Merge pull request #10406 from Security-Onion-Solutions/dev

2.3.250

HOTFIX

@@ -0,0 +1 @@
+

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.210-20230202 ISO image built on 2023/02/02
+### 2.3.250-20230519 ISO image built on 2023/05/19
 
 
 
 ### Download and Verify
 
-2.3.210-20230202 ISO image:  
+2.3.250-20230519 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.210-20230202.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.3.250-20230519.iso
 
-MD5: ED38C36DBE40509FC5E87D82B07141C0  
+MD5: EBECF635FB8CFDDD5C0559D01C14E215  
-SHA1: EDEBDBE75FF34DAD87E141CA8F8614295ED23FB5  
+SHA1: 1C2BD45D080D6D99FD84C120827EA39817FCB078  
-SHA256: 30068D4B910E83B63287EAB98E49497A584BAE07854367716813E5D610D3E5E3 
+SHA256: 748E9740077BCCAFDC67D15BA2D6A4B0539A29E4527715973E5BDDE5DCF565AD 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.210-20230202.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.250-20230519.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.210-20230202.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.250-20230519.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.210-20230202.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.250-20230519.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.210-20230202.iso.sig securityonion-2.3.210-20230202.iso
+gpg --verify securityonion-2.3.250-20230519.iso.sig securityonion-2.3.250-20230519.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 02 Feb 2023 08:31:18 PM EST using RSA key ID FE507013
+gpg: Signature made Sat 20 May 2023 09:16:02 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.210
+2.3.250

pillar/zeek/init.sls

@@ -15,6 +15,7 @@ zeek:
     SpoolDir: /nsm/zeek/spool
     CfgDir: /opt/zeek/etc
     CompressLogs: 1
+    ZeekPort: 27760
   local:
     '@load':
       - misc/loaded-scripts

salt/common/tools/sbin/so-fleet-user-add

@@ -53,8 +53,10 @@ if [[ $? -ne 0 ]]; then
     exit 2
 fi
 
+TEMPPW=$FLEET_SA_PW!
+
 # Create New User
-CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $USER_PASS --global-role admin 2>&1)
+CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $TEMPPW --global-role admin 2>&1)
 
 if [[ $? -eq 0 ]]; then
     echo "Successfully added user to Fleet"
@@ -64,6 +66,9 @@ else
     exit 2
 fi
 
+# Reset New User Password to user supplied password
+echo "$USER_PASS" | so-fleet-user-update "$USER_EMAIL"
+
 # Disable forced password reset
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
 "UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)

salt/common/tools/sbin/soup

@@ -212,7 +212,7 @@ check_local_mods() {
     if [[ -f $default_file ]]; then
       file_diff=$(diff "$default_file" "$local_file" )
       if [[ ! " ${local_ignore_arr[*]} " =~ " ${local_file} " ]]; then
-        if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
+        if [[ $(echo "$file_diff" | grep -Ec "^[<>]") -gt 0 ]]; then
           local_mod_arr+=( "$local_file" )
         fi
       fi
@@ -553,6 +553,11 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
     [[ "$INSTALLEDVERSION" == 2.3.190 ]] && up_to_2.3.200
     [[ "$INSTALLEDVERSION" == 2.3.200 ]] && up_to_2.3.210
+    [[ "$INSTALLEDVERSION" == 2.3.210 ]] && up_to_2.3.220
+    [[ "$INSTALLEDVERSION" == 2.3.220 ]] && up_to_2.3.230
+    [[ "$INSTALLEDVERSION" == 2.3.230 ]] && up_to_2.3.240
+    [[ "$INSTALLEDVERSION" == 2.3.240 ]] && up_to_2.3.250
+    
     true
 }
 
