Merge branch 'dev' into kilo

2026-02-21 22:45:27 +01:00 · 2022-04-22 15:11:24 -04:00
parent 459d388614 677db7c563
commit d8fdf2b701
10 changed files with 23 additions and 20 deletions
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -18,7 +18,7 @@
 . /usr/sbin/so-common

 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-playbook-sync")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-playbook-sync")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING Playbook sync processes running...exiting." && exit 0

 docker exec so-soctopus python3 playbook_play-sync.py
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -115,7 +115,7 @@ clean() {
 }

 # Check to see if we are already running
-NUM_RUNNING=$(pgrep -cf "so-sensor-clean")
+NUM_RUNNING=$(pgrep -cf "/bin/bash /usr/sbin/so-sensor-clean")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0

 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -4067,7 +4067,7 @@ elasticsearch:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
-              number_of_shards: 1
+              number_of_shards: 2
              number_of_replicas: 0
        composed_of: 
          - agent-mappings
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -59,7 +59,7 @@ update() {

    IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
    for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
      echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
    done
 
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.2","id": "7.17.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.3","id": "7.17.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
--- a/salt/workstation/packages.sls
+++ b/salt/workstation/packages.sls
@@ -26,7 +26,6 @@ workstation_packages:
      - mono-basic
      - mono-winforms
      - expect
-      - securityonion-networkminer
      - wireshark-gnome
      - dsniff
      - hping3
@@ -37,17 +36,20 @@ workstation_packages:
      - tcpdump
      - tcpflow
      - whois
-      - securityonion-foremost
      - chromium
-      - securityonion-tcpstat
-      - securityonion-tcptrace
      - libevent
      - sslsplit
-      - securityonion-bittwist
      - perl-IO-Compress 
      - perl-Net-DNS
+      - securityonion-networkminer
      - securityonion-chaosreader
      - securityonion-analyst-extras
+      - securityonion-bittwist
+      - securityonion-tcpstat
+      - securityonion-tcptrace
+      - securityonion-foremost
+      - securityonion-strelka-oneshot
+      - securityonion-strelka-fileshot

 {% else %}

--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -38,12 +38,12 @@ event file_state_remove(f: fa_file)
        if ( !f$info?$extracted || FileExtract::prefix == "" ) {
                return;
        }
-        # Check some conditions so we know the file is intact:
-        # Check for MD5
-        # Check for total_bytes
-        # Check for missing bytes
-        # Check if timed out
-        if ( !f$info?$md5 || !f?$total_bytes || f$missing_bytes > 0 || f$info$timedout) {
+        # Check if any of the following conditions exist:
+        # - missing MD5
+        # - total_bytes exists (some protocols aren't populating this field) but is 0
+        # - missing bytes
+        # - timed out
+        if ( !f$info?$md5 || (f?$total_bytes && f$total_bytes == 0) || f$missing_bytes > 0 || f$info$timedout) {
          # Delete the file if it didn't pass our requirements check.

          local nuke = fmt("rm %s/%s", FileExtract::prefix, f$info$extracted);