From 8dc11ea23aebd4ccca4159babb8e283055fca6fe Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 3 Oct 2022 08:43:39 -0400
Subject: [PATCH 1/8] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index c9583b108..8826786d1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3.170
+2.3.180

From 44d46b06a2b423ed43b8e0231b8f4d8d66ebcadf Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 7 Oct 2022 06:58:07 -0400
Subject: [PATCH 2/8] increment version to 2.3.180
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a39bcf92f..ed8c481a7 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.170
+## Security Onion 2.3.180
-Security Onion 2.3.170 is here!
+Security Onion 2.3.180 is here!
 ## Screenshots

From 9991f0cf958466b27acd265fd7946d9120d5f464 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 7 Oct 2022 07:02:24 -0400
Subject: [PATCH 3/8] update Elastic to 8.4.3
---
 salt/kibana/bin/so-kibana-config-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load
index 83edeba6a..ee0fae3e1 100644
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -59,7 +59,7 @@ update() {
 IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
 for i in "${LINES[@]}"; do
- RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+ RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
 echo $RESPONSE;
 if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
 done

From ab17cbee3143411a5d6ba6f5739286b27c71b3ea Mon Sep 17 00:00:00 2001
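Review bot: The Kibana version on the new RESPONSE line is hard-coded into the saved-object URL (`.../saved_objects/config/8.4.3`) and has to match the `id` in salt/kibana/files/config_saved_objects.ndjson, which the next patch in this series bumps separately; keeping the two in step by hand is how a partial upgrade ends up PUTting a config object under a stale id. Deriving the path from a single place, e.g. a `KIBANA_VERSION=8.4.3` variable (constructed name) used as `.../saved_objects/config/${KIBANA_VERSION}`, or reading the id out of each ndjson line before the PUT, would leave one value to change. While here, `echo $RESPONSE;` leaves the JSON body unquoted and should be `printf '%s\n' "$RESPONSE"`, and `$1` inside the eval'd `cat $1` is unquoted as well. update() begins before this hunk and continues past `done`.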
From: Doug Burks
Date: Fri, 7 Oct 2022 07:03:10 -0400
Subject: [PATCH 4/8] Update Elastic to 8.4.3
---
 salt/kibana/files/config_saved_objects.ndjson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 68beb2dab..29bbfd84e 100644
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.1","id": "8.4.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.3","id": "8.4.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

From 454a7a4799da5355dcc3365f74c9052cc37c98e1 Mon Sep 17 00:00:00 2001
From: doug
Date: Fri, 7 Oct 2022 11:52:49 -0400
Subject: [PATCH 5/8] FEATURE: Add new Sysmon dashboards #8870
---
 salt/soc/files/soc/dashboards.queries.json | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 7169fd472..0384510aa 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -2,10 +2,15 @@
 { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
 { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
- { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
- { "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"},
+ { "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Sysmon Registry", "description": "Registry changes captured by Sysmon", "query": "(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject"},
+ { "name": "Sysmon DNS", "description": "DNS queries captured by Sysmon", "query": "event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name"},
+ { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
+ { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
+ { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
 { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
 { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},

From 7401008523f74a6357eed5594ec0469fe7e2d80c Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 11 Oct 2022 12:58:37 -0400
Subject: [PATCH 6/8] Update soup for 2.3.180
---
 salt/common/tools/sbin/soup | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
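Review bot: The five new per-type dashboards (Sysmon Registry, DNS, Process, File, Network) filter only on event.dataset values, whereas the Sysmon Overview entry directly above them also requires `event.module:sysmon`; if any other module in the grid emits the same dataset names (cannot be verified from this hunk), those dashboards will quietly mix non-Sysmon events into views whose description promises Sysmon data. Prefixing each query with the module constraint, e.g. `event.module:sysmon AND event.dataset:dns_query | groupby ...` and `event.module:sysmon AND (event.dataset:process_creation OR ...) | groupby ...`, keeps them scoped the way the Overview entry is. The same point applies to the Sysmon Network line as rewritten in the later patch 7 hunk of this series.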
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 9fdefad79..1f97113a0 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -547,6 +547,7 @@ preupgrade_changes() {
 [[ "$INSTALLEDVERSION" == 2.3.140 ]] && up_to_2.3.150
 [[ "$INSTALLEDVERSION" == 2.3.150 ]] && up_to_2.3.160
 [[ "$INSTALLEDVERSION" == 2.3.160 ]] && up_to_2.3.170
+ [[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180
 true
 }
@@ -566,7 +567,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150
 [[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160
 [[ "$POSTVERSION" == 2.3.160 ]] && post_to_2.3.170
-
+ [[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180
 true
 }
@@ -662,6 +663,10 @@ post_to_2.3.170() {
 echo "Nothing to do for .170"
 }
+post_to_2.3.180() {
+ echo "Nothing to do for .180"
+}
+
 stop_salt_master() {
 # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
 set +e
@@ -951,6 +956,11 @@ up_to_2.3.170() {
 INSTALLEDVERSION=2.3.170
 }
+up_to_2.3.180() {
+ echo "Upgrading to 2.3.180"
+ INSTALLEDVERSION=2.3.180
+}
+
 verify_upgradespace() {
 CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
 if [ "$CURRENTSPACE" -lt "10" ]; then

From f4042263a3305f1ab5bb0046ca0d25a810c98236 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 13 Oct 2022 08:59:10 -0400
Subject: [PATCH 7/8] Remove destination_geo.organization_name from Sysmon Network sankey diagram
---
 salt/soc/files/soc/dashboards.queries.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 0384510aa..55d269a8b 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
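Review bot: post_to_2.3.180 (third hunk) does not advance POSTVERSION, while its counterpart up_to_2.3.180 in the fourth hunk ends with `INSTALLEDVERSION=2.3.180` so that the preupgrade chain in the first hunk cascades one step at a time; if the postupgrade chain in the second hunk is meant to cascade the same way, a grid coming from 2.3.160 runs post_to_2.3.170 and then skips post_to_2.3.180 because POSTVERSION still reads 2.3.160 (the visible post_to_2.3.170 body does not set it either, so this may be an existing convention rather than a new omission). It is harmless while both functions are no-ops, but the first real post-upgrade step added to this function would be skipped on multi-version upgrades. Adding `POSTVERSION=2.3.180` as the last line of post_to_2.3.180 makes the two chains symmetric.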
@@ -10,7 +10,7 @@
 { "name": "Sysmon DNS", "description": "DNS queries captured by Sysmon", "query": "event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name"},
 { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
 { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
- { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
+ { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
 { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
 { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},

From a2a6625f3bb018d0deb7d1fc6d2a5b4ce3e0e66a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 17 Oct 2022 09:39:07 -0400
Subject: [PATCH 8/8] 2.3.180
---
 VERIFY_ISO.md | 22 ++++++++++----------
 sigs/securityonion-2.3.180-20221014.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.180-20221014.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index 2d7853050..f14e91122 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.3.170-20220922 ISO image built on 2022/09/22
+### 2.3.180-20221014 ISO image built on 2022/10/14
 ### Download and Verify
-2.3.170-20220922 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.170-20220922.iso
+2.3.180-20221014 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.180-20221014.iso
-MD5: B45E38F72500CF302AE7CB3A87B3DB4C
-SHA1: 06EC41B4B7E55453389952BE91B20AA465E18F33
-SHA256: 634A2E88250DC7583705360EB5AD966D282FAE77AFFAF81676CB6D66D7950A3E
+MD5: 83FFF252C70A286860E02B5F2ACE5F16
+SHA1: 27B50B2ECE5B59C2FFF4E60FD10E72589B6D914E
+SHA256: 9AE4109C12F3CF77ACD6A9FCFD89CD0AEB4F18C1B72DB7ACE451F9EADA448273
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.170-20220922.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.180-20221014.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.170-20220922.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.180-20221014.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.170-20220922.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.180-20221014.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.170-20220922.iso.sig securityonion-2.3.170-20220922.iso
+gpg --verify securityonion-2.3.180-20221014.iso.sig securityonion-2.3.180-20221014.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 22 Sep 2022 11:48:42 AM EDT using RSA key ID FE507013
+gpg: Signature made Fri 14 Oct 2022 09:50:51 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.180-20221014.iso.sig b/sigs/securityonion-2.3.180-20221014.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..6fc2f258b4ff8994c067ad5f50f1c6d20774fdc0 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;G9X*&Q42@re`V7LBIa1$i)5C2NTRRvI+RY=3lGUo2l z7XR*1gcbIE(kwTnit0TDLXlsmU}Vcl3&`DFF)JjW=%+f&5kH|9=D84aA&ih4Hk??8 z7fQ)g?o^`o7oU}BenSHGzdkIR;uIB+PEP9q3@#ldVdeXFD&^~{NLBom$)V`ZC9`EO zHcfx{_D_%S7kR4rXnmYbb%I*%@|xhOpzi~1s0$86cgaWs8ZX{o@j0=pcrn1!IQi*b6Xych_FSqx{swChB|@lO$9Q?%CTagBhFKG z2RA1HiCDHm{#3AQxolhPyLV)4AW$pG=dxX&CH5DS9+IL2oCh?zRgOM@O}&Sq@cQ4!N&nsGvsyK3aYRo~bcB1J0LOA=X2 zU{t074>O&KP1~*;ZXvZeP4h9Jq?BCO$}0@U&drjl$;1&ti1#f9kRaurafReI4=*DM zMDb}8mp|YLbx+?x>epIfpAH