Merge branch 'dev' into feature/wait-for-apt

2025-12-07 09:42:46 +01:00 · 2020-12-28 18:26:38 -05:00
parent 97466957a7 deb38844ba
commit e9a6155e44
5 changed files with 57 additions and 67 deletions
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -17,14 +17,42 @@

 # Usage: so-tcpreplay "/opt/samples/*"

-REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
-REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
+. /usr/sbin/so-common
+. /usr/sbin/so-image-common

-if  [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
-   docker cp so-tcpreplay:/opt/samples /opt/samples
-   docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 $1
-else
-  echo "Replay functionality not enabled!  To enable, run `so-tcpreplay-start`"
+REPLAYIFACE=${REPLAYIFACE:-bond0}
+REPLAYSPEED=${REPLAYSPEED:-10}
+
+if [[ $# -lt 1 ]]; then
+	echo "Replays one or more PCAP sample files to the Security Onion monitoring interface."
 	echo
-  echo "Note that you will need internet access to download the appropriate components"
+	echo "Usage: $0 <pcap-sample(s)>"
+	echo 
+	echo "All PCAPs must be placed in the /opt/so/samples directory unless replaying"
+	echo "a sample pcap that is included in the so-tcpreplay image. Those PCAP sampes"
+	echo "are located in the /opt/samples directory inside of the image."
+	echo 
+	echo "Customer provided PCAP example:"
+	echo "  $0 /opt/so/samples/some_event.pcap"
+	echo
+	echo "Security Onion-provided PCAP example:"
+	echo "  $0 /opt/samples/4in6.pcap"
+
+	exit 1
 fi
+
+if ! docker ps | grep -q so-tcpreplay; then
+  echo "Replay functionality not enabled; attempting to enable now (may require Internet access)..."
+  echo
+
+  TRUSTED_CONTAINERS=("so-tcpreplay")
+  update_docker_containers "tcpreplay"
+  so-tcpreplay-start || fail "Unable to initialize tcpreplay"
+  mkdir -p /opt/so/samples
+	docker cp so-tcpreplay:/opt/samples/* /opt/so/samples
+fi
+
+echo "Replaying PCAP(s) at ${REPLAYSPEED} Mbps on interface ${REPLAYIFACE}..."
+docker exec -it so-tcpreplay /usr/bin/bash -c "/usr/local/bin/tcpreplay -i ${REPLAYIFACE} -M${REPLAYSPEED} $@"
+
+echo "Replay completed. Warnings shown above are typically expected."
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -15,31 +15,4 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

-# Usage: so-test
-
-. /usr/sbin/so-common
-
-REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
-REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
-
-if  [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
-   echo
-   echo "Preparing to replay PCAPs..."
-   docker cp so-tcpreplay:/opt/samples /opt/samples
-   docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 /opt/samples/*
-   echo
-   echo "PCAP's have been replayed - it is normal to see some warnings."
-   echo
-else
-  echo "Replay functionality not enabled!  Enabling Now...."
-  echo
-  echo "Note that you will need internet access to download the appropriate components"
-  /usr/sbin/so-start tcpreplay
-  echo "Replay functionality enabled.  Replaying PCAPs Now...."
-  docker cp so-tcpreplay:/opt/samples /opt/samples
-  docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 /opt/samples/*
-  echo
-  echo "PCAP's have been replayed - it is normal to see some warnings."
-  echo
-fi
-
+so-tcpreplay /opt/samples/*
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -3,18 +3,6 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}

-so-tcpreplayimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/{{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }}
-
-so-tcpreplaytag:
- cmd.run:
-   - name: docker tag {{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }} {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }}         
-
-so-tcpreplaypush:
- cmd.run:
-   - name: docker push {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }}
-
 so-tcpreplay:
  docker_container.running:
    - network_mode: "host"
@@ -23,6 +11,9 @@ so-tcpreplay:
    - user: root
    - interactive: True
    - tty: True
+    - binds:
+      - /opt/so/samples:/opt/so/samples:ro
+

