CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8784 from Security-Onion-Solutions/2.4/zeek

Browse Source 
2.4/zeek
This commit is contained in:
Josh Patterson
2022-09-20 16:28:40 -04:00
committed by GitHub
parent 8a537204d6 e1ea3c2031
commit f0ddfecd42
10 changed files with 152 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
pillar/zeek/init.sls
View File

@@ -1,55 +1 @@
zeek:
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
MinDiskSpace: 5
MailHostUpDown: 1
LogRotationInterval: 3600
LogExpireInterval: 0
StatsLogEnable: 1
StatsLogExpireInterval: 0
StatusCmdShowAll: 0
CrashExpireInterval: 0
SitePolicyScripts: local.zeek
LogDir: /nsm/zeek/logs
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
local:
'@load':
- misc/loaded-scripts
- tuning/defaults
- misc/capture-loss
- misc/stats
- frameworks/software/vulnerable
- frameworks/software/version-changes
- protocols/ftp/software
- protocols/smtp/software
- protocols/ssh/software
- protocols/http/software
- protocols/dns/detect-external-names
- protocols/ftp/detect
- protocols/conn/known-hosts
- protocols/conn/known-services
- protocols/ssl/known-certs
- protocols/ssl/validate-certs
- protocols/ssl/log-hostcerts-only
- protocols/ssh/geo-data
- protocols/ssh/detect-bruteforcing
- protocols/ssh/interesting-hostnames
- protocols/http/detect-sqli
- frameworks/files/hash-all-files
- frameworks/files/detect-MHR
- policy/frameworks/notice/extend-email/hostnames
- ja3
- hassh
- intel
- cve-2020-0601
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
'@load-sigs':
- frameworks/signatures/detect-windows-shells
redef:
- LogAscii::use_json = T;
- CaptureLoss::watch_interval = 5 mins;

10
salt/vars/sensor.map.jinja
View File

@@ -1,8 +1,10 @@
{% set ROLE_GLOBALS = {} %}
{% set SENSOR_GLOBALS = []
{% set SENSOR_GLOBALS = {
'sensor': {
'interface': pillar.sensor.interface
}
}
%}
{% for sg in SENSOR_GLOBALS %}
{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
{% endfor %}
{% do salt['defaults.merge'](ROLE_GLOBALS, SENSOR_GLOBALS, merge_lists=False, in_place=True) %}

6
salt/zeek/config.map.jinja
View File

@@ -1,3 +1,9 @@
{% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
{% set ZEEKOPTIONS = {} %}
{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}

