diff --git a/so-grafana/Dockerfile b/so-grafana/Dockerfile
index d669912f..6e04eb76 100644
--- a/so-grafana/Dockerfile
+++ b/so-grafana/Dockerfile
@@ -1,8 +1,8 @@
-FROM ghcr.io/security-onion-solutions/ubuntu:18.04
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Grafana running in Docker container for use with Security Onion"
-ARG GRAFANA_URL="https://dl.grafana.com/oss/release/grafana-9.2.20.linux-amd64.tar.gz"
+ARG GRAFANA_URL="https://dl.grafana.com/oss/release/grafana-10.1.5.linux-amd64.tar.gz"
 ARG GF_UID="939"
 ARG GF_GID="939"
@@ -53,4 +53,4 @@ RUN chmod +x /run.sh
 USER socore
 WORKDIR /
-ENTRYPOINT [ "/run.sh" ]
+ENTRYPOINT [ "/run.sh" ]
diff --git a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
index 0e15517f..f4f16b6d 100644
--- a/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
+++ b/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml
@@ -65,6 +65,11 @@ logsources:
 service: driver-framework
 conditions:
 source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-sysmon:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-msexchange-management:
 product: windows
 service: msexchange-management
@@ -138,6 +143,7 @@ fieldmappings:
 TargetFilename: file.target
 TargetImage: winlog.event_data.TargetImage
 TargetObject: winlog.event_data.TargetObject
+ TargetUserName: winlog.event_data.TargetUserName
 TicketEncryptionType: winlog.event_data.TicketEncryptionType
 TicketOptions: winlog.event_data.TicketOptions
 User: user.name
@@ -165,4 +171,4 @@ fieldmappings:
 c-uri: http.uri
 c-useragent: http.useragent
 cs-version: http.version
- IpAddress: winlog.event_data.IpAddress
\ No newline at end of file
+ IpAddress: winlog.event_data.IpAddress
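Review bot: The new base tag `ghcr.io/security-onion-solutions/ubuntu:23.04` on the `FROM` line is an interim Ubuntu release, which Canonical supports for only nine months (lunar is scheduled to reach end of life in January 2024), so this image will stop receiving OS security updates long before the Grafana build it carries is retired. Leaving 18.04 is right; prefer an LTS tag such as `ubuntu:22.04` unless a lunar-only package is actually required, and if it is, say so in a comment next to the `FROM` line. The `GRAFANA_URL` bump to 10.1.5 is fine, but the step that downloads and unpacks it is outside this hunk, so I cannot tell whether the tarball is checksum-verified; if it is not, Grafana publishes a sha256 per release that is worth pinning beside the URL.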
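Review bot: The added logsource is keyed `windows-sysmon` but describes the CodeIntegrity channel (`service: codeintegrity-operational`), which looks like a copy-paste leftover; if a `windows-sysmon` entry already exists earlier in `logsources:` (outside this hunk), a duplicate YAML key is silently resolved to the last occurrence by PyYAML and every Sysmon rule would then compile against the CodeIntegrity condition. Rename the key to match the service, e.g. `windows-codeintegrity-operational:`. The condition also uses `log_name:` while the neighbouring `driver-framework` entry uses `source:`; only one of those can be the field the indexed winlog documents actually carry, so confirm the field name and use it consistently before merging.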
diff --git a/so-strelka-backend/Dockerfile b/so-strelka-backend/Dockerfile
index f454000b..53aadb48 100644
--- a/so-strelka-backend/Dockerfile
+++ b/so-strelka-backend/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/security-onion-solutions/ubuntu:22.04
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04
 LABEL maintainer "Security Onion Solutions, LLC"
 ARG DEBIAN_FRONTEND=noninteractive
@@ -9,17 +9,23 @@ ARG USERNAME=strelka
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
+ENV PYTHONUNBUFFERED 1
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PIP_BREAK_SYSTEM_PACKAGES 1
+
 # Create the user
 RUN groupadd --gid $USER_GID $USERNAME \
 && useradd --uid $USER_UID --gid $USER_GID --create-home --shell /bin/bash $USERNAME
-ARG YARA_VERSION=4.2.3
-ARG YARA_PYTHON_VERSION=4.2.3
+ARG YARA_VERSION=4.3.0
+ARG YARA_PYTHON_VERSION=4.3.0
 ARG CAPA_VERSION=5.0.0
 ARG EXIFTOOL_VERSION=12.52
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
 # SO - Pin to release tag, download from GitHub, and prepare container dirs
-ARG STRELKA_RELEASE_VERSION=0.23.05.22
+ARG STRELKA_RELEASE_VERSION=0.23.09.12
 RUN mkdir /strelka && \
 mkdir /etc/strelka && \
 mkdir /tmp/strelka && \
@@ -30,7 +36,7 @@ RUN mkdir /strelka && \
 cp -fr /tmp/strelka/src/python/* /strelka/ && \
 cp -fr /tmp/strelka/configs/python/backend/* /etc/strelka/ && \
 cp -fr /tmp/strelka/build/python/backend/pin.pref /etc/apt/preferences.d/ && \
-cp -fr /tmp/strelka/build/python/backend/kinetic.list /etc/apt/sources.list.d/ && \
+cp -fr /tmp/strelka/build/python/backend/lunar.list /etc/apt/sources.list.d/ && \
 rm -fr /tmp/strelka && \
 chown -R ${USER_UID}:${USER_GID} /var/log/strelka/
diff --git a/so-strelka-backend/lunar.list b/so-strelka-backend/lunar.list
new file mode 100644
index 00000000..baaa3ea9
--- /dev/null
+++ b/so-strelka-backend/lunar.list
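Review bot: `ENV PIP_BREAK_SYSTEM_PACKAGES 1` persists into the running container, so it disables the PEP 668 externally-managed-environment guard for every `pip` invocation at runtime, not only for the build; since it exists to let the install steps (outside this hunk) write into the system site-packages, scope it to those lines, e.g. `RUN PIP_BREAK_SYSTEM_PACKAGES=1 pip install ...`, or declare it as an `ARG`. The three new `ENV` lines also use the legacy space-separated form, which BuildKit now warns about; write `ENV PYTHONUNBUFFERED=1` and so on. The new keep-cache `RUN` makes apt retain downloaded `.deb` files under `/var/cache/apt/archives`; unless the apt-get steps elsewhere in this file run under `--mount=type=cache,target=/var/cache/apt`, those archives are baked into the image layers, so either add the cache mount or drop this line and leave `docker-clean` in place.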
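Review bot: The changed `cp` line still takes `lunar.list` (and `pin.pref` on the line above it) from the downloaded Strelka release tree under `/tmp/strelka/build/python/backend/`, yet this same commit adds `so-strelka-backend/lunar.list` and `so-strelka-backend/pin.pref` to the repository and no instruction in this hunk references those repo copies, so they are either dead files or consumed by a `COPY` I cannot see. If Security Onion is meant to own the apt sources and pins for this image, copy them in explicitly (`COPY lunar.list /etc/apt/sources.list.d/` and `COPY pin.pref /etc/apt/preferences.d/`) and remove the two upstream `cp` lines, so that a future change to that upstream directory cannot silently alter where this image pulls packages from. The `RUN mkdir /strelka` chain this hunk belongs to starts before the hunk.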
@@ -0,0 +1,2 @@
+deb [arch=amd64] http://archive.ubuntu.com/ubuntu lunar main restricted universe multiverse
+deb [arch=arm64] http://ports.ubuntu.com/ lunar main restricted universe multiverse
diff --git a/so-strelka-backend/pin.pref b/so-strelka-backend/pin.pref
new file mode 100644
index 00000000..8fae477d
--- /dev/null
+++ b/so-strelka-backend/pin.pref
@@ -0,0 +1,7 @@
+Package: 7zip
+Pin: release n=jammy
+Pin-Priority: 100
+
+Package: *
+Pin: release n=lunar
+Pin-Priority: 200
diff --git a/so-suricata/Dockerfile b/so-suricata/Dockerfile
index 9b9d63ec..b10a87d5 100644
--- a/so-suricata/Dockerfile
+++ b/so-suricata/Dockerfile
@@ -18,7 +18,7 @@ FROM ghcr.io/security-onion-solutions/centos:7 as builder
 RUN yum -y install epel-release
 RUN yum -y install jansson-devel libpcap-devel python3 libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel kernel-devel kernel-headers libjansson libgeoip liblua5.1 curl wget make gcc pkg-config libhiredis libevent pcre-devel libpcre libmagic zlib libyaml rustc cargo libyaml-devel libcap-ng-devel file-devel nss-devel nspr-devel python3-yaml luajit-devel luajit
-ENV SURIVERSION=6.0.14
+ENV SURIVERSION=6.0.15
 RUN mkdir /suricata
 WORKDIR /suricata
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
index a0d7c3fe..842927dc 100644
--- a/so-zeek/Dockerfile
+++ b/so-zeek/Dockerfile
@@ -13,7 +13,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FROM ghcr.io/security-onion-solutions/rockylinux:8 as builder
+FROM ghcr.io/security-onion-solutions/rockylinux:8 as builder
 RUN dnf -y install dnf-plugins-core && dnf config-manager --set-enabled powertools && dnf update -y && \
 dnf -y install epel-release bash libpcap iproute wget cmake swig && \
 dnf -y install jemalloc numactl libnl3 libdnet gdb GeoIP git && \
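Review bot: Both new `deb` entries fetch over plain `http://`; apt still verifies the InRelease signature so package integrity holds, but every index and package download is visible to and replayable by anyone on the path. Ubuntu's archive and ports mirrors serve HTTPS, so use `https://archive.ubuntu.com/ubuntu` and `https://ports.ubuntu.com/` (this needs `ca-certificates` in the image, which an `ubuntu:23.04` base normally carries, but confirm). Since the base image itself is now 23.04, this file re-adds the suite the base already ships, which is harmless but deserves a one-line comment at the top explaining why the file exists.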
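Review bot: The first stanza pins `7zip` to `release n=jammy` at priority 100, but `lunar.list` adds only lunar suites and the base image is now `ubuntu:23.04`, so unless a jammy source exists somewhere I cannot see, nothing can ever match that pin and 7zip will simply be installed from lunar at priority 200 like everything else. This looks like a carry-over from upstream Strelka's jammy-based build, where the pin had a purpose; here either add the jammy source the pin expects (if the intent really is to hold 7zip at the jammy build) or delete the stanza so the file reflects what actually happens. Whichever way, add a comment at the top of the file stating the intent so the next reader does not have to rediscover it.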
@@ -22,7 +22,7 @@ RUN dnf -y install dnf-plugins-core && dnf config-manager --set-enabled powertoo
 pip3 install GitPython semantic-version requests && \
 dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf
-ENV ZEEKVER=5.0.10
+ENV ZEEKVER=6.0.2
 ARG BUILD_TYPE=Release
 RUN mkdir /zeekbuild
@@ -32,13 +32,10 @@ WORKDIR /zeekbuild
 RUN wget https://download.zeek.org/zeek-$ZEEKVER.tar.gz && tar zxvf zeek-$ZEEKVER.tar.gz
 RUN cd zeek-$ZEEKVER && \
 ./configure --prefix=/opt/zeek --spooldir=/nsm/zeek/spool --logdir=/nsm/zeek/logs --enable-jemalloc --build-type=$BUILD_TYPE && \
- make -j4 && make install
+ make -j4 && make install
 RUN yum install -y glibc-common
 RUN /opt/zeek/bin/zkg install --force ja3 && \
 /opt/zeek/bin/zkg install --force hassh && \
- /opt/zeek/bin/zkg install --force https://github.com/TOoSmOotH/zeek-af_packet-plugin --version=master && \
- /opt/zeek/bin/zkg install --force zeek-community-id && \
- #/opt/zeek/bin/zkg install --force bzar && \
 /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/bzar --version=master && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-bacnet && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-bsap && \
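Review bot: Removing `zeek-community-id` alongside the af_packet plugin is only complete for Zeek 6 if the built-in replacement is switched on: Zeek 6 ships community ID hashing as `policy/protocols/conn/community-id-logging.zeek`, but that script is not loaded by default, so unless `local.zeek` (not part of this diff) adds `@load policy/protocols/conn/community-id-logging`, `conn.log` loses the `community_id` field that Security Onion's Zeek/Suricata pivoting presumably keys on. Dropping the af_packet package is fine since Zeek 6 builds that packet source in. A comment on the install chain would keep someone from re-adding the packages, e.g. `# af_packet and community-id are built into Zeek >= 6; community-id must be @load-ed in local.zeek`. The `RUN … zkg install` chain continues past the end of this hunk.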
@@ -50,11 +47,9 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-modbus && \
 git clone https://github.com/cisagov/icsnpp-s7comm && \
 /opt/zeek/bin/zkg install --force --skiptests icsnpp-s7comm && \
- git clone https://github.com/amzn/zeek-plugin-profinet && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-profinet && \
- git clone https://github.com/amzn/zeek-plugin-tds && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-tds && \
- /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
+ /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-profinet --version master && \
+ /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-tds --version master && \
+ /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
 /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
 /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
 /bin/python3 /opt/zeek/share/zeek/site/oui-logging/oui.py /opt/zeek/share/zeek/site/oui-logging/oui.dat && \
@@ -64,11 +59,11 @@ RUN groupadd --gid 937 zeek && \
 adduser --uid 937 --gid 937 --home-dir /opt/zeek --no-create-home zeek && \
 chown -R 937:937 /opt/zeek && \
 chown -R 937:937 /nsm/zeek
-
+
 FROM ghcr.io/security-onion-solutions/rockylinux:8
 LABEL maintainer "Security Onion Solutions, LLC"
-LABEL description="Zeek running in a docker with AF_Packet 3.2.0 for use with Security Onion."
+LABEL description="Zeek running in docker for use with Security Onion."
 # Common CentOS layer
 RUN dnf update -y && \
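Review bot: The two changed lines install `zeek-plugin-profinet` and `zeek-plugin-tds` from a personal fork (`mmguero-dev`) at `--version master`, and the `bzar` line above already does the same; a mutable branch on a third-party account is executed as plugin and script code on every sensor, so the build is neither reproducible nor protected against that branch or account changing. Pin each fork to a commit hash you have reviewed (`--version <sha>`) or to a tag, and record in a comment why the `amzn` originals were dropped, presumably because they do not build against Zeek 6, which I cannot confirm from here. `--skiptests` on every package also means a plugin that fails its own test suite under 6.0 still ships; at least the forks are worth running with tests enabled once. This `RUN` chain begins and ends outside the hunk.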
@@ -77,15 +72,15 @@ RUN dnf update -y && \
 dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf && \
 groupadd --gid 937 zeek && \
 adduser --uid 937 --gid 937 --home-dir /opt/zeek --no-create-home zeek
-
+
 COPY --from=builder /nsm/zeek /nsm/zeek
 COPY --from=builder /opt/zeek /opt/zeek
 # Copy over the entry script.
 COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
-RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
-HEALTHCHECK --interval=10m --timeout=2m CMD /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
+HEALTHCHECK --interval=10m --timeout=2m CMD runuser -u zeek -- /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
 ENTRYPOINT ["/usr/local/sbin/zeek.sh"]
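Review bot: The changed `RUN rpm -Uvh https://github.com/axellioinc/...` line installs a package fetched straight off the network with no checksum or signature check (rpm only warns on a missing or unknown key and proceeds), so the libpcap that every Zeek worker links against is whatever that URL serves at build time. Download the RPM first, verify a pinned sha256 taken from the release page, then install from the local file; curl is normally present on the rockylinux:8 base, but confirm. Separately, the HEALTHCHECK now runs `zeekctl status` via `runuser -u zeek`, which only works while the check itself runs as root; no `USER` is set in this hunk so that holds today, but the `kill -s 15 -1` fallback then terminates every process in the container as root whenever zeekctl is missing or misbehaves, which deserves a comment stating that this is the intended "crash so the orchestrator restarts us" behaviour.
```dockerfile
RUN curl -fsSL -o /tmp/fx-libpcap.rpm \
      https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm && \
    echo "<sha256 from the release page>  /tmp/fx-libpcap.rpm" | sha256sum -c - && \
    rpm -Uvh /tmp/fx-libpcap.rpm && \
    rm -f /tmp/fx-libpcap.rpm
```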