From e9fa84d71b46d8ecc4e127e928118c816f0b0b84 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 17 Jan 2023 09:39:35 -0500 Subject: [PATCH 01/11] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 211306add..94bcb4d36 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.200 +2.3.210 From 127533492f94dc5f5f3a0e4bbc85038f02fd3729 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 26 Jan 2023 16:08:15 -0500 Subject: [PATCH 02/11] Update to Elastic 8.6.1 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 409bc9209..3ac67ed27 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.5.3","id": "8.5.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 0ff519ed2ff1bafd169715076845c0b6677b3c21 Mon Sep 17 00:00:00 2001 
From: Doug Burks Date: Thu, 26 Jan 2023 16:09:13 -0500 Subject: [PATCH 03/11] Update to Elastic 8.6.1 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 292084d2e..942cbe58a 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.6.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From a96825f43e9889c5f91a5ad896cf485bf9c6e4b0 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 30 Jan 2023 09:16:00 -0500 Subject: [PATCH 04/11] Update soup for 2.3.210 --- salt/common/tools/sbin/soup | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 417c0289e..4f5fdc29c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -552,6 +552,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182 [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190 [[ "$INSTALLEDVERSION" == 2.3.190 ]] && up_to_2.3.200 + [[ "$INSTALLEDVERSION" == 2.3.200 ]] && up_to_2.3.210 true } @@ -576,6 +577,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182 [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190 [[ "$POSTVERSION" == 2.3.190 ]] && post_to_2.3.200 + [[ "$POSTVERSION" == 2.3.200 ]] && post_to_2.3.210 true } 
@@ -699,6 +701,11 @@ post_to_2.3.200() {
 POSTVERSION=2.3.200
 }
 
+post_to_2.3.210() {
+ echo "Nothing to do for .210"
+ POSTVERSION=2.3.210
+}
+
 stop_salt_master() {
 # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
 set +e
@@ -1029,6 +1036,11 @@ up_to_2.3.200() {
 INSTALLEDVERSION=2.3.200
 }
 
+up_to_2.3.210() {
+ echo "Upgrading to 2.3.210"
+ INSTALLEDVERSION=2.3.210
+}
+
 verify_upgradespace() {
 CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
 if [ "$CURRENTSPACE" -lt "10" ]; then
From 17bcf50ccb78d6cea88416fc47fd781eaa4d3341 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 30 Jan 2023 15:57:47 -0500
Subject: [PATCH 05/11] update Suricata DHCP parser to set server.address
---
 salt/elasticsearch/files/ingest/suricata.dhcp | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/suricata.dhcp b/salt/elasticsearch/files/ingest/suricata.dhcp
index 9ecc41837..46eb9cde4 100644
--- a/salt/elasticsearch/files/ingest/suricata.dhcp
+++ b/salt/elasticsearch/files/ingest/suricata.dhcp
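Review bot: `up_to_2.3.210` is a no-op migration step that only advances `INSTALLEDVERSION`, yet its message "Upgrading to 2.3.210" reads as if work is being done, while the paired `post_to_2.3.210` says "Nothing to do for .210"; a one-line comment would make the intent explicit and keep the two consistent. The step cannot simply be omitted, because the `preupgrade_changes` chain in the earlier hunk (`[[ "$INSTALLEDVERSION" == 2.3.200 ]] && up_to_2.3.210`) relies on each step bumping the version so the next comparison fires. Suggested comment above the assignment: `# no pre-upgrade migration for .210; still bump INSTALLEDVERSION so the version chain in preupgrade_changes advances`, and the equivalent note on `POSTVERSION` in `post_to_2.3.210`.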
@@ -1,15 +1,17 @@
 {
 "description" : "suricata.dhcp",
 "processors" : [
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
- { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } },
- { "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } },
- { "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } },
- { "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } },
- { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
- { "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } },
+ { "set": { "if": "ctx.dhcp?.type == 'request'", "field": "server.address", "value": "{{destination.ip}}" } },
+ { "set": { "if": "ctx.dhcp?.type == 'reply'", "field": "server.address", "value": "{{source.ip}}" } },
 { "pipeline": { "name": "common" } }
 ]
 }
From d12aa0ed568823b98a03a5a1b52a653d05b4900f Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 31 Jan 2023 07:14:18 -0500
Subject: [PATCH 06/11] Move host.domain table to end of DHCP tables
---
 salt/soc/files/soc/dashboards.queries.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 29b9ccdb1..5712e0242 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
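Review bot: The two new `set` processors render `{{destination.ip}}` / `{{source.ip}}` as an empty string when the referenced field is absent, so `server.address` would be written as `""` on any DHCP event that lacks it; adding `"ignore_empty_value": true` to both makes the processor skip instead, e.g. `{ "set": { "if": "ctx.dhcp?.type == 'request'", "field": "server.address", "value": "{{destination.ip}}", "ignore_empty_value": true } }`. Nothing in this pipeline populates `source.ip` or `destination.ip` before these steps, so the new lines presumably rely on a parent pipeline having set them — worth confirming rather than assuming. Note also that a DHCP request is commonly sent to the broadcast address, in which case `destination.ip` may not be the server at all; a short comment on the request branch stating that limitation would spare the next reader a wrong conclusion from the dashboard.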
@@ -15,7 +15,7 @@ { "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"}, { "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui"}, { "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"}, - { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address"}, + { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain"}, { "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | 
groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"}, { "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"}, { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name"}, From 0c4a27d120ed6208ef455c5d2d9d1b6c77955c2d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Feb 2023 12:33:19 -0500 Subject: [PATCH 07/11] lock python36-mysql-1.3.12-2.el7 version --- salt/common/init.sls | 3 +-- setup/so-functions | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 94a1b4869..49189b8e9 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -110,7 +110,6 @@ commonpkgs: - libssl-dev - python3-dateutil - python3-m2crypto - - python3-mysqldb - python3-packaging - python3-lxml - git @@ -153,7 +152,7 @@ commonpkgs: - python36-docker - python36-dateutil - python36-m2crypto - - python36-mysql + - python36-mysql: 1.3.12-2.el7 - python36-packaging - python36-lxml - yum-utils diff --git a/setup/so-functions b/setup/so-functions index 4b2ec3255..a38a8ce7b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -145,7 +145,7 @@ analyst_salt_local() { securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile @@ -2291,7 +2291,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" From d43346a084ad112d05eb99a5541e72330a9fc54b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Feb 2023 14:11:27 -0500 Subject: [PATCH 08/11] hold python mysql --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 49189b8e9..5ed67ad62 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -152,7 +152,6 @@ commonpkgs: - python36-docker - python36-dateutil - python36-m2crypto - - python36-mysql: 1.3.12-2.el7 - python36-packaging - python36-lxml - yum-utils 
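Review bot: The pinned `python36-mysql-1.3.12-2.el7.x86_64` install is followed on the very next line by `yum -y update --exclude=salt*`, which is free to upgrade python36-mysql to whatever newer build the repo carries, undoing the pin before the Salt-side hold added in the later "hold python mysql" commit is applied at state time. Extending the exclusion, `logCmd "yum -y update --exclude=salt*,python36-mysql*"`, in both the `analyst_salt_local` and `saltify` hunks keeps the pinned version through the installer. The `.x86_64` suffix additionally hard-codes the architecture; unless that is deliberate, `python36-mysql-1.3.12-2.el7` lets yum resolve the arch. Both enclosing functions start and end outside the hunk.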
@@ -169,6 +168,7 @@ heldpackages:
 - docker-ce: 3:20.10.5-3.el7
 - docker-ce-cli: 1:20.10.5-3.el7
 - docker-ce-rootless-extras: 20.10.5-3.el7
+ - python36-mysql: 1.3.12-2.el7
 - hold: True
 - update_holds: True
 {% endif %}
From 2dced35800c8dc0cce5fc27916319b0454f99647 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 1 Feb 2023 14:24:20 -0500
Subject: [PATCH 09/11] Add 'configured_vulns_ext_vars.yar' to exclusion list
---
 salt/strelka/defaults.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index 8df73a212..792431dc6 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -16,3 +16,4 @@ strelka:
 - gen_sign_anomalies.yar
 - gen_susp_xor.yar
 - gen_webshells_ext_vars.yar
+ - configured_vulns_ext_vars.yar
From ac9c10dd3af88042796045a96860531a3d9d4095 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 6 Feb 2023 15:46:27 -0500
Subject: [PATCH 10/11] 2.3.210
---
 VERIFY_ISO.md | 14 +++++++-------
 sigs/securityonion-2.3.210-20230202.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 7 insertions(+), 7 deletions(-)
 create mode 100644 sigs/securityonion-2.3.210-20230202.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index a5498db0a..db9fb6d85 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
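Review bot: The `python36-mysql: 1.3.12-2.el7` pin now lives here and in the two `yum -y install` lines of setup/so-functions with no note on why this exact build is frozen, so the next person touching the docker-ce pins in this list has no signal that the two locations must move together. A comment on the new line would carry that, e.g. `- python36-mysql: 1.3.12-2.el7  # pinned deliberately; keep in sync with setup/so-functions`, with the actual reason for the pin filled in by the author since it is not visible in this patch. Note also that this hold only takes effect when the state is applied, i.e. after the installer's `yum -y update` has already run, so it does not protect the initial install on its own.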
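Review bot: Adding `configured_vulns_ext_vars.yar` to this list silently drops whatever detections that rule file provides, and the list carries no comment on the exclusion criterion; the `_ext_vars` suffix shared with `gen_webshells_ext_vars.yar` suggests rules that depend on YARA external variables the scanner does not define, but that is an inference from names only. A comment above the list such as `# rules excluded because they need YARA external variables (*_ext_vars) or otherwise fail to load in the strelka scanner -- confirm the reason before adding more` would make future exclusions justified rather than accumulated. The enclosing `strelka:` mapping starts outside the hunk.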
@@ -1,18 +1,18 @@ -### 2.3.200-20230113 ISO image built on 2023/01/13 +### 2.3.210-20230202 ISO image built on 2023/02/02 ### Download and Verify -2.3.200-20230113 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso +2.3.210-20230202 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.210-20230202.iso MD5: 70291FFE925E2751559589E749B12164 SHA1: EFD3C7BA6F4EF6774F4F18ECD667A13F7FDF5CFF SHA256: 7794C1325F9B72856FC2A47691F7E0292CA28976711A18F550163E3B58E7A401 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.210-20230202.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -26,17 +26,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.210-20230202.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.210-20230202.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.200-20230113.iso.sig securityonion-2.3.200-20230113.iso +gpg --verify securityonion-2.3.210-20230202.iso.sig securityonion-2.3.210-20230202.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: 
diff --git a/sigs/securityonion-2.3.210-20230202.iso.sig b/sigs/securityonion-2.3.210-20230202.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..5e9fd4c09e51c2801bbf818df102203fd12f0855 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;H-W99$~2@re`V7LBIa1&b35CDb{1GfUJyvs&DSXJfl z#j}qW#B*;% zx)Q8*0w|nN7xX)T+8)f-HY1?Y8ht^($3~%qaGP)EW=D!`iIozdNXk)(Xige=T&uGo z6>Fg3b{6+i@K|M3jKPwZD?3pMu7G~vSb)=`Duzpy4HNsA@G3jix#L?@l;y5a-SeFL zK%B>bSQd%wI?sxT##=(}4D`q3N(^L*nW8vxMk-{qxr!3m7M2%|d3%I|9E|$=I!AYK zTzbnZ*SNe%z$1DqH#^S=-o8B~)2<0&1V hz>bBZYQQ-;0)G|Ju36Y8`(Q{VrH9P5f>6?u*94jY|JMKj literal 0 HcmV?d00001 From 5d0a3ef205fc4ce47befd3499899121218086b1a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Feb 2023 16:32:45 -0500 Subject: [PATCH 11/11] 2.3.210 --- VERIFY_ISO.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index db9fb6d85..0cdeb52be 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -7,9 +7,9 @@ 2.3.210-20230202 ISO image: https://download.securityonion.net/file/securityonion/securityonion-2.3.210-20230202.iso -MD5: 70291FFE925E2751559589E749B12164 -SHA1: EFD3C7BA6F4EF6774F4F18ECD667A13F7FDF5CFF -SHA256: 7794C1325F9B72856FC2A47691F7E0292CA28976711A18F550163E3B58E7A401 +MD5: ED38C36DBE40509FC5E87D82B07141C0 +SHA1: EDEBDBE75FF34DAD87E141CA8F8614295ED23FB5 +SHA256: 30068D4B910E83B63287EAB98E49497A584BAE07854367716813E5D610D3E5E3 Signature for ISO image: https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.210-20230202.iso.sig 
@@ -41,7 +41,7 @@ gpg --verify securityonion-2.3.210-20230202.iso.sig securityonion-2.3.210-202302 The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Fri 13 Jan 2023 11:11:11 AM EST using RSA key ID FE507013 +gpg: Signature made Thu 02 Feb 2023 08:31:18 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.