├── .gitignore ├── README.md ├── debian ├── changelog ├── compat ├── control ├── copyright ├── docs ├── install ├── patches │ ├── -Issue-968:-NSM:-wipe-stats.log-when-restarting-Suricata │ ├── -Issue-975:-NSM:-configure-Snort-snaplen-via-command-line-argument │ ├── 501-516-518 │ ├── 647-597-595-611 │ ├── Enable-BPF-JIT-and-silence-daily-syslog-ng-restart │ ├── Issue-#859:-NSM:-mkdir--p-varrunnsm-before-trying-to-chown │ ├── Issue-1030:-NSM:-remove-chown-from-usrsbinso-bro-cron │ ├── Issue-1032:-NSM:-don't-chown-every-file-in-nsmbroextracted │ ├── Issue-1033:-NSM:-only-allow-one-instance-of-nsm_sensor_clean-at-a-time │ ├── Issue-1162:-NSM:-Add-new-script-to-clear-sensor-backlog │ ├── Issue-411:-Have-only-one-copy-of-barnyard2-that-updates-signature-reference-table │ ├── Issue-453:-etccron.dsensor-newday-should-restart-autossh-tunnel │ ├── Issue-555:-NSM:-replace-"2>1"-with-"2>&1" │ ├── Issue-581:-NSM:-avoid-filling-disk-if-CRIT_DISK_USAGE-exceeded-in-one-day │ ├── Issue-598:-so-snorby-wipe │ ├── Issue-610:-NSM:-ossec_agent-alert-level-should-be-configurable │ ├── Issue-620:-NSM:-stop-netsniff-ng-only-after-checking-all-interfaces-for-pcaps-to-delete │ ├── Issue-625:-Update-NSM-for-Sguil-0.9 │ ├── Issue-665:-NSM:-run-Bro-as-non-root-user │ ├── Issue-671:-NSM:-etccron.dsensor-clean-needs-2>&1 │ ├── Issue-684:-NSM:-nsm_server_ps-start-needs-to-create-varlogsguild-if-it-doesn't-already-exist │ ├── Issue-689:-NSM:-add-USE_DNS-option-to-ossec_agent.conf │ ├── Issue-691:-NSM:-chown--R-$BRO_USER:$BRO_GROUP-nsmbro->devnull-2>&1 │ ├── Issue-751:-change-watchdog-run-time-to-avoid-race-condition │ ├── Issue-797:-NSM:-update-SpoolDir-and-LogDir-in-broctl.cfg │ ├── Issue-799:-NSM:-add-stderr-redirect-to-stdout-on-adduser │ ├── Issue-924:-NSM:-set-DEBUG-1-in-etcsguildsguild.conf │ ├── Issue-993:-NSM:-startrestart-errors-on-systems-with-ethXX-(2-or-more-numbers) │ ├── Issues-429,-451,-and-454 │ ├── Issues-853-854-855 │ ├── 
NSM:-Squert-object_mappings-table-has-wrong-permissions-#866 │ ├── NSM:-add---no-hwtimestamp-to-netsniff-command-line-Security-Onion-Solutionssecurity-onion#1514 │ ├── NSM:-avoid-loading-IDS-rules-twice-#1062 │ ├── NSM:-barnyard-sending-blank-interface-to-syslog-output-#652 │ ├── NSM:-broctl-and-zeekctl-need-to-check-if-parameters-were-passed-Security-Onion-Solutionssecurity-onion#1713 │ ├── NSM:-change-filesystem-grep-Security-Onion-Solutionssecurity-onion#1488 │ ├── NSM:-create-usrsbinbroctl-#1043 │ ├── NSM:-cron-jobs-should-check-to-see-if-they-are-running-on-storage-nodes-#1337 │ ├── NSM:-don't-output-color-codes-if-not-running-on-a-tty-#732 │ ├── NSM:-fix-spelling-error-#1055 │ ├── NSM:-increase-timeout-in-etcsystemdsystemsecurityonion.service-Security-Onion-Solutionssecurity-onion#1708 │ ├── NSM:-more-gracefully-handle-large-number-of-files-in-nsmbroextracted-#942 │ ├── NSM:-nsm_server_configure_sshd-should-check-for-existing-config-#1396 │ ├── NSM:-nsm_server_user-add-should-check-to-see-if-user-account-exists-and-prompt-user-Security-Onion-Solutionssecurity-onion#1505 │ ├── NSM:-nsm_server_user-add-should-require-usernames-to-be-alphanumeric-Security-Onion-Solutionssecurity-onion#1627 │ ├── NSM:-redirect-iostreams-to-logfile-during-ossec-agent-restart-#1005 │ ├── NSM:-replace-pcap-ls-with-find-Security-Onion-Solutionssecurity-onion#1654 │ ├── NSM:-support-running-Suricata-using-AF_PACKET-Security-Onion-Solutionssecurity-onion#1431 │ ├── NSM:-wait-for-network-online-on-boot-#1362 │ ├── NSM:-when-(re)starting-Suricata,-make-sure-stats.log-has-proper-ownership-Security-Onion-Solutionssecurity-onion#1477 │ ├── NSM:-wipe-Suricata-stats.log-using-truncate-rather-than-rm-Security-Onion-Solutionssecurity-onion#1456 │ ├── add-"sleep-1"-to-bro-start │ ├── add---verbose-to-netsniff-ng-command-line-to-get-stats │ ├── add-PCAP_OPTIONS-to-netsniff-ng-command-line-to-allow-Quick-Setup-to-specify--c │ ├── add-argus.conf │ ├── add-bpf-support-for-netsniff-ng │ ├── 
add-daily-cronjob-to-restart-sancp_agent │ ├── add-license-header │ ├── add-more-error-checking-to-so-bro-cron │ ├── add-nsm_server_user-passwd │ ├── add-support-for-prads │ ├── add-support-for-suricata │ ├── add-systemd-script │ ├── added-back-netsniff-ng---verbose-option │ ├── added-netsniff-ng-ring-buffer-and-mmap-options,-changed-syslog-ng-daily-reload-to-restart │ ├── additional-safety-check-for-postinst │ ├── align-to-naming-convention │ ├── allow-pivoting-from-Squert-to-ELSA │ ├── allow-user-to-set-CRIT_DISK_USAGE-in-etcnsmsecurityonion.conf │ ├── avoid-errors-when-no-unified2-files-are-available-for-deletion │ ├── barnyard2.conf-needs-to-output-to-local-syslog-for-ELSA │ ├── bro-node-cfg-path │ ├── change-ELSA-to-Kibana │ ├── change-from-Bro-to-Zeek │ ├── change-so-bro-cron-to-so-zeek-cron │ ├── change-sphinx-port-from-3307-to-9306 │ ├── change-sshd-ClientAliveInterval-to-30 │ ├── check-disk-usage-threshold-before-stopping-netsniff-ng │ ├── check-for-root │ ├── check-for-snorby-output-before-trying-to-disable │ ├── check_usergroup-sensor_user-sensor_group │ ├── clean-up-more-Zeek-warnings │ ├── clean-up-more-zeek-warnings │ ├── clean-up-output-of-nsm_server_user-* │ ├── clean-up-zeek-warnings │ ├── comment-out-sensor_cleandisk-in-nsm_sensor_ps-start │ ├── comment-out-sensortab.bro-code │ ├── consolidate-the-two-sleeps-into-one-that-always-runs-regardless-of-sensorserver │ ├── convert-from-daemonlogger-to-netsniff-ng │ ├── copy-IDS_LB_PROCS-from-sensor.conf-to-suricata.yaml │ ├── cp-prads.conf-and-enable-home_nets │ ├── create-etcnsmsensortab.bro │ ├── create-logrotate-jobs-if-necessary │ ├── create-new-BRO_USER-and-BRO_GROUP-variables │ ├── daily-cronjobs-to-restart-all-Sguil-agents │ ├── daily-reload-syslog-ng-and-run-snort-as-sguil-with-unique-pf_ring-cluster-id │ ├── delete-snorby-pid-file-at-boot │ ├── disable-DAEMON-mode-in-ossec_agent.conf │ ├── disable-DEAMON-mode-in-argus.conf │ ├── disable-snorby-output-in-all-barnyard2.conf-files │ ├── 
