Merge pull request #9730 from Security-Onion-Solutions/dev

2.3.210
2025-12-06 01:02:46 +01:00 · 2023-02-07 08:58:36 -05:00
parent cd8cf4a1ac 2ff284fc7f
commit db27c22158
11 changed files with 42 additions and 28 deletions
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.3.200-20230113 ISO image built on 2023/01/13
+### 2.3.210-20230202 ISO image built on 2023/02/02



 ### Download and Verify

-2.3.200-20230113 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso
+2.3.210-20230202 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.210-20230202.iso

-MD5: 70291FFE925E2751559589E749B12164  
-SHA1: EFD3C7BA6F4EF6774F4F18ECD667A13F7FDF5CFF  
-SHA256: 7794C1325F9B72856FC2A47691F7E0292CA28976711A18F550163E3B58E7A401 
+MD5: ED38C36DBE40509FC5E87D82B07141C0  
+SHA1: EDEBDBE75FF34DAD87E141CA8F8614295ED23FB5  
+SHA256: 30068D4B910E83B63287EAB98E49497A584BAE07854367716813E5D610D3E5E3 

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.210-20230202.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.210-20230202.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.210-20230202.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.200-20230113.iso.sig securityonion-2.3.200-20230113.iso
+gpg --verify securityonion-2.3.210-20230202.iso.sig securityonion-2.3.210-20230202.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 13 Jan 2023 11:11:11 AM EST using RSA key ID FE507013
+gpg: Signature made Thu 02 Feb 2023 08:31:18 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/2
+++ b/2
@@ -1 +1 @@
-2.3.200
+2.3.210
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -110,7 +110,6 @@ commonpkgs:
      - libssl-dev
      - python3-dateutil
      - python3-m2crypto
-      - python3-mysqldb
      - python3-packaging
      - python3-lxml
      - git
@@ -153,7 +152,6 @@ commonpkgs:
      - python36-docker
      - python36-dateutil
      - python36-m2crypto
-      - python36-mysql
      - python36-packaging
      - python36-lxml
      - yum-utils
@@ -170,6 +168,7 @@ heldpackages:
      - docker-ce: 3:20.10.5-3.el7
      - docker-ce-cli: 1:20.10.5-3.el7
      - docker-ce-rootless-extras: 20.10.5-3.el7
+      - python36-mysql: 1.3.12-2.el7
    - hold: True
    - update_holds: True
 {% endif %}
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -552,6 +552,7 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182
    [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
    [[ "$INSTALLEDVERSION" == 2.3.190 ]] && up_to_2.3.200
+    [[ "$INSTALLEDVERSION" == 2.3.200 ]] && up_to_2.3.210
    true
 }

@@ -576,6 +577,7 @@ postupgrade_changes() {
    [[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182
    [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
    [[ "$POSTVERSION" == 2.3.190 ]] && post_to_2.3.200
+    [[ "$POSTVERSION" == 2.3.200 ]] && post_to_2.3.210

    true
 }
@@ -699,6 +701,11 @@ post_to_2.3.200() {
  POSTVERSION=2.3.200
 }

+post_to_2.3.210() {
+  echo "Nothing to do for .210"
+  POSTVERSION=2.3.210
+}
+
 stop_salt_master() {
    # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
    set +e
@@ -1029,6 +1036,11 @@ up_to_2.3.200() {
  INSTALLEDVERSION=2.3.200
 }

+up_to_2.3.210() {
+  echo "Upgrading to 2.3.210"
+  INSTALLEDVERSION=2.3.210
+}
+
 verify_upgradespace() {
  CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
  if [ "$CURRENTSPACE" -lt "10" ]; then
--- a/salt/elasticsearch/files/ingest/suricata.dhcp
+++ b/salt/elasticsearch/files/ingest/suricata.dhcp
@@ -1,15 +1,17 @@
 {
  "description" : "suricata.dhcp",
  "processors" : [
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 	"target_field": "network.protocol",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.assigned_ip",	"target_field": "dhcp.assigned_ip",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.client_ip", 	"target_field": "client.address",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.client_mac", 	"target_field": "host.mac",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 	"target_field": "dhcp.message_types",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.hostname", 	"target_field": "host.hostname",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.type", 	"target_field": "dhcp.type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.app_proto",	"target_field": "network.protocol",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.assigned_ip",	"target_field": "dhcp.assigned_ip",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.client_ip", 	"target_field": "client.address",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.client_mac", 	"target_field": "host.mac",		"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 	"target_field": "dhcp.message_types",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.hostname", 	"target_field": "host.hostname",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.type",	"target_field": "dhcp.type",		"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true		} },
+    { "set":		{ "if": "ctx.dhcp?.type == 'request'",	"field": "server.address",		"value": "{{destination.ip}}"	} },
+    { "set":		{ "if": "ctx.dhcp?.type == 'reply'",	"field": "server.address",		"value": "{{source.ip}}"	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -59,7 +59,7 @@ update() {

    IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
    for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.6.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
      echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
    done
 
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.5.3","id": "8.5.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -15,7 +15,7 @@
            { "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
            { "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui"},
            { "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
-            { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address"},
+            { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain"},
            { "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
            { "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
            { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name"},
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -16,3 +16,4 @@ strelka:
    - gen_sign_anomalies.yar
    - gen_susp_xor.yar
    - gen_webshells_ext_vars.yar
+    - configured_vulns_ext_vars.yar
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -145,7 +145,7 @@ analyst_salt_local() {
 	securityonion_repo
 	gpg_rpm_import
 	# Install salt
-	logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
+	logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
 	logCmd "yum -y update --exclude=salt*"

 	salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile
@@ -2291,7 +2291,7 @@ saltify() {
 		fi
 		set_progress_str 8 'Installing salt-minion & python modules'
 			if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then
-				logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
+				logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
 				logCmd "yum -y update --exclude=salt*"
 			fi
 		logCmd "systemctl enable salt-minion"
--- a/sigs/securityonion-2.3.210-20230202.iso.sig
+++ b/sigs/securityonion-2.3.210-20230202.iso.sig
@@ -1 +1 @@
 .3.200
 .3.210