From 9d33d6ae62e504d827dd2f1408433027491432e6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 May 2020 15:18:07 -0400 Subject: [PATCH 01/21] pin salt repo to 2019.2.5 for centos - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/668 --- setup/so-functions | 4 ++-- setup/yum_repos/salt-2019-2-5.repo | 6 ++++++ setup/yum_repos/salt-2019-2.repo | 6 ------ 3 files changed, 8 insertions(+), 8 deletions(-) create mode 100644 setup/yum_repos/salt-2019-2-5.repo delete mode 100644 setup/yum_repos/salt-2019-2.repo diff --git a/setup/so-functions b/setup/so-functions index d769e72ad..2e7c6f12a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1017,7 +1017,7 @@ saltify() { set_progress_str 5 'Installing Salt repo' { sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/2019.2/SALTSTACK-GPG-KEY.pub; - cp ./yum_repos/salt-2019-2.repo /etc/yum.repos.d/salt-2019-2.repo; + cp ./yum_repos/salt-2019-2-5.repo /etc/yum.repos.d/salt-2019-2-5.repo; } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' yum -y install wget nmap >> "$setup_log" 2>&1 @@ -1044,7 +1044,7 @@ saltify() { # Copy repo files over cp ./yum_repos/salt-latest.repo /etc/yum.repos.d/salt-latest.repo; - cp ./yum_repos/salt-2019-2.repo /etc/yum.repos.d/salt-2019-2.repo; + cp ./yum_repos/salt-2019-2-5.repo /etc/yum.repos.d/salt-2019-2-5.repo; } >> "$setup_log" 2>&1 fi ;; diff --git a/setup/yum_repos/salt-2019-2-5.repo b/setup/yum_repos/salt-2019-2-5.repo new file mode 100644 index 000000000..e456fdd87 --- /dev/null +++ b/setup/yum_repos/salt-2019-2-5.repo @@ -0,0 +1,6 @@ +[saltstack-repo] +name=SaltStack repo for RHEL/CentOS $releasever PY3 +baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/2019.2.5/ +enabled=1 +gpgcheck=1 +gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub 
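Review bot: The new `salt-2019-2-5.repo` fetches its signing key from the same origin as the packages (`gpgkey=https://repo.saltstack.com/.../archive/2019.2.5/SALTSTACK-GPG-KEY.pub`), and the `rpm --import` in `saltify()` does the same, so `gpgcheck=1` only proves the RPMs match whatever key that host currently serves — a compromised or intercepted repo host can supply both. Since setup already keeps a copy of this key under `/opt/so/gpg/` for the Ubuntu path, the CentOS path could ship the key in the repo and point at it with `gpgkey=file:///opt/so/gpg/SALTSTACK-GPG-KEY.pub`, or at least log `rpm -q gpg-pubkey --qf '%{SUMMARY}\n'` after the import so the fingerprint can be checked. Minor: `baseurl` now hard-codes `redhat/7/x86_64` while `name=` still uses `$releasever`, which is harmless but inconsistent; `saltify()` itself continues outside this hunk.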
diff --git a/setup/yum_repos/salt-2019-2.repo b/setup/yum_repos/salt-2019-2.repo deleted file mode 100644 index 1826e0101..000000000 --- a/setup/yum_repos/salt-2019-2.repo +++ /dev/null @@ -1,6 +0,0 @@ -[saltstack-repo] -name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.saltstack.com/py3/redhat/$releasever/$basearch/2019.2 -enabled=1 -gpgcheck=1 -gpgkey=https://repo.saltstack.com/py3/redhat/$releasever/$basearch/2019.2/SALTSTACK-GPG-KEY.pub From c4ba7b30248d65ed4ae3eb8a2e777c8200f30db7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 May 2020 16:03:22 -0400 Subject: [PATCH 02/21] fix the missed changes for 2019.2.5 salt upgrade - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/668 --- setup/so-functions | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 2e7c6f12a..52f85e265 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1016,7 +1016,7 @@ saltify() { if [ $OS = 'centos' ]; then set_progress_str 5 'Installing Salt repo' { - sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/2019.2/SALTSTACK-GPG-KEY.pub; + sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub; cp ./yum_repos/salt-2019-2-5.repo /etc/yum.repos.d/salt-2019-2-5.repo; } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' @@ -1033,7 +1033,7 @@ saltify() { wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' - yum -y install salt-master-2019.2.4 >> "$setup_log" 2>&1 + yum -y install salt-master- 2019.2.5 >> "$setup_log" 2>&1 systemctl enable salt-master >> "$setup_log" 2>&1 ;; *) 
@@ -1054,7 +1054,7 @@ saltify() { set_progress_str 8 'Installing salt-minion & python modules' { yum -y install epel-release - yum -y install salt-minion-2019.2.4\ + yum -y install salt-minion- 2019.2.5\ python3\ python36-docker\ python36-dateutil\ @@ -1098,7 +1098,7 @@ saltify() { # Add saltstack repo(s) wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -1119,7 +1119,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' apt-get -y install sqlite3 argon2 libssl-dev >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' - apt-get -y salt-master=2019.2.4+ds-1 >> "$setup_log" 2>&1 + apt-get -y salt-master= 2019.2.5+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-master >> "$setup_log" 2>&1 ;; *) 
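Review bot: In the hunk at 1098 the new apt source is declared over plain `http://repo.saltstack.com...` even though the key on the line above is fetched over https, and `apt-key add -` installs that key into the global trusted keyring where it can sign any configured repository, not just SaltStack's. A `signed-by=` source scopes the key to this repo and https removes the cleartext download path: `echo "deb [signed-by=/opt/so/gpg/SALTSTACK-GPG-KEY.pub] https://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list` (on xenial the key may need `gpg --dearmor` first, since older apt only accepts binary keyrings for `signed-by`). `saltify()` continues outside this hunk.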
@@ -1130,14 +1130,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1 ;; esac apt-get update >> "$setup_log" 2>&1 set_progress_str 8 'Installing salt-minion & python modules' - apt-get -y install salt-minion=2019.2.4+ds-1\ - salt-common=2019.2.4+ds-1 >> "$setup_log" 2>&1 + apt-get -y install salt-minion= 2019.2.5+ds-1\ + salt-common= 2019.2.5+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-minion salt-common >> "$setup_log" 2>&1 if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-dateutil python3-m2crypto python3-mysqldb >> "$setup_log" 2>&1 From 8c8e0bf0e453adb430074622e530699ea359b49e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 13 May 2020 16:15:41 -0400 Subject: [PATCH 03/21] [fix] Set hostname correctly so salt picks it up before reboot --- setup/so-functions | 10 ++++------ setup/so-whiptail | 2 ++ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d769e72ad..7a6463a89 100755 --- a/setup/so-functions +++ b/setup/so-functions 
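Review bot: The rewritten `echo "deb http://...archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1` still has two stdout redirections; bash applies them left to right, so the `>>` to the log replaces the `>` to the list file and the deb line ends up in the setup log while `saltstack.list` is created empty. The Wazuh line just below already shows the working pattern — `echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" | tee /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1`. While touching it, the URL should use `https://` like the key fetch does, and the trailing `/` differs from the otherwise identical line in the master branch at 1098. `saltify()` continues outside this hunk.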
@@ -1282,12 +1282,9 @@ set_hostname() { set_hostname_iso - HOSTNAME=$(cat /etc/hostname) if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH)$ ]]; then - if [[ $TESTHOST = *"not found"* ]] || [ -z "$TESTHOST" ] || [[ $TESTHOST = *"connection timed out"* ]]; then - if ! grep -q "$MSRVIP" /etc/hosts; then - echo "$MSRVIP $MSRV" >> /etc/hosts - fi + if ! getent hosts "$MSRV"; then + echo "$MSRVIP $MSRV" >> /etc/hosts fi fi @@ -1297,9 +1294,10 @@ set_hostname_iso() { hostnamectl set-hostname --static "$HOSTNAME" echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts - echo "::1 $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts + echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo "$HOSTNAME" > /etc/hostname + hostname -F /etc/hostname } diff --git a/setup/so-whiptail b/setup/so-whiptail index 6de8e6fdd..fe9c4c7b1 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -905,6 +905,8 @@ whiptail_set_hostname() { [ -n "$TESTING" ] && return + HOSTNAME=$(cat /etc/hostname) + HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) From d7f5246dc40372671c352347d4805fe3554b3f86 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 13 May 2020 16:19:06 -0400 Subject: [PATCH 04/21] [feat] Add quiet flag to wget --- setup/so-functions | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 7a6463a89..08a940ef3 100755 --- a/setup/so-functions +++ b/setup/so-functions 
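Review bot: `if ! getent hosts "$MSRV"; then` leaves getent's stdout unredirected, so a successful lookup prints the resolved record to the terminal in the middle of the whiptail flow instead of into the log; use `if ! getent hosts "$MSRV" >/dev/null 2>&1; then`. The hostname entered in `whiptail_set_hostname` flows straight into `hostnamectl set-hostname --static "$HOSTNAME"` and the rewritten `/etc/hosts` with no validation visible in these hunks — unless a caller not shown here checks it, a guard such as `[[ "$HOSTNAME" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]] || return 1` before the writes would prevent whitespace or shell-unfriendly input from producing a malformed hosts file. Note also that `set_hostname_iso` replaces `/etc/hosts` wholesale, so any administrator-added entries are lost before the `$MSRVIP $MSRV` line is appended. `set_hostname()` closes outside the first hunk.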
@@ -1028,9 +1028,9 @@ saltify() { yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1 # Download Ubuntu Keys in case master updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' yum -y install salt-master-2019.2.4 >> "$setup_log" 2>&1 @@ -1097,7 +1097,7 @@ saltify() { if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi # Add saltstack repo(s) - wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list # Add Docker repo 
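Review bot: Adding `-q` to these `wget` calls also suppresses wget's error output, and none of them check the exit status, so a failed download of a repository signing key now leaves an empty or missing `/opt/so/gpg/*.pub` with nothing in `$setup_log` to explain it. For the `-O /opt/so/gpg/...` lines, `wget -nv` keeps the one-line error while dropping the progress noise, or append `|| echo "WARN: failed to fetch SaltStack key" >> "$setup_log"`. The `wget -q -O - ... | apt-key add -` pipeline at 1097 is worse off: with no `pipefail` visible, a silent fetch failure feeds nothing to `apt-key` and the only symptom is an unsigned-repo error much later in `apt-get update`. `saltify()` continues outside these hunks.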
@@ -1106,9 +1106,9 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 # Get key and install wazuh curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - >> "$setup_log" 2>&1 From 6e4ee26a58c7cb9b24d233aade9e4fd745adc3be Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 13 May 2020 16:34:35 -0400 Subject: [PATCH 05/21] Elastalert --> TheHive fixes --- salt/elastalert/files/elastalert_config.yaml | 2 +- salt/elastalert/files/rules/so/nids2hive.yaml | 6 +++--- salt/elastalert/init.sls | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml index e71f41bf8..2ecf08ffa 100644 --- a/salt/elastalert/files/elastalert_config.yaml +++ b/salt/elastalert/files/elastalert_config.yaml @@ -2,7 +2,7 @@ {% set esport = salt['pillar.get']('master:es_port', '') %} # This is the folder that contains the rule yaml files # Any .yaml file will be loaded as a rule -rules_folder: /etc/elastalert/rules/ +rules_folder: /opt/elastalert/rules/ # Sets whether or not ElastAlert should recursively descend # the rules directory - true or false 
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml index b7593b1d2..ee17cce38 100644 --- a/salt/elastalert/files/rules/so/nids2hive.yaml +++ b/salt/elastalert/files/rules/so/nids2hive.yaml @@ -23,13 +23,13 @@ filter: query_string: query: "event.module: suricata" -alert: modules.so.thehive.TheHiveAlerter +alert: hivealerter hive_connection: hive_host: http://{{hivehost}} - hive_port: 9000 + hive_port: 9000/thehive hive_apikey: {{hivekey}} - + hive_proxies: http: '' https: '' diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 83e7b5655..08cb0836d 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -118,7 +118,7 @@ so-elastalert: - user: elastalert - detach: True - binds: - - /opt/so/rules/elastalert:/opt/rules/:ro + - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro - /opt/so/log/elastalert:/var/log/elastalert:rw - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro From 64cddfeed3c63641757dfa0cf3640f4120df2e56 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 May 2020 16:42:49 -0400 Subject: [PATCH 06/21] remove space in package install --- setup/so-functions | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 52f85e265..4d2817505 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1033,7 +1033,7 @@ saltify() { wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' - yum -y install salt-master- 2019.2.5 >> "$setup_log" 2>&1 + yum -y install salt-master-2019.2.5 >> "$setup_log" 2>&1 systemctl enable salt-master >> "$setup_log" 2>&1 ;; *) 
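Review bot: The new `hive_connection` sends `hive_apikey: {{hivekey}}` to `hive_host: http://{{hivehost}}`, so the TheHive API key travels in cleartext whenever that address is not loopback (the value of `hivehost` is not set in this file, but the soctopus templates elsewhere in the repo use the master IP). If the alerter cannot take a path in `hive_host`, the TLS front end could still be used with `hive_host: https://{{hivehost}}` and the path carried in the port field as done here. `hive_port: 9000/thehive` presumably works only because hivealerter concatenates `<host>:<port>/api/alert`; a comment such as `# hive_port carries the /thehive path prefix: hivealerter builds <host>:<port>/api/alert` would keep the next maintainer from "fixing" it to a bare integer. The rendered rule also contains the key in plaintext under `/opt/so/rules/elastalert`, so its file mode matters.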
@@ -1054,7 +1054,7 @@ saltify() { set_progress_str 8 'Installing salt-minion & python modules' { yum -y install epel-release - yum -y install salt-minion- 2019.2.5\ + yum -y install salt-minion-2019.2.5\ python3\ python36-docker\ python36-dateutil\ @@ -1119,7 +1119,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' apt-get -y install sqlite3 argon2 libssl-dev >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' - apt-get -y salt-master= 2019.2.5+ds-1 >> "$setup_log" 2>&1 + apt-get -y salt-master=2019.2.5+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-master >> "$setup_log" 2>&1 ;; *) @@ -1136,8 +1136,8 @@ saltify() { esac apt-get update >> "$setup_log" 2>&1 set_progress_str 8 'Installing salt-minion & python modules' - apt-get -y install salt-minion= 2019.2.5+ds-1\ - salt-common= 2019.2.5+ds-1 >> "$setup_log" 2>&1 + apt-get -y install salt-minion=2019.2.5+ds-1\ + salt-common=2019.2.5+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-minion salt-common >> "$setup_log" 2>&1 if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-dateutil python3-m2crypto python3-mysqldb >> "$setup_log" 2>&1 From c3627c38e3fc3145a3cc629e07c80b450d620010 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 13 May 2020 17:03:14 -0400 Subject: [PATCH 07/21] Elastalert - NIDS fix --- salt/elastalert/files/rules/so/nids2hive.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml index ee17cce38..dc67119e4 100644 --- a/salt/elastalert/files/rules/so/nids2hive.yaml +++ b/salt/elastalert/files/rules/so/nids2hive.yaml @@ -15,7 +15,7 @@ timeframe: buffer_time: minutes: 10 allow_buffer_time_overlap: true -query_key: ["rule.signature_id"] +query_key: ["rule.uuid"] realert: days: 1 filter: 
@@ -40,7 +40,7 @@ hive_alert_config: source: 'SecurityOnion' description: "`NIDS Dashboard:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" severity: 2 - tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}'] + tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}'] tlp: 3 status: 'New' follow: True From 1499a0c5fdda5257e05ff3236676f47af433c5ae Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 May 2020 17:16:15 -0400 Subject: [PATCH 08/21] point gpg key to archive/2019.2.5 --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 4d2817505..74c50af52 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1097,7 +1097,7 @@ saltify() { if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi # Add saltstack repo(s) - wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list # Add Docker repo From f3ff8dc18c6a2dc93c6f3b7c64cbc8f3eb26d11e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 May 2020 17:22:24 -0400 Subject: [PATCH 09/21] add quiet option back to wget --- setup/so-functions | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 74c50af52..c577e4b7e 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1028,9 +1028,9 @@ saltify() { yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1 # Download Ubuntu Keys in case master updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' yum -y install salt-master-2019.2.5 >> "$setup_log" 2>&1 @@ -1097,7 +1097,7 @@ saltify() { if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi # Add saltstack repo(s) - wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list # Add Docker repo 
@@ -1106,9 +1106,9 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 - wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 # Get key and install wazuh curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - >> "$setup_log" 2>&1 From 367f99bf6e5a4ff6d419270dfa53317364643853 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 May 2020 17:38:11 -0400 Subject: [PATCH 10/21] add missing install for apt-get --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 288053ffb..0248c0150 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1119,7 +1119,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' apt-get -y install sqlite3 argon2 libssl-dev >> "$setup_log" 2>&1 set_progress_str 7 'Installing salt-master' - apt-get -y salt-master=2019.2.5+ds-1 >> "$setup_log" 2>&1 + apt-get -y install salt-master=2019.2.5+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-master >> "$setup_log" 2>&1 ;; *) From 8a68e6adb3eb3d37318a6993824e50a198e76b53 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Wed, 13 May 2020 19:27:14 -0400 Subject: [PATCH 11/21] Playbook hivealert fixes --- salt/soctopus/files/templates/generic.template | 7 ++++--- salt/soctopus/files/templates/osquery.template | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index 80dd1a762..68dc040fc 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -1,12 +1,13 @@ {% set es = salt['pillar.get']('static:masterip', '') %} {% set hivehost = salt['pillar.get']('static:masterip', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %} -alert: modules.so.thehive.TheHiveAlerter +alert: hivealerter hive_connection: - hive_host: https://{{hivehost}}/thehive/ + hive_host: http://{{hivehost}} + hive_port: 9000/thehive hive_apikey: {{hivekey}} - + hive_proxies: http: '' https: '' diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template index 5f1c6961a..28ea29ee9 100644 --- a/salt/soctopus/files/templates/osquery.template +++ b/salt/soctopus/files/templates/osquery.template @@ -1,12 +1,13 @@ {% set es = salt['pillar.get']('static:masterip', '') %} {% set hivehost = salt['pillar.get']('static:masterip', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %} -alert: modules.so.thehive.TheHiveAlerter +alert: hivealerter hive_connection: - hive_host: https://{{hivehost}}/thehive/ + hive_host: http://{{hivehost}} + hive_port: 9000/thehive hive_apikey: {{hivekey}} - + hive_proxies: http: '' https: '' From 3db67de27a31f33c9dc5f491be16f40f70b8f84c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 13 May 2020 20:39:56 -0400 Subject: [PATCH 12/21] osquery packages fix --- salt/elastalert/files/rules/so/nids2hive.yaml | 2 +- salt/reactor/fleet.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
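Review bot: Both templates move `hive_host` from `https://{{hivehost}}/thehive/` to `http://{{hivehost}}` with `hive_port: 9000/thehive`, which downgrades the transport for `hive_apikey: {{hivekey}}` from TLS to cleartext; `hivehost` is `static:masterip`, not loopback, so the API key is exposed on the wire from every node that renders these alerts. If the motivation is that `hivealerter` rejects a path in `hive_host`, the same trick that puts `/thehive` in the port field should allow `hive_host: https://{{hivehost}}` with `hive_port: 443/thehive` — worth confirming against the alerter's URL construction, which is not shown here. Either way the port-field hack deserves a comment, e.g. `# hivealerter builds <host>:<port>/api/alert, so the /thehive prefix rides in hive_port`.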
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml index dc67119e4..0696d84d7 100644 --- a/salt/elastalert/files/rules/so/nids2hive.yaml +++ b/salt/elastalert/files/rules/so/nids2hive.yaml @@ -38,7 +38,7 @@ hive_alert_config: title: '{match[rule][name]}' type: 'NIDS' source: 'SecurityOnion' - description: "`NIDS Dashboard:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" + description: "`Hunting Pivot:` \n\n \n\n `Kibana Dashboard:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" severity: 2 tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}'] tlp: 3 diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index 215d69942..d841d54d6 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -55,7 +55,7 @@ def run(): # Run Docker container that will build the packages gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=/opt/so/saltstack/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.2.2", \ + "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \ f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) From c7b4ab116fbd7a8da6672eb10f447de9c97198af Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 14 May 2020 10:57:44 -0400 Subject: [PATCH 13/21] fix rfb typo --- salt/soc/files/soc/soc.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 3dc2946aa..158b2446b 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -127,7 +127,7 @@ { "name": "PE", "description": "PE files list", "query": "event.module:zeek AND event.dataset:pe | groupby file.machine,file.os,file.subsystem"}, { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.module:zeek AND event.dataset:radius | groupby user.name"}, { "name": "RDP", "description": "RDP grouped by client name", "query": "event.module:zeek AND event.dataset:rdp | groupby client.name"}, - { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.module:zeek AND event.dataset:rfb | groupby rfp.desktop.name"}, + { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.module:zeek AND event.dataset:rfb | groupby rfb.desktop.name"}, { "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.module:zeek AND event.dataset:signatures | groupby signature_id"}, { "name": "SIP", "description": "SIP grouped by user agent", "query": "event.module:zeek AND event.dataset:sip | groupby client.user_agent"}, { "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.module:zeek AND event.dataset:smb_files | groupby file.action"}, @@ -146,4 +146,4 @@ } } } -} \ No newline at end of file +} From 937f488a8f503ebbf4c65da4983f0f1b669dca25 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 14 May 2020 11:13:43 -0400 Subject: [PATCH 14/21] Update static pillar --- setup/so-functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 0248c0150..0a6281fff 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -881,6 +881,8 @@ master_static() { " fleet_hostname: N/A"\ " fleet_ip: N/A"\ " sensoronikey: $SENSORONIKEY"\ + " strelka: $STRELKA"\ + " wazuh: $WAZUH"\ " masterupdate: $MASTERUPDATES" > "$static_pillar" echo "elastic:" >> /opt/so/saltstack/pillar/static.sls echo " features: False" >> /opt/so/saltstack/pillar/static.sls From 554612d25f1d625990bdbf5f7a2f9224f12d527d Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 14 May 2020 11:19:07 -0400 Subject: [PATCH 15/21] Navigator top.sls fix --- salt/top.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index 42203b13e..68e05959c 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -261,6 +261,9 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} + {%- if NAVIGATOR != 0 %} + - navigator + {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} From 6112322bce607fd9206d7e7577b7aee6d9193ce5 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 14 May 2020 11:20:11 -0400 Subject: [PATCH 16/21] change file.path to smb.path --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 158b2446b..20f2cc9cf 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -131,7 +131,7 @@ { "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.module:zeek AND event.dataset:signatures | groupby signature_id"}, { "name": "SIP", "description": "SIP grouped by user agent", "query": "event.module:zeek AND event.dataset:sip | groupby client.user_agent"}, { "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.module:zeek AND event.dataset:smb_files | groupby file.action"}, - { "name": "SMB_Mapping", "description": "SMB mapping grouped by path", "query": "event.module:zeek AND event.dataset:smb_mapping | groupby file.path"}, + { "name": "SMB_Mapping", "description": "SMB mapping grouped by path", "query": "event.module:zeek AND event.dataset:smb_mapping | groupby smb.path"}, { "name": "SMTP", "description": "SMTP grouped by subject", "query": "event.module:zeek AND event.dataset:smtp | groupby smtp.subject"}, { "name": "SNMP", "description": "SNMP grouped by version and string", "query": "event.module:zeek AND event.dataset:snmp | groupby snmp.community,snmp.version"}, { "name": "Software", "description": "List of software seen on the network", "query": "event.module:zeek AND event.dataset:software | groupby software.type,software.name"}, From 5c3e7acc6d9e2d795f71fbac16f092eb96a43a9f Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 14 May 2020 11:21:32 -0400 Subject: [PATCH 17/21] change resp_mime_types to file.resp_mime_types --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 20f2cc9cf..336a2410b 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -115,7 +115,7 @@ { "name": "HTTP", "description": "HTTP grouped by status message", "query": "event.module:zeek AND event.dataset:http | groupby http.status_message"}, { "name": "HTTP", "description": "HTTP grouped by user agent", "query": "event.module:zeek AND event.dataset:http | groupby http.useragent"}, { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.module:zeek AND event.dataset:http | groupby http.virtual_host"}, - { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.module:zeek AND event.dataset:http AND resp_mime_types:dosexec | groupby http.virtual_host"}, + { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.module:zeek AND event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"}, { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.module:zeek AND event.dataset:intel | groupby intel.indicator"}, { "name": "IRC", "description": "IRC grouped by command", "query": "event.module:zeek AND event.dataset:irc | groupby irc.command.type"}, { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.module:zeek AND event.dataset:kerberos | groupby kerberos.service"}, From 6991900ceb696359275a3cfcb485b24bd197675e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 14 May 2020 11:34:10 -0400 Subject: [PATCH 18/21] Update Query for geo --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 336a2410b..6cbcdd5d8 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -95,7 +95,7 @@
 { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.module:zeek AND event.dataset:notice | groupby notice.note,notice.message"},
 { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.module:zeek AND event.dataset:conn | groupby source.ip,destination.ip,network.protocol,destination.port"},
 { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module:zeek AND event.dataset:conn | groupby network.protocol,destination.port"},
- { "name": "Connections", "description": "Connections grouped by destination Geo", "query": "event.module:zeek AND event.dataset:conn | groupby destination_geo.country_name"},
+ { "name": "Connections", "description": "Connections grouped by destination Geo", "query": "event.module:zeek AND event.dataset:conn | groupby destination.geo.country_name"},
 { "name": "Connections", "description": "Connections grouped by source Geo", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"},
 { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby operation"},
 { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname,host.domain,destination.ip"},
From 2642968089d3a705c9988b396aa3f9b450bfc421 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 14 May 2020 11:50:16 -0400
Subject: [PATCH 19/21] [fix] Correct wazuh + suricata pillar placement
---
 setup/so-functions | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 0a6281fff..d2c45f2f9 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -823,11 +823,9 @@ master_pillar() {
 " cur_close_days: $CURCLOSEDAYS"\
 " grafana: $GRAFANA"\
 " osquery: $OSQUERY"\
- " wazuh: $WAZUH"\
 " thehive: $THEHIVE"\
 " playbook: $PLAYBOOK"\
 " navigator: $NAVIGATOR"\
- " strelka: $STRELKA"\
 ""\
 "kratos:" >> "$pillar_file"
@@ -882,10 +880,10 @@ master_static() {
 " fleet_ip: N/A"\
 " sensoronikey: $SENSORONIKEY"\
 " strelka: $STRELKA"\
- " wazuh: $WAZUH"\
- " masterupdate: $MASTERUPDATES" > "$static_pillar"
- echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
- echo " features: False" >> /opt/so/saltstack/pillar/static.sls
+ " wazuh: $WAZUH"\
+ " masterupdate: $MASTERUPDATES"\
+ "elastic:"\
+ " features: False" > "$static_pillar"
 printf '%s\n' '----' >> "$setup_log" 2>&1
 cat "$static_pillar" >> "$setup_log" 2>&1
From dbef2e2832d2563a770fad4bfc881e909631fce5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 14 May 2020 11:56:18 -0400
Subject: [PATCH 20/21] Update soc.json
---
 salt/soc/files/soc/soc.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 6cbcdd5d8..eb53c77ac 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -83,6 +83,7 @@
 },
 "queries": [
 { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"},
+ { "name": "Log Type", "description": "Show all events grouped by type", "query": "* | groupby event.module"},
 { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name"},
 { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"},
 { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert name", "query": "event.category: network AND event.dataset: alert | groupby rule.name"},
From 80cd40882143104e71662e8c55c20ba1622d9ab8 Mon Sep 17 00:00:00 2001
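Review bot: The consolidated `> "$static_pillar"` write on the last added line leaves the pillar file with whatever mode the current umask yields, while the same file carries `sensoronikey: $SENSORONIKEY` (context line above) and the unchanged `cat "$static_pillar" >> "$setup_log"` below copies it verbatim into the setup log; if that key is a credential, create the file with a restrictive mode before the printf, e.g. `install -m 0600 /dev/null "$static_pillar"`, and consider dropping or redacting the `cat` into the log. Replacing the two hard-coded `/opt/so/saltstack/pillar/static.sls` echoes with the `$static_pillar` variable is the right direction, since the old code only worked while the two paths happened to agree. The `printf` these arguments belong to, and `master_static` itself, begin above the hunk. Note also that the first hunk moves `strelka`, not suricata as the subject says, out of `master_pillar`, which may mislead a later reader of the history.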
From: William Wernert
Date: Thu, 14 May 2020 12:33:28 -0400
Subject: [PATCH 21/21] [fix] Only install nc, not full nmap
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index d2c45f2f9..aa28d2e8a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1020,7 +1020,7 @@ saltify() {
 cp ./yum_repos/salt-2019-2-5.repo /etc/yum.repos.d/salt-2019-2-5.repo;
 } >> "$setup_log" 2>&1
 set_progress_str 6 'Installing various dependencies'
- yum -y install wget nmap >> "$setup_log" 2>&1
+ yum -y install wget nmap-ncat >> "$setup_log" 2>&1
 case "$install_type" in
 'MASTER' | 'EVAL' | 'MASTERSEARCH' | 'FLEET' | 'HELIXSENSOR')
 reserve_group_ids >> "$setup_log" 2>&1
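Review bot: The replaced `yum -y install wget nmap-ncat >> "$setup_log" 2>&1` line still ignores the exit status, so a failed package install (repo unreachable, package missing) lets setup continue and later steps fail further from the cause; guard it with `yum -y install wget nmap-ncat >> "$setup_log" 2>&1 || { printf 'dependency install failed, see %s\n' "$setup_log" >&2; exit 1; }` or the script's own error helper if it has one. Installing only `nmap-ncat` instead of the full `nmap` package keeps a port scanner off the node, which is a sensible reduction of what gets installed. `saltify` begins above the hunk, and from the surrounding salt-repo lines this appears to be the CentOS branch only; whether the other OS branch installs an equivalent is not visible here.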