Merge pull request #10601 from Security-Onion-Solutions/cogburn/10413

Cogburn/10413
2025-12-06 17:22:49 +01:00 · 2023-06-20 11:08:53 -06:00
parent b60cf29598 ad28ea275f
commit fb81c6e2e3
2 changed files with 111 additions and 3 deletions
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -106,6 +106,13 @@ socusersroles:
    - require:
      - sls: manager.sync_es_users

+socuploaddir:
+  file.directory:
+    - name: /nsm/soc/uploads
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -172,6 +172,101 @@ function manage_salt() {
  fi
 }

+function send_file() {
+  request=$1
+  from=$(echo "$request" | jq -r .from)
+  to=$(echo "$request" | jq -r .to)
+  node=$(echo "$request" | jq -r .node)
+  [ $(echo "$request" | jq -r .cleanup) != "true" ] ; cleanup=$?
+
+  log "From: $from"
+  log "To: $to"
+  log "Node: $node"
+  log "Cleanup: $cleanup"
+
+  log "encrypting..."
+  gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"
+
+  fromgpg="$from.gpg"
+  filename=$(basename "$fromgpg")
+
+  log "sending..."
+  response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to")
+  # salt-cp returns 0 even if the file transfer fails, so we need to check the response.
+  # Remove the node and filename from the response on the off-chance they contain
+  # the word "True" in them
+  echo $response | sed "s/$node//" | sed "s/$filename//" | grep True
+  exit_code=$?
+
+  rm -f "$fromgpg"
+
+  log Response:$'\n'"$response"
+  log "Exit Code: $exit_code"
+
+  if [[ $cleanup -eq 1 ]]; then
+    log "Cleaning up file $from"
+    rm -f "$from"
+  fi
+
+  if [[ exit_code -eq 0 ]]; then
+    $(echo "true" > "${SOC_PIPE}")
+  else
+    $(echo "false" > "${SOC_PIPE}")
+  fi
+}
+
+function import_file() {
+  request=$1
+  node=$(echo "$request" | jq -r .node)
+  file=$(echo "$request" | jq -r .file)
+  importer=$(echo "$request" | jq -r .importer)
+
+  log "Node: $node"
+  log "File: $file"
+  log "Importer: $importer"
+
+  filegpg="$file.gpg"
+
+  log "decrypting..."
+  $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
+  decrypt_code=$?
+
+  if [[ $decrypt_code -eq 0 ]]; then
+    log "importing..."
+    case $importer in
+      pcap)
+        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
+        exit_code=$?
+        ;;
+      evtx)
+        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
+        exit_code=$?
+        ;;
+      *)
+        response="Unsupported importer: $importer"
+        exit_code=1
+        ;;
+    esac
+  else
+    response="Failed to decrypt file: $file"
+    exit_code=$decrypt_code
+  fi
+
+  rm -f "$file" "$filegpg"
+
+  log Response:$'\n'"$response"
+  log "Exit Code: $exit_code"
+
+  if [[ exit_code -eq 0 ]]; then
+    # trim off the node header ("manager_standalone:\n") and parse out the URL
+    url=$(echo "$response" | tail -n +2 | jq -r .url)
+    $(echo "$url" > "${SOC_PIPE}")
+  else
+    log "false"
+    $(echo "false" > "${SOC_PIPE}")
+  fi
+}
+
 while true; do
  log "Listening for request"
  request=$(cat ${SOC_PIPE})
@@ -191,6 +286,12 @@ while true; do
      manage-salt)
        manage_salt "${request}"
        ;;
+      send-file)
+        send_file "${request}"
+        ;;
+      import-file)
+        import_file "${request}"
+        ;;
      *)
        log "Unsupported command: $command"
        $(echo "false" > "${SOC_PIPE}")