From 315a7ca2bce59e18bd042ae4795d1ed3c0735da5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 11 Oct 2023 10:59:52 -0400
Subject: [PATCH 01/19] Upgrade Suricata
---
 so-suricata/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/so-suricata/Dockerfile b/so-suricata/Dockerfile
index 8e7eeef8..fdd51a71 100644
--- a/so-suricata/Dockerfile
+++ b/so-suricata/Dockerfile
@@ -27,7 +27,7 @@ RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \
 lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \
 python3-devel python3-sphinx python3-yaml sudo which cargo \
 zlib-devel luajit-devel cargo && cargo install --force cbindgen
-ENV SURIVERSION=6.0.14
+ENV SURIVERSION=7.0.1
 RUN mkdir /suricata
 WORKDIR /suricata
@@ -55,6 +55,6 @@ RUN yum -y install epel-release bash libpcap iproute && \
 ADD files/so-suricata.sh /usr/local/sbin/so-suricata.sh
 RUN chmod +x /usr/local/sbin/so-suricata.sh
-RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
 ENTRYPOINT ["/usr/local/sbin/so-suricata.sh"]
From 8dfdf5326e9f78b10db8306e152548e59d06f3de Mon Sep 17 00:00:00 2001
From: defensivedepth
Date: Mon, 16 Oct 2023 13:22:39 -0400
Subject: [PATCH 02/19] Remove unsupported integrations
---
 so-elastic-fleet-package-registry/Dockerfile | 6 ++-
 .../scripts/supported-integrations.sh | 10 ++++
 .../scripts/supported-integrations.txt | 50 +++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 so-elastic-fleet-package-registry/scripts/supported-integrations.sh
 create mode 100644 so-elastic-fleet-package-registry/scripts/supported-integrations.txt
diff --git a/so-elastic-fleet-package-registry/Dockerfile b/so-elastic-fleet-package-registry/Dockerfile
index a93c82a0..4447faee 100644
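Review bot: The fx-libpcap package on the new `RUN rpm -i https://…` line is still installed straight from a GitHub release URL with nothing checking what was downloaded; rpm only verifies a package signature when the signing key has already been imported, and nothing in this Dockerfile imports one, so the image content depends on whatever that URL serves at build time. Fetching the file first and checking a recorded digest before installing pins it, e.g. `ADD --checksum=sha256:<digest-of-the-release-asset> <release-url> /tmp/fx-libpcap.rpm` (BuildKit) followed by `RUN rpm -i /tmp/fx-libpcap.rpm && rm /tmp/fx-libpcap.rpm`, or a `curl`/`sha256sum -c` pair if curl is available in this stage. The same unverified `rpm -Uvh <url>` install appears in so-zeek/Dockerfile in patches 03, 04 and 07 of this series.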
--- a/so-elastic-fleet-package-registry/Dockerfile
+++ b/so-elastic-fleet-package-registry/Dockerfile
@@ -12,10 +12,14 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-ARG VERSION
+ARG VERSION=8.8.2
 FROM docker.elastic.co/package-registry/distribution:$VERSION as original_image
+COPY scripts /scripts
+
+RUN chmod +x /scripts/supported-integrations.sh && bash /scripts/supported-integrations.sh
+
 # Cleanup unneeded packages, keeping the two most recent versons of each one
 # Except for endpoint packages, keep all versions
 RUN cd /packages/package-storage/ \
diff --git a/so-elastic-fleet-package-registry/scripts/supported-integrations.sh b/so-elastic-fleet-package-registry/scripts/supported-integrations.sh
new file mode 100644
index 00000000..56d3faae
--- /dev/null
+++ b/so-elastic-fleet-package-registry/scripts/supported-integrations.sh
@@ -0,0 +1,10 @@
+#/bin/bash
+
+cd /packages/package-storage/
+for file in *
+do
+ PATTERN=$(echo $file | cut -d "-" -f 1)-
+ [[ ! $(grep -x "$PATTERN" /scripts/supported-integrations.txt) ]] && rm "$file" && echo "Deleted: $file..."
+done
+
+exit 0
\ No newline at end of file
diff --git a/so-elastic-fleet-package-registry/scripts/supported-integrations.txt b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
new file mode 100644
index 00000000..544d8ff6
--- /dev/null
+++ b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
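Review bot: In the new supported-integrations.sh the `cd /packages/package-storage/` is unguarded, so if that directory is ever missing the loop runs `rm` over whatever the current directory holds; make it `cd /packages/package-storage/ || exit 1`. The allow-list test `grep -x "$PATTERN"` treats each list entry as a regular expression rather than a literal name, and the unquoted `$file` in `echo $file | cut …` is subject to word splitting; `grep -Fxq -- "$PATTERN" /scripts/supported-integrations.txt || { rm "$file" && echo "Deleted: $file..."; }` with `"$file"` quoted closes both. The closing `exit 0` also means a failed `rm` can never fail the image build, which is probably not intended for a step that shapes what the registry serves. The same loop body is carried unchanged into the patch 05 rewrite of this file.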
@@ -0,0 +1,50 @@
+apache-
+auditd-
+aws-
+azure-
+barracuda-
+cisco_asa-
+cloudflare-
+crowdstrike-
+darktrace-
+elasticsearch-
+endpoint-
+f5_bigip-
+fleet_server-
+fim-
+fortinet-
+fortinet_fortigate-
+gcp-
+github-
+google_workspace-
+http_endpoint-
+httpjson-
+juniper-
+juniper_srx-
+kafka_log-
+lastpass-
+log-
+m365_defender-
+microsoft_defender_endpoint-
+microsoft_dhcp-
+netflow-
+o365-
+okta-
+osquery_manager-
+panw-
+pfsense-
+redis-
+sentinel_one-
+sonicwall_firewall-
+symantec_endpoint-
+system-
+tcp-
+ti_abusech-
+ti_misp-
+ti_otx-
+ti_recordedfuture-
+udp-
+windows-
+zscaler_zia-
+zscaler_zpa-
+1password-
\ No newline at end of file
From 730c068cfbab84e5db0838c2d9b5f0c766d74307 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 16 Oct 2023 15:27:05 -0400
Subject: [PATCH 03/19] Zeek 6 upgrade. Removes external af_packet & zeek-community-id plugins (Replaced by built-in functionality). Removes plugin-tds & plugin-profinet due to failing to build on Zeek 6. Pending two PRs for patch
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 so-zeek/Dockerfile | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index 65f452cf..1a9e3d41 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
@@ -13,11 +13,11 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FROM ghcr.io/security-onion-solutions/oraclelinux:9 as builder
+FROM ghcr.io/security-onion-solutions/oraclelinux:9 as builder
 RUN dnf -y install dnf-plugins-core && \
 dnf config-manager --enable ol9_codeready_builder && \
- dnf update -y && \
+ dnf update -y && \
 dnf -y install epel-release bash libpcap iproute wget cmake swig && \
 dnf -y install jemalloc numactl libnl3 libdnet gdb git && \
 dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel kernel-devel kernel-headers && \
@@ -41,7 +41,7 @@ RUN dnf -y install perl && \
 WORKDIR /
-ENV ZEEKVER=5.0.10
+ENV ZEEKVER=6.0.1
 ARG BUILD_TYPE=Release
 RUN mkdir /zeekbuild
@@ -51,12 +51,9 @@ WORKDIR /zeekbuild
 RUN wget https://download.zeek.org/zeek-$ZEEKVER.tar.gz && tar zxvf zeek-$ZEEKVER.tar.gz
 RUN cd zeek-$ZEEKVER && \
 ./configure --prefix=/opt/zeek --spooldir=/nsm/zeek/spool --logdir=/nsm/zeek/logs --enable-jemalloc --build-type=$BUILD_TYPE --with-openssl=/usr/local/ssl && \
- time make -j4 && time make install && \
- fips-mode-setup --enable
+ time make -j4 && time make install
 RUN /opt/zeek/bin/zkg install --force ja3 && \
 /opt/zeek/bin/zkg install --force hassh && \
- /opt/zeek/bin/zkg install --force https://github.com/TOoSmOotH/zeek-af_packet-plugin --version=master && \
- /opt/zeek/bin/zkg install --force zeek-community-id && \
 /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/bzar --version=master && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-bacnet && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-bsap && \
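Review bot: The rewritten `time make -j4 && time make install` line silently drops the `fips-mode-setup --enable` call that used to follow it, and neither the commit message nor a comment says why; the OpenSSL build earlier in this file is still configured with `enable-fips`, so the next reader cannot tell whether FIPS mode is now provided elsewhere or was deliberately given up. A one-line comment on the new line would settle it, e.g. `# fips-mode-setup dropped with the Zeek 6 build: <reason>`. While the version is being bumped, the `wget https://download.zeek.org/zeek-$ZEEKVER.tar.gz` context line above still verifies nothing about the tarball; recording the release's SHA256 next to `ENV ZEEKVER` and checking it with `sha256sum -c` before `tar zxvf` would make the bump reproducible. The RUN chain this hunk edits continues past its last line.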
@@ -68,11 +65,11 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-modbus && \
 git clone https://github.com/cisagov/icsnpp-s7comm && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-s7comm && \
- git clone https://github.com/amzn/zeek-plugin-profinet && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-profinet && \
- git clone https://github.com/amzn/zeek-plugin-tds && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-tds && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
+ #git clone https://github.com/amzn/zeek-plugin-profinet && \
+ #/opt/zeek/bin/zkg install --force --skiptests zeek-plugin-profinet && \
+ #git clone https://github.com/amzn/zeek-plugin-tds && \
+ #/opt/zeek/bin/zkg install --force --skiptests zeek-plugin-tds && \
+ /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
 /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
 /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
 /bin/python3 /opt/zeek/share/zeek/site/oui-logging/oui.py /opt/zeek/share/zeek/site/oui-logging/oui.dat && \
@@ -84,11 +81,11 @@ RUN groupadd --gid 937 zeek && \
 chown -R 937:937 /opt/zeek && \
 chown -R 937:937 /nsm/zeek && \
 chown -R 937:937 /usr/local/ssl
-
+
 FROM ghcr.io/security-onion-solutions/oraclelinux:9
 LABEL maintainer "Security Onion Solutions, LLC"
-LABEL description="Zeek running in a docker with AF_Packet 3.2.0 for use with Security Onion"
+LABEL description="Zeek running in docker for use with Security Onion"
 # Common CentOS layer
 RUN dnf update -y && \
@@ -106,7 +103,7 @@ COPY --from=builder /usr/local/ssl/ /usr/local/ssl
 # Copy over the entry script.
 COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
-RUN rpm -Uvh --nofiledigest --nodigest https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
 HEALTHCHECK --interval=10m --timeout=2m CMD /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
From 4c9d848e095df38b0f563df50b99101cc56f12c8 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 16 Oct 2023 16:31:20 -0400
Subject: [PATCH 04/19] Update fx-libpcap
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 so-zeek/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index 1a9e3d41..b3a903ff 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
@@ -103,7 +103,7 @@ COPY --from=builder /usr/local/ssl/ /usr/local/ssl
 # Copy over the entry script.
 COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
-RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
 HEALTHCHECK --interval=10m --timeout=2m CMD /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
From f97ca608b8fe22ab3ebf03f24aa36f1f95e845b2 Mon Sep 17 00:00:00 2001
From: defensivedepth
Date: Tue, 17 Oct 2023 15:09:35 -0400
Subject: [PATCH 05/19] Cleanup
---
 so-elastic-fleet-package-registry/Dockerfile | 6 +++---
 .../scripts/supported-integrations.sh | 10 +++++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/so-elastic-fleet-package-registry/Dockerfile b/so-elastic-fleet-package-registry/Dockerfile
index 4447faee..7a873906 100644
--- a/so-elastic-fleet-package-registry/Dockerfile
+++ b/so-elastic-fleet-package-registry/Dockerfile
@@ -12,13 +12,13 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-ARG VERSION=8.8.2
+ARG VERSION
 FROM docker.elastic.co/package-registry/distribution:$VERSION as original_image
+# Remove unsupported packages
 COPY scripts /scripts
-
-RUN chmod +x /scripts/supported-integrations.sh && bash /scripts/supported-integrations.sh
+RUN chmod +x /scripts/supported-integrations.sh && bash /scripts/supported-integrations.sh && rm -rf /scripts
 # Cleanup unneeded packages, keeping the two most recent versons of each one
 # Except for endpoint packages, keep all versions
diff --git a/so-elastic-fleet-package-registry/scripts/supported-integrations.sh b/so-elastic-fleet-package-registry/scripts/supported-integrations.sh
index 56d3faae..9181fca9 100644
--- a/so-elastic-fleet-package-registry/scripts/supported-integrations.sh
+++ b/so-elastic-fleet-package-registry/scripts/supported-integrations.sh
@@ -1,4 +1,12 @@
-#/bin/bash
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# This script removes unsupported packages from our self-hosted Elastic Package Repo container image.
+# It is meant to be used during the image build process.
 cd /packages/package-storage/
 for file in *
From c7a2457cce6756510c525ae018963ca1ae1585e5 Mon Sep 17 00:00:00 2001
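Review bot: `chmod +x /scripts/supported-integrations.sh` on the new RUN line does no useful work, because the script is run through `bash` rather than executed directly; either drop the chmod or invoke `/scripts/supported-integrations.sh` directly so the shebang this same patch fixes is what selects the interpreter. The new `# Remove unsupported packages` comment would be more useful if it named what decides "unsupported", e.g. `# Remove packages whose name prefix is not listed in scripts/supported-integrations.txt`. Removing `/scripts` in the same layer as the copy is the right call, since it keeps the allow-list and script out of the final image.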
From: defensivedepth
Date: Tue, 17 Oct 2023 15:40:16 -0400
Subject: [PATCH 06/19] Disable unsupported integrations
---
 so-kibana/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/so-kibana/Dockerfile b/so-kibana/Dockerfile
index 8ed38ebe..610573cd 100644
--- a/so-kibana/Dockerfile
+++ b/so-kibana/Dockerfile
@@ -34,6 +34,9 @@ RUN ln -s /usr/share/kibana /opt/kibana
 ENV PATH=/usr/share/kibana/bin:$PATH
+# Disable hardcoded Integrations from showing up
+RUN sed -i 's/"server": true,/"server": false,/g' /usr/share/kibana/node_modules/@kbn/custom-integrations-plugin/kibana.jsonc
+
 # Copy over the dashboards
 RUN mkdir /usr/share/kibana/dashboards
From 68203586a300fa55b0f7ab2213dd97e5118f12e0 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 18 Oct 2023 15:26:38 -0400
Subject: [PATCH 07/19] Fix for Zeek state.db being created as root, expected zeek:zeek. Use patched versions of profinet / tds plugins for Zeek 6.
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 so-zeek/Dockerfile | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index b3a903ff..f05a41ef 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
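Review bot: The new `sed -i` line cannot tell whether it matched anything, so a Kibana upgrade that moves or reformats `kibana.jsonc` would leave the built-in integrations visible while the build still succeeds. Asserting the result in the same RUN turns that drift into a build failure: `RUN sed -i 's/"server": true,/"server": false,/g' /usr/share/kibana/node_modules/@kbn/custom-integrations-plugin/kibana.jsonc && grep -q '"server": false,' /usr/share/kibana/node_modules/@kbn/custom-integrations-plugin/kibana.jsonc`. The comment above it would also benefit from naming the Kibana version this plugin path was verified against, e.g. `# Path verified against the Kibana version pinned in FROM; recheck on upgrade`. The FROM line this depends on is outside the hunk.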
@@ -65,10 +65,8 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-modbus && \
 git clone https://github.com/cisagov/icsnpp-s7comm && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-s7comm && \
- #git clone https://github.com/amzn/zeek-plugin-profinet && \
- #/opt/zeek/bin/zkg install --force --skiptests zeek-plugin-profinet && \
- #git clone https://github.com/amzn/zeek-plugin-tds && \
- #/opt/zeek/bin/zkg install --force --skiptests zeek-plugin-tds && \
+ /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-profinet --version=master && \
+ /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-tds --version=master && \
 /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
 /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
 /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
@@ -105,6 +103,6 @@ COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
 RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
-HEALTHCHECK --interval=10m --timeout=2m CMD /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
+HEALTHCHECK --interval=10m --timeout=2m CMD runuser -u zeek -- /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
 ENTRYPOINT ["/usr/local/sbin/zeek.sh"]
From 88d0ae1ffd0acb7ac4ad0237e0afb8fa02f44800 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 19 Oct 2023 14:16:41 -0400
Subject: [PATCH 08/19] Update Dockerfile
---
 so-suricata/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-suricata/Dockerfile b/so-suricata/Dockerfile
index fdd51a71..8baa3f75 100644
--- a/so-suricata/Dockerfile
+++ b/so-suricata/Dockerfile
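Review bot: The two new `zkg install … --version=master` lines pull the profinet and tds plugins from a third-party fork at whatever its master branch holds at build time, so the image is neither reproducible nor insulated from a later change to that branch; pin each to a commit, `--version=<commit-sha>`, and record in a comment which upstream pull requests (the commit message mentions two pending) the fork stands in for, so the pin can be dropped once they merge. The pre-existing `bzar` line in the same chain also tracks master and the `oui-logging` line carries no version at all, so the same treatment applies there. The RUN chain this hunk edits begins and ends outside it.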
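Review bot: With `runuser -u zeek --` prepended, the `||` branch of the HEALTHCHECK now fires not only when zeekctl reports a problem but also when runuser itself fails, for example because the `zeek` user or the runuser binary is absent from the final stage, and that branch sends SIGTERM and then SIGKILL to every process the probe shell can signal. The zeek group is created in the builder stage (`groupadd --gid 937 zeek`, seen in patch 03), but the final stage starts from a fresh FROM, so it is worth confirming the user exists there too; a build-time `RUN id zeek` placed after the user is created would fail the build rather than letting the health check take the service down. The HEALTHCHECK's one-line form keeps the original fallback, so the behaviour change is only the new failure mode described above.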
@@ -27,7 +27,7 @@ RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \
 lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \
 python3-devel python3-sphinx python3-yaml sudo which cargo \
 zlib-devel luajit-devel cargo && cargo install --force cbindgen
-ENV SURIVERSION=7.0.1
+ENV SURIVERSION=7.0.2
 RUN mkdir /suricata
 WORKDIR /suricata
From ae960da0cd7de7d3fae592840e04c841b99b5f4f Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 23 Oct 2023 14:51:06 -0400
Subject: [PATCH 09/19] UPGRADE: influxDB v2.7.1 & telegraf v1.28.2
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 so-influxdb/Dockerfile | 10 +++++-----
 so-telegraf/Dockerfile | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/so-influxdb/Dockerfile b/so-influxdb/Dockerfile
index a38363d4..9ebde4ad 100644
--- a/so-influxdb/Dockerfile
+++ b/so-influxdb/Dockerfile
@@ -1,12 +1,12 @@
-ARG INFLUX_VERSION=2.6.1
+ARG INFLUX_VERSION=2.7.1
-FROM ghcr.io/security-onion-solutions/ubuntu:22.04 as builder
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04 as builder
 ARG INFLUX_VERSION
-ARG NODE_VERSION=v18.14.0
+ARG NODE_VERSION=v20.8.1
 ARG NODE_ARCH=linux-x64
-RUN apt update -y && apt install -y git wget xz-utils
+RUN apt update -y && apt install -y git wget xz-utils
 RUN git clone https://github.com/influxdata/ui -b OSS-v$INFLUX_VERSION
 RUN wget https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$NODE_ARCH.tar.xz -O /node.xz
 RUN tar -xJf /node.xz
@@ -34,7 +34,7 @@ RUN chmod a+x /redirect_to_file.sh && groupmod -g 939 influxdb
 COPY --from=builder /ui/build /ui
-RUN apt update -y && apt install netcat -y && apt clean -y
+RUN apt update -y && apt install netcat-traditional -y && apt clean -y
 ENTRYPOINT ["/redirect_to_file.sh"]
 CMD ["/entrypoint.sh", "influxd"]
\ No newline at end of file
diff --git a/so-telegraf/Dockerfile b/so-telegraf/Dockerfile
index 9b909a90..fb316652 100644
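Review bot: The builder base moves from `ubuntu:22.04`, an LTS release, to `ubuntu:23.04`, an interim release with a nine-month support window, so security updates for the builder stop early in 2024 and its apt repositories will later move to old-releases, which breaks the `apt update` on the next line on rebuild. Node is already taken from the nodejs.org tarball rather than from apt, so it is not obvious what the newer base buys; if something in the build does require it, a comment on the FROM line saying what would let a later maintainer move back to an LTS tag with confidence. While the Node version is being bumped, the `wget …/node-$NODE_VERSION-$NODE_ARCH.tar.xz` context line still checks nothing about the archive; comparing it against the release's published `SHASUMS256.txt` entry with `sha256sum -c` before `tar -xJf` would pin it. Patch 16 reapplies this same hunk after the revert in patch 12.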
--- a/so-telegraf/Dockerfile
+++ b/so-telegraf/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/security-onion-solutions/telegraf:1.25.1-alpine
+FROM ghcr.io/security-onion-solutions/telegraf:1.28.2-alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Telegraf running in Docker container for use with Security Onion"
From 068f1a609e60abf0b262f9a83c80531e84fbb330 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 23 Oct 2023 17:20:08 -0400
Subject: [PATCH 10/19] Add bash to telegraf for scripts/ to function properly
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 so-telegraf/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-telegraf/Dockerfile b/so-telegraf/Dockerfile
index fb316652..3bcc0538 100644
--- a/so-telegraf/Dockerfile
+++ b/so-telegraf/Dockerfile
@@ -4,7 +4,7 @@ LABEL description="Telegraf running in Docker container for use with Security On
 USER root
-RUN apk add --no-cache redis curl jq
+RUN apk add --no-cache redis curl jq bash
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
From 2e4fe25c697cb82296fcfd7aefd26a15f5f35003 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 25 Oct 2023 13:09:11 -0400
Subject: [PATCH 11/19] Add integrations
---
 .../scripts/supported-integrations.txt | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/so-elastic-fleet-package-registry/scripts/supported-integrations.txt b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
index 544d8ff6..c14b7426 100644
--- a/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
+++ b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
@@ -1,17 +1,24 @@
 apache-
 auditd-
+auth0-
 aws-
 azure-
 barracuda-
+carbonblack_edr-
+checkpoint-
 cisco_asa-
+cisco_duo-
+cisco_meraki-
+cisco_umbrella-
 cloudflare-
 crowdstrike-
 darktrace-
 elasticsearch-
 endpoint-
 f5_bigip-
-fleet_server-
 fim-
+fireeye-
+fleet_server-
 fortinet-
 fortinet_fortigate-
 gcp-
@@ -27,18 +34,24 @@ log-
 m365_defender-
 microsoft_defender_endpoint-
 microsoft_dhcp-
+mimecast-
 netflow-
 o365-
 okta-
 osquery_manager-
 panw-
 pfsense-
+pulse_connect_secure-
 redis-
 sentinel_one-
+snyk-
 sonicwall_firewall-
+sophos-
+sophos_central-
 symantec_endpoint-
 system-
 tcp-
+tenable_sc-
 ti_abusech-
 ti_misp-
 ti_otx-
@@ -47,4 +60,4 @@ udp-
 windows-
 zscaler_zia-
 zscaler_zpa-
-1password-
\ No newline at end of file
+1password-
From 45c7b50b8fd6d00f32e65b18ff688422f7f5ac52 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 25 Oct 2023 13:30:28 -0400
Subject: [PATCH 12/19] Revert "UPGRADE: influxDB v2.7.1 & telegraf v1.28.2"
---
 so-influxdb/Dockerfile | 10 +++++-----
 so-telegraf/Dockerfile | 4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/so-influxdb/Dockerfile b/so-influxdb/Dockerfile
index 9ebde4ad..a38363d4 100644
--- a/so-influxdb/Dockerfile
+++ b/so-influxdb/Dockerfile
@@ -1,12 +1,12 @@
-ARG INFLUX_VERSION=2.7.1
+ARG INFLUX_VERSION=2.6.1
-FROM ghcr.io/security-onion-solutions/ubuntu:23.04 as builder
+FROM ghcr.io/security-onion-solutions/ubuntu:22.04 as builder
 ARG INFLUX_VERSION
-ARG NODE_VERSION=v20.8.1
+ARG NODE_VERSION=v18.14.0
 ARG NODE_ARCH=linux-x64
-RUN apt update -y && apt install -y git wget xz-utils
+RUN apt update -y && apt install -y git wget xz-utils
 RUN git clone https://github.com/influxdata/ui -b OSS-v$INFLUX_VERSION
 RUN wget https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$NODE_ARCH.tar.xz -O /node.xz
 RUN tar -xJf /node.xz
@@ -34,7 +34,7 @@ RUN chmod a+x /redirect_to_file.sh && groupmod -g 939 influxdb
 COPY --from=builder /ui/build /ui
-RUN apt update -y && apt install netcat-traditional -y && apt clean -y
+RUN apt update -y && apt install netcat -y && apt clean -y
 ENTRYPOINT ["/redirect_to_file.sh"]
 CMD ["/entrypoint.sh", "influxd"]
\ No newline at end of file
diff --git a/so-telegraf/Dockerfile b/so-telegraf/Dockerfile
index 3bcc0538..9b909a90 100644
--- a/so-telegraf/Dockerfile
+++ b/so-telegraf/Dockerfile
@@ -1,10 +1,10 @@
-FROM ghcr.io/security-onion-solutions/telegraf:1.28.2-alpine
+FROM ghcr.io/security-onion-solutions/telegraf:1.25.1-alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Telegraf running in Docker container for use with Security Onion"
 USER root
-RUN apk add --no-cache redis curl jq bash
+RUN apk add --no-cache redis curl jq
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
From 5e23461c307f8422fa365f8bab7d502a711c2c90 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 25 Oct 2023 13:32:54 -0400
Subject: [PATCH 13/19] Add sphere integration
---
 .../scripts/supported-integrations.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/so-elastic-fleet-package-registry/scripts/supported-integrations.txt b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
index c14b7426..31e72ad7 100644
--- a/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
+++ b/so-elastic-fleet-package-registry/scripts/supported-integrations.txt
@@ -57,6 +57,7 @@ ti_misp-
 ti_otx-
 ti_recordedfuture-
 udp-
+vsphere-
 windows-
 zscaler_zia-
 zscaler_zpa-
From 6d7a3edeb9a65a93926dc246bafc62c7cef98e8d Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 26 Oct 2023 10:41:30 -0400
Subject: [PATCH 14/19] Remove cpan Test::More
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 so-zeek/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index f05a41ef..4918990a 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
@@ -32,8 +32,8 @@ RUN wget https://www.openssl.org/source/old/3.0/openssl-3.0.1.tar.gz && tar zxvf
 WORKDIR /opensslbuild/openssl-3.0.1
 RUN dnf -y install perl && \
- echo 'yes' | cpan && \
- cpan Test::More && \
+ # echo 'yes' | cpan && \
+ # cpan Test::More && \
 ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl enable-fips && \
 time make -j4 && \
 time make install && \
From b2333ab842928967e44675e7965f166cd1332344 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 26 Oct 2023 10:47:36 -0400
Subject: [PATCH 15/19] Delete instead of comment out lines. Fix typo
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 so-zeek/Dockerfile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index 4918990a..afd81e0c 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
@@ -32,8 +32,6 @@ RUN wget https://www.openssl.org/source/old/3.0/openssl-3.0.1.tar.gz && tar zxvf
 WORKDIR /opensslbuild/openssl-3.0.1
 RUN dnf -y install perl && \
- # echo 'yes' | cpan && \
- # cpan Test::More && \
 ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl enable-fips && \
 time make -j4 && \
 time make install && \
From f0cdf88fdefc9f4ad984d22f8de1c3c85a619c51 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 26 Oct 2023 13:21:56 -0400
Subject: [PATCH 16/19] Revert "Revert "UPGRADE: influxDB v2.7.1 & telegraf v1.28.2""
---
 so-influxdb/Dockerfile | 10 +++++-----
 so-telegraf/Dockerfile | 4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/so-influxdb/Dockerfile b/so-influxdb/Dockerfile
index a38363d4..9ebde4ad 100644
--- a/so-influxdb/Dockerfile
+++ b/so-influxdb/Dockerfile
@@ -1,12 +1,12 @@
-ARG INFLUX_VERSION=2.6.1
+ARG INFLUX_VERSION=2.7.1
-FROM ghcr.io/security-onion-solutions/ubuntu:22.04 as builder
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04 as builder
 ARG INFLUX_VERSION
-ARG NODE_VERSION=v18.14.0
+ARG NODE_VERSION=v20.8.1
 ARG NODE_ARCH=linux-x64
-RUN apt update -y && apt install -y git wget xz-utils
+RUN apt update -y && apt install -y git wget xz-utils
 RUN git clone https://github.com/influxdata/ui -b OSS-v$INFLUX_VERSION
 RUN wget https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$NODE_ARCH.tar.xz -O /node.xz
 RUN tar -xJf /node.xz
@@ -34,7 +34,7 @@ RUN chmod a+x /redirect_to_file.sh && groupmod -g 939 influxdb
 COPY --from=builder /ui/build /ui
-RUN apt update -y && apt install netcat -y && apt clean -y
+RUN apt update -y && apt install netcat-traditional -y && apt clean -y
 ENTRYPOINT ["/redirect_to_file.sh"]
 CMD ["/entrypoint.sh", "influxd"]
\ No newline at end of file
diff --git a/so-telegraf/Dockerfile b/so-telegraf/Dockerfile
index 9b909a90..3bcc0538 100644
--- a/so-telegraf/Dockerfile
+++ b/so-telegraf/Dockerfile
@@ -1,10 +1,10 @@
-FROM ghcr.io/security-onion-solutions/telegraf:1.25.1-alpine
+FROM ghcr.io/security-onion-solutions/telegraf:1.28.2-alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Telegraf running in Docker container for use with Security Onion"
 USER root
-RUN apk add --no-cache redis curl jq
+RUN apk add --no-cache redis curl jq bash
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
From fd779dfba70ea889fe98b0b1772c16bf94260d57 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 27 Oct 2023 16:03:24 -0400
Subject: [PATCH 17/19] Update Dockerfile
---
 so-zeek/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index afd81e0c..956f0d7c 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
@@ -39,7 +39,7 @@ RUN dnf -y install perl && \
 WORKDIR /
-ENV ZEEKVER=6.0.1
+ENV ZEEKVER=6.0.2
 ARG BUILD_TYPE=Release
 RUN mkdir /zeekbuild
From 2f4df8cc5682c0420d2e34a37b883ed50b021b9c Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 2 Nov 2023 14:04:58 -0400
Subject: [PATCH 18/19] Fix dns.query.name
---
 so-soctopus/so-soctopus/playbook/securityonion-baseline.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
index 69180e05..8f985cd4 100644
--- a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
+++ b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
@@ -232,8 +232,7 @@ fieldmappings:
 username: user.name
 uid: user.uid
 sid: rule.uuid
- query: query
- answer: answers
+ query: dns.query.name
 src_ip: destination.ip.keyword
 src_port: source.port
 dst_ip: destination.ip.keyword
From 9b6110e1870606478092d4b3b4c31c1691f51db2 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 2 Nov 2023 14:07:14 -0400
Subject: [PATCH 19/19] Fix dns.query.name
---
 so-soctopus/so-soctopus/playbook/securityonion-baseline.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
index 8f985cd4..3f18bcfd 100644
--- a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
+++ b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
@@ -232,6 +232,7 @@ fieldmappings:
 username: user.name
 uid: user.uid
 sid: rule.uuid
+ answer: answers
 query: dns.query.name
 src_ip: destination.ip.keyword
 src_port: source.port
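Review bot: The restored `answer: answers` mapping, unlike `query: dns.query.name` directly below it, carries no `dns.` prefix; in ECS the DNS answers live under `dns.answers`, so unless `answers` is a custom top-level field in this index the mapping will resolve to nothing at search time — if the ECS field is meant, `answer: dns.answers.name` (or whichever sub-field the rules expect) is the likely fix. Since patch 18 removed this line and this patch re-adds it, a short comment on why it is needed would keep the next cleanup from dropping it again. The neighbouring `src_ip: destination.ip.keyword` context line also maps a source field onto a destination one, presumably a slip for `source.ip.keyword`, and is worth checking in the same pass. The `fieldmappings:` block extends beyond the hunk.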