140
salt/zeek/defaults.yaml
View File

@@ -1,9 +1,10 @@
zeek:
config:
node:
lb_procs: 1
zeek_pins_enabled: False
zeek_pins: []
lb_procs: 0
pins_enabled: False
pins: []
buffer: 128*1024*1024
zeekctl:
MailTo: root@localhost
MailConnectionSummary: 1
@@ -20,68 +21,71 @@ zeek:
SpoolDir: /nsm/zeek/spool
CfgDir: /opt/zeek/etc
CompressLogs: 1
policy:
file_extraction:
- application/x-dosexec: exe
- application/pdf: pdf
- application/msword: doc
- application/vnd.ms-powerpoint: doc
- application/rtf: doc
- application/vnd.ms-word.document.macroenabled.12: doc
- application/vnd.ms-word.template.macroenabled.12: doc
- application/vnd.ms-powerpoint.template.macroenabled.12: doc
- application/vnd.ms-excel: doc
- application/vnd.ms-excel.addin.macroenabled.12: doc
- application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- application/vnd.ms-excel.template.macroenabled.12: doc
- application/vnd.ms-excel.sheet.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- application/vnd.openxmlformats-officedocument.presentationml.template: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
- application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument: doc
load:
- misc/loaded-scripts
- tuning/defaults
- misc/capture-loss
- misc/stats
- frameworks/software/vulnerable
- frameworks/software/version-changes
- protocols/ftp/software
- protocols/smtp/software
- protocols/ssh/software
- protocols/http/software
- protocols/dns/detect-external-names
- protocols/ftp/detect
- protocols/conn/known-hosts
- protocols/conn/known-services
- protocols/ssl/known-certs
- protocols/ssl/validate-certs
- protocols/ssl/log-hostcerts-only
- protocols/ssh/geo-data
- protocols/ssh/detect-bruteforcing
- protocols/ssh/interesting-hostnames
- protocols/http/detect-sqli
- frameworks/files/hash-all-files
- frameworks/files/detect-MHR
- policy/frameworks/notice/extend-email/hostnames
- ja3
- hassh
- intel
- cve-2020-0601
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
load-sigs:
- frameworks/signatures/detect-windows-shells
redef:
- LogAscii::use_json = T;
- CaptureLoss::watch_interval = 5 mins;
local:
'@load':
- misc/loaded-scripts
- tuning/defaults
- misc/capture-loss
- misc/stats
- frameworks/software/vulnerable
- frameworks/software/version-changes
- protocols/ftp/software
- protocols/smtp/software
- protocols/ssh/software
- protocols/http/software
- protocols/dns/detect-external-names
- protocols/ftp/detect
- protocols/conn/known-hosts
- protocols/conn/known-services
- protocols/ssl/known-certs
- protocols/ssl/validate-certs
- protocols/ssl/log-hostcerts-only
- protocols/ssh/geo-data
- protocols/ssh/detect-bruteforcing
- protocols/ssh/interesting-hostnames
- protocols/http/detect-sqli
- frameworks/files/hash-all-files
- frameworks/files/detect-MHR
- policy/frameworks/notice/extend-email/hostnames
- ja3
- hassh
- intel
- cve-2020-0601
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
'@load-sigs':
- frameworks/signatures/detect-windows-shells
redef:
- LogAscii::use_json = T;
- CaptureLoss::watch_interval = 5 mins;
networks:
HOME_NET: 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
file_extraction:
- application/x-dosexec: exe
- application/pdf: pdf
- application/msword: doc
- application/vnd.ms-powerpoint: doc
- application/rtf: doc
- application/vnd.ms-word.document.macroenabled.12: doc
- application/vnd.ms-word.template.macroenabled.12: doc
- application/vnd.ms-powerpoint.template.macroenabled.12: doc
- application/vnd.ms-excel: doc
- application/vnd.ms-excel.addin.macroenabled.12: doc
- application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- application/vnd.ms-excel.template.macroenabled.12: doc
- application/vnd.ms-excel.sheet.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- application/vnd.openxmlformats-officedocument.presentationml.template: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
- application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument: doc
bpf: []

12
salt/zeek/files/networks.cfg.jinja
View File

@@ -1,9 +1,5 @@
{%- if salt['pillar.get']('sensor:hnsensor') %}
{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
{%- else %}
{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
{%- endif %}
{%- set HNLIST = HOME_NET.split(',') %}
{%- for HN in HNLIST %}
{%- if NETWORKS.HOME_NET %}
{%- for HN in NETWORKS.HOME_NET.split(',') %}
{{ HN }}
{%- endfor %}
{%- endfor %}
{%- endif %}

45
salt/zeek/files/node.cfg
View File

@@ -1,45 +0,0 @@
{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
{%- if salt['pillar.get']('sensor:zeek_proxies') %}
{%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
{%- else %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
{%- else %}
{%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
{%- endif %}
{%- endif %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ interface }}
lb_method=custom
{%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
{%- else %}
lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
{%- endif %}
{%- if salt['pillar.get']('sensor:zeek_pins') %}
pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ interface }}
{%- endif %}

35
salt/zeek/files/node.cfg.jinja Normal file
View File

@@ -0,0 +1,35 @@
{%- if NODE.pins or NODE.lb_procs %}
[manager]
type=manager
host=localhost
[logger]
type=logger
host=localhost
[proxy]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::{{ NODE.interface }}
lb_method=custom
{%- if NODE.lb_procs %}
lb_procs={{ NODE.lb_procs }}
{%- else %}
lb_procs={{ NODE.pins | length }}
{%- endif %}
{%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }}
{%- endif %}
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ NODE.buffer }}
{%- else %}
[zeeksa]
type=standalone
host=localhost
interface={{ NODE.interface }}
{%- endif %}

29
salt/zeek/init.sls
View File

@@ -6,16 +6,11 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS with context %}
{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
{% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
{% set VERSION = salt['pillar.get']('global:soversion') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', {}) %}
{% set BPF_STATUS = 0 %}
{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
{% set ZEEK = salt['pillar.get']('zeek', {}) %}
# Zeek Salt State
@@ -77,6 +72,8 @@ zeekpolicysync:
- user: 937
- group: 939
- template: jinja
- defaults:
FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
# Ensure the zeek spool tree (and state.db) ownership is correct
zeekspoolownership:
@@ -107,16 +104,18 @@ zeekctlcfg:
- group: 939
- template: jinja
- defaults:
ZEEKCTL: {{ ZEEK.zeekctl | tojson }}
ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
# Sync node.cfg
nodecfg:
file.managed:
- name: /opt/so/conf/zeek/node.cfg
- source: salt://zeek/files/node.cfg
- source: salt://zeek/files/node.cfg.jinja
- user: 937
- group: 939
- template: jinja
- defaults:
NODE: {{ ZEEKMERGED.zeek.config.node }}
networkscfg:
file.managed:
@@ -125,6 +124,8 @@ networkscfg:
- user: 937
- group: 939
- template: jinja
- defaults:
NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
#zeekcleanscript:
# file.managed:
@@ -158,8 +159,8 @@ zeekpacketlosscron:
- dayweek: '*'
# BPF compilation and configuration
{% if BPF_ZEEK %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" "),cwd='/root') %}
{% if ZEEKMERGED.zeek.bpf %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
@@ -177,7 +178,7 @@ zeekbpf:
- user: 940
- group: 940
{% if BPF_STATUS %}
- contents_pillar: zeek:bpf
- contents: {{ ZEEKMERGED.bpf }}
{% else %}
- contents:
- "ip or not ip"
@@ -192,12 +193,12 @@ localzeek:
- group: 939
- template: jinja
- defaults:
LOCAL: {{ ZEEK.local | tojson }}
LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
so-zeek:
docker_container.{{ ZEEKOPTIONS.status }}:
{% if ZEEKOPTIONS.status == 'running' %}
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
- image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: {{ ZEEKOPTIONS.start }}
- privileged: True
- ulimits:

4
salt/zeek/policy/securityonion/file-extraction/extract.zeek
View File

@@ -1,5 +1,3 @@
{% import_yaml "zeek/fileextraction_defaults.yaml" as zeek_default -%}
{% set zeek = salt['grains.filter_by'](zeek_default, default='zeek', merge=salt['pillar.get']('zeek', {})) -%}
# Directory to stage Zeek extracted files before processing
redef FileExtract::prefix = "/nsm/zeek/extracted/";
# Set a limit to the file size
@@ -7,7 +5,7 @@ redef FileExtract::default_limit = 9000000;
# These are the mimetypes we want to rip off the networks
export {
global _mime_whitelist: table[string] of string = {
{%- for li in zeek.policy.file_extraction %}
{%- for li in FILE_EXTRACTION %}
{%- if not loop.last %}
{%- for k,v in li.items() %}
["{{ k }}"] = "{{ v }}",

23
salt/zeek/soc_zeek.yaml
View File

@@ -3,16 +3,23 @@ zeek:
enabled:
description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
config:
local:
'@load':
description: List of Zeek policies to load
'@load-sigs':
description: List of Zeek signatures to load
node:
lb_procs:
description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
node: True
zeek_pins_enabled:
description:
pins_enabled:
description: Enabled CPU pinning
node: True
zeek_pins:
description: List of CPUs you want to
advanced: True
pins:
description: List of CPUs you want to pin to
node: True
advanced: True
zeekctl:
CompressLogs:
description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
@@ -24,10 +31,6 @@ zeek:
file: True
global: True
advanced: True
file_extraction:
description: This is a list of mime types Zeek will extract from the network streams.
load:
description: List of Zeek policies to load
load-sigs:
description: List of Zeek signatures to load
file_extraction:
description: This is a list of mime types Zeek will extract from the network streams.