Merge pull request #9355 from Security-Onion-Solutions/fix/2.4-ics

Fix ICS and other issues in 2.4

salt/common/tools/sbin/so-elastic-fleet-setup

@@ -20,7 +20,7 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fle
 printf "\n\n"
 
 # Create Logstash Output payload
-mkdir /opt/so/conf/elastic-fleet/certs
+mkdir -p /opt/so/conf/elastic-fleet/certs
 cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
 cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
 LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt)

salt/common/tools/sbin/so-import-evtx

@@ -158,11 +158,11 @@ cat << EOF
 Import complete!
 
 You can use the following hyperlink to view data in the time range of your import.  You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
-https://{{ URLBASE }}/#/hunt?q=import.id:${RUNID}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
+https://{{ URLBASE }}/#/dashboards?q=import.id:${RUNID}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
 
 or you can manually set your Time Range to be (in UTC):
 From: $START_OLDEST_FORMATTED    To: $END_NEWEST
 
-Please note that it may take 30 seconds or more for events to appear in Hunt.
+Please note that it may take 30 seconds or more for events to appear in Security Onion Console.
 EOF
 fi

salt/common/tools/sbin/so-import-pcap

@@ -206,11 +206,11 @@ cat << EOF
 Import complete!
 
 You can use the following hyperlink to view data in the time range of your import.  You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
-https://{{ URLBASE }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
+https://{{ URLBASE }}/#/dashboards?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
 
 or you can manually set your Time Range to be (in UTC):
 From: $START_OLDEST    To: $END_NEWEST
 
-Please note that it may take 30 seconds or more for events to appear in Hunt.
+Please note that it may take 30 seconds or more for events to appear in Security Onion Console.
 EOF
 fi

