Commit Graph
100 Commits
Author SHA1 Message Date
weslambertandGitHub 13827f3be5 Merge pull request #9209 from Security-Onion-Solutions/fix/add_missing_opcua_activate_session_pipelines
Add Missing OPCUA Activate Session Pipelines
2022-11-22 16:01:33 -05:00
weslambertandGitHub 3a64362887 Remove extra space used during testing 2022-11-22 15:47:16 -05:00
Wes e77a60bcbf Add missing OPCUA 'activate_session' pipelines 2022-11-22 20:44:48 +00:00
weslambertandGitHub e560edf493 Merge pull request #9206 from Security-Onion-Solutions/fix/ingest_typos
Fix spelling of 'wireguard.responses' field name
2022-11-22 15:35:55 -05:00
weslambertandGitHub 3c054fd133 Fix spelling of 'wireguard.responses' field name 2022-11-22 13:02:43 -05:00
weslambertandGitHub 0bbe642d20 Merge pull request #9203 from Security-Onion-Solutions/fix/ics_ingest_field_names
Fix ICS Ingest Field Names
2022-11-22 12:30:10 -05:00
weslambertandGitHub 8e17c23659 Fix format/speliing for 'enip.status_code' field name 2022-11-22 12:05:03 -05:00
weslambertandGitHub 92170941f0 Fix spelling for 'stun.class' field name 2022-11-22 12:04:07 -05:00
weslambertandGitHub 2170d498c5 Merge pull request #9195 from Security-Onion-Solutions/fix/missing_ics_pipelines
Add COTP and TDS ingest pipelines
2022-11-22 08:44:02 -05:00
Wes 95a6f9aa7d Add COTP and TDS ingest pipelines 2022-11-22 13:35:19 +00:00
weslambertandGitHub ba65b351a2 Merge pull request #9193 from Security-Onion-Solutions/fix/ics_tag_syntax_error
Fix syntax error for 'ics' tag logic
2022-11-22 07:32:40 -05:00
weslambertandGitHub 4c09c8856b Fix syntax error for 'ics' tag logic 2022-11-22 07:23:56 -05:00
weslambertandGitHub 3afa8bd9da Merge pull request #9188 from Security-Onion-Solutions/feature/filebeat_config_ics_event_tag
Add 'ics' tag to events generated from ICS protocol logs
2022-11-21 17:06:25 -05:00
weslambertandGitHub 72eccd2649 Fix indentation 2022-11-21 17:01:16 -05:00
weslambertandGitHub 310ea633b6 Add 'ics' tag to events generated from ICS protocol logs 2022-11-21 16:43:43 -05:00
weslambertandGitHub 089b403a3b Merge pull request #9166 from Security-Onion-Solutions/foxtrot
Merge final protocol analyzers into dev
2022-11-18 08:41:43 -05:00
weslambertandGitHub 78bc2a95e5 Add icsnpp-bsap to enabled plugins 2022-11-17 11:20:24 -05:00
weslambertandGitHub 5bb0e6e8c0 Merge pull request #9160 from Security-Onion-Solutions/feature/additional_ics_scada_ingest_node_pipelines
Add additional ICS/SCADA ingest node pipelines
2022-11-17 11:18:15 -05:00
Wes a278194037 Add additional ICS/SCADA ingest node pipelines 2022-11-17 16:16:33 +00:00
weslambertandGitHub 7319cb07e2 Merge pull request #9153 from Security-Onion-Solutions/fix/ics_scada_ingest_pipeline_updates_2_3
Update ingest node pipelines for ICS/SCADA protocols
2022-11-16 16:17:08 -05:00
Wes 35e131b888 Update ingest node pipelines for ICS/SCADA protocols 2022-11-16 21:09:30 +00:00
weslambertandGitHub 8e4d0db738 Merge pull request #9002 from Security-Onion-Solutions/fix/remove_ja3er_references
Remove JA3er references
2022-10-26 10:21:54 -04:00
weslambertandGitHub a170c194c8 Remove JA3er references 2022-10-26 10:18:10 -04:00
weslambertandGitHub 0d71006f40 Merge pull request #8997 from Security-Onion-Solutions/fix/sensoroni_analyzers_pyyaml_wheel_name
Fix PyYAML .whl file name and remove JA3er analyzer
2022-10-25 14:57:35 -04:00
Wes a91e3b601c Remove JA3er since it is no longer a valid service 2022-10-25 18:48:37 +00:00
Wes 4940421297 Add PyYAML .whl files back since they were 'deleted' in the previous commit 2022-10-25 18:47:51 +00:00
Wes 58b4a8fbab Change PyYAML .whl file name to comply with Joliet's 240-character limit 2022-10-25 18:47:02 +00:00
weslambertandGitHub 292f66138b Merge pull request #8983 from Security-Onion-Solutions/revert-8982-fix/sensoroni_analyzers_pyyaml_wheel_name
Revert "Change PyYAML .whl file name to comply with Joliet's 240-character limit/threshold"
2022-10-24 16:49:19 -04:00
weslambertandGitHub 0087768946 Revert "Change PyYAML .whl file name to comply with Joliet's 240-character limit/threshold" 2022-10-24 16:47:30 -04:00
weslambertandGitHub 712340a027 Merge pull request #8982 from Security-Onion-Solutions/fix/sensoroni_analyzers_pyyaml_wheel_name
