Merge pull request #41 from Security-Onion-Solutions/dev

2.3.0
Security-Onion-Solutions · Oct 16, 2020 · a0e8371 · a0e8371
2 parents 49ce39f + 62a51d6
commit a0e8371
Show file tree

Hide file tree

Showing 12 changed files with 102 additions and 25 deletions.
diff --git a/so-elasticsearch/plugins-src/ingest-community-id/plugin-descriptor.properties b/so-elasticsearch/plugins-src/ingest-community-id/plugin-descriptor.properties
@@ -3,6 +3,6 @@ version=1.0.1
 name=ingest-community-id
 classname=com.securityonionsolutions.elastic.ingestcommunityid.IngestCommunityIdPlugin
 java.version=1.8
-elasticsearch.version=7.9.0
+elasticsearch.version=7.9.2
 extended.plugins=
 has.native.controller=false
diff --git a/so-elasticsearch/plugins-src/sotls/plugin-descriptor.properties b/so-elasticsearch/plugins-src/sotls/plugin-descriptor.properties
@@ -3,4 +3,4 @@ description=Enables TLS support for ES connections in Security Onion.
 version=1.0.0
 classname=com.securityonionsolutions.elastic.sotls.SoTlsPlugin
 java.version=1.8
-elasticsearch.version=7.9.0
+elasticsearch.version=7.9.2
diff --git a/so-influxdb/Dockerfile b/so-influxdb/Dockerfile
@@ -32,6 +32,8 @@ EXPOSE 8086
 
 VOLUME /var/lib/influxdb
 
+RUN mkdir -p /log
+
 COPY entrypoint.sh /entrypoint.sh
 COPY init-influxdb.sh /init-influxdb.sh
 RUN chmod +x /entrypoint.sh && chmod +x /init-influxdb.sh

diff --git a/so-influxdb/entrypoint.sh b/so-influxdb/entrypoint.sh
@@ -9,4 +9,4 @@ if [ "$1" = 'influxd' ]; then
 	/init-influxdb.sh "${@:2}"
 fi
 
-exec "$@"
+exec "$@" &>/log/influxdb.log
diff --git a/so-playbook/Dockerfile b/so-playbook/Dockerfile
@@ -1,18 +1,29 @@
-FROM redmine:4-passenger
+FROM redmine:4.1.1-passenger
 
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Playbook running in Docker container for use with Security Onion"
 
-WORKDIR /usr/src/redmine
+ARG GID=939
+ARG UID=939
+ARG USERNAME=socore
 
-ADD playbook/circle_theme.tar.bz2   /usr/src/redmine/public/themes
+RUN groupadd --gid ${GID} ${USERNAME} && \
+    useradd --uid ${UID} --gid ${GID} \
+    --home-dir /opt/so --no-create-home ${USERNAME}
+RUN usermod -aG socore redmine
 
+WORKDIR /usr/src/redmine
+ADD playbook/circle_theme.tar.bz2   /usr/src/redmine/public/themes
 RUN git clone https://github.com/suer/redmine_webhook.git /usr/src/redmine/plugins/redmine_webhook
-
 RUN git clone https://github.com/Security-Onion-Solutions/securityonion-playbook-plugin.git /usr/src/redmine/plugins/redmine_playbook
-
 RUN bundle install --gemfile /usr/src/redmine/Gemfile
-
 COPY playbook/passenger-nginx-config-template.erb /passenger-nginx-config-template.erb
 
-CMD ["passenger", "start", "--nginx-config-template", "/passenger-nginx-config-template.erb"]
+RUN mkdir -p /playbook/log && \
+    chown -R socore:socore /playbook && \
+    chmod -R 0770 /playbook
+
+# Add redirect to /dev/null of the CMD output to prevent logging to docker logs
+RUN sed -i '$s/$/ \&>\/dev\/null/' /docker-entrypoint.sh
+
+CMD ["passenger", "start", "--nginx-config-template", "/passenger-nginx-config-template.erb", "--log-file", "/playbook/log/playbook.log"]
diff --git a/so-soctopus/so-soctopus/SOCtopus.py b/so-soctopus/so-soctopus/SOCtopus.py
@@ -2,9 +2,9 @@
 # -*- coding: utf-8 -*-
 from flask import Flask, render_template, request, redirect
 from flask_bootstrap import Bootstrap
-from destinations import createHiveAlert, createMISPEvent, createSlackAlert, createFIREvent, createGRRFlow, \
+from destinations import createHiveAlert, createHiveCase, createMISPEvent, createSlackAlert, createFIREvent, createGRRFlow, \
     createRTIRIncident, showESResult, playbookWebhook, eventModifyFields, eventUpdateFields, \
-    sendHiveAlert, processHiveReq, playbookSigmac, playbookCreatePlay
+    sendHiveAlert, sendHiveCase, processHiveReq, playbookSigmac, playbookCreatePlay
 import ruamel.yaml
 import sys
 import random
@@ -30,12 +30,15 @@ def sendGRR(esid, flow_name):
 
 
 @app.route("/thehive/alert/<esid>")
-def createHive(esid):
+def createAlertHive(esid):
     return createHiveAlert(esid)
 
+@app.route("/thehive/case/<esid>")
+def createCaseHive(esid):
+    return createHiveCase(esid)
 
 @app.route("/thehive/alert/send", methods=['POST'])
-def sendHive():
+def sendAlertHive():
     if request.method == 'POST':
         if request.form['submit_button'] == 'Submit':
             result = request.form.to_dict()
@@ -49,6 +52,21 @@ def sendHive():
         else:
             return render_template("cancel.html")
 
+@app.route("/thehive/case/send", methods=['POST'])
+def sendCaseHive():
+    if request.method == 'POST':
+        if request.form['submit_button'] == 'Submit':
+            result = request.form.to_dict()
+            title = result['title']
+            #tlp = result['tlp']
+            description = result['description'].strip('\"')
+            #tags = result['tags']
+            #artifact_string = result['artifact_string']
+            #sourceRef = result['sourceRef']
+            severity = result['severity']
+            return sendHiveCase(title, description, severity)
+        else:
+            return render_template("cancel.html")
 
 @app.route("/misp/event/<esid>")
 def sendMISP(esid):

diff --git a/so-soctopus/so-soctopus/destinations.py b/so-soctopus/so-soctopus/destinations.py
@@ -33,6 +33,31 @@ def hiveInit():
     return TheHiveApi(hive_url, hive_key, cert=hive_verifycert)
 
 
+def createHiveCase(esid):
+    search = get_hits(esid)
+    tlp = int(parser.get('hive', 'hive_tlp'))
+    severity = 2
+    for item in search['hits']['hits']:
+        result = item['_source']
+        es_id = item['_id']
+        try:
+          message = result['message']
+          description = str(message)
+        except:
+          description = str(result)
+        sourceRef = str(uuid.uuid4())[0:6]
+        tags = ["SecurityOnion"]
+        artifacts = []
+        event = result['event']
+        src = srcport = dst = dstport = None
+        if event['dataset'] == 'alert':
+            title = result['rule']['name']
+        else:
+            title = f'New {event["module"].capitalize()} {event["dataset"].capitalize()} Event'
+        form = DefaultForm()
+        #artifact_string = jsonpickle.encode(artifacts)
+        return render_template('hive.html', title=title, description=description, severity=severity, form=form) 
+
 def createHiveAlert(esid):
     search = get_hits(esid)
     # Hive Stuff
@@ -243,6 +268,30 @@ def sendHiveAlert(title, tlp, tags, description, sourceRef, artifact_string):
     return redirect(hive_url + '/index.html#!/alert/list')
 
 
+
+def sendHiveCase(title, description, severity):
+    soc_url = parser.get('soc', 'soc_url')
+    description = str(description.strip('"'))
+
+    headers = {
+      'Content-Type': 'application/json',
+    }
+
+    data = {"title": title, "description": description, "severity": int(severity)}
+
+    response = requests.post(soc_url + '/api/case', headers=headers, json=data, verify=False)
+    if response.status_code == 200:
+        print(json.dumps(response.json(), indent=4, sort_keys=True))
+        print('')
+
+    else:
+        print('ko: {}/{}'.format(response.status_code, response.text))
+        sys.exit(0)
+
+    # Redirect to TheHive instance
+    return redirect(hive_url + '/index.html')
+
+
 def createMISPEvent(esid):
     search = get_hits(esid)
     # MISP Stuff

