Compare commits
39 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 2ca2724a4c | |||
| 884883a225 | |||
| 5c8ba3af65 | |||
| 4b5d314adf | |||
| 6e637f559c | |||
| cc5304e9f7 | |||
| 002403055d | |||
| b80b80e825 | |||
| c539d53a02 | |||
| 3a22978c2b | |||
| 5b1461e9a1 | |||
| 69f889dbd9 | |||
| aefe1cceb8 | |||
| b7e97eceb3 | |||
| 450e02e874 | |||
| 09bebf08d6 | |||
| 4dd54cea6c | |||
| e07f4bd0ed | |||
| 6adb586bb4 | |||
| 2f99821736 | |||
| db27c22158 | |||
| 2ff284fc7f | |||
| 5d0a3ef205 | |||
| ac9c10dd3a | |||
| d4d67b545d | |||
| 2dced35800 | |||
| c2a04a79c5 | |||
| d43346a084 | |||
| 0c4a27d120 | |||
| b4530ffffe | |||
| d12aa0ed56 | |||
| 17bcf50ccb | |||
| 48401f6a3f | |||
| a96825f43e | |||
| 2d48ae7bca | |||
| 0ff519ed2f | |||
| 127533492f | |||
| 7d4b4a8bd4 | |||
| e9fa84d71b |
+11
-11
@@ -1,18 +1,18 @@
|
|||||||
### 2.3.200-20230113 ISO image built on 2023/01/13
|
### 2.3.220-20230224 ISO image built on 2023/02/24
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Download and Verify
|
### Download and Verify
|
||||||
|
|
||||||
2.3.200-20230113 ISO image:
|
2.3.220-20230224 ISO image:
|
||||||
https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso
|
https://download.securityonion.net/file/securityonion/securityonion-2.3.220-20230224.iso
|
||||||
|
|
||||||
MD5: 70291FFE925E2751559589E749B12164
|
MD5: 74CDCE07BC5787567E07C1CAC64DC381
|
||||||
SHA1: EFD3C7BA6F4EF6774F4F18ECD667A13F7FDF5CFF
|
SHA1: 8DA0E8541C46CBDCFA0FB9B60F3C95D027D4BB37
|
||||||
SHA256: 7794C1325F9B72856FC2A47691F7E0292CA28976711A18F550163E3B58E7A401
|
SHA256: E5EDB011693AC33C40CAB483400F72FAF9615053867FD9C80DDD1AACAD9100B3
|
||||||
|
|
||||||
Signature for ISO image:
|
Signature for ISO image:
|
||||||
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig
|
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.220-20230224.iso.sig
|
||||||
|
|
||||||
Signing key:
|
Signing key:
|
||||||
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
|
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
|
||||||
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
|
|||||||
|
|
||||||
Download the signature file for the ISO:
|
Download the signature file for the ISO:
|
||||||
```
|
```
|
||||||
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig
|
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.220-20230224.iso.sig
|
||||||
```
|
```
|
||||||
|
|
||||||
Download the ISO image:
|
Download the ISO image:
|
||||||
```
|
```
|
||||||
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.200-20230113.iso
|
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.220-20230224.iso
|
||||||
```
|
```
|
||||||
|
|
||||||
Verify the downloaded ISO image using the signature file:
|
Verify the downloaded ISO image using the signature file:
|
||||||
```
|
```
|
||||||
gpg --verify securityonion-2.3.200-20230113.iso.sig securityonion-2.3.200-20230113.iso
|
gpg --verify securityonion-2.3.220-20230224.iso.sig securityonion-2.3.220-20230224.iso
|
||||||
```
|
```
|
||||||
|
|
||||||
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
|
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
|
||||||
```
|
```
|
||||||
gpg: Signature made Fri 13 Jan 2023 11:11:11 AM EST using RSA key ID FE507013
|
gpg: Signature made Fri 24 Feb 2023 02:32:08 PM EST using RSA key ID FE507013
|
||||||
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
|
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
|
||||||
gpg: WARNING: This key is not certified with a trusted signature!
|
gpg: WARNING: This key is not certified with a trusted signature!
|
||||||
gpg: There is no indication that the signature belongs to the owner.
|
gpg: There is no indication that the signature belongs to the owner.
|
||||||
|
|||||||
@@ -110,7 +110,6 @@ commonpkgs:
|
|||||||
- libssl-dev
|
- libssl-dev
|
||||||
- python3-dateutil
|
- python3-dateutil
|
||||||
- python3-m2crypto
|
- python3-m2crypto
|
||||||
- python3-mysqldb
|
|
||||||
- python3-packaging
|
- python3-packaging
|
||||||
- python3-lxml
|
- python3-lxml
|
||||||
- git
|
- git
|
||||||
@@ -153,7 +152,6 @@ commonpkgs:
|
|||||||
- python36-docker
|
- python36-docker
|
||||||
- python36-dateutil
|
- python36-dateutil
|
||||||
- python36-m2crypto
|
- python36-m2crypto
|
||||||
- python36-mysql
|
|
||||||
- python36-packaging
|
- python36-packaging
|
||||||
- python36-lxml
|
- python36-lxml
|
||||||
- yum-utils
|
- yum-utils
|
||||||
@@ -170,6 +168,7 @@ heldpackages:
|
|||||||
- docker-ce: 3:20.10.5-3.el7
|
- docker-ce: 3:20.10.5-3.el7
|
||||||
- docker-ce-cli: 1:20.10.5-3.el7
|
- docker-ce-cli: 1:20.10.5-3.el7
|
||||||
- docker-ce-rootless-extras: 20.10.5-3.el7
|
- docker-ce-rootless-extras: 20.10.5-3.el7
|
||||||
|
- python36-mysql: 1.3.12-2.el7
|
||||||
- hold: True
|
- hold: True
|
||||||
- update_holds: True
|
- update_holds: True
|
||||||
{% endif %}
|
{% endif %}
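Review bot: The new `- python36-mysql: 1.3.12-2.el7` entry under `heldpackages` pins a version with no comment saying why it is held, and the same version string is repeated in the yum install lines elsewhere in this change, so whoever bumps one pin has nothing telling them to bump the others. Suggest a comment directly above the entry along the lines of `# python36-mysql is held at 1.3.12-2.el7 because <reason — confirm>; keep in sync with the yum install lines in so-setup`. The Debian-side `commonpkgs` list also drops `python3-mysqldb` with no corresponding held entry, which may be intentional but is worth stating so it is not read as an accidental removal. The conditional that `{% endif %}` closes starts outside the hunk.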
|
||||||
|
|||||||
@@ -53,8 +53,10 @@ if [[ $? -ne 0 ]]; then
|
|||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
TEMPPW=$FLEET_SA_PW!
|
||||||
|
|
||||||
# Create New User
|
# Create New User
|
||||||
CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $USER_PASS --global-role admin 2>&1)
|
CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $TEMPPW --global-role admin 2>&1)
|
||||||
|
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
echo "Successfully added user to Fleet"
|
echo "Successfully added user to Fleet"
|
||||||
@@ -64,6 +66,9 @@ else
|
|||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Reset New User Password to user supplied password
|
||||||
|
echo "$USER_PASS" | so-fleet-user-update "$USER_EMAIL"
|
||||||
|
|
||||||
# Disable forced password reset
|
# Disable forced password reset
|
||||||
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
|
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
|
||||||
"UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)
|
"UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)
|
||||||
|
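Review bot: The exit status of the new `echo "$USER_PASS" | so-fleet-user-update "$USER_EMAIL"` step is never checked, unlike the `$?` checks around the create step, so if the reset fails the account keeps the interim `$TEMPPW` (derived from `$FLEET_SA_PW`) and the script still goes on to clear `admin_forced_password_reset` in MySQL. Suggest `echo "$USER_PASS" | so-fleet-user-update "$USER_EMAIL" || { echo "Failed to set Fleet user password" >&2; exit 2; }`, which works without `pipefail` since the status of interest is the last command's. In the `fleetctl user create` line the new `$TEMPPW` (and the existing `$USER_EMAIL`) are unquoted inside the `docker exec` command substitution, so a value containing whitespace or glob characters would be word-split; quote them as `--password "$TEMPPW"`. Both the Fleet and MySQL passwords are still passed as command-line arguments, which are visible in process listings for the lifetime of the command; if fleetctl offers no stdin or environment alternative, a `# NOTE:` comment saying so would stop the next reader from re-raising it. The script's earlier setup, including the `$?` check the first hunk starts with, lies outside these hunks.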
|||||||
@@ -552,6 +552,8 @@ preupgrade_changes() {
|
|||||||
[[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182
|
[[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182
|
||||||
[[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
|
[[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
|
||||||
[[ "$INSTALLEDVERSION" == 2.3.190 ]] && up_to_2.3.200
|
[[ "$INSTALLEDVERSION" == 2.3.190 ]] && up_to_2.3.200
|
||||||
|
[[ "$INSTALLEDVERSION" == 2.3.200 ]] && up_to_2.3.210
|
||||||
|
[[ "$INSTALLEDVERSION" == 2.3.210 ]] && up_to_2.3.220
|
||||||
true
|
true
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -576,6 +578,8 @@ postupgrade_changes() {
|
|||||||
[[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182
|
[[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182
|
||||||
[[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
|
[[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
|
||||||
[[ "$POSTVERSION" == 2.3.190 ]] && post_to_2.3.200
|
[[ "$POSTVERSION" == 2.3.190 ]] && post_to_2.3.200
|
||||||
|
[[ "$POSTVERSION" == 2.3.200 ]] && post_to_2.3.210
|
||||||
|
[[ "$POSTVERSION" == 2.3.210 ]] && post_to_2.3.220
|
||||||
|
|
||||||
true
|
true
|
||||||
}
|
}
|
||||||
@@ -699,6 +703,16 @@ post_to_2.3.200() {
|
|||||||
POSTVERSION=2.3.200
|
POSTVERSION=2.3.200
|
||||||
}
|
}
|
||||||
|
|
||||||
|
post_to_2.3.210() {
|
||||||
|
echo "Nothing to do for .210"
|
||||||
|
POSTVERSION=2.3.210
|
||||||
|
}
|
||||||
|
|
||||||
|
post_to_2.3.220() {
|
||||||
|
echo "Nothing to do for .220"
|
||||||
|
POSTVERSION=2.3.220
|
||||||
|
}
|
||||||
|
|
||||||
stop_salt_master() {
|
stop_salt_master() {
|
||||||
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
|
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
|
||||||
set +e
|
set +e
|
||||||
@@ -1029,6 +1043,16 @@ up_to_2.3.200() {
|
|||||||
INSTALLEDVERSION=2.3.200
|
INSTALLEDVERSION=2.3.200
|
||||||
}
|
}
|
||||||
|
|
||||||
|
up_to_2.3.210() {
|
||||||
|
echo "Upgrading to 2.3.210"
|
||||||
|
INSTALLEDVERSION=2.3.210
|
||||||
|
}
|
||||||
|
|
||||||
|
up_to_2.3.220() {
|
||||||
|
echo "Upgrading to 2.3.220"
|
||||||
|
INSTALLEDVERSION=2.3.220
|
||||||
|
}
|
||||||
|
|
||||||
verify_upgradespace() {
|
verify_upgradespace() {
|
||||||
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
|
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
|
||||||
if [ "$CURRENTSPACE" -lt "10" ]; then
|
if [ "$CURRENTSPACE" -lt "10" ]; then
|
||||||
|
|||||||
@@ -1,15 +1,17 @@
|
|||||||
{
|
{
|
||||||
"description" : "suricata.dhcp",
|
"description" : "suricata.dhcp",
|
||||||
"processors" : [
|
"processors" : [
|
||||||
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
|
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
|
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
|
{ "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } },
|
{ "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } },
|
{ "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } },
|
{ "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } },
|
{ "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
|
{ "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } },
|
{ "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } },
|
||||||
|
{ "set": { "if": "ctx.dhcp?.type == 'request'", "field": "server.address", "value": "{{destination.ip}}" } },
|
||||||
|
{ "set": { "if": "ctx.dhcp?.type == 'reply'", "field": "server.address", "value": "{{source.ip}}" } },
|
||||||
{ "pipeline": { "name": "common" } }
|
{ "pipeline": { "name": "common" } }
|
||||||
]
|
]
|
||||||
}
|
}
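Review bot: The two new `set` processors copy `{{destination.ip}}` / `{{source.ip}}` into `server.address` conditioned only on `ctx.dhcp?.type`, so when the referenced IP field is absent the mustache template most likely expands to an empty value and `server.address` is set to an empty string instead of being left unset. Tightening the conditions to `"if": "ctx.dhcp?.type == 'request' && ctx.destination?.ip != null"` and `"if": "ctx.dhcp?.type == 'reply' && ctx.source?.ip != null"` keeps the field absent in that case. Whether `dhcp.type` carries values other than `request`/`reply` is not visible here; any other value leaves `server.address` unset, which is probably fine but worth noting in the pipeline `description`.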
|
||||||
|
|||||||
@@ -26,9 +26,6 @@ spec:
|
|||||||
distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
|
distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
|
||||||
enable_windows_events_publisher: true
|
enable_windows_events_publisher: true
|
||||||
enable_windows_events_subscriber: true
|
enable_windows_events_subscriber: true
|
||||||
logger_plugin: tls
|
|
||||||
logger_tls_endpoint: /api/v1/osquery/log
|
|
||||||
logger_tls_period: 10
|
|
||||||
pack_delimiter: _
|
pack_delimiter: _
|
||||||
host_settings:
|
host_settings:
|
||||||
enable_software_inventory: false
|
enable_software_inventory: false
|
||||||
|
|||||||
@@ -59,7 +59,7 @@ update() {
|
|||||||
|
|
||||||
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
|
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
|
||||||
for i in "${LINES[@]}"; do
|
for i in "${LINES[@]}"; do
|
||||||
RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
|
RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.6.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
|
||||||
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
|
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.5.3","id": "8.5.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
|
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.2","id": "8.6.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
|
||||||
|
|||||||
@@ -319,7 +319,7 @@ http {
|
|||||||
{%- if fleet_node %}
|
{%- if fleet_node %}
|
||||||
|
|
||||||
location /fleet/ {
|
location /fleet/ {
|
||||||
return 307 https://{{ fleet_ip }}/fleet;
|
return 307 https://{{ fleet_ip }}/fleet/dashboard;
|
||||||
}
|
}
|
||||||
|
|
||||||
{%- else %}
|
{%- else %}
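Review bot: `return 307 https://{{ fleet_ip }}/fleet/dashboard;` inside the prefix block `location /fleet/` discards whatever path the client asked for, so any deep link under `/fleet/` is collapsed to the dashboard. If that is deliberate a one-line comment on the `location` block saying so would help; if deep links should survive, an exact-match `location = /fleet/` carrying the dashboard redirect alongside a prefix `location /fleet/` that returns `https://{{ fleet_ip }}$request_uri` would handle both cases. The redirect also sends browsers to the fleet node by raw address, so the certificate served there has to cover `{{ fleet_ip }}` or users get a warning; this predates the change but belongs in the same comment.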
|
||||||
|
|||||||
@@ -15,7 +15,7 @@
|
|||||||
{ "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
{ "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
||||||
{ "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui"},
|
{ "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui"},
|
||||||
{ "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
{ "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
||||||
{ "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address"},
|
{ "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain"},
|
||||||
{ "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
{ "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
||||||
{ "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
{ "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
|
||||||
{ "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name"},
|
{ "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name"},
|
||||||
|
|||||||
@@ -3,6 +3,6 @@
|
|||||||
{ "name": "toolGrafana", "description": "toolGrafanaHelp", "icon": "fa-external-link-alt", "target": "so-grafana", "link": "/grafana/d/so_overview" },
|
{ "name": "toolGrafana", "description": "toolGrafanaHelp", "icon": "fa-external-link-alt", "target": "so-grafana", "link": "/grafana/d/so_overview" },
|
||||||
{ "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" },
|
{ "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" },
|
||||||
{ "name": "toolPlaybook", "description": "toolPlaybookHelp", "icon": "fa-external-link-alt", "target": "so-playbook", "link": "/playbook/projects/detection-playbooks/issues/" },
|
{ "name": "toolPlaybook", "description": "toolPlaybookHelp", "icon": "fa-external-link-alt", "target": "so-playbook", "link": "/playbook/projects/detection-playbooks/issues/" },
|
||||||
{ "name": "toolFleet", "description": "toolFleetHelp", "icon": "fa-external-link-alt", "target": "so-fleet", "link": "/fleet/" },
|
{ "name": "toolFleet", "description": "toolFleetHelp", "icon": "fa-external-link-alt", "target": "so-fleet", "link": "/fleet/dashboard" },
|
||||||
{ "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" }
|
{ "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" }
|
||||||
]
|
]
|
||||||
|
|||||||
@@ -16,3 +16,4 @@ strelka:
|
|||||||
- gen_sign_anomalies.yar
|
- gen_sign_anomalies.yar
|
||||||
- gen_susp_xor.yar
|
- gen_susp_xor.yar
|
||||||
- gen_webshells_ext_vars.yar
|
- gen_webshells_ext_vars.yar
|
||||||
|
- configured_vulns_ext_vars.yar
|
||||||
|
|||||||
+3
-3
@@ -145,7 +145,7 @@ analyst_salt_local() {
|
|||||||
securityonion_repo
|
securityonion_repo
|
||||||
gpg_rpm_import
|
gpg_rpm_import
|
||||||
# Install salt
|
# Install salt
|
||||||
logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
|
logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
|
||||||
logCmd "yum -y update --exclude=salt*"
|
logCmd "yum -y update --exclude=salt*"
|
||||||
|
|
||||||
salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile
|
salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile
|
||||||
@@ -1511,7 +1511,7 @@ generate_passwords(){
|
|||||||
PLAYBOOKADMINPASS=$(get_random_value)
|
PLAYBOOKADMINPASS=$(get_random_value)
|
||||||
PLAYBOOKAUTOMATIONPASS=$(get_random_value)
|
PLAYBOOKAUTOMATIONPASS=$(get_random_value)
|
||||||
FLEETPASS=$(get_random_value)
|
FLEETPASS=$(get_random_value)
|
||||||
FLEETSAPASS=$(get_random_value)
|
FLEETSAPASS="$(get_random_value)!1"
|
||||||
FLEETJWT=$(get_random_value)
|
FLEETJWT=$(get_random_value)
|
||||||
GRAFANAPASS=$(get_random_value)
|
GRAFANAPASS=$(get_random_value)
|
||||||
SENSORONIKEY=$(get_random_value)
|
SENSORONIKEY=$(get_random_value)
|
||||||
@@ -2291,7 +2291,7 @@ saltify() {
|
|||||||
fi
|
fi
|
||||||
set_progress_str 8 'Installing salt-minion & python modules'
|
set_progress_str 8 'Installing salt-minion & python modules'
|
||||||
if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then
|
if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then
|
||||||
logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
|
logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql-1.3.12-2.el7.x86_64 python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
|
||||||
logCmd "yum -y update --exclude=salt*"
|
logCmd "yum -y update --exclude=salt*"
|
||||||
fi
|
fi
|
||||||
logCmd "systemctl enable salt-minion"
|
logCmd "systemctl enable salt-minion"
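Review bot: The pinned package string `python36-mysql-1.3.12-2.el7.x86_64` is now hard-coded in two `yum -y install` lines (`analyst_salt_local` and `saltify`) and must also agree with the `heldpackages` pin elsewhere in this change, so a single constant such as `readonly PY36_MYSQL_PKG=python36-mysql-1.3.12-2.el7.x86_64` interpolated into both `logCmd` strings would keep them from drifting. The `.x86_64` suffix also makes the install fail outright on any other architecture, which may be acceptable for el7 but deserves a comment next to the constant. In `generate_passwords`, `FLEETSAPASS="$(get_random_value)!1"` appends a fixed suffix with no explanation; a comment like `# Fleet rejects passwords without a symbol and a digit — confirm` would document the intent, which appears to be the same reason `so-fleet-user-add` in this change builds `TEMPPW` by appending `!`. `analyst_salt_local`, `generate_passwords` and `saltify` all begin outside their hunks.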
|
||||||
|
|||||||