salt/soc/defaults.yaml

@@ -212,6 +212,24 @@ soc:
             - destination.port
             - dnp3.fc_reply
             - log.id.uid
+          '::dnp3_control':
+            - soc_timestamp
+            - source.ip
+            - source.port
+            - destination.ip
+            - destination.port
+            - dnp3.function_code
+            - dnp3.block_type
+            - log.id.uid
+          '::dnp3_objects':
+            - soc_timestamp
+            - source.ip
+            - source.port
+            - destination.ip
+            - destination.port
+            - dnp3.function_code
+            - dnp3.object_type
+            - log.id.uid
           '::dns':
             - soc_timestamp
             - source.ip
@@ -1119,22 +1137,6 @@ soc:
             description: Show all Osquery Live Query results
             query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname'
             showSubtitle: true
-          - name: Wazuh/OSSEC Alerts
-            description: Show all Wazuh alerts at Level 5 or higher grouped by category
-            query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
-            showSubtitle: true
-          - name: Wazuh/OSSEC Alerts
-            description: Show all Wazuh alerts at Level 4 or lower grouped by category
-            query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name'
-            showSubtitle: true
-          - name: Wazuh/OSSEC Users and Commands
-            description: Show all Wazuh alerts grouped by username and command line
-            query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line'
-            showSubtitle: true
-          - name: Wazuh/OSSEC Processes
-            description: Show all Wazuh alerts grouped by process name
-            query: 'event.module:ossec AND event.dataset:alert | groupby process.name'
-            showSubtitle: true
           - name: Sysmon Events
             description: Show all Sysmon logs grouped by event type
             query: 'event.module:sysmon | groupby event.dataset'
@@ -1415,6 +1417,24 @@ soc:
             - destination.port
             - dnp3.fc_reply
             - log.id.uid
+          '::dnp3_control':
+            - soc_timestamp
+            - source.ip
+            - source.port
+            - destination.ip
+            - destination.port
+            - dnp3.function_code
+            - dnp3.block_type
+            - log.id.uid
+          '::dnp3_objects':
+            - soc_timestamp
+            - source.ip
+            - source.port
+            - destination.ip
+            - destination.port
+            - dnp3.function_code
+            - dnp3.object_type
+            - log.id.uid
           '::dns':
             - soc_timestamp
             - source.ip
@@ -2298,20 +2318,17 @@ soc:
             description: Overview of all events
             query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: SOC Auth
-            description: Show all SOC authentication logs
+            description: SOC (Security Onion Console) authentication logs
             query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
           - name: Elastalerts
             description: Elastalert logs
             query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
           - name: Alerts
-            description: Show all alerts
+            description: Overview of all alerts
             query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: NIDS Alerts
-            description: NIDS alerts
+            description: NIDS (Network Intrusion Detection System) alerts
             query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port'
-          - name: Wazuh/OSSEC
-            description: Wazuh/OSSEC HIDS alerts and logs
-            query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
           - name: Sysmon Overview
             description: Overview of all Sysmon data types
             query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
@@ -2331,116 +2348,104 @@ soc:
             description: Network activity captured by Sysmon
             query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
           - name: Strelka
-            description: Strelka logs
+            description: Strelka file analysis
             query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
           - name: Zeek Notice
-            description: Zeek Notice logs
+            description: Zeek notice logs
             query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: Connections
-            description: Connection logs
+            description: Network connection metadata
             query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes'
           - name: DCE_RPC
-            description: DCE_RPC logs
+            description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata
             query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: DHCP
-            description: Dynamic Host Configuration Protocol leases
+            description: DHCP (Dynamic Host Configuration Protocol) leases
             query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address'
-          - name: DNP3
-            description: DNP3 logs
-            query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: DNS
-            description: Domain Name System queries
+            description: DNS (Domain Name System) queries
             query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: DPD
-            description: Dynamic Protocol Detection errors
+            description: DPD (Dynamic Protocol Detection) errors
             query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
           - name: Files
             description: Files seen in network traffic
             query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip'
           - name: FTP
-            description: File Transfer Protocol logs
+            description: FTP (File Transfer Protocol) network metadata
             query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: HTTP
-            description: Hyper Text Transport Protocol logs
+            description: HTTP (Hyper Text Transport Protocol) network metadata
             query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: Intel
             description: Zeek Intel framework hits
             query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: IRC
-            description: Internet Relay Chat logs
+            description: IRC (Internet Relay Chat) network metadata
             query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: Kerberos
-            description: Kerberos logs
+            description: Kerberos network metadata
             query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
-          - name: MODBUS
+          - name: MySQL
-            description: MODBUS logs
+            description: MySQL network metadata
-            query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
-          - name: MYSQL
-            description: MYSQL logs
             query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
-          - name: NOTICE
-            description: Zeek notice logs
-            query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: NTLM
-            description: NTLM logs
+            description: NTLM (New Technology LAN Manager) network metadata
             query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: PE
-            description: PE files list
+            description: PE (Portable Executable) files transferred via network traffic
             query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
           - name: RADIUS
-            description: RADIUS logs
+            description: RADIUS (Remote Authentication Dial-In User Service) network metadata
             query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: RDP
-            description: RDP logs
+            description: RDP (Remote Desktop Protocol) network metadata
             query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: RFB
-            description: RFB logs
+            description: RFB (Remote Frame Buffer) network metadata
             query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: Signatures
             description: Zeek signatures
             query: 'event.dataset:signatures | groupby signature_id'
           - name: SIP
-            description: SIP logs
+            description: SIP (Session Initiation Protocol) network metadata
             query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: SMB_Files
-            description: SMB files
+            description: Files transferred via SMB (Server Message Block)
             query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: SMB_Mapping
-            description: SMB mapping logs
+            description: SMB (Server Message Block) mapping network metadata
             query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: SMTP
-            description: SMTP logs
+            description: SMTP (Simple Mail Transfer Protocol) network metadata
             query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: SNMP
-            description: SNMP logs
+            description: SNMP (Simple Network Management Protocol) network metadat
             query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: Software
-            description: List of software seen on the network by Zeek
+            description: Software seen by Zeek via network traffic
             query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip'
           - name: SSH
-            description: SSH connections seen by Zeek
+            description: SSH (Secure Shell) connections seen by Zeek
             query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: SSL
-            description: SSL logs
+            description: SSL/TLS network metadata
             query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: STUN
             description: STUN (Session Traversal Utilities for NAT) network metadata
             query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset'
-          - name: SYSLOG
+          - name: Syslog
-            description: SYSLOG logs
+            description: Syslog logs
             query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: TDS
             description: TDS (Tabular Data Stream) network metadata
-            query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
+            query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
           - name: Tunnel
             description: Tunnels seen by Zeek
             query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port'
           - name: Weird
             description: Weird network traffic seen by Zeek
             query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port '
-          - name: TDS
-            description: TDS (Tabular Data Stream) network metadata
-            query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
           - name: WireGuard
             description: WireGuard VPN network metadata
             query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port'

setup/so-whiptail

@@ -14,9 +14,9 @@ whiptail_airgap() {
 	[[ $is_manager || $is_import ]] && node_str='manager'
 
 	INTERWEBS=$(whiptail --title "$whiptail_title" --menu \
-	"How should this $node_str be installed?" 10 60 2 \
+	"How should this $node_str be installed?" 10 70 2 \
-	"Standard    " "This $node_str has internet accesss"  \
+	"Standard    " "This $node_str has access to the Internet"  \
-	"Airgap      " "This $node_str does not have internet access" 3>&1 1>&2 2>&3 )
+	"Airgap      " "This $node_str does not have access to the Internet" 3>&1 1>&2 2>&3 )
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus