Merge pull request #55 from Security-Onion-Solutions/dev

2.3.10

.github/workflows/leaktest.yml

@@ -0,0 +1,15 @@
+name: leak-test
+
+on: [push,pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: '0'
+
+    - name: Gitleaks
+      uses: zricethezav/gitleaks-action@master

so-acng/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:18.04
+FROM ghcr.io/security-onion-solutions/ubuntu:18.04
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="apt-cacher running in Docker container for use with Security Onion"

so-curator/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM bobrik/curator
+FROM ghcr.io/security-onion-solutions/curator
 
 LABEL maintainer "Security Onion Solutions, LLC"
 

so-domainstats/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM python:3-alpine
+FROM ghcr.io/security-onion-solutions/python:3-alpine
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Domainstats running in Docker container for use with Security Onion"

so-elastalert/Dockerfile

@@ -1,4 +1,4 @@
-FROM jertel/elastalert-docker:latest-alt
+FROM ghcr.io/security-onion-solutions/elastalert-docker:latest-alt
 LABEL maintainer "Security Onion Solutions, LLC"
 
 ARG GID=933

so-fleet-launcher/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:18.04
+FROM ghcr.io/security-onion-solutions/ubuntu:18.04
 
 # Common Ubuntu layer
 RUN apt-get update && \
@@ -25,7 +25,7 @@ RUN gem install --no-ri --no-rdoc fpm && \
     rm -rf /var/lib/apt/lists/*
 
 # Download tar that includes: generate-packages.sh, config files & base packages
-RUN curl -L https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/launcher-packages-2.1.0/launcher.tar.gz  -o /tmp/launcher.tgz
+RUN curl -L https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/launcher-2.3.10/launcher.tar.gz  -o /tmp/launcher.tgz
 RUN tar xf /tmp/launcher.tgz -C /var && \
     cp -fr /var/launcher/src/tools/* /usr/local/bin/
 

so-fleet/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM alpine
+FROM ghcr.io/security-onion-solutions/alpine:3.12.1
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Fleet running in Docker container for use with Security Onion"
 

so-freqserver/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3-alpine
+FROM ghcr.io/security-onion-solutions/python:3-alpine
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Freqserver running in Docker container for use with Security Onion"

so-grafana/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:18.04
+FROM ghcr.io/security-onion-solutions/ubuntu:18.04
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Grafana running in Docker container for use with Security Onion"
 

so-idstools/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM python:3-alpine
+FROM ghcr.io/security-onion-solutions/python:3-alpine
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="IDSTools for downloading rules"

so-influxdb/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.7
+FROM ghcr.io/security-onion-solutions/alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="InfluxDB running in Docker container for use with Security Onion"
 

so-logstash/Dockerfile

@@ -57,9 +57,11 @@ RUN chmod 0755 /usr/local/bin/docker-entrypoint && \
 
 USER logstash
 
-RUN cd /usr/share/logstash && LOGSTASH_PACK_URL=https://artifacts.elastic.co/downloads/logstash-plugins logstash-plugin install logstash-filter-translate && \
+RUN cd /usr/share/logstash && LOGSTASH_PACK_URL=https://artifacts.elastic.co/downloads/logstash-plugins && \
+  logstash-plugin install logstash-filter-translate && \
   logstash-plugin install logstash-filter-tld && \
   logstash-plugin install logstash-filter-elasticsearch && \
-  logstash-plugin install logstash-filter-rest
+  logstash-plugin install logstash-filter-rest && \
+  logstash-plugin install logstash-output-syslog
 
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]

so-minio/Dockerfile

@@ -1,4 +1,4 @@
-FROM minio/minio:latest
+FROM ghcr.io/security-onion-solutions/minio:latest
 LABEL maintainer "Security Onion Solutions, LLC"
 
 ARG GID=939

so-mysql/Dockerfile

@@ -12,7 +12,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
-FROM oraclelinux:7-slim
+FROM ghcr.io/security-onion-solutions/oraclelinux:7-slim
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="MySQL Server running in Docker container for use with Security Onion"

so-nginx/Dockerfile

@@ -14,9 +14,9 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Navigator build stage
-FROM node:14-alpine as navigator-builder
+FROM ghcr.io/security-onion-solutions/node:14-alpine as navigator-builder
 
-ARG NAVIGATOR_VERSION=2.3.2
+ARG NAVIGATOR_VERSION=3.1
 
 RUN apk add git && \
     git config --global advice.detachedHead false && \
@@ -31,7 +31,7 @@ RUN sed -i '/<base href="\/">/d' ./dist/index.html
 
 ###################################
 
-FROM nginx:1.17-alpine
+FROM ghcr.io/security-onion-solutions/nginx:1.17-alpine
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Security Onion Core Functions Docker"

so-nodered/Dockerfile

@@ -3,7 +3,7 @@ ARG NODE_VERSION=10
 ARG OS=alpine
 
 #### Stage BASE ########################################################################################################
-FROM ${ARCH}/node:${NODE_VERSION}-${OS} AS base
+FROM ghcr.io/security-onion-solutions/node:${NODE_VERSION}-${OS} AS base
 
