diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
index dd73f3aa9..4d70fd517 100644
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -5,7 +5,7 @@
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
-{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 eval:
@@ -63,7 +63,7 @@ heavy_node:
 - so-suricata
 - so-wazuh
 - so-filebeat
- {% if BROVER != 'SURICATA' %}
+ {% if ZEEKVER != 'SURICATA' %}
 - so-zeek
 {% endif %}
 helix:
@@ -186,7 +186,7 @@ sensor:
 - so-telegraf
 - so-steno
 - so-suricata
- {% if BROVER != 'SURICATA' %}
+ {% if ZEEKVER != 'SURICATA' %}
 - so-zeek
 {% endif %}
 - so-wazuh
diff --git a/pillar/top.sls b/pillar/top.sls
index 9ab170a97..889f0b63f 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -15,7 +15,7 @@ base:
 '*_sensor':
 - static
- - brologs
+ - zeeklogs
 - healthcheck.sensor
 - minions.{{ grains.id }}
@@ -32,7 +32,7 @@ base:
 '*_eval':
 - data.*
- - brologs
+ - zeeklogs
 - secrets
 - healthcheck.eval
 - elasticsearch.eval
@@ -45,7 +45,7 @@ base:
 - logstash.search
 - elasticsearch.search
 - data.*
- - brologs
+ - zeeklogs
 - secrets
 - healthcheck.standalone
 - static
@@ -57,13 +57,13 @@ base:
 '*_heavynode':
 - static
- - brologs
+ - zeeklogs
 - minions.{{ grains.id }}
 '*_helix':
 - static
 - fireeye
- - brologs
+ - zeeklogs
 - logstash
 - logstash.helix
 - minions.{{ grains.id }}
diff --git a/pillar/brologs.sls b/pillar/zeeklogs.sls
similarity index 97%
rename from pillar/brologs.sls
rename to pillar/zeeklogs.sls
index 95f18691e..882cb92a9 100644
--- a/pillar/brologs.sls
+++ b/pillar/zeeklogs.sls
@@ -1,4 +1,4 @@
-brologs:
+zeeklogs:
 enabled:
 - conn
 - dce_rpc
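Review bot: The lookup on the new `static:zeekversion` key has no fallback to the old `static:broversion`, so a host deployed before this change, whose static pillar still carries `broversion: SURICATA`, falls back to `'COMMUNITY'` here and the `ZEEKVER != 'SURICATA'` guards in the later hunks of this file include so-zeek again. The same unguarded rename is repeated in the `salt/top.sls`, `salt/filebeat/etc/filebeat.yml`, `salt/suricata/init.sls`, `salt/suricata/suricata_config.map.jinja` and `salt/common/maps/so-status.map.jinja` hunks, where it presumably decides whether the zeek state, the Zeek filebeat inputs and the Suricata eve metadata output are enabled on an upgraded sensor. Until existing pillars are migrated, a nested lookup keeps the old value honoured: `{% set ZEEKVER = salt['pillar.get']('static:zeekversion', salt['pillar.get']('static:broversion', 'COMMUNITY')) %}`. `pillar/top.sls` has the same upgrade gap in the other direction: it now lists `zeeklogs`, so an existing `brologs.sls` in the local pillar tree is no longer loaded and `zeeklogs:enabled` in filebeat.yml resolves to its empty default.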
diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja
index f30291f90..93f5f3d13 100644
--- a/salt/common/maps/so-status.map.jinja
+++ b/salt/common/maps/so-status.map.jinja
@@ -33,7 +33,7 @@
 {% endif %}
 {% if role in ['heavynode', 'standalone'] %}
- {{ append_containers('static', 'broversion', 'SURICATA') }}
+ {{ append_containers('static', 'zeekversion', 'SURICATA') }}
 {% endif %}
 {% if role == 'searchnode' %}
@@ -41,5 +41,5 @@
 {% endif %}
 {% if role == 'sensor' %}
- {{ append_containers('static', 'broversion', 'SURICATA') }}
+ {{ append_containers('static', 'zeekversion', 'SURICATA') }}
 {% endif %}
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-bro-logs
index 4f55eb7f4..353eece1e 100755
--- a/salt/common/tools/sbin/so-bro-logs
+++ b/salt/common/tools/sbin/so-bro-logs
@@ -1,17 +1,17 @@
 #!/bin/bash
 local_salt_dir=/opt/so/saltstack/local
-bro_logs_enabled() {
+zeek_logs_enabled() {
- echo "brologs:" > $local_salt_dir/pillar/brologs.sls
- echo " enabled:" >> $local_salt_dir/pillar/brologs.sls
+ echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
+ echo " enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
 for BLOG in ${BLOGS[@]}; do
- echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
+ echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
 done
 }
-whiptail_manager_adv_service_brologs() {
+whiptail_manager_adv_service_zeeklogs() {
 BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
 "conn" "Connection Logging" ON \
@@ -54,5 +54,5 @@ whiptail_manager_adv_service_brologs() {
 "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
 }
-whiptail_manager_adv_service_brologs
-bro_logs_enabled
+whiptail_manager_adv_service_zeeklogs
+zeek_logs_enabled
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 1342775b7..825ffaf64 100644
--- a/salt/filebeat/etc/filebeat.yml
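Review bot: The functions and the pillar file are renamed but the script itself stays `salt/common/tools/sbin/so-bro-logs`, so the tool an operator runs to regenerate `zeeklogs.sls` is still found under the Bro name; renaming the file in the same commit would keep the tooling consistent with `setup/so-functions`. The rewrite also leaves a previously generated `$local_salt_dir/pillar/brologs.sls` behind even though `pillar/top.sls` no longer references it, so a stale copy of the log list lingers on upgraded managers; a `rm -f $local_salt_dir/pillar/brologs.sls` before the first `echo` in `zeek_logs_enabled` would clear it. The whiptail checklist in `whiptail_manager_adv_service_zeeklogs` continues outside the hunk.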
+++ b/salt/filebeat/etc/filebeat.yml
@@ -6,7 +6,7 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
-{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %}
 {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %}
 {%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%}
@@ -100,8 +100,8 @@ filebeat.inputs:
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
 fields_under_root: true
- {%- if BROVER != 'SURICATA' %}
- {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
+ {%- if ZEEKVER != 'SURICATA' %}
+ {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
 - type: log
 paths:
 - /nsm/zeek/logs/current/{{ LOGNAME }}.log
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 4bb192316..c0677db16 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -14,7 +14,7 @@
 # along with this program. If not, see .
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set BROVER = salt['pillar.get']('static:broversion', '') %}
+{% set ZEEKVER = salt['pillar.get']('static:zeekversion', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja
index 557d4e519..9fb3c9a7f 100644
--- a/salt/suricata/suricata_config.map.jinja
+++ b/salt/suricata/suricata_config.map.jinja
@@ -44,7 +44,7 @@ HOME_NET: "[{{salt['pillar.get']('static:hnmanager', '')}}]"
 {% endfor %}
 {% set surimeta_evelog_index = surimeta_evelog_index[0] %}
-{% if salt['pillar.get']('static:broversion', 'ZEEK') == 'SURICATA' %}
+{% if salt['pillar.get']('static:zeekversion', 'ZEEK') == 'SURICATA' %}
 {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
 {% endif %}
diff --git a/salt/top.sls b/salt/top.sls
index f95223354..5f316dd15 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -1,4 +1,4 @@
-{%- set BROVER = salt['pillar.get']('static:broversion', '') -%}
+{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', '') -%}
 {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%}
@@ -48,7 +48,7 @@ base:
 - pcap
 - suricata
 - healthcheck
- {%- if BROVER != 'SURICATA' %}
+ {%- if ZEEKVER != 'SURICATA' %}
 - zeek
 {%- endif %}
 - wazuh
@@ -86,7 +86,7 @@ base:
 - kibana
 - pcap
 - suricata
- {%- if BROVER != 'SURICATA' %}
+ {%- if ZEEKVER != 'SURICATA' %}
 - zeek
 {%- endif %}
 {%- if STRELKA %}
@@ -188,7 +188,7 @@ base:
 - kibana
 - pcap
 - suricata
- {%- if BROVER != 'SURICATA' %}
+ {%- if ZEEKVER != 'SURICATA' %}
 - zeek
 {%- endif %}
 {%- if STRELKA %}
@@ -347,7 +347,7 @@ base:
 {%- endif %}
 - pcap
 - suricata
- {%- if BROVER != 'SURICATA' %}
+ {%- if ZEEKVER != 'SURICATA' %}
 - zeek
 {%- endif %}
 - filebeat
diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg
index 6be5aa5b1..55f77982c 100644
--- a/salt/zeek/files/node.cfg
+++ b/salt/zeek/files/node.cfg
@@ -38,7 +38,7 @@ af_packet_fanout_id=23
 af_packet_fanout_mode=AF_Packet::FANOUT_HASH
 af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
 {%- else %}
-[brosa]
+[zeeksa]
 type=standalone
 host=localhost
 interface={{ interface }}
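Review bot: Renaming the standalone node section from `[brosa]` to `[zeeksa]` changes the zeekctl node name, which zeekctl presumably uses to key the node's spool and log directories and its running-process bookkeeping, so on a sensor already running under the old name the next deploy may leave the `brosa` spool behind or not stop the old worker cleanly. That upgrade step is worth recording above the section, e.g. `# standalone node name; changing it requires a zeekctl stop before the next deploy on existing sensors`. The enclosing `{%- if %}`/`{%- else %}` block starts outside the hunk.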
diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults
index 156697a28..d7bc1ea1f 100644
--- a/setup/automation/pm_standalone_defaults
+++ b/setup/automation/pm_standalone_defaults
@@ -23,11 +23,11 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICBRO=7
+BASICZEEK=7
 BASICSURI=7
 # BLOGS=
 BNICS=eth1
-BROVERSION=ZEEK
+ZEEKVERSION=ZEEK
 # CURCLOSEDAYS=
 # EVALADVANCED=BASIC
 GRAFANA=1
diff --git a/setup/so-common-functions b/setup/so-common-functions
index 078a721bf..c3df787cc 100644
--- a/setup/so-common-functions
+++ b/setup/so-common-functions
@@ -32,9 +32,9 @@ filter_unused_nics() {
 calculate_useable_cores() {
 # Calculate reasonable core usage
- local cores_for_bro=$(( (num_cpu_cores/2) - 1 ))
+ local cores_for_zeek=$(( (num_cpu_cores/2) - 1 ))
 local lb_procs_round
- lb_procs_round=$(printf "%.0f\n" $cores_for_bro)
+ lb_procs_round=$(printf "%.0f\n" $cores_for_zeek)
 if [ "$lb_procs_round" -lt 1 ]; then lb_procs=1; else lb_procs=$lb_procs_round; fi
 export lb_procs
diff --git a/setup/so-functions b/setup/so-functions
index 493030652..526fd37ae 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -143,18 +143,18 @@ secrets_pillar(){
 }
 # Enable Bro Logs
-bro_logs_enabled() {
+zeek_logs_enabled() {
 echo "Enabling Bro Logs" >> "$setup_log" 2>&1
- local brologs_pillar=./pillar/brologs.sls
+ local zeeklogs_pillar=./pillar/zeeklogs.sls
 printf '%s\n'\
- "brologs:"\
- " enabled:" > "$brologs_pillar"
+ "zeeklogs:"\
+ " enabled:" > "$zeeklogs_pillar"
 if [ "$MANAGERADV" = 'ADVANCED' ]; then
 for BLOG in "${BLOGS[@]}"; do
- echo " - $BLOG" | tr -d '"' >> "$brologs_pillar"
+ echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
 done
 else
 printf '%s\n'\
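Review bot: Only the standalone automation defaults switch to `BASICZEEK` and `ZEEKVERSION`; if any other `setup/automation/*_defaults` file still sets `BROVERSION` or `BASICBRO` (none appears in this diff, so I cannot tell), so-setup would now read an empty `ZEEKVERSION`, `manager_static` would write `zeekversion:` with no value, and the `!= 'SURICATA'` checks would treat that as Zeek enabled. Worth a grep for `BROVERSION` and `BASICBRO` across the automation defaults before merging, plus a one-line comment here, `# ZEEKVERSION replaces BROVERSION`, so older defaults files copied from this one get updated too.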
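Review bot: `zeek_logs_enabled` still announces itself as Bro: the header comment `# Enable Bro Logs` and the log line `echo "Enabling Bro Logs" >> "$setup_log" 2>&1` were not renamed with the function, so the setup log and the code keep mixing the two names. Suggest `# Enable Zeek logs` and `echo "Enabling Zeek Logs" >> "$setup_log" 2>&1` to match the new function and pillar names. The function body continues in the next hunk.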
@@ -195,11 +195,11 @@ bro_logs_enabled() {
 " - weird"\
 " - mysql"\
 " - socks"\
- " - x509" >> "$brologs_pillar"
+ " - x509" >> "$zeeklogs_pillar"
 fi
 printf '%s\n' '----' >> "$setup_log" 2>&1
- cat "$brologs_pillar" >> "$setup_log" 2>&1
+ cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
 }
 check_admin_pass() {
@@ -1002,7 +1002,7 @@ manager_static() {
 " hnmanager: $HNMANAGER"\
 " ntpserver: $NTPSERVER"\
 " proxy: $PROXY"\
- " broversion: $BROVERSION"\
+ " zeekversion: $ZEEKVERSION"\
 " ids: $NIDS"\
 " managerip: $MAINIP"\
 " hiveuser: $WEBUSER"\
@@ -1470,7 +1470,7 @@ sensor_pillar() {
 if [ "$NSMSETUP" = 'ADVANCED' ]; then
 echo " zeek_pins:" >> "$pillar_file"
- for PIN in "${BROPINS[@]}"; do
+ for PIN in "${ZEEKPINS[@]}"; do
 PIN=$(echo "$PIN" | cut -d\" -f2)
 echo " - $PIN" >> "$pillar_file"
 done
@@ -1483,11 +1483,11 @@ sensor_pillar() {
 echo " zeek_lbprocs: $lb_procs" >> "$pillar_file"
 echo " suriprocs: $lb_procs" >> "$pillar_file"
 else
- echo " zeek_lbprocs: $BASICBRO" >> "$pillar_file"
+ echo " zeek_lbprocs: $BASICZEEK" >> "$pillar_file"
 echo " suriprocs: $BASICSURI" >> "$pillar_file"
 fi
 printf '%s\n'\
- " brobpf:"\
+ " zeekbpf:"\
 " pcapbpf:"\
 " nidsbpf:"\
 " manager: $MSRV"\
diff --git a/setup/so-setup b/setup/so-setup
index 7f8862841..b0aabbb89 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -230,7 +230,7 @@ if [[ $is_manager && $is_node ]]; then
 LSINPUTTHREADS=1
 LSINPUTBATCHCOUNT=125
 NIDS=Suricata
- BROVERSION=ZEEK
+ ZEEKVERSION=ZEEK
 fi
 if [[ $is_node ]]; then
@@ -253,7 +253,7 @@ fi
 if [[ $is_manager && ! $is_eval ]]; then
 whiptail_manager_adv
- whiptail_bro_version
+ whiptail_zeek_version
 whiptail_nids
 whiptail_rule_setup
@@ -261,8 +261,8 @@ if [[ $is_manager && ! $is_eval ]]; then
 whiptail_oinkcode
 fi
- if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$BROVERSION" != 'SURICATA' ]; then
- whiptail_manager_adv_service_brologs
+ if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$ZEEKVERSION" != 'SURICATA' ]; then
+ whiptail_manager_adv_service_zeeklogs
 fi
 fi
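Review bot: `" zeekbpf:"` renames a key in the generated sensor pillar, but no consumer of `sensor:brobpf` is updated anywhere in this diff, so whichever state or template reads the Zeek BPF filter (not visible here; presumably under `salt/zeek`) would now find the key absent and fall back to its default. Either keep writing `" brobpf:"` until that consumer is changed in the same commit, or confirm with a grep that nothing still reads `brobpf`. The `${ZEEKPINS[@]}` change in the preceding hunk does line up with the `read -ra ZEEKPINS` in `setup/so-whiptail`. `sensor_pillar` continues outside the hunk.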
@@ -295,11 +295,11 @@ if [[ $is_sensor && ! $is_eval ]]; then
 whiptail_homenet_sensor
 whiptail_sensor_config
 if [ $NSMSETUP == 'ADVANCED' ]; then
- whiptail_bro_pins
+ whiptail_zeek_pins
 whiptail_suricata_pins
 whiptail_bond_nics_mtu
 else
- whiptail_basic_bro
+ whiptail_basic_zeek
 whiptail_basic_suri
 fi
 fi
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 52889106e..cd0fb393c 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -19,11 +19,11 @@
 source ./so-variables
 source ./so-common-functions
-whiptail_basic_bro() {
+whiptail_basic_zeek() {
 [ -n "$TESTING" ] && return
- BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \
+ BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \
 "Enter the number of zeek processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -42,7 +42,7 @@ whiptail_basic_suri() {
 }
-whiptail_bro_pins() {
+whiptail_zeek_pins() {
 [ -n "$TESTING" ] && return
@@ -51,20 +51,20 @@ whiptail_bro_pins() {
 cpu_core_list_whiptail+=("$item" "OFF")
 done
- BROPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
+ ZEEKPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
- BROPINS=$(echo "$BROPINS" | tr -d '"')
+ ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"')
- IFS=' ' read -ra BROPINS <<< "$BROPINS"
+ IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS"
 }
-whiptail_bro_version() {
+whiptail_zeek_version() {
 [ -n "$TESTING" ] && return
- BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)" ON \
+ ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)" ON \
 "SURICATA" "Use Suricata 5" OFF 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -642,7 +642,7 @@ whiptail_manager_adv() {
 }
 # Ask which additional components to install
-whiptail_manager_adv_service_brologs() {
+whiptail_manager_adv_service_zeeklogs() {
 [ -n "$TESTING" ] && return
@@ -1122,7 +1122,7 @@ whiptail_suricata_pins() {
 [ -n "$TESTING" ] && return
 local filtered_core_list
- readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${BROPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')"
+ readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${ZEEKPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')"
 local filtered_core_str=()
 for item in "${filtered_core_list[@]}"; do