Commit Graph
100 Commits
Author SHA1 Message Date
weslambertandGitHub 18d81352c6 Merge pull request #5537 from Security-Onion-Solutions/delta
Add improved ignore functionality for YARA rules used by Strelka and add default ignored rules that break compilation
2021-09-16 10:38:49 -04:00
weslambertandGitHub 2affaf07a2 Merge pull request #5521 from Security-Onion-Solutions/fix/strelka-yara
Fix/strelka yara
2021-09-15 11:33:44 -04:00
weslambertandGitHub 39e5ded58d Refactor ignore list and only ignore for signature-base for now 2021-09-15 11:32:29 -04:00
weslambertandGitHub 4d41d3aee1 Ignore these rules by default because they are causing issues with YARA compilation with Strelka 2021-09-15 10:29:11 -04:00
weslambertandGitHub 5c8067728e Remove unnecessary logic 2021-09-15 10:22:17 -04:00
weslambertandGitHub 03b45512fa Merge pull request #5436 from Security-Onion-Solutions/fix/kibana_server_url
Incude server.publicBaseUrl
2021-09-08 12:13:48 -04:00
weslambertandGitHub b8600be0f1 Incude server.publicBaseUrl 2021-09-08 12:12:09 -04:00
weslambertandGitHub 72542322ca Merge pull request #4857 from Security-Onion-Solutions/fix/beats_output_fb_modules
Check if Filebeat modules are being used for incoming (external) Beats
2021-07-19 13:11:06 -04:00
weslambertandGitHub fea4f3f973 Check if Filebeat modules are being used for incoming Beats 2021-07-19 12:57:42 -04:00
weslambertandGitHub bde86e0383 Use http_auth instead of username/password until Curator is upgraded to next version 2021-07-19 12:42:46 -04:00
weslambertandGitHub 7e1be8a3a4 Merge pull request #4798 from Security-Onion-Solutions/fix/strelka_filepath_mapping
Replace staging with processed in Strelka file path mapping
2021-07-14 11:16:15 -04:00
Wes Lambert 05aad07bfc Replace staging path with processed path for analyzed files 2021-07-14 15:04:46 +00:00
weslambertandGitHub 42ba9888d7 Merge pull request #4797 from Security-Onion-Solutions/fix/wazuh_data_port
Change field name and mapping for Wazuh's data.port
2021-07-14 10:14:53 -04:00
Wes Lambert 723172bc1f Add path_unmatch for data.port so it is not mapped as integer 2021-07-14 13:45:09 +00:00
Wes Lambert 323b5d6694 Add dynamic mapping for wazuh 2021-07-14 13:43:34 +00:00
Wes Lambert 441cd3fc59 Move Wazuh-specific data to wazuh.data 2021-07-14 13:42:51 +00:00
weslambertandGitHub 7cdb967810 Only route to FB module pipeline if filebeat in metadata 2021-07-13 11:36:18 -04:00
weslambertandGitHub c0f3c5b3db Merge pull request #4773 from Security-Onion-Solutions/feature/filebeat-logging-level
Allow setting Filebeat logging level in pillar
2021-07-12 10:55:43 -04:00
weslambertandGitHub a895270bc8 Allow setting Filebeat logging level in pillar 2021-07-12 10:27:43 -04:00
weslambertandGitHub ce0b064972 Add conditional for heavynode for redis and elasticsearch 2021-07-06 14:21:29 -04:00
weslambertandGitHub 2f3f04e4ca Change from nodename to host 2021-07-06 14:18:39 -04:00
weslambertandGitHub 2e91f27336 Add conditional for heavynode 2021-07-06 14:17:49 -04:00
weslambertandGitHub 10b1829830 Add conditional for heavynode 2021-07-06 14:16:34 -04:00
weslambertandGitHub 4946f32d88 Add extra_hosts entry for local instance when running as heavy node 2021-07-06 14:14:58 -04:00
