From 6b8e2e2643542a5540aaf3df148348b7084cd903 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 1 Oct 2025 19:58:07 -0400
Subject: [PATCH 1/8] Add Filters

---
 .claude/settings.local.json | 9 +++++
 salt/zeek/policy/custom/filters/dns | 30 +++++++++++++++++
 salt/zeek/policy/custom/filters/files | 1 +
 salt/zeek/policy/custom/filters/httphost | 20 +++++++++++
 salt/zeek/policy/custom/filters/httpuri | 14 ++++++++
 salt/zeek/policy/custom/filters/ssl | 29 ++++++++++++++++
 salt/zeek/policy/custom/filters/tunnel | 17 ++++++++++
 salt/zeek/soc_zeek.yaml | 42 ++++++++++++++++++++++++
 8 files changed, 162 insertions(+)
 create mode 100644 .claude/settings.local.json
 create mode 100644 salt/zeek/policy/custom/filters/dns
 create mode 100644 salt/zeek/policy/custom/filters/files
 create mode 100644 salt/zeek/policy/custom/filters/httphost
 create mode 100644 salt/zeek/policy/custom/filters/httpuri
 create mode 100644 salt/zeek/policy/custom/filters/ssl
 create mode 100644 salt/zeek/policy/custom/filters/tunnel

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
new file mode 100644
index 000000000..9f305e068
--- /dev/null
+++ b/.claude/settings.local.json
@@ -0,0 +1,9 @@
+{
+ "permissions": {
+ "allow": [
+ "Bash(grep:*)"
+ ],
+ "deny": []
+ },
+ "enableAllProjectMcpServers": false
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/dns b/salt/zeek/policy/custom/filters/dns
new file mode 100644
index 000000000..e79032c19
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/dns
@@ -0,0 +1,30 @@
+hook DNS::log_policy(rec: DNS::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # Only put a single name per line otherwise there will be memory issues!
+ # If the query comes back blank don't log
+ if (!rec?$query)
+ break;
+
+ # If the query comes back with one of these don't log
+ if (rec?$query && /google.com$/ in rec$query)
+ break;
+
+ # If the query comes back with one of these don't log
+ if (rec?$query && /.apple.com$/ in rec$query)
+ break;
+
+ # Don't log reverse lookups
+ if (rec?$query && /.in-addr.arpa/ in to_lower(rec$query))
+ break;
+
+ # Don't log netbios lookups. This generates a cray amount of logs
+ if (rec?$qtype_name && /NB/ in rec$qtype_name)
+ break;
+ }
+
+event zeek_init()
+{
+ Log::remove_default_filter(DNS::LOG);
+ local filter: Log::Filter = [$name="dns-filter"];
+ Log::add_filter(DNS::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/files b/salt/zeek/policy/custom/filters/files
new file mode 100644
index 000000000..867e2c849
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/files
@@ -0,0 +1 @@
+# Placeholder
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/httphost b/salt/zeek/policy/custom/filters/httphost
new file mode 100644
index 000000000..29c682d33
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/httphost
@@ -0,0 +1,20 @@
+### HTTP filter by host entries by string #####
+
+module Filterhttp;
+
+export {
+ global remove_host_entries: set[string] = {"www.genevalab.com", "www.google.com"};
+ }
+
+hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # Remove HTTP host entries
+ if ( ! rec?$host || rec$host in remove_host_entries )
+ break;
+ }
+event zeek_init()
+{
+ Log::remove_default_filter(HTTP::LOG);
+ local filter: Log::Filter = [$name="http-filter"];
+ Log::add_filter(HTTP::LOG, filter);
+}
\ No newline at end of file
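Review bot: The domain patterns in the DNS hook are unanchored on the left and use an unescaped `.`, so `/google.com$/ in rec$query` also suppresses logging for any name ending in `google` plus one arbitrary character plus `com`, including look-alikes such as `fakegoogle.com`, and `/.apple.com$/` behaves the same way. A record the hook breaks on is never written, so an over-broad pattern is a permanent blind spot in dns.log; anchor the zone instead: `if (/(^|\.)google\.com$/ in rec$query)` and `if (/(^|\.)apple\.com$/ in rec$query)`. The `rec?$query &&` repeated on those conditions is redundant after the `!rec?$query` guard above them, and only the reverse-lookup check lowercases the query with `to_lower`, so the domain patterns match case-sensitively although DNS names are not case-sensitive. The comment `cray amount` presumably means `crazy amount`.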
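Review bot: The condition `if ( ! rec?$host || rec$host in remove_host_entries )` breaks whenever the Host header is absent, so every HTTP record without a Host header is dropped from http.log, not only the listed hosts. Requests lacking a Host header are often the ones worth keeping (raw HTTP/1.0 clients and scanning tools), and dropping them silently widens the exclusion far beyond its stated purpose; it should read `if ( rec?$host && rec$host in remove_host_entries )`. `remove_host_entries` is pre-seeded with `www.genevalab.com` and `www.google.com`, which look like sample values; if so, a comment such as `# Example hosts; replace with the hosts to exclude from http.log` above the `global` would keep them from being treated as a tuned default.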
diff --git a/salt/zeek/policy/custom/filters/httpuri b/salt/zeek/policy/custom/filters/httpuri
new file mode 100644
index 000000000..9a57cc5ff
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/httpuri
@@ -0,0 +1,14 @@
+### HTTP filter by uri using pattern ####
+
+hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # Remove HTTP uri entries by regex
+ if ( rec?$uri && /^\/kratos\// in rec$uri )
+ break;
+ }
+event zeek_init()
+{
+ Log::remove_default_filter(HTTP::LOG);
+ local filter: Log::Filter = [$name="http-filter"];
+ Log::add_filter(HTTP::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/ssl b/salt/zeek/policy/custom/filters/ssl
new file mode 100644
index 000000000..e7be0f768
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/ssl
@@ -0,0 +1,29 @@
+### Log filter by JA3S md5 hash:
+hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # SSL log filter Ja3s by md5
+ if (rec?c$ssl$ja3s_cipher && ( /623de93db17d313345d7ea481e7443cf/ )in rec$c$ssl$ja3s_cipher)
+ break;
+ }
+
+event zeek_init()
+{
+ Log::remove_default_filter(SSL::LOG);
+ local filter: Log::Filter = [$name="ssl-filter"];
+ Log::add_filter(SSL::LOG, filter);
+}
+
+### Log filter by server name:
+hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # SSL log filter by server name
+ if (rec?$server_name && ( /api.github.com$/ ) in rec$server_name)
+ break;
+ }
+
+event zeek_init()
+{
+ Log::remove_default_filter(SSL::LOG);
+ local filter: Log::Filter = [$name="ssl-filter"];
+ Log::add_filter(SSL::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/tunnel b/salt/zeek/policy/custom/filters/tunnel
new file mode 100644
index 000000000..dd58caa4d
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/tunnel
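Review bot: The first hook's test `rec?c$ssl$ja3s_cipher` is not valid Zeek: the has-field operator is `?$`, `c` is not defined in this scope, and `SSL::Info` has no `c` field as far as I can tell, so loading this file should fail at script load time and take the Zeek start-up down with it. If the intent is to match on the JA3S hash, test the field your JA3 package adds to `SSL::Info` (confirm its name), e.g. `if (rec?$<JA3S_FIELD> && /623de93db17d313345d7ea481e7443cf/ in rec$<JA3S_FIELD>)` with `<JA3S_FIELD>` replaced. The file also declares `zeek_init` twice with identical bodies; multiple `SSL::log_policy` handlers are fine, but the second `zeek_init` only removes and re-adds the same `ssl-filter` and can go. As in the dns filter, `/api.github.com$/` has unescaped dots and no left anchor, so it also suppresses look-alikes such as `api-github.com` or `xapi.github.com`; `/(^|\.)api\.github\.com$/` is the intended match.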
@@ -0,0 +1,17 @@
+global tunnel_subnet: set[subnet]={
+
+ 10.19.0.0/24
+
+};
+
+hook Tunnel::log_policy(rec: Tunnel::Info, id: Log::ID, Filter: Log::Filter)
+ {
+ if (rec$id$orig_h in tunnel_subnet || rec$id$resp_h in tunnel_subnet)
+ break;
+ }
+event zeek_init()
+{
+ Log::remove_default_filter(Tunnel::LOG);
+ local filter: Log::Filter = [$name="tunnel-filter"];
+ Log::add_filter(Tunnel::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index b3b655083..929b9debd 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
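Review bot: The hook parameter is spelled `Filter` where `Tunnel::log_policy` declares it as `filter` (the other filter files use `filter`); Zeek may reject the handler for not matching the declared prototype, so confirm with a parse-only run and make it `hook Tunnel::log_policy(rec: Tunnel::Info, id: Log::ID, filter: Log::Filter)`. `tunnel_subnet` is pre-populated with `10.19.0.0/24`, which drops every tunnel.log record whose originator or responder is in that network; if it is sample data, mark it (`# Example subnet; replace with networks to exclude from tunnel.log`) or ship the set empty, since a pre-seeded exclusion hides tunnel activity for a whole subnet with no trace in the log.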
@@ -61,6 +61,48 @@ zeek:
 global: True
 advanced: True
 duplicates: True
+ dns:
+ description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable.
+ helpLink: zeek.html
+ file: True
+ global: True
+ advanced: True
+ duplicates: True
+ files:
+ description: Files Filter for Zeek. This is an advanced setting and will take further action to enable.
+ helpLink: zeek.html
+ file: True
+ global: True
+ advanced: True
+ duplicates: True
+ httphost:
+ description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable.
+ helpLink: zeek.html
+ file: True
+ global: True
+ advanced: True
+ duplicates: True
+ httpuri:
+ description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable.
+ helpLink: zeek.html
+ file: True
+ global: True
+ advanced: True
+ duplicates: True
+ ssl:
+ description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable.
+ helpLink: zeek.html
+ file: True
+ global: True
+ advanced: True
+ duplicates: True
+ tunnel:
+ description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable.
+ helpLink: zeek.html
+ file: True
+ global: True
+ advanced: True
+ duplicates: True
 file_extraction:
 description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
 forcedType: "[]{}"

From 9752d6169916271c7dce7b630dfa81d1ee162cf7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 1 Oct 2025 19:59:28 -0400
Subject: [PATCH 2/8] Add Filters

---
 .claude/settings.local.json | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 .claude/settings.local.json

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
deleted file mode 100644
index 9f305e068..000000000
--- a/.claude/settings.local.json
+++ /dev/null
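Review bot: The six new `description` entries say the setting "will take further action to enable" but not what enabling it does to the data, while the `dns`, `httphost`, `ssl` and `tunnel` files they expose ship with pre-seeded exclusions (`google.com`, `www.google.com`, `api.github.com`, `10.19.0.0/24`). Since a `log_policy` hook that breaks drops the record permanently, the user-facing text should name the trade-off, e.g. `description: DNS Filter for Zeek. Records matched by this filter are not written to dns.log. This is an advanced setting and will take further action to enable.`, with the same wording adapted for `files`, `httphost`, `httpuri`, `ssl` and `tunnel`.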
@@ -1,9 +0,0 @@
-{
- "permissions": {
- "allow": [
- "Bash(grep:*)"
- ],
- "deny": []
- },
- "enableAllProjectMcpServers": false
-}
\ No newline at end of file

From 8675193d1f3d05b3e408bade186ae6cdea189cc7 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 6 Oct 2025 12:56:31 -0500
Subject: [PATCH 3/8] elasticsearch upgrade 8.18.8

---
 salt/elasticsearch/defaults.yaml | 2 +-
 salt/kibana/defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 6ed55a936..23eee8df0 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,6 +1,6 @@
 elasticsearch:
 enabled: false
- version: 8.18.6
+ version: 8.18.8
 index_clean: true
 config:
 action:
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 645821b6c..078f826a0 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -22,7 +22,7 @@ kibana:
 - default
 - file
 migrations:
- discardCorruptObjects: "8.18.6"
+ discardCorruptObjects: "8.18.8"
 telemetry:
 enabled: False
 security:

From 7af95317db79e0babc32d1d9d68fe3c1cb80be7c Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 6 Oct 2025 16:23:22 -0500
Subject: [PATCH 4/8] es upgrade 8.18.8 pipeline updates

---
 .../files/integrations/grid-nodes_general/import-evtx-logs.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
index 8132f4a09..dd95e6337 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.5.4\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.1.2\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.5.4\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.5.4\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.1.2\n- add_fields:\n target: data_stream\n 
fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.6.1\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.1.2\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.6.1\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.6.1\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.1.2\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ 
"import" ] From 39432198cccdf7115fc64cd9f7d1bdfe36aa6e62 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Oct 2025 16:25:52 -0500 Subject: [PATCH 5/8] Elastic 8.18.8 elastic agent build --- salt/manager/tools/sbin/soup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index e49be133f..6da34aa75 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -874,14 +874,14 @@ up_to_2.4.170() { } up_to_2.4.180() { - # Elastic Update for this release, so download Elastic Agent files - determine_elastic_agent_upgrade - + echo "Nothing to do for 2.4.180" INSTALLEDVERSION=2.4.180 } up_to_2.4.190() { - echo "Nothing to do for 2.4.190" + # Elastic Update for this release, so download Elastic Agent files + determine_elastic_agent_upgrade + INSTALLEDVERSION=2.4.190 } From 564374a8fb67c1c4bcca5edb84ac45edcd4d185c Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 7 Oct 2025 12:21:26 -0500 Subject: [PATCH 6/8] generate new elastic agents in post soup --- salt/manager/tools/sbin/soup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 6da34aa75..3d1a7504a 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -600,9 +600,6 @@ post_to_2.4.170() { } post_to_2.4.180() { - echo "Regenerating Elastic Agent Installers" - /sbin/so-elastic-agent-gen-installers - # Force update to Kafka output policy /usr/sbin/so-kafka-fleet-output-policy --force @@ -610,6 +607,9 @@ post_to_2.4.180() { } post_to_2.4.190() { + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers + # Only need to update import / eval nodes if [[ "$MINION_ROLE" == "import" ]] || [[ "$MINION_ROLE" == "eval" ]]; then update_import_fleet_output 
From c16bf50493f673c50695dc1168fb4501e8a3504f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 7 Oct 2025 14:20:25 -0400
Subject: [PATCH 7/8] Update files

---
 salt/zeek/policy/custom/filters/files | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/salt/zeek/policy/custom/filters/files b/salt/zeek/policy/custom/filters/files
index 867e2c849..311f37cc2 100644
--- a/salt/zeek/policy/custom/filters/files
+++ b/salt/zeek/policy/custom/filters/files
@@ -1 +1,13 @@
-# Placeholder
\ No newline at end of file
+hook Files::log_policy(rec: Files::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # Turn off a specific mimetype
+ if (rec?$mime_type && ( /soap+xml/ | /json/ | /xml/ | /x509/ )in rec$mime_type)
+ break;
+ }
+
+event zeek_init()
+{
+ Log::remove_default_filter(Files::LOG);
+ local filter: Log::Filter = [$name="files-filter"];
+ Log::add_filter(Files::LOG, filter);
+}

From bad9a16ebbca0308f99f6eaa6a0c7d1649e4a85b Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 8 Oct 2025 13:02:44 -0400
Subject: [PATCH 8/8] support non-async state apply

---
 salt/soc/files/bin/salt-relay.sh | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 16c387f86..4fc7d8d3d 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
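Review bot: In the hook's condition `/soap+xml/` never matches the MIME type `application/soap+xml`: in a Zeek pattern `+` is a quantifier, so it matches `soa` followed by one or more `p` and then `xml`, and the literal form would be `/soap\+xml/`. Here it is moot because `/xml/` already matches every string `/soap\+xml/` would, so the alternation can be reduced to `( /json/ | /xml/ | /x509/ ) in rec$mime_type`. Excluding all `x509`, `json` and `xml` file records from files.log is a broad cut (certificates and JSON/XML bodies appear in both benign and suspicious traffic), so a header comment stating that these types are examples to tune would help; unlike httphost, httpuri and ssl, this file has no header comment describing its purpose.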
@@ -237,10 +237,22 @@ function manage_salt() { case "$op" in state) - log "Performing '$op' for '$state' on minion '$minion'" state=$(echo "$request" | jq -r .state) - response=$(salt --async "$minion" state.apply "$state" queue=2) + async=$(echo "$request" | jq -r .async) + if [[ $async == "true" ]]; then + log "Performing async '$op' on minion $minion with state '$state'" + response=$(salt --async "$minion" state.apply "$state" queue=2) + else + log "Performing '$op' on minion $minion with state '$state'" + response=$(salt "$minion" state.apply "$state") + fi + exit_code=$? + if [[ $exit_code -ne 0 && "$response" =~ "is running as PID" ]]; then + log "Salt already running: $response ($exit_code)" + respond "$id" "ERROR_SALT_ALREADY_RUNNING" + return + fi ;; highstate) log "Performing '$op' on minion $minion" @@ -259,7 +271,7 @@ function manage_salt() { ;; esac - if [[ exit_code -eq 0 ]]; then + if [[ $exit_code -eq 0 ]]; then log "Successful command execution: $response" respond "$id" "true" else
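Review bot: `exit_code=$?` on the line after `fi` holds the salt exit status only because the status of an `if` compound is that of the last command in the branch taken, which here is the `response=$(salt ...)` assignment; inserting any statement after either assignment (a `log`, say) silently breaks the check, so capture it inside each branch, `exit_code=$?` directly after each `response=$(...)`, or comment why it sits after `fi`. Separately, `jq -r .async` prints `null` when the request has no `async` key, so every existing caller that never sent one now runs `state.apply` synchronously and without `queue=2`; if that change of default is not intended, test `if [[ $async != "false" ]]; then` instead, otherwise document the default where the request format is defined. The `manage_salt` function starts and ends outside the hunk.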