Merge pull request #324 from Security-Onion-Solutions/2.4/dev

2.4/dev

.github/workflows/contrib.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: "Contributor Check"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: cla-assistant/github-action@v2.2.0
+        uses: cla-assistant/github-action@v2.3.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}

.gitignore

@@ -14,4 +14,4 @@ __pycache__
 .coverage
 *.pyc
 
-__debug_bin
+__debug_bin*

Dockerfile

@@ -4,7 +4,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-FROM ghcr.io/security-onion-solutions/golang:1.20.1-alpine as builder
+FROM ghcr.io/security-onion-solutions/golang:1.21.5-alpine as builder
 ARG VERSION=0.0.0
 RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv
 COPY . /build
@@ -15,8 +15,6 @@ RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
 	git clean -d -f -f && \
 	sed -i "s|'display_github': True|'display_github': False|g" conf.py && \
 	python3 -mvirtualenv /tmp/virtualenv && \
-	/tmp/virtualenv/bin/python -m pip install --upgrade --no-cache-dir pip "setuptools<58.3.0" && \
-	/tmp/virtualenv/bin/python -m pip install --upgrade --no-cache-dir pillow "mock==1.0.1" "alabaster>=0.7,<0.8,!=0.7.5" "commonmark==0.9.1" "recommonmark==0.5.0" "sphinx<2" "sphinx-rtd-theme<0.5" "readthedocs-sphinx-ext<2.2" "jinja2<3.1.0" && \
 	/tmp/virtualenv/bin/python -m pip install --exists-action=w --no-cache-dir -r requirements.txt && \
 	for i in /tmp/virtualenv/lib/python*/site-packages/sphinx_rtd_theme/versions.html; do echo > $i; done && \
 	/tmp/virtualenv/bin/python -m sphinx -T -E -b html -d _build/doctrees -D language=en . _build/html; \
@@ -59,6 +57,5 @@ ENV WAZUH_VERSION=$WAZUH_VERSION
 
 USER socore
 EXPOSE 9822/tcp
-VOLUME /opt/sensoroni/jobs
-VOLUME /opt/sensoroni/logs
+
 ENTRYPOINT ["/opt/sensoroni/sensoroni"]

Dockerfile.kratos

@@ -7,7 +7,7 @@
 FROM ghcr.io/security-onion-solutions/golang:alpine AS builder
 
 ARG OWNER=ory
-ARG VERSION=v0.13.0
+ARG VERSION=v1.0.0
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
@@ -56,6 +56,4 @@ USER kratos
 EXPOSE 4433
 EXPOSE 4434
 
-VOLUME ["/kratos-conf", "/kratos-data", "/kratos-log"]
-
 ENTRYPOINT ["/start-kratos.sh"]

agent/jobmanager.go

@@ -9,8 +9,10 @@ package agent
 import (
 	"errors"
 	"io"
+	"os"
 	"strconv"
 	"sync"
+	"syscall"
 	"time"
 
 	"github.com/apex/log"
@@ -44,6 +46,7 @@ func NewJobManager(agent *Agent) *JobManager {
 
 func (mgr *JobManager) Start() {
 	mgr.running = true
+	mgr.updateOnlineTime("/nsm/pcapout")
 	for mgr.running {
 		mgr.updateDataEpoch()
 		job, err := mgr.PollPendingJobs()
@@ -116,6 +119,16 @@ func (mgr *JobManager) CleanupJob(job *model.Job) {
 	}
 }
 
+func (mgr *JobManager) updateOnlineTime(src string) {
+	fi, err := os.Stat(src)
+	if err != nil {
+		return
+	}
+	stat := fi.Sys().(*syscall.Stat_t)
+	mgr.node.OnlineTime = time.Unix(int64(stat.Ctim.Sec), int64(stat.Ctim.Nsec))
+	log.WithField("onlineTime", mgr.node.OnlineTime).Info("Updated online time (node installation time)")
+}
+
 func (mgr *JobManager) updateDataEpoch() {
 	epochHasBeenSet := false
 	for _, processor := range mgr.jobProcessors {

agent/jobmanager_test.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 	"testing"
@@ -99,6 +100,22 @@ func TestUpdateDataEpoch(t *testing.T) {
 	assert.Equal(t, jm.node.EpochTime, panicProc.GetDataEpoch())
 }
 
+func TestOnlineTime(t *testing.T) {
+	// prep test object
+	jm := &JobManager{
+		node: &model.Node{},
+	}
+
+	tmpFile, _ := os.CreateTemp("", "jobmanager_online_time.tmp")
+
+	// test
+	jm.updateOnlineTime(tmpFile.Name())
+	defer os.Remove(tmpFile.Name())
+
+	// verify
+	assert.GreaterOrEqual(t, jm.node.OnlineTime, time.Now().Add(time.Second*(-2)))
+}
+
 type ClientAuthMock struct{}
 
 func (cam *ClientAuthMock) Authorize(*http.Request) error {

cmd/sensoroni.go

@@ -61,11 +61,10 @@ func main() {
 			"buildTime": cfg.BuildTime,
 		}).Info("Version Information")
 
