CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

initial quick OCD pass

Browse Source
This commit is contained in:
doug
2022-09-23 16:29:55 -04:00
parent e3f4a58989
commit fee5a7bea9
11 changed files with 96 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
salt/elastalert/soc_elastalert.yaml
View File

@@ -24,7 +24,7 @@ elastalert:
global: True
helpLink: elastalert.html
max_query_size:
description: The maximum number of documents that will be downloaded from Elasticsearch in a single query.
description: The maximum number of documents that will be returned from Elasticsearch in a single query.
global: True
helpLink: elastalert.html
alert_time_limit:
@@ -34,10 +34,10 @@ elastalert:
helpLink: elastalert.html
index_settings:
shards:
description: The amount of shards to use for elastalert.
description: The number of shards for elastalert indices.
global: True
helpLink: elastalert.html
replicas:
description: The amount of replicas for the Elastalert index.
description: The number of replicas for elastalert indices.
global: True
helpLink: elastalert.html

2
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -72,7 +72,7 @@ elasticsearch:
global: True
helpLink: elasticsearch.html
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs.
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
global: True
helpLink: elasticsearch.html
so-azure: *indexSettings

34
salt/firewall/soc_firewall.yaml
View File

@@ -1,109 +1,109 @@
firewall:
hostgroups:
analyst_workstations:
description: List of IP Addresses or CIDR blocks to allow analyst workstations.
description: List of IP addresses or CIDR blocks to allow analyst workstations.
file: True
global: True
title: Analyst Workstations
helpLink: firewall.html#host-groups
analyst:
description: List of IP Addresses or CIDR blocks to allow analyst connections.
description: List of IP addresses or CIDR blocks to allow analyst connections.
file: True
global: True
title: Analyst
helpLink: firewall.html#host-groups
beats_endpoint:
description: List of IP Addresses or CIDR blocks of standard beats without encryption.
description: List of IP addresses or CIDR blocks of standard beats without encryption.
file: True
global: True
title: Beats Endpoints
helpLink: firewall.html#host-groups
beats_endpoint_ssl:
description: List of IP Addresses or CIDR blocks of standard beats with encryption.
description: List of IP addresses or CIDR blocks of standard beats with encryption.
file: True
global: True
title: Beats Endpoints SSL
helplink: firewall.html#host-groups
elastic_agent_endpoint:
description: List of IP Addresses or CIDR blocks for Elastic Agent connections.
description: List of IP addresses or CIDR blocks for Elastic Agent connections.
file: True
global: True
title: Elastic Agents
helplink: firewall.html#host-groups
elasticsearch_rest:
description: List of IP Addresses or CIDR blocks to allow access directly to Elasticsearch.
description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
file: True
global: True
title: Elasticsearch Rest
advanced: True
helplink: firewall.html#host-groups
endgame:
description: List of IP Addresses or CIDR blocks to allow endgame access.
description: List of IP addresses or CIDR blocks to allow Endgame access.
file: True
global: True
title: Endgame
advanced: True
helplink: firewall.html#host-groups
strelka_frontend:
description: List of IP Addresses or CIDR blocks to allow access to the Strelka front end.
description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
file: True
global: True
title: Strelka Frontend
advanced: True
helplink: firewall.html#host-groups
syslog:
description: List of IP Addresses or CIDR blocks to allow syslog.
description: List of IP addresses or CIDR blocks to allow syslog.
file: True
global: True
title: Syslog Endpoint Traffic
helplink: firewall.html#host-groups
standalone:
description: List of IP Addresses or CIDR blocks to allow standalone connections.
description: List of IP addresses or CIDR blocks to allow standalone connections.
file: True
global: True
title: Standalone
advanced: True
helpLink: firewall.html#host-groups
eval:
description: List of IP Addresses or CIDR blocks to allow eval connections.
description: List of IP addresses or CIDR blocks to allow eval connections.
file: True
global: True
title: Eval
advanced: True
helpLink: firewall.html#host-groups
idh:
description: List of IP Addresses or CIDR blocks to allow idh connections.
description: List of IP addresses or CIDR blocks to allow idh connections.
file: True
global: True
title: IDH Nodes
helpLink: firewall.html#host-groups
manager:
description: List of IP Addresses or CIDR blocks to allow manager connections.
description: List of IP addresses or CIDR blocks to allow manager connections.
file: True
global: True
title: Manager
advanced: True
helpLink: firewall.html#host-groups
heavynodes:
description: List of IP Addresses or CIDR blocks to allow heavynode connections.
description: List of IP addresses or CIDR blocks to allow heavynode connections.
file: True
global: True
title: Heavy Nodes
helpLink: firewall.html#host-groups
searchnodes:
description: List of IP Addresses or CIDR blocks to allow searchnode connections.
description: List of IP addresses or CIDR blocks to allow searchnode connections.
file: True
global: True
title: Search Nodes
helpLink: firewall.html#host-groups
sensors:
description: List of IP Addresses or CIDR blocks to allow Sensor connections.
description: List of IP addresses or CIDR blocks to allow Sensor connections.
file: True
global: True
title: Sensors
helpLink: firewall.html#host-groups
receivers:
description: List of IP Addresses or CIDR blocks to allow receiver connections.
description: List of IP addresses or CIDR blocks to allow receiver connections.
file: True
global: True
title: Receivers

