CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9355 from Security-Onion-Solutions/fix/2.4-ics

Browse Source 
Fix ICS and other issues in 2.4
This commit is contained in:
Doug Burks
2022-12-12 09:18:14 -05:00
committed by GitHub
parent c4ea39d1ba e1d200e6ce
commit ed8bf884eb
5 changed files with 77 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/common/tools/sbin/so-elastic-fleet-setup
View File

@@ -20,7 +20,7 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fle
printf "\n\n"
# Create Logstash Output payload
mkdir /opt/so/conf/elastic-fleet/certs
mkdir -p /opt/so/conf/elastic-fleet/certs
cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt)

4
salt/common/tools/sbin/so-import-evtx
View File

@@ -158,11 +158,11 @@ cat << EOF
Import complete!
You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
https://{{ URLBASE }}/#/hunt?q=import.id:${RUNID}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
https://{{ URLBASE }}/#/dashboards?q=import.id:${RUNID}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
or you can manually set your Time Range to be (in UTC):
From: $START_OLDEST_FORMATTED To: $END_NEWEST
Please note that it may take 30 seconds or more for events to appear in Hunt.
Please note that it may take 30 seconds or more for events to appear in Security Onion Console.
EOF
fi

4
salt/common/tools/sbin/so-import-pcap
View File

@@ -206,11 +206,11 @@ cat << EOF
Import complete!
You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
https://{{ URLBASE }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
https://{{ URLBASE }}/#/dashboards?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
or you can manually set your Time Range to be (in UTC):
From: $START_OLDEST To: $END_NEWEST
Please note that it may take 30 seconds or more for events to appear in Hunt.
Please note that it may take 30 seconds or more for events to appear in Security Onion Console.
EOF
fi

