Merge pull request #485 from Security-Onion-Solutions/2.4/dev

2.4.30

so-elastic-fleet-package-registry/Dockerfile

@@ -16,6 +16,10 @@ ARG VERSION
 
 FROM docker.elastic.co/package-registry/distribution:$VERSION as original_image
 
+# Remove unsupported packages
+COPY scripts /scripts
+RUN chmod +x /scripts/supported-integrations.sh && bash /scripts/supported-integrations.sh && rm -rf /scripts
+
 # Cleanup unneeded packages, keeping the two most recent versons of each one
 # Except for endpoint packages, keep all versions
 RUN cd /packages/package-storage/ \

so-elastic-fleet-package-registry/scripts/supported-integrations.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# This script removes unsupported packages from our self-hosted Elastic Package Repo container image.
+# It is meant to be used during the image build process.
+
+cd /packages/package-storage/
+for file in *
+do
+    PATTERN=$(echo $file | cut -d "-" -f 1)-
+    [[ ! $(grep -x "$PATTERN" /scripts/supported-integrations.txt) ]] && rm "$file" && echo "Deleted: $file..."
+done
+
+exit 0

so-elastic-fleet-package-registry/scripts/supported-integrations.txt

@@ -0,0 +1,64 @@
+apache-
+auditd-
+auth0-
+aws-
+azure-
+barracuda-
+carbonblack_edr-
+checkpoint-
+cisco_asa-
+cisco_duo-
+cisco_meraki-
+cisco_umbrella-
+cloudflare-
+crowdstrike-
+darktrace-
+elasticsearch-
+endpoint-
+f5_bigip-
+fim-
+fireeye-
+fleet_server-
+fortinet-
+fortinet_fortigate-
+gcp-
+github-
+google_workspace-
+http_endpoint-
+httpjson-
+juniper-
+juniper_srx-
+kafka_log-
+lastpass-
+log-
+m365_defender-
+microsoft_defender_endpoint-
+microsoft_dhcp-
+mimecast-
+netflow-
+o365-
+okta-
+osquery_manager-
+panw-
+pfsense-
+pulse_connect_secure-
+redis-
+sentinel_one-
+snyk-
+sonicwall_firewall-
+sophos-
+sophos_central-
+symantec_endpoint-
+system-
+tcp-
+tenable_sc-
+ti_abusech-
+ti_misp-
+ti_otx-
+ti_recordedfuture-
+udp-
+vsphere-
+windows-
+zscaler_zia-
+zscaler_zpa-
+1password-

so-influxdb/Dockerfile

@@ -1,12 +1,12 @@
-ARG INFLUX_VERSION=2.6.1
+ARG INFLUX_VERSION=2.7.1
 
-FROM ghcr.io/security-onion-solutions/ubuntu:22.04 as builder
+FROM ghcr.io/security-onion-solutions/ubuntu:23.04 as builder
 
 ARG INFLUX_VERSION
-ARG NODE_VERSION=v18.14.0
+ARG NODE_VERSION=v20.8.1
 ARG NODE_ARCH=linux-x64
 
-RUN apt update -y && apt install -y git wget xz-utils 
+RUN apt update -y && apt install -y git wget xz-utils
 RUN git clone https://github.com/influxdata/ui -b OSS-v$INFLUX_VERSION
 RUN wget https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$NODE_ARCH.tar.xz -O /node.xz
 RUN tar -xJf /node.xz
@@ -34,7 +34,7 @@ RUN chmod a+x /redirect_to_file.sh && groupmod -g 939 influxdb
 
 COPY --from=builder /ui/build /ui
 
-RUN apt update -y && apt install netcat -y && apt clean -y
+RUN apt update -y && apt install netcat-traditional -y && apt clean -y
 
 ENTRYPOINT ["/redirect_to_file.sh"]
 CMD ["/entrypoint.sh", "influxd"]

so-kibana/Dockerfile

@@ -34,6 +34,9 @@ RUN  ln -s /usr/share/kibana /opt/kibana
 
 ENV PATH=/usr/share/kibana/bin:$PATH
 
+# Disable hardcoded Integrations from showing up
+RUN sed -i 's/"server": true,/"server": false,/g' /usr/share/kibana/node_modules/@kbn/custom-integrations-plugin/kibana.jsonc
+
 # Copy over the dashboards
 RUN mkdir /usr/share/kibana/dashboards
 

so-soctopus/so-soctopus/playbook/securityonion-baseline.yml

@@ -232,8 +232,8 @@ fieldmappings:
     username: user.name
     uid: user.uid
     sid: rule.uuid
-    query: query
     answer: answers
+    query: dns.query.name
     src_ip: destination.ip.keyword
     src_port: source.port
     dst_ip: destination.ip.keyword

so-suricata/Dockerfile

@@ -27,7 +27,7 @@ RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \
                lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \
                python3-devel python3-sphinx python3-yaml sudo which cargo \
                zlib-devel luajit-devel cargo && cargo install --force cbindgen
-ENV SURIVERSION=6.0.14
+ENV SURIVERSION=7.0.2
 RUN mkdir /suricata
 
 WORKDIR /suricata
@@ -55,6 +55,6 @@ RUN yum -y install epel-release bash libpcap iproute && \
 ADD files/so-suricata.sh /usr/local/sbin/so-suricata.sh
 