Change PyYAML .whl file name to comply with Joliet's 240-character limit/threshold
2022-10-24 14:14:45 -04:00
Wes 1caac3f0b0 Add PyYAML .whl files back since they were 'deleted' in the previous commit. 2022-10-24 18:06:19 +00:00
Wes 54a5dd6cbd Change name of PyYAML .whl file to remain under Joliet's 240-character limit/threshold 2022-10-24 18:05:15 +00:00
weslambertandGitHub 930620fce6 Merge pull request #8971 from lock-wire/patch-2
Add Ingest pipeline for Modbus and DNP3 extensions
2022-10-21 16:28:52 -04:00
weslambertandGitHub a54fc4cead Merge pull request #8942 from Security-Onion-Solutions/master
Update Foxtrot to .180
2022-10-18 16:39:21 -04:00
weslambertandGitHub 5c9c95ba1f Merge pull request #8622 from Security-Onion-Solutions/fix/strelka_yara_gen_webshells_ignore
Ignore gen_webshells.yar
2022-08-29 09:40:51 -04:00
weslambertandGitHub 8a0e92cc6f Add 'gen_webshells.yar' and re-arrange to put ignored rules in alphabetical order 2022-08-29 09:37:29 -04:00
weslambertandGitHub 616bc40412 Merge pull request #8558 from Security-Onion-Solutions/fix/soup_local_mods_check_skip_prompt
Allow local modification acceptance prompt to be skipped when passing 'skip-prompt' as a parameter value to check_local_mods() function
2022-08-19 16:11:23 -04:00
weslambertandGitHub f00d9074ff Allow local modification acceptance prompt to be skipped when passing 'skip-prompt' as a parameter value to check_local_mods() function 2022-08-19 16:07:14 -04:00
weslambertandGitHub c17f0081ef Merge pull request #8550 from Security-Onion-Solutions/fix/soup_elastalert_indices_check_delete_if_less_than_es_8
SOUP: Ensure Elastalert indices are not deleted for major Elasticsearch version 8 or greater
2022-08-18 09:45:00 -04:00
weslambertandGitHub fbf0803906 Update verbiage around major Elasticsearch version and not requiring Elastalert index maintenance 2022-08-18 09:16:22 -04:00
weslambertandGitHub 5deda45b66 Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8
Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8. Also clean up the output to only emit one notification regarding index deletion, and additional verbiage around function operation.
2022-08-18 09:11:38 -04:00
weslambertandGitHub e950d865d8 Merge pull request #8485 from Security-Onion-Solutions/foxtrot
Improve local file modification check in SOUP
2022-08-08 10:06:13 -04:00
weslambertandGitHub fd7a118664 Invoke check_local_mods() function earlier so we don't have to wait for Docker image downloads or OS updates before checking and potentially exiting SOUP 2022-08-08 08:58:19 -04:00
weslambertandGitHub d7906945df Add extra set of brackets for comparison of integers 2022-08-08 08:24:38 -04:00
weslambertandGitHub cb384ae024 Ensure check_local_mods() runs at the beginning of SOUP, in addition to the end, and also that it prompts (forces) the user to accept/review local modifications. 2022-08-05 11:25:33 -04:00
weslambertandGitHub 7caead2387 Merge pull request #8476 from Security-Onion-Solutions/dev
Merge dev into foxtrot
2022-08-05 11:11:51 -04:00
weslambertandGitHub ee654f767a Merge pull request #8453 from Security-Onion-Solutions/fix/elasticsearch_geoip_local
Configure Elasticsearch to use local GeoLite2 databases by default
2022-08-03 09:40:23 -04:00
weslambertandGitHub 8c694a7ca3 Disable ingest.geoip.downloader by default 2022-08-03 09:21:40 -04:00
weslambertandGitHub 9ac640fa67 Remove airgap-specific logic for ingest.geoip.downloader 2022-08-03 09:21:03 -04:00
weslambertandGitHub 811063268f Merge pull request #8447 from Security-Onion-Solutions/feature/kibana_version_8_3_3
Update Kibana version to 8.3.3
2022-08-02 15:27:22 -04:00
weslambertandGitHub f2b10a5a86 Update Kibana version to 8.3.3 2022-08-02 11:32:01 -04:00
weslambertandGitHub c69cac0e5f Update Kibana version to 8.3.3 2022-08-02 11:31:35 -04:00
weslambertandGitHub fed4433088 Merge pull request #8446 from Security-Onion-Solutions/fix/airgap_elasticsearch_geoip
Update Elasticsearch defaults file and config.map.jinja to allow for local GeoIP database use when airgap is enabled
2022-08-02 11:20:35 -04:00
