Merge pull request #12693 from Security-Onion-Solutions/dev

2.3.300

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -1,20 +1,17 @@
 body:
   - type: markdown
     attributes:
-      value: >
+      value: |
         ⚠️ This category is solely for conversations related to Security Onion 2.4 ⚠️
+
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
   - type: dropdown
     attributes:
       label: Version
       description: Which version of Security Onion 2.4.x are you asking about?
       options:
         -
-        - 2.4.0
-        - 2.4.1
-        - 2.4.2
-        - 2.4.3
-        - 2.4.4
-        - 2.4.5
+        - 2.4 Pre-release (Beta, Release Candidate)
         - 2.4.10
         - 2.4.20
         - 2.4.30
@@ -178,33 +175,16 @@ body:
   - type: textarea
     attributes:
       label: Detail
-      description: Please read the placeholder and then provide detailed information to help us help you.
-      placeholder: >-
-        STOP! Please read these guidelines in their entirety before typing!
-        
-        Community Support is considered best effort and there are no guarantees and no SLAs. If you need private, priority, or enterprise support, please consider purchasing support from Security Onion Solutions.
-        
-        Please review the Github Community Guidelines (see link on the right side of the page).
-        
-        Please be patient, courteous, and respectful. Disrespectful messages can result in being banned.
-        
-        Before posting for help, check the Help, FAQ, and other sections of the documentation (https://docs.securityonion.net/) to see if your question has already been answered there.
-        
-        Please do not tag an individual in a discussion unless that individual has already volunteered to help you in that discussion.
-        
-        When creating your discussion, please put a relevant and descriptive title in the Title field and avoid generic titles like Help. When copying text from your Security Onion deployment to the discussion, please copy as plain text when possible rather than taking a screenshot of the text. This allows others to search for and find your text.
-        
-        Avoid typing in ALL CAPS as this looks like YELLING!
-        
-        If you need to include a large section of output, please do so as an attached file or Github gist rather than including the output directly in the reply itself. 
-        
-        If you attach files, please make sure they are plain text format. No Word docs or PDFs please.
+      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
+      placeholder: |-
+        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
 
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
     validations:
       required: true
   - type: checkboxes
     attributes:
       label: Guidelines
       options:
-        - label: I have read the above statement and can confirm my post is relevant to Security Onion 2.4.
+        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
           required: true

.github/workflows/close-threads.yml

@@ -0,0 +1,32 @@
+name: 'Close Threads'
+
+on:
+  schedule:
+    - cron: '50 1 * * *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+  discussions: write
+
+concurrency:
+  group: lock-threads
+
+jobs:
+  close-threads:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v5
+        with:
+          days-before-issue-stale: -1
+          days-before-issue-close: 60
+          stale-issue-message: "This issue is stale because it has been inactive for an extended period. Stale issues convey that the issue, while important to someone, is not critical enough for the author, or other community members to work on, sponsor, or otherwise shepherd the issue through to a resolution."
+          close-issue-message: "This issue was closed because it has been stale for an extended period. It will be automatically locked in 30 days, after which no further commenting will be available."
+          days-before-pr-stale: 45
+          days-before-pr-close: 60
+          stale-pr-message: "This PR is stale because it has been inactive for an extended period. The longer a PR remains stale the more out of date with the main branch it becomes."
+          close-pr-message: "This PR was closed because it has been stale for an extended period. It will be automatically locked in 30 days. If there is still a commitment to finishing this PR re-open it before it is locked."

.github/workflows/lock-threads.yml

@@ -0,0 +1,25 @@
+name: 'Lock Threads'
+
+on:
+  schedule:
+    - cron: '50 2 * * *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+  discussions: write
+
+concurrency:
+  group: lock-threads
+
+jobs:
+  lock-threads:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: jertel/lock-threads@main
+        with:
+          include-discussion-currently-open: true
+          discussion-inactive-days: 90
+          issue-inactive-days: 30
+          pr-inactive-days: 30

README.md

@@ -2,6 +2,20 @@
 
 Security Onion 2.3 is here!
 
+## End Of Life Warning
+
+Security Onion 2.3 reaches End Of Life (EOL) on April 6, 2024:
+
+https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html
+
+For new installations, please see the 2.4 branch of this repo:
+
+https://github.com/Security-Onion-Solutions/securityonion/tree/2.4/main
+
+If you have an existing 2.3 installation and would like to migrate to 2.4, please see:
+
+https://docs.securityonion.net/en/2.4/appendix.html
+
 ## Screenshots
 
 Alerts

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.270-20231006 ISO image built on 2023/10/06
+### 2.3.300-20240401 ISO image built on 2024/04/01
 
 
 
 ### Download and Verify
 
-2.3.270-20231006 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.270-20231006.iso
+2.3.300-20240401 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.300-20240401.iso
 
-MD5: 3FC7A37EA402A5F0C6609D7431387575  
-SHA1: 979851603E431EE9670A1576E5DCCD838CEDA294  
-SHA256: 34F72EDEA9A62E1545347A31DEDEDD099D824466EC52B8674ACC7DB6D7E8B943 
+MD5: 5CBDA8012D773C5EC362D21C4EA3B7FB  
+SHA1: 7A34FAA0E11F09F529FF38EC3239211CD87CB1A7  
+SHA256: 123066DAFBF6F2AA0E1924296CFEFE1213002D7760E8797AB74F1FC1D683C6D7 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.270-20231006.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.300-20240401.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.270-20231006.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.300-20240401.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.270-20231006.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.300-20240401.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.270-20231006.iso.sig securityonion-2.3.270-20231006.iso
+gpg --verify securityonion-2.3.300-20240401.iso.sig securityonion-2.3.300-20240401.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 21 Sep 2023 10:43:13 AM EDT using RSA key ID FE507013
+gpg: Signature made Wed 27 Mar 2024 05:09:33 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.270
+2.3.300

pillar/zeek/init.sls

@@ -42,12 +42,13 @@ zeek:
       - frameworks/files/hash-all-files
       - frameworks/files/detect-MHR
       - policy/frameworks/notice/extend-email/hostnames
+      - policy/frameworks/notice/community-id
+      - policy/protocols/conn/community-id-logging
       - ja3
       - hassh
       - intel
       - cve-2020-0601
       - securityonion/bpfconf
-      - securityonion/communityid
       - securityonion/file-extraction
       - oui-logging
       - icsnpp-modbus

salt/ca/files/signing_policies.conf

@@ -37,7 +37,7 @@ x509_signing_policies:
     - ST: Utah
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment, digitalSignature"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - extendedKeyUsage: serverAuth

salt/common/tools/sbin/soup

@@ -580,6 +580,9 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.3.240 ]] && up_to_2.3.250
     [[ "$INSTALLEDVERSION" == 2.3.250 ]] && up_to_2.3.260
     [[ "$INSTALLEDVERSION" == 2.3.260 ]] && up_to_2.3.270
+    [[ "$INSTALLEDVERSION" == 2.3.270 ]] && up_to_2.3.280
+    [[ "$INSTALLEDVERSION" == 2.3.280 ]] && up_to_2.3.290
+    [[ "$INSTALLEDVERSION" == 2.3.290 ]] && up_to_2.3.300
     
     true
 }
@@ -612,6 +615,9 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.3.240 ]] && post_to_2.3.250
     [[ "$POSTVERSION" == 2.3.250 ]] && post_to_2.3.260
     [[ "$POSTVERSION" == 2.3.260 ]] && post_to_2.3.270
+    [[ "$POSTVERSION" == 2.3.270 ]] && post_to_2.3.280
+    [[ "$POSTVERSION" == 2.3.280 ]] && post_to_2.3.290
+    [[ "$POSTVERSION" == 2.3.290 ]] && post_to_2.3.300
 
     true
 }
@@ -772,6 +778,26 @@ post_to_2.3.270() {
   POSTVERSION=2.3.270
 }
 
+post_to_2.3.280() {
+  salt-call state.apply ca queue=True
+  stop_salt_minion
+  mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+  mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+  systemctl_func "start" "salt-minion"
+  enable_highstate
+  POSTVERSION=2.3.280
+}
+
+post_to_2.3.290() {
+  echo "Nothing to do for .290"
+  POSTVERSION=2.3.290
+}
+
+post_to_2.3.300() {
+  echo "Nothing to do for .300"
+  POSTVERSION=2.3.300
+}
+
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
     set +e
@@ -1137,6 +1163,21 @@ up_to_2.3.270() {
   INSTALLEDVERSION=2.3.270
 }
 
+up_to_2.3.280() {
+  echo "Upgrading to 2.3.280"
+  INSTALLEDVERSION=2.3.280
+}
+
+up_to_2.3.290() {
+  echo "Upgrading to 2.3.290"
+  INSTALLEDVERSION=2.3.290
+}
+
+up_to_2.3.300() {
+  echo "Upgrading to 2.3.300"
+  INSTALLEDVERSION=2.3.300
+}
+
 verify_upgradespace() {
   CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
   if [ "$CURRENTSPACE" -lt "10" ]; then
@@ -1720,8 +1761,12 @@ if [[ -z $UNATTENDED ]]; then
 
 SOUP - Security Onion UPdater
 
+**WARNING** Security Onion 2.3 reaches End Of Life (EOL) on April 6, 2024.
+Please make plans to migrate to Security Onion 2.4:
+https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html
+
 Please review the following for more information about the update process and recent updates:
-https://docs.securityonion.net/soup
+https://docs.securityonion.net/en/2.3/soup.html
 https://blog.securityonion.net
 
 EOF

salt/kibana/bin/so-kibana-config-load

@@ -59,7 +59,7 @@ update() {
 
     IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
     for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.8.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.10.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
       echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
     done
  

salt/kibana/files/config_saved_objects.ndjson

@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.8.2","id": "8.8.2","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.10.4","id": "8.10.4","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

salt/nginx/init.sls

@@ -118,6 +118,10 @@ so-nginx:
     - watch:
       - file: nginxconf
       - file: nginxconfdir
+  {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %}
+      - x509: managerssl_key
+      - x509: managerssl_crt
+  {% endif %}
     - require:
       - file: nginxconf
   {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %}

salt/strelka/defaults.yaml

@@ -1,12 +1,43 @@
 strelka:
   ignore:
     - apt_flame2_orchestrator.yar
+    - apt_apt32.yar
+    - apt_aa19_024a.yar
+    - apt_apt15.yar
+    - apt_barracuda_esg_unc4841_jun23.yar
+    - apt_bluetermite_emdivi.yar
+    - apt_danti_svcmondr.yar
+    - apt_eqgrp.yar
+    - apt_eqgrp_apr17.yar
+    - apt_greenbug.yar
+    - apt_grizzlybear_uscert.yar
+    - apt_lazarus_jun18.yar
+    - apt_mal_gopuram_apr23.yar
+    - apt_moonlightmaze.yar
+    - apt_oilrig.yar
+    - apt_oilrig_oct17.yar
+    - apt_passthehashtoolkit.yar
+    - apt_poisonivy.yar
+    - apt_winnti_burning_umbrella.yar
+    - cn_pentestset_webshells.yar
+    - crime_emotet.yar
+    - gen_fake_amsi_dll.yar
+    - gen_onenote_phish.yar
+    - apt_laudanum_webshells.yar
+    - apt_sandworm_cyclops_blink.yar
+    - cn_pentestset_scripts.yar
+    - expl_connectwise_screenconnect_vuln_feb24.yar
+    - mal_fortinet_coathanger_feb24.yar
+    - thor-hacktools.yar
+    - thor-webshells.yar
     - apt_tetris.yar
     - gen_susp_js_obfuscatorio.yar
     - gen_webshells.yar
+    - gen_vcruntime140_dll_sideloading.yar
     - generic_anomalies.yar
     - general_cloaking.yar
     - thor_inverse_matches.yar
+    - yara-rules_vuln_drivers_strict_renamed.yar
     - yara_mixed_ext_vars.yar
     - apt_apt27_hyperbro.yar
     - apt_turla_gazer.yar
@@ -18,4 +49,5 @@ strelka:
     - gen_webshells_ext_vars.yar
     - configured_vulns_ext_vars.yar
     - expl_outlook_cve_2023_23397.yar
+    - expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
     - gen_mal_3cx_compromise_mar23.yar

salt/suricata/afpacket.map.jinja

@@ -1,6 +1,6 @@
 {% load_yaml as afpacket %}
 af-packet:
-  - interface: {{ salt['pillar.get']('sensor:interface', 'bond0') }}
+  - interface: {{ None if grains.role == 'so-import' else salt['pillar.get']('sensor:interface', 'bond0') }}
     cluster-id: 59
     cluster-type: cluster_flow
     defrag: yes
@@ -8,8 +8,4 @@ af-packet:
     threads: {{ salt['pillar.get']('sensor:suriprocs', salt['pillar.get']('sensor:suripins') | length) }}
     tpacket-v3: yes
     ring-size: {{ salt['pillar.get']('sensor:suriringsize', '5000') }}
-  - interface: default
-    #threads: auto
-    #use-mmap: no
-    #tpacket-v3: yes
 {% endload %}