Merge pull request #488 from Security-Onion-Solutions/dev

2.3.280
Security-Onion-Solutions · Nov 28, 2023 · 0cab28f · 0cab28f
2 parents a52bf5b + 590065e
commit 0cab28f
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 27 deletions.
diff --git a/so-grafana/Dockerfile b/so-grafana/Dockerfile
@@ -1,8 +1,8 @@
-FROM ghcr.io/security-onion-solutions/ubuntu:18.04
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Grafana running in Docker container for use with Security Onion"
 
-ARG GRAFANA_URL="https://dl.grafana.com/oss/release/grafana-9.2.20.linux-amd64.tar.gz"
+ARG GRAFANA_URL="https://dl.grafana.com/oss/release/grafana-10.1.5.linux-amd64.tar.gz"
 ARG GF_UID="939"
 ARG GF_GID="939"
 
@@ -53,4 +53,4 @@ RUN chmod +x /run.sh
 
 USER socore
 WORKDIR /
-ENTRYPOINT [ "/run.sh" ] 
+ENTRYPOINT [ "/run.sh" ]
diff --git a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
@@ -65,6 +65,11 @@ logsources:
     service: driver-framework
     conditions:
       source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-sysmon:
+    product: windows
+    service: codeintegrity-operational
+    conditions:
+      log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
   windows-msexchange-management:
     product: windows
     service: msexchange-management
@@ -138,6 +143,7 @@ fieldmappings:
     TargetFilename: file.target
     TargetImage: winlog.event_data.TargetImage
     TargetObject: winlog.event_data.TargetObject
+    TargetUserName: winlog.event_data.TargetUserName
     TicketEncryptionType: winlog.event_data.TicketEncryptionType
     TicketOptions: winlog.event_data.TicketOptions
     User: user.name
@@ -165,4 +171,4 @@ fieldmappings:
     c-uri: http.uri
     c-useragent: http.useragent
     cs-version: http.version
-    IpAddress: winlog.event_data.IpAddress
+    IpAddress: winlog.event_data.IpAddress
diff --git a/so-strelka-backend/Dockerfile b/so-strelka-backend/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/security-onion-solutions/ubuntu:22.04
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04
 LABEL maintainer "Security Onion Solutions, LLC"
 
 ARG DEBIAN_FRONTEND=noninteractive
@@ -9,17 +9,23 @@ ARG USERNAME=strelka
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
 
+ENV PYTHONUNBUFFERED 1
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PIP_BREAK_SYSTEM_PACKAGES 1
+
 # Create the user
 RUN groupadd --gid $USER_GID $USERNAME \
     && useradd --uid $USER_UID --gid $USER_GID --create-home --shell /bin/bash $USERNAME
 
-ARG YARA_VERSION=4.2.3
-ARG YARA_PYTHON_VERSION=4.2.3
+ARG YARA_VERSION=4.3.0
+ARG YARA_PYTHON_VERSION=4.3.0
 ARG CAPA_VERSION=5.0.0
 ARG EXIFTOOL_VERSION=12.52
 
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
 # SO - Pin to release tag, download from GitHub, and prepare container dirs
-ARG STRELKA_RELEASE_VERSION=0.23.05.22
+ARG STRELKA_RELEASE_VERSION=0.23.09.12
 RUN mkdir /strelka && \
     mkdir /etc/strelka && \
     mkdir /tmp/strelka && \
@@ -30,7 +36,7 @@ RUN mkdir /strelka && \
     cp -fr /tmp/strelka/src/python/* /strelka/ && \
     cp -fr /tmp/strelka/configs/python/backend/* /etc/strelka/ && \
     cp -fr /tmp/strelka/build/python/backend/pin.pref /etc/apt/preferences.d/ && \
-    cp -fr /tmp/strelka/build/python/backend/kinetic.list /etc/apt/sources.list.d/ && \
+    cp -fr /tmp/strelka/build/python/backend/lunar.list /etc/apt/sources.list.d/ && \
     rm -fr /tmp/strelka && \
     chown -R ${USER_UID}:${USER_GID} /var/log/strelka/
 

diff --git a/so-strelka-backend/lunar.list b/so-strelka-backend/lunar.list
@@ -0,0 +1,2 @@
+deb [arch=amd64] http://archive.ubuntu.com/ubuntu lunar main restricted universe multiverse
+deb [arch=arm64] http://ports.ubuntu.com/ lunar main restricted universe multiverse
diff --git a/so-strelka-backend/pin.pref b/so-strelka-backend/pin.pref
@@ -0,0 +1,7 @@
+Package: 7zip
+Pin: release n=jammy
+Pin-Priority: 100
+
+Package: *
+Pin: release n=lunar
+Pin-Priority: 200
diff --git a/so-suricata/Dockerfile b/so-suricata/Dockerfile
@@ -18,7 +18,7 @@ FROM ghcr.io/security-onion-solutions/centos:7 as builder
 RUN yum -y install epel-release
 RUN yum -y install jansson-devel libpcap-devel python3 libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel kernel-devel kernel-headers libjansson libgeoip liblua5.1 curl wget make gcc pkg-config libhiredis libevent pcre-devel libpcre libmagic zlib libyaml rustc cargo libyaml-devel libcap-ng-devel file-devel nss-devel nspr-devel python3-yaml luajit-devel luajit
 
