From d56e66917a8ba2da676cee3044657734520bb0ab Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 26 Apr 2021 09:18:15 -0400 Subject: [PATCH 1/7] 2.3.50 sig files --- VERIFY_ISO.md | 22 +++++++++++----------- sigs/securityonion-2.3.50.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.50.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 774116411..bd29a864e 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,16 +1,16 @@ -### 2.3.40 ISO image built on 2021/03/22 +### 2.3.50 ISO image built on 2021/04/25 ### Download and Verify -2.3.40 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso +2.3.50 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso -MD5: FB72C0675F262A714B287BB33CE82504 -SHA1: E8F5A9AA23990DF794611F9A178D88414F5DA81C -SHA256: DB125D6E770F75C3FD35ABE3F8A8B21454B7A7618C2B446D11B6AC8574601070 +MD5: 8B74AF6F29DB156E3D467B25E1D46449 +SHA1: 99A0A96C5F206471E4F1D26A8A2D577A8ECDAED5 +SHA256: CA0EE3793FC1356FB5C50D36107FA3BB39DE6C40EBE6C7C90075D5C189BB3083 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.40.iso.sig securityonion-2.3.40.iso +gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 22 Mar 2021 09:35:50 AM EDT using RSA key ID FE507013 +gpg: Signature made Sun 25 Apr 2021 01:01:35 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.50.iso.sig b/sigs/securityonion-2.3.50.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..05d0d01628f4cc4ce32b0d49cb57937d6a64747f GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;7&pl<*Q2@re`V7LBIa1(075B(nuX|)-z2+BYNjp#JV zwG*X@!I*qu0;DHkt_(+G{1bx~=74ROQ|+^>iQ=eq30|oU$B|6zn7a;l6~_#8TWrFJ z#pv%-j>;urN7F1K>I?1*A3h$x+uX&u~; zR;Iz2peomHkFY@}XLP`^$fPQi7yfGmF#8Ut$kQ?DI!8UCUJSCv5%OeWD~!UF=RMOU zCyBZDsV1-9LZWO5u!M|T7|rLeiUNMIp?-aKzdvLfh5I_$j6nBM_jzszPS0A@mbQ-! z0&AK6zt_clEB5r5%p?#=7<^TH!vbk%Rmxak4^j?UR#<+G6rLq|_bMP$uupz){3HLK z1ziwXGXcyc$d*M;BgRN*+64@Kz6x;NpvxH^AeUiRFC2!>CjzZ363vg*q5pHIVn^h9 zq}nOvd;OV?mVma6M{!Eh{FV_g8jI}(?;WTg*3KlPQGS+4-IO#W;jD!mE2okD=jS|# zd@eLnP!+GyJteB893Q(0)}X}u;!nRY81Wpc!2CP2_ZD+%*zl-Ctm;*PE(C-QThdOj hcQvOU(|8|fj`^ZuqH_3q3de7e;9z+|B+g|eSJ)6+1Kj`s literal 0 HcmV?d00001 From a6b2eefee1ac6bcd13f0d95e6a1a45d10d018863 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 27 Apr 2021 15:33:52 -0400 Subject: [PATCH 2/7] Prompt airgap to update --- VERIFY_ISO.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 VERIFY_ISO.md diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md new file mode 100644 index 000000000..ca819a403 --- /dev/null +++ b/VERIFY_ISO.md @@ -0,0 +1,51 @@ +### 2.3.50 ISO image built on 2021/04/26 + + +### Download and Verify + +2.3.50 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso + +MD5: 1FF774520D3B1323D83BBF90BD9EFACE +SHA1: 0F323335459A11850B68BB82E062F581225303EE +SHA256: 2AACD535E0EACE17E8DC7B560353D43111A287C59C23827612B720D742DFD994 + +Signature for ISO image: +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig + +Signing key: +https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS + +For example, here are the steps you can use on most Linux distributions to download and verify our Security Onion ISO image. + +Download and import the signing key: +``` +wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -O - | gpg --import - +``` + +Download the signature file for the ISO: +``` +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig +``` + +Download the ISO image: +``` +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso +``` + +Verify the downloaded ISO image using the signature file: +``` +gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso +``` + +The output should show "Good signature" and the Primary key fingerprint should match what's shown below: +``` +gpg: Signature made Mon 26 Apr 2021 03:54:51 PM EDT using RSA key ID FE507013 +gpg: Good signature from "Security Onion Solutions, LLC " +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013 +``` + +Once you've verified the ISO image, you're ready to proceed to our Installation guide: +https://docs.securityonion.net/en/2.3/installation.html From 77533f78734ee7b1106e5a7500c1538b4b7bef7a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 27 Apr 2021 15:45:35 -0400 Subject: [PATCH 3/7] Repo Fix --- sigs/securityonion-2.3.50.iso.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/securityonion-2.3.50.iso.sig diff --git a/sigs/securityonion-2.3.50.iso.sig b/sigs/securityonion-2.3.50.