-		licensing.Init(cfg.LicenseKey)
-
 		moduleMgr := module.NewModuleManager()
 		var srv *server.Server
 		if cfg.Server != nil {
+			licensing.Init(cfg.LicenseKey)
 			srv = server.NewServer(cfg.Server, cfg.Version)
 			err = moduleMgr.LaunchModules(serverModules.BuildModuleMap(srv), cfg.Server.Modules, cfg.Server.ModuleFailuresIgnored)
 			if err == nil {

config/clientparameters.go

@@ -16,23 +16,24 @@ const DEFAULT_CHART_LABEL_OTHER_LIMIT = 10
 const DEFAULT_CHART_LABEL_FIELD_SEPARATOR = ", "
 
 type ClientParameters struct {
-	HuntingParams      HuntingParameters `json:"hunt"`
-	AlertingParams     HuntingParameters `json:"alerts"`
-	CasesParams        HuntingParameters `json:"cases"`
-	CaseParams         CaseParameters    `json:"case"`
-	DashboardsParams   HuntingParameters `json:"dashboards"`
-	JobParams          HuntingParameters `json:"job"`
-	DocsUrl            string            `json:"docsUrl"`
-	CheatsheetUrl      string            `json:"cheatsheetUrl"`
-	ReleaseNotesUrl    string            `json:"releaseNotesUrl"`
-	GridParams         GridParameters    `json:"grid"`
-	WebSocketTimeoutMs int               `json:"webSocketTimeoutMs"`
-	TipTimeoutMs       int               `json:"tipTimeoutMs"`
-	ApiTimeoutMs       int               `json:"apiTimeoutMs"`
-	CacheExpirationMs  int               `json:"cacheExpirationMs"`
-	InactiveTools      []string          `json:"inactiveTools"`
-	Tools              []ClientTool      `json:"tools"`
-	CasesEnabled       bool              `json:"casesEnabled"`
+	HuntingParams       HuntingParameters `json:"hunt"`
+	AlertingParams      HuntingParameters `json:"alerts"`
+	CasesParams         HuntingParameters `json:"cases"`
+	CaseParams          CaseParameters    `json:"case"`
+	DashboardsParams    HuntingParameters `json:"dashboards"`
+	JobParams           HuntingParameters `json:"job"`
+	DocsUrl             string            `json:"docsUrl"`
+	CheatsheetUrl       string            `json:"cheatsheetUrl"`
+	ReleaseNotesUrl     string            `json:"releaseNotesUrl"`
+	GridParams          GridParameters    `json:"grid"`
+	WebSocketTimeoutMs  int               `json:"webSocketTimeoutMs"`
+	TipTimeoutMs        int               `json:"tipTimeoutMs"`
+	ApiTimeoutMs        int               `json:"apiTimeoutMs"`
+	CacheExpirationMs   int               `json:"cacheExpirationMs"`
+	InactiveTools       []string          `json:"inactiveTools"`
+	Tools               []ClientTool      `json:"tools"`
+	CasesEnabled        bool              `json:"casesEnabled"`
+	EnableReverseLookup bool              `json:"enableReverseLookup"`
 }
 
 func (config *ClientParameters) Verify() error {
@@ -81,6 +82,7 @@ type HuntingAction struct {
 	Body                  string                 `json:"body"`
 	Options               map[string]interface{} `json:"options"`
 	Categories            []string               `json:"categories"`
+	JSCall                string                 `json:"jsCall"`
 }
 
 type ToggleFilter struct {
@@ -181,5 +183,6 @@ func (params *CaseParameters) Verify() error {
 }
 
 type GridParameters struct {
-	MaxUploadSize uint64 `json:"maxUploadSize,omitempty"`
+	MaxUploadSize  uint64 `json:"maxUploadSize,omitempty"`
+	StaleMetricsMs uint64 `json:"staleMetricsMs,omitempty"`
 }

config/serverconfig.go

@@ -27,6 +27,7 @@ type ServerConfig struct {
 	BindAddress             string                 `json:"bindAddress"`
 	BaseUrl                 string                 `json:"baseUrl"`
 	DeveloperEnabled        bool                   `json:"developerEnabled"`
+	Dns                     string                 `json:"dns"`
 	HtmlDir                 string                 `json:"htmlDir"`
 	ImportUploadDir         string                 `json:"importUploadDir"`
 	MaxPacketCount          int                    `json:"maxPacketCount"`

go.mod

@@ -4,35 +4,35 @@ go 1.20
 
 require (
 	github.com/apex/log v1.9.0
-	github.com/elastic/go-elasticsearch/v8 v8.7.0
-	github.com/go-chi/chi v1.5.4
+	github.com/elastic/go-elasticsearch/v8 v8.11.1
+	github.com/go-chi/chi/v5 v5.0.10
 	github.com/google/gopacket v1.1.19
-	github.com/google/uuid v1.3.0
-	github.com/gorilla/websocket v1.5.0
-	github.com/influxdata/influxdb-client-go/v2 v2.12.3
+	github.com/google/uuid v1.5.0
+	github.com/gorilla/websocket v1.5.1
+	github.com/influxdata/influxdb-client-go/v2 v2.13.0
 	github.com/kennygrant/sanitize v1.2.4
-	github.com/stretchr/testify v1.8.1
-	github.com/tidwall/gjson v1.14.4
-	golang.org/x/crypto v0.8.0
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	github.com/stretchr/testify v1.8.4
+	github.com/tidwall/gjson v1.17.0
+	golang.org/x/crypto v0.17.0
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	github.com/samber/lo v1.38.1
+	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
 )
 
 require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/deepmap/oapi-codegen v1.12.4 // indirect
-	github.com/elastic/elastic-transport-go/v8 v8.2.0 // indirect
-	github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
+	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
+	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
+	github.com/oapi-codegen/runtime v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
-	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
+	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
 )