 RUN chmod +x /usr/local/sbin/so-suricata.sh
-RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
 
 ENTRYPOINT ["/usr/local/sbin/so-suricata.sh"]

so-telegraf/Dockerfile

@@ -1,10 +1,10 @@
-FROM ghcr.io/security-onion-solutions/telegraf:1.25.1-alpine
+FROM ghcr.io/security-onion-solutions/telegraf:1.28.2-alpine
 LABEL maintainer "Security Onion Solutions, LLC"
 LABEL description="Telegraf running in Docker container for use with Security Onion"
 
 USER root
 
-RUN apk add --no-cache redis curl jq
+RUN apk add --no-cache redis curl jq bash
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]

so-zeek/Dockerfile

@@ -13,11 +13,11 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM ghcr.io/security-onion-solutions/oraclelinux:9 as builder 
+FROM ghcr.io/security-onion-solutions/oraclelinux:9 as builder
 
 RUN dnf -y install dnf-plugins-core && \
     dnf config-manager --enable ol9_codeready_builder && \
-    dnf update -y && \ 
+    dnf update -y && \
     dnf -y install epel-release bash libpcap iproute wget cmake swig && \
     dnf -y install jemalloc numactl libnl3 libdnet gdb git && \
     dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel kernel-devel kernel-headers && \
@@ -32,16 +32,14 @@ RUN wget https://www.openssl.org/source/old/3.0/openssl-3.0.1.tar.gz && tar zxvf
 
 WORKDIR /opensslbuild/openssl-3.0.1
 RUN dnf -y install perl && \
-    echo 'yes' | cpan && \
-    cpan Test::More && \
     ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl enable-fips && \
     time make -j4 && \
     time make install && \
     /usr/local/ssl/bin/openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/ssl/lib64/ossl-modules/fips.so
 
 WORKDIR /
 
-ENV ZEEKVER=5.0.10
+ENV ZEEKVER=6.0.2
 ARG BUILD_TYPE=Release
 
 RUN mkdir /zeekbuild
@@ -51,12 +49,9 @@ WORKDIR /zeekbuild
 RUN wget https://download.zeek.org/zeek-$ZEEKVER.tar.gz && tar zxvf zeek-$ZEEKVER.tar.gz
 RUN cd zeek-$ZEEKVER && \
     ./configure --prefix=/opt/zeek --spooldir=/nsm/zeek/spool --logdir=/nsm/zeek/logs --enable-jemalloc --build-type=$BUILD_TYPE --with-openssl=/usr/local/ssl && \
-    time make -j4 && time make install && \
-    fips-mode-setup --enable
+    time make -j4 && time make install
 RUN /opt/zeek/bin/zkg install --force ja3 && \
     /opt/zeek/bin/zkg install --force hassh && \
-    /opt/zeek/bin/zkg install --force https://github.com/TOoSmOotH/zeek-af_packet-plugin --version=master && \
-    /opt/zeek/bin/zkg install --force zeek-community-id && \
     /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/bzar --version=master && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-bacnet && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-bsap && \
@@ -68,11 +63,9 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-modbus && \
     git clone https://github.com/cisagov/icsnpp-s7comm && \
     /opt/zeek/bin/zkg install --force --skiptests icsnpp-s7comm && \
-    git clone https://github.com/amzn/zeek-plugin-profinet && \
-    /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-profinet && \
-    git clone https://github.com/amzn/zeek-plugin-tds && \
-    /opt/zeek/bin/zkg install --force --skiptests zeek-plugin-tds && \
-    /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \ 
+    /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-profinet --version=master && \
+    /opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-tds --version=master && \
+    /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
     /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
     /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
     /bin/python3 /opt/zeek/share/zeek/site/oui-logging/oui.py /opt/zeek/share/zeek/site/oui-logging/oui.dat && \
@@ -84,11 +77,11 @@ RUN groupadd --gid 937 zeek  && \
     chown -R 937:937 /opt/zeek && \
     chown -R 937:937 /nsm/zeek && \
     chown -R 937:937 /usr/local/ssl
-    
+
 FROM ghcr.io/security-onion-solutions/oraclelinux:9
 
 LABEL maintainer "Security Onion Solutions, LLC"
-LABEL description="Zeek running in a docker with AF_Packet 3.2.0 for use with Security Onion"
+LABEL description="Zeek running in docker for use with Security Onion"
 
 # Common CentOS layer
 RUN dnf update -y && \
@@ -106,8 +99,8 @@ COPY --from=builder /usr/local/ssl/ /usr/local/ssl
 # Copy over the entry script.
 COPY files/zeek.sh /usr/local/sbin/zeek.sh
 RUN chmod +x /usr/local/sbin/zeek.sh
-RUN rpm -Uvh --nofiledigest --nodigest https://github.com/axellioinc/fx-libpcap/releases/download/fxlibpcap-1.9.1/fx-libpcap-1.9.1-1.el7.x86_64.rpm
+RUN rpm -Uvh https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el7_9.x86_64.rpm
 
-HEALTHCHECK --interval=10m --timeout=2m CMD /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
+HEALTHCHECK --interval=10m --timeout=2m CMD runuser -u zeek -- /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))
 
 ENTRYPOINT ["/usr/local/sbin/zeek.sh"]