Merge pull request #1033 from Security-Onion-Solutions/fix/idstools

Fix/idstools

salt/idstools/etc/disable.conf

@@ -1,4 +1,4 @@
-{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
+{%- set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
 # idstools - disable.conf
 
 # Example of disabling a rule by signature ID (gid is optional).

salt/idstools/etc/enable.conf

@@ -1,4 +1,4 @@
-{% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
+{%- set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
 # idstools-rulecat - enable.conf
 
 # Example of enabling a rule by signature ID (gid is optional).

salt/idstools/etc/modify.conf

@@ -1,18 +1,10 @@
-{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
+{%- set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
 # idstools-rulecat - modify.conf
 
 # Format: <sid> "<from>" "<to>"
 
 # Example changing the seconds for rule 2019401 to 3600.
 #2019401 "seconds \d+" "seconds 3600"
-
-# Change all trojan-activity rules to drop. Its better to setup a
-# drop.conf for this, but this does show the use of back references.
-#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
-
-# For compatibility, most Oinkmaster modifysid lines should work as
-# well.
-#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
 {%- for sid in modify_sids %}
 {{ sid }}
 {%- endfor %}

salt/idstools/etc/rulecat.conf

@@ -1,6 +1,6 @@
-{% set URLS = salt['pillar.get']('idstools:config:urls, {}') -%}
+{%- set URLS = salt['pillar.get']('idstools:config:urls') -%}
-{% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
+{%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
-{% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
+{%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
 --suricata-version=5.0
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
@@ -14,6 +14,8 @@
 {%- elif RULESET == 'TALOS' %}
 --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
 {%- endif %}
+{%- if URLS != None %}
 {%- for URL in URLS %}
 --url={{ URL }}
 {%- endfor %}
+{%- endif %}

salt/zeek/fileextraction_defaults.yaml

@@ -0,0 +1,29 @@
+zeek:
+  policy:
+    file_extraction:
+      - application/x-dosexec: exe
+      - application/pdf: pdf
+      - application/msword: doc
+      - application/vnd.ms-powerpoint: doc
+      - application/rtf: doc
+      - application/vnd.ms-word.document.macroenabled.12: doc
+      - application/vnd.ms-word.template.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+      - application/vnd.ms-excel: doc
+      - application/vnd.ms-excel.addin.macroenabled.12: doc
+      - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+      - application/vnd.ms-excel.template.macroenabled.12: doc
+      - application/vnd.ms-excel.sheet.macroenabled.12: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+      - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+      - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+      - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+      - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+      - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+      - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+      - application/vnd.openxmlformats-officedocument: doc

salt/zeek/init.sls

@@ -43,7 +43,7 @@ zeekspooldir:
   file.directory:
     - name: /nsm/zeek/spool/manager
     - user: 937
-    - makedirs: true
+    - makedirs: True
 
 # Zeek extracted
 zeekextractdir:
@@ -57,7 +57,7 @@ zeekextractcompletedir:
   file.directory:
     - name: /nsm/zeek/extracted/complete
     - user: 937
-    - makedirs: true
+    - makedirs: True
 
 # Sync the policies
 zeekpolicysync:
@@ -68,6 +68,15 @@ zeekpolicysync:
     - group: 939
     - template: jinja
 
+# Sync Intel
+zeekintelloadsync:
+  file.managed:
+    - name: /opt/so/conf/policy/intel/__load__.zeek
+    - source: salt://zeek/policy/intel/__load__.zeek
+    - user: 937
+    - group: 939
+    - makedirs: True
+
 zeekctlcfg:
   file.managed:
     - name: /opt/so/conf/zeek/zeekctl.cfg
@@ -178,3 +187,4 @@ so-zeek:
       - file: /opt/so/conf/zeek/zeekctl.cfg
       - file: /opt/so/conf/zeek/policy
       - file: /opt/so/conf/zeek/bpf
+      