weslambertandGitHub fcbacd473d Add ELK, redis 2021-06-30 09:34:56 -04:00
weslambertandGitHub 06d77d9972 Update so-common-template.json 2021-06-30 09:31:32 -04:00
weslambertandJason Ertel c5b81f2f4b Fix output so that it can be redirected to local file with appropriate syntax 2021-06-23 14:41:38 -04:00
weslambertandGitHub d411a9e1ff Merge pull request #4597 from Security-Onion-Solutions/fix/pipeline-view-output
Fix output so that it can be redirected to local file with appropriat…
2021-06-23 09:24:41 -04:00
weslambertandGitHub 3fbc850774 Fix output so that it can be redirected to local file with appropriate syntax 2021-06-23 09:17:37 -04:00
weslambertandGitHub 1bef1d5652 Update to apply to any so-prefixed index 2021-06-10 08:16:00 -04:00
weslambertandGitHub cba719b3a0 Remove extra comma 2021-06-02 16:42:09 -04:00
weslambertandGitHub 4241bb08b8 Add suricata/zeek until we migrate templates 2021-06-02 16:37:43 -04:00
weslambertandGitHub 4c74e7f308 Add event.kind and set name to module[dot]dataset 2021-06-02 15:35:26 -04:00
weslambertandGitHub db48c15f1d Create event.kind field and rename dataset to be module[dot]dataset 2021-06-02 15:33:18 -04:00
weslambertandGitHub a1b34e7a88 Fix Suricata index name 2021-06-02 15:30:14 -04:00
Wes Lambert 728d1f7540 Make Zeek and Suricata great again 2021-05-06 14:06:17 +00:00
Wes Lambert ee92ba20b0 Add modules path reference 2021-05-06 13:56:39 +00:00
Wes Lambert 1b749cf004 Additional config 2021-05-06 13:55:07 +00:00
Wes Lambert 37929dbd7d Add additional config for Filebeat modules 2021-05-06 13:54:28 +00:00
Wes Lambert 865ba912f8 Merge remote-tracking branch 'remotes/origin/dev' into pipeline 2021-05-06 13:19:31 +00:00
weslambertandGitHub c867d6648a Merge pull request #4098 from Security-Onion-Solutions/delta
Add ignore above for message keyword field
2021-05-05 08:53:39 -04:00
Wes Lambert a1a79719fc Add ignore above for message keyword field 2021-05-05 12:07:30 +00:00
weslambertandGitHub d4e8ea8e72 Merge pull request #4079 from Security-Onion-Solutions/delta
Add event_data to common template so elastalert/playbook event_data f…
2021-05-03 13:45:17 -04:00
Wes Lambert 619402cc67 Add event_data to common template so elastalert/playbook event_data fields can be indexed and searchable 2021-05-03 17:03:30 +00:00
weslambertandGitHub 427dd31fcb Merge pull request #3876 from Security-Onion-Solutions/delta
FIX:Remove ESUSER/ESPASS for now to prevent issues with attempting Elasti…
2021-04-15 08:11:15 -04:00
Wes Lambert f61bf73f97 Remove ESUSER/ESPASS for now to prevent issues with attempting Elastic Auth when connecting to ES. 2021-04-15 11:59:34 +00:00
weslambertandGitHub 5eb0137c21 Merge pull request #3705 from Security-Onion-Solutions/delta
Enforce date type for ingest.timestamp
2021-03-31 08:40:41 -04:00
Wes Lambert 942de130ca Enforce date type for ingest.timestamp 2021-03-31 12:24:51 +00:00
weslambertandGitHub ff317cdcf1 Merge pull request #3684 from Security-Onion-Solutions/delta
Add Elastic scripts
2021-03-30 12:06:00 -04:00
Wes Lambert 7049383ba6 Add Elastic scripts 2021-03-30 15:47:05 +00:00