do-not-sleep-for-60-seconds-when-starting-securityonion-during-Setup │ ├── don't-sleep-for-10-seconds-if-starting-securityonion-during-Setup │ ├── elsa_r1090 │ ├── ensure-SURICATA_CAPTURE-gets-added-to-sensor.conf-Security-Onion-Solutionssecurity-onion#1431 │ ├── ensure-netsniff-ng-is-writing-with-the-correct-date │ ├── ensure-non-threaded-tcl8.6-for-sguild │ ├── etccron.dnsm-watchdog-should-restart-sguild-if-crashed │ ├── fall-back-to-localdomain-if-etcresolv.conf-contains-no-search-directives │ ├── filter-out-warnings-in-broctl-and-zeekctl │ ├── first-round-of-changes-for-zeek-migration │ ├── fix-Bro-http_agent-counting-interfaces │ ├── fix-bug-when-determining-Bro-http.log │ ├── fix-bug-when-restarting-suricata │ ├── fix-bugs-in-nsm_sensor_ps-start-and-lib-nsm-common-utils │ ├── fix-cleandisk-and-netsniff-ng-output-directory │ ├── fix-curly-brace │ ├── fix-etcinitsecurityonion.conf-when-running-on-sensor-only-with-no-elsa-and-no-mysql │ ├── fix-if-statement │ ├── fix-mysql-calls │ ├── fix-nsm_server_user-disable │ ├── fix-ossec_agent-default-domain │ ├── fix-permissions-on-SERVER_LOG_DIR │ ├── fix-so-*-config-backup │ ├── fix-so-nsm-watchdog │ ├── fix-support-for-multiple-snort-pfring-instances │ ├── fix-typos │ ├── go-back-to-use-squert.sql-for-new-databases │ ├── go-back-to-using-nsmbrologscurrent-symlink │ ├── granular-service-control │ ├── improve-so-*-config-backup │ ├── improve-so-bro-cron │ ├── improve-so-netsniff-ng-cron │ ├── improve-so-nsm-watchdog │ ├── increase-first-sleep-from-5-seconds-to-10-to-make-sure-Sguil-doesn't-start-until-MySQL-does │ ├── increase-systemd-timeout-to-5-minutes │ ├── issue-649 │ ├── issues-1227-and-1234 │ ├── issues-1291-1292-1176 │ ├── issues-241-392-714 │ ├── issues-548-and-658 │ ├── issues-686-and-687 │ ├── issues-698-and-699 │ ├── issues-944-937-943 │ ├── make-checks-more-consistent-Security-Onion-Solutionssecurity-onion#645 │ ├── merge-Wes's-pull-request-to-add-quotes-around-$FORCE_YES │ ├── 
migrate-from-broctl.cfg-to-zeekctl.cfg │ ├── more-naming-fixes │ ├── more-zeek-cleanup │ ├── move-daily-restart-to-0:00-to-avoid-pcap-blackhole │ ├── move-squert-to-varwwwsosquert │ ├── mysql---defaults-file=etcmysqldebian.cnf │ ├── mysql5.5_and_tcpflow-no-tags │ ├── nsm_all_del_quick-fix-typo │ ├── nsm_all_del_quick-should-check-for-root-first │ ├── nsm_sensor_add-needs-check_usergroup │ ├── nsm_sensor_backup-data-missing-leading-slash-in-directory-#931 │ ├── nsm_sensor_clean:-redirect-grep-output-to-devnull │ ├── nsm_server_user-list---only-show-enabled-users │ ├── optimize-network-buffers,-sleep-1s-when-restarting-netsniff-ng,-free-disk-space-every-5-minutes │ ├── package-issues-645-1637-1118 │ ├── postinst---add-conditions-for-updating-etcinitsecurityonion.conf │ ├── process_start-function-needs-"su--"-to-start-in-home-directory │ ├── process_start-needs-to-create-home-directory-if-it-doesn't-already-exist │ ├── refactor-config-backup-cron-jobs-#1376 │ ├── remove-"-m-112"-from-nsm_sensor_add │ ├── remove-PCAP_MMAP-option │ ├── remove-afpacket-daq │ ├── remove-extra-indexes-for-Sguil-database │ ├── remove-init.d-scripts │ ├── remove-old-files │ ├── remove-old-lines │ ├── remove-service-nsm-reference │ ├── remove-so-common-since-it-already-exists-in-securityonion-elastic-package │ ├── remove-so-snorby-wipe │ ├── remove-unnecessary-zeek-warnings │ ├── rename-setting-to-SURICATA_CAPTURE-Security-Onion-Solutionssecurity-onion#1431 │ ├── replace-sguil:sguil-with-$SENSOR_USER:$SENSOR_GROUP │ ├── replace-the-autossh-restart-with-ClientAlive-settings-in-sshd_config │ ├── restart-http-agent-daily-to-rotate-log-file │ ├── restart-sshd │ ├── run-'broctl-cron'-as-non-root-user │ ├── run-'broctl-stop'-as-root-in-case-bro-was-previously-running-as-root │ ├── run-bro-as-sguil │ ├── run-bro-cron-job-as-root │ ├── run-netsniff-ng-as-a-non-root-user │ ├── run-sguil-as-non-root-user │ ├── run-sguild-as-non-root-user │ ├── series │ ├── 
set-pads.fifo-permissions-only-if-pads_agent-is-enabled │ ├── set-suricata-PF_RING-cluster-id-using-same-logic-as-snort │ ├── sguild-add-user-and-sguild-changepasswd-are-now-in-usrsbin │ ├── skip-netsniff-date-check-at-midnight-and-work-around-issue-1118 │ ├── sleep-for-60-seconds-before-trying-to-ssh-to-server │ ├── snort-cluster-should-use-a-single-snort.conf │ ├── snort-pfring │ ├── so-snorby-wipe---add-sudo-to-example-shred-command │ ├── so-user-add:-improper-confirmation-of-password-should-throw-an-error-#1271 │ ├── standardize-error-message-in-nsm_sensor_clean │ ├── start-Bro-before-http_agent,-fix-bugs-when-restarting │ ├── stderr-redirects-when-listing-logfiles │ ├── strip-comments-from-bpf.conf-for-PRADS │ ├── support-reading-PCAP_SIZE-from-sensor.conf │ ├── switch-Suricata-from-afpacket-to-pfring │ ├── update-IP-address-in-Bro-node.cfg-if-necessary │ ├── update-broctl-path │ ├── update-comment │ ├── update-copyright │ ├── update-copyright-date-in-nsm_sensor_clean │ ├── update-etcinitsecurityonion.conf-for-ELSA │ ├── update-etcinitsecurityonion.conf-to-remove-Snorby-and-add-back-Xplico │ ├── update-so-zeek-cron-to-avoid-running-on-boxes-with-no-sensors │ ├── update-start-script │ ├── update-systemd-script │ ├── updated-bro-cron-job │ ├── use-securityonion_update.sh-instead-of-squert.sql │ ├── usrsbinbroctl---check-for-root-privileges │ ├── when-configuring-Squert,-run-securityonion_update.sh-as-well │ └── wipe-stats.log-if-doing-a-full-restart-of-Suricata,-but-not-if-we're-just-doing-the-watchdog-check-for-stale-processes ├── postinst ├── rules └── source │ └── format ├── etc ├── cron.d │ ├── netsniff-sync │ ├── nsm-watchdog │ ├── sensor-clean │ ├── sensor-newday │ ├── so-sensor-backup-config │ ├── so-server-backup-config │ └── zeek ├── nsm │ ├── administration.conf │ └── templates │ │ ├── argus │ │ └── argus.conf │ │ └── init │ │ └── securityonion.conf ├── sysctl.d │ └── 10-securityonion.conf └── systemd │ └── system │ └── securityonion.service └── usr 