-ENV SURIVERSION=6.0.14
+ENV SURIVERSION=6.0.15
 RUN mkdir /suricata
 
 WORKDIR /suricata

diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM ghcr.io/security-onion-solutions/rockylinux:8 as builder 
+FROM ghcr.io/security-onion-solutions/rockylinux:8 as builder
 RUN dnf -y install dnf-plugins-core && dnf config-manager --set-enabled powertools && dnf update -y && \
     dnf -y install epel-release bash libpcap iproute wget cmake swig && \
     dnf -y install jemalloc numactl libnl3 libdnet gdb GeoIP git && \
@@ -22,7 +22,7 @@ RUN dnf -y install dnf-plugins-core && dnf config-manager --set-enabled powertoo
     pip3 install GitPython semantic-version requests && \
     dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf
 
-ENV ZEEKVER=5.0.10
+ENV ZEEKVER=6.0.2
 ARG BUILD_TYPE=Release
 
 RUN mkdir /zeekbuild
@@ -32,13 +32,10 @@ WORKDIR /zeekbuild
 RUN wget https://download.zeek.org/zeek-$ZEEKVER.tar.gz && tar zxvf zeek-$ZEEKVER.tar.gz
 RUN cd zeek-$ZEEKVER && \
     ./configure --prefix=/opt/zeek --spooldir=/nsm/zeek/spool --logdir=/nsm/zeek/logs --enable-jemalloc --build-type=$BUILD_TYPE && \
-    make -j4 && make install 
+    make -j4 && make install
 RUN yum install -y glibc-common
 RUN /opt/zeek/bin/zkg install --force ja3 && \
     /opt/zeek/bin/zkg install --force hassh && \
-    /opt/zeek/bin/zkg install --force https://github.com/TOoSmOotH/zeek-af_packet-plugin --version=master && \
-    /opt/zeek/bin/zkg install --force zeek-community-id && \
-    #/opt/zeek/bin/zkg install --force bzar && \
     /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/bzar --version=master && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-bacnet && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-bsap && \
@@ -50,11 +47,9 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-modbus && \
     git clone https://github.com/cisagov/icsnpp-s7comm && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-s7comm && \
-    git clone https://github.com/amzn/zeek-plugin-profinet && \
-    /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-profinet && \
-    git clone https://github.com/amzn/zeek-plugin-tds && \
-    /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-tds && \
-    /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \ 
+    /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-profinet --version master && \
+    /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-tds --version master && \
+    /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
     /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
     /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
     /bin/python3 /opt/zeek/share/zeek/site/oui-logging/oui.py /opt/zeek/share/zeek/site/oui-logging/oui.dat && \
@@ -64,11 +59,11 @@ RUN groupadd --gid 937 zeek  && \
     adduser --uid 937 --gid 937 --home-dir /opt/zeek --no-create-home zeek && \
     chown -R 937:937 /opt/zeek && \
     chown -R 937:937 /nsm/zeek
-    
-FROM ghcr.io/security-onion-solutions/rockylinux:8 
+
+FROM ghcr.io/security-onion-solutions/rockylinux:8
 
 LABEL maintainer "Security Onion Solutions, LLC"
-LABEL description="Zeek running in a docker with AF_Packet 3.2.0 for use with Security Onion."
+LABEL description="Zeek running in docker for use with Security Onion."
 
 # Common CentOS layer
 RUN dnf update -y && \
@@ -77,15 +72,15 @@ RUN dnf update -y && \
     dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf && \
     groupadd --gid 937 zeek  && \
     adduser --uid 937 --gid 937 --home-dir /opt/zeek --no-create-home zeek
-    
+
 COPY --from=builder /nsm/zeek /nsm/zeek
 COPY --from=builder /opt/zeek /opt/zeek
 
 # Copy over the entry script.
 COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
-RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
 
-HEALTHCHECK --interval=10m --timeout=2m CMD /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
+HEALTHCHECK --interval=10m --timeout=2m CMD runuser -u zeek -- /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
 
 ENTRYPOINT ["/usr/local/sbin/zeek.sh"]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		deb [arch=amd64] http://archive.ubuntu.com/ubuntu lunar main restricted universe multiverse
		deb [arch=arm64] http://ports.ubuntu.com/ lunar main restricted universe multiverse