131
salt/soc/defaults.yaml
View File

@@ -212,6 +212,24 @@ soc:
- destination.port
- dnp3.fc_reply
- log.id.uid
'::dnp3_control':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.block_type
- log.id.uid
'::dnp3_objects':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.object_type
- log.id.uid
'::dns':
- soc_timestamp
- source.ip
@@ -1119,22 +1137,6 @@ soc:
description: Show all Osquery Live Query results
query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname'
showSubtitle: true
- name: Wazuh/OSSEC Alerts
description: Show all Wazuh alerts at Level 5 or higher grouped by category
query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
showSubtitle: true
- name: Wazuh/OSSEC Alerts
description: Show all Wazuh alerts at Level 4 or lower grouped by category
query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name'
showSubtitle: true
- name: Wazuh/OSSEC Users and Commands
description: Show all Wazuh alerts grouped by username and command line
query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line'
showSubtitle: true
- name: Wazuh/OSSEC Processes
description: Show all Wazuh alerts grouped by process name
query: 'event.module:ossec AND event.dataset:alert | groupby process.name'
showSubtitle: true
- name: Sysmon Events
description: Show all Sysmon logs grouped by event type
query: 'event.module:sysmon | groupby event.dataset'
@@ -1415,6 +1417,24 @@ soc:
- destination.port
- dnp3.fc_reply
- log.id.uid
'::dnp3_control':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.block_type
- log.id.uid
'::dnp3_objects':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.object_type
- log.id.uid
'::dns':
- soc_timestamp
- source.ip
@@ -2298,20 +2318,17 @@ soc:
description: Overview of all events
query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SOC Auth
description: Show all SOC authentication logs
description: SOC (Security Onion Console) authentication logs
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
- name: Elastalerts
description: Elastalert logs
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
- name: Alerts
description: Show all alerts
description: Overview of all alerts
query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NIDS Alerts
description: NIDS alerts
description: NIDS (Network Intrusion Detection System) alerts
query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Wazuh/OSSEC
description: Wazuh/OSSEC HIDS alerts and logs
query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
- name: Sysmon Overview
description: Overview of all Sysmon data types
query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
@@ -2331,116 +2348,104 @@ soc:
description: Network activity captured by Sysmon
query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Strelka
description: Strelka logs
description: Strelka file analysis
query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
- name: Zeek Notice
description: Zeek Notice logs
description: Zeek notice logs
query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Connections
description: Connection logs
description: Network connection metadata
query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes'
- name: DCE_RPC
description: DCE_RPC logs
description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata
query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: DHCP
description: Dynamic Host Configuration Protocol leases
description: DHCP (Dynamic Host Configuration Protocol) leases
query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address'
- name: DNP3
description: DNP3 logs
query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: DNS
description: Domain Name System queries
description: DNS (Domain Name System) queries
query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: DPD
description: Dynamic Protocol Detection errors
description: DPD (Dynamic Protocol Detection) errors
query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
- name: Files
description: Files seen in network traffic
query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip'
- name: FTP
description: File Transfer Protocol logs
description: FTP (File Transfer Protocol) network metadata
query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: HTTP
description: Hyper Text Transport Protocol logs
description: HTTP (Hyper Text Transport Protocol) network metadata
query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Intel
description: Zeek Intel framework hits
query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: IRC
description: Internet Relay Chat logs
description: IRC (Internet Relay Chat) network metadata
query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Kerberos
description: Kerberos logs
description: Kerberos network metadata
query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: MODBUS
description: MODBUS logs
query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: MYSQL
description: MYSQL logs
- name: MySQL
description: MySQL network metadata
query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NOTICE
description: Zeek notice logs
query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NTLM
description: NTLM logs
description: NTLM (New Technology LAN Manager) network metadata
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: PE
description: PE files list
description: PE (Portable Executable) files transferred via network traffic
query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
- name: RADIUS
description: RADIUS logs
description: RADIUS (Remote Authentication Dial-In User Service) network metadata
query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: RDP
description: RDP logs
description: RDP (Remote Desktop Protocol) network metadata
query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: RFB
description: RFB logs
description: RFB (Remote Frame Buffer) network metadata
query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Signatures
description: Zeek signatures
query: 'event.dataset:signatures | groupby signature_id'
- name: SIP
description: SIP logs
description: SIP (Session Initiation Protocol) network metadata
query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMB_Files
description: SMB files
description: Files transferred via SMB (Server Message Block)
query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMB_Mapping
description: SMB mapping logs
description: SMB (Server Message Block) mapping network metadata
query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMTP
description: SMTP logs
description: SMTP (Simple Mail Transfer Protocol) network metadata
query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SNMP
description: SNMP logs
description: SNMP (Simple Network Management Protocol) network metadat
query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Software
description: List of software seen on the network by Zeek
description: Software seen by Zeek via network traffic
query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip'
- name: SSH
description: SSH connections seen by Zeek
description: SSH (Secure Shell) connections seen by Zeek
query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SSL
description: SSL logs
description: SSL/TLS network metadata
query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: STUN
description: STUN (Session Traversal Utilities for NAT) network metadata
query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset'
- name: SYSLOG
description: SYSLOG logs
- name: Syslog
description: Syslog logs
query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: TDS
description: TDS (Tabular Data Stream) network metadata
query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
- name: Tunnel
description: Tunnels seen by Zeek
query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Weird
description: Weird network traffic seen by Zeek
query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port '
- name: TDS
description: TDS (Tabular Data Stream) network metadata
query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
- name: WireGuard
description: WireGuard VPN network metadata
query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port'

6
setup/so-whiptail
View File

@@ -14,9 +14,9 @@ whiptail_airgap() {
[[ $is_manager || $is_import ]] && node_str='manager'
INTERWEBS=$(whiptail --title "$whiptail_title" --menu \
"How should this $node_str be installed?" 10 60 2 \
"Standard " "This $node_str has internet accesss" \
"Airgap " "This $node_str does not have internet access" 3>&1 1>&2 2>&3 )
"How should this $node_str be installed?" 10 70 2 \
"Standard " "This $node_str has access to the Internet" \
"Airgap " "This $node_str does not have access to the Internet" 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus