Merge remote-tracking branch 'remotes/origin/dev' into delta

Josh Brower
2021-03-08 12:56:47 -05:00
25 changed files with 311 additions and 149 deletions


@@ -1,16 +1,16 @@
### 2.3.20 ISO image built on 2020/12/20 ### 2.3.30 ISO image built on 2021/03/01
### Download and Verify ### Download and Verify
2.3.20 ISO image: 2.3.30 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso
MD5: E348FA65A46FD3FBA0D574D9C1A0582D MD5: 65202BA0F7661A5E27087F097B8E571E
SHA1: 4A6E6D4E0B31ECA1B72E642E3DB2C186B59009D6 SHA1: 14E842E39EDBB55A104263281CF25BF88A2E9D67
SHA256: 25DE77097903640771533FA13094D0720A032B70223875F8C77A92F5C44CA687 SHA256: 210B37B9E3DFC827AFE2940E2C87B175ADA968EDD04298A5926F63D9269847B7
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.20.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.30.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.20.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.3.30.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.3.20.iso.sig securityonion-2.3.20.iso gpg --verify securityonion-2.3.30.iso.sig securityonion-2.3.30.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Sun 20 Dec 2020 11:11:28 AM EST using RSA key ID FE507013 gpg: Signature made Mon 01 Mar 2021 02:15:28 PM EST using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.


@@ -1 +1 @@
2.3.30 2.3.40


@@ -1 +1 @@
net.ipv4.ip_local_reserved_ports="55000,57314" net.ipv4.ip_local_reserved_ports=55000,57314


@@ -84,7 +84,7 @@ while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
echo "## ##" echo "## ##"
echo "## Installing the Security Onion ##" echo "## Installing the Security Onion ##"
echo "## analyst node on this device will ##" echo "## analyst node on this device will ##"
echo "## make permanenet changes to ##" echo "## make permanent changes to ##"
echo "## the system. ##" echo "## the system. ##"
echo "## ##" echo "## ##"
echo "###########################################" echo "###########################################"


@@ -333,7 +333,7 @@ valid_ip4() {
valid_int() { valid_int() {
local num=$1 local num=$1
local min=${2:-1} local min=${2:-1}
local max=${3:-1000} local max=${3:-1000000000}
[[ $num =~ ^[0-9]*$ ]] && [[ $num -ge $min ]] && [[ $num -le $max ]] && return 0 || return 1 [[ $num =~ ^[0-9]*$ ]] && [[ $num -ge $min ]] && [[ $num -le $max ]] && return 0 || return 1
} }
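Review bot: The regex `^[0-9]*$` on the return line still accepts an empty string, and raising the default max from 1000 to 1000000000 widens what slips through: with an explicit `min` of 0 an empty `$num` is compared as 0 and passes, so the caller gets a "valid" integer that is not one. Requiring at least one digit fixes that: `[[ $num =~ ^[0-9]+$ ]] && [[ $num -ge $min ]] && [[ $num -le $max ]] && return 0 || return 1`. Callers that relied on the old default bound of 1000 as an implicit sanity limit now accept values up to a billion; if any of them feed sizes or counts into resource allocation, passing an explicit max at the call site would restore that guard, which cannot be confirmed from this hunk alone.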


@@ -17,4 +17,11 @@
. /usr/sbin/so-common . /usr/sbin/so-common
# Regenerate ElastAlert & update Plays
docker exec so-soctopus python3 playbook_play-update.py docker exec so-soctopus python3 playbook_play-update.py
# Delete current Elastalert Rules
rm /opt/so/rules/elastalert/playbook/*.yaml
# Regenerate Elastalert Rules
so-playbook-sync
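Review bot: The new `rm /opt/so/rules/elastalert/playbook/*.yaml` runs before `so-playbook-sync` regenerates the rules, and neither that command nor the `docker exec` above it has its exit status checked, so a failed sync leaves the node with no playbook ElastAlert rules and a silent detection gap. If the directory is already empty the unquoted glob also stays literal and `rm` errors on a file named `*.yaml`. I would write `rm -f -- /opt/so/rules/elastalert/playbook/*.yaml` and then `so-playbook-sync || { echo "so-playbook-sync failed: playbook rules were removed and not regenerated" >&2; exit 1; }` so the operator sees the gap instead of discovering it from missing alerts. The beginning of this script is outside the hunk.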


@@ -1,6 +1,5 @@
{%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %} {%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %}
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip') %} {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip') %}
{%- set FEATURES = salt['pillar.get']('elastic:features', False) %}
{%- set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} {%- set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
{%- if TRUECLUSTER is sameas true %} {%- if TRUECLUSTER is sameas true %}
{%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name') %} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name') %}
@@ -25,26 +24,28 @@ cluster.routing.allocation.disk.threshold_enabled: true
cluster.routing.allocation.disk.watermark.low: 95% cluster.routing.allocation.disk.watermark.low: 95%
cluster.routing.allocation.disk.watermark.high: 98% cluster.routing.allocation.disk.watermark.high: 98%
cluster.routing.allocation.disk.watermark.flood_stage: 98% cluster.routing.allocation.disk.watermark.flood_stage: 98%
{%- if FEATURES is sameas true %}
xpack.ml.enabled: false xpack.ml.enabled: false
#xpack.security.enabled: false {%- if grains['role'] in ['so-node','so-heavynode'] %}
#xpack.security.transport.ssl.enabled: true xpack.security.enabled: true
#xpack.security.transport.ssl.verification_mode: none {%- else %}
#xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key xpack.security.enabled: false
#xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt {%- endif %}
#xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ] xpack.security.transport.ssl.enabled: true
#{%- if grains['role'] in ['so-node','so-heavynode'] %} xpack.security.transport.ssl.verification_mode: none
#xpack.security.http.ssl.enabled: true xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
#xpack.security.http.ssl.client_authentication: none xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
#xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ]
#xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt {%- if grains['role'] in ['so-node','so-heavynode'] %}
#xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt xpack.security.http.ssl.enabled: true
#{%- endif %} xpack.security.http.ssl.client_authentication: none
#xpack.security.authc: xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
# anonymous: xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
# username: anonymous_user xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
# roles: superuser xpack.security.authc:
# authz_exception: true anonymous:
username: anonymous_user
roles: superuser
authz_exception: true
{%- endif %} {%- endif %}
node.name: {{ grains.host }} node.name: {{ grains.host }}
script.max_compilations_rate: 1000/1m script.max_compilations_rate: 1000/1m
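Review bot: `xpack.security.transport.ssl.verification_mode: none` on the new side turns TLS on for node-to-node transport but disables certificate validation, so any peer presenting any certificate can take part in transport traffic, and the `certificate_authorities: [ "/usr/share/elasticsearch/config/ca.crt" ]` line right after it is effectively unused. Since a CA file is already being distributed, `xpack.security.transport.ssl.verification_mode: certificate` would validate the peer chain without requiring hostname matching. The `anonymous` realm also grants `superuser` with `authz_exception: true`, which means any unauthenticated request that reaches the HTTP port of a so-node/so-heavynode (where `xpack.security.enabled: true`) gets full cluster admin; that may be intentional behind host firewalling, but a comment stating the assumption, e.g. `# anonymous superuser: the HTTP port must stay firewalled to manager/search nodes only`, would keep a later change from exposing 9200. These settings were previously commented out, so this commit is the first time they take effect.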


@@ -18,17 +18,10 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
{% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} {% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
{% set MANAGERIP = salt['pillar.get']('global:managerip') %} {% set MANAGERIP = salt['pillar.get']('global:managerip') %}
{% if FEATURES is sameas true %}
{% set FEATUREZ = "-features" %}
{% else %}
{% set FEATUREZ = '' %}
{% endif %}
{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %}
{% set esclustername = salt['pillar.get']('manager:esclustername') %} {% set esclustername = salt['pillar.get']('manager:esclustername') %}
{% set esheap = salt['pillar.get']('manager:esheap') %} {% set esheap = salt['pillar.get']('manager:esheap') %}
@@ -186,7 +179,7 @@ eslogdir:
so-elasticsearch: so-elasticsearch:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}{{ FEATUREZ }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}
- hostname: elasticsearch - hostname: elasticsearch
- name: so-elasticsearch - name: so-elasticsearch
- user: elasticsearch - user: elasticsearch


@@ -21,12 +21,6 @@
{% set LOCALHOSTIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set LOCALHOSTIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
{%- if FEATURES is sameas true %}
{% set FEATURES = "-features" %}
{% else %}
{% set FEATURES = '' %}
{% endif %}
filebeatetcdir: filebeatetcdir:
file.directory: file.directory:
- name: /opt/so/conf/filebeat/etc - name: /opt/so/conf/filebeat/etc
@@ -64,7 +58,7 @@ filebeatconfsync:
OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
so-filebeat: so-filebeat:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}{{ FEATURES }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}
- hostname: so-filebeat - hostname: so-filebeat
- user: root - user: root
- extra_hosts: {{ MANAGER }}:{{ MANAGERIP }},{{ LOCALHOSTNAME }}:{{ LOCALHOSTIP }} - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }},{{ LOCALHOSTNAME }}:{{ LOCALHOSTIP }}


@@ -459,10 +459,7 @@
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\
":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NSwxXQ=="} 
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\
":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NSwxXQ=="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NiwxXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NiwxXQ=="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NywxXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - 
Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1NywxXQ=="}
{"attributes":{"buildNum":29118,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.6.1","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1OCwxXQ=="} {"attributes":{"buildNum":33984,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.11.1","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T17:09:42.724Z","version":"WzcyNCwyXQ=="}
{"attributes":{"buildNum":30896,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.7.1","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ1OSwxXQ=="}
{"attributes":{"buildNum":33813,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.9.0","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MCwxXQ=="}
{"attributes":{"buildNum":33984,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"id":"7.9.2","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2020-10-13T17:09:42.724Z","version":"WzcyNCwyXQ=="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MSwxXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME 
Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MSwxXQ=="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MiwxXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.8.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MiwxXQ=="}
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MywxXQ=="} {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"
source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-10-13T16:41:02.447Z","version":"WzQ2MywxXQ=="}


@@ -4,12 +4,6 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
{%- if FEATURES is sameas true %}
{% set FEATURES = "-features" %}
{% else %}
{% set FEATURES = '' %}
{% endif %}
# Add ES Group # Add ES Group
kibanasearchgroup: kibanasearchgroup:
@@ -73,7 +67,7 @@ kibanabin:
# Start the kibana docker # Start the kibana docker
so-kibana: so-kibana:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}{{ FEATURES }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}
- hostname: kibana - hostname: kibana
- user: kibana - user: kibana
- environment: - environment:


@@ -19,13 +19,6 @@
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set MANAGERIP = salt['pillar.get']('global:managerip') %} {% set MANAGERIP = salt['pillar.get']('global:managerip') %}
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
{%- if FEATURES is sameas true %}
{% set FEATURES = "-features" %}
{% else %}
{% set FEATURES = '' %}
{% endif %}
# Logstash Section - Decide which pillar to use # Logstash Section - Decide which pillar to use
{% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %} {% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %}
@@ -146,7 +139,7 @@ lslogdir:
so-logstash: so-logstash:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}{{ FEATURES }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}
- hostname: so-logstash - hostname: so-logstash
- name: so-logstash - name: so-logstash
- user: logstash - user: logstash


@@ -1,54 +1,52 @@
{ {
"title": "Security Onion 2.3.20 is here!", "title": "Security Onion 2.3.30 is here!",
"changes": [ "changes": [
{ "summary": "soup has been refactored. You will need to run it a few times to get all the changes properly. We are working on making this even easier for future releases."}, { "summary": "Zeek is now at version 3.0.13." },
{ "summary": "soup now has awareness of Elastic Features and now downloads the appropriate Docker containers."}, { "summary": "CyberChef is now at version 9.27.2." },
{ "summary": "The Sensors interface has been renamed to Grid. This interface now includes all Security Onion nodes."}, { "summary": "Elastic components are now at version 7.10.2. This is the last version that uses the Apache license." },
{ "summary": "Grid interface now includes the status of the node. The status currently shows either Online (blue) or Offline (orange). If a node does not check-in on time then it will be marked as Offline."}, { "summary": "Suricata is now at version 6.0.1." },
{ "summary": "Grid interface now includes the IP and Role of each node in the grid."}, { "summary": "Salt is now at version 3002.5." },
{ "summary": "Grid interface includes a new Filter search input to filter the visible list of grid nodes to a desired subset. As an example, typing in “sensor” will hide all nodes except those that behave as a sensor."}, { "summary": "Suricata metadata parsing is now vastly improved." },
{ "summary": "The Grid description field can now be customized via the local minion pillar file for each node."}, { "summary": "If you choose Suricata for metadata parsing, it will now extract files from the network and send them to Strelka. You can add additional mime types <a href='https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/extraction.rules'>here</a>." },
{ "summary": "SOC will now draw attention to an unhealthy situation within the grid or with the connection between the users browser and the manager node. For example, when the Grid has at least one Offline node the SOC interface will show an exclamation mark in front of the browser tabs title and an exclamation mark next to the Grid menu option in SOC. Additionally, the favicon will show an orange marker in the top-right corner (dynamic favicons not supported in Safari). Additionally, if the users web browser is unable to communicate with the manager the unhealth indicators appear along with a message at the top of SOC that states there is a connection problem."}, { "summary": "It is now possible to filter Suricata events from being written to the logs. This is a new Suricata 6 feature. We have included some examples <a href='https://github.com/Security-Onion-Solutions/securityonion/blob/dev/salt/idstools/sorules/filters.rules'>here</a>." },
{ "summary": "Docker has been upgraded to the latest version."}, { "summary": "The Kratos docker container will now perform DNS lookups locally before reaching out to the network DNS provider." },
{ "summary": "Docker should be more reliable now as Salt is now managing daemon.json."}, { "summary": "Network configuration is now more compatible with manually configured OpenVPN or Wireguard VPN interfaces." },
{ "summary": "You can now install Elastic in a traditional cluster. When setting up the manager select Advanced and follow the prompts. Replicas are controlled in global.sls."}, { "summary": "<code>so-sensor-clean</code> will no longer spawn multiple instances." },
{ "summary": "You can now use Hot and Warm routing with Elastic in a traditional cluster. You can change the box.type in the minions sls file. You will need to create a curator job to re-tag the indexes based on your criteria."}, { "summary": "Suricata eve.json logs will now be cleaned up after 7 days. This can be changed via the pillar setting." },
{ "summary": "Telegraf has been updated to version 1.16.3."}, { "summary": "Fixed a security issue where the backup directory had improper file permissions." },
{ "summary": "Grafana has been updated to 7.3.4 to resolve some XSS vulnerabilities."}, { "summary": "The automated backup script on the manager now backs up all keys along with the salt configurations. Backup retention is now set to 7 days." },
{ "summary": "Grafana graphs have been changed to graphs vs guages so alerting can be set up."}, { "summary": "Strelka logs are now being rotated properly." },
{ "summary": "Grafana is now completely pillarized, allowing users to customize alerts and making it customizable for email, Slack, etc. See the docs <a href=\"https://securityonion.net/docs/grafana\">here</a>."}, { "summary": "Elastalert can now be customized via a pillar." },
{ "summary": "Yara rules now should properly install on non-airgap installs. Previously, users had to wait for an automated job to place them in the correct location."}, { "summary": "Introduced new script <code>so-monitor-add</code> that allows the user to easily add interfaces to the bond for monitoring." },
{ "summary": "Strelka backend will not stop itself any more. Previously, its behavior was to shut itself down after fifteen minutes and wait for Salt to restart it to look for work before shutting down again."}, { "summary": "Setup now validates all user input fields to give up-front feedback if an entered value is invalid." },
{ "summary": "Strelka daily rule updates are now logged to <code>/nsm/strelka/log/yara-update.log</code>"}, { "summary": "There have been several changes to improve install reliability. Many install steps have had their validation processes reworked to ensure that required tasks have been completed before moving on to the next step of the install." },
{ "summary": "Several changes to the setup script to improve install reliability."}, { "summary": "Users are now warned if they try to set <i>securityonion</i> as their hostname." },
{ "summary": "Airgap now supports the import node type."}, { "summary": "The ISO should now identify xvda and nvme devices as install targets." },
{ "summary": "Custom Zeek file extraction values in the pillar now work properly."}, { "summary": "At the end of the first stage of the ISO setup, the ISO device should properly unmount and eject." },
{ "summary": "TheHive has been updated to support Elastic 7."}, { "summary": "The text selection of choosing Suricata vs Zeek for metadata is now more descriptive." },
{ "summary": "Cortex image now includes whois package to correct an issue with the CERTatPassiveDNS analyzer."}, { "summary": "The logic for properly setting the <code>LOG_SIZE_LIMIT</code> variable has been improved." },
{ "summary": "Hunt and Alert quick action menu has been refactored into submenus."}, { "summary": "When installing on Ubuntu, Setup will now wait for cloud init to complete before trying to start the install of packages." },
{ "summary": "New clipboard quick actions now allow for copying fields or entire events to the clipboard."}, { "summary": "The firewall state runs considerably faster now." },
{ "summary": "PCAP Add Job form now retains previous job details for quickly adding additional jobs. A new Clear button now exists at the bottom of this form to clear out these fields and forget the previous job details."}, { "summary": "ICMP timestamps are now disabled." },
{ "summary": "PCAP Add Job form now allows users to perform arbitrary PCAP lookups of imported PCAP data (data imported via the <code>so-import-pcap</code> script)."}, { "summary": "Copyright dates on all Security Onion specific files have been updated." },
{ "summary": "Downloads page now allows direct download of Wazuh agents for Linux, Mac, and Windows from the manager, and shows the version of Wazuh and Elastic installed with Security Onion."}, { "summary": "<code>so-tcpreplay</code> (and indirectly <code>so-test</code>) should now work properly." },
{ "summary": "PCAP job interface now shows additional job filter criteria when expanding the job filter details."}, { "summary": "The Zeek packet loss script is now more accurate." },
{ "summary": "Upgraded authentication backend to Kratos 0.5.5."}, { "summary": "Grafana now includes an estimated EPS graph for events ingested on the manager." },
{ "summary": "SOC tables with the “Rows per Page” dropdown no longer show truncated page counts."}, { "summary": "Updated Elastalert to release 0.2.4-alt2 based on the <a href='https://github.com/jertel/elastalert'>jertel/elastalert</a> alt branch." },
{ "summary": "Several Hunt errors are now more descriptive, particularly those around malformed queries."}, { "summary": "Pivots from Alerts/Hunts to action links will properly URI encode values." },
{ "summary": "SOC Error banner has been improved to avoid showing raw HTML syntax, making connection and server-side errors more readable."}, { "summary": "Hunt timeline graph will properly scale the data point interval based on the search date range." },
{ "summary": "Hunt and Alerts interfaces will now allow pivoting to PCAP from a group of results if the grouped results contain a network.community_id field."}, { "summary": "Grid interface will properly show <i>Search</i> as the node type instead of <i>so-node</i>." },
{ "summary": "New “Correlate” quick action will pivot to a new Hunt search for all events that can be correlated by at least one of various event IDs."}, { "summary": "Import node now supports airgap environments." },
{ "summary": "Fixed bug that caused some Hunt queries to not group correctly without a .keyword suffix. This has been corrected so that the .keyword suffix is no longer necessary on those groupby terms."}, { "summary": "The so-mysql container will now show <i>healthy</i> when viewing the docker ps output." },
{ "summary": "Fixed issue where PCAP interface loses formatting and color coding when opening multiple PCAP tabs."}, { "summary": "The Soctopus configuration now uses private IPs instead of public IPs, allowing network communications to succeed within the grid." },
{ "summary": "Alerts interface now has a Refresh button that allows users to refresh the current alerts view without refreshing the entire SOC application."}, { "summary": "The Correlate action in Hunt now groups the OR filters together to ensure subsequent user-added filters are correctly ANDed to the entire OR group." },
{ "summary": "Hunt and Alerts interfaces now have an auto-refresh dropdown that will automatically refresh the current view at the selected frequency."}, { "summary": "Add support to <code>so-firewall</code> script to display existing port groups and host groups." },
{ "summary": "The <code>so-elastalert-test</code> script has been refactored to work with Security Onion 2.3."}, { "summary": "TheHive initialization during Security Onion setup will now properly check for a running ES instance and will retry connectivity checks to TheHive before proceeding." },
{ "summary": "The included Logstash image now includes Kafka plugins."}, { "summary": "Changes to the <i>.security</i> analyzer yields more accurate query results when using Playbook." },
{ "summary": "Wazuh agent registration process has been improved to support slower hardware and networks."}, { "summary": "Several Hunt queries have been updated." },
{ "summary": "An Elasticsearch ingest pipeline has been added for suricata.ftp_data."}, { "summary": "The pfSense firewall log parser has been updated to improve compatibility." },
{ "summary": "Elasticsearchs indices.query.bool.max_clause_count value has been increased to accommodate a slightly larger number of fields (1024 -> 1500) when querying using a wildcard."}, { "summary": "Kibana dashboard hyperlinks have been updated for faster navigation." },
{ "summary": "On nodes being added to an existing grid, setup will compare the version currently being installed to the manager (>=2.3.20), pull the correct Security Onion version from the manager if there is a mismatch, and run that version."}, { "summary": "Added a new <code>so-rule</code> script to make it easier to disable, enable, and modify SIDs." },
{ "summary": "Setup will gather any errors found during a failed install into <code>/root/errors.log</code> for easy copy/paste and debugging."}, { "summary": "ISO now gives the option to just configure the network during setup." }
{ "summary": "Selecting Suricata as the metadata engine no longer results in the install failing."},
{ "summary": "<code>so-rule-update</code> now accepts arguments to idstools. For example, <code>so-rule-update -f</code> will force idstools to pull rules, ignoring the default 15-minute pull limit."}
] ]
} }


@@ -684,8 +684,10 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
"/scripts/zeekloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh", "/scripts/zeekcaptureloss.sh",
{% endif %}
"/scripts/oldpcap.sh", "/scripts/oldpcap.sh",
"/scripts/raid.sh" "/scripts/raid.sh"
] ]
@@ -697,8 +699,10 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
"/scripts/zeekloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh", "/scripts/zeekcaptureloss.sh",
{% endif %}
"/scripts/oldpcap.sh", "/scripts/oldpcap.sh",
"/scripts/eps.sh", "/scripts/eps.sh",
"/scripts/raid.sh" "/scripts/raid.sh"
@@ -713,8 +717,10 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
"/scripts/zeekloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh", "/scripts/zeekcaptureloss.sh",
{% endif %}
"/scripts/oldpcap.sh", "/scripts/oldpcap.sh",
"/scripts/eps.sh", "/scripts/eps.sh",
"/scripts/raid.sh" "/scripts/raid.sh"
@@ -728,8 +734,10 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
"/scripts/zeekloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh", "/scripts/zeekcaptureloss.sh",
{% endif %}
"/scripts/oldpcap.sh", "/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh", "/scripts/influxdbsize.sh",
"/scripts/raid.sh" "/scripts/raid.sh"
@@ -742,8 +750,10 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
"/scripts/zeekloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh", "/scripts/zeekcaptureloss.sh",
{% endif %}
"/scripts/oldpcap.sh", "/scripts/oldpcap.sh",
"/scripts/helixeps.sh" "/scripts/helixeps.sh"
] ]
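Review bot: The same pillar lookup `{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}` is repeated verbatim in all five hunks of this file, so a future change to the pillar key or its default has to be made five times. Evaluating it once near the top of the template, `{% set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %}`, and guarding each block with `{% if MDENGINE == 'ZEEK' %}` keeps the rendered output identical and gives one place to change. Note also that telegraf/init.sls in this same commit tests `== 'SURICATA'` while these guards test `== 'ZEEK'`; should the pillar ever hold a third value, the two states disagree about whether the Zeek scripts are shipped versus scheduled. The surrounding input lists begin and end outside each hunk.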


@@ -29,6 +29,9 @@ tgrafsyncscripts:
- file_mode: 700 - file_mode: 700
- template: jinja - template: jinja
- source: salt://telegraf/scripts - source: salt://telegraf/scripts
{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
- exclude_pat: zeekcaptureloss.sh
{% endif %}
tgrafconf: tgrafconf:
file.managed: file.managed:
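Review bot: The new `exclude_pat` only excludes `zeekcaptureloss.sh`, while the telegraf.conf guards in this commit stop scheduling both `zeekloss.sh` and `zeekcaptureloss.sh`, so `zeekloss.sh` is still synced to Suricata-only nodes even though nothing runs it. The polarity also differs: this state checks `== 'SURICATA'` whereas telegraf.conf checks `== 'ZEEK'`, so any other pillar value ships the scripts but never schedules them. Using the same test here, `{% if salt['pillar.get']('global:mdengine', 'ZEEK') != 'ZEEK' %}`, and a pattern covering both files, `- exclude_pat: E@zeek(capture)?loss\.sh` (Salt's regex form of `exclude_pat`; confirm it is matched against the relative path as expected), keeps the two states in agreement. The `tgrafsyncscripts` state starts outside the hunk.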


@@ -55,7 +55,7 @@ MSRVIP=10.66.166.42
# NODE_ES_HEAP_SIZE= # NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE= # NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC NODESETUP=NODEBASIC
NSMSETUP=BASIC NSMSETUP=ADVANCED
NODEUPDATES=MANAGER NODEUPDATES=MANAGER
# OINKCODE= # OINKCODE=
# OSQUERY=1 # OSQUERY=1


@@ -55,7 +55,7 @@ MSRVIP=10.66.166.42
# NODE_ES_HEAP_SIZE= # NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE= # NODE_LS_HEAP_SIZE=
# NODESETUP=NODEBASIC # NODESETUP=NODEBASIC
NSMSETUP=BASIC NSMSETUP=ADVANCED
NODEUPDATES=MANAGER NODEUPDATES=MANAGER
# OINKCODE= # OINKCODE=
# OSQUERY=1 # OSQUERY=1


@@ -0,0 +1,78 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
# BASICZEEK=7
# BASICSURI=7
# BLOGS=
# BNICS=eth1
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-search
install_type=SEARCHNODE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=ens18
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.66
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=ADVANCED
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
# THEHIVE=1
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r
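Review bot: This new automated-install answer file, like the sibling sensor file in the next section, has no header saying what it is, and it carries plaintext credentials (`ADMINPASS1=onionuser`, `SOREMOTEPASS1=onionuser`) under a `#!/bin/bash` shebang that makes it look like a runnable script rather than a set of variables to be sourced. A short comment after the licence block, such as `# Automated-setup answer file for a distributed search node; the credentials below are throwaway test values, not defaults for real installs`, would stop it being copied as a template. The `TESTING=true` line appears to be what makes the whiptail prompts return early (so-whiptail's `[ -n "$TESTING" ] && return`), so it is worth stating that the file is only meaningful with that flag set. Also, `# ZEEKVERSION=ZEEK` here versus `ZEEKVERSION=SURICATA` in the sensor file shows the variable selects the metadata engine, which its name hides; a comment on that line would help the next reader.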


@@ -0,0 +1,78 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=ens19
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# GRAFANA=1
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-sensor
install_type=SENSOR
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=ens18
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.66
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
# NODESETUP=NODEBASIC
NSMSETUP=ADVANCED
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
# THEHIVE=1
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r


@@ -271,7 +271,7 @@ collect_adminuser_inputs() {
collect_cur_close_days() { collect_cur_close_days() {
whiptail_cur_close_days "$CURCLOSEDAYS" whiptail_cur_close_days "$CURCLOSEDAYS"
while ! valid_int "$CURCLOSEDAYS" "1"; do while ! valid_int "$CURCLOSEDAYS"; do
whiptail_invalid_input whiptail_invalid_input
whiptail_cur_close_days "$CURCLOSEDAYS" whiptail_cur_close_days "$CURCLOSEDAYS"
done done
@@ -322,7 +322,7 @@ collect_es_cluster_name() {
collect_es_space_limit() { collect_es_space_limit() {
whiptail_log_size_limit "$log_size_limit" whiptail_log_size_limit "$log_size_limit"
while ! valid_int "$log_size_limit" "1"; do # Upper/lower bounds? while ! valid_int "$log_size_limit"; do # Upper/lower bounds?
whiptail_invalid_input whiptail_invalid_input
whiptail_log_size_limit "$log_size_limit" whiptail_log_size_limit "$log_size_limit"
done done
@@ -331,7 +331,7 @@ collect_es_space_limit() {
collect_fleet_custom_hostname_inputs() { collect_fleet_custom_hostname_inputs() {
whiptail_fleet_custom_hostname whiptail_fleet_custom_hostname
while ! valid_fqdn "$FLEETCUSTOMHOSTNAME" || [[ $FLEETCUSTOMHOSTNAME != "" ]]; do while [[ -n $FLEETCUSTOMHOSTNAME ]] && ! valid_fqdn "$FLEETCUSTOMHOSTNAME"; do
whiptail_invalid_input whiptail_invalid_input
whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME" whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME"
done done
@@ -368,7 +368,7 @@ collect_gateway() {
} }
collect_helix_key() { collect_helix_key() {
whiptail_helix_apikey # validate? whiptail_helix_apikey
} }
collect_homenet_mngr() { collect_homenet_mngr() {
@@ -398,7 +398,6 @@ collect_hostname() {
whiptail_set_hostname "$HOSTNAME" whiptail_set_hostname "$HOSTNAME"
if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
if ! (whiptail_avoid_default_hostname); then if ! (whiptail_avoid_default_hostname); then
whiptail_set_hostname whiptail_set_hostname
@@ -446,7 +445,7 @@ collect_mngr_hostname() {
collect_mtu() { collect_mtu() {
whiptail_bond_nics_mtu "1500" whiptail_bond_nics_mtu "1500"
while ! valid_int "$MTU" "68"; do while ! valid_int "$MTU" "68" "10000"; do
whiptail_invalid_input whiptail_invalid_input
whiptail_bond_nics_mtu "$MTU" whiptail_bond_nics_mtu "$MTU"
done done
@@ -454,20 +453,10 @@ collect_mtu() {
collect_node_es_heap() { collect_node_es_heap() {
whiptail_node_es_heap "$ES_HEAP_SIZE" whiptail_node_es_heap "$ES_HEAP_SIZE"
while ! valid_int "$NODE_ES_HEAP_SIZE"; do
whiptail_invalid_input
whiptail_node_es_heap "$NODE_ES_HEAP_SIZE"
done
} }
collect_node_ls_heap() { collect_node_ls_heap() {
whiptail_node_ls_heap "$LS_HEAP_SIZE" whiptail_node_ls_heap "$LS_HEAP_SIZE"
while ! valid_int "$NODE_LS_HEAP_SIZE"; do
whiptail_invalid_input
whiptail_node_ls_heap "$NODE_LS_HEAP_SIZE"
done
} }
collect_node_ls_input() { collect_node_ls_input() {
@@ -500,7 +489,7 @@ collect_node_ls_pipeline_worker_count() {
collect_oinkcode() { collect_oinkcode() {
whiptail_oinkcode whiptail_oinkcode
while ! valid_string "$OINKCODE" "" "128"; do #TODO: verify max length here while ! valid_string "$OINKCODE" "" "128"; do
whiptail_invalid_input whiptail_invalid_input
whiptail_oinkcode "$OINKCODE" whiptail_oinkcode "$OINKCODE"
done done
@@ -569,6 +558,7 @@ collect_so_allow() {
collect_soremote_inputs() { collect_soremote_inputs() {
whiptail_create_soremote_user whiptail_create_soremote_user
SCMATCH=no SCMATCH=no
while [[ $SCMATCH != yes ]]; do while [[ $SCMATCH != yes ]]; do
whiptail_create_soremote_user_password1 whiptail_create_soremote_user_password1
whiptail_create_soremote_user_password2 whiptail_create_soremote_user_password2
@@ -596,11 +586,11 @@ collect_webuser_inputs() {
WPMATCH=no WPMATCH=no
while [[ $WPMATCH != yes ]]; do while [[ $WPMATCH != yes ]]; do
whiptail_create_web_user_password1 whiptail_create_web_user_password1
while ! check_password "$WEBPASSWD1"; do while ! check_password "$WEBPASSWD1"; do
whiptail_invalid_pass_characters_warning whiptail_invalid_pass_characters_warning
whiptail_create_web_user_password1 whiptail_create_web_user_password1
done done
if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then
whiptail_create_web_user_password2 whiptail_create_web_user_password2
check_web_pass check_web_pass
@@ -1802,6 +1792,16 @@ reserve_group_ids() {
groupadd -g 946 cyberchef groupadd -g 946 cyberchef
} }
reserve_ports() {
# These are also set via salt but need to be set pre-install to avoid conflicts before salt runs
if ! sysctl net.ipv4.ip_local_reserved_ports | grep 55000 | grep 57314; then
echo "Reserving ephemeral ports used by Security Onion components to avoid collisions"
sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"
else
echo "Ephemeral ports already reserved"
fi
}
reinstall_init() { reinstall_init() {
info "Putting system in state to run setup again" info "Putting system in state to run setup again"
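Review bot: `reserve_ports` in the last hunk replaces the kernel's reserved-port list rather than adding to it: `sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"` discards any ports an administrator or other tooling had already reserved, and the unquieted `sysctl ... | grep 55000 | grep 57314` check prints the matching line to the console as a side effect. Reading the current value with `sysctl -n` and appending only the entries that are missing keeps existing reservations, as sketched below. Separately, the hunks for `collect_node_es_heap` and `collect_node_ls_heap` drop the `valid_int` loops entirely, so a non-numeric heap size now passes setup unchecked; if the aim was to fix the `$ES_HEAP_SIZE`/`$NODE_ES_HEAP_SIZE` name mismatch, keeping a loop on the variable the whiptail function actually sets would be safer. The `collect_cur_close_days` and `collect_es_space_limit` hunks also drop the lower bound of `1`, so `0` presumably validates now unless `valid_int` rejects it on its own.
```shell
reserve_ports() {
  # These are also set via salt but need to be set pre-install to avoid conflicts before salt runs
  local current port
  local -a wanted=()
  current=$(sysctl -n net.ipv4.ip_local_reserved_ports)
  for port in 55000 57314; do
    [[ ",$current," == *",$port,"* ]] || wanted+=("$port")
  done
  if (( ${#wanted[@]} == 0 )); then
    echo "Ephemeral ports already reserved"
  else
    echo "Reserving ephemeral ports used by Security Onion components to avoid collisions"
    # Append to the existing list so reservations made outside Security Onion are kept
    sysctl -w net.ipv4.ip_local_reserved_ports="${current:+$current,}$(IFS=,; echo "${wanted[*]}")"
  fi
}
```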


@@ -191,7 +191,7 @@ if ! [[ -f $install_opt_file ]]; then
fi fi
if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then
whiptail_first_menu_iso whiptail_first_menu_iso
if [[ $option == "Configure Network" ]]; then if [[ $option == "CONFIGURENETWORK" ]]; then
network_init_whiptail network_init_whiptail
whiptail_management_interface_setup whiptail_management_interface_setup
network_init network_init
@@ -550,6 +550,8 @@ set_redirect >> $setup_log 2>&1
# Show initial progress message # Show initial progress message
set_progress_str 0 'Running initial configuration steps' set_progress_str 0 'Running initial configuration steps'
reserve_ports
set_path set_path
if [[ $is_reinstall ]]; then if [[ $is_reinstall ]]; then
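Review bot: The comparison `if [[ $option == "CONFIGURENETWORK" ]]; then` only works because whiptail_first_menu_iso now upper-cases `option` and strips its spaces, which nothing at this call site shows; a comment such as `# whiptail_first_menu_iso normalises the selection to an upper-case, space-free token` would spare the next reader from searching for why the displayed label "Configure Network" no longer matches. In the second hunk, `reserve_ports` is called without checking its status, so a failing `sysctl -w` (for example a read-only or absent key) goes unnoticed unless the script runs under `set -e`, which is not visible here; `reserve_ports || echo "warning: could not reserve ephemeral ports" >&2` would make the failure explicit. Its echo and sysctl output is also not redirected to `$setup_log` the way the neighbouring `set_redirect >> $setup_log 2>&1` step is, so it presumably lands on the console rather than in the log — worth confirming. Both hunks are top-level script lines whose surrounding control flow starts outside the hunk.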


@@ -632,10 +632,22 @@ whiptail_log_size_limit() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
case $install_type in
STANDALONE | EVAL | HEAVYNODE)
percentage=50
;;
*)
percentage=80
;;
esac
log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox \ read -r -d '' message <<- EOM
"Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage: \n\ Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage.
By default, this is set to 80% of the disk space allotted for /nsm." 10 75 "$1" 3>&1 1>&2 2>&3)
By default, this is set to ${percentage}% of the disk space allotted for /nsm.
EOM
log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox "$message" 11 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -652,6 +664,8 @@ whiptail_first_menu_iso() {
) )
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
option=$(echo "${option^^}" | tr -d ' ')
} }
whiptail_make_changes() { whiptail_make_changes() {
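Review bot: `read -r -d '' message <<- EOM` in whiptail_log_size_limit returns non-zero because `read -d ''` reaches end-of-input before finding a NUL delimiter; if this script runs under `set -e` (not visible here) the function aborts before the dialog is shown, so the line should read `read -r -d '' message <<- EOM || true`. `percentage` and `message` are assigned without `local`, unlike `exitstatus` a few lines below, so they leak into the caller's scope; `local percentage message` before the `case` keeps the function self-contained. `<<-` strips leading tabs only, so if the heredoc body is indented with spaces that indentation ends up in the dialog text — worth confirming against the raw file. In whiptail_first_menu_iso, `option=$(echo "${option^^}" | tr -d ' ')` can be written with parameter expansion alone, `option=${option^^}; option=${option// /}`, avoiding the subshell and pipeline, and a comment such as `# Normalise the menu label to an upper-case, space-free token for the comparisons in callers` would explain why `option` no longer equals the displayed text.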

