├── .github
└── workflows
│ ├── contrib.yml
│ └── leaktest.yml
├── .gitignore
├── README.md
├── baseimages.txt
├── so-elastalert
├── Dockerfile
├── README.md
└── files
│ ├── create_index.py
│ └── es_mappings
│ ├── 7
│ ├── elastalert.json
│ └── past_elastalert.json
│ └── 8
│ ├── elastalert.json
│ └── past_elastalert.json
├── so-elastic-agent-builder
├── .dockerignore
├── Dockerfile
├── msi
│ ├── so-elastic-agent.wxs
│ └── wixca.dll
└── source
│ ├── constants_darwin_amd64.go
│ ├── constants_darwin_arm64.go
│ ├── constants_linux.go
│ ├── constants_windows.go
│ ├── go.mod
│ ├── go.sum
│ ├── so-elastic-agent.go
│ ├── test_resources
│ ├── sample
│ │ └── test.txt
│ └── test.tar.gz
│ └── utils
│ ├── utils.go
│ └── utils_test.go
├── so-elastic-agent
└── Dockerfile
├── so-elastic-fleet-package-registry
├── Dockerfile
├── scripts
│ ├── maintained-integrations.txt
│ ├── maintained-versions.sh
│ ├── unsupported-integrations.sh
│ └── unsupported-integrations.txt
└── versions
│ ├── 8.10.4.txt
│ ├── 8.14.3.txt
│ ├── 8.17.3.txt
│ ├── 8.18.4.txt
│ ├── 8.18.6.txt
│ └── 8.18.8.txt
├── so-elasticsearch
├── Dockerfile
├── bin
│ ├── build-plugins
│ └── es-docker
├── elasticsearch.yml
└── log4j2.properties
├── so-idh
├── Dockerfile
└── supervise-opencanary.conf
├── so-idstools
├── Dockerfile
├── README.md
└── entrypoint.sh
├── so-influxdb
├── Dockerfile
└── entrypoint.sh
├── so-kafka
├── Dockerfile
└── files
│ └── jolokia.xml
├── so-kibana
├── Dockerfile
└── bin
│ ├── kibana-docker
│ └── so-kibana.sh
├── so-logstash
├── Dockerfile
├── bin
│ └── docker-entrypoint
├── config
│ ├── log4j2.properties
│ └── logstash.yml
├── env2yaml
│ └── env2yaml.go
├── files
│ ├── dictionaries
│ │ ├── iana_protocols.yaml
│ │ ├── iana_services.yaml
│ │ ├── services.yaml
│ │ └── tcp_flags.yaml
│ ├── domainstats
│ │ ├── 8007_postprocess_dns_top1m_tagging.conf
│ │ └── 8008_postprocess_dns_whois_age.conf
│ └── freq
│ │ ├── 8502_postprocess_freq_analysis_bro_dns.conf
│ │ ├── 8503_postprocess_freq_analysis_bro_http.conf
│ │ ├── 8504_postprocess_freq_analysis_bro_ssl.conf
│ │ └── 8505_postprocess_freq_analysis_bro_x509.conf
└── pipeline
│ └── default.conf
├── so-nginx
├── Dockerfile
└── README.md
├── so-pcaptools
├── Dockerfile
├── evtx_calc_timestamps.sh
└── timeshift.py
├── so-redis
├── Dockerfile
└── files
│ └── docker-entrypoint.sh
├── so-steno
├── Dockerfile
├── README.md
└── files
│ └── so-steno.sh
├── so-strelka-backend
├── Dockerfile
├── mantic.list
└── pin.pref
├── so-strelka-filestream
└── Dockerfile
├── so-strelka-frontend
└── Dockerfile
├── so-strelka-manager
└── Dockerfile
├── so-suricata
├── Dockerfile
├── README.md
└── files
│ └── so-suricata.sh
├── so-tcpreplay
├── Dockerfile
└── files
│ └── tcpreplay
├── so-telegraf
├── Dockerfile
└── entrypoint.sh
└── so-zeek
├── Dockerfile
├── LICENSE-JA4
├── LICENSE.JA4+
├── README.md
└── files
├── oui.py
└── zeek.sh
/.github/workflows/contrib.yml:
--------------------------------------------------------------------------------
name: contrib
on:
  issue_comment:
    types: [created]
  # pull_request_target runs in the base repository's context with access to its
  # secrets, including for pull requests opened from forks. That is acceptable here
  # only because no step checks out or executes pull-request code; keep it that way.
  pull_request_target:
    types: [opened,closed,synchronize]

jobs:
  CLAssistant:
    runs-on: ubuntu-latest
    steps:
      - name: "Contributor Check"
        # Run on the two recognised comment phrases, or on any pull-request event.
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
        # Pinned by tag; pinning the full commit SHA is the stronger supply-chain control.
        uses: cla-assistant/github-action@v2.3.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): presumably needed so the action can write signatures to the
          # remote repository named below; confirm the token's scope is limited to that.
          PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: 'signatures_v1.json'
          path-to-document: 'https://securityonionsolutions.com/cla'
          # Accounts that may contribute without signing the CLA.
          allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,weslambert,defensivedepth,m0duspwnens
          remote-organization-name: Security-Onion-Solutions
          remote-repository-name: licensing
24 |
25 |
--------------------------------------------------------------------------------
/.github/workflows/leaktest.yml:
--------------------------------------------------------------------------------
name: leak-test

on: [pull_request]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      # fetch-depth 0 fetches the full history, presumably so gitleaks can scan
      # every commit in the pull request rather than only the tip.
      - uses: actions/checkout@v2
        with:
          fetch-depth: '0'

      # Both actions are pinned by tag; pinning the full commit SHA is the stronger
      # supply-chain control. actions/checkout@v2 is also several major versions behind.
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v1.6.0
16 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | # Created by https://www.gitignore.io/api/macos,python,windows
3 | # Edit at https://www.gitignore.io/?templates=macos,python,windows
4 |
5 | ### macOS ###
6 | # General
7 | .DS_Store
8 | .AppleDouble
9 | .LSOverride
10 |
11 | # Icon must end with two \r
12 | Icon
13 |
14 | # Thumbnails
15 | ._*
16 |
17 | # Files that might appear in the root of a volume
18 | .DocumentRevisions-V100
19 | .fseventsd
20 | .Spotlight-V100
21 | .TemporaryItems
22 | .Trashes
23 | .VolumeIcon.icns
24 | .com.apple.timemachine.donotpresent
25 |
26 | # Directories potentially created on remote AFP share
27 | .AppleDB
28 | .AppleDesktop
29 | Network Trash Folder
30 | Temporary Items
31 | .apdisk
32 |
33 | ### Python ###
34 | # Byte-compiled / optimized / DLL files
35 | __pycache__/
36 | *.py[cod]
37 | *$py.class
38 |
39 | # C extensions
40 | *.so
41 |
42 | # Distribution / packaging
43 | .Python
44 | build/
45 | develop-eggs/
46 | dist/
47 | downloads/
48 | eggs/
49 | .eggs/
50 | lib/
51 | lib64/
52 | parts/
53 | sdist/
54 | var/
55 | wheels/
56 | pip-wheel-metadata/
57 | share/python-wheels/
58 | *.egg-info/
59 | .installed.cfg
60 | *.egg
61 | MANIFEST
62 |
63 | # PyInstaller
64 | # Usually these files are written by a python script from a template
65 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
66 | *.manifest
67 | *.spec
68 |
69 | # Installer logs
70 | pip-log.txt
71 | pip-delete-this-directory.txt
72 |
73 | # Unit test / coverage reports
74 | htmlcov/
75 | .tox/
76 | .nox/
77 | .coverage
78 | .coverage.*
79 | .cache
80 | nosetests.xml
81 | coverage.xml
82 | *.cover
83 | .hypothesis/
84 | .pytest_cache/
85 |
86 | # Translations
87 | *.mo
88 | *.pot
89 |
90 | # Scrapy stuff:
91 | .scrapy
92 |
93 | # Sphinx documentation
94 | docs/_build/
95 |
96 | # PyBuilder
97 | target/
98 |
99 | # pyenv
100 | .python-version
101 |
102 | # pipenv
103 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
104 | # However, in case of collaboration, if having platform-specific dependencies or dependencies
105 | # having no cross-platform support, pipenv may install dependencies that don't work, or not
106 | # install all needed dependencies.
107 | #Pipfile.lock
108 |
109 | # celery beat schedule file
110 | celerybeat-schedule
111 |
112 | # SageMath parsed files
113 | *.sage.py
114 |
115 | # Spyder project settings
116 | .spyderproject
117 | .spyproject
118 |
119 | # Rope project settings
120 | .ropeproject
121 |
122 | # Mr Developer
123 | .mr.developer.cfg
124 | .project
125 | .pydevproject
126 |
127 | # mkdocs documentation
128 | /site
129 |
130 | # mypy
131 | .mypy_cache/
132 | .dmypy.json
133 | dmypy.json
134 |
135 | # Pyre type checker
136 | .pyre/
137 |
138 | ### Windows ###
139 | # Windows thumbnail cache files
140 | Thumbs.db
141 | Thumbs.db:encryptable
142 | ehthumbs.db
143 | ehthumbs_vista.db
144 |
145 | # Dump file
146 | *.stackdump
147 |
148 | # Folder config file
149 | [Dd]esktop.ini
150 |
151 | # Recycle Bin used on file shares
152 | $RECYCLE.BIN/
153 |
154 | # Windows Installer files
155 | *.cab
156 | *.msi
157 | *.msix
158 | *.msm
159 | *.msp
160 |
161 | # Windows shortcuts
162 | *.lnk
163 |
164 | # End of https://www.gitignore.io/api/macos,python,windows
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # securityonion-image
--------------------------------------------------------------------------------
/baseimages.txt:
--------------------------------------------------------------------------------
1 | alpine:3.22.1
2 | apache/kafka:3.9.1
3 | golang:1.25.1
4 | golang:1.25.1-alpine
5 | influxdb:2.7.12
6 | nginx:1.29.1-alpine
7 | node:24.9.0-alpine
8 | oraclelinux:9
9 | python:3.13.7-slim
10 | python:3.13.4-slim
11 | redis:7.2.11-alpine
12 | registry:3.0.0
13 | telegraf:1.36.1-alpine
14 | ubuntu:24.04
15 |
--------------------------------------------------------------------------------
/so-elastalert/Dockerfile:
--------------------------------------------------------------------------------
# Upstream ElastAlert 2 image, pinned by tag. Pinning by digest (@sha256:...) would
# make the base reproducible and tamper-evident.
FROM ghcr.io/jertel/elastalert2/elastalert2:2.26.0
LABEL maintainer "Security Onion Solutions, LLC"

ARG GID=933
ARG UID=933
ARG USERNAME=so-elastalert

USER root

# Dedicated unprivileged account with no home directory and no login shell; the
# build steps below run as root and the final USER switches to this account.
RUN groupadd -g ${GID} ${USERNAME} && \
    useradd -u ${UID} -g ${GID} -M -b /opt/elastalert -s /sbin/nologin \
    -c "ElastAlert 2 User" ${USERNAME}

COPY ./files /custom

# Overlay the bundled create_index.py and es_mappings onto the installed elastalert
# package. NOTE(review): the unquoted $(find ...) assumes exactly one directory named
# 'elastalert' under /usr; zero or several matches would make cp fail or copy into
# the wrong place.
RUN cp -fr /custom/* $(find /usr -name elastalert -type d) && rm -fr /custom

# Enable indexing of match_body in the ES 8 mappings. The copied es_mappings/8/*.json
# already carry "enabled": "true", so this mainly covers any upstream file that the
# overlay did not replace.
RUN sed -i 's|\"enabled\": \"false\"|\"enabled\": "true"|' /usr/local/lib/*/site-packages/elastalert/es_mappings/8/*elastalert.json

# Append stdout/stderr redirection to the last line of run.sh so ElastAlert output is
# persisted under /var/log/elastalert. Assumes the last line of run.sh is the command
# that starts ElastAlert — TODO confirm against the upstream image.
RUN sed -i -e '$s,$, >> /var/log/elastalert/stdout.log 2>> /var/log/elastalert/stderr.log,' /opt/elastalert/run.sh

USER ${USERNAME}
ENTRYPOINT ["/opt/elastalert/run.sh", "--verbose"]
24 |
--------------------------------------------------------------------------------
/so-elastalert/README.md:
--------------------------------------------------------------------------------
1 | Docker image for Elastalert, based on CentOS 7, for use with Security Onion
2 |
--------------------------------------------------------------------------------
/so-elastalert/files/create_index.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
import argparse
import getpass
import json
import os
import sys
import time

import elasticsearch.helpers
import yaml
from elasticsearch import RequestsHttpConnection
from elasticsearch.client import Elasticsearch
from elasticsearch.client import IndicesClient
from elasticsearch.exceptions import NotFoundError
from envparse import Env

from elastalert.auth import Auth
18 |
# envparse schema: ES_USE_SSL is coerced to bool when read via env('ES_USE_SSL', ...)
# in main(); the other ES_* variables are read with plain os.environ.get.
env = Env(ES_USE_SSL=bool)
20 |
21 |
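def create_index_mappings(es_client, ea_index, recreate=False, old_ea_index=None, index_settings=None):
    """Create the ElastAlert writeback indices and apply the bundled mappings.

    Five indices are managed: ``ea_index`` itself plus the ``_status``,
    ``_silence``, ``_error`` and ``_past`` companions, each mapped from the
    JSON files under ``es_mappings/<major>/`` chosen by the cluster's major
    version (7, or 8 and newer; OpenSearch is treated as 7.10.2).

    Args:
        es_client: connected ``Elasticsearch`` client.
        ea_index: base name of the writeback index.
        recreate: when True, delete any existing indices first (data loss).
        old_ea_index: if given, reindex its documents into ``ea_index`` afterwards.
        index_settings: optional dict with ``shards`` / ``replicas`` keys that are
            forwarded as index settings; either key may be absent or None.

    Returns:
        None. Returns early without changes when ``ea_index`` already exists
        and ``recreate`` is False.

    Raises:
        SystemExit: for clusters older than major version 7.
    """
    settings = None
    if index_settings is not None:
        index_opts = {}
        # .get() rather than [] so a config block that sets only one of the
        # two keys does not raise KeyError.
        if index_settings.get("shards") is not None:
            index_opts["number_of_shards"] = index_settings["shards"]
        if index_settings.get("replicas") is not None:
            index_opts["number_of_replicas"] = index_settings["replicas"]
        settings = {'settings': {'index': index_opts}}

    esinfo = es_client.info()['version']
    if esinfo.get('distribution') == "opensearch":
        # OpenSearch is based on Elasticsearch 7.10.2, currently only v1.0.0 exists
        # https://opensearch.org/
        esversion = "7.10.2"
    else:
        esversion = esinfo['number']

    if is_atleasteight(esversion):
        es_index_mappings = read_es_index_mappings()
    elif is_atleastseven(esversion):
        es_index_mappings = read_es_index_mappings(7)
    else:
        print('FATAL - Unsupported Elasticsearch version: ' + esversion + '. Aborting.')
        sys.exit(1)

    es_index = IndicesClient(es_client)
    if not recreate and es_index.exists(ea_index):
        print('Index ' + ea_index + ' already exists. Skipping index creation.')
        return None

    # (suffix appended to ea_index, key in the bundled mappings). Everything past
    # the version check above is >= 7, so all five indices are always created.
    index_map = (
        ('', 'elastalert'),
        ('_status', 'elastalert_status'),
        ('_silence', 'silence'),
        ('_error', 'elastalert_error'),
        ('_past', 'past_elastalert'),
    )

    # (Re-)Create indices.
    for suffix, _ in index_map:
        index_name = ea_index + suffix
        if es_index.exists(index_name):
            print('Deleting index ' + index_name + '.')
            try:
                es_index.delete(index_name)
            except NotFoundError:
                # Why does this ever occur?? It shouldn't. But it does.
                pass
        es_index.create(index_name, body=settings)

    # To avoid a race condition. TODO: replace this with a real check
    time.sleep(2)
    # ES 7 still requires the _doc type name; ES 8 rejects it.
    use_types = not is_atleasteight(esversion)
    for suffix, mapping_key in index_map:
        index_name = ea_index + suffix
        if use_types:
            es_client.indices.put_mapping(index=index_name, doc_type='_doc',
                                          body=es_index_mappings[mapping_key], include_type_name=True)
        else:
            es_client.indices.put_mapping(index=index_name,
                                          body=es_index_mappings[mapping_key])

    print('New index %s created' % ea_index)
    if old_ea_index:
        print("Copying all data from old index '{0}' to new index '{1}'".format(old_ea_index, ea_index))
        # Use the defaults for chunk_size, scroll, scan_kwargs, and bulk_kwargs
        elasticsearch.helpers.reindex(es_client, old_ea_index, ea_index)

    print('Done!')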
110 |
111 |
def read_es_index_mappings(es_version=8):
    """Load every bundled writeback-index mapping for one Elasticsearch major version.

    Returns a dict keyed by mapping name (``silence``, ``elastalert_status``,
    ``elastalert``, ``past_elastalert``, ``elastalert_error``), each value being
    the parsed JSON of ``es_mappings/<es_version>/<name>.json``.
    """
    print('Reading Elastic {0} index mappings:'.format(es_version))
    # Order matters only for the "Reading index mapping" log lines.
    mapping_names = ('silence', 'elastalert_status', 'elastalert',
                     'past_elastalert', 'elastalert_error')
    return {name: read_es_index_mapping(name, es_version) for name in mapping_names}
121 |
122 |
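def read_es_index_mapping(mapping, es_version=7):
    """Load one bundled index mapping from ``es_mappings/<es_version>/<mapping>.json``.

    The path is resolved relative to this file, not the working directory.
    Note the default major version here is 7 while ``read_es_index_mappings``
    defaults to 8; callers normally pass ``es_version`` explicitly.

    Args:
        mapping: mapping file name without the ``.json`` extension.
        es_version: Elasticsearch major version selecting the sub-directory.

    Returns:
        The parsed JSON document.

    Raises:
        FileNotFoundError: if the mapping file does not exist.
        json.JSONDecodeError: if the file is not valid JSON.
    """
    base_path = os.path.abspath(os.path.dirname(__file__))
    mapping_path = 'es_mappings/{0}/{1}.json'.format(es_version, mapping)
    path = os.path.join(base_path, mapping_path)
    # Mapping files are UTF-8 JSON; do not depend on the container's locale encoding.
    with open(path, 'r', encoding='utf-8') as f:
        print("Reading index mapping '{0}'".format(mapping_path))
        return json.load(f)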
130 |
def is_atleastseven(es_version):
    """Return True when the major component of ``es_version`` (e.g. ``"7.10.2"``) is 7 or higher."""
    major, _, _ = es_version.partition(".")
    return int(major) >= 7
133 |
def is_atleasteight(es_version):
    """Return True when the major component of ``es_version`` (e.g. ``"8.18.4"``) is 8 or higher."""
    major, _, _ = es_version.partition(".")
    return int(major) >= 8
136 |
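def _str_to_bool(value):
    """argparse ``type`` for ``--recreate``: parse true/false-style strings.

    ``type=bool`` would make ``--recreate False`` evaluate to True, because
    ``bool("False")`` is True. A ``bool`` passed programmatically is returned unchanged.

    Raises:
        argparse.ArgumentTypeError: for anything that is not a recognised boolean word.
    """
    if isinstance(value, bool):
        return value
    lowered = str(value).strip().lower()
    if lowered in ('1', 't', 'true', 'y', 'yes'):
        return True
    if lowered in ('0', 'f', 'false', 'n', 'no', ''):
        return False
    raise argparse.ArgumentTypeError("expected a boolean value, got '%s'" % value)


def main():
    """Resolve connection settings and create the ElastAlert writeback indices.

    Settings are resolved in this order: command-line flag, then the YAML config
    file (``--config``, falling back to ``../config.yaml``), and, when no config
    file exists, an interactive prompt. Basic-auth, bearer and API-key credentials
    come from flags or the ``ES_*`` environment variables used as argparse defaults.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--host', default=os.environ.get('ES_HOST', None), help='Elasticsearch host')
    parser.add_argument('--port', default=os.environ.get('ES_PORT', None), type=int, help='Elasticsearch port')
    parser.add_argument('--username', default=os.environ.get('ES_USERNAME', None), help='Elasticsearch username')
    parser.add_argument('--password', default=os.environ.get('ES_PASSWORD', None), help='Elasticsearch password')
    parser.add_argument('--bearer', default=os.environ.get('ES_BEARER', None), help='Elasticsearch bearer token')
    parser.add_argument('--api-key', default=os.environ.get('ES_API_KEY', None), help='Elasticsearch api-key token')
    parser.add_argument('--url-prefix', help='Elasticsearch URL prefix')
    parser.add_argument('--no-auth', action='store_const', const=True, help='Suppress prompt for basic auth')
    parser.add_argument('--ssl', action='store_true', default=env('ES_USE_SSL', None), help='Use TLS')
    parser.add_argument('--no-ssl', dest='ssl', action='store_false', help='Do not use TLS')
    parser.add_argument('--verify-certs', action='store_true', default=None, help='Verify TLS certificates')
    parser.add_argument('--no-verify-certs', dest='verify_certs', action='store_false',
                        help='Do not verify TLS certificates')
    parser.add_argument('--index', help='Index name to create')
    parser.add_argument('--old-index', help='Old index name to copy')
    parser.add_argument('--send_get_body_as', default='GET',
                        help='Method for querying Elasticsearch - POST, GET or source')
    parser.add_argument(
        '--profile',
        default=None,
        help='AWS profile to use for signing requests. Optionally use the AWS_DEFAULT_PROFILE environment variable')
    parser.add_argument(
        '--aws-region',
        default=None,
        help='AWS Region to use for signing requests. Optionally use the AWS_DEFAULT_REGION environment variable')
    parser.add_argument('--timeout', default=60, type=int, help='Elasticsearch request timeout')
    parser.add_argument('--config', default='config.yaml', help='Global config file (default: config.yaml)')
    # type=bool would turn '--recreate False' into True (bool('False') is True);
    # parse the string explicitly instead, keeping the '--recreate VALUE' form.
    parser.add_argument('--recreate', type=_str_to_bool, default=False,
                        help='Force re-creation of the index (this will cause data loss).')
    args = parser.parse_args()

    if os.path.isfile(args.config):
        filename = args.config
    elif os.path.isfile('../config.yaml'):
        filename = '../config.yaml'
    else:
        filename = ''

    if filename:
        with open(filename) as config_file:
            # The config file is operator-controlled. FullLoader is kept for
            # compatibility; yaml.safe_load is sufficient for plain settings and
            # is the safer default if this is ever fed a less trusted file.
            data = yaml.load(config_file, Loader=yaml.FullLoader)
        host = args.host if args.host else data.get('es_host')
        port = args.port if args.port else data.get('es_port')
        username = args.username if args.username else data.get('es_username')
        password = args.password if args.password else data.get('es_password')
        bearer = args.bearer if args.bearer else data.get('es_bearer')
        api_key = args.api_key if args.api_key else data.get('es_api_key')
        url_prefix = args.url_prefix if args.url_prefix is not None else data.get('es_url_prefix', '')
        use_ssl = args.ssl if args.ssl is not None else data.get('use_ssl')
        # Certificate verification stays on unless the config explicitly sets it to False.
        verify_certs = args.verify_certs if args.verify_certs is not None else data.get('verify_certs') is not False
        # Honour the --aws-region flag; previously only the config value was read here.
        aws_region = args.aws_region if args.aws_region is not None else data.get('aws_region', None)
        send_get_body_as = data.get('send_get_body_as', 'GET')
        ca_certs = data.get('ca_certs')
        client_cert = data.get('client_cert')
        client_key = data.get('client_key')
        index = args.index if args.index is not None else data.get('writeback_index')
        old_index = args.old_index
        index_settings = data.get('index_settings')
    else:
        username = args.username if args.username else None
        password = args.password if args.password else None
        bearer = args.bearer if args.bearer else None
        api_key = args.api_key if args.api_key else None
        aws_region = args.aws_region
        host = args.host if args.host else input('Enter Elasticsearch host: ')
        port = args.port if args.port else int(input('Enter Elasticsearch port: '))
        use_ssl = (args.ssl if args.ssl is not None
                   else input('Use SSL? t/f: ').lower() in ('t', 'true'))
        if use_ssl:
            verify_certs = (args.verify_certs if args.verify_certs is not None
                            else input('Verify TLS certificates? t/f: ').lower() not in ('f', 'false'))
        else:
            verify_certs = True
        if args.no_auth is None and username is None:
            username = input('Enter optional basic-auth username (or leave blank): ')
            password = getpass.getpass('Enter optional basic-auth password (or leave blank): ')
        url_prefix = (args.url_prefix if args.url_prefix is not None
                      else input('Enter optional Elasticsearch URL prefix (prepends a string to the URL of every request): '))
        send_get_body_as = args.send_get_body_as
        ca_certs = None
        client_cert = None
        client_key = None
        index = args.index if args.index is not None else input('New index name? (Default elastalert_status) ')
        index_settings = None
        if not index:
            index = 'elastalert_status'
        old_index = (args.old_index if args.old_index is not None
                     else input('Name of existing index to copy? (Default None) '))

    timeout = args.timeout

    auth = Auth()
    http_auth = auth(host=host,
                     username=username,
                     password=password,
                     aws_region=aws_region,
                     profile_name=args.profile)

    headers = {}
    if bearer is not None:
        headers.update({'Authorization': f'Bearer {bearer}'})
    if api_key is not None:
        # Both credentials use the Authorization header, so when both are given
        # the API key overrides the bearer token.
        headers.update({'Authorization': f'ApiKey {api_key}'})

    es = Elasticsearch(
        host=host,
        port=port,
        timeout=timeout,
        use_ssl=use_ssl,
        verify_certs=verify_certs,
        connection_class=RequestsHttpConnection,
        http_auth=http_auth,
        headers=headers,
        url_prefix=url_prefix,
        send_get_body_as=send_get_body_as,
        client_cert=client_cert,
        ca_certs=ca_certs,
        client_key=client_key)

    create_index_mappings(es_client=es, ea_index=index, recreate=args.recreate, old_ea_index=old_index, index_settings=index_settings)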
259 |
260 |
# Script entry point: run only when executed directly, not when imported.
if __name__ == '__main__':
    main()
263 |
--------------------------------------------------------------------------------
/so-elastalert/files/es_mappings/7/elastalert.json:
--------------------------------------------------------------------------------
1 | {
2 | "properties": {
3 | "rule_name": {
4 | "type": "keyword"
5 | },
6 | "@timestamp": {
7 | "type": "date",
8 | "format": "date_optional_time"
9 | },
10 | "alert_time": {
11 | "type": "date",
12 | "format": "date_optional_time"
13 | },
14 | "match_time": {
15 | "type": "date",
16 | "format": "date_optional_time"
17 | },
18 | "match_body": {
19 | "type": "object",
20 | "enabled": "true"
21 | },
22 | "aggregate_id": {
23 | "type": "keyword"
24 | }
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/so-elastalert/files/es_mappings/7/past_elastalert.json:
--------------------------------------------------------------------------------
1 | {
2 | "properties": {
3 | "rule_name": {
4 | "type": "keyword"
5 | },
6 | "match_body": {
7 | "type": "object",
8 | "enabled": "true"
9 | },
10 | "@timestamp": {
11 | "type": "date",
12 | "format": "dateOptionalTime"
13 | },
14 | "aggregate_id": {
15 | "type": "keyword"
16 | }
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/so-elastalert/files/es_mappings/8/elastalert.json:
--------------------------------------------------------------------------------
1 | {
2 | "numeric_detection": true,
3 | "date_detection": false,
4 | "dynamic_templates": [
5 | {
6 | "strings_as_keyword": {
7 | "mapping": {
8 | "ignore_above": 1024,
9 | "type": "keyword"
10 | },
11 | "match_mapping_type": "string"
12 | }
13 | }
14 | ],
15 | "properties": {
16 | "rule_name": {
17 | "type": "keyword"
18 | },
19 | "@timestamp": {
20 | "type": "date",
21 | "format": "date_optional_time"
22 | },
23 | "alert_time": {
24 | "type": "date",
25 | "format": "date_optional_time"
26 | },
27 | "match_time": {
28 | "type": "date",
29 | "format": "date_optional_time"
30 | },
31 | "match_body": {
32 | "enabled": "true",
33 | "type": "object",
34 | "properties": {
35 | "host" : {
36 | "properties": {
37 | "os": {
38 | "properties": {
39 | "version" : {
40 | "type": "keyword"
41 | }
42 | }
43 | }
44 | }
45 | }
46 | }
47 | },
48 | "aggregate_id": {
49 | "type": "keyword"
50 | }
51 | }
52 | }
53 |
--------------------------------------------------------------------------------
/so-elastalert/files/es_mappings/8/past_elastalert.json:
--------------------------------------------------------------------------------
1 | {
2 | "properties": {
3 | "rule_name": {
4 | "type": "keyword"
5 | },
6 | "match_body": {
7 | "type": "object",
8 | "enabled": "true",
9 | "properties": {
10 | "host" : {
11 | "properties": {
12 | "os": {
13 | "properties": {
14 | "version" : {
15 | "type": "keyword"
16 | }
17 | }
18 | }
19 | }
20 | }
21 | }
22 | },
23 | "@timestamp": {
24 | "type": "date",
25 | "format": "date_optional_time"
26 | },
27 | "aggregate_id": {
28 | "type": "keyword"
29 | }
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/.dockerignore:
--------------------------------------------------------------------------------
1 | source/test_resources/
2 | **/*_test.go
3 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/Dockerfile:
--------------------------------------------------------------------------------
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.

# msitools release to build wixl from. NOTE(review): this is a git tag, which is a
# movable reference; pinning the commit hash (or verifying the tag signature) would
# make the builder stage reproducible and tamper-evident.
ARG MSITOOLS_VERSION=v0.103

FROM ghcr.io/security-onion-solutions/alpine:3.22.1 AS msibuilder

# Re-declare ARG to make it available in this stage
ARG MSITOOLS_VERSION

# Install build dependencies
RUN apk add --no-cache \
    git build-base autoconf automake libtool pkgconfig \
    glib-dev libgsf-dev util-linux-dev libxml2-dev \
    gobject-introspection-dev meson ninja vala bison \
    libgcab-dev g++ \
    && rm -rf /var/cache/apk/*

# Clone and build msitools
# (no checksum or signature is verified on the clone; see the note on MSITOOLS_VERSION)
RUN git clone https://github.com/GNOME/msitools.git /build/msitools \
    && cd /build/msitools \
    && git checkout ${MSITOOLS_VERSION} \
    && git submodule update --init \
    && meson setup builddir \
    && ninja -C builddir install

# Final stage with Go
FROM ghcr.io/security-onion-solutions/golang:1.25.1-alpine

# Install runtime dependencies for wixl
RUN apk add --no-cache \
    glib libgsf libxml2 util-linux \
    gobject-introspection libgcab make

# Copy msitools files from builder
# NOTE(review): the wixl-0.103 path below hard-codes the version while the build
# uses MSITOOLS_VERSION; bumping the ARG without updating this COPY breaks the stage.
COPY --from=msibuilder /usr/local/bin/wixl* /usr/local/bin/
COPY --from=msibuilder /usr/local/lib/libmsi* /usr/local/lib/
COPY --from=msibuilder /usr/local/share/wixl-0.103 /usr/local/share/wixl-0.103

# Set up workspace:
# source is go code
# msi is config & lib for wixl
# (ADD of local directories behaves like COPY here; COPY is the conventional form
# when no archive extraction or URL fetch is intended.)
RUN mkdir /workspace
ADD source /workspace
ADD msi /workspace
WORKDIR /workspace
# Resolve and download the module dependencies into the image (go.sum records their checksums).
RUN go get .
--------------------------------------------------------------------------------
/so-elastic-agent-builder/msi/so-elastic-agent.wxs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 | REMOVE="ALL"
30 | REMOVE="ALL"
31 | Not Installed
32 | Not Installed AND (DELAYENROLL = "true")
33 | Not Installed
34 |
35 |
36 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/msi/wixca.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-image/5acc2b6df85d9933b6f2ac7e3216fec95b17135b/so-elastic-agent-builder/msi/wixca.dll
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/constants_darwin_amd64.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | _ "embed"
5 | )
6 |
// agentFiles is the platform-specific Elastic Agent archive embedded into the
// binary at build time; this file is compiled only for darwin/amd64 because of
// the filename build constraint.
//
//go:embed files/elastic-agent/darwin-x86_64.tar.gz
var agentFiles []byte

// installPath is presumably where the embedded archive is unpacked on this
// platform — confirm in so-elastic-agent.go.
const installPath = "/Library/Elastic/SO/"
11 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/constants_darwin_arm64.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | _ "embed"
5 | )
6 |
// agentFiles is the platform-specific Elastic Agent archive embedded into the
// binary at build time; this file is compiled only for darwin/arm64 because of
// the filename build constraint.
//
//go:embed files/elastic-agent/darwin-aarch64.tar.gz
var agentFiles []byte

// installPath is presumably where the embedded archive is unpacked on this
// platform — confirm in so-elastic-agent.go.
const installPath = "/Library/Elastic/SO/"
11 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/constants_linux.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | _ "embed"
5 | )
6 |
// agentFiles is the platform-specific Elastic Agent archive embedded into the
// binary at build time; this file is compiled only for linux because of the
// filename build constraint.
//
//go:embed files/elastic-agent/linux-x86_64.tar.gz
var agentFiles []byte

// installPath is presumably where the embedded archive is unpacked on this
// platform — confirm in so-elastic-agent.go.
const installPath = "/opt/Elastic/SO/"
11 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/constants_windows.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | _ "embed"
5 | )
6 |
// agentFiles is the platform-specific Elastic Agent archive embedded into the
// binary at build time; this file is compiled only for windows because of the
// filename build constraint.
//
//go:embed files/elastic-agent/windows-x86_64.tar.gz
var agentFiles []byte

// installPath is presumably where the embedded archive is unpacked on this
// platform — confirm in so-elastic-agent.go. Backslashes are escaped for the
// Go string literal.
const installPath = "C:\\Program Files\\Elastic\\SO\\"
11 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/go.mod:
--------------------------------------------------------------------------------
1 | module so-elastic-agent-builder
2 |
3 | go 1.25.1
4 |
5 | require github.com/apex/log v1.9.0
6 |
7 | require (
8 | github.com/go-logfmt/logfmt v0.6.0 // indirect
9 | github.com/pkg/errors v0.9.1 // indirect
10 | )
11 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/go.sum:
--------------------------------------------------------------------------------
1 | github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
2 | github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA=
3 | github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
4 | github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
5 | github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
6 | github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
7 | github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
8 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
9 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
10 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
11 | github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
12 | github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
13 | github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
14 | github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4=
15 | github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
16 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
17 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
18 | github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
19 | github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
20 | github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
21 | github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
22 | github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
23 | github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
24 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
25 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
26 | github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
27 | github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
28 | github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
29 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
30 | github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
31 | github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
32 | github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
33 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
34 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
35 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
36 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
37 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
38 | github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
39 | github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
40 | github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
41 | github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
42 | github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
43 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
44 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
45 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
46 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
47 | github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0=
48 | github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk=
49 | github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk=
50 | github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj52Uc=
51 | github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
52 | github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
53 | github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
54 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
55 | golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
56 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
57 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
58 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
59 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
60 | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
61 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
62 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
63 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
64 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
65 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
66 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
67 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
68 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
69 | gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
70 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
71 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
72 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
73 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
74 | gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c h1:grhR+C34yXImVGp7EzNk+DTIk+323eIUWOmEevy6bDo=
75 | gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
76 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/so-elastic-agent.go:
--------------------------------------------------------------------------------
1 | // Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
2 | // or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
3 | // this file except in compliance with the Elastic License 2.0.
4 |
5 | package main
6 |
7 | import (
8 | "context"
9 | "crypto/tls"
10 | _ "embed"
11 | "flag"
12 | "fmt"
13 | "net/http"
14 | "os"
15 | "os/exec"
16 | "strings"
17 | "time"
18 |
19 | "github.com/apex/log"
20 | "github.com/apex/log/handlers/logfmt"
21 | "github.com/apex/log/handlers/text"
22 |
23 | "so-elastic-agent-builder/utils"
24 | )
25 |
var (
	// Security Onion CA certificate baked into the binary at build time; main
	// writes it into the install directory and hands that path to the agent
	// installer via --certificate-authorities.
	//go:embed files/cert/intca.crt
	caCRT []byte

	// Comma-separated list of Fleet Server URLs to try, and the -fleet flag
	// that overrides it. The in-source default is empty.
	fleetHostURLsList string
	fleetHostFlag     string

	// Enrollment token passed to `elastic-agent install`, and the -token flag
	// that overrides it. The in-source default is empty.
	enrollmentToken     string
	enrollmentTokenFlag string

	delayEnrollFlag bool          // -delay-enroll: append --delay-enroll to the installer arguments
	forceFlag       bool          // -force: append --force to the installer arguments
	timeoutFlag     time.Duration // -timeout: upper bound on the installer's run time
)
36 |
// check aborts the installer when err is non-nil: the failure is printed to
// stderr and recorded in the install log under the given context, the files
// dropped into the working directory are removed via cleanupInstall, and the
// process exits with status 1. A nil err is a no-op.
func check(err error, context string) {
	if err == nil {
		return
	}
	fmt.Fprintf(os.Stderr, "\n\n%s: %v\n", context, err)
	log.WithFields(log.Fields{
		"Context":       context,
		"Error Details": err,
	}).Error("Installation Progress")
	cleanupInstall()
	os.Exit(1)
}
48 |
// cleanupInstall removes the archive and the extracted directory that the
// installer drops into the current working directory. A failed removal is
// logged but not fatal, since the leftovers can be deleted by hand.
func cleanupInstall() {
	statusLogs("Starting cleanup of installation files")

	leftovers := []struct {
		remove func(string) error
		path   string
		note   string
	}{
		{os.Remove, "./so-elastic-agent_source.tar.gz", "Unable to delete so-elastic-agent_source.tar.gz - it can be deleted manually."},
		{os.RemoveAll, "./so-elastic-agent_source", "Unable to delete so-elastic-agent_source folder - it can be deleted manually."},
	}
	for _, item := range leftovers {
		if err := item.remove(item.path); err != nil {
			log.WithFields(log.Fields{
				"Context":       item.note,
				"Error Details": err,
			}).Error("Installation Progress")
		}
	}
}
67 |
// statusLogs writes one progress line to the install log at Info level: the
// message is carried in the "Status" field of an "Installation Progress" entry.
func statusLogs(status string) {
	entry := log.WithField("Status", status)
	entry.Info("Installation Progress")
}
73 |
// extractTarGz unpacks the gzip-compressed tarball at sourceFile into destDir.
// It is a thin alias for utils.ExtractTarGz so main reads without the package
// qualifier; whatever error the utility returns is passed through unchanged.
func extractTarGz(sourceFile string, destDir string) error {
	err := utils.ExtractTarGz(sourceFile, destDir)
	return err
}
77 |
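// InitLogging opens (creating or appending to) logFilename and routes apex/log
// output to it in logfmt form at logLevel. If the file cannot be opened, the
// open error is logged, output falls back to plain text on stdout, and the
// error is returned so the caller can decide whether console-only logging is
// acceptable.
//
// Returns the open *os.File (nil when the open failed) for the caller to
// close, and the error from os.OpenFile.
func InitLogging(logFilename string, logLevel string) (*os.File, error) {
	// The install log records runtime data about the enrollment, so it is
	// created owner-readable only (0600) instead of world-readable.
	logFile, err := os.OpenFile(logFilename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
	if err != nil {
		log.WithError(err).WithField("logfile", logFilename).Error("Failed to create log file, using console only")
		log.SetHandler(text.New(os.Stdout))
	} else {
		log.SetHandler(logfmt.New(logFile))
	}
	log.SetLevelFromString(logLevel)
	return logFile, err
}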
89 |
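// redactSecret hides a secret in log output: an empty value is reported as
// "(not set)" so operators can still tell whether it was supplied, anything
// else becomes "[REDACTED]".
func redactSecret(value string) string {
	if value == "" {
		return "(not set)"
	}
	return "[REDACTED]"
}

// redactArgs returns a copy of the installer arguments that is safe to log:
// the value of --enrollment-token= is masked, every other argument is kept.
func redactArgs(args []string) []string {
	const tokenPrefix = "--enrollment-token="
	out := make([]string, len(args))
	for i, a := range args {
		if strings.HasPrefix(a, tokenPrefix) {
			a = tokenPrefix + redactSecret(strings.TrimPrefix(a, tokenPrefix))
		}
		out[i] = a
	}
	return out
}

// probeFleetHosts tries each candidate Fleet URL in order and returns the
// first one that answers a plain GET with HTTP 404 (the response this
// installer expects from a Fleet Server's root path); it returns "" when none
// does. Blank entries are skipped, each attempt is logged, and every response
// body is closed so the transport connection is not leaked. A request that
// cannot even be constructed is fatal via check().
func probeFleetHosts(client *http.Client, candidates []string) string {
	for _, candidate := range candidates {
		candidate = strings.TrimSpace(candidate)
		if candidate == "" {
			continue
		}

		req, err := http.NewRequest(http.MethodGet, candidate, nil)
		check(err, "Error creating constructing FleetHostURL HTTP Request")

		resp, err := client.Do(req)
		reachable := err == nil && resp.StatusCode == http.StatusNotFound
		if err == nil {
			resp.Body.Close()
		}
		if !reachable {
			fields := log.Fields{
				"Fleet Host Connectivity Check": "Failed",
				"Fleet Host URL":                candidate,
			}
			if err != nil {
				fields["Error Details"] = err
			} else {
				fields["HTTP Status"] = resp.StatusCode
			}
			log.WithFields(fields).Warn("Installation Progress")
			continue
		}
		log.WithFields(log.Fields{
			"Fleet Host Connectivity Check": "Success",
			"Fleet Host URL":                candidate,
		}).Info("Installation Progress")
		return candidate
	}
	return ""
}

// main drives the installer end to end: it opens the install log, reads the
// command-line overrides, checks that at least one Fleet host answers, writes
// the embedded CA certificate and agent archive to disk, runs
// `elastic-agent install` against the reachable host, and removes the
// temporary files. Fatal errors go through check(), which cleans up and exits
// with status 1.
//
// installPath and agentFiles are not defined in this file; they come from the
// per-platform constants_*.go files of this package.
func main() {
	fmt.Println("\nInstallation initiated, view install log for further details.")

	logFile, err := InitLogging("SO-Elastic-Agent_Installer.log", "info")
	if err == nil {
		defer logFile.Close()
	}

	log.WithFields(log.Fields{
		"Wrapper Version":       "2.4.2",
		"Elastic Agent Version": "8.7.0",
	}).Info("Version Information")

	// Allow runtime configuration
	flag.StringVar(&enrollmentTokenFlag, "token", "", "Override default Enrollment Token")
	flag.StringVar(&fleetHostFlag, "fleet", "", "Override default Fleet Host")
	flag.BoolVar(&delayEnrollFlag, "delay-enroll", false, "Add delay enroll flag")
	flag.BoolVar(&forceFlag, "force", false, "Add force flag")
	flag.DurationVar(&timeoutFlag, "timeout", 5*time.Minute, "Set the timeout duration (default: 5 minutes)")
	flag.Parse()

	if enrollmentTokenFlag != "" {
		enrollmentToken = enrollmentTokenFlag
	}
	if fleetHostFlag != "" {
		fleetHostURLsList = fleetHostFlag
	}

	// The enrollment token is a credential: record only whether it is set so
	// it does not end up in the install log.
	log.WithFields(log.Fields{
		"Fleet URL/s":      fleetHostURLsList,
		"Enrollment Token": redactSecret(enrollmentToken),
	}).Info("Runtime Data")

	statusLogs("Starting Installation Precheck")

	// Check to make sure that control plane is accessible. This is a
	// reachability probe only and sends no credentials, which is why
	// certificate verification is skipped here (Fleet hosts are typically not
	// in the system trust store); the enrollment itself is handed the embedded
	// CA via --certificate-authorities below.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr, Timeout: 3 * time.Second}

	// The first Fleet host that responds is the one used for enrollment.
	fleetHostURL := probeFleetHosts(client, strings.Split(fleetHostURLsList, ","))
	if fleetHostURL == "" {
		statusLogs("No Fleet Hosts are accessible - Check connectivity to Fleet Host.")
		statusLogs("Exiting Installer...")
		os.Exit(1)
	}
	statusLogs("Fleet Host is accessible - Continuing installation")
	statusLogs("Installation Precheck Complete")

	statusLogs("Extracting Elastic Agent files")

	// Create Elastic Agent install dir & copy SO CA Cert to it. The
	// certificate is data, not a program, so it is written 0644 rather than
	// executable.
	crtPath := installPath + "soca.crt"
	err = os.MkdirAll(installPath, 0755)
	check(err, "Error creating Elastic Agent directories.")
	err = os.WriteFile(crtPath, caCRT, 0644)
	check(err, "Error copying over the SO ca.crt.")

	// Copy over embedded tar & extract it to the local system. A failed write
	// is fatal instead of silently continuing with an empty or stale archive.
	const archivePath = "./so-elastic-agent_source.tar.gz"
	const extractDir = "so-elastic-agent_source"
	err = os.WriteFile(archivePath, agentFiles, 0644)
	check(err, "Error writing the embedded Elastic Agent archive.")
	err = extractTarGz(archivePath, extractDir)
	check(err, "Failed to extract archive")

	// Install Elastic Agent
	statusLogs("Executing Elastic Agent installer")
	prg := "./so-elastic-agent_source/elastic-agent/elastic-agent"
	args := []string{
		"install",
		"--url=" + fleetHostURL,
		"--enrollment-token=" + enrollmentToken,
		"--certificate-authorities=" + crtPath,
		"-n",
	}
	if delayEnrollFlag {
		args = append(args, "--delay-enroll")
	}
	if forceFlag {
		args = append(args, "--force")
	}

	// Bound the installer's run time; once the deadline passes the child is
	// killed and CombinedOutput returns an error, which check() turns fatal.
	ctx, cancel := context.WithTimeout(context.Background(), timeoutFlag)
	defer cancel()
	cmd := exec.CommandContext(ctx, prg, args...)

	// Log the command line with the enrollment token masked.
	statusLogs("Executing the following: " + prg + " " + strings.Join(redactArgs(args), " "))

	output, err := cmd.CombinedOutput()
	check(err, string(output))
	statusLogs(string(output))
	cleanupInstall()

	statusLogs("Elastic Agent installation completed")
	fmt.Println("\n\nInstallation completed successfully.")
}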
224 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/test_resources/sample/test.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-image/5acc2b6df85d9933b6f2ac7e3216fec95b17135b/so-elastic-agent-builder/source/test_resources/sample/test.txt
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/test_resources/test.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-image/5acc2b6df85d9933b6f2ac7e3216fec95b17135b/so-elastic-agent-builder/source/test_resources/test.tar.gz
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/utils/utils.go:
--------------------------------------------------------------------------------
1 | package utils
2 |
import (
	"archive/tar"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)
11 |
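// ExtractTarGz extracts a tar.gz archive to the specified destination directory.
//
// Entry paths are joined onto destDir and rejected if the cleaned result would
// land outside it (for example via "../" components); symlink entries are
// created only when their target also resolves inside destDir, so a later
// entry cannot be written through them; regular files are written with the
// archive's permission bits only (setuid/setgid/sticky are dropped) and
// existing files are truncated. Directory, regular-file and symlink entries
// are extracted; any other entry type is skipped.
//
// Returns nil on success, or a wrapped error naming the first failure.
func ExtractTarGz(sourceFile string, destDir string) error {
	// Open the tar.gz file
	gzipFile, err := os.Open(sourceFile)
	if err != nil {
		return fmt.Errorf("failed to open archive file: %v", err)
	}
	defer gzipFile.Close()

	// Create a gzip reader
	gzipReader, err := gzip.NewReader(gzipFile)
	if err != nil {
		return fmt.Errorf("failed to create gzip reader: %v", err)
	}
	defer gzipReader.Close()

	// Create a tar reader
	tarReader := tar.NewReader(gzipReader)

	// Extract each file
	for {
		header, err := tarReader.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return fmt.Errorf("error reading tar: %v", err)
		}

		// Refuse any entry whose path would escape destDir.
		target, err := safeJoin(destDir, header.Name)
		if err != nil {
			return err
		}

		switch header.Typeflag {
		case tar.TypeSymlink:
			if err := extractSymlink(destDir, target, header.Linkname); err != nil {
				return err
			}
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0755); err != nil {
				return fmt.Errorf("failed to create directory: %v", err)
			}
		case tar.TypeReg:
			if err := extractRegular(target, header, tarReader); err != nil {
				return err
			}
		}
	}
	return nil
}

// safeJoin joins name onto base and fails if the cleaned result is neither
// base itself nor a path beneath it.
func safeJoin(base, name string) (string, error) {
	target := filepath.Join(base, name)
	if !withinDir(base, target) {
		return "", fmt.Errorf("archive entry %q escapes destination directory", name)
	}
	return target, nil
}

// withinDir reports whether path equals base or lies somewhere below it.
// Mixed absolute/relative inputs cannot be related and are reported as outside.
func withinDir(base, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(path))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// extractSymlink creates target -> linkname, refusing links whose resolved
// destination leaves destDir. The parent directory is created if missing and
// any existing file or link at target is replaced.
func extractSymlink(destDir, target, linkname string) error {
	resolved := linkname
	if !filepath.IsAbs(resolved) {
		// Relative link targets are resolved against the link's own directory.
		resolved = filepath.Join(filepath.Dir(target), linkname)
	}
	if !withinDir(destDir, resolved) {
		return fmt.Errorf("symlink %q -> %q escapes destination directory", target, linkname)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
		return fmt.Errorf("failed to create parent directory: %v", err)
	}
	// First remove any existing file/symlink
	_ = os.Remove(target)
	if err := os.Symlink(linkname, target); err != nil {
		return fmt.Errorf("failed to create symlink: %v", err)
	}
	return nil
}

// extractRegular writes one regular-file entry to target using the entry's
// permission bits, creating parent directories as needed. A pre-existing
// symlink at target is removed first so the data is not written through it.
func extractRegular(target string, header *tar.Header, r io.Reader) error {
	// Ensure the parent directory exists
	if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
		return fmt.Errorf("failed to create parent directory: %v", err)
	}
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		_ = os.Remove(target)
	}

	// Perm() keeps only the rwx bits, dropping setuid/setgid/sticky from the archive.
	mode := header.FileInfo().Mode().Perm()
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode)
	if err != nil {
		return fmt.Errorf("failed to create file: %v", err)
	}

	// Copy the contents
	if _, err := io.Copy(f, r); err != nil {
		f.Close()
		return fmt.Errorf("failed to copy file contents: %v", err)
	}
	if err := f.Close(); err != nil {
		return fmt.Errorf("failed to close file: %v", err)
	}
	return nil
}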
76 |
--------------------------------------------------------------------------------
/so-elastic-agent-builder/source/utils/utils_test.go:
--------------------------------------------------------------------------------
1 | package utils
2 |
3 | import (
4 | "os"
5 | "path/filepath"
6 | "strings"
7 | "testing"
8 | )
9 |
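// TestExtractTarGz extracts the checked-in sample archive into a fresh
// per-test temporary directory and verifies that test.txt comes out with the
// expected content.
func TestExtractTarGz(t *testing.T) {
	// Test setup
	testTarGz := "../test_resources/test.tar.gz"
	// t.TempDir gives each run its own directory and removes it when the test
	// ends, so concurrent or interrupted runs cannot collide on a fixed path.
	testExtractDir := t.TempDir()

	// Test the extraction
	if err := ExtractTarGz(testTarGz, testExtractDir); err != nil {
		t.Fatalf("ExtractTarGz failed: %v", err)
	}

	// Verify the extracted file exists and has correct content; a missing file
	// is fatal here rather than reported twice by the read below.
	extractedFile := filepath.Join(testExtractDir, "test.txt")
	if _, err := os.Stat(extractedFile); os.IsNotExist(err) {
		t.Fatal("Extracted file does not exist")
	}

	content, err := os.ReadFile(extractedFile)
	if err != nil {
		t.Fatalf("Failed to read extracted file: %v", err)
	}

	expectedContent := strings.TrimSpace("This is a test file for tar.gz extraction")
	gotContent := strings.TrimSpace(string(content))

	if gotContent != expectedContent {
		t.Errorf("Extracted file content mismatch.\nExpected (%d bytes): %q\nGot (%d bytes): %q",
			len(expectedContent), expectedContent,
			len(gotContent), gotContent)
	}
}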
52 |
--------------------------------------------------------------------------------
/so-elastic-agent/Dockerfile:
--------------------------------------------------------------------------------
# This Dockerfile was based on the official Elastic Agent Docker image:
# https://hub.docker.com/r/elastic/elastic-agent

# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# VERSION selects the upstream elastic-agent image tag; it has no default and
# must be supplied with --build-arg.
ARG VERSION

FROM docker.elastic.co/beats/elastic-agent:$VERSION

# Numeric uid/gid the image's elastic-agent account is remapped to (presumably
# to match ownership of host-side mounts — confirm against the deployment).
ARG GID=947
ARG UID=947
ARG USERNAME=elastic-agent

# Remap the account to the requested ids and re-own the component binaries so
# they stay accessible under the new uid/gid.
# NOTE(review): the build ends with USER root; whether the runtime entrypoint
# drops to ${USERNAME} is not visible here — confirm before relying on it.
USER root
RUN groupmod -g ${GID} ${USERNAME} && \
usermod -u ${UID} -g ${GID} ${USERNAME} && \
chown ${USERNAME}:${USERNAME} /usr/share/elastic-agent/data/elastic-agent-*/components/*
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/Dockerfile:
--------------------------------------------------------------------------------
# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# VERSION selects the upstream package-registry distribution tag and also names
# the /versions/$VERSION.txt pin list consumed by maintained-versions.sh.
ARG VERSION

FROM docker.elastic.co/package-registry/distribution:$VERSION AS original_image

# Add bash because it is not included in the new default base image of wolfi-base (default sh shell)
RUN apk add --no-cache bash

# Remove unsupported packages
COPY scripts /scripts
COPY versions /versions
# Keep a copy of the integrations listed in ./versions/$VERSION. Helps avoid issues during the ES upgrade process.
# In the future this will also allow for downgrading integration versions.
# Order matters: maintained-versions.sh saves the pinned zips (and their .sig
# files) aside before unsupported-integrations.sh deletes anything.
RUN bash /scripts/maintained-versions.sh && bash /scripts/unsupported-integrations.sh && rm -rf /scripts

# Cleanup unneeded packages, keeping the most recent version of each one
# Except for endpoint packages, keep all versions
# Versions are compared with sort -V after swapping "-" for "~" so pre-release
# suffixes sort before the final release; head -n-1 drops the newest from the
# delete list. The saved packages are restored into storage at the end.
RUN cd /packages/package-storage/ \
&& rm -rf suricata-* zeek-* dga-* endpoint*dev* endpoint*next* *preview* *beta* \
&& cd /packages/package-storage/ && LIST=$(ls | grep -v "^endpoint-" | awk -F'[-]' '{print $1}' | sort | uniq ) \
&& for item in $LIST; do ls $item-*.zip | cut -d '-' -f 2 | tr - \~ | sort -V | tr \~ - | head -n-1 | xargs -I {} echo "$item-"{} | xargs -r rm -fr; done \
&& for item in $LIST; do ls $item-*.zip.sig | cut -d '-' -f 2 | tr - \~ | sort -V | tr \~ - | head -n-1 | xargs -I {} echo "Removing signature file: $item-"{} | xargs -r rm -fr; done \
&& mv /packages/saved-packages/* /packages/package-storage/

# Flatten the trimmed image into a single layer; the deleted packages are not
# carried over as hidden layer data.
FROM scratch

COPY --from=original_image / /
WORKDIR /package-registry

EXPOSE 8080
ENTRYPOINT ["./package-registry"]

ENV EPR_ADDRESS=0.0.0.0:8080

# NOTE(review): relies on curl being present in the copied root filesystem —
# confirm for the base image tag in use, otherwise the check always fails.
HEALTHCHECK --interval=1m --retries=30 CMD curl --silent --fail localhost:8080/health || exit 1
49 |
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/scripts/maintained-integrations.txt:
--------------------------------------------------------------------------------
1 | apache-
2 | auditd-
3 | auth0-
4 | aws-
5 | azure-
6 | barracuda-
7 | barracuda_cloudgen_firewall-
8 | carbonblack_edr-
9 | cef-
10 | checkpoint-
11 | cisco_asa-
12 | cisco_duo-
13 | cisco_ftd-
14 | cisco_ios-
15 | cisco_ise-
16 | cisco_meraki-
17 | cisco_secure_email_gateway-
18 | cisco_umbrella-
19 | citrix_adc-
20 | citrix_waf-
21 | cloudflare-
22 | cloudflare_logpush-
23 | crowdstrike-
24 | darktrace-
25 | elasticsearch-
26 | endpoint-
27 | f5_bigip-
28 | fim-
29 | fireeye-
30 | fleet_server-
31 | fortinet-
32 | fortinet_fortigate-
33 | gcp-
34 | github-
35 | google_workspace-
36 | http_endpoint-
37 | httpjson-
38 | iis-
39 | imperva_cloud_waf-
40 | journald-
41 | juniper-
42 | juniper_srx-
43 | kafka_log-
44 | lastpass-
45 | log-
46 | m365_defender-
47 | microsoft_defender_endpoint-
48 | microsoft_dhcp-
49 | microsoft_sqlserver-
50 | mimecast-
51 | mysql-
52 | netflow-
53 | nginx-
54 | o365-
55 | okta-
56 | osquery_manager-
57 | panw-
58 | pfsense-
59 | proofpoint_tap-
60 | pulse_connect_secure-
61 | redis-
62 | sentinel_one-
63 | squid-
64 | snort-
65 | snyk-
66 | sonicwall_firewall-
67 | sophos-
68 | sophos_central-
69 | symantec_endpoint-
70 | system-
71 | tcp-
72 | tenable_io-
73 | tenable_sc-
74 | ti_abusech-
75 | ti_anomali-
76 | ti_cybersixgill-
77 | ti_maltiverse-
78 | ti_misp-
79 | ti_opencti-
80 | ti_otx-
81 | ti_rapid7_threat_command-
82 | ti_recordedfuture-
83 | ti_threatq-
84 | trendmicro-
85 | trend_micro_vision_one-
86 | udp-
87 | vsphere-
88 | windows-
89 | winlog-
90 | zscaler_zia-
91 | zscaler_zpa-
92 | 1password-
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/scripts/maintained-versions.sh:
--------------------------------------------------------------------------------
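#!/bin/bash

# This script runs at container build time and is used to keep specific versions
# of integration packages available for each version of ES used by previous SO versions.
# Each /versions/*.txt lists package zip filenames, one per line; every listed
# package present in SOURCE_DIR is copied, with its .sig file, into DEST_DIR.

SOURCE_DIR="/packages/package-storage"
DEST_DIR="/packages/saved-packages"

VERSION_DIR="/versions"

mkdir -p "$DEST_DIR" || { echo "Unable to create $DEST_DIR" >&2; exit 1; }

for version_file in "$VERSION_DIR"/*.txt; do
    # An unmatched glob stays literal; skip it instead of reading a missing file.
    [[ -f "$version_file" ]] || continue
    echo "Processing version file: $version_file"
    # The '|| [[ -n "$file" ]]' clause keeps a final line that has no trailing newline.
    while IFS= read -r file || [[ -n "$file" ]]; do
        file="${file%$'\r'}"          # tolerate CRLF line endings
        [[ -n "$file" ]] || continue  # skip blank lines
        if [[ -f "$SOURCE_DIR/$file" ]]; then
            echo "Backing up $file to $DEST_DIR"
            cp -fv "$SOURCE_DIR/$file" "$DEST_DIR/"
            if [[ -f "$SOURCE_DIR/$file.sig" ]]; then
                echo "Backing up signature file for $file to $DEST_DIR"
                cp -fv "$SOURCE_DIR/$file.sig" "$DEST_DIR/"
            else
                # A package without its detached signature may be rejected by the
                # registry; flag it instead of failing silently on the cp.
                echo "WARNING: no signature file found for $file" >&2
            fi
        else
            echo "WARNING: $file is listed in $version_file but not present in $SOURCE_DIR" >&2
        fi
    done < "$version_file"
    echo "Done processing: $version_file"
    echo "Current integration storage usage: $(du -sh "$DEST_DIR")"
done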
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/scripts/unsupported-integrations.sh:
--------------------------------------------------------------------------------
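#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

# This script removes unsupported packages from our self-hosted Elastic Package Repo container image.
# It is meant to be used during the image build process.
# A package file is deleted when its integration name (the part before the first "-")
# exactly matches a line of /scripts/unsupported-integrations.txt.

# Refuse to run if the storage directory is missing: after a failed cd the glob
# below would expand in whatever the current directory happens to be.
cd /packages/package-storage/ || { echo "Package storage directory not found" >&2; exit 1; }

for file in *; do
    # An empty directory leaves the glob unexpanded; nothing to do then.
    [[ -e "$file" ]] || continue
    PATTERN="${file%%-*}"
    if grep -qx -- "$PATTERN" /scripts/unsupported-integrations.txt; then
        rm -- "$file" && echo "Deleted: $file..."
    fi
done

exit 0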
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/scripts/unsupported-integrations.txt:
--------------------------------------------------------------------------------
1 | apm
2 | cloud_security_posture
3 | hpe_aruba_cx
4 | aws_billing
5 |
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/versions/8.10.4.txt:
--------------------------------------------------------------------------------
1 | 1password-1.23.1.zip
2 | apache-1.15.1.zip
3 | auditd-3.15.0.zip
4 | auth0-1.13.0.zip
5 | aws-2.8.3.zip
6 | azure-1.6.0.zip
7 | barracuda-1.9.1.zip
8 | barracuda_cloudgen_firewall-1.8.0.zip
9 | carbonblack_edr-1.15.0.zip
10 | cef-2.15.0.zip
11 | checkpoint-1.27.0.zip
12 | cisco_asa-2.26.0.zip
13 | cisco_duo-1.18.0.zip
14 | cisco_ftd-2.18.2.zip
15 | cisco_ios-1.22.0.zip
16 | cisco_ise-1.18.0.zip
17 | cisco_meraki-1.16.1.zip
18 | cisco_secure_email_gateway-1.16.0.zip
19 | cisco_umbrella-1.19.0.zip
20 | citrix_adc-1.0.1.zip
21 | citrix_waf-1.11.1.zip
22 | cloudflare-2.20.0.zip
23 | cloudflare_logpush-1.14.1.zip
24 | crowdstrike-1.22.1.zip
25 | darktrace-1.11.0.zip
26 | elasticsearch-1.10.0.zip
27 | endpoint-8.11.0.zip
28 | f5_bigip-1.11.0.zip
29 | fim-1.13.0.zip
30 | fireeye-1.19.0.zip
31 | fleet_server-1.4.0.zip
32 | fortinet-1.9.0.zip
33 | fortinet_fortigate-1.19.0.zip
34 | gcp-2.30.1.zip
35 | github-1.24.0.zip
36 | google_workspace-2.16.1.zip
37 | http_endpoint-1.13.0.zip
38 | httpjson-1.16.0.zip
39 | iis-1.15.1.zip
40 | journald-1.1.0.zip
41 | juniper-1.2.0.zip
42 | juniper_srx-1.18.1.zip
43 | kafka_log-1.3.0.zip
44 | lastpass-1.11.0.zip
45 | log-2.3.0.zip
46 | m365_defender-2.3.1.zip
47 | microsoft_defender_endpoint-2.20.0.zip
48 | microsoft_dhcp-1.21.0.zip
49 | microsoft_sqlserver-2.2.2.zip
50 | mimecast-1.19.0.zip
51 | mysql-1.15.0.zip
52 | netflow-2.16.1.zip
53 | nginx-1.15.1.zip
54 | o365-1.24.1.zip
55 | okta-2.3.0.zip
56 | osquery_manager-1.10.1.zip
57 | panw-3.19.0.zip
58 | pfsense-1.16.0.zip
59 | proofpoint_tap-1.13.0.zip
60 | pulse_connect_secure-1.16.0.zip
61 | redis-1.11.1.zip
62 | sentinel_one-1.16.0.zip
63 | snort-1.12.0.zip
64 | snyk-1.16.0.zip
65 | sonicwall_firewall-1.11.0.zip
66 | sophos-3.4.0.zip
67 | sophos_central-1.10.0.zip
68 | squid-0.18.0.zip
69 | symantec_endpoint-2.13.0.zip
70 | system-1.43.0.zip
71 | tcp-1.15.0.zip
72 | tenable_io-2.4.0.zip
73 | tenable_sc-1.17.0.zip
74 | ti_abusech-1.21.0.zip
75 | ti_anomali-1.18.0.zip
76 | ti_cybersixgill-1.22.0.zip
77 | ti_maltiverse-0.5.0.zip
78 | ti_misp-1.24.0.zip
79 | ti_opencti-0.1.0.zip
80 | ti_otx-1.19.0.zip
81 | ti_rapid7_threat_command-1.11.0.zip
82 | ti_recordedfuture-1.17.0.zip
83 | ti_threatq-1.20.0.zip
84 | trend_micro_vision_one-1.12.2.zip
85 | trendmicro-1.6.0.zip
86 | udp-1.15.0.zip
87 | vsphere-1.8.0.zip
88 | windows-1.38.0.zip
89 | winlog-1.20.0.zip
90 | zscaler_zia-2.15.0.zip
91 | zscaler_zpa-1.14.0.zip
92 |
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/versions/8.14.3.txt:
--------------------------------------------------------------------------------
1 | 1password-1.29.0.zip
2 | apache-1.21.0.zip
3 | auditd-3.19.2.zip
4 | auth0-1.16.0.zip
5 | aws-2.17.0.zip
6 | azure-1.13.0.zip
7 | barracuda-1.14.0.zip
8 | barracuda_cloudgen_firewall-1.12.0.zip
9 | carbonblack_edr-1.18.0.zip
10 | cef-2.17.1.zip
11 | checkpoint-1.31.0.zip
12 | cisco_asa-2.36.0.zip
13 | cisco_duo-1.25.0.zip
14 | cisco_ftd-3.3.0.zip
15 | cisco_ios-1.26.10.zip
16 | cisco_ise-1.22.1.zip
17 | cisco_meraki-1.23.0.zip
18 | cisco_secure_email_gateway-1.23.2.zip
19 | cisco_umbrella-1.25.0.zip
20 | citrix_adc-1.7.0.zip
21 | citrix_waf-1.15.0.zip
22 | cloudflare-2.27.0.zip
23 | cloudflare_logpush-1.21.0.zip
24 | crowdstrike-1.38.0.zip
25 | darktrace-1.18.0.zip
26 | elasticsearch-1.15.0.zip
27 | endpoint-8.15.0.zip
28 | f5_bigip-1.17.0.zip
29 | fim-1.15.1.zip
30 | fireeye-1.23.0.zip
31 | fleet_server-1.5.0.zip
32 | fortinet-1.9.0.zip
33 | fortinet_fortigate-1.25.4.zip
34 | gcp-2.35.0.zip
35 | github-1.29.0.zip
36 | google_workspace-2.23.0.zip
37 | http_endpoint-2.2.1.zip
38 | httpjson-1.21.0.zip
39 | iis-1.20.0.zip
40 | imperva_cloud_waf-1.1.1.zip
41 | journald-1.1.0.zip
42 | juniper-1.2.0.zip
43 | juniper_srx-1.21.0.zip
44 | kafka_log-1.7.0.zip
45 | lastpass-1.17.0.zip
46 | log-2.3.1.zip
47 | m365_defender-2.14.1.zip
48 | microsoft_defender_endpoint-2.25.0.zip
49 | microsoft_dhcp-1.24.2.zip
50 | microsoft_sqlserver-2.7.0.zip
51 | mimecast-1.26.1.zip
52 | mysql-1.22.0.zip
53 | netflow-2.18.0.zip
54 | nginx-1.22.0.zip
55 | o365-2.5.1.zip
56 | okta-2.11.0.zip
57 | osquery_manager-1.12.0.zip
58 | panw-3.26.2.zip
59 | pfsense-1.19.1.zip
60 | proofpoint_tap-1.22.0.zip
61 | pulse_connect_secure-2.1.0.zip
62 | redis-1.17.0.zip
63 | sentinel_one-1.25.0.zip
64 | snort-1.15.0.zip
65 | snyk-1.24.0.zip
66 | sonicwall_firewall-1.16.0.zip
67 | sophos-3.9.0.zip
68 | sophos_central-1.15.0.zip
69 | squid-0.19.3.zip
70 | symantec_endpoint-2.16.0.zip
71 | system-1.59.0.zip
72 | tcp-1.19.0.zip
73 | tenable_io-3.2.0.zip
74 | tenable_sc-1.23.0.zip
75 | ti_abusech-2.3.0.zip
76 | ti_anomali-1.22.0.zip
77 | ti_cybersixgill-1.30.0.zip
78 | ti_maltiverse-1.2.0.zip
79 | ti_misp-1.35.0.zip
80 | ti_opencti-2.3.1.zip
81 | ti_otx-1.25.0.zip
82 | ti_rapid7_threat_command-2.0.0.zip
83 | ti_recordedfuture-1.26.0.zip
84 | ti_threatq-1.28.0.zip
85 | trend_micro_vision_one-1.20.0.zip
86 | trendmicro-2.3.0.zip
87 | udp-1.19.0.zip
88 | vsphere-1.13.0.zip
89 | windows-1.45.1.zip
90 | winlog-2.1.2.zip
91 | zscaler_zia-3.0.0.zip
92 | zscaler_zpa-1.18.0.zip
93 |
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/versions/8.17.3.txt:
--------------------------------------------------------------------------------
1 | 1password-1.32.0.zip
2 | abnormal_security-1.4.0.zip
3 | activemq-1.8.0.zip
4 | admin_by_request_epm-0.2.0.zip
5 | airflow-0.10.0.zip
6 | akamai-2.28.0.zip
7 | amazon_security_lake-2.4.0.zip
8 | apache-1.29.0.zip
9 | apache_spark-1.4.0.zip
10 | apache_tomcat-1.9.0.zip
11 | arista_ngfw-1.3.0.zip
12 | atlassian_bitbucket-2.4.0.zip
13 | atlassian_confluence-1.28.0.zip
14 | atlassian_jira-1.29.0.zip
15 | auditd-3.21.0.zip
16 | auditd_manager-1.18.3.zip
17 | auth0-1.21.0.zip
18 | authentik-1.3.0.zip
19 | aws-2.41.1.zip
20 | aws_bedrock-1.1.0.zip
21 | aws_logs-1.7.0.zip
22 | aws_mq-0.2.0.zip
23 | awsfargate-1.3.0.zip
24 | awsfirehose-1.5.2.zip
25 | azure-1.22.1.zip
26 | azure_app_service-0.6.0.zip
27 | azure_application_insights-1.8.0.zip
28 | azure_billing-1.8.0.zip
29 | azure_blob_storage-2.2.0.zip
30 | azure_frontdoor-2.2.0.zip
31 | azure_functions-0.9.0.zip
32 | azure_logs-0.2.0.zip
33 | azure_metrics-1.7.0.zip
34 | azure_network_watcher_nsg-1.3.0.zip
35 | azure_network_watcher_vnet-1.3.0.zip
36 | azure_openai-1.6.0.zip
37 | barracuda-1.18.0.zip
38 | barracuda_cloudgen_firewall-1.15.0.zip
39 | bbot-1.3.0.zip
40 | beaconing-1.2.3.zip
41 | beat-0.1.3.zip
42 | beyondinsight_password_safe-0.2.0.zip
43 | bitdefender-2.4.0.zip
44 | bitwarden-1.17.0.zip
45 | blacklens-0.3.0.zip
46 | bluecoat-0.17.3.zip
47 | box_events-2.12.0.zip
48 | canva-0.5.0.zip
49 | carbon_black_cloud-2.8.1.zip
50 | carbonblack_edr-1.21.0.zip
51 | cassandra-1.18.0.zip
52 | cef-2.20.1.zip
53 | cel-1.15.0.zip
54 | ceph-1.8.0.zip
55 | checkpoint-1.37.1.zip
56 | checkpoint_email-0.5.0.zip
57 | checkpoint_harmony_endpoint-0.4.0.zip
58 | cilium_tetragon-0.1.0.zip
59 | cisa_kevs-1.5.0.zip
60 | cisco-0.14.0.zip
61 | cisco_aironet-1.15.1.zip
62 | cisco_asa-2.42.2.zip
63 | cisco_duo-2.4.0.zip
64 | cisco_ftd-3.7.0.zip
65 | cisco_ios-1.29.2.zip
66 | cisco_ise-1.25.0.zip
67 | cisco_meraki-1.28.0.zip
68 | cisco_meraki_metrics-0.3.1.zip
69 | cisco_nexus-1.3.1.zip
70 | cisco_secure_email_gateway-1.25.1.zip
71 | cisco_secure_endpoint-2.29.0.zip
72 | cisco_umbrella-1.29.0.zip
73 | citrix_adc-1.15.0.zip
74 | citrix_waf-1.17.1.zip
75 | claroty_ctd-0.5.0.zip
76 | cloud_asset_inventory-0.8.0.zip
77 | cloud_defend-1.2.7.zip
78 | cloudflare-2.30.0.zip
79 | cloudflare_logpush-1.34.1.zip
80 | cockroachdb-1.13.0.zip
81 | containerd-0.5.0.zip
82 | coredns-0.10.0.zip
83 | corelight-0.8.0.zip
84 | couchbase-1.9.0.zip
85 | couchdb-1.5.0.zip
86 | cribl-0.5.0.zip
87 | crowdstrike-1.52.1.zip
88 | cyberark-0.5.1.zip
89 | cyberark_epm-0.2.0.zip
90 | cyberark_pta-1.12.0.zip
91 | cyberarkpas-2.27.0.zip
92 | cybereason-1.3.0.zip
93 | cylance-0.23.0.zip
94 | darktrace-1.23.0.zip
95 | ded-2.2.1.zip
96 | digital_guardian-1.5.0.zip
97 | docker-2.14.0.zip
98 | elastic_agent-2.1.1.zip
99 | elastic_connectors-1.0.2.zip
100 | elastic_package_registry-0.3.1.zip
101 | elasticsearch-1.17.4.zip
102 | endpoint-9.0.0.zip
103 | enterprisesearch-1.0.1.zip
104 | entityanalytics_ad-0.7.0.zip
105 | entityanalytics_entra_id-1.6.0.zip
106 | entityanalytics_okta-2.1.0.zip
107 | envoyproxy-0.3.0.zip
108 | eset_protect-1.6.0.zip
109 | ess_billing-1.2.0.zip
110 | etcd-1.4.0.zip
111 | f5-0.19.0.zip
112 | f5_bigip-1.26.0.zip
113 | falco-1.3.0.zip
114 | filestream-1.0.1.zip
115 | fim-1.15.1.zip
116 | fireeye-1.25.0.zip
117 | first_epss-0.4.0.zip
118 | fleet_server-1.6.0.zip
119 | forcepoint_web-1.13.0.zip
120 | forgerock-1.21.0.zip
121 | fortinet-1.9.0.zip
122 | fortinet_forticlient-1.11.0.zip
123 | fortinet_fortiedr-1.17.0.zip
124 | fortinet_fortigate-1.29.2.zip
125 | fortinet_fortimail-2.14.1.zip
126 | fortinet_fortimanager-2.14.1.zip
127 | fortinet_fortiproxy-1.1.1.zip
128 | gcp-2.41.0.zip
129 | gcp_metrics-0.3.0.zip
130 | gcp_pubsub-2.2.0.zip
131 | gcp_vertexai-1.1.0.zip
132 | gigamon-1.4.0.zip
133 | github-2.4.0.zip
134 | gitlab-2.2.0.zip
135 | goflow2-0.3.0.zip
136 | golang-1.7.0.zip
137 | google_cloud_storage-2.2.0.zip
138 | google_scc-1.8.0.zip
139 | google_workspace-2.31.0.zip
140 | hadoop-1.8.1.zip
141 | haproxy-1.16.0.zip
142 | hashicorp_vault-1.26.1.zip
143 | hid_bravura_monitor-1.20.0.zip
144 | http_endpoint-2.5.0.zip
145 | httpjson-1.22.0.zip
146 | ibmmq-1.6.0.zip
147 | iis-1.22.0.zip
148 | imperva-1.4.1.zip
149 | imperva_cloud_waf-1.8.0.zip
150 | influxdb-0.11.0.zip
151 | infoblox-0.8.1.zip
152 | infoblox_bloxone_ddi-1.21.0.zip
153 | infoblox_nios-1.28.0.zip
154 | iptables-1.19.0.zip
155 | istio-0.7.0.zip
156 | jamf_compliance_reporter-1.16.0.zip
157 | jamf_pro-0.5.0.zip
158 | jamf_protect-2.10.0.zip
159 | jolokia-0.7.0.zip
160 | journald-1.1.2.zip
161 | jumpcloud-1.15.0.zip
162 | juniper-1.2.0.zip
163 | juniper_junos-0.10.3.zip
164 | juniper_netscreen-0.10.3.zip
165 | juniper_srx-1.22.1.zip
166 | kafka-1.18.0.zip
167 | kafka_log-1.8.1.zip
168 | keycloak-1.26.0.zip
169 | kibana-2.6.1.zip
170 | kubernetes-1.80.1.zip
171 | lastpass-1.20.0.zip
172 | linux-0.7.1.zip
173 | lmd-2.2.0.zip
174 | log-2.3.3.zip
175 | logstash-2.6.2.zip
176 | lumos-1.5.0.zip
177 | lyve_cloud-1.17.0.zip
178 | m365_defender-2.23.0.zip
179 | mattermost-2.4.0.zip
180 | memcached-1.7.0.zip
181 | menlo-1.5.0.zip
182 | microsoft-1.2.1.zip
183 | microsoft_defender_cloud-2.4.0.zip
184 | microsoft_defender_endpoint-2.30.0.zip
185 | microsoft_dhcp-1.26.0.zip
186 | microsoft_dnsserver-1.2.0.zip
187 | microsoft_exchange_online_message_trace-1.27.0.zip
188 | microsoft_exchange_server-1.3.1.zip
189 | microsoft_sentinel-0.4.0.zip
190 | microsoft_sqlserver-2.12.0.zip
191 | mimecast-2.6.2.zip
192 | modsecurity-1.19.0.zip
193 | mongodb-1.19.0.zip
194 | mongodb_atlas-0.2.1.zip
195 | mysql-1.26.0.zip
196 | mysql_enterprise-1.16.0.zip
197 | nagios_xi-1.5.0.zip
198 | nats-1.9.0.zip
199 | netflow-2.21.0.zip
200 | netscout-0.20.1.zip
201 | netskope-1.23.0.zip
202 | network_traffic-1.32.1.zip
203 | nginx-1.25.0.zip
204 | nginx_ingress_controller-1.11.0.zip
205 | o365-2.10.0.zip
206 | o365_metrics-0.6.2.zip
207 | okta-3.5.0.zip
208 | openai-0.3.0.zip
209 | opencanary-0.4.0.zip
210 | oracle-1.29.0.zip
211 | oracle_weblogic-1.9.0.zip
212 | osquery-1.21.0.zip
213 | osquery_manager-1.16.0.zip
214 | panw-5.1.1.zip
215 | panw_cortex_xdr-2.1.0.zip
216 | panw_metrics-0.2.0.zip
217 | pfsense-1.21.1.zip
218 | php_fpm-1.5.0.zip
219 | ping_federate-0.2.0.zip
220 | ping_one-1.19.0.zip
221 | platform_observability-0.1.0.zip
222 | postgresql-1.27.0.zip
223 | pps-0.5.0.zip
224 | prisma_access-1.5.0.zip
225 | prisma_cloud-2.1.0.zip
226 | problemchild-2.2.1.zip
227 | profiler_agent-8.17.1.zip
228 | profiler_collector-8.14.1.zip
229 | profiler_symbolizer-8.14.1.zip
230 | prometheus-1.23.0.zip
231 | prometheus_input-0.7.0.zip
232 | proofpoint-0.9.1.zip
233 | proofpoint_on_demand-1.5.0.zip
234 | proofpoint_tap-1.27.0.zip
235 | proxysg-0.5.1.zip
236 | pulse_connect_secure-2.5.0.zip
237 | qnap_nas-1.21.1.zip
238 | qualys_vmdr-6.2.0.zip
239 | rabbitmq-1.18.0.zip
240 | radware-0.19.1.zip
241 | rapid7_insightvm-1.16.0.zip
242 | redis-1.19.0.zip
243 | redisenterprise-0.12.0.zip
244 | rubrik-0.8.0.zip
245 | sailpoint_identity_sc-0.2.0.zip
246 | salesforce-1.1.0.zip
247 | santa-3.24.0.zip
248 | sentinel_one-1.29.1.zip
249 | sentinel_one_cloud_funnel-1.9.0.zip
250 | servicenow-0.10.0.zip
251 | slack-1.25.0.zip
252 | snort-1.17.0.zip
253 | snyk-1.27.2.zip
254 | sonicwall-0.8.2.zip
255 | sonicwall_firewall-1.17.0.zip
256 | sophos-3.12.1.zip
257 | sophos_central-1.19.0.zip
258 | spring_boot-1.8.0.zip
259 | spycloud-1.3.0.zip
260 | sql-0.6.0.zip
261 | squid-1.1.1.zip
262 | stan-1.9.0.zip
263 | statsd_input-0.5.0.zip
264 | stormshield-1.1.1.zip
265 | sublime_security-1.6.0.zip
266 | symantec-0.1.3.zip
267 | symantec_edr_cloud-1.8.1.zip
268 | symantec_endpoint-2.19.0.zip
269 | symantec_endpoint_security-1.8.0.zip
270 | synthetics-1.4.1.zip
271 | synthetics_dashboards-1.0.1.zip
272 | sysdig-0.3.0.zip
273 | syslog_router-0.1.2.zip
274 | sysmon_linux-1.7.2.zip
275 | system-1.67.0.zip
276 | system_audit-1.10.4.zip
277 | tanium-1.15.0.zip
278 | tcp-1.20.1.zip
279 | teleport-1.3.0.zip
280 | tenable_io-3.8.0.zip
281 | tenable_sc-1.29.0.zip
282 | threat_map-0.2.0.zip
283 | thycotic_ss-1.12.0.zip
284 | ti_abusech-2.6.0.zip
285 | ti_anomali-1.25.2.zip
286 | ti_cif3-1.17.0.zip
287 | ti_crowdstrike-2.4.0.zip
288 | ti_custom-0.8.0.zip
289 | ti_cybersixgill-1.33.0.zip
290 | ti_domaintools-0.2.0.zip
291 | ti_eclecticiq-1.4.0.zip
292 | ti_eset-1.6.0.zip
293 | ti_maltiverse-1.5.0.zip
294 | ti_mandiant_advantage-1.9.0.zip
295 | ti_misp-1.38.0.zip
296 | ti_opencti-2.6.0.zip
297 | ti_otx-1.28.0.zip
298 | ti_rapid7_threat_command-2.4.0.zip
299 | ti_recordedfuture-1.29.0.zip
300 | ti_threatconnect-1.8.0.zip
301 | ti_threatq-1.31.0.zip
302 | ti_util-1.7.0.zip
303 | tines-1.15.0.zip
304 | tomcat-1.12.0.zip
305 | traefik-2.5.0.zip
306 | trellix_edr_cloud-1.7.0.zip
307 | trellix_epo_cloud-1.15.0.zip
308 | trend_micro_vision_one-1.26.0.zip
309 | trendmicro-2.7.0.zip
310 | tychon-0.3.0.zip
311 | udp-2.1.0.zip
312 | unifiedlogs-0.3.0.zip
313 | vectra_detect-1.13.0.zip
314 | vsphere-1.18.1.zip
315 | watchguard_firebox-1.2.0.zip
316 | websocket-0.2.0.zip
317 | websphere_application_server-1.6.0.zip
318 | windows-2.5.0.zip
319 | windows_etw-0.3.0.zip
320 | winlog-2.4.0.zip
321 | wiz-2.8.1.zip
322 | zerofox-1.28.0.zip
323 | zeronetworks-1.18.0.zip
324 | zookeeper-1.14.0.zip
325 | zoom-1.22.0.zip
326 | zscaler-0.5.1.zip
327 | zscaler_zia-3.7.1.zip
328 | zscaler_zpa-1.21.0.zip
329 |
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/versions/8.18.4.txt:
--------------------------------------------------------------------------------
1 | security_detection_engine-8.18.8.zip
2 | 1password-1.32.0.zip
3 | abnormal_security-1.4.0.zip
4 | activemq-1.8.1.zip
5 | admin_by_request_epm-1.0.0.zip
6 | airflow-0.9.1.zip
7 | akamai-2.28.0.zip
8 | amazon_security_lake-2.6.1.zip
9 | apache-2.0.0.zip
10 | apache_spark-1.4.0.zip
11 | apache_tomcat-1.9.0.zip
12 | arista_ngfw-1.4.0.zip
13 | armis-0.3.0.zip
14 | atlassian_bitbucket-2.5.0.zip
15 | atlassian_confluence-1.29.2.zip
16 | atlassian_jira-1.30.3.zip
17 | auditd-3.22.0.zip
18 | auditd_manager-1.19.0.zip
19 | auth0-1.23.0.zip
20 | authentik-1.5.0.zip
21 | aws-3.13.2.zip
22 | aws_bedrock-1.2.2.zip
23 | aws_billing-0.1.0.zip
24 | aws_logs-1.8.1.zip
25 | aws_mq-0.9.0.zip
26 | awsfargate-1.3.0.zip
27 | awsfirehose-1.7.0.zip
28 | azure-1.6.0.zip
29 | azure_ai_foundry-0.5.2.zip
30 | azure_app_service-0.6.0.zip
31 | azure_application_insights-1.8.0.zip
32 | azure_billing-1.8.0.zip
33 | azure_blob_storage-2.3.0.zip
34 | azure_frontdoor-2.2.1.zip
35 | azure_functions-0.9.0.zip
36 | azure_logs-0.3.1.zip
37 | azure_metrics-1.9.0.zip
38 | azure_network_watcher_nsg-1.5.0.zip
39 | azure_network_watcher_vnet-1.6.0.zip
40 | azure_openai-1.8.0.zip
41 | barracuda-1.9.1.zip
42 | barracuda_cloudgen_firewall-1.8.0.zip
43 | bbot-1.4.0.zip
44 | beaconing-1.3.1.zip
45 | beat-1.0.1.zip
46 | beelzebub-0.3.0.zip
47 | beyondinsight_password_safe-0.5.0.zip
48 | beyondtrust_pra-0.3.0.zip
49 | bitdefender-2.5.0.zip
50 | bitwarden-1.17.0.zip
51 | blacklens-0.4.1.zip
52 | bluecoat-0.18.0.zip
53 | box_events-2.14.1.zip
54 | canva-0.7.0.zip
55 | carbon_black_cloud-3.1.0.zip
56 | carbonblack_edr-1.21.0.zip
57 | cassandra-1.18.0.zip
58 | cef-2.21.1.zip
59 | cel-1.16.1.zip
60 | ceph-1.8.1.zip
61 | checkpoint-1.41.0.zip
62 | checkpoint_email-1.1.0.zip
63 | checkpoint_harmony_endpoint-1.0.0.zip
64 | cilium_tetragon-0.2.0.zip
65 | cisa_kevs-1.6.0.zip
66 | cisco-0.14.0.zip
67 | cisco_aironet-1.16.0.zip
68 | cisco_asa-2.43.5.zip
69 | cisco_duo-2.6.0.zip
70 | cisco_ftd-3.9.0.zip
71 | cisco_ios-1.31.0.zip
72 | cisco_ise-1.28.0.zip
73 | cisco_meraki-1.29.2.zip
74 | cisco_meraki_metrics-0.4.1.zip
75 | cisco_nexus-1.4.1.zip
76 | cisco_secure_email_gateway-1.27.0.zip
77 | cisco_secure_endpoint-2.32.0.zip
78 | cisco_umbrella-1.31.0.zip
79 | citrix_adc-1.7.0.zip
80 | citrix_waf-1.18.0.zip
81 | claroty_ctd-1.1.0.zip
82 | claroty_xdome-0.3.0.zip
83 | cloud_asset_inventory-1.0.0.zip
84 | cloud_defend-1.3.0.zip
85 | cloudflare-2.31.0.zip
86 | cloudflare_logpush-1.39.1.zip
87 | cockroachdb-1.13.1.zip
88 | containerd-0.5.0.zip
89 | coredns-0.9.0.zip
90 | corelight-1.0.0.zip
91 | couchbase-1.9.1.zip
92 | couchdb-1.5.1.zip
93 | cribl-1.0.0.zip
94 | crowdstrike-1.77.0.zip
95 | cyberark-0.5.1.zip
96 | cyberark_epm-1.2.1.zip
97 | cyberark_pta-1.13.0.zip
98 | cyberarkpas-2.27.0.zip
99 | cybereason-1.4.0.zip
100 | cylance-0.24.0.zip
101 | darktrace-1.23.0.zip
102 | ded-2.3.3.zip
103 | digital_guardian-1.7.0.zip
104 | docker-2.14.0.zip
105 | elastic_agent-2.3.0.zip
106 | elastic_connectors-1.0.2.zip
107 | elastic_package_registry-0.3.1.zip
108 | elastic_security-0.2.0.zip
109 | elasticsearch-1.19.0.zip
110 | endace-0.1.0.zip
111 | endpoint-9.1.0.zip
112 | enterprisesearch-1.0.1.zip
113 | entityanalytics_ad-0.7.0.zip
114 | entityanalytics_entra_id-1.8.1.zip
115 | entityanalytics_okta-2.5.1.zip
116 | entro-0.1.1.zip
117 | envoyproxy-0.4.0.zip
118 | eset_protect-1.8.0.zip
119 | ess_billing-1.4.2.zip
120 | etcd-1.4.1.zip
121 | f5-0.19.0.zip
122 | f5_bigip-1.27.1.zip
123 | falco-2.0.1.zip
124 | filestream-1.2.0.zip
125 | fim-1.16.0.zip
126 | fireeye-1.26.0.zip
127 | first_epss-1.1.0.zip
128 | fleet_server-1.6.0.zip
129 | forcepoint_web-1.13.0.zip
130 | forgerock-1.21.2.zip
131 | fortinet-1.9.0.zip
132 | fortinet_forticlient-1.12.0.zip
133 | fortinet_fortiedr-1.19.0.zip
134 | fortinet_fortigate-1.33.0.zip
135 | fortinet_fortimail-2.15.0.zip
136 | fortinet_fortimanager-2.16.0.zip
137 | fortinet_fortiproxy-1.2.0.zip
138 | gcp-2.42.1.zip
139 | gcp_metrics-0.3.0.zip
140 | gcp_pubsub-2.2.0.zip
141 | gcp_vertexai-1.3.0.zip
142 | gigamon-1.7.0.zip
143 | github-2.4.0.zip
144 | gitlab-2.3.3.zip
145 | goflow2-0.5.0.zip
146 | golang-1.8.0.zip
147 | google_cloud_storage-2.2.0.zip
148 | google_scc-1.8.0.zip
149 | google_secops-1.2.0.zip
150 | google_workspace-2.43.0.zip
151 | hadoop-1.9.0.zip
152 | haproxy-1.17.0.zip
153 | hashicorp_vault-1.28.0.zip
154 | hid_bravura_monitor-1.21.0.zip
155 | hta-1.0.0.zip
156 | http_endpoint-2.5.0.zip
157 | httpjson-1.22.0.zip
158 | ibmmq-1.7.0.zip
159 | iis-1.23.0.zip
160 | imperva-1.7.0.zip
161 | imperva_cloud_waf-1.8.0.zip
162 | influxdb-0.11.0.zip
163 | infoblox-0.8.1.zip
164 | infoblox_bloxone_ddi-1.21.0.zip
165 | infoblox_nios-2.0.0.zip
166 | infoblox_threat_defense-0.1.0.zip
167 | iptables-1.21.1.zip
168 | istio-0.8.0.zip
169 | jamf_compliance_reporter-1.16.0.zip
170 | jamf_pro-0.7.0.zip
171 | jamf_protect-3.0.2.zip
172 | jolokia-0.7.1.zip
173 | journald-1.2.1.zip
174 | jumpcloud-1.16.0.zip
175 | juniper-1.2.0.zip
176 | juniper_junos-0.12.0.zip
177 | juniper_netscreen-0.12.0.zip
178 | juniper_srx-1.25.0.zip
179 | kafka-1.19.0.zip
180 | kafka_log-1.8.1.zip
181 | keycloak-1.30.0.zip
182 | kibana-2.8.0.zip
183 | kubernetes-1.80.2.zip
184 | kubernetes_otel-1.1.0.zip
185 | lastpass-1.20.0.zip
186 | linux-0.7.2.zip
187 | lmd-2.5.1.zip
188 | log-2.4.4.zip
189 | logstash-2.7.2.zip
190 | lumos-1.5.0.zip
191 | lyve_cloud-1.17.0.zip
192 | m365_defender-3.13.0.zip
193 | mattermost-2.5.0.zip
194 | memcached-1.7.0.zip
195 | menlo-1.6.0.zip
196 | microsoft-1.2.1.zip
197 | microsoft_defender_cloud-2.6.0.zip
198 | microsoft_defender_endpoint-2.42.0.zip
199 | microsoft_dhcp-1.27.0.zip
200 | microsoft_dnsserver-1.4.0.zip
201 | microsoft_exchange_online_message_trace-1.27.0.zip
202 | microsoft_exchange_server-1.4.0.zip
203 | microsoft_sentinel-1.2.0.zip
204 | microsoft_sqlserver-2.7.0.zip
205 | mimecast-3.1.0.zip
206 | miniflux-0.3.0.zip
207 | modsecurity-1.21.0.zip
208 | mongodb-1.22.0.zip
209 | mongodb_atlas-1.1.0.zip
210 | mysql-1.28.0.zip
211 | mysql_enterprise-1.17.0.zip
212 | nagios_xi-1.6.0.zip
213 | nats-1.9.0.zip
214 | netflow-2.23.0.zip
215 | netscout-0.22.0.zip
216 | netskope-2.0.0.zip
217 | network_traffic-1.33.0.zip
218 | nginx-2.2.0.zip
219 | nginx_ingress_controller-1.12.0.zip
220 | nozomi_networks-0.2.0.zip
221 | nvidia_gpu-0.4.0.zip
222 | o365-2.5.1.zip
223 | o365_metrics-0.6.2.zip
224 | okta-3.5.0.zip
225 | openai-1.2.0.zip
226 | opencanary-1.0.0.zip
227 | oracle-1.31.0.zip
228 | oracle_weblogic-1.9.1.zip
229 | osquery-1.23.0.zip
230 | osquery_manager-1.18.0.zip
231 | pad-0.6.1.zip
232 | panw-5.3.1.zip
233 | panw_cortex_xdr-2.4.0.zip
234 | panw_metrics-0.2.0.zip
235 | pfsense-1.23.0.zip
236 | php_fpm-1.6.0.zip
237 | ping_federate-1.0.2.zip
238 | ping_one-1.20.0.zip
239 | platform_observability-0.1.0.zip
240 | postgresql-1.31.0.zip
241 | pps-1.0.1.zip
242 | prisma_access-1.6.0.zip
243 | prisma_cloud-3.3.0.zip
244 | problemchild-2.4.1.zip
245 | profiler_agent-8.17.3.zip
246 | profiler_collector-8.17.3.zip
247 | profiler_symbolizer-8.17.3.zip
248 | prometheus-1.24.1.zip
249 | prometheus_input-0.9.0.zip
250 | proofpoint-0.9.1.zip
251 | proofpoint_itm-0.3.0.zip
252 | proofpoint_on_demand-1.6.0.zip
253 | proofpoint_tap-1.27.0.zip
254 | proxysg-0.6.0.zip
255 | pulse_connect_secure-2.6.0.zip
256 | qnap_nas-1.23.0.zip
257 | qualys_vmdr-6.8.0.zip
258 | qualys_was-0.3.0.zip
259 | rabbitmq-1.20.0.zip
260 | radware-0.20.0.zip
261 | rapid7_insightvm-2.1.0.zip
262 | redis-1.20.0.zip
263 | redisenterprise-0.12.0.zip
264 | rubrik-0.9.1.zip
265 | sailpoint_identity_sc-1.0.0.zip
266 | salesforce-1.3.0.zip
267 | santa-3.24.0.zip
268 | security_ai_prompts-0.0.5.zip
269 | sentinel_one-1.36.0.zip
270 | sentinel_one_cloud_funnel-1.9.0.zip
271 | servicenow-1.1.0.zip
272 | slack-1.25.0.zip
273 | snort-1.19.0.zip
274 | snyk-2.1.0.zip
275 | sonicwall-0.8.2.zip
276 | sonicwall_firewall-1.19.0.zip
277 | sophos-3.9.0.zip
278 | sophos_central-1.19.0.zip
279 | splunk-0.5.0.zip
280 | spring_boot-1.9.0.zip
281 | spycloud-1.5.0.zip
282 | sql-1.0.0.zip
283 | squid-1.3.0.zip
284 | stan-1.9.0.zip
285 | statsd_input-0.5.1.zip
286 | stormshield-1.3.0.zip
287 | sublime_security-1.6.0.zip
288 | swimlane-0.4.1.zip
289 | symantec-0.1.3.zip
290 | symantec_edr_cloud-1.8.1.zip
291 | symantec_endpoint-2.19.0.zip
292 | symantec_endpoint_security-1.8.0.zip
293 | synthetics-1.4.2.zip
294 | synthetics_dashboards-1.0.1.zip
295 | sysdig-2.0.0.zip
296 | syslog_router-0.2.0.zip
297 | sysmon_linux-1.9.0.zip
298 | system-2.3.3.zip
299 | system_audit-1.11.0.zip
300 | tanium-1.16.2.zip
301 | tcp-2.0.0.zip
302 | teleport-1.6.0.zip
303 | tenable_io-4.2.0.zip
304 | tenable_ot_security-0.4.0.zip
305 | tenable_sc-1.29.0.zip
306 | tencent_cloud-0.2.0.zip
307 | threat_map-1.0.0.zip
308 | thycotic_ss-1.12.0.zip
309 | ti_abusech-3.1.0.zip
310 | ti_anomali-2.0.0.zip
311 | ti_cif3-1.17.0.zip
312 | ti_crowdstrike-2.5.0.zip
313 | ti_custom-1.2.0.zip
314 | ti_cybersixgill-1.33.0.zip
315 | ti_domaintools-1.0.0.zip
316 | ti_eclecticiq-1.4.1.zip
317 | ti_eset-1.7.0.zip
318 | ti_google_threat_intelligence-0.5.0.zip
319 | ti_greynoise-0.3.0.zip
320 | ti_maltiverse-1.5.0.zip
321 | ti_mandiant_advantage-1.9.0.zip
322 | ti_misp-1.38.0.zip
323 | ti_opencti-2.7.0.zip
324 | ti_otx-1.28.0.zip
325 | ti_rapid7_threat_command-2.5.0.zip
326 | ti_recordedfuture-2.3.0.zip
327 | ti_threatconnect-1.8.0.zip
328 | ti_threatq-1.35.0.zip
329 | ti_util-1.7.0.zip
330 | tines-1.15.0.zip
331 | tomcat-1.14.0.zip
332 | traefik-2.6.0.zip
333 | trellix_edr_cloud-1.9.0.zip
334 | trellix_epo_cloud-1.15.0.zip
335 | trend_micro_vision_one-2.2.0.zip
336 | trendmicro-2.8.0.zip
337 | tychon-1.0.0.zip
338 | udp-2.2.0.zip
339 | unifiedlogs-0.4.0.zip
340 | varonis-0.2.0.zip
341 | vectra_detect-1.14.0.zip
342 | vectra_rux-0.3.0.zip
343 | vsphere-1.8.0.zip
344 | watchguard_firebox-1.4.0.zip
345 | websocket-0.3.0.zip
346 | websphere_application_server-1.6.1.zip
347 | windows-3.1.0.zip
348 | windows_etw-1.0.0.zip
349 | winlog-2.4.0.zip
350 | wiz-3.6.0.zip
351 | zerofox-1.28.0.zip
352 | zeronetworks-1.18.0.zip
353 | zookeeper-1.14.0.zip
354 | zoom-1.23.0.zip
355 | zscaler-0.5.1.zip
356 | zscaler_zia-3.7.1.zip
357 | zscaler_zpa-1.23.1.zip
358 |
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/versions/8.18.6.txt:
--------------------------------------------------------------------------------
1 | security_detection_engine-8.18.9.zip
2 | 1password-1.32.0.zip
3 | abnormal_security-1.10.0.zip
4 | activemq-1.8.1.zip
5 | admin_by_request_epm-1.0.0.zip
6 | airflow-0.10.0.zip
7 | akamai-2.28.0.zip
8 | amazon_security_lake-2.7.0.zip
9 | apache-2.1.1.zip
10 | apache_spark-1.4.0.zip
11 | apache_tomcat-1.11.0.zip
12 | arista_ngfw-1.4.1.zip
13 | armis-0.3.0.zip
14 | atlassian_bitbucket-2.5.0.zip
15 | atlassian_confluence-1.29.2.zip
16 | atlassian_jira-1.30.3.zip
17 | auditd-3.22.0.zip
18 | auditd_manager-1.19.0.zip
19 | auth0-1.23.0.zip
20 | authentik-1.5.0.zip
21 | aws-3.14.2.zip
22 | aws_bedrock-1.2.3.zip
23 | aws_billing-0.1.0.zip
24 | aws_logs-1.8.2.zip
25 | aws_mq-0.9.1.zip
26 | awsfargate-1.3.0.zip
27 | awsfirehose-1.8.2.zip
28 | azure-1.28.5.zip
29 | azure_ai_foundry-0.6.0.zip
30 | azure_app_service-0.7.0.zip
31 | azure_application_insights-1.9.0.zip
32 | azure_billing-1.9.0.zip
33 | azure_blob_storage-2.3.0.zip
34 | azure_frontdoor-2.2.1.zip
35 | azure_functions-0.10.0.zip
36 | azure_logs-0.4.1.zip
37 | azure_metrics-1.10.0.zip
38 | azure_network_watcher_nsg-1.5.0.zip
39 | azure_network_watcher_vnet-1.6.0.zip
40 | azure_openai-1.9.0.zip
41 | barracuda-1.18.0.zip
42 | barracuda_cloudgen_firewall-1.16.0.zip
43 | bbot-1.4.0.zip
44 | beaconing-1.3.1.zip
45 | beat-1.0.1.zip
46 | beelzebub-0.4.0.zip
47 | beyondinsight_password_safe-0.7.0.zip
48 | beyondtrust_pra-0.3.0.zip
49 | bitdefender-2.6.0.zip
50 | bitwarden-1.17.0.zip
51 | blacklens-0.4.1.zip
52 | bluecoat-0.18.1.zip
53 | box_events-2.14.1.zip
54 | canva-0.7.0.zip
55 | carbon_black_cloud-3.1.0.zip
56 | carbonblack_edr-1.21.0.zip
57 | cassandra-1.19.0.zip
58 | cef-2.21.2.zip
59 | cel-1.17.0.zip
60 | ceph-1.8.1.zip
61 | checkpoint-1.41.1.zip
62 | checkpoint_email-1.1.0.zip
63 | checkpoint_harmony_endpoint-1.0.0.zip
64 | cilium_tetragon-0.2.1.zip
65 | cisa_kevs-1.7.0.zip
66 | cisco-0.14.0.zip
67 | cisco_aironet-1.16.1.zip
68 | cisco_asa-2.43.7.zip
69 | cisco_duo-2.6.0.zip
70 | cisco_ftd-3.10.2.zip
71 | cisco_ios-1.32.0.zip
72 | cisco_ise-1.28.1.zip
73 | cisco_meraki-1.30.0.zip
74 | cisco_meraki_metrics-0.4.1.zip
75 | cisco_nexus-1.4.2.zip
76 | cisco_secure_email_gateway-1.27.1.zip
77 | cisco_secure_endpoint-2.32.0.zip
78 | cisco_umbrella-1.31.0.zip
79 | citrix_adc-1.17.1.zip
80 | citrix_waf-1.18.1.zip
81 | claroty_ctd-1.1.0.zip
82 | claroty_xdome-0.3.0.zip
83 | cloud_asset_inventory-1.0.0.zip
84 | cloud_defend-1.3.0.zip
85 | cloudflare-2.31.0.zip
86 | cloudflare_logpush-1.39.2.zip
87 | cockroachdb-1.13.1.zip
88 | containerd-0.5.0.zip
89 | coredns-0.10.0.zip
90 | corelight-1.0.0.zip
91 | couchbase-1.9.1.zip
92 | couchdb-1.5.1.zip
93 | cribl-1.0.0.zip
94 | crowdstrike-2.1.0.zip
95 | cyberark-0.5.1.zip
96 | cyberark_epm-1.2.1.zip
97 | cyberark_pta-1.13.0.zip
98 | cyberarkpas-2.27.0.zip
99 | cybereason-1.4.0.zip
100 | cylance-0.24.0.zip
101 | darktrace-1.23.0.zip
102 | ded-2.3.4.zip
103 | digital_guardian-1.7.0.zip
104 | docker-2.14.0.zip
105 | elastic_agent-2.5.1.zip
106 | elastic_connectors-1.0.2.zip
107 | elastic_package_registry-0.3.1.zip
108 | elastic_security-0.3.2.zip
109 | elasticsearch-1.19.0.zip
110 | endace-0.1.1.zip
111 | endpoint-9.2.0-prerelease.0.zip
112 | enterprisesearch-1.0.1.zip
113 | entityanalytics_ad-0.16.0.zip
114 | entityanalytics_entra_id-1.8.1.zip
115 | entityanalytics_okta-2.5.1.zip
116 | entro-0.1.1.zip
117 | envoyproxy-0.4.0.zip
118 | eset_protect-1.8.0.zip
119 | ess_billing-1.5.1.zip
120 | etcd-1.4.1.zip
121 | extrahop-0.2.0.zip
122 | f5-0.19.0.zip
123 | f5_bigip-1.27.1.zip
124 | falco-2.0.1.zip
125 | filestream-1.2.0.zip
126 | fim-1.16.0.zip
127 | fireeye-1.27.0.zip
128 | first_epss-1.1.0.zip
129 | fleet_server-1.6.0.zip
130 | forcepoint_web-1.13.0.zip
131 | forgerock-1.21.2.zip
132 | fortinet-1.9.0.zip
133 | fortinet_forticlient-1.12.1.zip
134 | fortinet_fortiedr-1.19.1.zip
135 | fortinet_fortigate-1.34.0.zip
136 | fortinet_fortimail-2.15.1.zip
137 | fortinet_fortimanager-2.16.1.zip
138 | fortinet_fortiproxy-1.2.1.zip
139 | gcp-2.42.2.zip
140 | gcp_metrics-0.3.1.zip
141 | gcp_pubsub-2.2.1.zip
142 | gcp_vertexai-1.3.1.zip
143 | gigamon-2.0.0.zip
144 | github-2.12.0.zip
145 | gitlab-2.3.3.zip
146 | goflow2-0.5.1.zip
147 | golang-1.8.0.zip
148 | google_cloud_storage-2.2.0.zip
149 | google_scc-2.0.0.zip
150 | google_secops-1.2.1.zip
151 | google_workspace-2.45.0.zip
152 | hadoop-1.9.0.zip
153 | haproxy-1.17.0.zip
154 | hashicorp_vault-1.28.1.zip
155 | hid_bravura_monitor-1.21.0.zip
156 | hta-1.0.0.zip
157 | http_endpoint-2.5.0.zip
158 | httpjson-1.22.0.zip
159 | ibmmq-1.7.0.zip
160 | iis-1.24.1.zip
161 | imperva-1.7.1.zip
162 | imperva_cloud_waf-1.13.0.zip
163 | influxdb-0.11.0.zip
164 | infoblox-0.8.1.zip
165 | infoblox_bloxone_ddi-1.21.0.zip
166 | infoblox_nios-2.0.0.zip
167 | infoblox_threat_defense-0.1.0.zip
168 | iptables-1.21.3.zip
169 | istio-0.8.0.zip
170 | jamf_compliance_reporter-1.16.0.zip
171 | jamf_pro-0.7.0.zip
172 | jamf_protect-3.1.0.zip
173 | jolokia-1.0.0.zip
174 | journald-1.2.1.zip
175 | jumpcloud-1.16.0.zip
176 | juniper-1.2.0.zip
177 | juniper_junos-0.12.1.zip
178 | juniper_netscreen-0.12.1.zip
179 | juniper_srx-1.25.1.zip
180 | kafka-1.21.0.zip
181 | kafka_log-1.8.1.zip
182 | keycloak-1.30.0.zip
183 | kibana-2.8.0.zip
184 | kubernetes-1.80.2.zip
185 | kubernetes_otel-1.1.1.zip
186 | lastpass-1.20.0.zip
187 | linux-0.7.2.zip
188 | lmd-2.5.2.zip
189 | log-2.4.4.zip
190 | logstash-2.7.3.zip
191 | lumos-1.5.0.zip
192 | lyve_cloud-1.17.0.zip
193 | m365_defender-4.0.0.zip
194 | mattermost-2.5.0.zip
195 | memcached-1.7.0.zip
196 | menlo-1.6.0.zip
197 | microsoft-1.2.1.zip
198 | microsoft_defender_cloud-2.6.0.zip
199 | microsoft_defender_endpoint-3.0.0.zip
200 | microsoft_dhcp-1.27.0.zip
201 | microsoft_dnsserver-1.5.0.zip
202 | microsoft_exchange_online_message_trace-1.27.0.zip
203 | microsoft_exchange_server-1.4.0.zip
204 | microsoft_sentinel-1.2.1.zip
205 | microsoft_sqlserver-2.13.0.zip
206 | mimecast-3.1.1.zip
207 | miniflux-0.3.0.zip
208 | modsecurity-1.21.1.zip
209 | mongodb-1.22.0.zip
210 | mongodb_atlas-1.1.0.zip
211 | mysql-1.28.0.zip
212 | mysql_enterprise-1.17.0.zip
213 | nagios_xi-1.7.1.zip
214 | nats-1.11.0.zip
215 | netflow-2.23.1.zip
216 | netscout-0.22.1.zip
217 | netskope-2.3.0.zip
218 | network_traffic-1.33.0.zip
219 | nginx-2.3.2.zip
220 | nginx_ingress_controller-1.12.0.zip
221 | nozomi_networks-0.2.0.zip
222 | nvidia_gpu-0.4.0.zip
223 | o365-2.24.0.zip
224 | o365_metrics-0.22.4.zip
225 | okta-3.10.2.zip
226 | openai-1.2.0.zip
227 | opencanary-1.0.0.zip
228 | oracle-1.31.0.zip
229 | oracle_weblogic-1.9.1.zip
230 | osquery-1.23.1.zip
231 | osquery_manager-1.18.0.zip
232 | pad-0.6.2.zip
233 | panw-5.3.3.zip
234 | panw_cortex_xdr-2.4.0.zip
235 | panw_metrics-0.2.0.zip
236 | pfsense-1.23.1.zip
237 | php_fpm-1.6.0.zip
238 | ping_federate-1.0.2.zip
239 | ping_one-1.20.0.zip
240 | platform_observability-0.1.0.zip
241 | postgresql-1.31.0.zip
242 | pps-1.0.1.zip
243 | prisma_access-1.6.1.zip
244 | prisma_cloud-3.3.0.zip
245 | problemchild-2.4.1.zip
246 | profiler_agent-8.17.3.zip
247 | profiler_collector-8.17.3.zip
248 | profiler_symbolizer-8.17.3.zip
249 | prometheus-1.24.2.zip
250 | prometheus_input-1.0.0.zip
251 | proofpoint-0.9.1.zip
252 | proofpoint_itm-0.3.0.zip
253 | proofpoint_on_demand-1.7.0.zip
254 | proofpoint_tap-1.27.0.zip
255 | proxysg-0.6.1.zip
256 | pulse_connect_secure-2.6.0.zip
257 | qnap_nas-1.23.1.zip
258 | qualys_gav-0.1.0.zip
259 | qualys_vmdr-6.9.0.zip
260 | qualys_was-0.3.0.zip
261 | rabbitmq-1.20.0.zip
262 | radware-0.20.1.zip
263 | rapid7_insightvm-2.2.0.zip
264 | redis-1.20.0.zip
265 | redisenterprise-0.12.0.zip
266 | rubrik-0.9.1.zip
267 | sailpoint_identity_sc-1.1.0.zip
268 | salesforce-1.3.0.zip
269 | santa-3.24.0.zip
270 | security_ai_prompts-1.0.0.zip
271 | security_detection_engine-9.1.5.zip
272 | sentinel_one-1.37.0.zip
273 | sentinel_one_cloud_funnel-1.13.1.zip
274 | servicenow-1.1.0.zip
275 | slack-1.25.1.zip
276 | snort-1.19.1.zip
277 | snyk-2.2.0.zip
278 | sonicwall-0.8.2.zip
279 | sonicwall_firewall-1.19.1.zip
280 | sophos-3.15.1.zip
281 | sophos_central-1.19.0.zip
282 | splunk-0.6.0.zip
283 | spring_boot-1.9.1.zip
284 | spycloud-1.5.0.zip
285 | sql-1.1.0.zip
286 | squid-1.3.1.zip
287 | stan-1.11.0.zip
288 | statsd_input-0.6.0.zip
289 | stormshield-1.3.1.zip
290 | sublime_security-1.11.0.zip
291 | swimlane-0.4.1.zip
292 | symantec-0.1.3.zip
293 | symantec_edr_cloud-1.8.1.zip
294 | symantec_endpoint-2.19.0.zip
295 | symantec_endpoint_security-1.14.0.zip
296 | synthetics-1.4.2.zip
297 | synthetics-1.0.0-rc-2.zip
298 | synthetics_dashboards-1.0.1.zip
299 | sysdig-2.0.0.zip
300 | syslog_router-0.2.1.zip
301 | sysmon_linux-1.9.0.zip
302 | system-2.5.4.zip
303 | system_audit-1.11.0.zip
304 | tanium-1.16.2.zip
305 | tcp-2.0.1.zip
306 | teleport-1.6.0.zip
307 | tenable_io-4.2.1.zip
308 | tenable_ot_security-0.4.0.zip
309 | tenable_sc-1.30.0.zip
310 | tencent_cloud-0.2.0.zip
311 | threat_map-1.0.0.zip
312 | thycotic_ss-1.12.0.zip
313 | ti_abusech-3.3.0.zip
314 | ti_anomali-2.1.0.zip
315 | ti_cif3-1.17.0.zip
316 | ti_crowdstrike-2.5.0.zip
317 | ti_custom-1.2.1.zip
318 | ti_cybersixgill-1.33.0.zip
319 | ti_cyware_intel_exchange-0.1.0.zip
320 | ti_domaintools-1.1.0.zip
321 | ti_eclecticiq-1.4.1.zip
322 | ti_eset-1.7.0.zip
323 | ti_google_threat_intelligence-0.6.1.zip
324 | ti_greynoise-0.5.0.zip
325 | ti_maltiverse-1.5.0.zip
326 | ti_mandiant_advantage-1.9.0.zip
327 | ti_misp-1.38.0.zip
328 | ti_opencti-2.7.0.zip
329 | ti_otx-1.28.0.zip
330 | ti_rapid7_threat_command-2.5.0.zip
331 | ti_recordedfuture-2.3.0.zip
332 | ti_threatconnect-1.10.2.zip
333 | ti_threatq-1.35.0.zip
334 | ti_util-1.7.0.zip
335 | tines-1.15.0.zip
336 | tomcat-1.14.0.zip
337 | traefik-2.6.0.zip
338 | trellix_edr_cloud-1.9.0.zip
339 | trellix_epo_cloud-1.15.0.zip
340 | trend_micro_vision_one-2.3.0.zip
341 | trendmicro-2.8.0.zip
342 | tychon-1.1.0.zip
343 | udp-2.2.1.zip
344 | unifiedlogs-0.4.0.zip
345 | varonis-0.2.0.zip
346 | vectra_detect-1.14.0.zip
347 | vectra_rux-0.3.2.zip
348 | vsphere-1.20.0.zip
349 | watchguard_firebox-1.4.1.zip
350 | websocket-0.3.0.zip
351 | websphere_application_server-1.6.1.zip
352 | windows-3.1.2.zip
353 | windows_etw-1.0.0.zip
354 | winlog-2.4.0.zip
355 | wiz-3.7.0.zip
356 | wmi-0.0.1.zip
357 | zerofox-1.28.0.zip
358 | zeronetworks-1.18.0.zip
359 | zookeeper-1.14.0.zip
360 | zoom-1.23.0.zip
361 | zscaler-0.5.1.zip
362 | zscaler_zia-3.15.1.zip
363 | zscaler_zpa-1.23.1.zip
364 |
--------------------------------------------------------------------------------
/so-elastic-fleet-package-registry/versions/8.18.8.txt:
--------------------------------------------------------------------------------
1 | security_detection_engine-8.18.14.zip
--------------------------------------------------------------------------------
/so-elasticsearch/Dockerfile:
--------------------------------------------------------------------------------
1 | # This Dockerfile was based on the official Elasticsearch Docker image:
2 | # https://github.com/elastic/elasticsearch-docker
3 |
4 | # Copyright Security Onion Solutions, LLC
5 |
6 | # This program is free software: you can redistribute it and/or modify
7 | # it under the terms of the GNU General Public License as published by
8 | # the Free Software Foundation, either version 3 of the License, or
9 | # (at your option) any later version.
10 | #
11 | # This program is distributed in the hope that it will be useful,
12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | # GNU General Public License for more details.
15 | #
16 | # You should have received a copy of the GNU General Public License
17 | # along with this program. If not, see .
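# Image flavor (e.g. the Elastic distribution name) and version are selected at
# build time so the same Dockerfile can track several upstream releases.
ARG FLAVOR
ARG VERSION

FROM docker.elastic.co/elasticsearch/$FLAVOR:$VERSION

# Identity the elasticsearch user runs as inside the container. The defaults
# are the ids Security Onion expects on the host side for bind-mounted paths.
ARG GID=930
ARG UID=930
ARG USERNAME=elasticsearch
# An ARG declared before FROM is not visible after it; redeclared here so it is
# available to later stages (unused below, kept for downstream overlays).
ARG FLAVOR

USER root
# Remap the image's existing user and primary group to the requested ids.
# Only the paths chowned further down are re-owned; other files keep their
# original ownership from the upstream image.
RUN groupmod -g ${GID} ${USERNAME} && \
    usermod -u ${UID} -g ${GID} ${USERNAME}

WORKDIR /usr/share/elasticsearch

# Ensure the directories Elasticsearch writes to exist and belong to the
# (remapped) elasticsearch user.
RUN set -ex && for esdirs in config data logs; do \
    mkdir -p "$esdirs"; \
    chown -R elasticsearch:elasticsearch "$esdirs"; \
    done

COPY *.yml log4j2.properties config/
COPY bin bin

# GeoLite2 databases for the ingest-geoip processor. The asset is fetched from
# a release tag, which is a mutable reference, so the build optionally verifies
# the archive against a pinned SHA-256. The default is empty, which keeps the
# previous unverified behaviour; set --build-arg GEOLITE2_SHA256=<sha256 of
# GeoLite2.zip> to fail the build if the published artifact changes.
# TODO(review): pin GEOLITE2_SHA256 to the digest of the vetted archive.
ARG GEOLITE2_URL=https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/geolite2-db/GeoLite2.zip
ARG GEOLITE2_SHA256=""
RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates unzip wget && \
    wget -O /tmp/GeoLite2.zip "${GEOLITE2_URL}" && \
    if [ -n "${GEOLITE2_SHA256}" ]; then echo "${GEOLITE2_SHA256}  /tmp/GeoLite2.zip" | sha256sum -c -; fi && \
    mkdir -p /usr/share/elasticsearch/config/ingest-geoip && \
    unzip -o /tmp/GeoLite2.zip -d /usr/share/elasticsearch/config/ingest-geoip && \
    # Drop the downloaded archive so it does not persist in the image layer.
    rm -f /tmp/GeoLite2.zip && \
    apt-get remove -y unzip wget && \
    rm -rf /var/lib/apt/lists/*

# Hand the copied config, the entrypoint script and the geoip directory to the
# runtime user; the entrypoint is executable by owner/group only.
RUN chown elasticsearch:elasticsearch config/elasticsearch.yml config/log4j2.properties bin/es-docker /usr/share/elasticsearch/config/ingest-geoip && \
    chmod 0750 bin/es-docker

# Enable the following lines if custom plugins are to be included in this image.
# COPY plugins-src /plugins-src
# RUN bin/build-plugins /plugins-src plugins/

USER ${USERNAME}
CMD ["/bin/bash", "bin/es-docker"]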
59 |
--------------------------------------------------------------------------------
/so-elasticsearch/bin/build-plugins:
--------------------------------------------------------------------------------
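#!/bin/bash
#
# Copyright Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
# Build every plugin source tree found directly under <plugin-src-dir> and
# place <name>.jar plus the plugin's resources under <plugin-dst-dir>/<name>/.
# Compilation uses the JDK and libraries bundled with the Elasticsearch
# install this script lives in (one level above bin/).
#
# Usage: build-plugins <plugin-src-dir> <plugin-dst-dir>
#
# Environment:
#   FLAVOR   when a plugin directory contains a FLAVOR file, the plugin is
#            built only if that file's content equals $FLAVOR.
#
# Per-plugin inputs: *.properties and *.policy files are required (their
# copies are not guarded, so a missing one aborts the build under set -e);
# bundled *.jar files are optional.

set -e

if [[ $# -ne 2 ]]; then
  echo "Usage: $(basename "$0") <plugin-src-dir> <plugin-dst-dir>" >&2
  exit 1
fi

PLUGIN_SRC_DIR=$1
PLUGIN_DST_DIR=$2

ES_DIR=$(dirname "$0")/..

# Compile classpath: the core libraries plus every bundled module.
CP="${ES_DIR}/lib/*"
for MODULE_DIR in "${ES_DIR}"/modules/*/; do
  [[ -d "$MODULE_DIR" ]] || continue
  CP="${CP}:${MODULE_DIR}*"
done

# Iterate with a glob rather than parsing ls output so names with whitespace
# survive; an unexpanded glob (empty source dir) is skipped by the -e test.
for SRC_DIR in "${PLUGIN_SRC_DIR}"/*; do
  [[ -e "$SRC_DIR" ]] || continue
  NAME=$(basename "$SRC_DIR")
  OUT_DIR=${PLUGIN_DST_DIR}/${NAME}
  OBJ_DIR=${OUT_DIR}/classes

  # Optional flavor gate: only build plugins written for this image flavor.
  if [[ -f "$SRC_DIR/FLAVOR" ]]; then
    REQUIRED_FLAVOR=$(cat "$SRC_DIR/FLAVOR")
    if [[ "$FLAVOR" != "$REQUIRED_FLAVOR" ]]; then
      echo "Skipping plugin due to unmatched flavor ($FLAVOR != $REQUIRED_FLAVOR): $NAME"
      continue
    fi
  fi

  echo "Building plugin: $NAME"

  mkdir -p "$OBJ_DIR"

  # Collect the sources NUL-delimited so paths containing whitespace are passed
  # to javac as single arguments.
  mapfile -d '' JAVA_SOURCES < <(find "$SRC_DIR" -name '*.java' -print0)
  "${ES_DIR}/jdk/bin/javac" -cp "${CP}:${SRC_DIR}/*" -d "$OBJ_DIR" "${JAVA_SOURCES[@]}"

  "${ES_DIR}/jdk/bin/jar" cf "${OUT_DIR}/${NAME}.jar" -C "$OBJ_DIR" .
  rm -fr "$OBJ_DIR"

  cp "${SRC_DIR}"/*.properties "${OUT_DIR}/"
  cp "${SRC_DIR}"/*.policy "${OUT_DIR}/"
  if ls "${SRC_DIR}"/*.jar > /dev/null 2>&1; then
    cp "${SRC_DIR}"/*.jar "${OUT_DIR}/"
  fi
  # The bundled transport-netty4 jars are shipped next to every plugin
  # (presumably needed on the plugin's runtime classpath — confirm).
  cp "${ES_DIR}"/modules/transport-netty4/*.jar "${OUT_DIR}/"
done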
59 |
--------------------------------------------------------------------------------
/so-elasticsearch/bin/es-docker:
--------------------------------------------------------------------------------
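#!/bin/bash
#
# Container entrypoint for Elasticsearch: fixes up cgroup reporting, converts
# the Security Onion PKCS12 keypair into a Java keystore when one is present,
# then replaces this shell with the Elasticsearch launcher.

# The virtual file /proc/self/cgroup should list the current cgroup
# membership. For each hierarchy, you can follow the cgroup path from
# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
# introspect the statistics for the cgroup for the given
# hierarchy. Alas, Docker breaks this by mounting the container
# statistics at the root while leaving the cgroup paths as the actual
# paths. Therefore, Elasticsearch provides a mechanism to override
# reading the cgroup path from /proc/self/cgroup and instead uses the
# cgroup path defined the JVM system property
# es.cgroups.hierarchy.override. Therefore, we set this value here so
# that cgroup statistics are available for the container this process
# will run in.
export ES_JAVA_OPTS="-Des.cgroups.hierarchy.override=/ $ES_JAVA_OPTS"

ES_DIR=/usr/share/elasticsearch

# Import config/elasticsearch.p12 (a PKCS12 bundle with an empty password,
# hence -srcstorepass "") into the keystore config/sokeys. All paths are
# absolute so this no longer depends on the working directory the container
# was started with. The destination password is fixed in this script and is
# visible in the process list while keytool runs; the keystore file relies on
# the ownership/permissions of the config directory for protection. A failed
# import is reported but does not stop startup (matches prior behaviour).
if [ -f "$ES_DIR/config/elasticsearch.p12" ]; then
  echo "Importing PKCS12 keypair into Java keystore"
  "$ES_DIR/jdk/bin/keytool" -importkeystore \
    -destkeystore "$ES_DIR/config/sokeys" -deststorepass changeit \
    -srckeystore "$ES_DIR/config/elasticsearch.p12" -srcstoretype pkcs12 -srcstorepass "" \
    -noprompt || echo "WARNING: keystore import failed; continuing" >&2
fi

# No command-line arguments are forwarded to Elasticsearch; the former
# es_opts pass-through is not implemented.
exec "$ES_DIR/bin/elasticsearch"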
25 |
--------------------------------------------------------------------------------
/so-elasticsearch/elasticsearch.yml:
--------------------------------------------------------------------------------
# Baseline settings baked into the image; the Dockerfile copies this file to
# config/elasticsearch.yml. Runtime deployments may replace it.
cluster.name: "docker-cluster"
# Bind on every container interface; what is reachable from outside is decided
# by the container's network configuration, not by this setting.
network.host: 0.0.0.0

# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
# Details: https://github.com/elastic/elasticsearch/pull/17288
# NOTE(review): the two lines above describe the legacy
# discovery.zen.minimum_master_nodes setting. cluster.initial_master_nodes
# expects the names of master-eligible nodes rather than a count, so confirm
# that "1" is what bootstrap expects here or that it is overridden at runtime.
cluster.initial_master_nodes: 1
8 |
--------------------------------------------------------------------------------
/so-elasticsearch/log4j2.properties:
--------------------------------------------------------------------------------
# Log4j2 configuration for Elasticsearch inside the container: everything goes
# to the console (stdout) at INFO so the container runtime collects the logs.

# Log4j's own internal status messages: only errors.
status = error

appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n

rootLogger.level = info
rootLogger.appenderRef.console.ref = console
10 |
--------------------------------------------------------------------------------
/so-idh/Dockerfile:
--------------------------------------------------------------------------------
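# OpenCanary honeypot image: the service is started and kept alive by
# supervisord (see supervise-opencanary.conf).
FROM ghcr.io/security-onion-solutions/python:3.13.7-slim

WORKDIR /root/

# Replace /bin/sh with bash (presumably so supervisor-spawned commands get
# bash semantics — confirm).
RUN rm /bin/sh && ln -s /bin/bash /bin/sh

# apt-get (not apt) is the CLI intended for scripted use; drop the package
# lists afterwards to keep the layer small.
RUN apt-get update && apt-get install -y sudo supervisor && rm -rf /var/lib/apt/lists/*
# Pinned OpenCanary release; --no-cache-dir keeps pip's download cache out of
# the image layer.
RUN pip install --no-cache-dir opencanary==0.9.6

# supervisord program definition for opencanaryd. COPY rather than ADD: this is
# a plain local file, so no archive extraction or remote fetch is wanted.
COPY supervise-opencanary.conf /etc/supervisor/conf.d/supervise-opencanary.conf

# No USER switch: the container runs as root. NOTE(review): presumably needed
# so the honeypot can bind privileged service ports — confirm, and consider a
# non-root user plus capabilities or port remapping if feasible.
CMD ["/usr/bin/supervisord", "-n"]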
13 |
--------------------------------------------------------------------------------
/so-idh/supervise-opencanary.conf:
--------------------------------------------------------------------------------
; supervisord program definition for the OpenCanary honeypot daemon.
; Installed to /etc/supervisor/conf.d/ by the so-idh Dockerfile.
[program:opencanaryd]
command=/usr/local/bin/opencanaryd --start
; Merge stderr into stdout so a single stream reaches the supervisor log.
redirect_stderr=true
; Restart the daemon whenever it exits.
autorestart=true
5 |
--------------------------------------------------------------------------------
/so-idstools/Dockerfile:
--------------------------------------------------------------------------------
# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

# Image whose entrypoint downloads NIDS rulesets with idstools-rulecat
# (see entrypoint.sh).
FROM ghcr.io/security-onion-solutions/python:3.13.3-slim

LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="IDSTools for downloading NIDS rules"

# UID/GID of the unprivileged account that owns /opt/so/idstools and runs the
# entrypoint.
ARG GID=939
ARG UID=939
ARG USERNAME=socore
# NOTE(review): VERSION is not referenced by any instruction in this file; the
# pip install below fetches the master-branch archive instead.
ARG VERSION=0.6.3

RUN mkdir -p /opt/so/idstools/bin && mkdir /opt/so/idstools/etc
COPY entrypoint.sh /opt/so/idstools/bin
RUN chmod +x /opt/so/idstools/bin/entrypoint.sh && chown -R ${UID}:${GID} /opt/so/idstools

RUN groupadd --gid ${GID} ${USERNAME} && \
useradd --uid ${UID} --gid ${GID} \
--home-dir /opt/so --no-create-home ${USERNAME}

# NOTE(review): installing from a branch archive (master.zip) is neither
# reproducible nor integrity-checked — the contents can change between builds
# with no signal here. Pinning a release tag or commit archive would fix the
# build input; VERSION above looks like it was intended for that.
#RUN pip install https://github.com/jasonish/py-idstools/archive/master.zip
RUN pip install https://github.com/Security-Onion-Solutions/py-idstools/archive/master.zip

# Drop to the unprivileged user for runtime; the install above ran as root.
USER ${USERNAME}
WORKDIR /opt/so/idstools/bin
ENTRYPOINT ["./entrypoint.sh"]
40 |
--------------------------------------------------------------------------------
/so-idstools/README.md:
--------------------------------------------------------------------------------
1 | IDSTOOLS Docker
2 |
--------------------------------------------------------------------------------
/so-idstools/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Entrypoint for the idstools container: refresh the NIDS rules once with
# idstools-rulecat, then idle so the container stays up.
cd /opt/so/idstools/etc || exit

idstools-rulecat --force

# Keep PID 1 alive; the rule download above is a one-shot.
while :
do
    sleep 1
done
7 |
--------------------------------------------------------------------------------
/so-influxdb/Dockerfile:
--------------------------------------------------------------------------------
# InfluxDB version shared by both stages: the UI source ref to build and the
# runtime image tag.
ARG INFLUX_VERSION=2.7.12

# Stage 1: build the InfluxDB web UI from source. Nothing from this stage
# except /ui/build reaches the final image.
FROM ghcr.io/security-onion-solutions/ubuntu:24.04 as builder

ARG INFLUX_VERSION
# NOTE(review): this comment previously read "v20.x is LTS", but the pinned
# version below is v22.16.0 — confirm which Node line is intended.
ARG NODE_VERSION=v22.16.0
ARG NODE_ARCH=linux-x64

RUN apt update -y && apt install -y git wget xz-utils
# The UI is cloned at the OSS-v<version> ref. NOTE(review): a git ref is not a
# content hash; the build is only reproducible while that ref does not move.
RUN git clone https://github.com/influxdata/ui -b OSS-v$INFLUX_VERSION
# NOTE(review): the Node tarball is fetched over HTTPS but not verified
# against nodejs.org's published SHASUMS256.txt; verifying it would make the
# toolchain download tamper-evident.
RUN wget https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$NODE_ARCH.tar.xz -O /node.xz
RUN tar -xJf /node.xz

# PATH is exported per RUN because each RUN is a fresh shell.
RUN export PATH=$PATH:/node-$NODE_VERSION-$NODE_ARCH/bin && npm i -g yarn

# Serve the UI under /influxdb/ (both the app and its API base path).
ENV BASE_PATH=/influxdb/
ENV API_BASE_PATH=/influxdb/
# Build-stage only: re-enables legacy OpenSSL algorithms for the Node build
# tooling. This ENV does not carry over to the runtime stage below.
ENV NODE_OPTIONS=--openssl-legacy-provider

RUN export PATH=$PATH:/node-$NODE_VERSION-$NODE_ARCH/bin && cd ui && yarn build

# Stage 2: runtime image.
FROM ghcr.io/security-onion-solutions/influxdb:$INFLUX_VERSION
LABEL maintainer "Security Onion Solutions, LLC"
LABEL description="InfluxDB running in Docker container for use with Security Onion"

# Liveness only: checks that TCP 8086 accepts a connection, not that the
# service answers correctly.
HEALTHCHECK --interval=1m --timeout=10s CMD nc -z localhost 8086 || exit 1
EXPOSE 8086

RUN mkdir -p /log
RUN mkdir -p /conf

# Wrapper that execs its arguments with stdout/stderr appended to
# /log/influxdb.log (see entrypoint.sh in this directory). The influxdb GID is
# remapped to 939.
COPY entrypoint.sh /redirect_to_file.sh
RUN chmod a+x /redirect_to_file.sh && groupmod -g 939 influxdb

# Pre-built UI from stage 1.
COPY --from=builder /ui/build /ui

# netcat is needed by the HEALTHCHECK above.
RUN apt update -y && apt install netcat-traditional -y && apt clean -y

# The wrapper runs /entrypoint.sh (presumably the base image's entrypoint —
# confirm) with influxd as the command.
ENTRYPOINT ["/redirect_to_file.sh"]
CMD ["/entrypoint.sh", "influxd"]
--------------------------------------------------------------------------------
/so-influxdb/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Replace this shell with the given command, appending both its stdout and
# stderr to /log/influxdb.log.
exec "$@" >> /log/influxdb.log 2>&1
3 |
--------------------------------------------------------------------------------
/so-kafka/Dockerfile:
--------------------------------------------------------------------------------
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

# Kafka (KRaft mode) image with the Jolokia JMX-over-HTTP agent added.
FROM ghcr.io/security-onion-solutions/kafka:3.9.1

LABEL maintainer "Security Onion Solutions, LLC"
LABEL description="Kafka running in a docker container for use with Security Onion"

ARG JOLOKIA_VERSION=2.2.8
ARG JOLOKIA_DOWNLOAD=https://github.com/jolokia/jolokia/releases/download/v${JOLOKIA_VERSION}/jolokia-${JOLOKIA_VERSION}-bin.tar.gz

WORKDIR /opt

USER root

# Create the kafka account with a fixed UID/GID of 960, fetch and unpack the
# Jolokia release into /opt/jolokia, and hand /opt/kafka and /opt/jolokia to
# that account.
# NOTE(review): the Jolokia tarball is downloaded over HTTPS from a versioned
# GitHub release but is not checksum- or signature-verified before it is
# unpacked and later loaded into the broker JVM; pinning a digest would make
# this build input tamper-evident.
RUN addgroup -g 960 kafka && \
adduser -D --uid 960 --ingroup kafka kafka && \
wget ${JOLOKIA_DOWNLOAD} && \
tar -xzf jolokia-${JOLOKIA_VERSION}-bin.tar.gz && \
rm -f jolokia-${JOLOKIA_VERSION}-bin.tar.gz && \
mv jolokia-${JOLOKIA_VERSION} jolokia && \
chown -R 960:960 kafka && \
chown -R 960:960 jolokia

USER kafka

# Agent policy for Jolokia (see files/jolokia.xml; it appears to limit the
# agent to read access on a listed set of MBeans — confirm). ADD is used for a
# plain local file, where COPY is the conventional choice.
ADD files/jolokia.xml /opt/jolokia/jolokia.xml

ENTRYPOINT ["/opt/kafka/bin/kafka-server-start.sh", "/opt/kafka/config/kraft/server.properties"]
32 |
--------------------------------------------------------------------------------
/so-kafka/files/jolokia.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | read
6 |
7 |
8 |
9 |
10 | com.mchange.v2.c3p0:type=PooledDataSource,*
11 | properties
12 |
13 |
14 | jdk.management.jfr:type=FlightRecorder
15 | *
16 | *
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/so-kibana/Dockerfile:
--------------------------------------------------------------------------------
# This Dockerfile was based on the official Kibana Docker image:
# https://github.com/elastic/kibana-docker

# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

# FLAVOR selects the upstream image name under docker.elastic.co/kibana/ and
# VERSION its tag; both must be supplied by the builder.
ARG FLAVOR
ARG VERSION

FROM docker.elastic.co/kibana/$FLAVOR:$VERSION

USER root

# Files are owned by 1000:1000 by default.
# This causes Kibana to fail on startup.
# Set ownership to kibana:kibana.
# (Numeric 932:932 is used here because the kibana account is only remapped to
# that UID/GID on the next line.)
RUN chown --recursive 932:932 /usr/share/kibana/*

RUN groupmod -g 932 kibana && usermod -u 932 -g 932 kibana

WORKDIR /usr/share/kibana
RUN ln -s /usr/share/kibana /opt/kibana

ENV PATH=/usr/share/kibana/bin:$PATH

# Copy over the dashboards
# NOTE(review): only the directory is created here; no instruction in this
# file copies dashboards into it.
RUN mkdir /usr/share/kibana/dashboards

# Add a self-signed SSL certificate for use in examples.
#ADD ssl/kibana.example.org.* /usr/share/kibana/config/

# Add the launcher/wrapper script. It knows how to interpret environment
# variables and translate them to Kibana CLI options.
ADD bin/kibana-docker /usr/local/bin/

# Add our custom Security Onion Entry Script
# (it backgrounds kibana-docker; see bin/so-kibana.sh).
ADD bin/so-kibana.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/so-kibana.sh

## Switch to limited user and run process.
USER kibana
#CMD /usr/local/bin/kibana-docker

ENTRYPOINT ["/usr/local/bin/so-kibana.sh"]
56 |
--------------------------------------------------------------------------------
/so-kibana/bin/kibana-docker:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ** THIS IS AN AUTO-GENERATED FILE **
#

# Run Kibana, using environment variables to set longopts defining Kibana's
# configuration.
#
# eg. Setting the environment variable:
#
# ELASTICSEARCH_LOGQUERIES=true
#
# will cause Kibana to be invoked with:
#
# --elasticsearch.logQueries=true

# Every Kibana setting that may be supplied through the environment. Each
# entry is upper-cased with dots replaced by underscores to form the
# environment variable name that is looked up further down.
# NOTE(review): xpack.reporting.capture.timeouts.openUrl is listed twice, so a
# set value is emitted twice on the command line. Secret-bearing entries
# (e.g. elasticsearch.password, *.encryptionKey) are passed as process
# arguments and are therefore visible to anything that can read the kibana
# process's argument list inside the container.
kibana_vars=(
apm_oss.apmAgentConfigurationIndex
apm_oss.errorIndices
apm_oss.indexPattern
apm_oss.metricsIndices
apm_oss.onboardingIndices
apm_oss.sourcemapIndices
apm_oss.spanIndices
apm_oss.transactionIndices
console.proxyConfig
console.proxyFilter
csp.strict
csp.warnLegacyBrowsers
csp.script_src
csp.worker_src
csp.style_src
csp.connect_src
csp.default_src
csp.font_src
csp.frame_src
csp.img_src
csp.frame_ancestors
csp.report_uri
csp.report_to
data.autocomplete.valueSuggestions.terminateAfter
data.autocomplete.valueSuggestions.timeout
elasticsearch.customHeaders
elasticsearch.hosts
elasticsearch.logQueries
elasticsearch.password
elasticsearch.pingTimeout
elasticsearch.requestHeadersWhitelist
elasticsearch.requestTimeout
elasticsearch.serviceAccountToken
elasticsearch.shardTimeout
elasticsearch.sniffInterval
elasticsearch.sniffOnConnectionFault
elasticsearch.sniffOnStart
elasticsearch.ssl.alwaysPresentCertificate
elasticsearch.ssl.certificate
elasticsearch.ssl.certificateAuthorities
elasticsearch.ssl.key
elasticsearch.ssl.keyPassphrase
elasticsearch.ssl.keystore.password
elasticsearch.ssl.keystore.path
elasticsearch.ssl.truststore.password
elasticsearch.ssl.truststore.path
elasticsearch.ssl.verificationMode
elasticsearch.username
enterpriseSearch.accessCheckTimeout
enterpriseSearch.accessCheckTimeoutWarning
enterpriseSearch.host
externalUrl.policy
i18n.locale
interactiveSetup.enabled
interactiveSetup.connectionCheck.interval
interpreter.enableInVisualize
kibana.autocompleteTerminateAfter
kibana.autocompleteTimeout
kibana.index
logging.appenders
logging.appenders.console
logging.appenders.file
logging.loggers
logging.loggers.appenders
logging.loggers.level
logging.loggers.name
logging.root
logging.root.appenders
logging.root.level
map.includeElasticMapsService
map.tilemap.options.attribution
map.tilemap.options.maxZoom
map.tilemap.options.minZoom
map.tilemap.options.subdomains
map.tilemap.url
migrations.batchSize
migrations.maxBatchSizeBytes
migrations.pollInterval
migrations.retryAttempts
migrations.scrollDuration
migrations.skip
monitoring.cluster_alerts.email_notifications.email_address
monitoring.kibana.collection.enabled
monitoring.kibana.collection.interval
monitoring.ui.container.elasticsearch.enabled
monitoring.ui.container.logstash.enabled
monitoring.ui.elasticsearch.hosts
monitoring.ui.elasticsearch.logFetchCount
monitoring.ui.elasticsearch.password
monitoring.ui.elasticsearch.pingTimeout
monitoring.ui.elasticsearch.ssl.certificateAuthorities
monitoring.ui.elasticsearch.ssl.verificationMode
monitoring.ui.elasticsearch.username
monitoring.ui.enabled
monitoring.ui.logs.index
monitoring.ui.max_bucket_size
monitoring.ui.min_interval_seconds
newsfeed.enabled
ops.cGroupOverrides.cpuAcctPath
ops.cGroupOverrides.cpuPath
ops.interval
path.data
pid.file
regionmap
savedObjects.maxImportExportSize
savedObjects.maxImportPayloadBytes
security.showInsecureClusterWarning
server.basePath
server.compression.enabled
server.compression.referrerWhitelist
server.cors
server.cors.allowCredentials
server.cors.allowOrigin
server.cors.enabled
server.cors.origin
server.customResponseHeaders
server.defaultRoute
server.host
server.keepAliveTimeout
server.maxPayload
server.maxPayloadBytes
server.name
server.port
server.publicBaseUrl
server.requestId.allowFromAnyIp
server.requestId.ipAllowlist
server.rewriteBasePath
server.securityResponseHeaders.disableEmbedding
server.securityResponseHeaders.permissionsPolicy
server.securityResponseHeaders.referrerPolicy
server.securityResponseHeaders.strictTransportSecurity
server.securityResponseHeaders.xContentTypeOptions
server.shutdownTimeout
server.socketTimeout
server.ssl.cert
server.ssl.certificate
server.ssl.certificateAuthorities
server.ssl.cipherSuites
server.ssl.clientAuthentication
server.ssl.enabled
server.ssl.key
server.ssl.keyPassphrase
server.ssl.keystore.password
server.ssl.keystore.path
server.ssl.redirectHttpFromPort
server.ssl.supportedProtocols
server.ssl.truststore.password
server.ssl.truststore.path
server.uuid
server.xsrf.allowlist
server.xsrf.disableProtection
status.allowAnonymous
status.v6ApiFormat
telemetry.allowChangingOptInStatus
telemetry.enabled
telemetry.optIn
telemetry.sendUsageTo
telemetry.sendUsageFrom
tilemap.options.attribution
tilemap.options.maxZoom
tilemap.options.minZoom
tilemap.options.subdomains
tilemap.url
vega.enableExternalUrls
vis_type_vega.enableExternalUrls
xpack.actions.allowedHosts
xpack.actions.customHostSettings
xpack.actions.enabledActionTypes
xpack.actions.maxResponseContentLength
xpack.actions.preconfigured
xpack.actions.preconfiguredAlertHistoryEsIndex
xpack.actions.proxyBypassHosts
xpack.actions.proxyHeaders
xpack.actions.proxyOnlyHosts
xpack.actions.proxyRejectUnauthorizedCertificates
xpack.actions.proxyUrl
xpack.actions.rejectUnauthorized
xpack.actions.responseTimeout
xpack.actions.ssl.proxyVerificationMode
xpack.actions.ssl.verificationMode
xpack.alerting.healthCheck.interval
xpack.alerting.invalidateApiKeysTask.interval
xpack.alerting.invalidateApiKeysTask.removalDelay
xpack.alerting.defaultRuleTaskTimeout
xpack.alerting.cancelAlertsOnRuleTimeout
xpack.alerts.healthCheck.interval
xpack.alerts.invalidateApiKeysTask.interval
xpack.alerts.invalidateApiKeysTask.removalDelay
xpack.apm.indices.error
xpack.apm.indices.metric
xpack.apm.indices.onboarding
xpack.apm.indices.sourcemap
xpack.apm.indices.span
xpack.apm.indices.transaction
xpack.apm.maxServiceEnvironments
xpack.apm.searchAggregatedTransactions
xpack.apm.serviceMapEnabled
xpack.apm.serviceMapFingerprintBucketSize
xpack.apm.serviceMapFingerprintGlobalBucketSize
xpack.apm.ui.enabled
xpack.apm.ui.maxTraceItems
xpack.apm.ui.transactionGroupBucketSize
xpack.banners.backgroundColor
xpack.banners.disableSpaceBanners
xpack.banners.placement
xpack.banners.textColor
xpack.banners.textContent
xpack.code.disk.thresholdEnabled
xpack.code.disk.watermarkLow
xpack.code.indexRepoFrequencyMs
xpack.code.lsp.verbose
xpack.code.maxWorkspace
xpack.code.security.enableGitCertCheck
xpack.code.security.gitHostWhitelist
xpack.code.security.gitProtocolWhitelist
xpack.code.ui.enabled
xpack.code.updateRepoFrequencyMs
xpack.code.verbose
xpack.data_enhanced.search.sessions.defaultExpiration
xpack.data_enhanced.search.sessions.enabled
xpack.data_enhanced.search.sessions.maxUpdateRetries
xpack.data_enhanced.search.sessions.notTouchedInProgressTimeout
xpack.data_enhanced.search.sessions.notTouchedTimeout
xpack.data_enhanced.search.sessions.pageSize
xpack.data_enhanced.search.sessions.trackingInterval
xpack.discoverEnhanced.actions.exploreDataInChart.enabled
xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled
xpack.encryptedSavedObjects.encryptionKey
xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys
xpack.event_log.indexEntries
xpack.event_log.logEntries
xpack.fleet.agentPolicies
xpack.fleet.agents.elasticsearch.host
xpack.fleet.agents.elasticsearch.hosts
xpack.fleet.agents.enabled
xpack.fleet.agents.fleet_server.hosts
xpack.fleet.agents.kibana.host
xpack.fleet.agents.tlsCheckDisabled
xpack.fleet.packages
xpack.fleet.registryProxyUrl
xpack.fleet.registryUrl
xpack.graph.canEditDrillDownUrls
xpack.graph.savePolicy
xpack.infra.query.partitionFactor
xpack.infra.query.partitionSize
xpack.infra.sources.default.fields.container
xpack.infra.sources.default.fields.host
xpack.infra.sources.default.fields.message
xpack.infra.sources.default.fields.pod
xpack.infra.sources.default.fields.tiebreaker
xpack.infra.sources.default.fields.timestamp
xpack.infra.sources.default.logAlias
xpack.infra.sources.default.metricAlias
xpack.ingestManager.fleet.tlsCheckDisabled
xpack.ingestManager.registryUrl
xpack.observability.annotations.index
xpack.observability.unsafe.alertingExperience.enabled
xpack.observability.unsafe.cases.enabled
xpack.reporting.capture.browser.autoDownload
xpack.reporting.capture.browser.chromium.disableSandbox
xpack.reporting.capture.browser.chromium.inspect
xpack.reporting.capture.browser.chromium.maxScreenshotDimension
xpack.reporting.capture.browser.chromium.proxy.bypass
xpack.reporting.capture.browser.chromium.proxy.enabled
xpack.reporting.capture.browser.chromium.proxy.server
xpack.reporting.capture.browser.type
xpack.reporting.capture.concurrency
xpack.reporting.capture.loadDelay
xpack.reporting.capture.maxAttempts
xpack.reporting.capture.networkPolicy
xpack.reporting.capture.settleTime
xpack.reporting.capture.timeout
xpack.reporting.capture.timeouts.openUrl
xpack.reporting.capture.timeouts.openUrl
xpack.reporting.capture.timeouts.renderComplete
xpack.reporting.capture.timeouts.waitForElements
xpack.reporting.capture.viewport.height
xpack.reporting.capture.viewport.width
xpack.reporting.capture.zoom
xpack.reporting.csv.checkForFormulas
xpack.reporting.csv.enablePanelActionDownload
xpack.reporting.csv.escapeFormulaValues
xpack.reporting.csv.maxSizeBytes
xpack.reporting.csv.scroll.duration
xpack.reporting.csv.scroll.size
xpack.reporting.csv.useByteOrderMarkEncoding
xpack.reporting.enabled
xpack.reporting.encryptionKey
xpack.reporting.kibanaApp
xpack.reporting.kibanaServer.hostname
xpack.reporting.kibanaServer.port
xpack.reporting.kibanaServer.protocol
xpack.reporting.poll.jobCompletionNotifier.interval
xpack.reporting.poll.jobCompletionNotifier.intervalErrorMultiplier
xpack.reporting.poll.jobsRefresh.interval
xpack.reporting.poll.jobsRefresh.intervalErrorMultiplier
xpack.reporting.queue.indexInterval
xpack.reporting.queue.pollEnabled
xpack.reporting.queue.pollInterval
xpack.reporting.queue.pollIntervalErrorMultiplier
xpack.reporting.queue.timeout
xpack.reporting.roles.allow
xpack.reporting.roles.enabled
xpack.ruleRegistry.write.enabled
xpack.security.audit.appender.fileName
xpack.security.audit.appender.layout.highlight
xpack.security.audit.appender.layout.pattern
xpack.security.audit.appender.layout.type
xpack.security.audit.appender.legacyLoggingConfig
xpack.security.audit.appender.policy.interval
xpack.security.audit.appender.policy.modulate
xpack.security.audit.appender.policy.size
xpack.security.audit.appender.policy.type
xpack.security.audit.appender.strategy.max
xpack.security.audit.appender.strategy.pattern
xpack.security.audit.appender.strategy.type
xpack.security.audit.appender.type
xpack.security.audit.enabled
xpack.security.audit.ignore_filters
xpack.security.authc.http.autoSchemesEnabled
xpack.security.authc.http.enabled
xpack.security.authc.http.schemes
xpack.security.authc.oidc.realm
xpack.security.authc.providers
xpack.security.authc.saml.maxRedirectURLSize
xpack.security.authc.saml.realm
xpack.security.authc.selector.enabled
xpack.security.cookieName
xpack.security.encryptionKey
xpack.security.loginAssistanceMessage
xpack.security.loginHelp
xpack.security.sameSiteCookies
xpack.security.secureCookies
xpack.security.session.cleanupInterval
xpack.security.session.idleTimeout
xpack.security.session.lifespan
xpack.security.sessionTimeout
xpack.security.showInsecureClusterWarning
xpack.securitySolution.alertMergeStrategy
xpack.securitySolution.alertIgnoreFields
xpack.securitySolution.maxExceptionsImportSize
xpack.securitySolution.maxRuleImportExportSize
xpack.securitySolution.maxRuleImportPayloadBytes
xpack.securitySolution.maxTimelineImportExportSize
xpack.securitySolution.maxTimelineImportPayloadBytes
xpack.securitySolution.packagerTaskInterval
xpack.securitySolution.prebuiltRulesFromFileSystem
xpack.securitySolution.prebuiltRulesFromSavedObjects
xpack.spaces.maxSpaces
xpack.task_manager.max_attempts
xpack.task_manager.max_poll_inactivity_cycles
xpack.task_manager.max_workers
xpack.task_manager.monitored_aggregated_stats_refresh_rate
xpack.task_manager.monitored_stats_required_freshness
xpack.task_manager.monitored_stats_running_average_window
xpack.task_manager.monitored_stats_health_verbose_log.enabled
xpack.task_manager.monitored_stats_health_verbose_log.warn_delayed_task_start_in_seconds
xpack.task_manager.monitored_task_execution_thresholds
xpack.task_manager.poll_interval
xpack.task_manager.request_capacity
xpack.task_manager.version_conflict_threshold
xpack.uptime.index
)
381 |
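# Turn each set KIBANA_VAR-style environment variable into a
# --kibana.var=value long option. Options are collected in an array (not a
# whitespace-joined string) so a value containing spaces is passed to Kibana
# as one argument instead of being split by the shell at exec time.
longopts=()
for kibana_var in "${kibana_vars[@]}"; do
  # 'elasticsearch.hosts' -> 'ELASTICSEARCH_HOSTS'
  env_var=$(echo "${kibana_var^^}" | tr . _)

  # Indirectly lookup env var values via the name of the var.
  # REF: http://tldp.org/LDP/abs/html/bashver2.html#EX78
  value=${!env_var}
  if [[ -n $value ]]; then
    longopts+=("--${kibana_var}=${value}")
  fi
done

# Files created at run-time should be group-writable, for Openshift's sake.
umask 0002

# The virtual file /proc/self/cgroup should list the current cgroup
# membership. For each hierarchy, you can follow the cgroup path from
# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
# introspect the statistics for the cgroup for the given
# hierarchy. Alas, Docker breaks this by mounting the container
# statistics at the root while leaving the cgroup paths as the actual
# paths. Therefore, Kibana provides a mechanism to override
# reading the cgroup path from /proc/self/cgroup and instead uses the
# cgroup path defined the configuration properties
# ops.cGroupOverrides.cpuPath and ops.cGroupOverrides.cpuAcctPath.
# Therefore, we set this value here so that cgroup statistics are
# available for the container this process will run in.

# Note that every option built above (including any secret-bearing ones such
# as elasticsearch.password) becomes part of the kibana process's argument
# list. Extra arguments given to this script are appended unchanged.
exec /usr/share/kibana/bin/kibana --ops.cGroupOverrides.cpuPath=/ --ops.cGroupOverrides.cpuAcctPath=/ "${longopts[@]}" "$@"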
413 |
--------------------------------------------------------------------------------
/so-kibana/bin/so-kibana.sh:
--------------------------------------------------------------------------------
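#!/bin/bash
# Entrypoint for the so-kibana image: start Kibana through the upstream
# kibana-docker wrapper and keep the container alive for as long as that
# process is running.

# Run the wrapper in the background so this script stays PID 1 and can
# both forward stop signals to Kibana and notice when Kibana exits.
/usr/local/bin/kibana-docker &
kibana_pid=$!

# Forward stop signals to Kibana so `docker stop` shuts it down cleanly
# instead of letting it be SIGKILLed once the stop timeout expires.
trap 'kill -TERM "${kibana_pid}" 2>/dev/null' TERM INT

#KIBANA_VERSION=7.6.1
#MAX_WAIT=60

# Check to see if Kibana is available
#wait_step=0
# until curl -s -XGET http://localhost:5601 > /dev/null ; do
# wait_step=$(( ${wait_step} + 1 ))
# echo "Waiting on Kibana...Attempt #$wait_step"
# if [ ${wait_step} -gt ${MAX_WAIT} ]; then
# echo "ERROR: Kibana not available for more than ${MAX_WAIT} seconds."
# exit 5
# fi
# sleep 1s;
# done

# This is junky but create the index if Kibana decides its not in the mood
#curl -s -X GET "$ELASTICSEARCH_HOST:9200/_cat/indices?v" | grep 'kibana' &> /dev/null

#if [[ $? != 0 ]]; then
# echo "Kibana Index Isn't There. Let's add it"
# curl -XPUT $ELASTICSEARCH_HOST:9200/.kibana
#else
# echo "Kibana Index is there... Next."
#fi
# Let's sleep some more and let Kibana come all the way up.
sleep 30
# Apply Kibana config
#echo
#echo "Applying Kibana config..."
#curl -s -XPOST http://localhost:5601/api/saved_objects/config/$KIBANA_VERSION?overwrite=true \
# -H "Content-Type: application/json" \
# -H "kbn-xsrf: $KIBANA_VERSION" \
# -d@/usr/share/kibana/config/config.json
#echo

# Apply Kibana template
# echo
# echo "Applying Kibana template..."
# curl -s -XPUT http://$ELASTICSEARCH_HOST:9200/_template/kibana \
# -H 'Content-Type: application/json' \
# -d'{"index_patterns" : ".kibana", "settings": { "number_of_shards" : 1, "number_of_replicas" : 0 }, "mappings" : { "search": {"properties": {"hits": {"type": "integer"}, "version": {"type": "integer"}}}}}'
# echo

# curl -s -XPUT "$ELASTICSEARCH_HOST:9200/.kibana/_settings" \
# -H 'Content-Type: application/json' \
# -d'{"index" : {"number_of_replicas" : 0}}'
# echo

# Apply all the dashboards
# Load dashboards, visualizations, index pattern(s), etc.
#for i in /usr/share/kibana/dashboards/*.json; do
#sed -i "s/OSQPLACEHOLDER/$MASTER/g" $i
#sed -i "s/THEHIVESERVER/$MASTER/g" $i
#sed -i "s/SENSORONISERVER/$MASTER/g" $i
# curl -XPOST localhost:5601/api/kibana/dashboards/import?force=true -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @$i >> /var/log/kibana/dashboards.log 2>&1 &
# echo -n "."
#done

# Load config file
#curl -XPOST localhost:5601/api/kibana/dashboards/import?force=true -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @$i

# Add Custom dashboards
#for i in /usr/share/kibana/custdashboards/*.json; do
# curl -XPOST localhost:5601/api/kibana/dashboards/import?force=true -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @$i >> /var/log/kibana/dashboards.log 2>&1 &
# echo -n "."
#done

# Block on the Kibana process rather than `sleep infinity`: if Kibana dies
# the container now exits with Kibana's status, so the orchestrator sees the
# failure and can restart it, instead of a container that stays "up" with
# no service inside.
wait "${kibana_pid}"
status=$?
# A trapped signal makes the first `wait` return early (status > 128); wait
# once more so Kibana actually finishes shutting down before PID 1 exits
# and the container is torn down.
if [ "${status}" -gt 128 ]; then
    wait "${kibana_pid}"
    status=$?
fi
exit "${status}"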
73 |
--------------------------------------------------------------------------------
/so-logstash/Dockerfile:
--------------------------------------------------------------------------------
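# This Dockerfile was based on the official Logstash Docker image:
# https://github.com/elastic/logstash-docker

# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
ARG FLAVOR
ARG VERSION

FROM docker.elastic.co/logstash/$FLAVOR:$VERSION

LABEL maintainer "Security Onion Solutions, LLC"

USER root

ENV PATH=/usr/share/logstash/bin:$PATH

# Provide a minimal configuration, so that simple invocations will provide
# a good experience.
# COPY rather than ADD for plain files from the build context: ADD's extra
# behaviours (fetching remote URLs, auto-extracting archives) are neither
# needed nor wanted here, and COPY makes the build-context origin explicit.
COPY config/logstash.yml config/log4j2.properties /usr/share/logstash/config/
COPY pipeline/default.conf /usr/share/logstash/pipeline/logstash.conf
COPY files/dictionaries/ /lib/dictionaries/
COPY files/freq /usr/share/logstash/pipeline.freq/
COPY files/domainstats /usr/share/logstash/pipeline.dstats/

# Create the pipeline directories the entrypoint/Salt tooling populates and
# hand everything under /usr/share/logstash to uid/gid 931, which the
# logstash account is remapped to below.
RUN ln -s /usr/share/logstash /opt/logstash \
    && mkdir /usr/share/logstash/pipeline.so \
    && mkdir /usr/share/logstash/pipeline.enabled \
    && chown --recursive 931:931 /usr/share/logstash \
    && chown --recursive 931:931 /lib/dictionaries

# Pin the logstash account to 931:931 and add it to an "ossec" group (gid
# 945) so it can read files shared with that id from the host.
RUN groupmod -g 931 logstash && \
    usermod -u 931 -g 931 logstash && \
    groupadd -g 945 ossec && \
    usermod -a -G ossec logstash

# Ensure Logstash gets a UTF-8 locale by default.
ENV LANG='en_US.UTF-8' LC_ALL='en_US.UTF-8'

# Place the startup wrapper script.
COPY bin/docker-entrypoint /usr/local/bin/
RUN chmod 0755 /usr/local/bin/docker-entrypoint

# Everything from here on, including the plugin install, runs unprivileged.
USER logstash

# Plugins are pulled from the public gem repository at build time and are not
# version-pinned, so two builds of this file can resolve different plugin
# releases; pin them (logstash-plugin install --version ...) where
# reproducible builds matter. The former `LOGSTASH_PACK_URL=... &&` in this
# RUN set an unexported shell variable that nothing referenced, so it had no
# effect and is dropped.
RUN cd /usr/share/logstash && \
    logstash-plugin install logstash-filter-translate \
        logstash-filter-tld \
        logstash-filter-elasticsearch \
        logstash-filter-rest \
        logstash-integration-kafka \
        logstash-output-syslog \
        logstash-filter-json_encode

ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]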
67 |
--------------------------------------------------------------------------------
/so-logstash/bin/docker-entrypoint:
--------------------------------------------------------------------------------
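#!/bin/bash
# Entrypoint for the so-logstash image.
#
# With no arguments, or when the first argument looks like an option
# (starts with '-'), run Logstash and pass the arguments through to it.
# Otherwise treat the arguments as an arbitrary command and exec that
# instead, so e.g. `docker run ... bash` works.
#
# "$@" is quoted so that arguments containing whitespace or glob characters
# (a config string, a path with spaces) reach the child process intact
# instead of being word-split and glob-expanded by this shell.

if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
    exec logstash "$@"
else
    exec "$@"
fi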
8 |
--------------------------------------------------------------------------------
/so-logstash/config/log4j2.properties:
--------------------------------------------------------------------------------
1 | status = error
2 | name = LogstashPropertiesConfig
3 |
4 | appender.console.type = Console
5 | appender.console.name = plain_console
6 | appender.console.layout.type = PatternLayout
7 | appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %m%n
8 |
9 | appender.json_console.type = Console
10 | appender.json_console.name = json_console
11 | appender.json_console.layout.type = JSONLayout
12 | appender.json_console.layout.compact = true
13 | appender.json_console.layout.eventEol = true
14 |
15 | rootLogger.level = ${sys:ls.log.level}
16 | rootLogger.appenderRef.console.ref = ${sys:ls.log.format}_console
17 |
--------------------------------------------------------------------------------
/so-logstash/config/logstash.yml:
--------------------------------------------------------------------------------
# http.host is the bind address of Logstash's HTTP monitoring/API endpoint.
# "0.0.0.0" listens on every interface inside the container, which is what
# makes the port reachable from outside the container at all; publish that
# port only where the API is actually consumed.
http.host: "0.0.0.0"
path.config: /usr/share/logstash/pipeline
3 |
--------------------------------------------------------------------------------
/so-logstash/env2yaml/env2yaml.go:
--------------------------------------------------------------------------------
1 | // env2yaml
2 | //
3 | // Merge environment variables into logstash.yml.
4 | // For example, running Docker with:
5 | //
6 | // docker run -e pipeline.workers=6
7 | //
8 | // or
9 | //
10 | // docker run -e PIPELINE_WORKERS=6
11 | //
12 | // will cause logstash.yml to contain the line:
13 | //
14 | // pipeline.workers: 6
15 | //
16 | package main
17 |
18 | import (
19 | "gopkg.in/yaml.v2"
20 | "io/ioutil"
21 | "log"
22 | "os"
23 | "strconv"
24 | "strings"
25 | )
26 |
27 | // If the given string can be converted to an integer then do so, returning
28 | // the resulting integer. Otherwise, return the string unmodified.
// StringToIntIfPossible returns str parsed as an int when strconv.Atoi
// accepts it; otherwise the original string is returned unchanged.
func StringToIntIfPossible(str string) interface{} {
	if n, parseErr := strconv.Atoi(str); parseErr == nil {
		return n
	}
	return str
}
37 |
38 | // If the given string can be converted to a boolean then do so, returning
39 | // the resulting bool. Otherwise, return the string unmodified.
// StringToBoolIfPossible maps the exact strings "true" and "false" to the
// corresponding bool; any other input (including "True" or "1") is returned
// unchanged as a string.
func StringToBoolIfPossible(str string) interface{} {
	switch str {
	case "true":
		return true
	case "false":
		return false
	}
	return str
}
49 |
50 | // Try to cast string representations of int, bool to actual
51 | // int and bool types. This will help with YAML serialization.
// TypifyString converts str to an int if it parses as one, else to a bool
// if it is exactly "true"/"false", else returns it as a string. Typed values
// serialize as bare YAML scalars rather than quoted strings.
func TypifyString(str string) interface{} {
	asInt := StringToIntIfPossible(str)
	// StringToIntIfPossible hands the string back untouched when it is not
	// an int, so a string result means "try the bool interpretation next".
	if _, stillString := asInt.(string); !stillString {
		return asInt
	}
	return StringToBoolIfPossible(str)
}
61 |
// normalizeSetting turns an environment-variable style name into the
// logstash.yml key form: lower-cased, with every '_' replaced by '.'
// (e.g. PIPELINE_WORKERS -> pipeline.workers).
func normalizeSetting(setting string) string {
	lowered := strings.ToLower(setting)
	return strings.Replace(lowered, "_", ".", -1)
}
67 |
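// isValidSetting reports whether setting, after normalizeSetting
// (lower-cased, '_' -> '.'), is one of the logstash.yml keys this tool is
// willing to merge from the environment. Every other environment variable
// is ignored, which is what keeps unrelated variables (PATH, HOME, ...)
// out of logstash.yml.
func isValidSetting(setting string) bool {
	validSettings := []string{
		"node.name",
		"path.data",
		"pipeline.workers",
		"pipeline.output.workers",
		"pipeline.batch.size",
		"pipeline.batch.delay",
		"pipeline.unsafe_shutdown",
		"path.config",
		"config.string",
		"config.test_and_exit",
		"config.reload.automatic",
		"config.reload.interval",
		"config.debug",
		"queue.type",
		"path.queue",
		"queue.page_capacity",
		"queue.max_events",
		"queue.max_bytes",
		"queue.checkpoint.acks",
		"queue.checkpoint.writes",
		"queue.checkpoint.interval",
		"http.host",
		"http.port",
		"log.level",
		"log.format",
		"path.logs",
		"path.plugins",
		"xpack.monitoring.enabled",
		"xpack.monitoring.collection.interval",
		"xpack.monitoring.elasticsearch.url",
		"xpack.monitoring.elasticsearch.username",
		"xpack.monitoring.elasticsearch.password",
		"xpack.monitoring.elasticsearch.ssl.ca",
		"xpack.monitoring.elasticsearch.ssl.truststore.path",
		"xpack.monitoring.elasticsearch.ssl.truststore.password",
	}

	// Normalize once instead of on every loop iteration (the original
	// re-normalized the same input for each candidate).
	normalized := normalizeSetting(setting)
	for _, candidate := range validSettings {
		if normalized == candidate {
			return true
		}
	}
	return false
}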
114 |
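// main reads the logstash.yml named by os.Args[1], merges every recognised
// setting found in the process environment into it, and rewrites the file
// in place (keeping its mode) when at least one setting was merged.
// All failures are fatal: a half-merged settings file is worse than none.
func main() {
	if len(os.Args) != 2 {
		log.Fatalf("usage: env2yaml FILENAME")
	}
	settingsFilePath := os.Args[1]

	settingsFile, err := ioutil.ReadFile(settingsFilePath)
	if err != nil {
		log.Fatalf("error: %v", err)
	}

	// Read the original settings file into a map.
	settings := make(map[string]interface{})
	err = yaml.Unmarshal(settingsFile, &settings)
	if err != nil {
		log.Fatalf("error: %v", err)
	}

	// Merge any valid settings found in the environment.
	foundNewSettings := false
	for _, line := range os.Environ() {
		// Split on the first '=' only: values may themselves contain '='
		// (config.string, passwords, URLs with query strings), and a plain
		// strings.Split kept only the fragment before the second '='.
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			// Defensive: os.Environ entries are KEY=VALUE, but indexing
			// kv[1] on a malformed entry would panic instead of skipping it.
			continue
		}
		key, value := kv[0], kv[1]
		if !isValidSetting(key) {
			continue
		}
		foundNewSettings = true
		setting := normalizeSetting(key)
		// Never echo credentials (xpack.monitoring.elasticsearch.password,
		// ...ssl.truststore.password) into the container log, which is
		// typically shipped and retained far more widely than logstash.yml.
		loggedValue := value
		if strings.Contains(setting, "password") {
			loggedValue = "<redacted>"
		}
		log.Printf("Setting from environment '%s: %s'", setting, loggedValue)
		settings[setting] = TypifyString(value)
	}

	if foundNewSettings {
		output, err := yaml.Marshal(&settings)
		if err != nil {
			log.Fatalf("error: %v", err)
		}

		// Preserve the original file mode; the settings file may contain
		// credentials and must not become world-readable on rewrite.
		stat, err := os.Stat(settingsFilePath)
		if err != nil {
			log.Fatalf("error: %v", err)
		}

		err = ioutil.WriteFile(settingsFilePath, output, stat.Mode())
		if err != nil {
			log.Fatalf("error: %v", err)
		}
	}
}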
164 |
--------------------------------------------------------------------------------
/so-logstash/files/dictionaries/iana_protocols.yaml:
--------------------------------------------------------------------------------
1 | "0": HOPOPT
2 | "1": ICMP
3 | "2": IGMP
4 | "3": GGP
5 | "4": IPv4
6 | "5": ST
7 | "6": TCP
8 | "7": CBT
9 | "8": EGP
10 | "9": IGP
11 | "10": BBN-RCC-MON
12 | "11": NVP-II
13 | "12": PUP
14 | "13": ARGUS
15 | "14": EMCON
16 | "15": XNET
17 | "16": CHAOS
18 | "17": UDP
19 | "18": MUX
20 | "19": DCN-MEAS
21 | "20": HMP
22 | "21": PRM
23 | "22": XNS-IDP
24 | "23": TRUNK-1
25 | "24": TRUNK-2
26 | "25": LEAF-1
27 | "26": LEAF-2
28 | "27": RDP
29 | "28": IRTP
30 | "29": ISO-TP4
31 | "30": NETBLT
32 | "31": MFE-NSP
33 | "32": MERIT-INP
34 | "33": DCCP
35 | "34": 3PC
36 | "35": IDPR
37 | "36": XTP
38 | "37": DDP
39 | "38": IDPR-CMTP
40 | "39": TP++
41 | "40": IL
42 | "41": IPv6
43 | "42": SDRP
44 | "43": IPv6-Route
45 | "44": IPv6-Frag
46 | "45": IDRP
47 | "46": RSVP
48 | "47": GRE
49 | "48": DSR
50 | "49": BNA
51 | "50": ESP
52 | "51": AH
53 | "52": I-NLSP
54 | "53": SWIPE
55 | "54": NARP
56 | "55": MOBILE
57 | "56": TLSP
58 | "57": SKIP
59 | "58": IPv6-ICMP
60 | "59": IPv6-NoNxt
61 | "60": IPv6-Opts
62 | "61": Undefined
63 | "62": CFTP
64 | "63": Undefined
65 | "64": SAT-EXPAK
66 | "65": KRYPTOLAN
67 | "66": RVD
68 | "67": IPPC
69 | "68": Undefined
70 | "69": SAT-MON
71 | "70": VISA
72 | "71": IPCV
73 | "72": CPNX
74 | "73": CPHB
75 | "74": WSN
76 | "75": PVP
77 | "76": BR-SAT-MON
78 | "77": SUN-ND
79 | "78": WB-MON
80 | "79": WB-EXPAK
81 | "80": ISO-IP
82 | "81": VMTP
83 | "82": SECURE-VMTP
84 | "83": VINES
85 | "84": TTP/IPTM
86 | "85": NSFNET-IGP
87 | "86": DGP
88 | "87": TCF
89 | "88": EIGRP
90 | "89": OSPFIGP
91 | "90": Sprite-RPC
92 | "91": LARP
93 | "92": MTP
94 | "93": AX.25
95 | "94": IPIP
96 | "95": MICP
97 | "96": SCC-SP
98 | "97": ETHERIP
99 | "98": ENCAP
100 | "99": Undefined
101 | "100": GMTP
102 | "101": IFMP
103 | "102": PNNI
104 | "103": PIM
105 | "104": ARIS
106 | "105": SCPS
107 | "106": QNX
108 | "107": A/N
109 | "108": IPComp
110 | "109": SNP
111 | "110": Compaq-Peer
112 | "111": IPX-in-IP
113 | "112": VRRP
114 | "113": PGM
115 | "114": Undefined
116 | "115": L2TP
117 | "116": DDX
118 | "117": IATP
119 | "118": STP
120 | "119": SRP
121 | "120": UTI
122 | "121": SMP
123 | "122": SM
124 | "123": PTP
125 | "124": ISIS over IPv4
126 | "125": FIRE
127 | "126": CRTP
128 | "127": CRUDP
129 | "128": SSCOPMCE
130 | "129": IPLT
131 | "130": SPS
132 | "131": PIPE
133 | "132": SCTP
134 | "133": FC
135 | "134": RSVP-E2E-IGNORE
136 | "135": Mobility Header
137 | "136": UDPLite
138 | "137": MPLS-in-IP
139 | "138": manet
140 | "139": HIP
141 | "140": Shim6
142 | "141": WESP
143 | "142": ROHC
144 | "143": Undefined
145 | "144": Undefined
146 | "145": Undefined
147 | "146": Undefined
148 | "147": Undefined
149 | "148": Undefined
150 | "149": Undefined
151 | "150": Undefined
152 | "151": Undefined
153 | "152": Undefined
154 | "153": Undefined
155 | "154": Undefined
156 | "155": Undefined
157 | "156": Undefined
158 | "157": Undefined
159 | "158": Undefined
160 | "159": Undefined
161 | "160": Undefined
162 | "161": Undefined
163 | "162": Undefined
164 | "163": Undefined
165 | "164": Undefined
166 | "165": Undefined
167 | "166": Undefined
168 | "167": Undefined
169 | "168": Undefined
170 | "169": Undefined
171 | "170": Undefined
172 | "171": Undefined
173 | "172": Undefined
174 | "173": Undefined
175 | "174": Undefined
176 | "175": Undefined
177 | "176": Undefined
178 | "177": Undefined
179 | "178": Undefined
180 | "179": Undefined
181 | "180": Undefined
182 | "181": Undefined
183 | "182": Undefined
184 | "183": Undefined
185 | "184": Undefined
186 | "185": Undefined
187 | "186": Undefined
188 | "187": Undefined
189 | "188": Undefined
190 | "189": Undefined
191 | "190": Undefined
192 | "191": Undefined
193 | "192": Undefined
194 | "193": Undefined
195 | "194": Undefined
196 | "195": Undefined
197 | "196": Undefined
198 | "197": Undefined
199 | "198": Undefined
200 | "199": Undefined
201 | "200": Undefined
202 | "201": Undefined
203 | "202": Undefined
204 | "203": Undefined
205 | "204": Undefined
206 | "205": Undefined
207 | "206": Undefined
208 | "207": Undefined
209 | "208": Undefined
210 | "209": Undefined
211 | "210": Undefined
212 | "211": Undefined
213 | "212": Undefined
214 | "213": Undefined
215 | "214": Undefined
216 | "215": Undefined
217 | "216": Undefined
218 | "217": Undefined
219 | "218": Undefined
220 | "219": Undefined
221 | "220": Undefined
222 | "221": Undefined
223 | "222": Undefined
224 | "223": Undefined
225 | "224": Undefined
226 | "225": Undefined
227 | "226": Undefined
228 | "227": Undefined
229 | "228": Undefined
230 | "229": Undefined
231 | "230": Undefined
232 | "231": Undefined
233 | "232": Undefined
234 | "233": Undefined
235 | "234": Undefined
236 | "235": Undefined
237 | "236": Undefined
238 | "237": Undefined
239 | "238": Undefined
240 | "239": Undefined
241 | "240": Undefined
242 | "241": Undefined
243 | "242": Undefined
244 | "243": Undefined
245 | "244": Undefined
246 | "245": Undefined
247 | "246": Undefined
248 | "247": Undefined
249 | "248": Undefined
250 | "249": Undefined
251 | "250": Undefined
252 | "251": Undefined
253 | "252": Undefined
254 | "253": Undefined
255 | "254": Undefined
256 | "255": Reserved
--------------------------------------------------------------------------------
/so-logstash/files/dictionaries/iana_services.yaml:
--------------------------------------------------------------------------------
1 | "1": tcpmux
2 | "2": nbp
3 | "4": echo
4 | "6": zip
5 | "7": echo
6 | "9": discard
7 | "11": systat
8 | "13": daytime
9 | "15": netstat
10 | "17": qotd
11 | "18": msp
12 | "19": chargen
13 | "20": ftp-data
14 | "21": ftp
15 | "22": ssh
16 | "23": telnet
17 | "25": smtp
18 | "37": time
19 | "39": rlp
20 | "42": nameserver
21 | "43": whois
22 | "49": tacacs
23 | "50": re-mail-ck
24 | "53": domain
25 | "57": mtp
26 | "65": tacacs-ds
27 | "67": bootps
28 | "68": bootpc
29 | "69": tftp
30 | "70": gopher
31 | "77": rje
32 | "79": finger
33 | "80": http
34 | "87": link
35 | "88": kerberos
36 | "95": supdup
37 | "98": linuxconf
38 | "101": hostnames
39 | "102": iso-tsap
40 | "104": acr-nema
41 | "105": csnet-ns
42 | "106": poppassd
43 | "107": rtelnet
44 | "109": pop2
45 | "110": pop3
46 | "111": sunrpc
47 | "113": auth
48 | "115": sftp
49 | "117": uucp-path
50 | "119": nntp
51 | "123": ntp
52 | "129": pwdgen
53 | "135": loc-srv
54 | "137": netbios-ns
55 | "138": netbios-dgm
56 | "139": netbios-ssn
57 | "143": imap2
58 | "161": snmp
59 | "162": snmp-trap
60 | "163": cmip-man
61 | "164": cmip-agent
62 | "174": mailq
63 | "177": xdmcp
64 | "178": nextstep
65 | "179": bgp
66 | "191": prospero
67 | "194": irc
68 | "199": smux
69 | "201": at-rtmp
70 | "202": at-nbp
71 | "204": at-echo
72 | "206": at-zis
73 | "209": qmtp
74 | "210": z3950
75 | "213": ipx
76 | "220": imap3
77 | "345": pawserv
78 | "346": zserv
79 | "347": fatserv
80 | "369": rpc2portmap
81 | "370": codaauth2
82 | "371": clearcase
83 | "372": ulistserv
84 | "389": ldap
85 | "406": imsp
86 | "427": svrloc
87 | "443": https
88 | "444": snpp
89 | "445": microsoft-ds
90 | "464": kpasswd
91 | "465": urd
92 | "487": saft
93 | "500": isakmp
# NOTE(review): duplicate keys below ("512", "513", "514"; "2010" and "2121"
# further down) — a YAML mapping cannot hold both entries, and which value a
# loader keeps is parser-dependent (commonly the last one), so e.g. "514"
# may resolve to syslog rather than shell. They are the TCP/UDP pairs from
# /etc/services (exec/biff, login/who, shell/syslog); keep one per key or
# split the dictionary by transport.
"512": exec
"512": biff
"513": login
"513": who
"514": shell
"514": syslog
100 | "515": printer
101 | "517": talk
102 | "518": ntalk
103 | "520": route
104 | "525": timed
105 | "526": tempo
106 | "530": courier
107 | "531": conference
108 | "532": netnews
109 | "533": netwall
110 | "538": gdomap
111 | "540": uucp
112 | "543": klogin
113 | "544": kshell
114 | "546": dhcpv6-client
115 | "547": dhcpv6-server
116 | "548": afpovertcp
117 | "549": idfp
118 | "554": rtsp
119 | "556": remotefs
120 | "563": nntps
121 | "587": submission
122 | "607": nqs
123 | "610": npmp-local
124 | "611": npmp-gui
125 | "612": hmmp-ind
126 | "623": asf-rmcp
127 | "628": qmqp
128 | "631": ipp
129 | "636": ldaps
130 | "655": tinc
131 | "706": silc
132 | "749": kerberos-adm
133 | "750": kerberos4
134 | "751": kerberos-master
135 | "752": passwd-server
136 | "754": krb-prop
137 | "760": krbupdate
138 | "765": webster
139 | "775": moira-db
140 | "777": moira-update
141 | "779": moira-ureg
142 | "783": spamd
143 | "808": omirr
144 | "871": supfilesrv
145 | "873": rsync
146 | "901": swat
147 | "989": ftps-data
148 | "990": ftps
149 | "992": telnets
150 | "993": imaps
151 | "994": ircs
152 | "995": pop3s
153 | "1001": customs
154 | "1080": socks
155 | "1093": proofd
156 | "1094": rootd
157 | "1099": rmiregistry
158 | "1109": kpop
159 | "1127": supfiledbg
160 | "1178": skkserv
161 | "1194": openvpn
162 | "1210": predict
163 | "1214": kazaa
164 | "1236": rmtcfg
165 | "1241": nessus
166 | "1300": wipld
167 | "1313": xtel
168 | "1314": xtelw
169 | "1352": lotusnote
170 | "1433": ms-sql-s
171 | "1434": ms-sql-m
172 | "1524": ingreslock
173 | "1525": prospero-np
174 | "1529": support
175 | "1645": datametrics
176 | "1646": sa-msg-port
177 | "1649": kermit
178 | "1677": groupwise
179 | "1701": l2f
180 | "1812": radius
181 | "1813": radius-acct
182 | "1863": msnp
183 | "1957": unix-status
184 | "1958": log-server
185 | "1959": remoteping
186 | "2000": cisco-sccp
187 | "2003": cfinger
188 | "2010": search
189 | "2010": pipe-server
190 | "2049": nfs
191 | "2053": knetd
192 | "2086": gnunet
193 | "2101": rtcm-sc104
194 | "2102": zephyr-srv
195 | "2103": zephyr-clt
196 | "2104": zephyr-hm
197 | "2105": eklogin
198 | "2111": kx
199 | "2119": gsigatekeeper
200 | "2121": iprop
201 | "2121": frox
202 | "2135": gris
203 | "2150": ninstall
204 | "2401": cvspserver
205 | "2430": venus
206 | "2431": venus-se
207 | "2432": codasrv
208 | "2433": codasrv-se
209 | "2583": mon
210 | "2600": zebrasrv
211 | "2601": zebra
212 | "2602": ripd
213 | "2603": ripngd
214 | "2604": ospfd
215 | "2605": bgpd
216 | "2606": ospf6d
217 | "2607": ospfapi
218 | "2608": isisd
219 | "2628": dict
220 | "2792": f5-globalsite
221 | "2811": gsiftp
222 | "2947": gpsd
223 | "2988": afbackup
224 | "2989": afmbackup
225 | "3050": gds-db
226 | "3130": icpv2
227 | "3260": iscsi-target
228 | "3306": mysql
229 | "3493": nut
230 | "3632": distcc
231 | "3689": daap
232 | "3690": svn
233 | "4031": suucp
234 | "4094": sysrqd
235 | "4190": sieve
236 | "4224": xtell
237 | "4353": f5-iquery
238 | "4369": epmd
239 | "4373": remctl
240 | "4500": ipsec-nat-t
241 | "4557": fax
242 | "4559": hylafax
243 | "4569": iax
244 | "4600": distmp3
245 | "4691": mtn
246 | "4899": radmin-port
247 | "4949": munin
248 | "5002": rfe
249 | "5050": mmcc
250 | "5051": enbd-cstatd
251 | "5052": enbd-sstatd
252 | "5060": sip
253 | "5061": sip-tls
254 | "5151": pcrd
255 | "5190": aol
256 | "5222": xmpp-client
257 | "5269": xmpp-server
258 | "5308": cfengine
259 | "5353": mdns
260 | "5354": noclog
261 | "5355": hostmon
262 | "5432": postgresql
263 | "5555": rplay
264 | "5556": freeciv
265 | "5666": nrpe
266 | "5667": nsca
267 | "5672": amqp
268 | "5674": mrtd
269 | "5675": bgpsim
270 | "5680": canna
271 | "5688": ggz
272 | "6000": x11
273 | "6001": x11-1
274 | "6002": x11-2
275 | "6003": x11-3
276 | "6004": x11-4
277 | "6005": x11-5
278 | "6006": x11-6
279 | "6007": x11-7
280 | "6346": gnutella-svc
281 | "6347": gnutella-rtr
282 | "6444": sge-qmaster
283 | "6445": sge-execd
284 | "6446": mysql-proxy
285 | "6514": syslog-tls
286 | "6566": sane-port
287 | "6667": ircd
288 | "7000": afs3-fileserver
289 | "7001": afs3-callback
290 | "7002": afs3-prserver
291 | "7003": afs3-vlserver
292 | "7004": afs3-kaserver
293 | "7005": afs3-volser
294 | "7006": afs3-errors
295 | "7007": afs3-bos
296 | "7008": afs3-update
297 | "7009": afs3-rmtsys
298 | "7100": font-service
299 | "8021": zope-ftp
300 | "8080": http-alt
301 | "8081": tproxy
302 | "8088": omniorb
303 | "8990": clc-build-daemon
304 | "9098": xinetd
305 | "9101": bacula-dir
306 | "9102": bacula-fd
307 | "9103": bacula-sd
308 | "9359": mandelspawn
309 | "9418": git
310 | "9667": xmms2
311 | "9673": zope
312 | "10000": webmin
313 | "10050": zabbix-agent
314 | "10051": zabbix-trapper
315 | "10080": amanda
316 | "10081": kamanda
317 | "10082": amandaidx
318 | "10083": amidxtape
319 | "10809": nbd
320 | "11112": dicom
321 | "11201": smsqp
322 | "11371": hkp
323 | "13720": bprd
324 | "13721": bpdbm
325 | "13722": bpjava-msvc
326 | "13724": vnetd
327 | "13782": bpcd
328 | "13783": vopied
329 | "15345": xpilot
330 | "17001": sgi-cmsd
331 | "17002": sgi-crsd
332 | "17003": sgi-gcd
333 | "17004": sgi-cad
334 | "17500": db-lsp
335 | "20011": isdnlog
336 | "20012": vboxd
337 | "22125": dcap
338 | "22128": gsidcap
339 | "22273": wnn6
340 | "24554": binkp
341 | "27374": asp
342 | "30865": csync2
343 | "57000": dircproxy
344 | "60177": tfido
345 | "60179": fido
--------------------------------------------------------------------------------
/so-logstash/files/dictionaries/services.yaml:
--------------------------------------------------------------------------------
1 | "Windows Update": whitelist
2 | "SEC555 Service": whitelist
3 | "Evil Service": blacklist
4 |
--------------------------------------------------------------------------------
/so-logstash/files/dictionaries/tcp_flags.yaml:
--------------------------------------------------------------------------------
# TCP flag byte (hex) -> symbolic flag combination, presumably loaded by a
# translate filter (logstash-filter-translate is installed in the Dockerfile).
# Bit values: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20 ECE=0x40 CWR=0x80.
# NOTE(review): no key in this file has the RST (0x04) or URG (0x20) bit set,
# so e.g. 0x04 (RST) and 0x14 (RST-ACK) will not translate — confirm whether
# that is intentional.
"0x00": NULL
2 | "0x01": FIN
3 | "0x02": SYN
4 | "0x03": FIN-SYN
5 | "0x08": PSH
6 | "0x09": FIN-PSH
7 | "0x0A": SYN-PSH
8 | "0x0B": FIN-SYN-PSH
9 | "0x10": ACK
10 | "0x11": FIN-ACK
11 | "0x12": SYN-ACK
12 | "0x13": FIN-SYN-ACK
13 | "0x18": PSH-ACK
14 | "0x19": FIN-PSH-ACK
15 | "0x1A": SYN-PSH-ACK
16 | "0x1B": FIN-SYN-PSH-ACK
17 | "0x40": ECE
18 | "0x41": FIN-ECE
19 | "0x42": SYN-ECE
20 | "0x43": FIN-SYN-ECE
21 | "0x48": PSH-ECE
22 | "0x49": FIN-PSH-ECE
23 | "0x4A": SYN-PSH-ECE
24 | "0x4B": FIN-SYN-PSH-ECE
25 | "0x50": ACK-ECE
26 | "0x51": FIN-ACK-ECE
27 | "0x52": SYN-ACK-ECE
28 | "0x53": FIN-SYN-ACK-ECE
29 | "0x58": PSH-ACK-ECE
30 | "0x59": FIN-PSH-ACK-ECE
31 | "0x5A": SYN-PSH-ACK-ECE
32 | "0x5B": FIN-SYN-PSH-ACK-ECE
33 | "0x80": CWR
34 | "0x81": FIN-CWR
35 | "0x82": SYN-CWR
36 | "0x83": FIN-SYN-CWR
37 | "0x88": PSH-CWR
38 | "0x89": FIN-PSH-CWR
39 | "0x8A": SYN-PSH-CWR
40 | "0x8B": FIN-SYN-PSH-CWR
41 | "0x90": ACK-CWR
42 | "0x91": FIN-ACK-CWR
43 | "0x92": SYN-ACK-CWR
44 | "0x93": FIN-SYN-ACK-CWR
45 | "0x98": PSH-ACK-CWR
46 | "0x99": FIN-PSH-ACK-CWR
47 | "0x9A": SYN-PSH-ACK-CWR
48 | "0x9B": FIN-SYN-PSH-ACK-CWR
49 | "0xC0": ECE-CWR
50 | "0xC1": FIN-ECE-CWR
51 | "0xC2": SYN-ECE-CWR
52 | "0xC3": FIN-SYN-ECE-CWR
53 | "0xC8": PSH-ECE-CWR
54 | "0xC9": FIN-PSH-ECE-CWR
55 | "0xCA": SYN-PSH-ECE-CWR
56 | "0xCB": FIN-SYN-PSH-ECE-CWR
57 | "0xD0": ACK-ECE-CWR
58 | "0xD1": FIN-ACK-ECE-CWR
59 | "0xD2": SYN-ACK-ECE-CWR
60 | "0xD3": FIN-SYN-ACK-ECE-CWR
61 | "0xD8": PSH-ACK-ECE-CWR
62 | "0xD9": FIN-PSH-ACK-ECE-CWR
63 | "0xDA": SYN-PSH-ACK-ECE-CWR
64 | "0xDB": FIN-SYN-PSH-ACK-ECE-CWR
--------------------------------------------------------------------------------
/so-logstash/files/domainstats/8007_postprocess_dns_top1m_tagging.conf:
--------------------------------------------------------------------------------
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 4/11/2017
#
# Tags DNS events whose registered domain is listed by the domainstats
# "alexa" endpoint (top-1M popularity list) with "top-1m"; later filters use
# the tag to skip lookups on well-known domains.

filter {
  if [type] == "dns" or [type] == "bro_dns" {
    if [highest_registered_domain] {
      # One HTTP request per event to the domainstats service. The domain is
      # interpolated straight into the URL path: it originates from the DNS
      # query (attacker-influenced input) and, unlike the freq filters under
      # ../freq/, is not gsub-stripped of non-word characters first, so a
      # name containing '/', '?' or '#' changes the request path.
      rest {
        request => {
          url => "http://domainstats:20000/alexa/%{highest_registered_domain}"
        }
        sprintf => true
        json => false
        target => "site"
      }
      # A response of "0" (or no response at all) is treated as "not listed";
      # anything else counts as a hit. The scratch field is dropped either way
      # only on the hit path, so a "0" response leaves [site] on the event.
      if [site] != "0" and [site] {
        mutate {
          add_tag => [ "top-1m" ]
          remove_field => [ "site" ]
        }
      }
    }
  }
}
26 |
--------------------------------------------------------------------------------
/so-logstash/files/domainstats/8008_postprocess_dns_whois_age.conf:
--------------------------------------------------------------------------------
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 7/22/2017
#
# Looks up the whois creation date of the registered domain (via the
# domainstats service) for DNS events not already tagged "top-1m", and
# stores it as creation_date.

filter {
  # NOTE(review): the sibling 8007 filter selects on [type] == "dns", this
  # one on "dns" in [tags] — presumably both are meant to match the same
  # events; confirm which form is correct for the current event schema.
  if "dns" in [tags] or [type] == "bro_dns" {
    # Domains tagged "top-1m" by 8007 are skipped, which keeps the per-event
    # whois lookup off the most common names.
    if "top-1m" not in [tags] and [highest_registered_domain] {
      # One HTTP request per event. The domain is interpolated directly into
      # the URL path without the non-word-character gsub the freq filters
      # apply, so a DNS name containing '/', '?' or '#' alters the request.
      rest {
        request => {
          url => "http://domainstats:20000/domain/creation_date/%{highest_registered_domain}"
        }
        sprintf => true
        json => false
        target => "domain_age"
      }
      # Only parse a real date; a "No whois record" reply is left as-is.
      if [domain_age] and [domain_age] !~ "No whois record"{
        date {
          # Presumably the reply formats the service produces, with and
          # without a trailing "; " — confirm against domainstats output.
          match => [ "domain_age", "YYYY-MM-dd HH:mm:ss'; '",
          "YYYY-MM-dd HH:mm:ss';'",
          "YYYY-MM-dd'T'HH:mm:ssZ'; '",
          "YYYY-MM-dd'T'HH:mm:ssZ';'",
          "YYYY-MM-dd'T'HH:mm:ss'.00Z; '",
          "YYYY-MM-dd'T'HH:mm:ss'.00Z;'" ]
          target => "creation_date"
          remove_field => [ "domain_age" ]
        }
      }
    }
  }
}
32 |
--------------------------------------------------------------------------------
/so-logstash/files/freq/8502_postprocess_freq_analysis_bro_dns.conf:
--------------------------------------------------------------------------------
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 4/11/2017
#
# Frequency scoring of DNS name components via the freqserver service. Each
# scored component gets its own *_frequency_score field (as a float) and the
# score is also added to the shared frequency_scores field.

filter {
  if [type] == "dns" or [type] == "bro_dns" {
    # If Query exists run a frequency analysis against it. In order for this to work you must have
    # freq.py and the corresponding frequency table in /opt/freq/. This is a huge boost to security
    # and I highly recommend you set this up. Example, if a frequency score less than 6 exists
    # then there is a likelihood that something malicious is happening.
    #
    # For higher accuracy, please generate your own frequency tables. For questions on setup,
    # please refer to https://github.com/SMAPPER
    #
    # NOTE(review): this condition mixes `or` and `and` without parentheses.
    # Depending on how Logstash groups it, A records may be scored even when
    # "top-1m" is already in [tags] — confirm, and if both record types are
    # meant to skip top-1m domains, write it as
    # `([query_type_name] == "A" or [query_type_name] == "AAAA") and "top-1m" not in [tags]`.
    if [query_type_name] == "A" or [query_type_name] == "AAAA" and "top-1m" not in [tags] {
      if [highest_registered_domain] {
        # Score a scrubbed copy: the name comes from the DNS query
        # (attacker-influenced) and is interpolated into the URL path below,
        # so every non-word character is stripped from the copy first.
        mutate {
          add_field => { "freq_highest_registered_domain" => "%{highest_registered_domain}"}
        }
        mutate {
          gsub => [ "freq_highest_registered_domain", "\W", "" ]
        }
        # One HTTP request per event to the freqserver service.
        rest {
          request => {
            url => "http://freqserver:10004/measure/%{freq_highest_registered_domain}"
          }
          sprintf => true
          json => false
          target => "highest_registered_domain_frequency_score"
        }
        # Drop the scratch copy once the request has been made.
        mutate {
          remove_field => [ "freq_highest_registered_domain" ]
        }
        if [highest_registered_domain_frequency_score] {
          mutate {
            convert => [ "highest_registered_domain_frequency_score", "float" ]
            add_field => { "frequency_scores" => "%{highest_registered_domain_frequency_score}" }
          }
        }
      }
      # Same pattern for the parent domain; very short values are skipped
      # because a frequency score on a handful of characters is not meaningful.
      if [parent_domain] and [parent_domain_length] > 5 {
        mutate {
          add_field => { "freq_parent_domain" => "%{parent_domain}"}
        }
        mutate {
          gsub => [ "freq_parent_domain", "\W", "" ]
        }
        rest {
          request => {
            url => "http://freqserver:10004/measure/%{freq_parent_domain}"
          }
          sprintf => true
          json => false
          target => "parent_domain_frequency_score"
        }
        mutate {
          remove_field => [ "freq_parent_domain" ]
        }
        if [parent_domain_frequency_score] {
          mutate {
            convert => [ "parent_domain_frequency_score", "float" ]
            add_field => { "frequency_scores" => "%{parent_domain_frequency_score}" }
          }
        }
      }
      # Same pattern for the subdomain label(s).
      if [subdomain] and [subdomain_length] > 5 {
        mutate {
          add_field => { "freq_subdomain" => "%{subdomain}"}
        }
        mutate {
          gsub => [ "freq_subdomain", "\W", "" ]
        }
        rest {
          request => {
            url => "http://freqserver:10004/measure/%{freq_subdomain}"
          }
          sprintf => true
          json => false
          target => "subdomain_frequency_score"
        }
        mutate {
          remove_field => [ "freq_subdomain" ]
        }
        if [subdomain_frequency_score] {
          mutate {
            convert => [ "subdomain_frequency_score", "float" ]
            add_field => { "frequency_scores" => "%{subdomain_frequency_score}" }
          }
        }
      }
    }
    # Empty mutate: the only directive is commented out, so this is a no-op
    # and can be removed once the conf_file tag is no longer wanted.
    mutate {
      #add_tag => [ "conf_file_8502"]
    }
  }
}
97 |
--------------------------------------------------------------------------------
/so-logstash/files/freq/8503_postprocess_freq_analysis_bro_http.conf:
--------------------------------------------------------------------------------
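# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 7/22/2017
#
# Frequency scoring of the HTTP virtual host (Host header) via the
# freqserver service, mirroring the DNS/SSL freq filters.

filter {
  if [type] == "bro_http" {
    # Very short values are skipped; a score on a handful of characters is
    # not meaningful.
    if [virtual_host] and [virtual_host_length] > 5 {
      # Score a scrubbed copy: the Host header is client-supplied
      # (attacker-controlled) and is interpolated into the URL path below,
      # so every non-word character is stripped from the copy first.
      mutate {
        add_field => { "freq_virtual_host" => "%{virtual_host}"}
      }
      mutate {
        gsub => [ "freq_virtual_host", "\W", "" ]
      }
      # One HTTP request per event to the freqserver service.
      rest {
        request => {
          url => "http://freqserver:10004/measure/%{freq_virtual_host}"
        }
        sprintf => true
        json => false
        target => "virtual_host_frequency_score"
      }
      # Drop the scratch copy. This previously removed "virtual_host_domain",
      # a field nothing in this filter creates, so freq_virtual_host was left
      # on every event; the sibling DNS/SSL filters remove their freq_* copy.
      mutate {
        remove_field => [ "freq_virtual_host" ]
      }
      if [virtual_host_frequency_score] {
        mutate {
          convert => [ "virtual_host_frequency_score", "float" ]
          add_field => { "frequency_scores" => "%{virtual_host_frequency_score}" }
        }
      }
    }
  }
}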
--------------------------------------------------------------------------------
/so-logstash/files/freq/8504_postprocess_freq_analysis_bro_ssl.conf:
--------------------------------------------------------------------------------
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016

filter {
  if [type] == "bro_ssl" {
    # If server_name, issuer_common_name or certificate_common_name exists, run a
    # frequency analysis against it. In order for this to work you must have
    # freq.py and the corresponding frequency table in /opt/freq/. This is a huge boost to security
    # and I highly recommend you set this up. Example, if a frequency score less than 6 exists
    # then there is a likelihood that something malicious is happening.
    #
    # For higher accuracy, please generate your own frequency tables. For questions on setup,
    # please refer to https://github.com/SMAPPER
    #
    # How the blocks below are wired: the score is obtained with an HTTP call to
    # freqserver:10004 (the /opt/freq/freq.py note above describes the older
    # local setup). Each block copies its field into the shared scratch field
    # "freq_common_name", strips every non-word character with gsub so the value
    # interpolated into the URL cannot carry path or query syntax, fetches the
    # score, then removes the scratch field again. Unlike 8503 there is no
    # minimum-length check, so very short names are scored as well.
    if [server_name] {
      mutate {
        add_field => { "freq_common_name" => "%{server_name}" }
      }
      # Sanitise before URL interpolation (see note above).
      mutate {
        gsub => [ "freq_common_name", "\W", "" ]
      }
      rest {
        request => {
          url => "http://freqserver:10004/measure/%{freq_common_name}"
        }
        sprintf => true
        json => false
        target => "server_name_frequency_score"
      }
      mutate {
        remove_field => [ "freq_common_name" ]
      }
      if [server_name_frequency_score] {
        mutate {
          convert => [ "server_name_frequency_score", "float" ]
          add_field => { "frequency_scores" => "%{server_name_frequency_score}" }
        }
      }
    }
    if [issuer_common_name] {
      mutate {
        add_field => { "freq_common_name" => "%{issuer_common_name}" }
      }
      # Sanitise before URL interpolation (see note above).
      mutate {
        gsub => [ "freq_common_name", "\W", "" ]
      }
      rest {
        request => {
          url => "http://freqserver:10004/measure/%{freq_common_name}"
        }
        sprintf => true
        json => false
        target => "issuer_common_name_frequency_score"
      }
      mutate {
        remove_field => [ "freq_common_name" ]
      }
      if [issuer_common_name_frequency_score] {
        mutate {
          convert => [ "issuer_common_name_frequency_score", "float" ]
          add_field => { "frequency_scores" => "%{issuer_common_name_frequency_score}" }
        }
      }
    }
    if [certificate_common_name] {
      mutate {
        add_field => { "freq_common_name" => "%{certificate_common_name}" }
      }
      # Sanitise before URL interpolation (see note above).
      mutate {
        gsub => [ "freq_common_name", "\W", "" ]
      }
      rest {
        request => {
          url => "http://freqserver:10004/measure/%{freq_common_name}"
        }
        sprintf => true
        json => false
        target => "certificate_common_name_frequency_score"
      }
      mutate {
        remove_field => [ "freq_common_name" ]
      }
      if [certificate_common_name_frequency_score] {
        mutate {
          convert => [ "certificate_common_name_frequency_score", "float" ]
          add_field => { "frequency_scores" => "%{certificate_common_name_frequency_score}" }
        }
      }
    }
    # Empty mutate left over from a debugging tag; it has no effect as written.
    mutate {
      #add_tag => [ "conf_file_8504"]
    }
  }
}
95 |
--------------------------------------------------------------------------------
/so-logstash/files/freq/8505_postprocess_freq_analysis_bro_x509.conf:
--------------------------------------------------------------------------------
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016

filter {
  if [type] == "bro_x509" {
    # If issuer_common_name, issuer_organization or certificate_common_name exists,
    # run a frequency analysis against it. In order for this to work you must have
    # freq.py and the corresponding frequency table in /opt/freq/. This is a huge boost to security
    # and I highly recommend you set this up. Example, if a frequency score less than 6 exists
    # then there is a likelihood that something malicious is happening.
    #
    # For higher accuracy, please generate your own frequency tables. For questions on setup,
    # please refer to https://github.com/SMAPPER
    #
    # How the blocks below are wired: the score is obtained with an HTTP call to
    # freqserver:10004 (the /opt/freq/freq.py note above describes the older
    # local setup). Each block copies its field into the shared scratch field
    # "freq_common_name", strips every non-word character with gsub so the value
    # interpolated into the URL cannot carry path or query syntax, fetches the
    # score, then removes the scratch field again. No minimum-length check is
    # applied here.
    if [issuer_common_name]{
      mutate {
        add_field => { "freq_common_name" => "%{issuer_common_name}" }
      }
      # Sanitise before URL interpolation (see note above).
      mutate {
        gsub => [ "freq_common_name", "\W", "" ]
      }
      rest {
        request => {
          url => "http://freqserver:10004/measure/%{freq_common_name}"
        }
        sprintf => true
        json => false
        target => "issuer_common_name_frequency_score"
      }
      mutate {
        remove_field => [ "freq_common_name" ]
      }
      if [issuer_common_name_frequency_score] {
        mutate {
          convert => [ "issuer_common_name_frequency_score", "float" ]
          add_field => { "frequency_scores" => "%{issuer_common_name_frequency_score}" }
        }
      }
    }
    if [issuer_organization]{
      mutate {
        add_field => { "freq_common_name" => "%{issuer_organization}" }
      }
      # Sanitise before URL interpolation (see note above).
      mutate {
        gsub => [ "freq_common_name", "\W", "" ]
      }
      rest {
        request => {
          url => "http://freqserver:10004/measure/%{freq_common_name}"
        }
        sprintf => true
        json => false
        target => "issuer_organization_frequency_score"
      }
      mutate {
        remove_field => [ "freq_common_name" ]
      }
      if [issuer_organization_frequency_score] {
        mutate {
          convert => [ "issuer_organization_frequency_score", "float" ]
          add_field => { "frequency_scores" => "%{issuer_organization_frequency_score}" }
        }
      }
    }
    if [certificate_common_name]{
      mutate {
        add_field => { "freq_common_name" => "%{certificate_common_name}" }
      }
      # Sanitise before URL interpolation (see note above).
      mutate {
        gsub => [ "freq_common_name", "\W", "" ]
      }
      rest {
        request => {
          url => "http://freqserver:10004/measure/%{freq_common_name}"
        }
        sprintf => true
        json => false
        target => "certificate_common_name_frequency_score"
      }
      mutate {
        remove_field => [ "freq_common_name" ]
      }
      if [certificate_common_name_frequency_score] {
        mutate {
          convert => [ "certificate_common_name_frequency_score", "float" ]
          add_field => { "frequency_scores" => "%{certificate_common_name_frequency_score}" }
        }
      }
    }
    # Empty mutate left over from a debugging tag; it has no effect as written.
    mutate {
      #add_tag => [ "conf_file_8505"]
    }
  }
}
95 |
--------------------------------------------------------------------------------
/so-logstash/pipeline/default.conf:
--------------------------------------------------------------------------------
# Minimal default pipeline: accept Beats on 5044 and dump events to stdout.
# There is no filter stage and nothing here enables TLS on the Beats listener,
# so this reads as a placeholder/debug pipeline rather than the production
# configuration (the freq/ and domainstats/ filters live in separate files).
input {
  beats {
    # Plain Beats protocol; no ssl / certificate options are configured here.
    port => 5044
  }
}

output {
  # rubydebug prints every field of every event to the container's stdout,
  # i.e. full event contents end up in the container log.
  stdout {
    codec => rubydebug
  }
}
12 |
13 |
--------------------------------------------------------------------------------
/so-nginx/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright Security Onion Solutions, LLC
2 |
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see <https://www.gnu.org/licenses/>.
15 |
# Navigator build stage
FROM ghcr.io/security-onion-solutions/node:24.9.0-alpine AS navigator-builder

ARG NAVIGATOR_VERSION=5.1.1

RUN apk add git wget

# Git clone the specified version of Navigator
# (pinned by tag; a tag can be moved, unlike a commit hash)
RUN git config --global advice.detachedHead false && \
git clone -b "v${NAVIGATOR_VERSION}" https://github.com/mitre-attack/attack-navigator.git

# Download the latest version of Enterprise ATT&CK
# NOTE(review): fetched from the moving `master` branch with no checksum, so two
# builds of this Dockerfile can embed different data; pin a release or verify a
# hash if reproducibility of the served dataset matters.
RUN wget -O /tmp/enterprise-attack.json https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json

WORKDIR /attack-navigator/nav-app/

RUN npm ci && npx ng build

# Delete base href line from index html to fix url path issues
# NOTE(review): the sed pattern reads as empty (`//d`) in this rendering, which
# sed rejects with "no previous regular expression"; the tag it should match
# has most likely been stripped by the extraction -- confirm against the
# repository source.
RUN sed -i '//d' ./dist/index.html

###################################

FROM ghcr.io/security-onion-solutions/nginx:1.29.1-alpine
# The health check assumes curl is present in the nginx base image.
HEALTHCHECK --interval=5m --timeout=3s CMD curl --fail http://localhost/ || exit 1
LABEL maintainer "Security Onion Solutions, LLC"
LABEL description "Security Onion Core Functions Docker"

ARG CYBERCHEF_VERSION=10.19.4

RUN mkdir -p /opt/socore/html/navigator
# Only the built artefacts cross over; node, git and the Navigator source stay
# in the builder stage.
COPY --from=navigator-builder /attack-navigator/nav-app/dist /opt/socore/html/navigator
COPY --from=navigator-builder /tmp/enterprise-attack.json /opt/socore/html/navigator/assets/mitre/enterprise-attack.json

# CyberChef release asset: pinned by version, but not verified against a
# checksum or signature before being served from this image.
RUN mkdir -p /opt/socore/html/cyberchef && \
wget -O /tmp/CyberChef.zip https://github.com/gchq/CyberChef/releases/download/v${CYBERCHEF_VERSION}/CyberChef_v${CYBERCHEF_VERSION}.zip && \
unzip -o /tmp/CyberChef.zip -d /opt/socore/html/cyberchef && \
mv /opt/socore/html/cyberchef/CyberChef_v${CYBERCHEF_VERSION}.html /opt/socore/html/cyberchef/index.html && \
rm -f /tmp/CyberChef.zip

EXPOSE 80
EXPOSE 443
58 |
--------------------------------------------------------------------------------
/so-nginx/README.md:
--------------------------------------------------------------------------------
1 | SO-Core Docker
2 |
--------------------------------------------------------------------------------
/so-pcaptools/Dockerfile:
--------------------------------------------------------------------------------
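FROM ghcr.io/security-onion-solutions/python:3.13.7-slim AS builder

LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="Tools for use with PCAP & EVTX files"

ARG PCAPFIX_VERSION=1.1.4
# DEBIAN_FRONTEND=noninteractive is required for non-interactive install of tshark
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y tshark
RUN apt-get update && apt-get install -y --no-install-recommends build-essential wget && rm -rf /var/lib/apt/lists/*
# pcapfix is fetched as a source tarball over plain HTTP with no checksum or
# signature verification, compiled, and its binary copied into the runtime
# image below -- the one unverified input of this build.
RUN wget http://f00l.de/pcapfix/pcapfix-${PCAPFIX_VERSION}.tar.gz && \
    tar xf pcapfix-${PCAPFIX_VERSION}.tar.gz && \
    cd pcapfix-${PCAPFIX_VERSION} && \
    # Force sys/types.h to be included ahead of the existing OPTFLAGS defines.
    sed -i'' -e 's/OPTFLAGS =.* -D/OPTFLAGS = -include sys\/types.h -D/' Makefile && \
    make && \
    make install

FROM ghcr.io/security-onion-solutions/python:3.13.7-slim

# COPY rather than ADD for local files: ADD additionally unpacks archives and
# fetches URLs, neither of which is wanted for these two scripts.
COPY evtx_calc_timestamps.sh /evtx_calc_timestamps.sh
RUN chmod +x /evtx_calc_timestamps.sh

COPY timeshift.py /timeshift.py
RUN chmod +x /timeshift.py

# libwiretap is required by the capinfos binary copied in below
# jq is required for evtx timestamp script
# --force-yes was dropped: it is deprecated and, among other things, lets apt
# proceed with packages it cannot authenticate. These packages come from the
# base image's signed repositories and install with a plain -y.
RUN apt-get update && apt-get install -y --no-install-recommends libwiretap15 git jq && rm -rf /var/lib/apt/lists/*
# Only elasticsearch is pinned; evtx, tqdm, orjson and importlib_metadata float
# to whatever PyPI serves at build time.
RUN pip3 install evtx elasticsearch==7.17.1 tqdm orjson importlib_metadata
RUN pip3 install evtx2es --no-dependencies

COPY --from=builder /usr/bin/pcapfix /usr/bin/
COPY --from=builder /usr/bin/capinfos /usr/bin/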
33 |
--------------------------------------------------------------------------------
/so-pcaptools/evtx_calc_timestamps.sh:
--------------------------------------------------------------------------------
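#!/bin/bash
# Convert an EVTX file to line-delimited JSON, optionally shift its
# timestamps, and record the extreme @timestamp values.
#
# Inputs:
#   /tmp/data.evtx   the EVTX file to convert
#   SHIFTTS          (optional) reference date handed to timeshift.py; when
#                    set, timestamps are shifted so the newest event lands on it
# Outputs:
#   /tmp/evtx/data.json        one JSON object per line
#   /tmp/oldest, /tmp/newest   a single @timestamp each (see note below)
#
# Fail fast: previously a failed evtx2json or jq step left empty/partial output
# behind while the script still exited 0. pipefail is deliberately not used
# because `sort | head -n 1` below can end sort with SIGPIPE on large inputs.
set -e

# Convert EVTX to JSON (evtx2json writes a single JSON array)
evtx2json -q "/tmp/data.evtx" --output-file /tmp/evtx/import.json

# Check for timeshift
if [[ -n "${SHIFTTS}" ]]; then
    # Shift timestamps in place. The Dockerfile installs the script at
    # /timeshift.py; call it by absolute path instead of relying on the cwd.
    python /timeshift.py /tmp/evtx/import.json "${SHIFTTS}" event.created
fi

# Ensure JSON is line-delimited (quote the filter so the shell never globs it)
jq -c '.[]' /tmp/evtx/import.json > /tmp/evtx/data.json

# Remove older import file (rm -f is a no-op if it is already gone)
rm -f /tmp/evtx/import.json

# Capture the extreme event timestamps. ISO-8601 strings sort lexically, so
# `sort -r | head -n 1` yields the newest value and `sort | head -n 1` the oldest.
# NOTE(review): the target file names are the reverse of that -- /tmp/oldest
# receives the newest timestamp and /tmp/newest the oldest. Left unchanged
# because consumers outside this file read these names; confirm what they
# expect before swapping.
jq -r '.["@timestamp"]' /tmp/evtx/data.json | sort -r | head -n 1 > /tmp/oldest
jq -r '.["@timestamp"]' /tmp/evtx/data.json | sort | head -n 1 > /tmp/newest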
22 |
--------------------------------------------------------------------------------
/so-pcaptools/timeshift.py:
--------------------------------------------------------------------------------
import argparse
import json
from datetime import datetime, timedelta, timezone
4 |
def parse_custom_date(date_str):
    """Parse a timestamp string into a ``datetime``.

    A short list of explicit ``strptime`` layouts is tried first; when none
    matches, the text (minus any trailing ``Z``) is handed to
    ``datetime.fromisoformat``.

    Args:
        date_str: the timestamp text to parse.

    Returns:
        A naive ``datetime`` for the explicit layouts; for the ISO fallback,
        whatever ``fromisoformat`` returns for the remaining text.

    Raises:
        ValueError: if no layout matches and the ISO fallback also fails.
    """
    # Extend this tuple when a new input layout shows up.
    known_layouts = (
        "%Y-%m-%dT%H:%M:%SZ",
        "%Y-%m-%d %H:%M:%S",
        "%Y-%m-%dT%H:%M:%S.%fZ",
    )
    for layout in known_layouts:
        try:
            return datetime.strptime(date_str, layout)
        except ValueError:
            continue
    # Last resort: ISO 8601 with the Zulu suffix removed before parsing.
    return datetime.fromisoformat(date_str.rstrip("Z"))
15 |
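def shift_timestamp(json_data, reference_date_str, nested_key):
    """Shift every record's timestamps so the newest one lands on a reference date.

    The newest value found under ``nested_key`` (a dotted path such as
    ``"event.created"``) is aligned to ``reference_date_str``; every other
    record is moved by the same delta, so the relative spacing of events is
    preserved.

    Args:
        json_data: list of event dicts; modified in place.
        reference_date_str: timestamp text accepted by ``parse_custom_date``.
        nested_key: dotted path of the timestamp field that drives the shift.

    Returns:
        The same ``json_data`` list, after mutation.

    Raises:
        ValueError: if the reference date or a record's timestamp does not
            parse. Records that merely lack ``nested_key`` are skipped.
    """
    reference_date = parse_custom_date(reference_date_str)

    # Collect the timestamps that exist. find_nested_value raises KeyError
    # for records without the path; those must be skipped rather than abort
    # the whole run (the original comprehension let that KeyError escape,
    # while the loop below already tolerated it).
    valid_dates = []
    for data in json_data:
        try:
            date_str = find_nested_value(data, nested_key)
        except KeyError:
            continue
        if date_str:
            valid_dates.append(parse_custom_date(date_str))

    # With no usable timestamps the delta is zero and nothing below changes.
    most_recent_date = max(valid_dates) if valid_dates else reference_date
    time_shift = reference_date - most_recent_date

    for data in json_data:
        try:
            date_str = find_nested_value(data, nested_key)
            if not date_str:
                continue
            shifted_datetime = parse_custom_date(date_str) + time_shift
            shifted_iso = shifted_datetime.isoformat() + "Z"

            # Assignment order matters: a record without the
            # 'winlog.event_data.UtcTime' path keeps the '@timestamp',
            # 'timestamp' and 'event.created' values written before the
            # KeyError fires on the last line.
            data['@timestamp'] = shifted_iso
            data['timestamp'] = shifted_iso
            data['event']['created'] = shifted_iso
            # UtcTime keeps its original layout: space separator, millisecond precision.
            data['winlog']['event_data']['UtcTime'] = shifted_datetime.strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]
        except KeyError:
            # One of the paths above is missing for this record; keep whatever
            # was already written and move on.
            pass

    return json_data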
42 |
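def find_nested_value(data, nested_key):
    """Resolve a dotted path such as ``"event.created"`` inside nested dicts.

    Args:
        data: the (possibly nested) dict to walk.
        nested_key: dot-separated sequence of keys.

    Returns:
        The value found at the end of the path.

    Raises:
        KeyError: if any path segment is missing, or if an intermediate value
            is not a dict. (The original let ``"x" in some_string`` succeed
            and then died with a TypeError on ``some_string["x"]``; callers
            only catch KeyError, so that is what is raised here.)
    """
    value = data
    for key in nested_key.split('.'):
        if not isinstance(value, dict) or key not in value:
            raise KeyError(f"Key not found: {nested_key}")
        value = value[key]
    return value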
52 |
def read_json_data_from_file(file_path):
    """Load and return the JSON document stored at ``file_path``.

    The caller expects a JSON array of event objects, but whatever valid JSON
    value the file holds is returned unchanged.
    """
    with open(file_path, "r") as handle:
        return json.load(handle)
57 |
def write_jsonl_data_to_file(file_path, json_data):
    """Serialise ``json_data`` to ``file_path``, overwriting any existing file.

    Despite the name this writes a single JSON document (e.g. one array), not
    line-delimited JSON; the companion evtx_calc_timestamps.sh converts the
    result with ``jq -c`` afterwards.
    """
    with open(file_path, "w") as handle:
        json.dump(json_data, handle)
61 |
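def main():
    """Command-line entry point: shift a JSON array of events in place.

    Usage: ``timeshift.py FILE [REFERENCE_DATE] NESTED_KEY``. The shifted data
    is written back to FILE. (The original wrote to a hard-coded
    ``/tmp/evtx/import.json`` whatever FILE was; the in-tree caller passes
    exactly that path, so this is unchanged for it and correct for others.)
    """
    # Parse command-line arguments
    parser = argparse.ArgumentParser(description="Shift the @timestamp field for Windows Event Logs")
    parser.add_argument("file_path", help="Path to the file containing JSON data (JSON array).")
    parser.add_argument("reference_date", nargs="?", default=None, help="Reference date in custom format (e.g., '2023-08-01T16:00:00Z').")
    parser.add_argument("nested_key", help="Nested key in the JSON objects containing the timestamp to be shifted (e.g., 'event.created').")
    args = parser.parse_args()

    # Read JSON data from the file
    json_data = read_json_data_from_file(args.file_path)

    # Default the reference to "now" in UTC. The rest of the script works with
    # naive datetimes, so drop tzinfo before formatting; datetime.utcnow() is
    # deprecated from Python 3.12 onwards and the image runs 3.13.
    if args.reference_date:
        reference_date_str = args.reference_date
    else:
        reference_date_str = datetime.now(timezone.utc).replace(tzinfo=None).isoformat() + "Z"

    # Shift the timestamp fields relative to the reference date
    shifted_json_data = shift_timestamp(json_data, reference_date_str, args.nested_key)

    # Save the updated JSON data back to the input file
    write_jsonl_data_to_file(args.file_path, shifted_json_data)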
81 |
# Run the CLI only when executed directly so the functions above stay importable.
if __name__ == "__main__":
    main()
84 |
--------------------------------------------------------------------------------
/so-redis/Dockerfile:
--------------------------------------------------------------------------------
FROM ghcr.io/security-onion-solutions/redis:7.2.11-alpine
LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="REDIS running in Docker container for use with Security Onion"
# Create the socore account (939 is the id used across this repo) and give it
# the data directory. NOTE(review): there is no USER instruction, so which
# account redis-server finally runs as depends on the base image's entrypoint
# (the repo carries its own so-redis/files/docker-entrypoint.sh) -- confirm it
# ends up as 939 rather than root.
RUN addgroup -g 939 socore && adduser -D --uid 939 --ingroup socore socore && \
chown 939:939 /data
VOLUME /data
WORKDIR /data
EXPOSE 6379
# No configuration file or password option is passed here; authentication and
# bind settings are whatever the entrypoint/redis defaults provide, so access
# control presumably rests on the container network.
CMD ["redis-server"]
10 |
--------------------------------------------------------------------------------
/so-redis/files/docker-entrypoint.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-image/5acc2b6df85d9933b6f2ac7e3216fec95b17135b/so-redis/files/docker-entrypoint.sh
--------------------------------------------------------------------------------
/so-steno/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright Security Onion Solutions, LLC
2 |
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see <https://www.gnu.org/licenses/>.
15 |
FROM ghcr.io/security-onion-solutions/oraclelinux:9

LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="Google Stenographer running in a docker for use with Security Onion."

# Common Oracle layer
RUN dnf update -y && dnf -y install epel-release bash libpcap iproute && \
dnf clean all && rm -rf /var/cache/dnf/*

# Packages Specific to this Container
# NOTE(review): golang is a build toolchain and stays in the final image here;
# unless stenographer needs it at runtime it only enlarges the attack surface --
# confirm.
RUN dnf -y install snappy leveldb tcpdump jq libaio libseccomp golang which openssl && \
dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf/*

# User configuration
# - stenographer runs as uid/gid 941 (so-steno.sh drops to it with runuser).
# - The RPM is installed straight from a GitHub release URL with `rpm -i`, which
#   proceeds even if the package is unsigned or signed by an unknown key (it
#   only warns), and no checksum is checked; the build trusts that URL outright.
# - setcap puts the capabilities for packet capture (NET_RAW, NET_ADMIN),
#   memory locking (IPC_LOCK) and group switching (SETGID) on the stenotype
#   binary, which is what lets it run without root.
RUN groupadd -g 941 stenographer && \
useradd stenographer -u 941 -g 941 && \
rpm -i https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/stenographer-v101/securityonion-stenographer-v1.0.1.0.rpm && \
chmod 755 /usr/bin/steno* && \
setcap 'CAP_NET_RAW+ep CAP_NET_ADMIN+ep CAP_IPC_LOCK+ep CAP_SETGID+ep' /usr/bin/stenotype && \
mkdir -p /nsm/pcap/files && \
mkdir -p /nsm/pcap/index && \
chown -R 941:941 /nsm/pcap && \
mkdir -p /etc/stenographer/certs && \
mkdir -p /var/log/stenographer && \
usermod -s /bin/bash stenographer


# Copy over the entry script.
COPY files/so-steno.sh /usr/local/sbin/so-steno.sh
RUN chmod +x /usr/local/sbin/so-steno.sh

# No USER instruction: the entrypoint starts as root to generate keys and fix
# ownership, then execs stenographer as the stenographer user.
ENTRYPOINT ["/usr/local/sbin/so-steno.sh"]
48 |
--------------------------------------------------------------------------------
/so-steno/README.md:
--------------------------------------------------------------------------------
1 | Google Stenographer
2 |
--------------------------------------------------------------------------------
/so-steno/files/so-steno.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Entrypoint for the so-steno container (ENTRYPOINT in its Dockerfile).
# Everything below logs to the stenographer log file; the script starts as
# root and drops privileges only for the stenographer process itself.
exec >> /var/log/stenographer/stenographer.log 2>&1

# Generate the keys if they have not been already.
# 941 is the stenographer uid/gid created in the Dockerfile; 939 is the id used
# elsewhere in this repo for the socore account (so-redis Dockerfile) --
# presumably so another container can read the client certs; confirm.
/usr/bin/stenokeys.sh 941 939

# Make the generated certs owned by stenographer and readable by that group
# (still running as root here).
chown -R 941:939 /etc/stenographer/certs

# Replace this shell with stenographer running as the unprivileged user. Its
# capture ability comes from the file capabilities set on stenotype in the
# Dockerfile (setcap), not from root.
exec runuser -l stenographer -c 'exec /usr/bin/stenographer -v 1 --syslog=false'
10 |
--------------------------------------------------------------------------------
/so-strelka-backend/Dockerfile:
--------------------------------------------------------------------------------
FROM ghcr.io/security-onion-solutions/ubuntu:22.04
LABEL maintainer="Security Onion Solutions, LLC"

ARG DEBIAN_FRONTEND=noninteractive

# Test configuration
ARG CONFIG_TESTS=false

ARG YARA_VERSION=4.3.1
ARG CAPA_VERSION=6.1.0
ARG EXIFTOOL_VERSION=12.60

# Environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONFAULTHANDLER 1
ENV PYTHONUNBUFFERED 1

# User configuration
ARG USERNAME=strelka
ARG USER_UID=1001
ARG USER_GID=$USER_UID

# SO - Pin to release tag, download from GitHub, and prepare container dirs
ARG STRELKA_RELEASE_VERSION=0.24.01.18

RUN groupadd --gid $USER_GID $USERNAME \
&& useradd --uid $USER_UID --gid $USER_GID --create-home --shell /bin/bash $USERNAME

# Keep downloaded .debs so the BuildKit cache mounts in the JTR step below can reuse them.
RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

# Upstream checkout pinned by release tag. Note that pin.pref is taken from the
# upstream tree while mantic.list is the local copy added below (the upstream
# one is commented out); the pin.pref shipped next to this Dockerfile is not
# referenced here.
RUN mkdir /strelka && \
mkdir /etc/strelka && \
mkdir /tmp/strelka && \
mkdir /var/log/strelka && \
apt -y update && \
apt -y upgrade && \
apt install git -y && \
git clone -b $STRELKA_RELEASE_VERSION https://github.com/target/strelka /tmp/strelka && \
cp -fr /tmp/strelka/pyproject.toml /strelka/ && \
cp -fr /tmp/strelka/poetry.lock /strelka/ && \
cp -fr /tmp/strelka/src/python/* /strelka/ && \
cp -fr /tmp/strelka/configs/python/backend/* /etc/strelka/ && \
cp -fr /tmp/strelka/build/python/backend/pin.pref /etc/apt/preferences.d/ && \
# cp -fr /tmp/strelka/build/python/backend/mantic.list /etc/apt/sources.list.d/ && \
rm -fr /tmp/strelka && \
chown -R ${USER_UID}:${USER_GID} /var/log/strelka/

# Adds Ubuntu 23.10 (mantic, end-of-life, served from old-releases over plain
# HTTP) pockets to a 22.04 base. apt still verifies the Release signatures,
# but packages taken from there receive no security updates.
ADD mantic.list /etc/apt/sources.list.d/mantic.list

# Install build packages
RUN apt-get -q update && \
apt-get install -q -y --no-install-recommends \
automake build-essential cmake curl gcc git dirmngr gnupg gpg libglu1-mesa libtool make swig python3-dev python3-pip python3-wheel python-is-python3 pkg-config supervisor ncat && \
# Install runtime packages
apt-get install -q -y --no-install-recommends \
7zip antiword binwalk libarchive-dev libfuzzy-dev libjansson-dev libmagic-dev libssl-dev libzbar0 libgl1 python3-setuptools redis-server tesseract-ocr unrar unzip upx jq && \
# Download and compile exiftool (pinned by tag, no checksum verification)
cd /tmp/ && \
curl -OL https://github.com/exiftool/exiftool/archive/refs/tags/$EXIFTOOL_VERSION.tar.gz && \
tar -zxvf $EXIFTOOL_VERSION.tar.gz && \
cd exiftool-$EXIFTOOL_VERSION/ && \
perl Makefile.PL && \
make && \
make install && \
# Install FireEye CAPA rules and signatures
# (rules are pinned by tag; the three .sig files come from the moving master branch)
mkdir -p /etc/capa/rules/ && \
curl -OL https://github.com/mandiant/capa-rules/archive/refs/tags/v$CAPA_VERSION.zip && \
unzip v$CAPA_VERSION.zip -d /etc/capa/rules/ && \
rm -rf v$CAPA_VERSION.zip && \
mkdir -p /etc/capa/signatures/ && \
cd /etc/capa/signatures/ && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/1_flare_msvc_rtf_32_64.sig && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/2_flare_msvc_atlmfc_32_64.sig && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/3_flare_common_libs.sig && \
# Install FireEye FLOSS
# - Binary installation, not supported as Python 3 plugin
# - Requires binary to be executable
# NOTE(review): this is an unversioned, unverified executable pulled from a
# third-party S3 bucket and placed on PATH; a checksum pin would tie the image
# to a known build.
cd /tmp/ && \
curl -OL https://s3.amazonaws.com/build-artifacts.floss.flare.fireeye.com/travis/linux/dist/floss && \
chmod +x /tmp/floss && \
mv /tmp/floss /bin/floss && \
# Install YARA (pinned by tag, built from source)
cd /tmp/ && \
curl -OL https://github.com/VirusTotal/yara/archive/v$YARA_VERSION.tar.gz && \
tar -zxvf v$YARA_VERSION.tar.gz && \
cd yara-$YARA_VERSION/ && \
./bootstrap.sh && \
./configure --with-crypto --enable-magic --enable-cuckoo && \
make -s && make -s install && make -s check && \
# Install yara-python
cd /tmp/ && \
curl -OL https://github.com/VirusTotal/yara-python/archive/v$YARA_VERSION.tar.gz && \
tar -zxvf v$YARA_VERSION.tar.gz && \
cd yara-python-$YARA_VERSION/ && \
python3 setup.py build --dynamic-linking && \
python3 setup.py install

# Install JTR
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt-get update -qq && \
apt-get install -qq -y --no-install-recommends \
ca-certificates zlib1g-dev yasm libgmp-dev liblzma-dev libpcap-dev libbz2-dev libgomp1 && \
cpan -i Compress::Raw::Lzma && \
# The maintainer isn't big on releases or tags so grab an arbitrary, but consistent, commit.
# Additionally jump through some extra hoops to get the single commit to save some download time.
# (Pinning to a full commit hash is the strongest form of source pinning in this file.)
mkdir jtr && cd jtr && git init && git remote add origin https://github.com/openwall/john.git && \
git fetch --depth 1 origin b5c10480f56ff1b5d76c6cbdaf9c817582ee2228 && \
git reset --hard FETCH_HEAD && \
rm -rf /jtr/.git && \
cd /jtr/src && \
./configure && \
make -s clean && \
make -sj4 && \
make install && \
cp -Tr /jtr/run/ /jtr && rm -rf /jtr/run && \
# NOTE(review): 777 makes the whole JTR tree, executables included, writable by
# any account in the container; the chown on the next line already gives the
# service user ownership, so 755 would suffice. The chown also uses $USER_UID
# for the group, which only matches because USER_GID defaults to USER_UID.
chmod -R 777 /jtr && \
chown -R $USER_UID:$USER_UID /jtr && \

# Install Poetry globally and copy project files
# (the blank line above sits inside the `&& \` continuation; Docker warns about empty continuation lines)
python3 -m pip install -U pip setuptools && \
# Install specific version of poetry, in >= 2.0.0 --no-dev is removed and causes build errors in strelka <= 0.24.01.18
python3 -m pip install poetry==1.8.5 && \
rm -rf /root/.cache/pip

# Set the working directory
WORKDIR /strelka/

# Use Poetry to install the project dependencies globally
# This step is after the COPY step because it is more likely to change,
# and therefore should not be included in earlier layers that can be cached.
RUN poetry config virtualenvs.create false && \
poetry install --no-dev && \
rm -rf /root/.cache/pypoetry && \
# Install Strelka
cd /strelka/ && \
python3 setup.py -q build && \
python3 setup.py -q install && \
# Remove build packages (compilers, curl, git, gpg, pip leave the final image)
python3 setup.py -q clean --all && \
rm -rf dist/ strelka.egg-info && \
pip3 uninstall -y grpcio-tools && \
apt-get remove -y --purge \
automake build-essential cmake curl gcc git gpg libtool make python3-dev python3-pip python3-wheel && \
apt-get clean -qq && \
rm -rf /var/lib/apt/lists/* /tmp/yara*

# Run tests as non-root user
USER $USERNAME

# Run build checks
RUN echo '[+] Run build checks' && \
cd /strelka/strelka/ && \
python3 -m pytest -p no:cacheprovider -s tests/ --ignore-glob='*pcap*.py' --ignore-glob='*test_scan_transcode.py' --ignore-glob='*test_scan_nf.py' && \
if $CONFIG_TESTS; then python3 -m pytest -s tests_configuration/; fi && \
echo '[+] Done'

# Back to root only for the cleanup below.
USER root

# Remove build directories and unused files
# Remove config directory (will bind mount once built)
RUN cd /strelka/ && \
rm -rf /strelka/ && \
rm -rf /root/.cache && \
rm -rf /tmp/* && \
rm -rf /etc/strelka/

# Final image runs as the unprivileged strelka user.
USER $USERNAME
169 |
--------------------------------------------------------------------------------
/so-strelka-backend/mantic.list:
--------------------------------------------------------------------------------
# Extra Ubuntu 23.10 ("mantic") pockets layered onto the 22.04 base image by the
# so-strelka-backend Dockerfile. mantic is end-of-life and is served from
# old-releases over plain HTTP; apt still verifies the Release signatures, but
# packages from here receive no security updates.
# NOTE(review): amd64 gets the `mantic` pocket while arm64 gets `mantic-backports`
# only -- confirm that asymmetry is intended.
deb [arch=amd64] http://old-releases.ubuntu.com/ubuntu mantic main restricted universe multiverse
deb [arch=arm64] http://old-releases.ubuntu.com/ubuntu mantic-backports main restricted universe multiverse
--------------------------------------------------------------------------------
/so-strelka-backend/pin.pref:
--------------------------------------------------------------------------------
Explanation: 7zip from jammy is held below the default priority (500), so it is
Explanation: used only when no other configured source offers the package.
Package: 7zip
Pin: release n=jammy
Pin-Priority: 100

Explanation: Everything from lunar (23.04) is held below the default priority,
Explanation: so lunar packages are taken only when nothing else provides them.
Explanation: NOTE(review): the Dockerfile next to this file installs the pin.pref
Explanation: from the upstream strelka checkout and adds a mantic source, so this
Explanation: local file appears unused and a "lunar" pin would not match the
Explanation: mantic pocket anyway -- confirm.
Package: *
Pin: release n=lunar
Pin-Priority: 200
8 |
--------------------------------------------------------------------------------
/so-strelka-filestream/Dockerfile:
--------------------------------------------------------------------------------
FROM ghcr.io/security-onion-solutions/golang:1.24.3-alpine AS build
ARG STRELKA_RELEASE_VERSION=0.24.01.18

# Static build (CGO_ENABLED=0) of the pinned upstream release. By default
# `go install pkg@version` resolves the module through the Go module proxy and
# checks it against the checksum database, tying the binary to that tag.
RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-filestream@$STRELKA_RELEASE_VERSION

FROM ghcr.io/security-onion-solutions/alpine:3.21.3
LABEL maintainer="Security Onion Solutions, LLC"

# Only the compiled binary crosses into the runtime image; no Go toolchain here.
COPY --from=build /go/bin/strelka-filestream /usr/local/bin/
# Service account 939 with no password and no home directory. The trailing
# "strelka" is BusyBox adduser's optional GROUP argument, redundant with -G.
RUN addgroup -g 939 strelka && \
adduser -u 939 -G strelka strelka --disabled-password \
-h /etc/strelka --no-create-home strelka
RUN apk add --no-cache jq
# The container's default process runs unprivileged.
USER strelka
15 |
--------------------------------------------------------------------------------
/so-strelka-frontend/Dockerfile:
--------------------------------------------------------------------------------
FROM ghcr.io/security-onion-solutions/golang:1.24.3-alpine AS build
ARG STRELKA_RELEASE_VERSION=0.24.01.18

# cgo build (CGO_ENABLED=1, musl tag) of the pinned upstream release; the
# librdkafka/pkgconfig packages suggest the frontend links librdkafka through
# cgo. By default `go install pkg@version` resolves the module through the Go
# module proxy and checks it against the checksum database.
RUN apk add openssl-dev \
bash \
build-base \
pkgconfig \
librdkafka \
librdkafka-dev && \
CGO_ENABLED=1 go install -tags musl github.com/target/strelka/src/go/cmd/strelka-frontend@$STRELKA_RELEASE_VERSION

FROM ghcr.io/security-onion-solutions/alpine:3.21.3
LABEL maintainer="Security Onion Solutions, LLC"

# Only the binary is copied; no Go toolchain or build deps in the runtime image.
# NOTE(review): nothing installs librdkafka in this stage, so this works only if
# the musl build links it statically -- confirm (e.g. with ldd on the binary).
COPY --from=build /go/bin/strelka-frontend /usr/local/bin/

# Unprivileged service account (939) and a log file it owns. The trailing
# "strelka" on adduser is BusyBox's optional GROUP argument, redundant with -G.
RUN addgroup -g 939 strelka && \
adduser -u 939 -G strelka strelka --disabled-password \
-h /etc/strelka --no-create-home strelka && \
mkdir /var/log/strelka/ && \
touch /var/log/strelka/strelka.log && \
chown -R 939:939 /var/log/strelka/

# The container's default process runs unprivileged.
USER strelka
25 |
--------------------------------------------------------------------------------
/so-strelka-manager/Dockerfile:
--------------------------------------------------------------------------------
FROM ghcr.io/security-onion-solutions/golang:1.24.3-alpine AS build
ARG STRELKA_RELEASE_VERSION=0.24.01.18

# Static build (CGO_ENABLED=0) of the pinned upstream release. By default
# `go install pkg@version` resolves the module through the Go module proxy and
# checks it against the checksum database, tying the binary to that tag.
RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-manager@$STRELKA_RELEASE_VERSION

FROM ghcr.io/security-onion-solutions/alpine:3.21.3
LABEL maintainer="Security Onion Solutions, LLC"

# Only the compiled binary crosses into the runtime image; no Go toolchain here.
COPY --from=build /go/bin/strelka-manager /usr/local/bin/
# Service account 939 with no password and no home directory. The trailing
# "strelka" is BusyBox adduser's optional GROUP argument, redundant with -G.
RUN addgroup -g 939 strelka && \
adduser -u 939 -G strelka strelka --disabled-password \
-h /etc/strelka --no-create-home strelka
# The container's default process runs unprivileged.
USER strelka
14 |
--------------------------------------------------------------------------------
/so-suricata/Dockerfile:
--------------------------------------------------------------------------------
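# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

# Build stage: compile Suricata from the upstream source tarball and stage the
# install tree under /suricata/suriinstall so only that tree is copied into
# the runtime image below.
FROM ghcr.io/security-onion-solutions/oraclelinux:9 AS builder

RUN dnf update -y && \
    dnf -y install epel-release && \
    dnf config-manager --enable ol9_codeready_builder
RUN dnf -y install oraclelinux-developer-release-el9
RUN dnf repolist
# Build toolchain and development headers. cbindgen is installed via cargo;
# presumably it is needed by Suricata's Rust components (see upstream build docs).
RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \
    jansson-devel jq libcap-ng-devel libevent-devel \
    libmaxminddb-devel libmaxminddb libnet-devel libnetfilter_queue-devel \
    libnfnetlink-devel libpcap-devel libtool libyaml-devel \
    lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \
    python3-devel python3-sphinx python3-yaml sudo which cargo \
    zlib-devel luajit-devel && cargo install --force cbindgen
# Upstream Suricata release to build.
ENV SURIVERSION=7.0.12
RUN mkdir /suricata

WORKDIR /suricata

# -f makes curl fail the step on an HTTP error instead of saving the error page
# as the tarball (which would otherwise only surface as a confusing tar error).
# NOTE: TLS is the only integrity check on this download; no checksum or
# signature of the tarball is verified. To pin it, compare against the
# upstream-published digest for this release, e.g.
#   echo "<SHA256_PLACEHOLDER>  suricata-$SURIVERSION.tar.gz" | sha256sum -c -
# --disable-gccmarch-native keeps the binary portable rather than tuned to the
# build host's CPU.
RUN curl -fvO https://www.openinfosecfoundation.org/download/suricata-$SURIVERSION.tar.gz && tar zxvf suricata-$SURIVERSION.tar.gz && \
    cd suricata-$SURIVERSION && ./configure --enable-rust --enable-luajit --prefix=/opt/suricata --sysconfdir=/etc --disable-gccmarch-native --localstatedir=/var --enable-geoip && make -j4
# Stage the install (binaries + default config) into DESTDIR; /var/run is
# dropped because the entry script recreates the runtime directory at start.
RUN mkdir suriinstall && cd suricata-$SURIVERSION && make install DESTDIR=/suricata/suriinstall && make install-conf DESTDIR=/suricata/suriinstall && rm -rf /suricata/suriinstall/var/run

# Runtime stage.
FROM ghcr.io/security-onion-solutions/oraclelinux:9

LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="Suricata running in a docker with AF_Packet for use with Security Onion."

# Common Oracle layer
RUN dnf update -y && dnf -y install epel-release bash libpcap iproute && \
    dnf clean all && rm -rf /var/cache/dnf/*

# Packages Specific to this Container: shared libraries the build above links
# against. cargo/rustc and nss-devel look like build-time rather than runtime
# dependencies — confirm whether they are actually needed here; dropping them
# would shrink the image and its attack surface.
RUN dnf -y install luajit libnet jansson libyaml cargo rustc nss nss-devel libmaxminddb && \
    dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf/*

COPY --from=builder /suricata/suriinstall/ /

# User configuration: fixed uid/gid 940 matches the --user/--group the entry
# script passes to Suricata, so config and logs are readable once it drops
# privileges.
RUN groupadd --gid 940 suricata && \
    adduser --uid 940 --gid 940 --home-dir /etc/suricata --no-create-home suricata && \
    chown -R 940:940 /etc/suricata && \
    chown -R 940:940 /var/log/suricata

# Copy over the entry script (COPY rather than ADD: plain local file, no
# URL/archive handling wanted).
COPY files/so-suricata.sh /usr/local/sbin/so-suricata.sh

# The fx-libpcap RPM is fetched straight from GitHub releases at build time.
# rpm only enforces the package signature when the signing key has been
# imported, which this Dockerfile does not do (it warns NOKEY and installs),
# so treat this as an unverified download.
RUN chmod +x /usr/local/sbin/so-suricata.sh && rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el9.x86_64.rpm

# No USER instruction: the entry script starts Suricata as root (presumably so
# it can open AF_PACKET sockets) and has Suricata itself drop to uid/gid 940.
ENTRYPOINT ["/usr/local/sbin/so-suricata.sh"]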
--------------------------------------------------------------------------------
/so-suricata/README.md:
--------------------------------------------------------------------------------
1 | Suricata Docker Container
2 |
--------------------------------------------------------------------------------
/so-suricata/files/so-suricata.sh:
--------------------------------------------------------------------------------
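#!/bin/bash
# Container entry point for Suricata. Builds the optional AF_PACKET argument
# from $INTERFACE, prepares the runtime directory, then replaces this shell
# with Suricata so it is PID 1 and receives the container's signals directly.

# Optional capture interface. Kept in an array so an empty value adds no
# argument at all and a value is passed as exactly one argument.
SURI_ARGS=()
if [ -n "$INTERFACE" ]; then
    SURI_ARGS+=("--af-packet=$INTERFACE")
fi

# Runtime directory owned by the unprivileged uid/gid Suricata drops to below.
# Delete the old PID file so Suricata will start (a stale one blocks startup);
# it is a plain file, so -f is sufficient.
mkdir -p /var/run/suricata
chown 940:940 /var/run/suricata
chmod 770 /var/run/suricata
rm -f /var/run/suricata.pid

# Start Suricata - --init-errors-fatal could be added to make it die if rules are wrong.
# exec so SIGTERM from the container runtime reaches Suricata itself rather
# than this shell; "$@" is quoted so extra container arguments containing
# spaces are forwarded intact.
exec /opt/suricata/bin/suricata -c /etc/suricata/suricata.yaml "${SURI_ARGS[@]}" --user=940 --group=940 --pidfile /var/run/suricata.pid -F /etc/suricata/bpf "$@"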
--------------------------------------------------------------------------------
/so-tcpreplay/Dockerfile:
--------------------------------------------------------------------------------
# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

FROM ghcr.io/security-onion-solutions/oraclelinux:9

LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="Replay PCAPs to sniffing interface(s)"

# Common Oracle layer
RUN dnf update -y && dnf -y install epel-release bash libpcap iproute && \
dnf clean all && rm -rf /var/cache/dnf/*

# Packages Specific to this Container: alien and rpmrebuild are used only to
# turn the Ubuntu sample-PCAP .deb packages further down into RPMs; wget
# fetches them.
RUN dnf config-manager --enable ol9_codeready_builder && dnf -y install oraclelinux-developer-release-el9 && dnf repolist && \
dnf -y install rpmrebuild alien wget libnsl && \
dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf/*

# Manually patch bug fix in rpmrebuild v2.20. See https://sourceforge.net/p/rpmrebuild/bugs/18/ for more info.
# Can remove once v2.21 is released.
# Quoting note: inside double quotes "\\$" reaches sed as "\$", a literal dollar
# sign (not an end-of-line anchor), so the script line that presumably runs
# "rpm2archive $<var>" is rewritten to "rpm2archive - < $<var>", i.e. rpm2archive
# reads the package from stdin.
RUN sed -i "s/rpm2archive \\$/rpm2archive - < $/" /usr/lib/rpmrebuild/rpmrebuild.sh

# Copy over tcpreplay - using v4.2.6 instead of 4.3.x because of known bugs: https://github.com/appneta/tcpreplay/issues/557
# files/tcpreplay is a prebuilt binary vendored in this repo; nothing here
# verifies its provenance, so treat any update to it as supply-chain sensitive.
COPY files/tcpreplay /usr/local/bin/tcpreplay

# Sample PCAP packages (no user configuration happens in this image)

# Download the securityonion-samples .deb packages from Launchpad, convert each
# to an RPM with alien, rewrite the generated spec with rpmrebuild (the sed
# comments out the %dir ... "/" entry, presumably so the package does not claim
# ownership of /), install the rebuilt RPMs, then remove the downloaded
# artifacts. The downloads are protected by TLS only; no checksum or signature
# is verified.
RUN for i in securityonion-samples_20121202-0ubuntu0securityonion4_all.deb securityonion-samples-bro_20170824-1ubuntu1securityonion3_all.deb securityonion-samples-markofu_20130522-0ubuntu0securityonion3_all.deb securityonion-samples-mta_20190514-1ubuntu1securityonion1_all.deb securityonion-samples-shellshock_20140926-0ubuntu0securityonion2_all.deb; do wget https://launchpad.net/~securityonion/+archive/ubuntu/stable/+files/$i; done && \
\
alien -r *.deb && \
\
for i in securityonion-samples-20121202-1.noarch.rpm securityonion-samples-bro-20170824-2.noarch.rpm securityonion-samples-markofu-20130522-1.noarch.rpm securityonion-samples-mta-20190514-2.noarch.rpm securityonion-samples-shellshock-20140926-1.noarch.rpm ; do rpmrebuild -p --change-spec-files='sed -e "s/%dir.*\"\/\"/#/"' -d/tmp/ $i && rpm -ivh /tmp/noarch/$i; done && \
\
rm *.deb && \
rm *.rpm

# Interactive shell; tcpreplay is invoked by the caller. There is no USER
# instruction, so the shell runs as root — presumably required to write raw
# frames to the sniffing interface.
ENTRYPOINT ["/bin/bash"]
--------------------------------------------------------------------------------
/so-tcpreplay/files/tcpreplay:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-image/5acc2b6df85d9933b6f2ac7e3216fec95b17135b/so-tcpreplay/files/tcpreplay
--------------------------------------------------------------------------------
/so-telegraf/Dockerfile:
--------------------------------------------------------------------------------
# Built on the upstream telegraf alpine image at a pinned tag (appears to be
# mirrored under the SO registry); telegraf itself and /entrypoint.sh come
# from that base image, not from this directory.
FROM ghcr.io/security-onion-solutions/telegraf:1.36.1-alpine
LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="Telegraf running in Docker container for use with Security Onion"

# Root is needed for apk below. There is no later USER instruction, so the
# container's ENTRYPOINT also runs as root. Whether the base image had
# switched to an unprivileged user before this point is not visible here —
# confirm, and keep root only if the inputs SO configures actually need it.
USER root

# Extra tools, presumably for exec/script-based inputs run by telegraf.
# --no-cache avoids leaving the apk index in the layer.
RUN apk add --no-cache redis curl jq bash

# NOTE: the entrypoint.sh next to this Dockerfile is not COPYed in; the
# /entrypoint.sh used here is whatever the base image ships — confirm the two
# are meant to match.
ENTRYPOINT ["/entrypoint.sh"]
CMD ["telegraf"]
--------------------------------------------------------------------------------
/so-telegraf/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Entry point wrapper: when the first argument looks like an option (starts
# with "-"), treat the whole argument list as flags for telegraf; otherwise
# run the given command unchanged.
set -e

case "$1" in
    -*) set -- telegraf "$@" ;;
esac

# Replace the shell so the command becomes PID 1 and receives signals directly.
exec "$@"
--------------------------------------------------------------------------------
/so-zeek/Dockerfile:
--------------------------------------------------------------------------------
# Copyright Security Onion Solutions, LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

# Build stage: builds a private OpenSSL, then Zeek against it, installs the
# zkg packages, and prepares /opt/zeek, /nsm/zeek and /usr/local/ssl for the
# runtime stage below.
FROM ghcr.io/security-onion-solutions/oraclelinux:9 AS builder

# Toolchain and headers. pip3 installs are unpinned (presumably zkg's
# dependencies plus requests for files/oui.py); rebuilds may pick up newer
# versions.
RUN dnf -y install dnf-plugins-core && \
dnf config-manager --enable ol9_codeready_builder && \
dnf update -y && \
dnf -y install epel-release bash libpcap iproute wget cmake swig && \
dnf -y install jemalloc numactl libnl3 libdnet gdb git && \
dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel python3 kernel-devel kernel-headers libnghttp2-devel brotli-devel && \
dnf group install -y "Development Tools" && \
yum install -y glibc-common && \
pip3 install GitPython semantic-version requests && \
dnf -y erase epel-release && dnf clean all && rm -rf /var/cache/dnf

# Private OpenSSL 3.0.1 with the FIPS provider, installed under /usr/local/ssl
# and used by Zeek's --with-openssl below. Because it is built from source it
# is NOT kept current by dnf: 3.0.1 is an early 3.0 patch release, so confirm
# it is the intended (validated) FIPS provider version and track OpenSSL
# advisories for it separately. The tarball download is protected by TLS only;
# no checksum or signature is verified.
RUN mkdir /opensslbuild
WORKDIR /opensslbuild
RUN wget https://www.openssl.org/source/old/3.0/openssl-3.0.1.tar.gz && tar zxvf openssl-3.0.1.tar.gz

WORKDIR /opensslbuild/openssl-3.0.1
# fipsinstall writes the provider's self-test config (fipsmodule.cnf) next to
# the built fips.so module.
RUN dnf -y install perl && \
./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl enable-fips && \
time make -j4 && \
time make install && \
/usr/local/ssl/bin/openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/ssl/lib64/ossl-modules/fips.so

WORKDIR /

# Upstream Zeek release to build; BUILD_TYPE can be overridden with --build-arg.
ENV ZEEKVER=7.0.11
ARG BUILD_TYPE=Release

RUN mkdir /zeekbuild

WORKDIR /zeekbuild

# Zeek source download (TLS only, no checksum verified) and build against the
# private OpenSSL above; spool/log directories point at /nsm/zeek.
RUN wget https://download.zeek.org/zeek-$ZEEKVER.tar.gz && tar zxvf zeek-$ZEEKVER.tar.gz
RUN cd zeek-$ZEEKVER && \
./configure --prefix=/opt/zeek --spooldir=/nsm/zeek/spool --logdir=/nsm/zeek/logs --enable-jemalloc --build-type=$BUILD_TYPE --with-openssl=/usr/local/ssl && \
time make -j4 && time make install
# Zeek packages. Several are pulled from git URLs at --version=master, i.e. a
# floating ref: rebuilds are not reproducible and pick up whatever that branch
# holds at build time — pin to a tag/commit if reproducibility matters.
# --skiptests skips each package's test suite. The sed on icsnpp-opcua-binary
# replaces every "-" in main.zeek with "_" (note: every hyphen in the file,
# not only identifiers). icsnpp-s7comm is git-cloned into the working dir
# before being installed by the same name — presumably so zkg resolves the
# local clone rather than its package-source entry; confirm.
RUN /opt/zeek/bin/zkg install --force ja3 && \
/opt/zeek/bin/zkg install --force zeek/foxio/ja4 && \
/opt/zeek/bin/zkg install --force hassh && \
/opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/bzar --version=master && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-bacnet && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-bsap && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-ethercat && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-enip && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-opcua-binary --version=v1.0.0 && \
sed -i 's|-|_|g' /opt/zeek/share/zeek/site/icsnpp-opcua-binary/main.zeek && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-dnp3 && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-modbus && \
git clone https://github.com/cisagov/icsnpp-s7comm && \
/opt/zeek/bin/zkg install --force --skiptests icsnpp-s7comm && \
/opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-profinet --version=master && \
/opt/zeek/bin/zkg install --force --skiptests https://github.com/mmguero-dev/zeek-plugin-tds --version=master && \
/opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
/opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
/opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
/opt/zeek/bin/zkg install --force --skiptests https://github.com/mitrecnd/bro-http2 --version master && \
/opt/zeek/bin/zkg install --force --skiptests zeek-spicy-ipsec && \
/opt/zeek/bin/zkg install --force --skiptests zeek-spicy-openvpn

# overwrite the default oui.py until https://github.com/iamckn/oui-logging/pull/3 is merged upstream
COPY files/oui.py /opt/zeek/share/zeek/site/oui-logging/oui.py
# oui.py script has been problematic in the past. Run it separately to avoid longer than necessary troubleshooting.
# (It downloads the IEEE OUI list at build time, so this layer needs network
# access and its output depends on the list's contents on the day of the build.)
# The zkg testing/scratch dirs and the source tree are removed afterwards.
RUN /bin/python3 /opt/zeek/share/zeek/site/oui-logging/oui.py /opt/zeek/share/zeek/site/oui-logging/oui.dat && \
rm -rf /opt/zeek/var/lib/zkg/testing && \
rm -rf /opt/zeek/var/lib/zkg/scratch && \
rm -rf /zeekbuild
# Fixed uid/gid 937, created again with the same ids in the runtime stage so
# the ownership set here survives the COPY --from=builder.
RUN groupadd --gid 937 zeek && \
adduser --uid 937 --gid 937 --home-dir /opt/zeek --no-create-home zeek && \
chown -R 937:937 /opt/zeek && \
chown -R 937:937 /nsm/zeek && \
chown -R 937:937 /usr/local/ssl

# Runtime stage.
FROM ghcr.io/security-onion-solutions/oraclelinux:9

LABEL maintainer="Security Onion Solutions, LLC"
LABEL description="Zeek running in docker for use with Security Onion"

# Common Oracle layer, Packages specific to container, User configuration
# (same uid/gid 937 as the build stage; the codeready repo is enabled only
# long enough to install the nghttp2/brotli -devel packages).
RUN dnf update -y && dnf -y install epel-release bash libpcap iproute && \
dnf clean all && rm -rf /var/cache/dnf/* && \
dnf -y install findutils jemalloc numactl libnl3 libdnet gdb libunwind-devel && \
dnf config-manager --enable ol9_codeready_builder && \
dnf -y install libnghttp2-devel brotli-devel && \
dnf config-manager --disable ol9_codeready_builder && \
dnf -y remove epel-release && \
dnf clean all && \
rm -rf /var/cache/dnf/ && rm -rf /var/cache/yum/ && \
rm -rf /usr/share/doc/oraclelinux-release/OL9-RELNOTES9-4.zip && \
groupadd --gid 937 zeek && \
adduser --uid 937 --gid 937 --home-dir /opt/zeek --no-create-home zeek

# Only the prepared trees are carried over; no build toolchain ends up here.
COPY --from=builder /nsm/zeek /nsm/zeek
COPY --from=builder /opt/zeek /opt/zeek
COPY --from=builder /usr/local/ssl/ /usr/local/ssl

# Copy over the entry script.
COPY files/zeek.sh /usr/local/sbin/zeek.sh
# The fx-libpcap RPM is fetched straight from GitHub releases; rpm only
# enforces its signature when the signing key has been imported, which this
# Dockerfile does not do, so treat it as an unverified download. The btest
# sample pcaps are dropped to keep test data out of the runtime image.
RUN chmod +x /usr/local/sbin/zeek.sh && rpm -i https://github.com/axellioinc/fx-libpcap/releases/download/px3_1.9.1-3/fx-libpcap-1.9.1-3.el9.x86_64.rpm && rm -rf /opt/zeek/share/btest/data/pcaps/*

# If "zeekctl status" (run as the zeek user) fails, the healthcheck — which
# runs as root since there is no USER instruction — sends SIGTERM to every
# process in the container and SIGKILL 30 s later. That deliberately tears the
# container down so the container runtime can restart it (if a restart policy
# is configured) rather than leaving a half-working Zeek running.
HEALTHCHECK --interval=10m --timeout=2m CMD runuser -u zeek -- /opt/zeek/bin/zeekctl status || (kill -s 15 -1 && (sleep 30; kill -s 9 -1))

ENTRYPOINT ["/usr/local/sbin/zeek.sh"]


--------------------------------------------------------------------------------
/so-zeek/LICENSE-JA4:
--------------------------------------------------------------------------------
1 | Copyright (c) 2023 FoxIO
2 | All rights reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
5 |
6 | * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
7 |
8 | * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
9 |
10 | * Neither the name of FoxIO nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
11 |
12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/so-zeek/LICENSE.JA4+:
--------------------------------------------------------------------------------
1 | FoxIO License 1.1
2 | Licensor: FoxIO, LLC
3 | Software: JA4S, JA4H, JA4L, JA4X, JA4T, and JA4SSH (Collectively referred to as JA4+)
4 |
5 | This license was created by FoxIO, LLC. You may use the text of this license for your own
6 | software as long as you change the name of the license, and change the licensor and software
7 | above to refer to you and your software. You may state that your license is based on the FoxIO
8 | License 1.0, as long as you clearly identify any other changes you make to the license.
9 |
10 | 1. Acceptance
11 | In order to get any license under these terms, you must agree to them as both strict obligations
12 | and conditions to all your licenses.
13 |
14 | 2. Copyright License
15 | The licensor grants you a copyright license to use and modify the software, only for non-commercial
16 | purposes. The licensor grants you a copyright license to distribute the software to others
17 | only for non-commercial purposes. “Non-commercial purposes” include personal use by an individual,
18 | academic research and development, and testing and evaluation of the software for your own
19 | internal use, and excludes any use for which you charge fees or anything else of value,
20 | directly or indirectly, for use of or access to the software. Using the software for your own
21 | internal business purposes in a manner where you do not directly monetize the software is a
22 | non-commercial purpose. Providing the software on a hosted or managed service basis to others
23 | is not a non-commercial purpose. Providing maintenance, support or development services for
24 | the software to others, or using the software to enable others to provide such services for
25 | the software to you, is not a non-commercial purpose.
26 |
27 | You must ensure that anyone who gets a copy of any part of the software from you also gets a
28 | copy of these license terms or the following URL https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE,
29 | and you must retain all copyright, patent or other intellectual property notices placed on
30 | the software by licensor.
31 |
32 | 3. Patent License
33 | The licensor grants you a patent license for the software that covers patent claims the
34 | licensor can license, or becomes able to license, that you would necessarily infringe by
35 | using the software in the manner allowed under this license for non-commercial purposes.
36 | This license does not grant you any right to practice any patent rights for any invention
37 | not fully embodied in the software in the form provided by the licensor.
38 |
39 | 4. No Other Rights
40 | These terms do not allow you to sublicense or transfer any of your licenses to anyone else, or
41 | prevent the licensor from granting licenses to anyone else. These terms do not imply any other
42 | licenses.
43 |
44 | 5. Patent Defense
45 | If you make any written claim that the software infringes or contributes to infringement of any
46 | patent, your patent license for the software granted under these terms ends immediately. If your
47 | company makes such a claim, your patent license ends immediately for work on behalf of your company.
48 |
49 | 6. Violations
50 | The first time you are notified in writing that you have violated any of these terms, or done
51 | anything with the software not covered by your licenses, your licenses can nonetheless continue
52 | if you come into full compliance with these terms, take practical steps to correct past violations,
53 | and provide a written statement that all such past violations have been corrected within 30 days
54 | after receiving notice. Otherwise, all your licenses end immediately.
55 |
56 | 7. Duration
57 | Your licenses for a particular version of the software will continue until the end of life of
58 | that version of the software, or earlier as described in the Violations section above.
59 |
60 | 8. No Liability
61 | As far as the law allows, the software comes as is, without any warranty or condition, and the
62 | licensor will not be liable to you for any damages arising out of these terms or the use or nature
63 | of the software, under any kind of legal claim.
64 |
65 | 9. Definitions
66 | The “Licensor” is the individual or entity offering these terms, and the “Software” is the
67 | software the licensor makes available under these terms.
68 |
69 | “You” refers to the individual or entity agreeing to these terms.
70 |
71 | “Your company” is any legal entity, sole proprietorship, or other kind of organization that you
72 | work for, plus all organizations that have control over, are under the control of, or are under
73 | common control with that organization. “Control” means ownership of substantially all the assets
74 | of an entity, or the power to direct its management and policies by vote, contract, or otherwise.
75 | Control can be direct or indirect.
76 |
77 | “Your licenses” are all the licenses granted to you for the software under these terms.
78 |
79 | “Use” means anything you do with the software requiring one of your licenses.
80 |
81 | “End of Life” for a version of the software is a date publicly announced by the licensor on which
82 | the licensor intends to cease maintenance of that version of the software.
--------------------------------------------------------------------------------
/so-zeek/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-image/5acc2b6df85d9933b6f2ac7e3216fec95b17135b/so-zeek/README.md
--------------------------------------------------------------------------------
/so-zeek/files/oui.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
# Help text for the CLI entry point at the bottom of the file. "Bro" is Zeek's
# former name; the string is user-facing, so it is left as published.
_DESCRIPTION = '''Download and parse a listing of Organizationally unique
identifiers, then export the listing as a Bro input file. This can then be
used with the OUI module to allow for OUI lookups in Bro.
'''
7 |
8 | import re
9 | import requests
10 | import os
11 | import shutil
12 |
13 | from argparse import ArgumentParser
14 | from tempfile import NamedTemporaryFile
15 | from time import sleep
16 |
# IEEE publishes a list of OUIs; main() fetches it over HTTPS. No checksum or
# signature is published for this file, so TLS is the only integrity check.
_IEEE_OUI_LIST = 'https://standards-oui.ieee.org/oui/oui.txt'
19 |
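def main(fpath, retries=12, retry_delay=5, timeout=60):
    """Download the IEEE OUI list and export it as a Zeek/Bro input file.

    The list at ``_IEEE_OUI_LIST`` is fetched with up to ``retries`` attempts,
    ``retry_delay`` seconds apart; a non-200 response or a connection error
    counts as a failed attempt. Every ``(hex)`` line is written as a
    tab-separated ``oui<TAB>vendor`` row (OUI lower-cased, ``-`` turned into
    ``:``) under a ``#fields`` header line. Output goes to a temporary file
    that is moved over ``fpath`` only once it is complete, so an existing
    file is never left half-overwritten.

    Args:
        fpath: Destination path for the exported input file.
        retries: Download attempts before giving up (default 12).
        retry_delay: Seconds to sleep between failed attempts (default 5).
        timeout: Per-request timeout in seconds passed to requests; without
            one a stalled server would hang this call indefinitely.

    Raises:
        SystemExit: status 1 when every download attempt fails.
        UnicodeDecodeError: if a matched line is not valid UTF-8 (kept strict
            on purpose so bad data is noticed rather than silently mangled).
    """
    request_headers = {"User-Agent": "curl/7.81.0"}
    resp = None
    # retry logic to check if the request succeeds
    for attempt in range(retries):
        # retrieve the IEEE OUI list; stream=True so it is consumed line by
        # line below instead of being buffered whole in memory
        try:
            resp = requests.get(_IEEE_OUI_LIST, headers=request_headers,
                                stream=True, timeout=timeout)
        except requests.RequestException as exc:
            # connection/timeout errors are retried just like bad status codes
            print(f"Attempt {attempt + 1} of {retries} failed: {exc}")
            resp = None
            sleep(retry_delay)
            continue

        # if request is successful (status code 200), break the loop and proceed
        if resp.status_code == 200:
            break

        # if status code is not 200, release the connection and retry after delay
        print(f"Status code: {resp.status_code} | Error message: {resp.text}")
        resp.close()
        resp = None
        sleep(retry_delay)
    else:
        # the loop completed without breaking (all attempts failed)
        print(f"Failed to retrieve IEEE OUI list after {retries} attempts. Exiting.")
        # SystemExit instead of os._exit so stdout is flushed and cleanup runs
        raise SystemExit(1)

    # pull out the '(hex)' lines from the ieee oui list, capturing the OUI and
    # the vendor name. Constructed example of the shape the pattern expects:
    #   b'00-11-22   (hex)\t\tExample Vendor' -> (b'00-11-22', b'Example Vendor')
    parser = re.compile(rb'^(.*?)\s.*?\(hex\)\t\t(.*?)$')

    temp_file_name = None
    try:
        # explicit encoding: vendor names are decoded as UTF-8 below, so write
        # them back out as UTF-8 regardless of the container's locale
        with NamedTemporaryFile(mode='w', encoding='utf-8', delete=False) as f:
            temp_file_name = f.name

            print("#fields\toui\tvendor", file=f)
            # iterate the ouis returned and parse them into a bro script
            for line in resp.iter_lines():
                match = parser.search(line)
                if not match:
                    continue

                oui = match.group(1).replace(b'-', b':')
                vendor = match.group(2)
                print('{0}\t{1}'.format(oui.decode('utf-8').lower(),
                                        vendor.decode('utf-8')), file=f)

        # NOTE: the moved file keeps the temp file's restrictive mode (owner
        # read/write only); the caller is expected to fix ownership/mode if
        # another account needs to read it
        shutil.move(temp_file_name, fpath)
    except BaseException:
        # do not leave a stray temp file behind when writing/parsing fails
        if temp_file_name is not None and os.path.exists(temp_file_name):
            os.remove(temp_file_name)
        raise
    finally:
        resp.close()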
62 |
if __name__ == '__main__':
    # CLI: the single positional argument is the output path handed to main().
    arg_parser = ArgumentParser(description=_DESCRIPTION)
    arg_parser.add_argument('path',
                            help='Where to place the exported input file.')
    main(arg_parser.parse_args().path)
69 |
--------------------------------------------------------------------------------
/so-zeek/files/zeek.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Container entry point for Zeek. Grants the capture binaries the file
# capabilities they need, deploys Zeek as the unprivileged "zeek" account,
# then parks the shell until the container is told to stop.

# File capabilities so zeek/capstats can open raw sockets and configure the
# capture interface while running as uid 937 instead of root. Setting them
# requires privilege, which is why this script starts as root (the Dockerfile
# has no USER instruction). NOTE: neither call is checked; if one fails,
# "zeekctl deploy" below presumably fails to start workers, and the
# Dockerfile's HEALTHCHECK is what eventually catches that.
setcap cap_net_raw,cap_net_admin=eip /opt/zeek/bin/zeek
setcap cap_net_raw,cap_net_admin=eip /opt/zeek/bin/capstats
# Deploy (install config and start) Zeek as the zeek user, never as root.
runuser zeek -c '/opt/zeek/bin/zeekctl deploy'

# On SIGTERM (e.g. docker stop) shut Zeek down cleanly instead of letting it be killed.
trap "runuser zeek -c '/opt/zeek/bin/zeekctl stop'" SIGTERM
# Keep PID 1 alive with a background sleep: bash does not run a trap handler
# while a foreground command is executing, but the "wait" builtin returns as
# soon as a trapped signal arrives, so the handler fires and the leftover
# sleep is then killed so the script exits.
sleep infinity& wait; kill $!
--------------------------------------------------------------------------------