CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 10:12:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13647 from Security-Onion-Solutions/surirules2

Browse Source 
External Support for Detections
This commit is contained in:
Mike Reeves
2024-09-12 13:44:20 -04:00
committed by GitHub
parent 31d190cbf4 cac1539094
commit ff33cb62df
6 changed files with 84 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
salt/firewall/defaults.yaml
View File

@@ -10,6 +10,7 @@ firewall:
elasticsearch_rest: [] elasticsearch_rest: []
endgame: [] endgame: []
eval: [] eval: []
external_suricata: []
fleet: [] fleet: []
heavynode: [] heavynode: []
idh: [] idh: []
@@ -86,6 +87,10 @@ firewall:
tcp: tcp:
- 3765 - 3765
udp: [] udp: []
external_suricata:
tcp:
- 7789
udp: []
influxdb: influxdb:
tcp: tcp:
- 8086 - 8086
@@ -216,6 +221,9 @@ firewall:
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
external_suricata:
portgroups:
- external_suricata
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -462,6 +470,9 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
external_suricata:
portgroups:
- external_suricata
desktop: desktop:
portgroups: portgroups:
- docker_registry - docker_registry
@@ -654,6 +665,9 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
external_suricata:
portgroups:
- external_suricata
desktop: desktop:
portgroups: portgroups:
- docker_registry - docker_registry
@@ -850,6 +864,9 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
external_suricata:
portgroups:
- external_suricata
strelka_frontend: strelka_frontend:
portgroups: portgroups:
- strelka_frontend - strelka_frontend
@@ -1216,6 +1233,9 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
external_suricata:
portgroups:
- external_suricata
analyst: analyst:
portgroups: portgroups:
- nginx - nginx

14
salt/firewall/soc_firewall.yaml
View File

@@ -32,6 +32,7 @@ firewall:
elasticsearch_rest: *hostgroupsettingsadv elasticsearch_rest: *hostgroupsettingsadv
endgame: *hostgroupsettingsadv endgame: *hostgroupsettingsadv
eval: *hostgroupsettings eval: *hostgroupsettings
external_suricata: *hostgroupsettings
fleet: *hostgroupsettings fleet: *hostgroupsettings
heavynode: *hostgroupsettings heavynode: *hostgroupsettings
idh: *hostgroupsettings idh: *hostgroupsettings
@@ -117,6 +118,9 @@ firewall:
endgame: endgame:
tcp: *tcpsettings tcp: *tcpsettings
udp: *udpsettings udp: *udpsettings
external_suricata:
tcp: *tcpsettings
udp: *udpsettings
influxdb: influxdb:
tcp: *tcpsettings tcp: *tcpsettings
udp: *udpsettings udp: *udpsettings
@@ -215,6 +219,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
elastic_agent_endpoint: elastic_agent_endpoint:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
external_suricata:
portgroups: *portgroupsdocker
strelka_frontend: strelka_frontend:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
syslog: syslog:
@@ -370,6 +376,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
endgame: endgame:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
external_suricata:
portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
desktop: desktop:
@@ -463,6 +471,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
external_suricata:
portgroups: *portgroupsdocker
desktop: desktop:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
@@ -554,6 +564,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
endgame: endgame:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
external_suricata:
portgroups: *portgroupsdocker
strelka_frontend: strelka_frontend:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
syslog: syslog:
@@ -828,6 +840,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
external_suricata:
portgroups: *portgroupsdocker
desktop: desktop:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:

1
salt/nginx/defaults.yaml
View File

@@ -1,5 +1,6 @@
nginx: nginx:
enabled: False enabled: False
external_suricata: False
ssl: ssl:
replace_cert: False replace_cert: False
config: config:

3
salt/nginx/enabled.sls
View File

@@ -130,6 +130,9 @@ so-nginx:
- /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro - /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro
- /nsm/repo:/opt/socore/html/repo:ro - /nsm/repo:/opt/socore/html/repo:ro
- /nsm/rules:/nsm/rules:ro - /nsm/rules:/nsm/rules:ro
{% if NGINXMERGED.external_suricata %}
- /opt/so/rules/nids/suri:/surirules:ro
{% endif %}
{% endif %} {% endif %}
{% if DOCKER.containers[container_config].custom_bind_mounts %} {% if DOCKER.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKER.containers[container_config].custom_bind_mounts %} {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}

56
salt/nginx/etc/nginx.conf
View File

@@ -84,7 +84,8 @@ http {
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl default_server;
http2 on;
server_name _; server_name _;
return 307 https://{{ GLOBALS.url_base }}$request_uri; return 307 https://{{ GLOBALS.url_base }}$request_uri;
@@ -116,9 +117,34 @@ http {
autoindex_localtime on; autoindex_localtime on;
} }
} }
{%- if NGINXMERGED.external_suricata %}
server {
listen 7789 ssl;
http2 on;
server_name {{ GLOBALS.url_base }};
root /surirules;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
location / {
allow all;
sendfile on;
sendfile_max_chunk 1m;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
}
{%- endif %}
server { server {
listen 443 ssl http2; listen 443 ssl;
http2 on;
server_name {{ GLOBALS.url_base }}; server_name {{ GLOBALS.url_base }};
root /opt/socore/html; root /opt/socore/html;
index index.html; index index.html;
@@ -251,20 +277,20 @@ http {
proxy_cookie_path /api/ /influxdb/api/; proxy_cookie_path /api/ /influxdb/api/;
} }
location /app/dashboards/ { location /app/dashboards/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
rewrite /app/dashboards/(.*) /app/dashboards/$1 break; rewrite /app/dashboards/(.*) /app/dashboards/$1 break;
proxy_pass http://{{ GLOBALS.manager }}:5601/app/; proxy_pass http://{{ GLOBALS.manager }}:5601/app/;
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_connect_timeout 300; proxy_connect_timeout 300;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
location /kibana/ { location /kibana/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
rewrite /kibana/(.*) /$1 break; rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ GLOBALS.manager }}:5601/; proxy_pass http://{{ GLOBALS.manager }}:5601/;

5
salt/nginx/soc_nginx.yaml
View File

@@ -3,6 +3,11 @@ nginx:
description: You can enable or disable Nginx. description: You can enable or disable Nginx.
advanced: True advanced: True
helpLink: nginx.html helpLink: nginx.html
external_suricata:
description: Enable this to allow external access to Suricata Rulesets managed by Detections.
advanced: True
helplink: nginx.html
forcedType: bool
ssl: ssl:
replace_cert: replace_cert:
description: Enable this if you would like to replace the Security Onion Certificate with your own. description: Enable this if you would like to replace the Security Onion Certificate with your own.