Wes Lambert 839cfcaefa Update Elasticsearch defaults file and config.map.jinja to allow for local GeoIP database use when airgap is enabled 2022-08-02 14:32:17 +00:00
weslambertandGitHub 3123407ef0 Update Elastic version to 8.3.3 2022-08-01 10:41:39 -04:00
weslambertandGitHub d24125c9e6 Update Elastic version to 8.3.3 2022-08-01 10:40:57 -04:00
weslambertandGitHub 64dc278c95 Merge pull request #8432 from Security-Onion-Solutions/dev
Merge dev into foxtrot
2022-08-01 10:12:35 -04:00
weslambertandGitHub c795a70e9c Merge pull request #8329 from Security-Onion-Solutions/fix/elastalert_stop_check_enabled
Check to ensure Elastalert is enabled and suppress missing container error output
2022-07-19 13:27:35 -04:00
weslambertandGitHub 340dbe8547 Check to see if Elastalert is enabled before trying to run 'so-elastalert-stop'. Also suppress error output for when so-elastalert container is not present. 2022-07-19 13:25:09 -04:00
Wes Lambert 5ceff52796 Move Elastalert indices check to function and call from beginning of soup and during pre-upgrade to 2.3.140 2022-07-19 14:54:39 +00:00
Wes Lambert f3a0ab0b2d Perform Elastalert index check twice 2022-07-19 14:48:19 +00:00
Wes Lambert 4a7c994b66 Revise Elastalert index check deletion logic 2022-07-19 14:31:45 +00:00
weslambertandGitHub 8099b1688b Merge pull request #8319 from Security-Onion-Solutions/fix/elasticsearch_query_missing_query_path
Fix missing query path for so-elasticsearch-query
2022-07-18 09:47:16 -04:00
weslambertandGitHub 2914007393 Add forward slash to fix issue with missing query path 2022-07-18 09:07:34 -04:00
weslambertandGitHub f5e10430ed Add forward slash to fix issue with missing query path 2022-07-18 09:07:13 -04:00
weslambertandGitHub 52ebbf8ff3 Merge pull request #8304 from Security-Onion-Solutions/fix/kibana_space_defaults_web_response_url
Change web_response to evaluate the response from the Spaces API and the default space query
2022-07-14 12:08:02 -04:00
weslambertandGitHub 2443e8b97e Change web_response to evaluate the response from the Spaces API and the default space query 2022-07-14 12:04:56 -04:00
weslambertandGitHub 4241eb4b29 Merge pull request #8298 from Security-Onion-Solutions/fix/kibana_space_defaults_shebang
Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu
2022-07-13 16:50:21 -04:00
weslambertandGitHub 0fd4f34b5b Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu 2022-07-13 16:48:39 -04:00
weslambertandGitHub 4a5664db7b Merge pull request #8289 from Security-Onion-Solutions/fix/soup_unsupported_indices_check
Add missing 'fi' to if/then for unsupported indices check
2022-07-13 09:15:22 -04:00
weslambertandGitHub 513c7ae56c Add missing 'fi' to if/then for unsupported indices check 2022-07-13 09:13:28 -04:00
weslambertandGitHub fa894cf83b Merge pull request #8288 from Security-Onion-Solutions/fix/soup_elastalert_indices_deletion_check
Ensure Elastalert indices are deleted before continuing with SOUP
2022-07-13 08:44:04 -04:00
weslambertandGitHub 8e92060c29 Ensure Elastalert indices are deleted before continuing with SOUP -- if they are not, generate a failure condition 2022-07-13 08:38:55 -04:00
weslambertandGitHub d7eb8b9bcb Merge pull request #8281 from Security-Onion-Solutions/fix/soup_elasticsearch8_index_compatibility
SOUP - Check for indices created by Elasticsearch 6
2022-07-12 16:20:47 -04:00
weslambertandGitHub d0a0ca8458 Update exit code for ES checks 2022-07-12 16:15:44 -04:00
weslambertandGitHub 4502182b53 Typo - Ensure Elasticsearch version 6 indices are checked 2022-07-12 15:35:46 -04:00
weslambertandGitHub 0fc6f7b022 Add check for Elasticsearch 6 indices 2022-07-12 15:34:24 -04:00
weslambertandGitHub e9a22d0aff Merge pull request #8275 from Security-Onion-Solutions/fix/filebeat_es_output_additions
Specify outputs for Elasticsearch and Kibana for Eval and Import Mode
2022-07-11 19:03:07 -04:00
weslambertandGitHub 11d3ed36b7 Specify outputs for Elasticsearch and Kibana for Eval and Import Mode
Add outputs for Elasticsearch and Kibana for Eval/Import Mode, since Logstash is not used in Eval Mode or Import Mode. Otherwise, logs from these inputs end up in a filebeat-prefixed index.