14
salt/grafana/soc_grafana.yaml
View File

@@ -10,20 +10,20 @@ grafana:
global: True
helpLink: grafana.html
user:
description: User used to authenticate SMTP.
description: Username for the SMTP server.
global: True
helpLink: grafana.html
password:
description: Password used to authenticate SMTP.
description: Password for the SMTP server.
global: True
sensitive: True
helpLink: grafana.html
cert_file:
description: Location of cert file for SMTP.
description: Location of cert file for the SMTP server.
global: True
helpLink: grafana.html
key_file:
description: Location of key file for SMTP.
description: Location of key file for the SMTP server.
global: True
helpLink: grafana.html
skip_verify:
@@ -31,15 +31,15 @@ grafana:
global: True
helpLink: grafana.html
from_address:
description: The email address you would like in the from field.
description: The email address you would like in the From field.
global: True
helpLink: grafana.html
from_name:
description: The name displayed for the from email address.
description: The name displayed for the From email address.
global: True
helpLink: grafana.html
ehlo_identity:
description: Used with servers with SMTP service extensions.
description: Used for servers with SMTP service extensions.
global: True
helpLink: grafana.html
enterprise:

20
salt/idstools/soc_idstools.yaml
View File

@@ -3,18 +3,18 @@ idstools:
oinkcode:
description: Enter your registration code for paid rulesets.
global: True
helpLink: managing-alerts.html
helpLink: managing-rules.html
ruleset:
description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True
helpLink: managing-alerts.html
helpLink: managing-rules.html
urls:
description: This is a list of additional rule download locations.
global: True
helpLink: managing-alerts.html
helpLink: managing-rules.html
sids:
disabled:
description: List of disables SIDS.
description: List of SIDS that you want to disable.
global: True
helpLink: managing-alerts.html
enabled:
@@ -22,7 +22,7 @@ idstools:
global: True
helpLink: managing-alerts.html
modify:
description: List of SIDS that are modified.
description: List of SIDS that you want to modify.
global: True
helpLink: managing-alerts.html
rules:
@@ -32,18 +32,18 @@ idstools:
global: True
advanced: True
title: Local Rules
helpLink: managing-alerts.html
helpLink: local-rules.html
filters__rules:
description: You can set custom filters for Suricata when using it for meta data creation.
description: If you are using Suricata for metadata, then you can set custom filters for that metadata here.
file: True
global: True
advanced: True
title: Filter Rules
helpLink: managing-alerts.html
helpLink: suricata.html
extraction__rules:
description: This is a list of mime types for file extraction when Suricata is used for meta data creation.
description: If you are using Suricata for metadata, then you can set a list of MIME types for file extraction here.
file: True
global: True
advanced: True
title: Extraction Rules
helpLink: managing-alerts.html
helpLink: suricata.html

2
salt/kibana/soc_kibana.yaml
View File

@@ -2,6 +2,6 @@ kibana:
config:
elasticsearch:
requestTimeout:
description: Request timeout length.
description: The length of time before the request reaches timeout.
global: True
helpLink: kibana.html

6
salt/nginx/soc_nginx.yaml
View File

@@ -1,20 +1,20 @@
nginx:
config:
replace_cert:
description: Replace the Security Onion Certificate with your own?
description: Enable this if you would like to replace the Security Onion Certificate with your own.
global: True
advanced: True
title: Replace Default Cert
helpLink: nginx.html
ssl__key:
description: Paste your .key file here
description: If you enabled the replace_cert option, paste your .key file here.
file: True
title: SSL Key File
advanced: True
global: True
helpLink: nginx.html
ssl__crt:
description: Paste your .crt file here
description: If you enabled the replace_cert option, paste your .crt file here.
file: True
title: SSL Cert File
advanced: True