Wes Lambert b481cf885b Update saved objects and remove index patterns because this is now handled by Field Caps API 2021-03-19 18:30:42 +00:00
weslambertandGitHub 8d29f757b1 Merge pull request #3471 from Security-Onion-Solutions/kilo
Reverse Zeek index close/delete count for Curator
2021-03-16 14:34:46 -04:00
Wes Lambert 7a02150389 Reverse Zeek index close/delete count for Curator 2021-03-16 17:16:55 +00:00
weslambertandGitHub 5fd483a99d Merge pull request #3466 from Security-Onion-Solutions/soup2340
Soup for 2.3.40
2021-03-16 13:03:33 -04:00
Wes Lambert 038c58f3d5 Ignore TIME_WAIT when checking for Strelka frontend port reservation 2021-03-16 14:51:16 +00:00
Wes Lambert f142b754dc Add Strelka files.processed directory so files will be moved from staging to processed 2021-03-15 15:43:31 +00:00
Wes Lambert b6a785395d Add Strelka staging directory for state 2021-03-15 15:42:13 +00:00
Wes Lambert 6ea8eab9af Modify soup to add Strelka rule repo in pillar 2021-02-24 20:32:47 +00:00
weslambertandGitHub 583b65e952 Fix syntax 2021-01-21 11:52:23 -05:00
weslambertandGitHub d6043d091b Merge pull request #2701 from Security-Onion-Solutions/feature/filebeat_events
Allow for Filebeat queue/output adjustments via pillar
2021-01-21 10:36:33 -05:00
Wes Lambert 19d22e1f8a Allow for Filebeat queue/output adjustments via pillar 2021-01-21 15:34:54 +00:00
weslambertandGitHub a99246c600 Merge pull request #2698 from Security-Onion-Solutions/fix/reserved_ports
Fix/reserved ports
2021-01-21 08:39:35 -05:00
Wes Lambert 0039877779 Check for port availability for Wazuh and Strelka 2021-01-21 13:29:09 +00:00
Wes Lambert 9a91674688 Add reserved ports file for sysctl 2021-01-21 13:18:22 +00:00
Wes Lambert 74e315841a Modify common to reserve Docker proxy ports 2021-01-21 13:17:16 +00:00
Wes LambertandWilliam Wernert 7f64d57111 Reserve port for Wazuh API and check if port is already in use 2021-01-06 14:37:28 -05:00
Wes LambertandWilliam Wernert e7db1a99bd Set @timestamp to winlog.systemTime 2021-01-06 14:37:28 -05:00
weslambertandWilliam Wernert c864cc607f Remove multiple old so-yara-update cron jobs, if needed 2021-01-06 14:37:27 -05:00
weslambertandWilliam Wernert 958635b012 Remove old Strelka cron job 2021-01-06 14:37:27 -05:00
weslambertandGitHub 36ae09ac4a Merge pull request #2545 from Security-Onion-Solutions/fix/wazuh_port_reservation
Reserve port for Wazuh API and check if port is already in use
2021-01-06 11:49:23 -05:00
weslambertandGitHub 55344725e7 Merge pull request #2544 from Security-Onion-Solutions/fix/winlog_timestamp
Set @timestamp to winlog.systemTime
2021-01-06 11:49:01 -05:00
Wes Lambert 875908dc90 Set @timestamp to winlog.systemTime 2021-01-06 16:47:35 +00:00
Wes Lambert f2b677bfcb Reserve port for Wazuh API and check if port is already in use 2021-01-06 15:52:10 +00:00
weslambertandGitHub 707528d7e8 Merge pull request #2530 from Security-Onion-Solutions/fix/strelka_cron_2
Remove multiple old so-yara-update cron jobs, if needed
2021-01-04 16:30:22 -05:00
weslambertandGitHub c1e245043e Remove multiple old so-yara-update cron jobs, if needed 2021-01-04 16:29:32 -05:00