@@ -578,6 +583,10 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
     [[ "$POSTVERSION" == 2.3.190 ]] && post_to_2.3.200
     [[ "$POSTVERSION" == 2.3.200 ]] && post_to_2.3.210
+    [[ "$POSTVERSION" == 2.3.210 ]] && post_to_2.3.220
+    [[ "$POSTVERSION" == 2.3.220 ]] && post_to_2.3.230
+    [[ "$POSTVERSION" == 2.3.230 ]] && post_to_2.3.240
+    [[ "$POSTVERSION" == 2.3.240 ]] && post_to_2.3.250
 
     true
 }
@@ -706,6 +715,26 @@ post_to_2.3.210() {
   POSTVERSION=2.3.210
 }
 
+post_to_2.3.220() {
+  echo "Nothing to do for .220"
+  POSTVERSION=2.3.220
+}
+
+post_to_2.3.230() {
+  echo "Nothing to do for .230"
+  POSTVERSION=2.3.230
+}
+
+post_to_2.3.240() {
+  echo "Nothing to do for .240"
+  POSTVERSION=2.3.240
+}
+
+post_to_2.3.250() {
+  echo "Nothing to do for .250"
+  POSTVERSION=2.3.250
+}
+
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
     set +e
@@ -1041,6 +1070,26 @@ up_to_2.3.210() {
   INSTALLEDVERSION=2.3.210
 }
 
+up_to_2.3.220() {
+  echo "Upgrading to 2.3.220"
+  INSTALLEDVERSION=2.3.220
+}
+
+up_to_2.3.230() {
+  echo "Upgrading to 2.3.230"
+  INSTALLEDVERSION=2.3.230
+}
+
+up_to_2.3.240() {
+  echo "Upgrading to 2.3.240"
+  INSTALLEDVERSION=2.3.240
+}
+
+up_to_2.3.250() {
+  echo "Upgrading to 2.3.250"
+  INSTALLEDVERSION=2.3.250
+}
+
 verify_upgradespace() {
   CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
   if [ "$CURRENTSPACE" -lt "10" ]; then

salt/curator/files/curator.yml

@@ -14,22 +14,25 @@
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
 # not a Python "NoneType"
-client:
+elasticsearch:
-  hosts:
+  client:
-    - {{elasticsearch}}
+    hosts:
-  port: 9200
+      - https://{{elasticsearch}}:9200
+    cloud_id:
+    ca_certs:
+    client_cert:
+    client_key:
+    verify_certs: False
+    request_timeout: 30
+  other_settings:
+    api_key:
+      id:
+      api_key:
+    master_only: False
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-  username: "{{ ES_USER }}"
+    username: "{{ ES_USER }}"
-  password: "{{ ES_PASS }}"
+    password: "{{ ES_PASS }}"
 {%- endif %}
-  url_prefix:
-  use_ssl: True
-  certificate:
-  client_cert:
-  client_key:
-  ssl_no_validate: True
-  timeout: 30
-  master_only: False
 
 logging:
   loglevel: INFO

salt/curator/init.sls

@@ -139,6 +139,8 @@ so-curator:
       - file: actionconfs
       - file: curconf
       - file: curlogdir
+    - watch:
+      - file: curconf
   {% else %}
     - force: True
   {% endif %}

salt/elasticsearch/files/ingest/suricata.dns

@@ -1,21 +1,21 @@
 {
   "description" : "suricata.dns",
   "processors" : [
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 	"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.type", 	"target_field": "dns.query.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.type", 		"target_field": "dns.query.type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.tx_id",	"target_field": "dns.id",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.tx_id",		"target_field": "dns.id",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.version", 	"target_field": "dns.version",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.version", 		"target_field": "dns.version",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rrname", 	"target_field": "dns.query.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrname", 		"target_field": "dns.query.name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rrtype", 	"target_field": "dns.query.type_name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrtype", 		"target_field": "dns.query.type_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.flags", 	"target_field": "dns.flags",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.flags", 		"target_field": "dns.flags",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.qr", 		"target_field": "dns.qr",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.qr", 			"target_field": "dns.qr",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rd", 		"target_field": "dns.recursion.desired",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rd", 			"target_field": "dns.recursion.desired",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.ra", 		"target_field": "dns.recursion.available",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.ra", 			"target_field": "dns.recursion.available",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rcode", 	"target_field": "dns.response.code_name",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rcode", 		"target_field": "dns.response.code_name",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.grouped.A", 	"target_field": "dns.answers.data",		"ignore_missing": true 	} },
+    { "rename":		{ "field": "message2.dns.grouped.A", 		"target_field": "dns.answers.data",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.grouped.CNAME", 	"target_field": "dns.answers.name",		"ignore_missing": true 	} },
+    { "rename":		{ "field": "message2.dns.grouped.CNAME",	"target_field": "dns.answers.name",		"ignore_missing": true 	} },
-    { "pipeline": 	{ "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld"			} },
+    { "pipeline":	{ "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld"				} },
-    { "pipeline": { "name": "common" } }
+    { "pipeline": 	{ "name": "common"													} }
   ]
 }