diff --git a/so-soctopus/so-soctopus/playbook.py b/so-soctopus/so-soctopus/playbook.py
@@ -184,6 +184,7 @@ def elastalert_update(issue_id):
             content = re.sub(r'rule\.category:.*', f"rule.category: \"{rule_category}\"", content.rstrip())
             content = re.sub(r'\/6000', f"/{issue_id}", content.rstrip())
             content = re.sub(r'play_title:.\"\"', f"play_title: \"{sigma_meta['title']}\"", content.rstrip())
+            content = re.sub(r'play_id:.\"\"', f"play_id: \"{play_meta['playid']}\"", content.rstrip())            
             content = re.sub(r'event\.severity:.*', f"event.severity: {event_severity}", content.rstrip())
             content = re.sub(r'sigma_level:.\"\"', f"sigma_level: \"{sigma_meta['level']}\"\n", content.rstrip())
             content = f"{content}\n{sigma_meta['raw_elastalert']}"

diff --git a/so-soctopus/so-soctopus/templates/hive.html b/so-soctopus/so-soctopus/templates/hive.html
@@ -2,19 +2,15 @@
 {% block content %}
 <html lang="en">
 <body>
-    <form method="POST" action="/soctopus/thehive/alert/send">
+    <form method="POST" action="/soctopus/thehive/case/send">
         {{ form.csrf_token }}
         <div class="form-group alert alert-success" role="alert">
             <label for="title">Title</label>
             <input type="text" class="form-control" id="title" name="title" value="{{title}}">
-            <label for="tlp">TLP</label>
-            <input type="text" class="form-control" id="tlp" name="tlp" value="{{tlp}}">
-            <label for="tags">Tags</label>
-            <input type="text" class="form-control" id="tags" name="tags" value="{{tags}}">
+            <label for="severity">Severity</label>
+            <input type="text" class="form-control" id="severity" name="severity" value="{{severity}}">
             <label for="description">Description</label>
             <textarea class="form-control" id="description" name="description" rows="5" >{{description}}"</textarea>
-            <input type="hidden" id="sourceRef" name="sourceRef" value="{{sourceRef}}">
-            <input type="hidden" id="artifact_string" name="artifact_string" value="{{artifact_string}}">
         </div>
         <button class="btn btn-danger" name="submit_button" value="Close" onclick="self.close()">Cancel</button>
         <input type="submit" name="submit_button" class="btn btn-primary" value="Submit">

diff --git a/so-steno/Dockerfile b/so-steno/Dockerfile
@@ -31,7 +31,7 @@ RUN /usr/bin/pip3.6 install
 RUN yum -y erase epel-release && yum clean all && rm -rf /var/cache/yum
 
 # Install the steno package
-RUN rpm -i https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/stenographer_20180316/stenographer-0-1.20180316git57b88aa.el7.centos.x86_64.rpm
+RUN rpm -i https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/Stenoupgrade/stenographer-0-1.20200922gite8db1ee.el7.x86_64.rpm
 
 # setcap
 RUN setcap 'CAP_NET_RAW+ep CAP_NET_ADMIN+ep CAP_IPC_LOCK+ep CAP_SETGID+ep' /usr/bin/stenotype

diff --git a/so-suricata/Dockerfile b/so-suricata/Dockerfile
@@ -16,7 +16,7 @@
 FROM centos:7
 
 LABEL maintainer "Security Onion Solutions, LLC"
-LABEL description="Suricata 5.0.3 running in a docker for use with Security Onion."
+LABEL description="Suricata 5.0.4 running in a docker for use with Security Onion."
 
 # Common CentOS layer
 RUN yum update -y && \
@@ -27,7 +27,7 @@ RUN yum -y install GeoIP luajit libnet jansson libyaml cargo rustc && \
     yum -y erase epel-release && yum clean all && rm -rf /var/cache/yum
 
 # Install the Suricata package
-RUN rpm -i https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-suricata-5.0.3-0/securityonion-suricata-5.0.3.0.rpm
+RUN rpm -i https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-suricata-5.0.4-0/securityonion-suricata-5.0.4.0.rpm
 # Create Suricata User.
 RUN groupadd --gid 940 suricata && \
     adduser --uid 940 --gid 940 \

diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile
@@ -27,7 +27,7 @@ RUN yum -y install jemalloc numactl libnl3 libdnet gdb GeoIP python-ipaddress py
     yum -y erase epel-release && yum clean all && rm -rf /var/cache/yum
 
 # Install the Zeek package
-RUN rpm -i https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-zeek-3.0.10.0/securityonion-zeek-3.0.10.0.rpm
+RUN rpm -i https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-zeek-3.0.11.0/securityonion-zeek-3.0.11.0.rpm
 
 VOLUME ["/nsm/zeek/logs", "/nsm/zeek/spool", "/opt/zeek/share/bro", "/opt/zeek/etc/"]