10
salt/pcap/soc_pcap.yaml
View File

@@ -1,20 +1,20 @@
pcap:
enabled:
description: Enable or Disable Stenographer on all sensors or a single sensor
description: You can enable or disable Stenographer on all sensors or a single sensor.
helpLink: pcap.html
config:
maxdirectoryfiles:
description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space.
description: The maximum number of packet/index files to create before deleting old files.
helpLink: pcap.html
diskfreepercentage:
description: The disk space percent to always keep free for pcap
description: The disk space percent to always keep free for PCAP
helpLink: pcap.html
blocks:
description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this.
advanced: True
helpLink: pcap.html
preallocate_file_mb:
description: File size to pre-allocate for individual pcap files. You shouldn't need to change this.
description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this.
advanced: True
helpLink: pcap.html
aiops:
@@ -26,7 +26,7 @@ pcap:
advanced: True
helpLink: pcap.html
cpus_to_pin_to:
description: CPU to pin PCAP to. Currently only a single CPU is supported
description: CPU to pin PCAP to. Currently only a single CPU is supported.
advanced: True
helpLink: pcap.html
disks:

12
salt/soc/soc_soc.yaml
View File

@@ -7,25 +7,25 @@ soc:
file: True
global: True
syntax: md
helpLink: soc.html
helpLink: soc-customization.html
motd__md:
title: Overview Page
description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser.
description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
file: True
global: True
syntax: md
helpLink: soc.html
helpLink: soc-customization.html
custom__js:
title: Custom Javascript
description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
file: True
global: True
advanced: True
helpLink: soc.html
helpLink: soc-customization.html
custom_roles:
title: Custom Roles
description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system.
description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
file: True
global: True
advanced: True
helpLink: soc.html
helpLink: soc-customization.html

50
salt/suricata/soc_suricata.yaml
View File

@@ -10,80 +10,80 @@ suricata:
vars:
address-groups:
HOME_NET:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
EXTERNAL_NET:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
HTTP_SERVERS:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
SMTP_SERVERS:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
SQL_SERVERS:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
DNS_SERVERS:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
TELNET_SERVERS:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
AIM_SERVERS:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
DC_SERVERS:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
DNP3_SERVER:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
DNP3_CLIENT:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
MODBUS_CLIENT:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
MODBUS_SERVER:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
ENIP_CLIENT:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
ENIP_SERVER:
description: List of hosts or netowrks.
description: List of hosts or networks.
helpLink: suricata.html
port-groups:
HTTP_PORTS:
description: List of HTTP ports to look for HTTP traffic on.
description: List of ports to look for HTTP traffic on.
helpLink: suricata.html
SHELLCODE_PORTS:
description: List of SHELLCODE ports to look for SHELLCODE traffic on.
description: List of ports to look for SHELLCODE traffic on.
helpLink: suricata.html
ORACLE_PORTS:
description: List of ORACLE ports to look for ORACLE traffic on.
description: List of ports to look for ORACLE traffic on.
helpLink: suricata.html
SSH_PORTS:
description: List of SSH ports to look for SSH traffic on.
description: List of ports to look for SSH traffic on.
helpLink: suricata.html
DNP3_PORTS:
description: List of DNP3 ports to look for DNP3 traffic on.
description: List of ports to look for DNP3 traffic on.
helpLink: suricata.html
MODBUS_PORTS:
description: List of MODBUS ports to look for MODBUS traffic on.
description: List of ports to look for MODBUS traffic on.
helpLink: suricata.html
FILE_DATA_PORTS:
description: List of FILE_DATA ports to look for FILE_DATA traffic on.
description: List of ports to look for FILE_DATA traffic on.
helpLink: suricata.html
FTP_PORTS:
description: List of FTP ports to look for FTP traffic on.
description: List of ports to look for FTP traffic on.
helpLink: suricata.html
VXLAN_PORTS:
description: List of VXLAN ports to look for VXLAN traffic on.
description: List of ports to look for VXLAN traffic on.
helpLink: suricata.html
TEREDO_PORTS:
description: List of TEREDO ports to look for TEREDO traffic on.
description: List of ports to look for TEREDO traffic on.
helpLink: suricata.html
outputs:
eve-log:

22
salt/zeek/soc_zeek.yaml
View File

@@ -1,36 +1,44 @@
zeek:
logging:
enabled:
description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor.
helpLink: zeek.html
config:
local:
'@load':
description: List of Zeek policies to load
helpLink: zeek.html
'@load-sigs':
description: List of Zeek signatures to load
helpLink: zeek.html
node:
lb_procs:
description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
helpLink: zeek.html
node: True
pins_enabled:
description: Enabled CPU pinning
description: Enabling this setting allows you to pin Zeek to specific CPUs.
helpLink: zeek.html
node: True
advanced: True
pins:
description: List of CPUs you want to pin to
description: This is a list of CPUs you want to pin Zeek to.
helpLink: zeek.html
node: True
advanced: True
zeekctl:
CompressLogs:
description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU.
helpLink: zeek.html
policy:
custom:
filters:
conn:
description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
file: True
global: True
advanced: True
file_extraction:
description: This is a list of mime types Zeek will extract from the network streams.
description: This is a list of MIME types that Zeek will extract from the network streams.
helpLink: zeek.html