salt/fleet/files/packs/osquery-config.conf

@@ -26,9 +26,6 @@ spec:
         distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
         enable_windows_events_publisher: true
         enable_windows_events_subscriber: true
-        logger_plugin: tls
-        logger_tls_endpoint: /api/v1/osquery/log
-        logger_tls_period: 10
         pack_delimiter: _
   host_settings:
     enable_software_inventory: false

salt/kibana/bin/so-kibana-config-load

@@ -59,7 +59,7 @@ update() {
 
     IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
     for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.6.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.7.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
       echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
     done
  

salt/kibana/files/config_saved_objects.ndjson

@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.7.1","id": "8.7.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

salt/nginx/etc/nginx.conf

@@ -319,7 +319,7 @@ http {
 		{%- if fleet_node %}
 
 		location /fleet/ {
-			return 307 https://{{ fleet_ip }}/fleet;
+			return 307 https://{{ fleet_ip }}/fleet/dashboard;
 		}
 
 		{%- else %}

salt/sensoroni/files/analyzers/whoislookup/requirements.txt

@@ -1 +1,2 @@
+requests==2.27.1
 whoisit>=2.5.3

salt/soc/files/soc/tools.json

@@ -3,6 +3,6 @@
   { "name": "toolGrafana",   "description": "toolGrafanaHelp",   "icon": "fa-external-link-alt", "target": "so-grafana",   "link": "/grafana/d/so_overview" },
   { "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" },
   { "name": "toolPlaybook",  "description": "toolPlaybookHelp",  "icon": "fa-external-link-alt", "target": "so-playbook",  "link": "/playbook/projects/detection-playbooks/issues/" },
-  { "name": "toolFleet",     "description": "toolFleetHelp",     "icon": "fa-external-link-alt", "target": "so-fleet",     "link": "/fleet/" },
+  { "name": "toolFleet",     "description": "toolFleetHelp",     "icon": "fa-external-link-alt", "target": "so-fleet",     "link": "/fleet/dashboard" },
   { "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" }
-]
+]

salt/strelka/defaults.yaml

@@ -17,3 +17,5 @@ strelka:
     - gen_susp_xor.yar
     - gen_webshells_ext_vars.yar
     - configured_vulns_ext_vars.yar
+    - expl_outlook_cve_2023_23397.yar
+    - gen_mal_3cx_compromise_mar23.yar

setup/so-functions

@@ -1123,8 +1123,17 @@ create_repo() {
 }
 
 detect_cloud() {
-  echo "Testing if setup is running on a cloud instance..." | tee -a "$setup_log"
+	echo "Testing if setup is running on a cloud instance..." | tee -a "$setup_log"
-  if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then export is_cloud="true"; fi
+	if dmidecode -s bios-version | grep -q amazon || \
+		dmidecode -s bios-vendor | grep -q Amazon || \
+		dmidecode -s bios-vendor | grep -q Google || \
+		[ -f /var/log/waagent.log ]; then 
+
+		echo "Detected a cloud installation." | tee -a "$setup_log"
+		export is_cloud="true"
+	else
+		echo "This does not appear to be a cloud installation." | tee -a "$setup_log"
+	fi
 }
 
 detect_os() {
@@ -1511,7 +1520,7 @@ generate_passwords(){
   PLAYBOOKADMINPASS=$(get_random_value)
   PLAYBOOKAUTOMATIONPASS=$(get_random_value)
   FLEETPASS=$(get_random_value)
-  FLEETSAPASS=$(get_random_value)
+  FLEETSAPASS="$(get_random_value)!1"
   FLEETJWT=$(get_random_value)
   GRAFANAPASS=$(get_random_value)
   SENSORONIKEY=$(get_random_value)