diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index 5eeb273b9..c06759744 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -1,55 +1 @@
zeek:
- zeekctl:
- MailTo: root@localhost
- MailConnectionSummary: 1
- MinDiskSpace: 5
- MailHostUpDown: 1
- LogRotationInterval: 3600
- LogExpireInterval: 0
- StatsLogEnable: 1
- StatsLogExpireInterval: 0
- StatusCmdShowAll: 0
- CrashExpireInterval: 0
- SitePolicyScripts: local.zeek
- LogDir: /nsm/zeek/logs
- SpoolDir: /nsm/zeek/spool
- CfgDir: /opt/zeek/etc
- CompressLogs: 1
- local:
- '@load':
- - misc/loaded-scripts
- - tuning/defaults
- - misc/capture-loss
- - misc/stats
- - frameworks/software/vulnerable
- - frameworks/software/version-changes
- - protocols/ftp/software
- - protocols/smtp/software
- - protocols/ssh/software
- - protocols/http/software
- - protocols/dns/detect-external-names
- - protocols/ftp/detect
- - protocols/conn/known-hosts
- - protocols/conn/known-services
- - protocols/ssl/known-certs
- - protocols/ssl/validate-certs
- - protocols/ssl/log-hostcerts-only
- - protocols/ssh/geo-data
- - protocols/ssh/detect-bruteforcing
- - protocols/ssh/interesting-hostnames
- - protocols/http/detect-sqli
- - frameworks/files/hash-all-files
- - frameworks/files/detect-MHR
- - policy/frameworks/notice/extend-email/hostnames
- - ja3
- - hassh
- - intel
- - cve-2020-0601
- - securityonion/bpfconf
- - securityonion/communityid
- - securityonion/file-extraction
- '@load-sigs':
- - frameworks/signatures/detect-windows-shells
- redef:
- - LogAscii::use_json = T;
- - CaptureLoss::watch_interval = 5 mins;
diff --git a/salt/vars/sensor.map.jinja b/salt/vars/sensor.map.jinja
index 477761d7c..425d72969 100644
--- a/salt/vars/sensor.map.jinja
+++ b/salt/vars/sensor.map.jinja
@@ -1,8 +1,10 @@
{% set ROLE_GLOBALS = {} %}
-{% set SENSOR_GLOBALS = []
+{% set SENSOR_GLOBALS = {
+ 'sensor': {
+ 'interface': pillar.sensor.interface
+ }
+ }
%}
-{% for sg in SENSOR_GLOBALS %}
-{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
-{% endfor %}
+{% do salt['defaults.merge'](ROLE_GLOBALS, SENSOR_GLOBALS, merge_lists=False, in_place=True) %}
diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja
index a0f92463e..ced2175e7 100644
--- a/salt/zeek/config.map.jinja
+++ b/salt/zeek/config.map.jinja
@@ -1,3 +1,9 @@
+{% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
+{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
+{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
+{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
+{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
+
{% set ZEEKOPTIONS = {} %}
{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index 8d2a96444..681f29df0 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -1,9 +1,10 @@
zeek:
config:
node:
- lb_procs: 1
- zeek_pins_enabled: False
- zeek_pins: []
+ lb_procs: 0
+ pins_enabled: False
+ pins: []
+ buffer: 128*1024*1024
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
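Review bot: `'interface': pillar.sensor.interface` dereferences the pillar tree directly, so on a minion whose pillar has no `sensor` key the nested attribute lookup lands on an undefined value and the render fails, and every state that imports ROLE_GLOBALS from this map would presumably fail with it; the lines this hunk removes did not touch pillar at all, and the rest of the diff reads pillar through `salt['pillar.get']`, which tolerates a missing key. Unless the sensor pillar is guaranteed on every minion that imports this map, `'interface': salt['pillar.get']('sensor:interface')` keeps that tolerance. If a default is wanted, the deleted node.cfg in this same diff used `'bond0'`, i.e. `salt['pillar.get']('sensor:interface', 'bond0')`.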
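Review bot: `salt['pillar.get']('zeek', [])` supplies a list as the fallback that is then deep-merged into the `zeek_defaults` mapping, so the no-pillar case hands `defaults.merge` a list where every other input to it in this diff is a dict; `{% set zeek_pillar = salt['pillar.get']('zeek', {}) %}` is the matching default. The merged result is then mutated on the next line via `.update(...)`, which is safe only because `in_place=False` returns a copy; a comment such as `{# ZEEKMERGED is a fresh copy, so updating node here does not alter zeek_defaults #}` would save the next reader that check.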
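Review bot: `buffer: 128*1024*1024` is an unquoted YAML scalar, so the value is the string `128*1024*1024`, not 134217728; the deleted node.cfg evaluated this expression in Jinja, but the new node.cfg.jinja emits `af_packet_buffer_size={{ NODE.buffer }}` verbatim, which zeekctl will presumably reject as a non-numeric size. Write the literal, `buffer: 134217728`, and keep the arithmetic as a trailing comment if it documents intent, `buffer: 134217728  # 128*1024*1024`.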
@@ -20,68 +21,71 @@ zeek:
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
- policy:
- file_extraction:
- - application/x-dosexec: exe
- - application/pdf: pdf
- - application/msword: doc
- - application/vnd.ms-powerpoint: doc
- - application/rtf: doc
- - application/vnd.ms-word.document.macroenabled.12: doc
- - application/vnd.ms-word.template.macroenabled.12: doc
- - application/vnd.ms-powerpoint.template.macroenabled.12: doc
- - application/vnd.ms-excel: doc
- - application/vnd.ms-excel.addin.macroenabled.12: doc
- - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- - application/vnd.ms-excel.template.macroenabled.12: doc
- - application/vnd.ms-excel.sheet.macroenabled.12: doc
- - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- - application/vnd.openxmlformats-officedocument.presentationml.template: doc
- - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
- - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
- - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- - application/vnd.openxmlformats-officedocument: doc
- load:
- - misc/loaded-scripts
- - tuning/defaults
- - misc/capture-loss
- - misc/stats
- - frameworks/software/vulnerable
- - frameworks/software/version-changes
- - protocols/ftp/software
- - protocols/smtp/software
- - protocols/ssh/software
- - protocols/http/software
- - protocols/dns/detect-external-names
- - protocols/ftp/detect
-
- protocols/conn/known-hosts
- - protocols/conn/known-services
- - protocols/ssl/known-certs
- - protocols/ssl/validate-certs
- - protocols/ssl/log-hostcerts-only
- - protocols/ssh/geo-data
- - protocols/ssh/detect-bruteforcing
- - protocols/ssh/interesting-hostnames
- - protocols/http/detect-sqli
- - frameworks/files/hash-all-files
- - frameworks/files/detect-MHR
- - policy/frameworks/notice/extend-email/hostnames
- - ja3
- - hassh
- - intel
- - cve-2020-0601
- - securityonion/bpfconf
- - securityonion/communityid
- - securityonion/file-extraction
- load-sigs:
- - frameworks/signatures/detect-windows-shells
- redef:
- - LogAscii::use_json = T;
- - CaptureLoss::watch_interval = 5 mins;
\ No newline at end of file
+ local:
+ '@load':
+ - misc/loaded-scripts
+ - tuning/defaults
+ - misc/capture-loss
+ - misc/stats
+ - frameworks/software/vulnerable
+ - frameworks/software/version-changes
+ - protocols/ftp/software
+ - protocols/smtp/software
+ - protocols/ssh/software
+ - protocols/http/software
+ - protocols/dns/detect-external-names
+ - protocols/ftp/detect
+ - protocols/conn/known-hosts
+ - protocols/conn/known-services
+ - protocols/ssl/known-certs
+ - protocols/ssl/validate-certs
+ - protocols/ssl/log-hostcerts-only
+ - protocols/ssh/geo-data
+ - protocols/ssh/detect-bruteforcing
+ - protocols/ssh/interesting-hostnames
+ - protocols/http/detect-sqli
+ - frameworks/files/hash-all-files
+ - frameworks/files/detect-MHR
+ - policy/frameworks/notice/extend-email/hostnames
+ - ja3
+ - hassh
+ - intel
+ - cve-2020-0601
+ - securityonion/bpfconf
+ - securityonion/communityid
+ - securityonion/file-extraction
+ '@load-sigs':
+ - frameworks/signatures/detect-windows-shells
+ redef:
+ - LogAscii::use_json = T;
+ - CaptureLoss::watch_interval = 5 mins;
+ networks:
+ HOME_NET: 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
+ file_extraction:
+ - application/x-dosexec: exe
+ - application/pdf: pdf
+ - application/msword: doc
+ - application/vnd.ms-powerpoint: doc
+ -
application/rtf: doc
+ - application/vnd.ms-word.document.macroenabled.12: doc
+ - application/vnd.ms-word.template.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+ - application/vnd.ms-excel: doc
+ - application/vnd.ms-excel.addin.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+ - application/vnd.ms-excel.template.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+ - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument: doc
+ bpf: []
diff --git a/salt/zeek/files/networks.cfg.jinja b/salt/zeek/files/networks.cfg.jinja
index f1ee065de..5818380ce 100644
--- a/salt/zeek/files/networks.cfg.jinja
+++ b/salt/zeek/files/networks.cfg.jinja
@@ -1,9 +1,5 @@
-{%- if salt['pillar.get']('sensor:hnsensor') %}
-{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
-{%- else %}
-{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
-{%- endif %}
-{%- set HNLIST = HOME_NET.split(',') %}
-{%- for HN in HNLIST %}
+{%- if NETWORKS.HOME_NET %}
+{%- for HN in NETWORKS.HOME_NET.split(',') %}
{{ HN }}
-{%- endfor %}
+{%- endfor %}
+{%- endif %}
diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg
deleted file mode 100644
index 55f77982c..000000000
--- a/salt/zeek/files/node.cfg
+++ /dev/null
@@ -1,45 +0,0 @@
-{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
- {%- if salt['pillar.get']('sensor:zeek_proxies') %}
- {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
- {%- else %}
- {%- if salt['pillar.get']('sensor:zeek_pins') %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
- {%- else %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
- {%- endif %}
- {%- endif %}
-[manager]
-type=manager
-host=localhost
-
-[logger]
-type=logger
-host=localhost
-
-[proxy]
-type=proxy
-host=localhost
-
-[worker-1]
-type=worker
-host=localhost
-interface=af_packet::{{ interface }}
-lb_method=custom
- {%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
- {%- else %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
- {%- endif %}
- {%- if salt['pillar.get']('sensor:zeek_pins') %}
-pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
- {%- endif %}
-af_packet_fanout_id=23
-af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
-{%- else %}
-[zeeksa]
-type=standalone
-host=localhost
-interface={{ interface }}
-{%- endif %}
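Review bot: the HOME_NET source moves from `sensor:hnsensor` with a `global:hnmanager` fallback to `NETWORKS.HOME_NET`, which the rest of this diff fills from `zeek:config:networks:HOME_NET` with the RFC 1918 ranges as the default; nothing in the diff migrates the removed keys, so an existing deployment that set either of them presumably reverts silently to the default, and the commit should say so or keep a transitional fallback. `.split(',')` also keeps whitespace on entries such as `10.0.0.0/8, 172.16.0.0/12`, writing a networks.cfg line with a leading space; `{%- for HN in NETWORKS.HOME_NET.replace(' ', '').split(',') %}` avoids that. When HOME_NET is empty the file now renders empty rather than failing, which presumably leaves Zeek with no configured local networks; a comment above the `if` stating that this is intended, `{#- empty HOME_NET deliberately writes an empty networks.cfg #}`, would remove the doubt.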
diff --git a/salt/zeek/files/node.cfg.jinja b/salt/zeek/files/node.cfg.jinja
new file mode 100644
index 000000000..9ef06bd5a
--- /dev/null
+++ b/salt/zeek/files/node.cfg.jinja
@@ -0,0 +1,35 @@
+{%- if NODE.pins or NODE.lb_procs %}
+[manager]
+type=manager
+host=localhost
+
+[logger]
+type=logger
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[worker-1]
+type=worker
+host=localhost
+interface=af_packet::{{ NODE.interface }}
+lb_method=custom
+ {%- if NODE.lb_procs %}
+lb_procs={{ NODE.lb_procs }}
+ {%- else %}
+lb_procs={{ NODE.pins | length }}
+ {%- endif %}
+ {%- if NODE.pins %}
+pin_cpus={{ NODE.pins | join(", ") }}
+ {%- endif %}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size={{ NODE.buffer }}
+{%- else %}
+[zeeksa]
+type=standalone
+host=localhost
+interface={{ NODE.interface }}
+{%- endif %}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 5f904bf7d..b292a20a3 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -6,16 +6,11 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS with context %}
{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
+{% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
-{% set VERSION = salt['pillar.get']('global:soversion') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', {}) %}
{% set BPF_STATUS = 0 %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
-
-{% set ZEEK = salt['pillar.get']('zeek', {}) %}
# Zeek Salt State
@@ -77,6 +72,8 @@ zeekpolicysync:
- user: 937
- group: 939
- template: jinja
+ - defaults:
+ FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
# Ensure the zeek spool tree (and state.db) ownership is correct
zeekspoolownership:
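Review bot: `{%- if NODE.pins or NODE.lb_procs %}` on the first line and `{%- if NODE.pins %}` before `pin_cpus` never consult `NODE.pins_enabled`, even though defaults.yaml and soc_zeek.yaml in this same diff add `pins_enabled` as the switch for CPU pinning, so a `pins` list configured while `pins_enabled: False` is still written to `pin_cpus` and still forces cluster mode. Gating both tests, `{%- if (NODE.pins_enabled and NODE.pins) or NODE.lb_procs %}` and `{%- if NODE.pins_enabled and NODE.pins %}`, makes the flag effective; the `lb_procs={{ NODE.pins | length }}` fallback needs the same guard so it cannot emit `lb_procs=0`. The soc_zeek.yaml text says lb_procs is ignored when pins are used, but this template prefers `NODE.lb_procs` whenever it is non-zero, so one of the two should change.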
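Review bot: the two `from "zeek/config.map.jinja"` statements can be one, `{% from "zeek/config.map.jinja" import ZEEKOPTIONS, ZEEKMERGED with context %}`; as written the map, which now also merges defaults with pillar, is presumably rendered twice per state run, and the split leaves two lines to keep in step.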
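Review bot: `FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}` interpolates the Python repr of a list of dicts into the state's YAML and relies on that repr happening to be valid flow syntax; the `ZEEKCTL` and `LOCAL` defaults in this same file go through `| tojson`, which is guaranteed parseable, and the `NODE` and `NETWORKS` defaults added in the `@@ -107` and `@@ -125` hunks have the same gap. `FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction | tojson }}` keeps the file consistent. The zeekpolicysync state begins above the hunk.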
@@ -107,16 +104,18 @@ zeekctlcfg:
- group: 939
- template: jinja
- defaults:
- ZEEKCTL: {{ ZEEK.zeekctl | tojson }}
+ ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
# Sync node.cfg
nodecfg:
file.managed:
- name: /opt/so/conf/zeek/node.cfg
- - source: salt://zeek/files/node.cfg
+ - source: salt://zeek/files/node.cfg.jinja
- user: 937
- group: 939
- template: jinja
+ - defaults:
+ NODE: {{ ZEEKMERGED.zeek.config.node }}
networkscfg:
file.managed:
@@ -125,6 +124,8 @@ networkscfg:
- user: 937
- group: 939
- template: jinja
+ - defaults:
+ NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
#zeekcleanscript:
# file.managed:
@@ -158,8 +159,8 @@ zeekpacketlosscron:
- dayweek: '*'
# BPF compilation and configuration
-{% if BPF_ZEEK %}
- {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %}
+{% if ZEEKMERGED.zeek.bpf %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
@@ -177,7 +178,7 @@ zeekbpf:
- user: 940
- group: 940
{% if BPF_STATUS %}
- - contents_pillar: zeek:bpf
+ - contents: {{ ZEEKMERGED.bpf }}
{% else %}
- contents:
- "ip or not ip"
@@ -192,12 +193,12 @@ localzeek:
- group: 939
- template: jinja
- defaults:
- LOCAL: {{ ZEEK.local | tojson }}
+ LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
so-zeek:
docker_container.{{ ZEEKOPTIONS.status }}:
{% if ZEEKOPTIONS.status == 'running' %}
- - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
+ - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: {{ ZEEKOPTIONS.start }}
- privileged: True
- ulimits:
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index 8cdaf42dd..d4ba0551e 100644
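Review bot: `- contents: {{ ZEEKMERGED.bpf }}` in the `@@ -177` hunk reads a key that does not exist: defaults.yaml in this diff places `bpf: []` under `zeek:`, and the `@@ -158` hunk of this same file tests `ZEEKMERGED.zeek.bpf`, so when BPF_STATUS is 1 the value is presumably undefined and the state writes an empty filter or fails instead of the compiled expression that the removed `contents_pillar: zeek:bpf` delivered. `- contents: {{ ZEEKMERGED.zeek.bpf | tojson }}` matches the key the rest of the file uses and the serialization its other defaults use. The zeekbpf state starts above the hunk.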
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -1,5 +1,3 @@
-{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
-{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
# Directory to stage Zeek extracted files before processing
redef FileExtract::prefix = "/nsm/zeek/extracted/";
# Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
# These are the mimetypes we want to rip off the networks
export {
global _mime_whitelist: table[string] of string = {
- {%- for li in zeek.policy.file_extraction %}
+ {%- for li in FILE_EXTRACTION %}
{%- if not loop.last %}
{%- for k,v in li.items() %}
["{{ k }}"] = "{{ v }}",
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index a48ec20dc..7da21aa41 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -3,16 +3,23 @@ zeek:
enabled:
description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
config:
+ local:
+ '@load':
+ description: List of Zeek policies to load
+ '@load-sigs':
+ description: List of Zeek signatures to load
node:
lb_procs:
description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
node: True
- zeek_pins_enabled:
- description:
+ pins_enabled:
+ description: Enabled CPU pinning
node: True
- zeek_pins:
- description: List of CPUs you want to
+ advanced: True
+ pins:
+ description: List of CPUs you want to pin to
node: True
+ advanced: True
zeekctl:
CompressLogs:
description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
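Review bot: `{%- for li in FILE_EXTRACTION %}` makes this policy file depend on the `defaults:` entry that zeekpolicysync in `salt/zeek/init.sls` now passes, where the lines removed by the first hunk resolved the list inside the file itself; rendered from any other state, or if that `defaults:` entry is ever dropped, `FILE_EXTRACTION` is undefined and, depending on the Undefined class Salt's renderer uses, the render either fails or silently emits an empty whitelist that extracts nothing. A header comment naming the variable and its provider, e.g. `# Rendered by zeekpolicysync (salt/zeek/init.sls), which supplies FILE_EXTRACTION from zeek:file_extraction` placed above the `# Directory to stage` line, would make the contract visible. The `export { ... }` block continues past the end of the hunk.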
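Review bot: the `node.buffer`, `networks.HOME_NET` and `bpf` keys that defaults.yaml introduces in this same diff get no entry here, so they are not described to operators the way `pins` and `lb_procs` are. `description: Enabled CPU pinning` reads as a typo for `description: Enable CPU pinning`. The retained `lb_procs` text, "ignored if you are using pins", also no longer matches node.cfg.jinja, which prefers `lb_procs` whenever it is non-zero, so the description or the template should be aligned.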
@@ -24,10 +31,6 @@ zeek:
file: True
global: True
advanced: True
- file_extraction:
- description: This is a list of mime types Zeek will extract from the network streams.
- load:
- description: List of Zeek policies to load
- load-sigs:
- description: List of Zeek signatures to load
+ file_extraction:
+ description: This is a list of mime types Zeek will extract from the network streams.
\ No newline at end of file