weslambertandGitHub e51f60f7fa Merge pull request #2521 from Security-Onion-Solutions/fix/strelka_rule_cron
Remove old Strelka cron job
2021-01-04 10:19:50 -05:00
weslambertandGitHub 535820bfa7 Remove old Strelka cron job 2021-01-04 10:18:32 -05:00
weslambertandGitHub f6a199156b Merge pull request #2428 from Security-Onion-Solutions/feature/strelka_pillar_repos
Support setting rule repos via pillar
2020-12-22 10:38:01 -05:00
Wes Lambert ac96ded2dc Support setting rule repos via pillar 2020-12-22 15:36:15 +00:00
weslambertandGitHub def08895d5 Merge pull request #2393 from Security-Onion-Solutions/fix/strelka_filestream
Fix/strelka filestream
2020-12-18 15:48:54 -05:00
weslambertandGitHub 2fee2ca143 Change identifier name to be more descriptive 2020-12-18 15:40:54 -05:00
weslambertandGitHub 7453626b06 Add identifier 2020-12-18 15:39:52 -05:00
weslambertandGitHub 1a463bccaf Add cron.absent to remove old cron job if present 2020-12-18 11:25:14 -05:00
weslambertandGitHub 9493aad1a5 Read from dedicated unprocessed dir 2020-12-18 10:53:17 -05:00
weslambertandGitHub bf76c1b58c Create unprocessed dir and move Zeek extracted files there 2020-12-18 10:52:14 -05:00
weslambertandGitHub 24fce27e62 Merge pull request #2297 from Security-Onion-Solutions/feature/idstools_arg
Add ability to supply an arg, for example overriding 15 min limit
2020-12-10 09:31:50 -05:00
Wes Lambert 45faa7fda4 Add ability to supply an arg, for example overriding 15 min limit 2020-12-10 14:30:29 +00:00
weslambertandGitHub c2cf2c4987 Merge pull request #2296 from Security-Onion-Solutions/fix/suricata_ftp_data
Add initial suricata.ftp_data pipeline
2020-12-10 09:17:01 -05:00
Wes Lambert f689722559 Add initial suricata.ftp_data pipeline 2020-12-10 14:14:50 +00:00
weslambertandGitHub d09daef094 Merge pull request #2288 from Security-Onion-Solutions/fix/strelka_rules
Expand STRELKARULES
2020-12-09 17:05:44 -05:00
weslambertandGitHub 0b2e2739bd Expand STRELKARULES 2020-12-09 17:05:11 -05:00
weslambertandGitHub c41d4373b7 Merge pull request #2192 from Security-Onion-Solutions/fix/elasticsearch_bool_query_clause_count
Add indices.query.bool.max_clause_count to allow for wildcard searche…
2020-12-03 09:30:24 -05:00
weslambertandGitHub 95570976a8 Add indices.query.bool.max_clause_count to allow for wildcard searches targeting more than 1024 fields 2020-12-03 09:29:44 -05:00
weslambertandGitHub a84f816eff Merge pull request #2189 from Security-Onion-Solutions/feature/so-elastic-scripts
so-elastic scripts
2020-12-03 09:20:47 -05:00
Wes Lambert 4ce3ec7582 Make scripts executable 2020-12-03 14:18:22 +00:00
Wes Lambert f96365baba Add intial grouped Elastic start/stop/restart scripts 2020-12-03 14:17:32 +00:00
weslambertandGitHub c819729cd6 Don't use max_files or time_to_live for shutdown params 2020-12-02 13:17:19 -05:00
weslambertandGitHub 0e8f547087 Merge pull request #2160 from Security-Onion-Solutions/fix/strelka_mmbot
Remove ScanMmbot
2020-12-01 11:26:14 -05:00
weslambertandGitHub 9517cb2a58 Remove ScanMmbot 2020-12-01 11:25:51 -05:00
weslambertandGitHub 0c4ee94472 Merge pull request #2077 from Security-Onion-Solutions/fix/thehive_upgrade_conf
Fix/thehive upgrade conf
2020-11-24 11:52:51 -05:00