From d2a74c80e2aaa309d3660232fcbd28490b4dc50a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 17 Feb 2021 16:37:31 -0500 Subject: [PATCH 01/10] Update .security analyzer --- .../templates/so/so-common-template.json | 33 ++++++++++--------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index 74ff3748a..062838670 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -12,20 +12,18 @@ "analyzer": { "es_security_analyzer": { "type": "custom", - "filter": [ "path_hierarchy_pattern_filter", "lowercase" ], - "tokenizer": "whitespace" - }, - "es_security_search_analyzer": { - "type": "custom", - "filter": [ "lowercase" ], - "tokenizer": "whitespace" - }, - "es_security_search_quote_analyzer": { - "type": "custom", - "filter": [ "lowercase" ], - "tokenizer": "whitespace" + "char_filter": [ "whitespace_no_way" ], + "filter": [ "lowercase", "trim" ], + "tokenizer": "keyword" } }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, "filter" : { "path_hierarchy_pattern_filter": { "type" : "pattern_capture", @@ -35,6 +33,12 @@ "((?:[^/]*/)*)(.*)" ] } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } } } }, @@ -67,13 +71,12 @@ "type": "text", "fields": { "keyword": { + "ignore_above": 32765, "type": "keyword" }, "security": { "type": "text", - "analyzer": "es_security_analyzer", - "search_analyzer": "es_security_search_analyzer", - "search_quote_analyzer": "es_security_search_quote_analyzer" + "analyzer": "es_security_analyzer" } } } From 88eb5b1d617ad1455ae39e015ade003d7d28ae41 Mon Sep 17 00:00:00 2001 
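Review bot: `"ignore_above": 32765` on the `keyword` subfield is a character count while Lucene's 32766 term limit is in bytes, so a multi-byte UTF-8 value shorter than 32765 characters can still exceed the limit and reject the whole document; if the intent is "never reject on length", 8191 (32766/4) is the safe ceiling, otherwise the ASCII assumption should be recorded next to the mapping. The `security` subfield is now tokenized as one term by the `keyword` tokenizer and has no `ignore_above` at all, so the same byte limit applies there too — worth confirming how the cluster handles an over-long term on a `text` field before relying on it. Separately, the new `path_tokenizer` and the retained `path_hierarchy_pattern_filter` are not referenced by any analyzer in this hunk (`es_security_analyzer` is the only one left and uses `keyword` plus `whitespace_no_way`); either wire them in or drop them so the settings do not advertise behaviour the mapping does not have. The enclosing `settings` object starts and ends outside the hunk.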
From: doug Date: Fri, 19 Feb 2021 08:02:32 -0500 Subject: [PATCH 02/10] Update syslog ingest parser to accomodate pfSense filterlog changes #3033 --- salt/elasticsearch/files/ingest/syslog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog index b08a62187..367dcebe7 100644 --- a/salt/elasticsearch/files/ingest/syslog +++ b/salt/elasticsearch/files/ingest/syslog @@ -17,7 +17,7 @@ { "field": "message", "patterns": [ - "^<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}: %{GREEDYDATA:real_message}$", + "^<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}(\\[%{DATA:pid}\\])?: %{GREEDYDATA:real_message}$", "^%{SYSLOGTIMESTAMP:syslog.timestamp} %{SYSLOGHOST:syslog.host} %{SYSLOGPROG:syslog.program}: CEF:0\\|%{DATA:vendor}\\|%{DATA:product}\\|%{GREEDYDATA:message2}$" ], "ignore_failure": true From b4b449aa14d28220ec40e9ec60a127871f056537 Mon Sep 17 00:00:00 2001 
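Review bot: The new optional group `(\\[%{DATA:pid}\\])?` writes the PID into a top-level `pid` field as a string, while every other capture in the same pattern is namespaced (`syslog.*`, `source.application`); a mismatched name and type will make the field hard to correlate with process fields elsewhere. If the senders this is meant for always put a numeric PID in the brackets, `(\\[%{POSINT:process.pid:int}\\])?` keeps the namespace and gives an integer; if non-numeric values are possible, keep `DATA` but still move it under `process.pid`. Note the grok has `ignore_failure: true`, so a regression in this pattern will show up as silently unparsed messages rather than errors.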
From: Mike Reeves Date: Fri, 19 Feb 2021 11:01:15 -0500 Subject: [PATCH 03/10] Pull in Suricata changes --- .../files/ingest/suricata.common | 4 +- salt/elasticsearch/files/ingest/suricata.dns | 11 +- .../files/ingest/suricata.fileinfo | 12 +- salt/elasticsearch/files/ingest/suricata.krb5 | 9 +- salt/elasticsearch/files/ingest/suricata.rdp | 22 +++- salt/elasticsearch/files/ingest/suricata.smb | 26 ++++- salt/elasticsearch/files/ingest/suricata.snmp | 4 +- salt/elasticsearch/files/ingest/suricata.tftp | 6 +- salt/elasticsearch/files/ingest/suricata.tls | 16 ++- salt/idstools/etc/rulecat.conf | 13 ++- salt/idstools/init.sls | 5 +- salt/idstools/sorules/extraction.rules | 26 +++++ salt/idstools/sorules/filer.rules | 3 + salt/strelka/init.sls | 14 ++- salt/suricata/defaults.yaml | 4 +- salt/suricata/init.sls | 29 +---- salt/suricata/suricata_config.map.jinja | 11 ++ salt/suricata/suricata_meta.yaml | 20 +++- setup/so-setup | 103 +++++++++--------- 19 files changed, 237 insertions(+), 101 deletions(-) create mode 100644 salt/idstools/sorules/extraction.rules create mode 100644 salt/idstools/sorules/filer.rules diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common index 2bc727012..8e286d2b5 100644 --- a/salt/elasticsearch/files/ingest/suricata.common +++ b/salt/elasticsearch/files/ingest/suricata.common @@ -15,6 +15,6 @@ { "set": { "field": "ingest.timestamp", "value": "{{@timestamp}}" } }, { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, { "remove":{ "field": "agent", "ignore_failure": true } }, - { "pipeline": { "name": "suricata.{{dataset}}" } } + { "pipeline": { "if": "ctx?.dataset != null", "name": "suricata.{{dataset}}" } } ] -} +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns index 0a2e1b2ae..a40107819 100644 
--- a/salt/elasticsearch/files/ingest/suricata.dns +++ b/salt/elasticsearch/files/ingest/suricata.dns @@ -7,8 +7,13 @@ { "rename": { "field": "message2.dns.tx_id", "target_field": "dns.id", "ignore_missing": true } }, { "rename": { "field": "message2.dns.version", "target_field": "dns.version", "ignore_missing": true } }, { "rename": { "field": "message2.dns.rrname", "target_field": "dns.query.name", "ignore_missing": true } }, - { "rename": { "field": "message2.grouped.A", "target_field": "dns.answers", "ignore_missing": true } }, - + { "rename": { "field": "message2.dns.flags", "target_field": "dns.flags", "ignore_missing": true } }, + { "rename": { "field": "message2.dns.qr", "target_field": "dns.qr", "ignore_missing": true } }, + { "rename": { "field": "message2.dns.rd", "target_field": "dns.recursion.desired", "ignore_missing": true } }, + { "rename": { "field": "message2.dns.ra", "target_field": "dns.recursion.available", "ignore_missing": true } }, + { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code", "ignore_missing": true } }, + { "rename": { "field": "message2.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } }, + { "rename": { "field": "message2.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.fileinfo b/salt/elasticsearch/files/ingest/suricata.fileinfo index c319b4a3c..7b5bff14c 100644 --- a/salt/elasticsearch/files/ingest/suricata.fileinfo +++ b/salt/elasticsearch/files/ingest/suricata.fileinfo 
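Review bot: Renaming `message2.grouped.A` to `dns.answers.data` and `message2.grouped.CNAME` to `dns.answers.name` produces an object with two parallel arrays under `dns.answers`, not an array of answer objects, so the pairing between a name and its data is lost and the shape will not match a consumer expecting ECS `dns.answers[]`. If the goal is the resolved addresses, `"target_field": "dns.resolved_ip"` is the ECS field for exactly that list; the CNAME targets are answer data rather than owner names, so `dns.answers.name` is also the wrong slot for them semantically. This rename only works while the Suricata output uses the grouped format (the `formats: [grouped]` change elsewhere in this series), which is worth a comment in the pipeline description since nothing here ties the two together.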
@@ -1,8 +1,18 @@ { "description" : "suricata.fileinfo", "processors" : [ + { "set": { "field": "dataset", "value": "file" } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.filename", "target_field": "file.name", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.gaps", "target_field": "file.bytes.missing", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.magic", "target_field": "file.mime_type", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.md5", "target_field": "hash.md5", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.sha1", "target_field": "hash.sha1", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.sid", "target_field": "rule.uuid", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.size", "target_field": "file.size", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.state", "target_field": "file.state", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.stored", "target_field": "file.saved", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.krb5 b/salt/elasticsearch/files/ingest/suricata.krb5 index 83e950128..1e3039830 100644 --- a/salt/elasticsearch/files/ingest/suricata.krb5 +++ b/salt/elasticsearch/files/ingest/suricata.krb5 
@@ -1,8 +1,15 @@ { "description" : "suricata.krb5", "processors" : [ + { "set": { "field": "dataset", "value": "kerberos" } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, + { "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.rdp b/salt/elasticsearch/files/ingest/suricata.rdp index 229c5bd86..3f6e28c48 100644 --- a/salt/elasticsearch/files/ingest/suricata.rdp +++ b/salt/elasticsearch/files/ingest/suricata.rdp 
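Review bot: The last rename reads `message2.krb.weak_encryption` while every other krb5 field in this hunk is under `message2.krb5.*`; with `ignore_missing: true` the mismatch is silent and `kerberos.weak_encryption` will simply never be populated. If the key sits under the `krb5` object like its siblings, the line should be `{ "rename": { "field": "message2.krb5.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } }`. Since `ignore_missing` hides typos in source paths across all of these pipelines, a quick check that each renamed field actually appears in indexed documents would catch this class of error.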
@@ -3,6 +3,26 @@ "processors" : [ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.tx_id", "target_field": "rdp.tx_id", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.event_type", "target_field": "rdp.event_type", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.cookie", "target_field": "rdp.cookie", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.version", "target_field": "rdp.client_version", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.desktop_width", "target_field": "rdp.desktop__width", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.desktop__height", "target_field": "rdp.desktop__height", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.color_depth", "target_field": "rdp.requested_color_depth", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.keyboard_layout", "target_field": "rdp.keyboard_layout", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.build", "target_field": "rdp.client_build", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.client_name", "target_field": "client.name", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.keyboard_type", "target_field": "rdp.keyboard_type", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.function_keys", "target_field": "rdp.function_keys", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.product_id", "target_field": "rdp.product_id", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.client.capabilities", "target_field": "rdp.client_capabilities", "ignore_missing": true } }, + { "rename": { "field": 
"message2.rdp.client.id", "target_field": "rdp.client_id", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.channels", "target_field": "rdp.channels", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.server_supports", "target_field": "rdp.server_supports", "ignore_missing": true } }, + { "rename": { "field": "message2.rdp.x509_serials", "target_field": "rdp.x509_serials", "ignore_missing": true } }, + + { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.smb b/salt/elasticsearch/files/ingest/suricata.smb index c84dc8136..faf10755e 100644 --- a/salt/elasticsearch/files/ingest/suricata.smb +++ b/salt/elasticsearch/files/ingest/suricata.smb 
@@ -3,6 +3,30 @@ "processors" : [ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.id", "target_field": "smb.id", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.dialect", "target_field": "smb.dialect", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.command", "target_field": "smb.command", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.status", "target_field": "smb.status", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.status_code", "target_field": "smb.status_code", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.session_id", "target_field": "smb.session_id", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.tree_id", "target_field": "smb.tree_id", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.filename", "target_field": "smb.filename", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.disposition", "target_field": "smb.disposition", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.access", "target_field": "smb.access", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.created", "target_field": "smb.created", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.accessed", "target_field": "smb.accessed", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.modified", "target_field": "smb.modified ", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.changed", "target_field": "smb.changed", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.size", "target_field": "smb.size", "ignore_missing": true } }, + { "rename": { "field": "message2.smb.share", "target_field": "smb.share", "ignore_missing": true } }, + { "rename": { 
"field": "message2.smb.share_type", "target_field": "smb.share_type", "ignore_missing": true } }, + { "rename": { "field": "message2.client_dialects", "target_field": "smb.client_dialects", "ignore_missing": true } }, + { "rename": { "field": "message2.client_guid", "target_field": "smb.client_guid", "ignore_missing": true } }, + { "rename": { "field": "message2.server_guid", "target_field": "smb.server_guid", "ignore_missing": true } }, + { "rename": { "field": "message2.request.native_us", "target_field": "smb.request.native_us", "ignore_missing": true } }, + { "rename": { "field": "message2.request.native_lm", "target_field": "smb.request.native_lm", "ignore_missing": true } }, + { "rename": { "field": "message2.response.native_os", "target_field": "smb.response.native_os", "ignore_missing": true } }, + { "rename": { "field": "message2.response.native_lm", "target_field": "smb.response.native_lm", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.snmp b/salt/elasticsearch/files/ingest/suricata.snmp index bda17f6eb..5c3f5d4d7 100644 --- a/salt/elasticsearch/files/ingest/suricata.snmp +++ b/salt/elasticsearch/files/ingest/suricata.snmp @@ -5,6 +5,8 @@ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.snmp.version", "target_field": "snmp.version", "ignore_missing": true } }, { "rename": { "field": "message2.snmp.community", "target_field": "snmp.community", "ignore_missing": true } }, + { "rename": { "field": "message2.snmp.pdu_type", "target_field": "snmp.pdu_type", "ignore_missing": true } }, + { "rename": { "field": "message2.snmp.vars", "target_field": "snmp.vars", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file 
diff --git a/salt/elasticsearch/files/ingest/suricata.tftp b/salt/elasticsearch/files/ingest/suricata.tftp index cb148e9d7..91db12046 100644 --- a/salt/elasticsearch/files/ingest/suricata.tftp +++ b/salt/elasticsearch/files/ingest/suricata.tftp @@ -3,6 +3,10 @@ "processors" : [ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.tftp.packet", "target_field": "tftp.packet", "ignore_missing": true } }, + { "rename": { "field": "message2.tftp.file", "target_field": "tftp.file", "ignore_missing": true } }, + { "rename": { "field": "message2.tftp.mode", "target_field": "tftp.mode", "ignore_missing": true } }, + { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.tls b/salt/elasticsearch/files/ingest/suricata.tls index e6b6081d3..0dfc06eaa 100644 --- a/salt/elasticsearch/files/ingest/suricata.tls +++ b/salt/elasticsearch/files/ingest/suricata.tls 
@@ -1,8 +1,22 @@ { "description" : "suricata.tls", "processors" : [ + { "set": { "field": "dataset", "value": "ssl" } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.serial", "target_field": "ssl.certificate.serial", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.fingerprint", "target_field": "ssl.certificate.fingerprint", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.version", "target_field": "ssl.certificate.version", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.ja3.hash", "target_field": "hash.ja3", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.ja3.hash.string", "target_field": "hash.ja3_string", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.ja3s.hash", "target_field": "hash.ja3s", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.ja3s.hash.string", "target_field": "hash.ja3s_string", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.notbefore", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.notafter", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.sni", "target_field": "ssl.server_name", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.issuerdn", "target_field": "ssl.certificate.issuer", "ignore_missing": true } }, + { "rename": { "field": "message2.tls.session_resumed", "target_field": "ssl.session_resumed", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file 
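Review bot: The JA3 string renames read `message2.tls.ja3.hash.string` and `message2.tls.ja3s.hash.string`, which are sub-paths of the hash value rather than the sibling `string` key, so `hash.ja3_string`/`hash.ja3s_string` will never be set and `ignore_missing` hides it; they should be `"field": "message2.tls.ja3.string"` and `"field": "message2.tls.ja3s.string"` if the output nests `hash` and `string` side by side under `ja3`. `message2.tls.version` is the negotiated protocol version, not a certificate attribute, so `ssl.certificate.version` mislabels it — `ssl.version` would be the natural home. The certificate fields are also split across two namespaces (`ssl.certificate.subject`/`issuer`/`serial` but `x509.certificate.not_valid_before`/`not_valid_after`); picking one will make the dataset easier to query.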
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index ea58c5567..2b1a8cae1 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -3,17 +3,26 @@ {%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%} {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%} {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%} +{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %} {%- if ISAIRGAP is sameas true -%} --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules +{%- if ENGINE == "SURICATA" %} +--local=/opt/so/rules/nids/sorules/extraction.rules +--local=/opt/so/rules/nids/sorules/filters.rules +{%- endif %} --url=http://{{ MANAGERIP }}:7788/rules/emerging-all.rules --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf {%- else -%} ---suricata-version=5.0 +--suricata-version=6.0 --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules +{%- if ENGINE == "SURICATA" %} +--local=/opt/so/rules/nids/sorules/extraction.rules +--local=/opt/so/rules/nids/sorules/filters.rules +{%- endif %} --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf @@ -29,4 +38,4 @@ {%- for URL in URLS %} --url={{ URL }} {%- endfor %} -{%- endif %} +{%- endif %} \ No newline at end of file diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index db67ca08d..b04cc625d 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -18,6 +18,7 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} +{% set ENGINE = salt['pillar.get']('global:mdengine', '') %} # IDSTools Setup idstoolsdir: file.directory: 
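Review bot: Both new `--local=/opt/so/rules/nids/sorules/filters.rules` lines reference a file that does not exist in this series: the file added here is `salt/idstools/sorules/filer.rules`, and a later patch in the same series renames it to `filter.rules`, so neither spelling matches `filters.rules`. Either the two rulecat lines should read `--local=/opt/so/rules/nids/sorules/filter.rules` or the file name should be `filters.rules`; as written the filter rules will be silently absent from the merged ruleset. The same `if ENGINE == "SURICATA"` block is duplicated in the airgap and non-airgap branches, so a future change has to be made twice — a single block after the branch would be less error-prone.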
@@ -55,14 +56,12 @@ rulesdir: - group: 939 - makedirs: True -# Don't show changes because all.rules can be large synclocalnidsrules: file.recurse: - name: /opt/so/rules/nids/ - source: salt://idstools/ - user: 939 - group: 939 - - show_changes: False - include_pat: 'E@.rules' so-idstools: @@ -87,4 +86,4 @@ append_so-idstools_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif%} +{% endif%} \ No newline at end of file diff --git a/salt/idstools/sorules/extraction.rules b/salt/idstools/sorules/extraction.rules new file mode 100644 index 000000000..ae18edcb9 --- /dev/null +++ b/salt/idstools/sorules/extraction.rules 
@@ -0,0 +1,26 @@ +# Extract all PDF mime type +alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100000; rev:1;) +alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100001; rev:1;) +alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100002; rev:1;) +alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100003; rev:1;) +# Extract EXE/DLL file types +alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100004; rev:1;) +alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100005; rev:1;) +alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100006; rev:1;) +alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:11000007; rev:1;) +alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100008; rev:1;) +alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100009; rev:1;) +alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100010; rev:1;) +alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:11000011; rev:1;) + +# Extract all Zip files +alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100012; rev:1;) +alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"Zip"; filestore; sid:1100013; rev:1;) +alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"Zip"; filestore; sid:1100014; rev:1;) +alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"Zip"; filestore; sid:11000015; rev:1;) + +# Extract Word Docs +alert http any any -> any any (msg:"FILE 
EXE detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100016; rev:1;) +alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100017; rev:1;) +alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100018; rev:1;) +alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100019; rev:1;) \ No newline at end of file diff --git a/salt/idstools/sorules/filer.rules b/salt/idstools/sorules/filer.rules new file mode 100644 index 000000000..8c761bbab --- /dev/null +++ b/salt/idstools/sorules/filer.rules @@ -0,0 +1,3 @@ +# Start the filters at sid 1200000 +# Example of filtering out google.com from being dns logged. +#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;) \ No newline at end of file diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 46d9ef35d..91226701d 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -20,6 +20,7 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} +{% set ENGINE = salt['pillar.get']('global:mdengine', '') %} # Strelka config strelkaconfdir: 
@@ -188,6 +189,16 @@ strelka_zeek_extracted_sync_old: - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1' - minute: '*' +{% if ENGINE == "SURICATA" %} + +strelka_suricata_extracted_sync: + cron.present: + - user: root + - identifier: zeek-extracted-strelka-sync + - name: '[ -d /nsm/suricata/extracted/ ] && find /nsm/suricata/extracted/* -not \( -path /nsm/suricata/extracted/tmp -prune \) -type f -print0 | xargs -0 -I {} mv {} /nsm/strelka/unprocessed/ > /dev/null 2>&1' + - minute: '*' + +{% else %} strelka_zeek_extracted_sync: cron.present: - user: root @@ -195,10 +206,11 @@ strelka_zeek_extracted_sync: - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1' - minute: '*' +{% endif %} {% else %} {{sls}}_state_not_allowed: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} +{% endif %} \ No newline at end of file diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 49a25917c..695e43f08 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -156,8 +156,6 @@ suricata: mode: extra-data deployment: reverse header: X-Forwarded-For - - file-store: - enabled: "no" - tcp-data: enabled: "no" type: file @@ -588,4 +586,4 @@ suricata: threshold-file: /etc/suricata/threshold.conf #include: include1.yaml #include: include2.yaml - + \ No newline at end of file diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index afc4e02d8..0e5234b32 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -16,7 +16,6 @@ {% if sls in allowed_states %} {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} 
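Review bot: The new `strelka_suricata_extracted_sync` state uses `identifier: zeek-extracted-strelka-sync`, which looks copied from the zeek cron; Salt keys `cron.present` entries on the identifier, so the name is misleading when reading the crontab and, on a node that switches engine, will silently replace rather than coexist with the zeek entry. Suggested line: `- identifier: suricata-extracted-strelka-sync`. The `find ... -not \( -path /nsm/suricata/extracted/tmp -prune \)` correctly skips Suricata's in-progress directory, which is worth a one-line comment above the state since it is the only thing preventing half-written files from being handed to Strelka.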
@@ -64,9 +63,10 @@ surilogdir: suridatadir: file.directory: - - name: /nsm/suricata + - name: /nsm/suricata/extracted - user: 940 - group: 939 + - makedirs: True surirulesync: file.recurse: @@ -74,7 +74,6 @@ surirulesync: - source: salt://suricata/rules/ - user: 940 - group: 940 - - show_changes: False surilogscript: file.managed: @@ -148,6 +147,7 @@ so-suricata: - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw - /nsm/suricata/:/nsm/:rw + - /nsm/suricata/extracted:/var/log/suricata//filestore:rw - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - network_mode: host - watch: @@ -178,31 +178,10 @@ disable_so-suricata_so-status.conf: - month: '*' - dayweek: '*' -so-suricata-eve-clean: - file.managed: - - name: /usr/sbin/so-suricata-eve-clean - - user: root - - group: root - - mode: 755 - - template: jinja - - source: salt://suricata/cron/so-suricata-eve-clean - -# Add eve clean cron -clean_suricata_eve_files: - cron.present: - - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1 - - identifier: clean_suricata_eve_files - - user: root - - minute: '10' - - hour: '0' - - daymonth: '*' - - month: '*' - - dayweek: '*' - {% else %} {{sls}}_state_not_allowed: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} +{% endif %} \ No newline at end of file diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index 8c11901d0..da14f8d9a 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja @@ -3,7 +3,9 @@ {% from 'suricata/afpacket.map.jinja' import afpacket %} {% set suricata_pillar = salt['pillar.get']('suricata:config', {}) %} {% set default_evelog_index = [] %} +{% set default_filestore_index = [] %} {% set surimeta_evelog_index = [] %} +{% set surimeta_filestore_index = [] %} {% if salt['pillar.get']('sensor:hnsensor') %} {% load_yaml as homenet %} 
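Review bot: The added bind mount `/nsm/suricata/extracted:/var/log/suricata//filestore:rw` has a doubled slash, and the file-store output configured in this series (`dir: /nsm/extracted` in suricata_meta.yaml) already resolves through the existing `/nsm/suricata/:/nsm/:rw` mount to the same host directory, so the new mount appears redundant; if the filestore path is the intended location, the yaml `dir` should point there, otherwise the mount can go. `suridatadir` now targets `/nsm/suricata/extracted` with `makedirs: True`, so `/nsm/suricata` itself is no longer an explicit state target — worth confirming the parent keeps the 940/939 ownership the old state enforced. The `so-suricata-eve-clean` script and its cron are removed with no replacement visible in this commit; if eve log pruning now happens elsewhere, naming it in the commit message would save the next reader a search.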
@@ -33,19 +35,28 @@ HOME_NET: "[{{salt['pillar.get']('global:hnmanager', '')}}]" {% if 'eve-log' in li.keys() %} {% do default_evelog_index.append(loop.index0) %} {% endif %} + {% if 'file-store' in li.keys() %} + {% do default_filestore_index.append(loop.index0) %} + {% endif %} {% endfor %} {% set default_evelog_index = default_evelog_index[0] %} +{% set default_filestore_index = default_filestore_index[0] %} {# Find the index of eve-log so it can be grabbed later #} {% for li in suricata_meta.suricata.config.outputs %} {% if 'eve-log' in li.keys() %} {% do surimeta_evelog_index.append(loop.index0) %} {% endif %} + {% if 'file-store' in li.keys() %} + {% do surimeta_filestore_index.append(loop.index0) %} + {% endif %} {% endfor %} {% set surimeta_evelog_index = surimeta_evelog_index[0] %} +{% set surimeta_filestore_index = surimeta_filestore_index[0] %} {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %} {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} + {% do suricata_defaults.suricata.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_meta.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %} {% endif %} {% do suricata_defaults.suricata.config.update(default_packet_size) %} diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_meta.yaml index 4cf2530cd..3b1c55d8b 100644 --- a/salt/suricata/suricata_meta.yaml +++ b/salt/suricata/suricata_meta.yaml @@ -1,6 +1,20 @@ suricata: config: outputs: + - file-store: + version: 2 + enabled: "yes" + dir: /nsm/extracted + #write-fileinfo: "yes" + #force-filestore: "yes" + #stream-depth: 0 + #max-open-files: 1000 + #force-hash: [sha1, md5] + xff: + enabled: "no" + mode: extra-data + deployment: reverse + header: X-Forwarded-For - eve-log: types: - anomaly: 
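Review bot: `{% set default_filestore_index = default_filestore_index[0] %}` is evaluated unconditionally, so if the defaults file has no `file-store` output entry (this series removes a `file-store:`/`enabled: "no"` block from suricata/defaults.yaml) the render fails with an index error for every engine, not just SURICATA; guarding it with `{% if default_filestore_index %}` or asserting the list is non-empty would make the failure explicit. The merge under the SURICATA branch copies only `enabled` from the meta block, so the `version`, `dir` and `xff` settings written into suricata_meta.yaml's `file-store` entry are never applied; either merge the whole block (`.update(suricata_meta.suricata.config.outputs[surimeta_filestore_index]['file-store'])`) or document next to the meta file that only `enabled` is honoured.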
@@ -19,15 +33,15 @@ suricata: enabled: "yes" #requests: "no" #responses: "no" - #formats: [detailed, grouped] + formats: [grouped] #types: [a, aaaa, cname, mx, ns, ptr, txt] - tls: extended: "yes" #session-resumption: "no" #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - files: - force-magic: "no" - #force-hash: [md5] + force-magic: "yes" + force-hash: [md5,sha1] #- drop: # alerts: "yes" # flows: all diff --git a/setup/so-setup b/setup/so-setup index 614adaf3b..b0dbfed29 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -336,52 +336,52 @@ minion_type=$(get_minion_type) set_default_log_size >> $setup_log 2>&1 if [[ $is_helix ]]; then - RULESETUP=ETOPEN - NSMSETUP=BASIC - HNSENSOR=inherit - MANAGERUPDATES=0 + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} + HNSENSOR=${HNSENSOR:-inherit} + MANAGERUPDATES=${MANAGERUPDATES:-0} fi if [[ $is_helix || ( $is_manager && $is_node ) ]]; then - RULESETUP=ETOPEN - NSMSETUP=BASIC + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} fi if [[ $is_manager && $is_node ]]; then - LSPIPELINEWORKERS=1 - LSPIPELINEBATCH=125 - LSINPUTTHREADS=1 - LSPIPELINEBATCH=125 - NIDS=Suricata - ZEEKVERSION=ZEEK + LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1} + LSPIPELINEBATCH=${LSPIPELINEBATCH:-125} + LSINPUTTHREADS=${LSINPUTTHREADS:-1} + LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125} + NIDS=${NIDS:-Suricata} + ZEEKVERSION=${ZEEKVERSION:-ZEEK} fi if [[ $is_node ]]; then - CURCLOSEDAYS=30 + CURCLOSEDAYS=${CURCLOSEDAYS:-30} fi if [[ $is_import ]]; then - PATCHSCHEDULENAME=auto - MTU=1500 - RULESETUP=ETOPEN - NSMSETUP=BASIC - HNSENSOR=inherit - MANAGERUPDATES=0 - MANAGERADV=BASIC - INTERFACE=bond0 - ZEEKVERSION=ZEEK - NIDS=Suricata - RULESETUP=ETOPEN - GRAFANA=0 - OSQUERY=0 - WAZUH=0 - THEHIVE=0 - PLAYBOOK=0 + PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-auto} + MTU=${MTU:-1500} + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} + HNSENSOR=${HNSENSOR:-inherit} + MANAGERUPDATES=${MANAGERUPDATES:-0} + MANAGERADV=${MANAGERADV:-BASIC} + INTERFACE=${INTERFACE:-bond0} + ZEEKVERSION=${ZEEKVERSION:-ZEEK} + NIDS=${NIDS:-Suricata} + RULESETUP=${RULESETUP:-ETOPEN} + GRAFANA=${GRAFANA:-0} + OSQUERY=${OSQUERY:-0} + WAZUH=${WAZUH:-0} + THEHIVE=${THEHIVE:-0} + PLAYBOOK=${PLAYBOOK:-0} fi if [[ $is_airgap ]]; then - PATCHSCHEDULENAME=manual - MANAGERUPDATES=0 + PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} + MANAGERUPDATES=${MANAGERUPDATES:-0} fi # Start user prompts 
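Review bot: In the `is_manager && is_node` block, `LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125}` overwrites the `LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1}` assigned three lines earlier with the batch size, so the worker count defaults to 125 instead of 1; the original duplicated `LSPIPELINEBATCH=125` line was rewritten with the wrong variable on the left and should simply be deleted. `RULESETUP` is also assigned twice in the `is_import` block. Switching every fixed value to `${VAR:-default}` means each of these settings can now be overridden from the caller's environment; if that is the intended contract for unattended installs, a comment at the top of this block saying so would make it clear that `RULESETUP`, `NIDS` and `MANAGERUPDATES` are inputs rather than constants.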
@@ -708,31 +708,30 @@ set_redirect >> $setup_log 2>&1
set_progress_str 60 "$(print_salt_state_apply 'manager')"
salt-call state.apply -l info manager >> $setup_log 2>&1
- fi
- set_progress_str 61 "$(print_salt_state_apply 'firewall')"
- salt-call state.apply -l info firewall >> $setup_log 2>&1
-
- if [ $OS = 'centos' ]; then
- set_progress_str 62 'Installing Yum utilities'
- salt-call state.apply -l info yum.packages >> $setup_log 2>&1
- fi
-
- set_progress_str 62 "$(print_salt_state_apply 'common')"
- salt-call state.apply -l info common >> $setup_log 2>&1
-
- if [[ ! $is_helix ]]; then
- set_progress_str 62 "$(print_salt_state_apply 'nginx')"
- salt-call state.apply -l info nginx >> $setup_log 2>&1
- fi
-
- if [[ $is_manager || $is_helix || $is_import ]]; then
- set_progress_str 63 "$(print_salt_state_apply 'idstools')"
+ set_progress_str 61 "$(print_salt_state_apply 'idstools')"
create_local_nids_rules >> $setup_log 2>&1
salt-call state.apply -l info idstools >> $setup_log 2>&1
- set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')"
+ set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"
salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
+
+ fi
+
+ set_progress_str 62 "$(print_salt_state_apply 'firewall')"
+ salt-call state.apply -l info firewall >> $setup_log 2>&1
+
+ if [ $OS = 'centos' ]; then
+ set_progress_str 63 'Installing Yum utilities'
+ salt-call state.apply -l info yum.packages >> $setup_log 2>&1
+ fi
+
+ set_progress_str 63 "$(print_salt_state_apply 'common')"
+ salt-call state.apply -l info common >> $setup_log 2>&1
+
+ if [[ ! $is_helix ]]; then
+ set_progress_str 64 "$(print_salt_state_apply 'nginx')"
+ salt-call state.apply -l info nginx >> $setup_log 2>&1
fi
if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then
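Review bot: The idstools and suricata.manager applies are moved inside the conditional that wraps the `manager` state apply, whose `if` line is above this hunk, while the guard they were under, `if [[ $is_manager || $is_helix || $is_import ]]; then`, is removed. If that enclosing conditional is narrower than the removed guard, helix and import installs no longer run create_local_nids_rules or apply idstools and suricata.manager; keeping the explicit three-way guard around those calls preserves the previous coverage (a later patch in this series reintroduces it). The progress numbers also repeat (61 for both idstools and suricata.manager, 63 for yum and common), which makes the setup log harder to follow.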
@@ -911,4 +910,4 @@ fi
install_cleanup >> "$setup_log" 2>&1
-if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi
+if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi
\ No newline at end of file
From 9302b9302bccc37ec1e5ca2a3292354d78ecf400 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 19 Feb 2021 11:13:31 -0500
Subject: [PATCH 04/10] Clear salt fileserver cache to ensure the new local.rules file gets picked up on the filesync
---
setup/so-functions | 1 +
1 file changed, 1 insertion(+)
diff --git a/setup/so-functions b/setup/so-functions
index 6eb2bc1ed..6c277317a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -891,6 +891,7 @@ create_local_nids_rules() {
# Create a local.rules file so it doesn't get blasted on updates
mkdir -p /opt/so/saltstack/local/salt/idstools
echo "# Custom Suricata rules go in this file" > /opt/so/saltstack/local/salt/idstools/local.rules
+ salt-run fileserver.clear_file_list_cache
}
create_repo() {
From 08abad747d9e9de3d97685a7bb7c0548b4d9f183 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 19 Feb 2021 14:59:27 -0500
Subject: [PATCH 05/10] Fix name and update examples
---
salt/idstools/sorules/filer.rules | 3 ---
salt/idstools/sorules/filter.rules | 11 +++++++++++
2 files changed, 11 insertions(+), 3 deletions(-)
delete mode 100644 salt/idstools/sorules/filer.rules
create mode 100644 salt/idstools/sorules/filter.rules
diff --git a/salt/idstools/sorules/filer.rules b/salt/idstools/sorules/filer.rules
deleted file mode 100644
index 8c761bbab..000000000
--- a/salt/idstools/sorules/filer.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# Start the filters at sid 1200000
-# Example of filtering out google.com from being dns logged.
-#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
\ No newline at end of file
diff --git a/salt/idstools/sorules/filter.rules b/salt/idstools/sorules/filter.rules
new file mode 100644
index 000000000..9243e0f04
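Review bot: In create_local_nids_rules the added `salt-run fileserver.clear_file_list_cache` runs unconditionally and its exit status is not checked, so the function now returns whatever salt-run returns and a failed cache clear (for instance if the master is not reachable at that point in setup) is only visible as salt-run's own output in the log. A one-line guard such as `salt-run fileserver.clear_file_list_cache || echo "WARNING: could not clear salt fileserver cache; local.rules may not sync until the next cache refresh"` would make the failure explicit. Note also that the `echo ... >` on the line above truncates an existing local.rules on every call, which the comment "so it doesn't get blasted on updates" does not convey; that behaviour predates this hunk.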
--- /dev/null
+++ b/salt/idstools/sorules/filter.rules
@@ -0,0 +1,11 @@
+# Start the filters at sid 1200000
+# Example of filtering out *google.com from being in the dns log.
+#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
+# Example of filtering out *google.com from being in the http log.
+#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;)
+# Example of filtering out someuseragent from being in the http log.
+#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;)
+# Example of filtering out Google's certificate from being in the ssl log.
+#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
+# Example of filtering out a md5 of a file from being in the files log.
+#config fileinfo any any -> any any (fileinfo.filemd5; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200004;)
From 2a324eac3245db287516f932ce66257aa5050cbf Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Fri, 19 Feb 2021 15:12:55 -0500
Subject: [PATCH 06/10] Add sigma refresh script
---
salt/common/tools/sbin/so-playbook-sync | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index 250e4a3ad..8bf8dc507 100755
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -17,4 +17,4 @@
. /usr/sbin/so-common
-docker exec so-soctopus python3 playbook_play-sync.py
+docker exec so-soctopus python3 playbook_play-update.py
From 8c69e19419adb15824dffc699bf6740f2e6611dd Mon Sep 17 00:00:00 2001
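Review bot: The last example, `#config fileinfo any any -> any any (fileinfo.filemd5; content:"google.com"; ...)`, is described as filtering a file by its MD5 but its `content` is `google.com`, copied from the DNS example, so anyone uncommenting it as a template gets a rule that can never match a hash. Replace the content with a clearly labelled placeholder hash (for example `content:"<32 hex characters of the file's md5>"` in the comment) so the intended form is obvious. The comments say "*google.com" while the rules use a bare `content:"google.com"` substring match; stating in the header that `content` matches anywhere in the buffer, and that the `sid` values must stay unique across the other sorules files, would save the next reader a trip to the Suricata docs.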
From: Josh Brower
Date: Fri, 19 Feb 2021 15:14:37 -0500
Subject: [PATCH 07/10] Add sigma refresh script
---
.../tools/sbin/so-playbook-sigma-refresh | 20 +++++++++++++++++++
salt/common/tools/sbin/so-playbook-sync | 2 +-
2 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 salt/common/tools/sbin/so-playbook-sigma-refresh
diff --git a/salt/common/tools/sbin/so-playbook-sigma-refresh b/salt/common/tools/sbin/so-playbook-sigma-refresh
new file mode 100644
index 000000000..10697bc2f
--- /dev/null
+++ b/salt/common/tools/sbin/so-playbook-sigma-refresh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_play-update.py
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index 8bf8dc507..250e4a3ad 100755
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -17,4 +17,4 @@
. /usr/sbin/so-common
-docker exec so-soctopus python3 playbook_play-update.py
+docker exec so-soctopus python3 playbook_play-sync.py
From 8ab12c71a1b445a41218497303e4c4d9bc781874 Mon Sep 17 00:00:00 2001
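Review bot: The new script is added with mode 100644 (`create mode 100644 salt/common/tools/sbin/so-playbook-sigma-refresh`) while its sibling so-playbook-sync in the same sbin directory is 100755, so running it by name will fail with a permission error until the executable bit is committed (`chmod +x` before staging). Its last line also lacks a trailing newline. The script body is the command that the previous patch had put into so-playbook-sync and that this patch reverts, so the two scripts now differ only in the python entry point they run (`playbook_play-update.py` versus `playbook_play-sync.py`); a one-line comment above the docker exec stating what a "sigma refresh" does, as opposed to a sync, would help the next reader.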
From: Mike Reeves
Date: Fri, 19 Feb 2021 15:34:45 -0500
Subject: [PATCH 08/10] Rename filter.rules to filters.rules
---
salt/idstools/sorules/{filter.rules => filters.rules} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename salt/idstools/sorules/{filter.rules => filters.rules} (100%)
diff --git a/salt/idstools/sorules/filter.rules b/salt/idstools/sorules/filters.rules
similarity index 100%
rename from salt/idstools/sorules/filter.rules
rename to salt/idstools/sorules/filters.rules
From 9d3c82a5890c0b709ad220bfd1fb870c50dad461 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 19 Feb 2021 20:14:55 -0500
Subject: [PATCH 09/10] Disable unused features for import installations
---
setup/automation/import-airgap | 8 ++++----
setup/automation/import-ami | 8 ++++----
setup/automation/import-iso | 8 ++++----
setup/automation/import-net-centos | 10 +++++-----
setup/automation/import-net-ubuntu | 10 +++++-----
5 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap
index 6873cf120..bfd0e3641 100644
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-airgap
@@ -30,7 +30,7 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
-GRAFANA=1
+# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
@@ -58,7 +58,7 @@ NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
-OSQUERY=1
+# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
@@ -71,8 +71,8 @@ RULESETUP=ETOPEN
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
-THEHIVE=1
-WAZUH=1
+# THEHIVE=1
+# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-ami b/setup/automation/import-ami
index 6855fee93..88734c352 100644
--- a/setup/automation/import-ami
+++ b/setup/automation/import-ami
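Review bot: Commenting out `GRAFANA=1`, `OSQUERY=1`, `THEHIVE=1` and `WAZUH=1` leaves those variables unset, so the effective value for an import install now comes from the `${GRAFANA:-0}`-style fallbacks in so-setup's `$is_import` block rather than from this file; an explicit `GRAFANA=0` (and likewise `OSQUERY=0`, `THEHIVE=0`, `WAZUH=0`) would keep the automation file self-describing and immune to a later change of defaults. The same applies to the import-ami, import-iso, import-net-centos and import-net-ubuntu hunks that follow. The surrounding context also carries literal `WEBPASSWD1=0n10nus3r` / `WEBPASSWD2=0n10nus3r` values; if these automation files are used for anything beyond disposable test builds, the credentials belong in an untracked override rather than in the repository.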
@@ -30,7 +30,7 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
-GRAFANA=1
+# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
@@ -57,7 +57,7 @@ NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
-OSQUERY=1
+# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
@@ -70,8 +70,8 @@ RULESETUP=ETOPEN
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
-THEHIVE=1
-WAZUH=1
+# THEHIVE=1
+# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-iso b/setup/automation/import-iso
index 377d00207..011623091 100644
--- a/setup/automation/import-iso
+++ b/setup/automation/import-iso
@@ -30,7 +30,7 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
-GRAFANA=1
+# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
@@ -57,7 +57,7 @@ NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
-OSQUERY=1
+# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
@@ -70,8 +70,8 @@ RULESETUP=ETOPEN
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
-THEHIVE=1
-WAZUH=1
+# THEHIVE=1
+# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos
index bc8fbaaa0..37ca6ac51 100644
--- a/setup/automation/import-net-centos
+++ b/setup/automation/import-net-centos
@@ -30,7 +30,7 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
-GRAFANA=1
+# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
@@ -57,11 +57,11 @@ NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
-OSQUERY=1
+# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
-#PLAYBOOK=1
+# PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
@@ -70,8 +70,8 @@ RULESETUP=ETOPEN
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
-THEHIVE=1
-WAZUH=1
+# THEHIVE=1
+# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-net-ubuntu b/setup/automation/import-net-ubuntu
index eb7a4254d..ded17d09f 100644
--- a/setup/automation/import-net-ubuntu
+++ b/setup/automation/import-net-ubuntu
@@ -30,7 +30,7 @@ BASICSURI=2
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
-GRAFANA=1
+# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
@@ -57,11 +57,11 @@ NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
-OSQUERY=1
+# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
-#PLAYBOOK=1
+# PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
@@ -70,8 +70,8 @@ RULESETUP=ETOPEN
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
-THEHIVE=1
-WAZUH=1
+# THEHIVE=1
+# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r
From 7222f1faa599dfedce1dc1043280e735476f6afd Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Sat, 20 Feb 2021 16:41:12 -0500
Subject: [PATCH 10/10] fix merge issue
---
salt/idstools/init.sls | 2 ++
salt/suricata/init.sls | 1 +
setup/so-setup | 25 +++++++++++++------------
3 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index b04cc625d..2d3128797 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -56,12 +56,14 @@ rulesdir: - group: 939 - makedirs: True +# Don't show changes because all.rules can be large synclocalnidsrules: file.recurse: - name: /opt/so/rules/nids/ - source: salt://idstools/ - user: 939 - group: 939 + - show_changes: False - include_pat: 'E@.rules' so-idstools:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 0e5234b32..2adfe17a0 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -74,6 +74,7 @@ surirulesync: - source: salt://suricata/rules/ - user: 940 - group: 940 + - show_changes: False surilogscript: file.managed:
diff --git a/setup/so-setup b/setup/so-setup
index b0dbfed29..20eeeee08 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -708,32 +708,33 @@ set_redirect >> $setup_log 2>&1
set_progress_str 60 "$(print_salt_state_apply 'manager')"
salt-call state.apply -l info manager >> $setup_log 2>&1
-
- set_progress_str 61 "$(print_salt_state_apply 'idstools')"
- create_local_nids_rules >> $setup_log 2>&1
- salt-call state.apply -l info idstools >> $setup_log 2>&1
-
- set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"
- salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
-
fi
- set_progress_str 62 "$(print_salt_state_apply 'firewall')"
+ set_progress_str 61 "$(print_salt_state_apply 'firewall')"
salt-call state.apply -l info firewall >> $setup_log 2>&1
if [ $OS = 'centos' ]; then
- set_progress_str 63 'Installing Yum utilities'
+ set_progress_str 61 'Installing Yum utilities'
salt-call state.apply -l info yum.packages >> $setup_log 2>&1
fi
- set_progress_str 63 "$(print_salt_state_apply 'common')"
+ set_progress_str 62 "$(print_salt_state_apply 'common')"
salt-call state.apply -l info common >> $setup_log 2>&1
if [[ ! $is_helix ]]; then
- set_progress_str 64 "$(print_salt_state_apply 'nginx')"
+ set_progress_str 62 "$(print_salt_state_apply 'nginx')"
salt-call state.apply -l info nginx >> $setup_log 2>&1
fi
+ if [[ $is_manager || $is_helix || $is_import ]]; then
+ set_progress_str 63 "$(print_salt_state_apply 'idstools')"
+ create_local_nids_rules >> $setup_log 2>&1
+ salt-call state.apply -l info idstools >> $setup_log 2>&1
+
+ set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')"
+ salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
+ fi
+
if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then
set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
salt-call state.apply -l info elasticsearch >> $setup_log 2>&1