Merge pull request #8784 from Security-Onion-Solutions/2.4/zeek

2.4/zeek
This commit is contained in:
Josh Patterson
2022-09-20 16:28:40 -04:00
committed by GitHub
10 changed files with 152 additions and 206 deletions


@@ -1,55 +1 @@
zeek: zeek:
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
MinDiskSpace: 5
MailHostUpDown: 1
LogRotationInterval: 3600
LogExpireInterval: 0
StatsLogEnable: 1
StatsLogExpireInterval: 0
StatusCmdShowAll: 0
CrashExpireInterval: 0
SitePolicyScripts: local.zeek
LogDir: /nsm/zeek/logs
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
local:
'@load':
- misc/loaded-scripts
- tuning/defaults
- misc/capture-loss
- misc/stats
- frameworks/software/vulnerable
- frameworks/software/version-changes
- protocols/ftp/software
- protocols/smtp/software
- protocols/ssh/software
- protocols/http/software
- protocols/dns/detect-external-names
- protocols/ftp/detect
- protocols/conn/known-hosts
- protocols/conn/known-services
- protocols/ssl/known-certs
- protocols/ssl/validate-certs
- protocols/ssl/log-hostcerts-only
- protocols/ssh/geo-data
- protocols/ssh/detect-bruteforcing
- protocols/ssh/interesting-hostnames
- protocols/http/detect-sqli
- frameworks/files/hash-all-files
- frameworks/files/detect-MHR
- policy/frameworks/notice/extend-email/hostnames
- ja3
- hassh
- intel
- cve-2020-0601
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
'@load-sigs':
- frameworks/signatures/detect-windows-shells
redef:
- LogAscii::use_json = T;
- CaptureLoss::watch_interval = 5 mins;


@@ -1,8 +1,10 @@
{% set ROLE_GLOBALS = {} %} {% set ROLE_GLOBALS = {} %}
{% set SENSOR_GLOBALS = [] {% set SENSOR_GLOBALS = {
'sensor': {
'interface': pillar.sensor.interface
}
}
%} %}
{% for sg in SENSOR_GLOBALS %} {% do salt['defaults.merge'](ROLE_GLOBALS, SENSOR_GLOBALS, merge_lists=False, in_place=True) %}
{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
{% endfor %}
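Review bot: The new `'interface': pillar.sensor.interface` dereferences the pillar directly, so on a minion whose pillar carries no `sensor` key this map no longer degrades to the empty merge the old loop produced; in Salt's Jinja environment an attribute lookup on a missing key typically aborts the render with an undefined-variable error, and whether this map is imported on such minions is not visible here. `'interface': salt['pillar.get']('sensor:interface')` keeps the lookup explicit and lets a default be supplied where one is wanted (the removed node.cfg used `'bond0'`). The same assumption is repeated by `ROLE_GLOBALS.sensor.interface` in the config.map.jinja hunk below, so both should agree on how a missing interface is handled.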


@@ -1,3 +1,9 @@
{% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
{% set ZEEKOPTIONS = {} %} {% set ZEEKOPTIONS = {} %}
{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %} {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
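Review bot: `salt['pillar.get']('zeek', [])` defaults to a list, but the value is then passed as the source mapping to `salt['defaults.merge']`, which updates one dict from another; with no `zeek` pillar present the merge receives a list and, as far as I recall Salt's dictupdate, rejects the non-mapping with a TypeError, so a minion without that pillar fails to render rather than falling back to `zeek_defaults`. The default should match the type being merged: `{% set zeek_pillar = salt['pillar.get']('zeek', {}) %}`. The `.update({'interface': ...})` on the next line is safe because `in_place=False` returns a copy, which is worth a one-line comment so nobody later switches it to `in_place=True` and mutates the cached defaults.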


@@ -1,9 +1,10 @@
zeek: zeek:
config: config:
node: node:
lb_procs: 1 lb_procs: 0
zeek_pins_enabled: False pins_enabled: False
zeek_pins: [] pins: []
buffer: 128*1024*1024
zeekctl: zeekctl:
MailTo: root@localhost MailTo: root@localhost
MailConnectionSummary: 1 MailConnectionSummary: 1
@@ -20,68 +21,71 @@ zeek:
SpoolDir: /nsm/zeek/spool SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc CfgDir: /opt/zeek/etc
CompressLogs: 1 CompressLogs: 1
policy: local:
file_extraction: '@load':
- application/x-dosexec: exe - misc/loaded-scripts
- application/pdf: pdf - tuning/defaults
- application/msword: doc - misc/capture-loss
- application/vnd.ms-powerpoint: doc - misc/stats
- application/rtf: doc - frameworks/software/vulnerable
- application/vnd.ms-word.document.macroenabled.12: doc - frameworks/software/version-changes
- application/vnd.ms-word.template.macroenabled.12: doc - protocols/ftp/software
- application/vnd.ms-powerpoint.template.macroenabled.12: doc - protocols/smtp/software
- application/vnd.ms-excel: doc - protocols/ssh/software
- application/vnd.ms-excel.addin.macroenabled.12: doc - protocols/http/software
- application/vnd.ms-excel.sheet.binary.macroenabled.12: doc - protocols/dns/detect-external-names
- application/vnd.ms-excel.template.macroenabled.12: doc - protocols/ftp/detect
- application/vnd.ms-excel.sheet.macroenabled.12: doc - protocols/conn/known-hosts
- application/vnd.openxmlformats-officedocument.presentationml.presentation: doc - protocols/conn/known-services
- application/vnd.openxmlformats-officedocument.presentationml.slide: doc - protocols/ssl/known-certs
- application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc - protocols/ssl/validate-certs
- application/vnd.openxmlformats-officedocument.presentationml.template: doc - protocols/ssl/log-hostcerts-only
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc - protocols/ssh/geo-data
- application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc - protocols/ssh/detect-bruteforcing
- application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc - protocols/ssh/interesting-hostnames
- application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc - protocols/http/detect-sqli
- application/vnd.ms-powerpoint.addin.macroenabled.12: doc - frameworks/files/hash-all-files
- application/vnd.ms-powerpoint.slide.macroenabled.12: doc - frameworks/files/detect-MHR
- application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - policy/frameworks/notice/extend-email/hostnames
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - ja3
- application/vnd.openxmlformats-officedocument: doc - hassh
load: - intel
- misc/loaded-scripts - cve-2020-0601
- tuning/defaults - securityonion/bpfconf
- misc/capture-loss - securityonion/communityid
- misc/stats - securityonion/file-extraction
- frameworks/software/vulnerable '@load-sigs':
- frameworks/software/version-changes - frameworks/signatures/detect-windows-shells
- protocols/ftp/software redef:
- protocols/smtp/software - LogAscii::use_json = T;
- protocols/ssh/software - CaptureLoss::watch_interval = 5 mins;
- protocols/http/software networks:
- protocols/dns/detect-external-names HOME_NET: 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
- protocols/ftp/detect file_extraction:
- protocols/conn/known-hosts - application/x-dosexec: exe
- protocols/conn/known-services - application/pdf: pdf
- protocols/ssl/known-certs - application/msword: doc
- protocols/ssl/validate-certs - application/vnd.ms-powerpoint: doc
- protocols/ssl/log-hostcerts-only - application/rtf: doc
- protocols/ssh/geo-data - application/vnd.ms-word.document.macroenabled.12: doc
- protocols/ssh/detect-bruteforcing - application/vnd.ms-word.template.macroenabled.12: doc
- protocols/ssh/interesting-hostnames - application/vnd.ms-powerpoint.template.macroenabled.12: doc
- protocols/http/detect-sqli - application/vnd.ms-excel: doc
- frameworks/files/hash-all-files - application/vnd.ms-excel.addin.macroenabled.12: doc
- frameworks/files/detect-MHR - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- policy/frameworks/notice/extend-email/hostnames - application/vnd.ms-excel.template.macroenabled.12: doc
- ja3 - application/vnd.ms-excel.sheet.macroenabled.12: doc
- hassh - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- intel - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- cve-2020-0601 - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- securityonion/bpfconf - application/vnd.openxmlformats-officedocument.presentationml.template: doc
- securityonion/communityid - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- securityonion/file-extraction - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
load-sigs: - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- frameworks/signatures/detect-windows-shells - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
redef: - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- LogAscii::use_json = T; - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- CaptureLoss::watch_interval = 5 mins; - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument: doc
bpf: []
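Review bot: `buffer: 128*1024*1024` is a plain YAML scalar, so it is the eight-character string `128*1024*1024`, not the integer the removed node.cfg obtained by evaluating the same expression as a Jinja default; the new node.cfg.jinja writes it verbatim as `af_packet_buffer_size={{ NODE.buffer }}`, which hands the literal text to zeekctl. Write the evaluated value, `buffer: 134217728`, with a comment that it is 128 MiB. `pins_enabled: False` should also be `false` (YAML 1.1/1.2 differ on capitalised booleans and yamllint's `truthy` rule flags it), and `HOME_NET` as a comma-joined string is only usable through the `split(',')` in networks.cfg.jinja — a YAML list would let other consumers read it without re-parsing, though that is a larger change. Indentation is lost in this view, so I cannot confirm which of `networks`, `file_extraction` and `bpf` sit under `config`.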


@@ -1,9 +1,5 @@
{%- if salt['pillar.get']('sensor:hnsensor') %} {%- if NETWORKS.HOME_NET %}
{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %} {%- for HN in NETWORKS.HOME_NET.split(',') %}
{%- else %}
{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
{%- endif %}
{%- set HNLIST = HOME_NET.split(',') %}
{%- for HN in HNLIST %}
{{ HN }} {{ HN }}
{%- endfor %} {%- endfor %}
{%- endif %}
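Review bot: `NETWORKS.HOME_NET.split(',')` does not trim, so a pillar value written as `192.168.0.0/16, 10.0.0.0/8` emits entries with a leading space into networks.cfg; whether Zeek tolerates that whitespace I cannot confirm from here, and an unparsed local-network entry silently changes which hosts Zeek treats as local. Emit `{{ HN | trim }}` in the loop body, and consider skipping empty entries from a trailing comma. Note that the sensor-level `sensor:hnsensor` and `global:hnmanager` fallbacks are gone, so the only source is now `zeek:config:networks:HOME_NET`; if the pillar documentation still mentions the old keys it should be updated alongside this change.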


@@ -1,45 +0,0 @@
{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
{%- if salt['pillar.get']('sensor:zeek_proxies') %}
{%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
{%- else %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
{%- else %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
{%- endif %}
{%- endif %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ interface }}
lb_method=custom
{%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
{%- else %}
lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
{%- endif %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ interface }}
{%- endif %}


@@ -0,0 +1,35 @@
{%- if NODE.pins or NODE.lb_procs %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ NODE.interface }}
lb_method=custom
{%- if NODE.lb_procs %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
lb_procs={{ NODE.pins | length }}
{%- endif %}
{%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ NODE.buffer }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ NODE.interface }}
{%- endif %}
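Review bot: `pins_enabled` from defaults.yaml is never consulted here: the cluster branch is chosen on `NODE.pins or NODE.lb_procs` and `pin_cpus` is written whenever `NODE.pins` is non-empty, so the toggle the soc_zeek.yaml annotation describes as "Enabled CPU pinning" has no effect, and a user who disables pinning but leaves the list populated is still pinned. Gate both checks on the flag: `{%- if (NODE.pins_enabled and NODE.pins) or NODE.lb_procs %}` at the top, `lb_procs={{ NODE.pins | length }}` only in that same case, and `{%- if NODE.pins_enabled and NODE.pins %}` around `pin_cpus`. `af_packet_buffer_size={{ NODE.buffer }}` renders whatever defaults.yaml holds for `buffer`, which in this commit is the unevaluated string `128*1024*1024` (see the defaults.yaml hunk).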


@@ -6,16 +6,11 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS with context %}
{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
{% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
{% set VERSION = salt['pillar.get']('global:soversion') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', {}) %}
{% set BPF_STATUS = 0 %} {% set BPF_STATUS = 0 %}
{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
{% set ZEEK = salt['pillar.get']('zeek', {}) %}
# Zeek Salt State # Zeek Salt State
@@ -77,6 +72,8 @@ zeekpolicysync:
- user: 937 - user: 937
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults:
FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
# Ensure the zeek spool tree (and state.db) ownership is correct # Ensure the zeek spool tree (and state.db) ownership is correct
zeekspoolownership: zeekspoolownership:
@@ -107,16 +104,18 @@ zeekctlcfg:
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults: - defaults:
ZEEKCTL: {{ ZEEK.zeekctl | tojson }} ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
# Sync node.cfg # Sync node.cfg
nodecfg: nodecfg:
file.managed: file.managed:
- name: /opt/so/conf/zeek/node.cfg - name: /opt/so/conf/zeek/node.cfg
- source: salt://zeek/files/node.cfg - source: salt://zeek/files/node.cfg.jinja
- user: 937 - user: 937
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults:
NODE: {{ ZEEKMERGED.zeek.config.node }}
networkscfg: networkscfg:
file.managed: file.managed:
@@ -125,6 +124,8 @@ networkscfg:
- user: 937 - user: 937
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults:
NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
#zeekcleanscript: #zeekcleanscript:
# file.managed: # file.managed:
@@ -158,8 +159,8 @@ zeekpacketlosscron:
- dayweek: '*' - dayweek: '*'
# BPF compilation and configuration # BPF compilation and configuration
{% if BPF_ZEEK %} {% if ZEEKMERGED.zeek.bpf %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %} {% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %} {% set BPF_STATUS = 1 %}
{% else %} {% else %}
@@ -177,7 +178,7 @@ zeekbpf:
- user: 940 - user: 940
- group: 940 - group: 940
{% if BPF_STATUS %} {% if BPF_STATUS %}
- contents_pillar: zeek:bpf - contents: {{ ZEEKMERGED.bpf }}
{% else %} {% else %}
- contents: - contents:
- "ip or not ip" - "ip or not ip"
@@ -192,12 +193,12 @@ localzeek:
- group: 939 - group: 939
- template: jinja - template: jinja
- defaults: - defaults:
LOCAL: {{ ZEEK.local | tojson }} LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
so-zeek: so-zeek:
docker_container.{{ ZEEKOPTIONS.status }}: docker_container.{{ ZEEKOPTIONS.status }}:
{% if ZEEKOPTIONS.status == 'running' %} {% if ZEEKOPTIONS.status == 'running' %}
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: {{ ZEEKOPTIONS.start }} - start: {{ ZEEKOPTIONS.start }}
- privileged: True - privileged: True
- ulimits: - ulimits:
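Review bot: In the zeekbpf hunk, `- contents: {{ ZEEKMERGED.bpf }}` reads a key the rest of this commit never defines: the compile step just above it uses `ZEEKMERGED.zeek.bpf`, and defaults.yaml places `bpf` under the `zeek` mapping (indentation is lost in this view, so hedged). If the lookup renders empty, the state writes an empty filter file after a successful compile, which silently changes what traffic Zeek captures rather than failing loudly; `- contents: {{ ZEEKMERGED.zeek.bpf | tojson }}` uses the same path as the compile step. The new `- defaults:` values for `FILE_EXTRACTION`, `NODE` and `NETWORKS` are interpolated as Python repr while `ZEEKCTL` and `LOCAL` in the same file use `| tojson`; the repr form depends on Salt's YAML loader accepting Python `True`/`False` and single-quoted strings, so `| tojson` on all three would be consistent and safer.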


@@ -1,5 +1,3 @@
{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
# Directory to stage Zeek extracted files before processing # Directory to stage Zeek extracted files before processing
redef FileExtract::prefix = "/nsm/zeek/extracted/"; redef FileExtract::prefix = "/nsm/zeek/extracted/";
# Set a limit to the file size # Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
# These are the mimetypes we want to rip off the networks # These are the mimetypes we want to rip off the networks
export { export {
global _mime_whitelist: table[string] of string = { global _mime_whitelist: table[string] of string = {
{%- for li in zeek.policy.file_extraction %} {%- for li in FILE_EXTRACTION %}
{%- if not loop.last %} {%- if not loop.last %}
{%- for k,v in li.items() %} {%- for k,v in li.items() %}
["{{ k }}"] = "{{ v }}", ["{{ k }}"] = "{{ v }}",


@@ -3,16 +3,23 @@ zeek:
enabled: enabled:
description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor. description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
config: config:
local:
'@load':
description: List of Zeek policies to load
'@load-sigs':
description: List of Zeek signatures to load
node: node:
lb_procs: lb_procs:
description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins. description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
node: True node: True
zeek_pins_enabled: pins_enabled:
description: description: Enabled CPU pinning
node: True node: True
zeek_pins: advanced: True
description: List of CPUs you want to pins:
description: List of CPUs you want to pin to
node: True node: True
advanced: True
zeekctl: zeekctl:
CompressLogs: CompressLogs:
description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU. description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
@@ -24,10 +31,6 @@ zeek:
file: True file: True
global: True global: True
advanced: True advanced: True
file_extraction: file_extraction:
description: This is a list of mime types Zeek will extract from the network streams. description: This is a list of mime types Zeek will extract from the network streams.
load:
description: List of Zeek policies to load
load-sigs:
description: List of Zeek signatures to load
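Review bot: The keys this commit adds to defaults.yaml are not all annotated here: `buffer` under `node`, `networks.HOME_NET` and `bpf` have no `description` entry, while `pins_enabled`, `pins` and `lb_procs` do; if this file drives what the SOC configuration UI exposes, those settings will be invisible or undocumented. A minimal addition would be `buffer:` with `description: AF_PACKET ring buffer size in bytes for each worker` and `node: True`, plus an entry for `networks.HOME_NET` describing the comma-separated CIDR list. The `pins_enabled` text reads `Enabled CPU pinning`; `Enable CPU pinning` matches the imperative style of the other descriptions.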