2022-07-11 17:22:09 -04:00
weslambertandGitHub d828bbfe47 Merge pull request #8273 from Security-Onion-Solutions/fix/kibana_space_defaults_cases
Add securitySolutionCases feature to ensure Cases are disabled by default
2022-07-11 16:39:30 -04:00
weslambertandGitHub bd32394560 Add securitySolutionCases feature to ensure Cases are disabled by default 2022-07-11 16:38:05 -04:00
weslambertandGitHub 6f4f050a96 Merge pull request #8272 from Security-Onion-Solutions/fix/soup_kibana_space_defaults
Run so-kibana-space-defaults when upgrading to 2.3.140
2022-07-11 14:47:11 -04:00
weslambertandGitHub f77edaa5c9 Run so-kibana-space-defaults to re-establish the default enabled features since Fleet feature name changed 2022-07-11 14:41:23 -04:00
weslambertandGitHub dd1d5b1a83 Merge pull request #8270 from Security-Onion-Solutions/fix/curator_actions_delete_kratos
Add delete and warm action for Kratos indices in applicable Curator delete/warm scripts
2022-07-11 11:39:43 -04:00
weslambertandGitHub e82b6fcdec Typo - Change 'delete' to 'warm' 2022-07-11 11:34:53 -04:00
weslambertandGitHub 8c8ac41b36 Add action for Kratos indices 2022-07-11 11:32:03 -04:00
weslambertandGitHub b611dda143 Add delete action for Kratos indices 2022-07-11 11:31:22 -04:00
weslambertandGitHub 3f5b98d14d Merge pull request #8269 from Security-Onion-Solutions/fix/curator_actions_kratos
Add Curator actions and adjust Curator close scripts to account for so-kibana and so-kratos indices
2022-07-11 11:21:20 -04:00
Wes Lambert 0b6219d95f Adjust Curator close scripts to include Kibana and Kratos indices 2022-07-11 14:51:33 +00:00
Wes Lambert 2f729e24d9 Add Curator action files for Kratos indices 2022-07-11 14:34:10 +00:00
weslambertandGitHub 992b6e14de Merge pull request #8268 from Security-Onion-Solutions/fix/kibana_disable_fleetv2
Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations'
2022-07-11 10:09:12 -04:00
weslambertandGitHub 09a1d8c549 Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations' 2022-07-11 10:06:24 -04:00
weslambertandGitHub 2903bdbc7e Merge pull request #8260 from Security-Onion-Solutions/fix/kratos_dedicated_index_and_filestream_id_additions
Add dedicated index for Kratos and IDs for all filestream inputs
2022-07-08 12:04:40 -04:00
Wes Lambert 5c90fce3a1 Add Kratos Logstash output to search pipeline for Logstash 2022-07-08 15:58:00 +00:00
Wes Lambert 26698cfd07 Add Logstash output for dedicated Kratos index 2022-07-08 15:55:55 +00:00
Wes Lambert 764e8688b1 Modify Kratos input to use dedicated index and add filestream ID for all applicable inputs 2022-07-08 15:53:55 +00:00
Wes Lambert b06c16f750 Add ingest node pipeline for Kratos 2022-07-08 15:53:00 +00:00
weslambertandGitHub 42cfab4544 Merge pull request #8256 from Security-Onion-Solutions/fix/kibana_restart_after_role_sync
Restart Kibana in case it times out before being able to read role update
2022-07-07 17:44:47 -04:00
weslambertandGitHub 4bbc901860 Restart Kibana in case it times out before being able to read in new role configuration 2022-07-07 17:19:02 -04:00
weslambertandGitHub a343f8ced0 Merge pull request #8255 from Security-Onion-Solutions/fix/so_kibana_user_role
Force so-user to sync roles to ensure so_kibana role change
2022-07-07 16:19:30 -04:00