
 systemctl set-default graphical.target
 startx
From 8fc03afdc05f813beaaa6f42fadece9eb579c22d Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 20 Apr 2022 16:47:18 -0400
Subject: [PATCH 06/12] so-sensor-clean pgrep should be more strict to avoid matching multiples on Ubuntu
---
 salt/common/tools/sbin/so-sensor-clean | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
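Review bot: The new condition no longer rejects a file whose `total_bytes` field is absent, so for protocols that never populate it the only completeness signal left is `missing_bytes > 0`, which (if I read Zeek's file analysis right) counts gaps Zeek observed rather than a transfer that simply ended early; such files are now extracted and kept, and the old comment's claim that the checks prove the file is intact no longer holds. That trade-off is only hinted at by the parenthetical in the new comment, so I would spell it out, e.g. `# - total_bytes exists (some protocols aren't populating this field) but is 0; files without total_bytes are kept, so their completeness is not verified here`. Since this test decides whether an extracted artifact stays on disk for downstream analysis, the comment is worth being precise about. The body of `file_state_remove` continues beyond the hunk.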
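Review bot: The added `sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile` deletes whatever the last line of the file happens to be, with no check that it is the auto-launch entry setup wrote earlier; if the file was edited in between, or the entry is not last, an unrelated line is lost and the launcher stays in place. Matching the specific line is safer, e.g. `sed -i '/<AUTOLAUNCH_LINE_PATTERN>/d' "/home/$INSTALLUSERNAME/.bash_profile" >> "$setup_log" 2>&1` (pattern taken from wherever the entry is written), and the path should be quoted since `$INSTALLUSERNAME` is expanded unquoted. `parse_install_username` presumably sets that variable; if it fails and leaves it empty the path becomes `/home//.bash_profile` and sed's error only lands in the log, so a guard such as `[ -n "$INSTALLUSERNAME" ] || return` before the sed is cheap insurance. The enclosing `if` blocks start and end outside the hunk.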
diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean
index 22a0ae22b..624ff8106 100755
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -115,7 +115,7 @@ clean() {
 }
 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-sensor-clean")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-sensor-clean")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
From 1edb443c5d19747df446358f4de1fa092150a82d Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 20 Apr 2022 16:48:26 -0400
Subject: [PATCH 07/12] so-playbook-sync pgrep should be more strict to avoid multiple matches on Ubuntu
---
 salt/common/tools/sbin/so-playbook-sync | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index 91560aa0c..c2d20766e 100755
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -18,7 +18,7 @@
 . /usr/sbin/so-common
 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-playbook-sync")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-playbook-sync")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING Playbook sync processes running...exiting." && exit 0
 docker exec so-soctopus python3 playbook_play-sync.py
From feb7eeeb8ecb7b1349014aca9acfcd6a4fe180f0 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 21 Apr 2022 08:47:40 -0400
Subject: [PATCH 08/12] UPGRADE: Elastic 7.17.3 #7807
---
 salt/kibana/files/config_saved_objects.ndjson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 38e592586..87e5ead90 100644
--- a/salt/kibana/files/config_saved_objects.ndjson 
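Review bot: The tightened `pgrep -cf "/bin/bash /usr/sbin/so-sensor-clean"` is still a heuristic lock, and the tightening cuts the other way too: whenever the script is started any other way (a relative path, `bash so-sensor-clean`, a different interpreter path on another distribution) the count is 0, the `-gt 1` guard passes, and two instances can run the cleanup concurrently; `pgrep -f` is also a substring match, so any longer command line containing that string is counted as well. The same applies to the so-playbook-sync hunk in PATCH 07/12. A real lock avoids both failure modes, e.g. `exec 9>/var/lock/so-sensor-clean.lock` followed by `flock -n 9 || { echo "$(date) - so-sensor-clean already running...exiting." >>$LOG; exit 0; }` (lock path is a constructed example). If the pgrep approach is kept, anchoring the pattern (`pgrep -cf '^/bin/bash /usr/sbin/so-sensor-clean$'`) at least removes the substring matches.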
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.2","id": "7.17.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.3","id": "7.17.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
From 04856540dcffbe3f04092562ff5ab69db7cffacd Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 21 Apr 2022 08:54:09 -0400
Subject: [PATCH 09/12] UPGRADE: Elastic 7.17.3 #7807
---
 salt/kibana/files/config_saved_objects.ndjson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 87e5ead90..0267ec4fb 100644
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.3","id": "7.17.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.3","id": "7.17.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
From e608285341d02a5e0b40314338e64dd104dbe137 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 21 Apr 2022 08:57:08 -0400
Subject: [PATCH 10/12] UPGRADE: Elastic 7.17.3 #7807
---
 salt/kibana/bin/so-kibana-config-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load
index 248d6ebaf..b21858369 100644
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load 
@@ -59,7 +59,7 @@ update() {
 IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
 for i in "${LINES[@]}"; do
- RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+ RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
 echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
 done
From 542db5b7f5d4ace5187852871c0fbf3806d51c6e Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 21 Apr 2022 17:24:24 -0400
Subject: [PATCH 11/12] Update defaults.yaml
---
 salt/elasticsearch/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index f2bb90792..03fc3facf 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -4067,7 +4067,7 @@ elasticsearch:
 field: "@timestamp"
 order: desc
 refresh_interval: 30s
- number_of_shards: 1
+ number_of_shards: 2
 number_of_replicas: 0
 composed_of:
 - agent-mappings
From c81988ab006417a88cf6bba97e14308638d7b4f3 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 21 Apr 2022 17:26:30 -0400
Subject: [PATCH 12/12] Update shard count for Zeek in setup
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 9ed528419..61c3985e3 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1915,7 +1915,7 @@ manager_global() {
 " template:"\
 " settings:"\
 " index:"\
- " number_of_shards: 1"\
+ " number_of_shards: 2"\
 " warm: 7"\
 " close: 45"\
 " delete: 365"\
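Review bot: `number_of_shards: 2` is now hard-coded in two places that have to agree — this salt default and the pillar text that `manager_global` writes in setup/so-functions (PATCH 12/12) — and neither site nor either commit message records why the count was raised, so the next person tuning shards has nothing to go on and no pointer to the mirror setting. I would add a comment at both sites, e.g. `# keep in sync with the number_of_shards written by manager_global in setup/so-functions` here and the equivalent in so-functions, and state the reason for choosing 2 in it. From the hunk alone I cannot tell which index template this block belongs to; the PATCH 12 subject suggests Zeek, so the comment should name the template explicitly rather than rely on the reader inferring it.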