Merge branch '2.4/dev' into feature/pfsense_suricata

This commit is contained in:
weslambert
2024-03-25 10:08:03 -04:00
committed by GitHub
8 changed files with 274 additions and 13 deletions


@@ -122,6 +122,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating" # Elasticsearch MS -> HN "sensor" temporarily unavailable EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating" # Elasticsearch MS -> HN "sensor" temporarily unavailable
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error" # Docker registry container when new node comes onlines EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error" # Docker registry container when new node comes onlines
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in
fi fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
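Review bot: The new `process already finished` alternative appended to EXCLUDED_ERRORS is an unanchored substring like the entries above it, so it suppresses every log line containing that phrase, not only the Telegraf auto-kill case the trailing comment describes. If those Telegraf lines carry a recognisable prefix, narrowing the pattern to it, or at least naming the exact log line in the comment (e.g. `# Telegraf "<observed line>" when the auto kill timeout fires`, placeholder), would keep the exclusion from hiding an unrelated failure. The enclosing `if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]` block begins before this hunk.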


@@ -227,6 +227,113 @@ elasticsearch:
sort: sort:
field: '@timestamp' field: '@timestamp'
order: desc order: desc
so-logs-soc:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
index_patterns:
- logs-soc-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-soc-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
warm: 7
so-common: so-common:
close: 30 close: 30
delete: 365 delete: 365
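Review bot: In the new `so-logs-soc` policy the `warm` phase and the `cold` phase both carry `min_age: 30d`, so an index enters cold at the same moment it becomes eligible for warm and the warm `set_priority: 50` step is effectively never observed; the sibling `warm: 7` key at the top of the entry suggests `7d` was intended for `warm.min_age`, assuming that key feeds the same schedule (its consumer is not in this diff). `number_of_replicas: 0` is applied to the SOC's own log stream, which presumably includes the request/identity records the SOC UI lists elsewhere in this commit, so a single data-node loss drops that trail; if matching the other indices is deliberate, a comment such as `# replicas intentionally 0 to match the other so-* indices` would record it. The policy is named `so-soc-logs` while the entry and data stream are `so-logs-soc`; aligning the two names would make the lifecycle easier to locate.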


@@ -57,11 +57,11 @@
{ "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
{ "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" }}, { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" } },
{ "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } }, { "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }}, { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } },
{ "grok": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]}}, { "grok": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
{%- endraw %} {%- endraw %}
{%- if HIGHLANDER %} {%- if HIGHLANDER %}


@@ -92,6 +92,7 @@ soc:
- http_request.headers.x-real-ip - http_request.headers.x-real-ip
- identity_id - identity_id
- http_request.headers.user-agent - http_request.headers.user-agent
- event.dataset
'::conn': '::conn':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -102,6 +103,7 @@ soc:
- network.protocol - network.protocol
- log.id.uid - log.id.uid
- network.community_id - network.community_id
- event.dataset
'::dce_rpc': '::dce_rpc':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -112,6 +114,7 @@ soc:
- dce_rpc.named_pipe - dce_rpc.named_pipe
- dce_rpc.operation - dce_rpc.operation
- log.id.uid - log.id.uid
- event.dataset
'::dhcp': '::dhcp':
- soc_timestamp - soc_timestamp
- client.address - client.address
@@ -120,6 +123,7 @@ soc:
- host.hostname - host.hostname
- dhcp.message_types - dhcp.message_types
- log.id.uid - log.id.uid
- event.dataset
'::dnp3': '::dnp3':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -128,6 +132,7 @@ soc:
- destination.port - destination.port
- dnp3.fc_reply - dnp3.fc_reply
- log.id.uid - log.id.uid
- event.dataset
'::dnp3_control': '::dnp3_control':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -137,6 +142,7 @@ soc:
- dnp3.function_code - dnp3.function_code
- dnp3.block_type - dnp3.block_type
- log.id.uid - log.id.uid
- event.dataset
'::dnp3_objects': '::dnp3_objects':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -146,6 +152,7 @@ soc:
- dnp3.function_code - dnp3.function_code
- dnp3.object_type - dnp3.object_type
- log.id.uid - log.id.uid
- event.dataset
'::dns': '::dns':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -158,6 +165,7 @@ soc:
- dns.response.code_name - dns.response.code_name
- log.id.uid - log.id.uid
- network.community_id - network.community_id
- event.dataset
'::dpd': '::dpd':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -168,6 +176,7 @@ soc:
- observer.analyser - observer.analyser
- error.reason - error.reason
- log.id.uid - log.id.uid
- event.dataset
'::file': '::file':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -178,6 +187,7 @@ soc:
- file.bytes.total - file.bytes.total
- log.id.fuid - log.id.fuid
- log.id.uid - log.id.uid
- event.dataset
'::ftp': '::ftp':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -190,6 +200,7 @@ soc:
- ftp.reply_code - ftp.reply_code
- file.size - file.size
- log.id.uid - log.id.uid
- event.dataset
'::http': '::http':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -204,6 +215,7 @@ soc:
- http.response.body.length - http.response.body.length
- log.id.uid - log.id.uid
- network.community_id - network.community_id
- event.dataset
'::intel': '::intel':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -214,6 +226,7 @@ soc:
- intel.indicator_type - intel.indicator_type
- intel.seen_where - intel.seen_where
- log.id.uid - log.id.uid
- event.dataset
'::irc': '::irc':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -226,6 +239,7 @@ soc:
- irc.command.value - irc.command.value
- irc.command.info - irc.command.info
- log.id.uid - log.id.uid
- event.dataset
'::kerberos': '::kerberos':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -236,6 +250,7 @@ soc:
- kerberos.service - kerberos.service
- kerberos.request_type - kerberos.request_type
- log.id.uid - log.id.uid
- event.dataset
'::modbus': '::modbus':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -244,6 +259,7 @@ soc:
- destination.port - destination.port
- modbus.function - modbus.function
- log.id.uid - log.id.uid
- event.dataset
'::mysql': '::mysql':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -255,6 +271,7 @@ soc:
- mysql.success - mysql.success
- mysql.response - mysql.response
- log.id.uid - log.id.uid
- event.dataset
'::notice': '::notice':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -266,6 +283,7 @@ soc:
- log.id.fuid - log.id.fuid
- log.id.uid - log.id.uid
- network.community_id - network.community_id
- event.dataset
'::ntlm': '::ntlm':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -278,6 +296,7 @@ soc:
- ntlm.server.nb.name - ntlm.server.nb.name
- ntlm.server.tree.name - ntlm.server.tree.name
- log.id.uid - log.id.uid
- event.dataset
'::pe': '::pe':
- soc_timestamp - soc_timestamp
- file.is_64bit - file.is_64bit
@@ -286,6 +305,7 @@ soc:
- file.os - file.os
- file.subsystem - file.subsystem
- log.id.fuid - log.id.fuid
- event.dataset
'::radius': '::radius':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -297,6 +317,7 @@ soc:
- radius.framed_address - radius.framed_address
- radius.reply_message - radius.reply_message
- radius.result - radius.result
- event.dataset
'::rdp': '::rdp':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -312,6 +333,7 @@ soc:
- rdp.result - rdp.result
- rdp.security_protocol - rdp.security_protocol
- log.id.uid - log.id.uid
- event.dataset
'::rfb': '::rfb':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -323,6 +345,7 @@ soc:
- rfb.share_flag - rfb.share_flag
- rfb.desktop.name - rfb.desktop.name
- log.id.uid - log.id.uid
- event.dataset
'::signatures': '::signatures':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -336,6 +359,7 @@ soc:
- signature_count - signature_count
- host.count - host.count
- log.id.uid - log.id.uid
- event.dataset
'::sip': '::sip':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -353,6 +377,7 @@ soc:
- sip.user_agent - sip.user_agent
- sip.status_code - sip.status_code
- log.id.uid - log.id.uid
- event.dataset
'::smb_files': '::smb_files':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -366,6 +391,7 @@ soc:
- file.size - file.size
- file.prev_name - file.prev_name
- log.id.uid - log.id.uid
- event.dataset
'::smb_mapping': '::smb_mapping':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -376,6 +402,7 @@ soc:
- smb.service - smb.service
- smb.share_type - smb.share_type
- log.id.uid - log.id.uid
- event.dataset
'::smtp': '::smtp':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -388,6 +415,7 @@ soc:
- smtp.useragent - smtp.useragent
- log.id.uid - log.id.uid
- network.community_id - network.community_id
- event.dataset
'::snmp': '::snmp':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -397,6 +425,7 @@ soc:
- snmp.community - snmp.community
- snmp.version - snmp.version
- log.id.uid - log.id.uid
- event.dataset
'::socks': '::socks':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -408,11 +437,13 @@ soc:
- socks.request.port - socks.request.port
- socks.status - socks.status
- log.id.uid - log.id.uid
- event.dataset
'::software': '::software':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
- software.name - software.name
- software.type - software.type
- event.dataset
'::ssh': '::ssh':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -425,6 +456,7 @@ soc:
- ssh.client - ssh.client
- ssh.server - ssh.server
- log.id.uid - log.id.uid
- event.dataset
'::ssl': '::ssl':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -436,6 +468,7 @@ soc:
- ssl.validation_status - ssl.validation_status
- ssl.version - ssl.version
- log.id.uid - log.id.uid
- event.dataset
':zeek:syslog': ':zeek:syslog':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -446,6 +479,7 @@ soc:
- network.protocol - network.protocol
- syslog.severity - syslog.severity
- log.id.uid - log.id.uid
- event.dataset
'::tunnels': '::tunnels':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -455,6 +489,7 @@ soc:
- tunnel_type - tunnel_type
- action - action
- log.id.uid - log.id.uid
- event.dataset
'::weird': '::weird':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -463,6 +498,7 @@ soc:
- destination.port - destination.port
- weird.name - weird.name
- log.id.uid - log.id.uid
- event.dataset
'::x509': '::x509':
- soc_timestamp - soc_timestamp
- x509.certificate.subject - x509.certificate.subject
@@ -470,6 +506,7 @@ soc:
- x509.certificate.key.length - x509.certificate.key.length
- x509.certificate.issuer - x509.certificate.issuer
- log.id.fuid - log.id.fuid
- event.dataset
'::firewall': '::firewall':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -481,6 +518,7 @@ soc:
- observer.ingress.interface.name - observer.ingress.interface.name
- event.action - event.action
- network.community_id - network.community_id
- event.dataset
':pfsense:': ':pfsense:':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -492,6 +530,7 @@ soc:
- observer.ingress.interface.name - observer.ingress.interface.name
- event.action - event.action
- network.community_id - network.community_id
- event.dataset
':osquery:': ':osquery:':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -499,9 +538,9 @@ soc:
- destination.ip - destination.ip
- destination.port - destination.port
- source.hostname - source.hostname
- event.dataset
- process.executable - process.executable
- user.name - user.name
- event.dataset
':strelka:file': ':strelka:file':
- soc_timestamp - soc_timestamp
- file.name - file.name
@@ -510,6 +549,7 @@ soc:
- file.source - file.source
- file.mime_type - file.mime_type
- log.id.fuid - log.id.fuid
- event.dataset
':suricata:': ':suricata:':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -521,9 +561,11 @@ soc:
- event.severity_label - event.severity_label
- log.id.uid - log.id.uid
- network.community_id - network.community_id
- event.dataset
':windows_eventlog:': ':windows_eventlog:':
- soc_timestamp - soc_timestamp
- user.name - user.name
- event.dataset
':elasticsearch:': ':elasticsearch:':
- soc_timestamp - soc_timestamp
- agent.name - agent.name
@@ -545,6 +587,7 @@ soc:
- real_message - real_message
- syslog.priority - syslog.priority
- syslog.application - syslog.application
- event.dataset
':aws:': ':aws:':
- soc_timestamp - soc_timestamp
- aws.cloudtrail.event_category - aws.cloudtrail.event_category
@@ -556,6 +599,7 @@ soc:
- user.name - user.name
- source.ip - source.ip
- source.geo.region_iso_code - source.geo.region_iso_code
- event.dataset
':squid:': ':squid:':
- soc_timestamp - soc_timestamp
- url.original - url.original
@@ -563,6 +607,7 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
- event.dataset
'::sysmon_operational': '::sysmon_operational':
- soc_timestamp - soc_timestamp
- event.action - event.action
@@ -570,6 +615,7 @@ soc:
- user.name - user.name
- process.executable - process.executable
- process.pid - process.pid
- event.dataset
'::network_connection': '::network_connection':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -577,44 +623,50 @@ soc:
- destination.ip - destination.ip
- destination.port - destination.port
- source.hostname - source.hostname
- event.dataset
- process.executable - process.executable
- user.name - user.name
- event.dataset
'::process_terminated': '::process_terminated':
- soc_timestamp - soc_timestamp
- process.executable - process.executable
- process.pid - process.pid
- winlog.computer_name - winlog.computer_name
- event.dataset
'::file_create': '::file_create':
- soc_timestamp - soc_timestamp
- file.target - file.target
- process.executable - process.executable
- process.pid - process.pid
- winlog.computer_name - winlog.computer_name
- event.dataset
'::registry_value_set': '::registry_value_set':
- soc_timestamp - soc_timestamp
- winlog.event_data.TargetObject - winlog.event_data.TargetObject
- process.executable - process.executable
- process.pid - process.pid
- winlog.computer_name - winlog.computer_name
- event.dataset
'::process_creation': '::process_creation':
- soc_timestamp - soc_timestamp
- process.command_line - process.command_line
- process.pid - process.pid
- process.parent.executable - process.parent.executable
- process.working_directory - process.working_directory
- event.dataset
'::registry_create_delete': '::registry_create_delete':
- soc_timestamp - soc_timestamp
- winlog.event_data.TargetObject - winlog.event_data.TargetObject
- process.executable - process.executable
- process.pid - process.pid
- winlog.computer_name - winlog.computer_name
- event.dataset
'::dns_query': '::dns_query':
- soc_timestamp - soc_timestamp
- dns.query.name - dns.query.name
- dns.answers.name - dns.answers.name
- process.executable - process.executable
- winlog.computer_name - winlog.computer_name
- event.dataset
'::file_create_stream_hash': '::file_create_stream_hash':
- soc_timestamp - soc_timestamp
- file.target - file.target
@@ -623,6 +675,7 @@ soc:
- process.executable - process.executable
- process.pid - process.pid
- winlog.computer_name - winlog.computer_name
- event.dataset
'::bacnet': '::bacnet':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -632,6 +685,7 @@ soc:
- bacnet.bclv.function - bacnet.bclv.function
- bacnet.result.code - bacnet.result.code
- log.id.uid - log.id.uid
- event.dataset
'::bacnet_discovery': '::bacnet_discovery':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -641,6 +695,7 @@ soc:
- bacnet.vendor - bacnet.vendor
- bacnet.pdu.service - bacnet.pdu.service
- log.id.uid - log.id.uid
- event.dataset
'::bacnet_property': '::bacnet_property':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -650,6 +705,7 @@ soc:
- bacnet.property - bacnet.property
- bacnet.pdu.service - bacnet.pdu.service
- log.id.uid - log.id.uid
- event.dataset
'::bsap_ip_header': '::bsap_ip_header':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -659,12 +715,14 @@ soc:
- bsap.message.type - bsap.message.type
- bsap.number.messages - bsap.number.messages
- log.id.uid - log.id.uid
- event.dataset
'::bsap_ip_rdb': '::bsap_ip_rdb':
- soc_timestamp - soc_timestamp
- bsap.application.function - bsap.application.function
- bsap.application.sub.function - bsap.application.sub.function
- bsap.vector.variables - bsap.vector.variables
- log.id.uid - log.id.uid
- event.dataset
'::bsap_serial_header': '::bsap_serial_header':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -675,11 +733,13 @@ soc:
- bsap.destination.function - bsap.destination.function
- bsap.message.type - bsap.message.type
- log.id.uid - log.id.uid
- event.dataset
'::bsap_serial_rdb': '::bsap_serial_rdb':
- soc_timestamp - soc_timestamp
- bsap.rdb.function - bsap.rdb.function
- bsap.vector.variables - bsap.vector.variables
- log.id.uid - log.id.uid
- event.dataset
'::cip': '::cip':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -699,6 +759,7 @@ soc:
- cip.device.type.name - cip.device.type.name
- cip.vendor.name - cip.vendor.name
- log.id.uid - log.id.uid
- event.dataset
'::cip_io': '::cip_io':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -708,6 +769,7 @@ soc:
- cip.connection.id - cip.connection.id
- cip.io.data - cip.io.data
- log.id.uid - log.id.uid
- event.dataset
'::cotp': '::cotp':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -716,6 +778,7 @@ soc:
- destination.port - destination.port
- cotp.pdu.name - cotp.pdu.name
- log.id.uid - log.id.uid
- event.dataset
'::ecat_arp_info': '::ecat_arp_info':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -723,6 +786,7 @@ soc:
- source.mac - source.mac
- destination.mac - destination.mac
- ecat.arp.type - ecat.arp.type
- event.dataset
'::ecat_aoe_info': '::ecat_aoe_info':
- soc_timestamp - soc_timestamp
- source.mac - source.mac
@@ -730,6 +794,7 @@ soc:
- destination.mac - destination.mac
- destination.port - destination.port
- ecat.command - ecat.command
- event.dataset
'::ecat_coe_info': '::ecat_coe_info':
- soc_timestamp - soc_timestamp
- ecat.message.number - ecat.message.number
@@ -737,6 +802,7 @@ soc:
- ecat.request.response.type - ecat.request.response.type
- ecat.index - ecat.index
- ecat.sub.index - ecat.sub.index
- event.dataset
'::ecat_dev_info': '::ecat_dev_info':
- soc_timestamp - soc_timestamp
- ecat.device.type - ecat.device.type
@@ -744,17 +810,20 @@ soc:
- ecat.ram.size - ecat.ram.size
- ecat.revision - ecat.revision
- ecat.slave.address - ecat.slave.address
- event.dataset
'::ecat_log_address': '::ecat_log_address':
- soc_timestamp - soc_timestamp
- source.mac - source.mac
- destination.mac - destination.mac
- ecat.command - ecat.command
- event.dataset
'::ecat_registers': '::ecat_registers':
- soc_timestamp - soc_timestamp
- source.mac - source.mac
- destination.mac - destination.mac
- ecat.command - ecat.command
- ecat.register.type - ecat.register.type
- event.dataset
'::enip': '::enip':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -773,6 +842,7 @@ soc:
- destination.port - destination.port
- modbus.function - modbus.function
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary': '::opcua_binary':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -782,6 +852,7 @@ soc:
- opcua.identifier_string - opcua.identifier_string
- opcua.message_type - opcua.message_type
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_activate_session': '::opcua_binary_activate_session':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -792,6 +863,7 @@ soc:
- opcua.identifier_string - opcua.identifier_string
- opcua.user_name - opcua.user_name
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_activate_session_diagnostic_info': '::opcua_binary_activate_session_diagnostic_info':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -801,6 +873,7 @@ soc:
- opcua.activate_session_diag_info_link_id - opcua.activate_session_diag_info_link_id
- opcua.diag_info_link_id - opcua.diag_info_link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_activate_session_locale_id': '::opcua_binary_activate_session_locale_id':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -810,6 +883,7 @@ soc:
- opcua.local_id - opcua.local_id
- opcua.locale_link_id - opcua.locale_link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_browse': '::opcua_binary_browse':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -819,6 +893,7 @@ soc:
- opcua.link_id - opcua.link_id
- opcua.service_type - opcua.service_type
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_browse_description': '::opcua_binary_browse_description':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -826,6 +901,7 @@ soc:
- destination.ip - destination.ip
- destination.port - destination.port
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_browse_response_references': '::opcua_binary_browse_response_references':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -835,6 +911,7 @@ soc:
- opcua.node_class - opcua.node_class
- opcua.display_name_text - opcua.display_name_text
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_browse_result': '::opcua_binary_browse_result':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -843,6 +920,7 @@ soc:
- destination.port - destination.port
- opcua.response_link_id - opcua.response_link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_create_session': '::opcua_binary_create_session':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -851,6 +929,7 @@ soc:
- destination.port - destination.port
- opcua.link_id - opcua.link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_create_session_endpoints': '::opcua_binary_create_session_endpoints':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -860,6 +939,7 @@ soc:
- opcua.endpoint_link_id - opcua.endpoint_link_id
- opcua.endpoint_url - opcua.endpoint_url
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_create_session_user_token': '::opcua_binary_create_session_user_token':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -868,6 +948,7 @@ soc:
- destination.port - destination.port
- opcua.user_token_link_id - opcua.user_token_link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_create_subscription': '::opcua_binary_create_subscription':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -876,6 +957,7 @@ soc:
- destination.port - destination.port
- opcua.link_id - opcua.link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_get_endpoints': '::opcua_binary_get_endpoints':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -885,6 +967,7 @@ soc:
- opcua.endpoint_url - opcua.endpoint_url
- opcua.link_id - opcua.link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_get_endpoints_description': '::opcua_binary_get_endpoints_description':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -894,6 +977,7 @@ soc:
- opcua.endpoint_description_link_id - opcua.endpoint_description_link_id
- opcua.endpoint_uri - opcua.endpoint_uri
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_get_endpoints_user_token': '::opcua_binary_get_endpoints_user_token':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -903,6 +987,7 @@ soc:
- opcua.user_token_link_id - opcua.user_token_link_id
- opcua.user_token_type - opcua.user_token_type
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_read': '::opcua_binary_read':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -912,6 +997,7 @@ soc:
- opcua.link_id - opcua.link_id
- opcua.read_results_link_id - opcua.read_results_link_id
- log.id.uid - log.id.uid
- event.dataset
'::opcua_binary_status_code_detail': '::opcua_binary_status_code_detail':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -921,6 +1007,7 @@ soc:
- opcua.info_type_string - opcua.info_type_string
- opcua.source_string - opcua.source_string
- log.id.uid - log.id.uid
- event.dataset
'::profinet': '::profinet':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -930,6 +1017,7 @@ soc:
- profinet.index - profinet.index
- profinet.operation_type - profinet.operation_type
- log.id.uid - log.id.uid
- event.dataset
'::profinet_dce_rpc': '::profinet_dce_rpc':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -938,6 +1026,7 @@ soc:
- destination.port - destination.port
- profinet.operation - profinet.operation
- log.id.uid - log.id.uid
- event.dataset
'::s7comm': '::s7comm':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -947,6 +1036,7 @@ soc:
- s7.ros.control.name - s7.ros.control.name
- s7.function.name - s7.function.name
- log.id.uid - log.id.uid
- event.dataset
'::s7comm_plus': '::s7comm_plus':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -956,6 +1046,7 @@ soc:
- s7.opcode.name - s7.opcode.name
- s7.version - s7.version
- log.id.uid - log.id.uid
- event.dataset
'::s7comm_read_szl': '::s7comm_read_szl':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -965,6 +1056,7 @@ soc:
- s7.szl_id_name - s7.szl_id_name
- s7.return_code_name - s7.return_code_name
- log.id.uid - log.id.uid
- event.dataset
'::s7comm_upload_download': '::s7comm_upload_download':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -974,6 +1066,7 @@ soc:
- s7.ros.control.name - s7.ros.control.name
- s7.function_code - s7.function_code
- log.id.uid - log.id.uid
- event.dataset
'::tds': '::tds':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -1064,6 +1157,15 @@ soc:
- event.action - event.action
- event.outcome - event.outcome
- event.dataset - event.dataset
':system:':
- soc_timestamp
- process.name
- process.pid
- user.effective.name
- user.name
- system.auth.sudo.command
- event.dataset
- message
server: server:
bindAddress: 0.0.0.0:9822 bindAddress: 0.0.0.0:9822
baseUrl: / baseUrl: /
@@ -1084,6 +1186,10 @@ soc:
denyRegex: '' denyRegex: ''
elastAlertRulesFolder: /opt/sensoroni/elastalert elastAlertRulesFolder: /opt/sensoroni/elastalert
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
rulesRepos:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources
license: DRL
folder: sigma/stable
sigmaRulePackages: sigmaRulePackages:
- core - core
- emerging_threats_addon - emerging_threats_addon
@@ -1157,7 +1263,7 @@ soc:
tipTimeoutMs: 6000 tipTimeoutMs: 6000
cacheExpirationMs: 300000 cacheExpirationMs: 300000
casesEnabled: true casesEnabled: true
detectionsEnabled: false detectionsEnabled: true
inactiveTools: ['toolUnused'] inactiveTools: ['toolUnused']
tools: tools:
- name: toolKibana - name: toolKibana
@@ -1881,8 +1987,9 @@ soc:
default: default:
- so_detection.title - so_detection.title
- so_detection.isEnabled - so_detection.isEnabled
- so_detection.language
- so_detection.severity - so_detection.severity
- so_detection.language
- so_detection.ruleset
queries: queries:
- name: "All Detections" - name: "All Detections"
query: "_id:*" query: "_id:*"
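Review bot: The new `rulesRepos` entry (hunk `@@ -1084,6 +1186,10 @@`) names a remote repository, a license and a folder but no branch, tag or commit, so whatever fetches it presumably tracks the default branch and accepts any future change to those Sigma rules as detection content; with `detectionsEnabled` flipped to `true` in the same file, that repository becomes a live input to the detection pipeline by default. If the fetcher does not verify what it pulls, a pinned ref or a comment on how rule updates are reviewed belongs next to the entry, e.g. `# fetched unpinned from the default branch; updates follow <update-policy>` (placeholder). The rest of the section is the uniform addition of `event.dataset` to each field list, which needs no comment.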


@@ -33,6 +33,12 @@ suricata:
threads: 1 threads: 1
tpacket-v3: "yes" tpacket-v3: "yes"
ring-size: 5000 ring-size: 5000
block-size: 32768
block-timeout: 10
use-emergency-flush: "yes"
buffer-size: 32768
disable-promisc: "no"
checksum-checks: kernel
vars: vars:
address-groups: address-groups:
HOME_NET: HOME_NET:


@@ -32,11 +32,21 @@
- interface: {{ GLOBALS.sensor.interface }} - interface: {{ GLOBALS.sensor.interface }}
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }} cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }} cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }} defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }} use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
threads: {{ SURICATAMERGED.config['af-packet'].threads }} threads: {{ SURICATAMERGED.config['af-packet'].threads }}
tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }} tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }} ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
{% else %}
checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
{% endif %}
{% endload %} {% endload %}
{% do SURICATAMERGED.config.pop('af-packet') %} {% do SURICATAMERGED.config.pop('af-packet') %}
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %} {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
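Review bot: The `{% if ... in ['yes', 'no'] %}` branch around `checksum-checks` is more machinery than the value needs: the annotation for this key admits only `kernel|yes|no|auto`, all plain strings to Suricata, so a single `checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"` renders the same result with one code path — assuming Suricata accepts a quoted `kernel`/`auto` here the way it accepts the quoted `yes`/`no` this hunk introduces for `defrag` and `use-mmap`. `block-size`, `block-timeout` and `buffer-size` are rendered unquoted, which is correct for integers but means a non-numeric override produces invalid YAML; the `forcedType: int` annotations are the only guard, so a one-line comment noting that dependency would help the next editor. The `{% load_yaml %}` block that these lines sit in starts before the first line of the hunk.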


@@ -94,6 +94,36 @@ suricata:
description: Buffer size for packets per thread. description: Buffer size for packets per thread.
forcedType: int forcedType: int
helpLink: suricata.html helpLink: suricata.html
block-size:
description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
advanced: True
forcedType: int
helpLink: suricata.html
block-timeout:
description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
advanced: True
forcedType: int
helpLink: suricata.html
use-emergency-flush:
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
buffer-size:
description: Increasing the value of the receive buffer may improve performance.
advanced: True
forcedType: int
helpLink: suricata.html
disable-promisc:
description: Promiscuous mode can be disabled by setting this to "yes".
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
checksum-checks:
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
advanced: True
regex: ^(kernel|yes|no|auto)$
helpLink: suricata.html
threading: threading:
set-cpu-affinity: set-cpu-affinity:
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
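Review bot: The `block-size` description states two hard constraints (power of two, multiple of the page size) but the entry only enforces `forcedType: int`, so a value such as 30000 passes the UI and is presumably first rejected when Suricata starts; `buffer-size` has the same gap and documents no bound at all. With no range check available here the description is the only guard, so it should state the shipped default and why it satisfies both rules, e.g. appending `The default of 32768 (2^15, eight 4 KiB pages) satisfies both constraints on 4 KiB-page systems.` Quoting is also inconsistent across the new entries: only `checksum-checks` wraps its description in double quotes because it contains colons, while the others are bare scalars; quoting all of them would stop the next colon or leading quote from breaking the file.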


@@ -288,9 +288,9 @@ whiptail_dhcp_or_static() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
address_type=$(whiptail --title "$whiptail_title" --menu \ address_type=$(whiptail --title "$whiptail_title" --menu \
"Choose how to set up your management interface:" 20 78 4 \ "Choose how to set up your management interface. We recommend using a static IP address." 20 78 4 \
"STATIC" "Set a static IPv4 address" \ "STATIC" "Set a static IPv4 address (recommended)" \
"DHCP" "Use DHCP to configure the Management Interface" 3>&1 1>&2 2>&3 ) "DHCP" "Use DHCP to configure the management interface" 3>&1 1>&2 2>&3 )
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus