Merge pull request #4411 from Security-Onion-Solutions/hotfix-0528

2.3.52
2025-12-06 17:22:49 +01:00 · 2021-06-07 13:55:51 -04:00 · 2021-06-07 09:34:22 -04:00 · 2021-06-04 11:03:08 -04:00 · 2021-06-04 10:59:18 -04:00 · 2021-06-03 13:53:11 -04:00
19 changed files with 52 additions and 234 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-GRIDFIX
+
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.50
+## Security Onion 2.3.52
-Security Onion 2.3.50 is here!
+Security Onion 2.3.52 is here!
 ## Screenshots
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.3.50 ISO image built on 2021/04/27
+### 2.3.52 ISO image built on 2021/04/27
 ### Download and Verify
-2.3.50 ISO image:  
+2.3.52 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.3.52.iso
-MD5: C39CEA68B5A8AFC5CFFB2481797C0374  
+MD5: DF0CCCB0331780F472CC167AEAB55652  
-SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6  
+SHA1: 71FAE87E6C0AD99FCC27C50A5E5767D3F2332260  
-SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E 
+SHA256: 30E7C4206CC86E94D1657CBE420D2F41C28BC4CC63C51F27C448109EBAF09121 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.52.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.52.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.52.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso
+gpg --verify securityonion-2.3.52.iso.sig securityonion-2.3.52.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013
+gpg: Signature made Sat 05 Jun 2021 06:56:04 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/2
+++ b/2
@@ -1 +1 @@
-2.3.50
+2.3.52
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -1,208 +0,0 @@
 {%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
 {% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 eval:
  containers:
    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
    - so-grafana
    {% endif %}
    - so-dockerregistry
    - so-soc
    - so-kratos
    - so-idstools
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    - so-elasticsearch
    - so-logstash
    - so-kibana
    - so-steno
    - so-suricata
    - so-zeek
    - so-curator
    - so-elastalert
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 heavy_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-redis
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-steno
    - so-suricata
    - so-wazuh
    - so-filebeat
    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
 helix:
  containers:
    - so-nginx
    - so-telegraf
    - so-idstools
    - so-steno
    - so-zeek
    - so-redis
    - so-logstash
    - so-filebeat
 hot_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
    - so-curator
 manager_search:
  containers:
    - so-nginx
    - so-telegraf
    - so-soc
    - so-kratos
    - so-acng
    - so-idstools
    - so-redis
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-kibana
    - so-elastalert
    - so-filebeat
    - so-soctopus
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 manager:
  containers:
    - so-dockerregistry
    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
    - so-grafana
    {% endif %}
    - so-soc
    - so-kratos
    - so-acng
    - so-idstools
    - so-redis
    - so-elasticsearch
    - so-logstash
    - so-kibana
    - so-elastalert
    - so-filebeat
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 parser_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
 search_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-filebeat
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
 sensor:
  containers:
    - so-nginx
    - so-telegraf
    - so-steno
    - so-suricata
    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
    - so-wazuh
    - so-filebeat
 warm_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-elasticsearch
 fleet:
  containers:
    {% if FLEETNODE %}
    - so-mysql
    - so-fleet
    - so-redis
    - so-filebeat
    - so-nginx
    - so-telegraf
    {% endif %}
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -487,6 +487,7 @@ wait_for_web_response() {
 	expected=$2
 	maxAttempts=${3:-300}
 	logfile=/root/wait_for_web_response.log
 	truncate -s 0 "$logfile"
 	attempt=0
 	while [[ $attempt -lt $maxAttempts ]]; do
 		attempt=$((attempt+1))
--- a/salt/common/tools/sbin/so-zeek-stats
+++ b/salt/common/tools/sbin/so-zeek-stats
@@ -24,11 +24,11 @@ show_stats() {
  echo
  echo "Average throughput:"
  echo
-  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'
+  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl capstats
  echo
  echo "Average packet loss:"
  echo
-  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'
+  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl netstats
  echo
 }
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -217,7 +217,7 @@ generate_and_clean_tarballs() {
  local new_version
  new_version=$(cat $UPDATE_DIR/VERSION)
  [ -d /opt/so/repo ] || mkdir -p /opt/so/repo
-  tar -czf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR"
+  tar -czf "/opt/so/repo/$new_version.tar.gz" -C "$UPDATE_DIR" .
  find "/opt/so/repo" -type f -not -name "$new_version.tar.gz" -exec rm -rf {} \;
 }
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -11,7 +11,7 @@
 {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %}
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
 # Grafana all the things
 grafanadir:
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -6,7 +6,7 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
 # Influx DB
 influxconfdir:
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -43,12 +43,24 @@ hold_salt_packages:
 {% endfor %}
 {% endif %}
 remove_info_log_level_logfile:
  file.line:
    - name: /etc/salt/minion
    - match: "log_level_logfile: info"
    - mode: delete
 remove_info_log_level:
  file.line:
    - name: /etc/salt/minion
    - match: "log_level: info"
    - mode: delete
 set_log_levels:
  file.append:
    - name: /etc/salt/minion
    - text:
-      - "log_level: info"
+      - "log_level: error"
-      - "log_level_logfile: info"
+      - "log_level_logfile: error"
    - listen_in:
      - service: salt_minion_service
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -54,7 +54,7 @@
        "verifyCert": false
      },
      "influxdb": {
-{%- if grains['role'] in ['so-import'] %}
+{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' and GRAFANA == 0) %}
        "hostUrl": "",
 {%- else %}
        "hostUrl": "https://{{ MANAGERIP }}:8086",
--- a/salt/zeek/cron/packetloss.sh
+++ b/salt/zeek/cron/packetloss.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats' | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
+/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -78,6 +78,7 @@ zeekspoolownership:
  file.directory:
    - name: /nsm/zeek/spool
    - user: 937
    - max_depth: 0
    - recurse:
      - user
--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -34,7 +34,7 @@ ZEEKVERSION=ZEEK
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=distributed-sensor
+HOSTNAME=Distributed-Sensor
 install_type=SENSOR
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1425,7 +1425,7 @@ generate_passwords(){
 generate_repo_tarball() {
 	mkdir /opt/so/repo
-	tar -czf /opt/so/repo/"$SOVERSION".tar.gz ../.
+	tar -czf /opt/so/repo/"$SOVERSION".tar.gz -C "$(pwd)/.." .
 }
 generate_sensor_vars() {
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -408,6 +408,7 @@ whiptail_enable_components() {
 	PLAYBOOK=0
 	STRELKA=0
 if [[ $is_eval ]]; then
 	COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
 	"Select Components to install:" 20 75 8 \
 	GRAFANA "Enable Grafana for system monitoring" ON \
@@ -416,6 +417,17 @@ whiptail_enable_components() {
 	THEHIVE "Enable TheHive" ON \
 	PLAYBOOK "Enable Playbook" ON \
 	STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
 else
 	COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
 	"Select Components to install:" 20 75 7 \
 	OSQUERY "Enable Fleet with osquery" ON \
 	WAZUH "Enable Wazuh" ON \
 	THEHIVE "Enable TheHive" ON \
 	PLAYBOOK "Enable Playbook" ON \
 	STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
 	export "GRAFANA=1"
 fi
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
--- a/sigs/securityonion-2.3.51.iso.sig
+++ b/sigs/securityonion-2.3.51.iso.sig
--- a/sigs/securityonion-2.3.52.iso.sig
+++ b/sigs/securityonion-2.3.52.iso.sig
Author	SHA1	Message	Date
Mike Reeves	6e92e7283d	Merge pull request #4411 from Security-Onion-Solutions/hotfix-0528 2.3.52	2021-06-07 13:55:51 -04:00
Mike Reeves	e3c16147ce	2.3.52	2021-06-07 09:34:22 -04:00
Mike Reeves	75ff268ecc	2.3.52	2021-06-04 11:03:08 -04:00
Mike Reeves	9f98b8ad2f	2.3.52	2021-06-04 10:59:18 -04:00
Mike Reeves	31365b266a	Update so-zeek-stats	2021-06-03 13:53:11 -04:00
Mike Reeves	2f34e7eeed	Update HOTFIX	2021-06-03 11:04:10 -04:00
Mike Reeves	ff10432124	Update VERSION	2021-06-03 10:57:20 -04:00
William Wernert	91c8a7c65b	Use correct syntax for tar to drop directory structure	2021-06-01 12:16:56 -04:00
Mike Reeves	eac5c604bd	Update packetloss.sh	2021-05-28 12:57:35 -04:00
Mike Reeves	e7d8df499c	Update HOTFIX	2021-05-28 12:55:57 -04:00
Mike Reeves	c5d0286e24	Merge pull request #4254 from Security-Onion-Solutions/2.3.51 2.3.51	2021-05-21 12:15:04 -04:00
Mike Reeves	7aed01658f	Sig file for 2.3.51	2021-05-20 22:10:36 -04:00
Jason Ertel	b440f73336	Truncate wait_for_web_response.log before each wait invocation	2021-05-19 18:37:08 -04:00
Jason Ertel	25e2edc6d2	Reset HOTFIX with new release	2021-05-18 12:31:33 -04:00
Jason Ertel	c207504657	Merge branch '2.3.51' of ssh://github.com/security-onion-solutions/securityonion into 2.3.51	2021-05-18 09:52:07 -04:00
Jason Ertel	fe155222c2	Introduce mixed-case sensor into distributed test	2021-05-18 09:51:54 -04:00
Josh Patterson	9b4325662b	Merge pull request #4218 from Security-Onion-Solutions/issue/4207 Issue/4207	2021-05-18 09:04:26 -04:00
m0duspwnens	0de1c9a669	removing unreference pillar file docker/config.sls	2021-05-18 07:57:00 -04:00
m0duspwnens	ef32bff302	fix up soc.json	2021-05-17 18:29:27 -04:00
m0duspwnens	e50002e0ca	influx and grafana default for manager nodes - https://github.com/Security-Onion-Solutions/securityonion/issues/4207	2021-05-17 16:26:12 -04:00
Mike Reeves	d001597e52	Update README.md	2021-05-17 15:56:46 -04:00
Mike Reeves	4c7cee4ebc	Update VERSION	2021-05-17 15:55:49 -04:00
Mike Reeves	6eed730209	Merge pull request #4213 from Security-Onion-Solutions/zeekhotfix Zeekhotfix	2021-05-17 15:55:17 -04:00
m0duspwnens	fb986b5cff	set both log levels to error	2021-05-06 14:55:14 -04:00
m0duspwnens	a49f2e2d98	change log_level_logfile to error for /opt/so/log/salt/minion	2021-05-06 13:38:16 -04:00
Mike Reeves	90b3462ead	No recurse for you	2021-05-06 13:29:15 -04:00
Mike Reeves	1de768c182	Update HOTFIX	2021-05-06 12:02:05 -04:00
`@@ -1,2 +1,2 @@`
	`#!/bin/bash`	`#!/bin/bash`
	`/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats' \| awk '{print $(NF-2),$(NF-1),$NF}' \| awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1`	`/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl netstats \| awk '{print $(NF-2),$(NF-1),$NF}' \| awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1`