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..d8405a0421e494f77a03bee88e5207e9f73c1e29 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;7*RW$$#2@re`V7LBIa1$Um5CESxa#R+gq=PYL1RQjp zIUjoz5JIvAI&fTWU%o>h~+eB02ca8Fb5cDUR*+^E@ z`nMVQYSe6b-cVv-tuz_HMkKDGT76lmx(uDa5)|)sD?MLv{R* z1E#5Ie<@~K-Zay`EJ1)0fqS55MnW%AwIRWoN&_XyX$rPwU}^qQ1m*+fU}lY}1jLZC h24TfxOI&zaA^x(3X|swT8BU^s0 Date: Thu, 1 Jul 2021 14:37:56 -0400 Subject: [PATCH 4/7] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 678d59d4f..e183d6a6c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.60 +2.3.70 From 693f455862086de7a0dd53c945c9246d0ef44e0b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 2 Jul 2021 08:55:49 -0400 Subject: [PATCH 5/7] ECS hotfix --- HOTFIX | 2 +- VERSION | 2 +- salt/elasticsearch/files/ingest/ossec | 3 +-- salt/elasticsearch/files/ingest/strelka.file | 3 +-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..f32bc0381 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +ECSFIX diff --git a/VERSION b/VERSION index e183d6a6c..678d59d4f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.70 +2.3.60 diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec index 1c5a0fd42..868de2798 100644 --- a/salt/elasticsearch/files/ingest/ossec +++ b/salt/elasticsearch/files/ingest/ossec @@ -63,8 +63,7 @@ { "rename": { "field": "fields.module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }, - { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "ossec.alert", "override": true } }, - { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.kind", "value": "alert", "override": true } }, + { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "alert", "override": true } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index cf2772305..e5e8560f8 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file @@ -53,8 +53,7 @@ { "set": { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory", "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }}, { "set": { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem", "value": "{{exiftool.Subsystem}}", "ignore_failure": true }}, { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name", "value": "{{scan.yara.matches.0}}" }}, - { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "strelka.alert", "override": true }}, - { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "event.kind", "value": "alert", "override": true }}, + { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "alert", "override": true }}, { "rename": { "field": "file.flavors.mime", "target_field": "file.mime_type", "ignore_missing": true }}, { "set": { "if": "ctx.rule?.name != null && ctx.rule?.score == null", "field": "event.severity", "value": 3, "override": true } }, { "convert" : { "if": "ctx.rule?.score != null", "field" : "rule.score","type": "integer"}}, From 22aa695508be3df25f7c91160218d36bb4c11a44 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 2 Jul 2021 09:47:31 -0400 Subject: [PATCH 6/7] Update telegraf.conf --- salt/telegraf/etc/telegraf.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 44e78ecda..abb928a76 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -630,8 +630,10 @@ {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["https://{{ NODEIP }}:9200"] +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ ES_USER }}" password = "{{ ES_PASS }}" +{% endif %} insecure_skip_verify = true {% endif %} From 0a91f571c1f19958511a8880c7fbcfbb4ccb719e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 2 Jul 2021 10:41:15 -0400 Subject: [PATCH 7/7] 2.3.60 ECSFIX --- VERIFY_ISO.md | 22 +++++++++++----------- sigs/securityonion-2.3.60-ECSFIX.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.60-ECSFIX.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index cd1dfa825..d64b20075 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.60 ISO image built on 2021/04/27 +### 2.3.60-ECSFIX ISO image built on 2021/07/02 ### Download and Verify -2.3.60 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso +2.3.60-ECSFIX ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso -MD5: 0470325615C42C206B028EE37A1AD897 -SHA1: 496E70BD529D3B8A02D0B32F68B8F7527C953612 -SHA256: 417E34DFCD63D84A16FF2041DC712F02D9E0515C8B78BDF0EE1037DD13C32030 +MD5: BCD2C449BD3B65D96A0D1E479C0414F9 +SHA1: 18FB8F33C19980992B291E5A7EC23D5E13853933 +SHA256: AD3B750E7FC4CA0D58946D8FEB703AE9B01508E314967566B06CFE5D8A8086E9 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.60.iso.sig securityonion-2.3.60.iso +gpg --verify securityonion-2.3.60-ECSFIX.iso.sig securityonion-2.3.60-ECSFIX.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 01 Jul 2021 10:59:24 AM EDT using RSA key ID FE507013 +gpg: Signature made Fri 02 Jul 2021 10:15:04 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.60-ECSFIX.iso.sig b/sigs/securityonion-2.3.60-ECSFIX.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..cc55927fa51558aa37f22edf51f0e4d673d0176d GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;8-A7}sy2@re`V7LBIa1%wI5CFR1D4`vbrDu+;!sTS* zE!py=ZSCBYZV&cUPU9O^iSLFIgJqf7<;>XyJT$j|tglSD5kcE>_xLjiFsSzhsq-pm@2~( z`ODPPDm?sgWAKH%=TtyCuKCRJ{8xw>=H^BMk&XcvQxadMMc$nF6c1%Pja`$8Pekn$aUMi3 zo#Ljw5X3_uxJ%t&R}YR7e}gbg4%L_f$+yf1`eXf^2m*6P`j~mh%fqTxYKxt@Y5{y5*5@Ghj3)zUivs_ zfKQf#=)m(F*^B<*&D&adjU26cS|(#5N}FU= zGgWoFWNPvIBQ6!3p37o?om4$H^C&lJwhZzzyx@6{^Err2-8rXYiQ*PLnjA^do)(oY h$e~h9tfW>;@LmY}O&&)QYg-Ckik79+CJ{}Ek~!yY3sV39 literal 0 HcmV?d00001