 # Copy scripts
 COPY scripts/*.sh /tmp/

so-pcaptools/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:latest AS builder
+FROM ghcr.io/security-onion-solutions/alpine:latest AS builder
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Tools for use with PCAP files"
@@ -12,7 +12,7 @@ RUN wget http://f00l.de/pcapfix/pcapfix-${PCAPFIX_VERSION}.tar.gz && \
     make && \
     make install
 
-FROM alpine:latest
+FROM ghcr.io/security-onion-solutions/alpine:latest
 
 RUN apk add wireshark-common 
 

so-playbook/Dockerfile

@@ -1,4 +1,4 @@
-FROM redmine:4.1.1-passenger
+FROM ghcr.io/security-onion-solutions/redmine:4.1.1-passenger
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Playbook running in Docker container for use with Security Onion"

so-redis/Dockerfile

@@ -1,4 +1,4 @@
-FROM redis:6-alpine
+FROM ghcr.io/security-onion-solutions/redis:6-alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="REDIS running in Docker container for use with Security Onion"
 RUN addgroup -g 939 socore && adduser -D --uid 939 --ingroup socore socore

so-soctopus/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM python:3-slim
+FROM ghcr.io/security-onion-solutions/python:3-slim
 
 LABEL maintainer="Security Onion Solutions, LLC"
 LABEL description="API for automating SOC-related functions"
@@ -37,4 +37,4 @@ RUN pip install bcrypt
 
 COPY ./so-soctopus /SOCtopus
 
-ENTRYPOINT ["gunicorn", "-b", "0.0.0.0:7000", "wsgi:app"]
+ENTRYPOINT ["gunicorn", "-b", "0.0.0.0:7000", "wsgi:app", "--log-file", "/var/log/SOCtopus/soctopus.log"]

so-soctopus/so-soctopus/playbook.py

@@ -45,18 +45,47 @@ def navigator_update():
             if custom_field['id'] == 15 and (custom_field['value']):
                 technique_id = custom_field['value'][0]
                 technique_payload.append(
-                    {"techniqueID": technique_id, "color": "#5AADFF", "comment": "", "enabled": "true", "metadata": []})
-
-    payload = {"name": "Playbook", "version": "2.2", "domain": "mitre-enterprise",
-               "description": f"Current Coverage of Playbook - Updated {strftime('%Y-%m-%d %H:%M', gmtime())}",
-               "filters": {"stages": ["act"], "platforms": ["windows"]}, "sorting": 0, "viewMode": 0,
-               "hideDisabled": "false", "techniques": technique_payload,
-               "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
-               "metadata": [], "showTacticRowBackground": "false", "tacticRowBackground": "#dddddd",
-               "selectTechniquesAcrossTactics": "true"}
-    nav_layer = open('/etc/playbook/nav_layer_playbook.json', 'w')
-    print(json.dumps(payload), file=nav_layer)
-    nav_layer.close()
+                    {"techniqueID": technique_id, "color": "#5AADFF", "comment": "", "enabled": True, "metadata": []})
+
+    try:
+        with open('/etc/playbook/nav_layer_playbook.json') as nav_layer_r:
+            curr_json = json.load(nav_layer_r)
+        curr_json['version'] = "3.0"
+        curr_json['description'] = f'Current Coverage of Playbook - Updated {strftime("%Y-%m-%d %H:%M", gmtime())}'
+        curr_json['techniques'] = technique_payload
+
+    except FileNotFoundError as e:
+        curr_json = \
+            {
+                "name": "Playbook",
+                "version": "3.0",
+                "domain": "mitre-enterprise",
+                "description": f'Current Coverage of Playbook - Updated {strftime("%Y-%m-%d %H:%M", gmtime())}',
+                "filters": {
+                    "stages": ["act"],
+                    "platforms": [
+                        "windows",
+                        "linux",
+                        "mac"
+                    ]
+                },
+                "sorting": 0,
+                "viewMode": 0,
+                "hideDisabled": False,
+                "techniques": technique_payload,
+                "gradient": {
+                    "colors": ["#ff6666", "#ffe766", "#8ec843"],
+                    "minValue": 0,
+                    "maxValue": 100
+                },
+                "metadata": [],
+                "showTacticRowBackground": False,
+                "tacticRowBackground": "#dddddd",
+                "selectTechniquesAcrossTactics": False
+            }
+
+    with open('/etc/playbook/nav_layer_playbook.json', 'w+') as nav_layer_w:
+        json.dump(curr_json, nav_layer_w)
 
 
 def thehive_casetemplate_update(issue_id):

so-soctopus/so-soctopus/playbook/securityonion-baseline.yml

@@ -24,6 +24,11 @@ logsources:
     service: sysmon
     conditions:
       log_name: 'Microsoft-Windows-Sysmon/Operational'
+  windows-powershell:
+    product: windows
+    service: powershell
+    conditions:
+      log_name: 'Microsoft-Windows-Powershell/Operational'
   windows-dns-server:
     product: windows
     service: dns-server

so-soctopus/so-soctopus/playbook_bulk-update.py

@@ -136,7 +136,7 @@ def rule_update(rulesets):
 sigma_repo = f"sigma/README.md"
 if os.path.exists(sigma_repo):
     git_status = subprocess.run(
-        ["git", "--git-dir=sigma/.git", "pull"], stdout=subprocess.PIPE, encoding='ascii')
+        ["git", "pull"], stdout=subprocess.PIPE, encoding='ascii',cwd='/SOCtopus/sigma')
 else:
     git_status = subprocess.run(
         ["git", "clone", "https://github.com/Security-Onion-Solutions/sigma.git"], stdout=subprocess.PIPE, encoding='ascii')

so-soctopus/so-soctopus/playbook_play-sync.py

@@ -77,7 +77,7 @@
 
 while offset < inactive_response['total_count']:
     offset += 100
-    url = f"{playbook_url}/issues.json?offset={offset}&tracker_id=1&limit=100&status_id=3"
+    url = f"{playbook_url}/issues.json?offset={offset}&tracker_id=1&limit=100&status_id=4"
     inactive_response = requests.get(url, headers=playbook_headers, verify=False).json()
     print(f"Inactive offset: {offset}")
     for i in inactive_response['issues']:

so-steno/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM centos:7
+FROM ghcr.io/security-onion-solutions/centos:7
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Google Stenographer running in a docker for use with Security Onion."

so-strelka-backend/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:18.04
+FROM ghcr.io/security-onion-solutions/ubuntu:18.04
 LABEL maintainer "Security Onion Solutions, LLC"
 
 ARG YARA_VERSION=3.11.0

so-strelka-filestream/Dockerfile

@@ -1,9 +1,9 @@
-FROM golang AS build
+FROM ghcr.io/security-onion-solutions/golang AS build
 LABEL maintainer "Security Onion Solutions, LLC"
 
 RUN CGO_ENABLED=0 go get github.com/target/strelka/src/go/cmd/strelka-filestream
 
-FROM alpine
+FROM ghcr.io/security-onion-solutions/alpine
 COPY --from=build /go/bin/strelka-filestream /usr/local/bin/
 RUN addgroup -g 939 strelka && \
     adduser -u 939 -G strelka strelka --disabled-password \

so-strelka-frontend/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang AS build
+FROM ghcr.io/security-onion-solutions/golang AS build
 LABEL maintainer "Security Onion Solutions, LLC"
 
 RUN mkdir -p src/github.com/target/strelka && \
@@ -8,7 +8,7 @@ RUN mkdir -p src/github.com/target/strelka && \
     sed -i 's/go-redis\/redis/go-redis\/redis\/v8/' src/go/cmd/strelka-frontend/main.go && \
     CGO_ENABLED=0 go build -o /go/bin/strelka-frontend src/go/cmd/strelka-frontend/main.go
 
-FROM alpine
+FROM ghcr.io/security-onion-solutions/alpine
 COPY --from=build /go/bin/strelka-frontend /usr/local/bin/
 RUN addgroup -g 939 strelka && \
     adduser -u 939 -G strelka strelka --disabled-password \

so-strelka-manager/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang AS build
+FROM ghcr.io/security-onion-solutions/golang AS build
 LABEL maintainer "Security Onion Solutions, LLC"
 
 RUN mkdir -p src/github.com/target/strelka && \
@@ -8,7 +8,7 @@ RUN mkdir -p src/github.com/target/strelka && \
     sed -i 's/go-redis\/redis/go-redis\/redis\/v8/' src/go/cmd/strelka-manager/main.go && \
     CGO_ENABLED=0 go build -o /go/bin/strelka-manager src/go/cmd/strelka-manager/main.go
 
-FROM alpine
+FROM ghcr.io/security-onion-solutions/alpine
 COPY --from=build /go/bin/strelka-manager /usr/local/bin/
 RUN addgroup -g 939 strelka && \
     adduser -u 939 -G strelka strelka --disabled-password \

so-suricata/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM centos:7
+FROM ghcr.io/security-onion-solutions/centos:7
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Suricata 5.0.4 running in a docker for use with Security Onion."

so-tcpreplay/Dockerfile

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM centos:7
+FROM ghcr.io/security-onion-solutions/centos:7
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Replay PCAPs to sniffing interface(s)"

so-telegraf/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.6
+FROM ghcr.io/security-onion-solutions/alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Telegraf running in Docker container for use with Security Onion"