 {% else %}

--- a/salt/thehive/scripts/cortex_init
+++ b/salt/thehive/scripts/cortex_init
@@ -1,6 +1,5 @@
 #!/bin/bash
 # {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
-# {%- set URLBASE = salt['pillar.get']('global:url_base', '') %}
 # {%- set CORTEXUSER = salt['pillar.get']('global:cortexuser', 'cortexadmin') %}
 # {%- set CORTEXPASSWORD = salt['pillar.get']('global:cortexpassword', 'cortexchangeme') %}
 # {%- set CORTEXKEY = salt['pillar.get']('global:cortexkey', '') %}
@@ -19,8 +18,8 @@ cortex_clean(){
 }

 cortex_init(){
-    CORTEX_URL="{{URLBASE}}/cortex"
-    CORTEX_API_URL="$CORTEX_URL/api"
+    CORTEX_URL="http://{{MANAGERIP}}:9001/cortex/"
+    CORTEX_API_URL="${CORTEX_URL}api"
    CORTEX_USER="{{CORTEXUSER}}"
    CORTEX_PASSWORD="{{CORTEXPASSWORD}}"
    CORTEX_KEY="{{CORTEXKEY}}"    
@@ -30,27 +29,27 @@ cortex_init(){
    CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
    SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"

-    if wait_for_web_response https://$CORTEX_URL "Cortex"; then
+    if wait_for_web_response $CORTEX_URL "Cortex"; then
        # Migrate DB
-        curl -sk -XPOST -L "https://$CORTEX_API_URL/maintenance/migrate"
+        curl -sk -XPOST -L "$CORTEX_API_URL/maintenance/migrate"

        # Create intial Cortex superadmin
-        curl -sk -L "https://$CORTEX_API_URL/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}"
+        curl -sk -L "$CORTEX_API_URL/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}"

        # Create user-supplied org
-        curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/organization" -d "{  \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}"
+        curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/organization" -d "{  \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}"
        
        # Create user-supplied org user
-        curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }"
+        curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }"

        # Enable URLScan.io Analyzer
-        curl -sv -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'
+        curl -sv -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'

        # Enable Cert PassiveDNS Analyzer
-        curl -sv -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}'
+        curl -sv -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}'
    	
        # Revoke $CORTEX_USER key
-        curl -sk -XDELETE -H "Authorization: Bearer $CORTEX_KEY" -L "https://$CORTEX_API_URL/user/$CORTEX_USER/key" 
+        curl -sk -XDELETE -H "Authorization: Bearer $CORTEX_KEY" -L "$CORTEX_API_URL/user/$CORTEX_USER/key" 

        # Update SOCtopus config with apikey value
        #sed -i "s/cortex_key = .*/cortex_key = $CORTEX_KEY/" $SOCTOPUS_CONFIG
--- a/salt/thehive/scripts/hive_init
+++ b/salt/thehive/scripts/hive_init
@@ -1,6 +1,5 @@
 #!/bin/bash
 # {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
-# {%- set URLBASE = salt['pillar.get']('global:url_base', '') %}
 # {%- set THEHIVEUSER = salt['pillar.get']('global:hiveuser', 'hiveadmin') %}
 # {%- set THEHIVEPASSWORD = salt['pillar.get']('global:hivepassword', 'hivechangeme') %}
 # {%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
@@ -13,25 +12,25 @@ thehive_clean(){
 }

 thehive_init(){
-    THEHIVE_URL="{{URLBASE}}/thehive"
-    THEHIVE_API_URL="$THEHIVE_URL/api"
+    THEHIVE_URL="http://{{MANAGERIP}}:9000/thehive/"
+    THEHIVE_API_URL="${THEHIVE_URL}api"
    THEHIVE_USER="{{THEHIVEUSER}}"
    THEHIVE_PASSWORD="{{THEHIVEPASSWORD}}"
    THEHIVE_KEY="{{THEHIVEKEY}}"
    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"

    echo -n "Waiting for TheHive..."
-    if wait_for_web_response https://$THEHIVE_URL "TheHive"; then
+    if wait_for_web_response $THEHIVE_URL "TheHive"; then
        # Migrate DB
-        curl -sk -XPOST -L "https://$THEHIVE_API_URL/maintenance/migrate"
+        curl -sk -XPOST -L "$THEHIVE_API_URL/maintenance/migrate"

        # Create intial TheHive user
-        curl -sk -L "https://$THEHIVE_API_URL/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}"
+        curl -sk -L "$THEHIVE_API_URL/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}"
   
        # Pre-load custom fields
        #
        # reputation
-        curl -sk -L "https://$THEHIVE_API_URL/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}"
+        curl -sk -L "$THEHIVE_API_URL/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}"
   
        touch /opt/so/state/thehive.txt
    else