salt/zeek/policy/intel/__load__.zeek

@@ -1 +1,6 @@
-#Intel
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+redef Intel::read_files += {
+        "/opt/zeek/share/zeek/policy/intel/intel.dat"
+};

salt/zeek/policy/securityonion/file-extraction/extract.zeek

@@ -1,3 +1,4 @@
+{%- import_yaml "zeek/fileextraction_defaults.yaml" as zeek with context %}
 # Directory to stage Zeek extracted files before processing
 redef FileExtract::prefix = "/nsm/zeek/extracted/";
 # Set a limit to the file size
@@ -5,33 +6,17 @@ redef FileExtract::default_limit = 9000000;
 # These are the mimetypes we want to rip off the networks
 export {
     global _mime_whitelist: table[string] of string = {
-        ["application/x-dosexec"] = "exe",
+        {%- for li in zeek.zeek.policy.file_extraction %}
-        ["application/pdf"] = "pdf",
+          {%- if not loop.last %}
-        ["application/msword"] = "doc",
+          {%- for k,v in li.items() %}
-        ["application/vnd.ms-powerpoint"] = "doc",
+        ["{{ k }}"] = "{{ v }}",
-        ["application/rtf"] = "doc",
+          {%- endfor %}
-        ["application/vnd.ms-word.document.macroenabled.12"] = "doc",
+          {%- else %}
-        ["application/vnd.ms-word.template.macroenabled.12"] = "doc",
+          {%- for k,v in li.items() %}
-        ["application/vnd.ms-powerpoint.template.macroenabled.12"] = "doc",
+        ["{{ k }}"] = "{{ v }}"
-        ["application/vnd.ms-excel"] = "doc",
+          {%- endfor %}
-        ["application/vnd.ms-excel.addin.macroenabled.12"] = "doc",
+          {%- endif %}
-        ["application/vnd.ms-excel.sheet.binary.macroenabled.12"] = "doc",
+        {%- endfor %}
-        ["application/vnd.ms-excel.template.macroenabled.12"] = "doc",
-        ["application/vnd.ms-excel.sheet.macroenabled.12"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.slide"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.slideshow"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.presentationml.template"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.spreadsheetml.template"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "doc",
-        ["application/vnd.openxmlformats-officedocument.wordprocessingml.template"] = "doc",
-        ["application/vnd.ms-powerpoint.addin.macroenabled.12"] = "doc",
-        ["application/vnd.ms-powerpoint.slide.macroenabled.12"] = "doc",
-        ["application/vnd.ms-powerpoint.presentation.macroenabled.12"] = "doc",
-        ["application/vnd.ms-powerpoint.slideshow.macroenabled.12"] = "doc",
-        ["application/vnd.openxmlformats-officedocument"] = "doc"
-        # Need to add other types such as zip, ps1, etc
         };
 }
 # Start grabbing the file from the network if it matches the mimetype

setup/files/intel.dat

@@ -0,0 +1,5 @@
+#fields	indicator	indicator_type	meta.source	meta.do_notice
+# EXAMPLES:
+#66.32.119.38	Intel::ADDR	Test Address	T
+#www.honeynet.org	Intel::DOMAIN	Test Domain	T
+#4285358dd748ef74cb8161108e11cb73	Intel::FILE_HASH	Test MD5	T

setup/so-functions

@@ -986,6 +986,11 @@ manager_pillar() {
 		"  config:"\
 		"    ruleset: $RULESETUP"\
 		"    oinkcode: $OINKCODE"\
+		"    urls:"\
+		"  sids:"\
+		"    enabled:"\
+		"    disabled:"\
+		"    modify:"\
 		""\
 		"kratos:" >> "$pillar_file"
 		
@@ -1436,9 +1441,11 @@ setup_salt_master_dirs() {
 	if [ "$setup_type" = 'iso' ]; then
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	else
-		cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
+		cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
-		cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	fi
 
 	echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1