├── lib └── nsmnow │ ├── lib-component-barnyard2.sh │ ├── lib-component-buildessential.sh │ ├── lib-component-mysql.sh │ ├── lib-component-nsm.sh │ ├── lib-component-sancp.sh │ ├── lib-component-sguilclient.sh │ ├── lib-component-sguilsensor.sh │ ├── lib-component-sguilserver.sh │ ├── lib-component-snort.sh │ ├── lib-component-tcl.sh │ ├── lib-console-utils │ ├── lib-nsm-common-utils │ ├── lib-nsm-sensor-utils │ └── lib-nsm-server-utils ├── sbin ├── broctl ├── nsm ├── nsm_all_del ├── nsm_all_del_quick ├── nsm_sensor ├── nsm_sensor_add ├── nsm_sensor_backup-config ├── nsm_sensor_backup-data ├── nsm_sensor_clean ├── nsm_sensor_clear ├── nsm_sensor_del ├── nsm_sensor_edit ├── nsm_sensor_ps-daily-restart ├── nsm_sensor_ps-restart ├── nsm_sensor_ps-start ├── nsm_sensor_ps-status ├── nsm_sensor_ps-stop ├── nsm_server ├── nsm_server_add ├── nsm_server_backup-config ├── nsm_server_backup-data ├── nsm_server_clear ├── nsm_server_configure_sshd ├── nsm_server_del ├── nsm_server_edit ├── nsm_server_ps-restart ├── nsm_server_ps-start ├── nsm_server_ps-status ├── nsm_server_ps-stop ├── nsm_server_sensor-add ├── nsm_server_sensor-del ├── nsm_server_user-add ├── nsm_server_user-disable ├── nsm_server_user-list ├── nsm_server_user-passwd ├── so-clear-backlog ├── so-netsniff-ng-cron ├── so-nsm-common ├── so-nsm-watchdog ├── so-sensor-backup-config ├── so-server-backup-config ├── so-zeek-cron └── zeekctl └── share └── nsmnow ├── .cache └── templates ├── server └── sguil │ └── config │ ├── autocat.conf │ ├── sguild.access │ ├── sguild.email │ ├── sguild.queries │ └── sguild.users └── snort └── rules ├── attack-responses.rules ├── backdoor.rules ├── bad-traffic.rules ├── chat.rules ├── ddos.rules ├── deleted.rules ├── dns.rules ├── dos.rules ├── experimental.rules ├── exploit.rules ├── finger.rules ├── ftp.rules ├── icmp-info.rules ├── icmp.rules ├── imap.rules ├── info.rules ├── local.rules ├── misc.rules ├── multimedia.rules ├── mysql.rules ├── netbios.rules ├── nntp.rules ├── 
oracle.rules ├── other-ids.rules ├── p2p.rules ├── policy.rules ├── pop2.rules ├── pop3.rules ├── porn.rules ├── rpc.rules ├── rservices.rules ├── scan.rules ├── shellcode.rules ├── smtp.rules ├── snmp.rules ├── sql.rules ├── telnet.rules ├── tftp.rules ├── virus.rules ├── web-attacks.rules ├── web-cgi.rules ├── web-client.rules ├── web-coldfusion.rules ├── web-frontpage.rules ├── web-iis.rules ├── web-misc.rules ├── web-php.rules └── x11.rules /.gitignore: -------------------------------------------------------------------------------- 1 | .pc 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # securityonion-nsmnow-admin-scripts 2 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 8 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: securityonion-nsmnow-admin-scripts 2 | Section: net 3 | Priority: extra 4 | Maintainer: Doug Burks 5 | Build-Depends: debhelper (>= 8.0.0) 6 | Standards-Version: 3.9.3 7 | Homepage: http://www.securixlive.com/nsmnow/index.php 8 | #Vcs-Git: git://git.debian.org/collab-maint/securityonion-nsmnow-admin-scripts.git 9 | #Vcs-Browser: http://git.debian.org/?p=collab-maint/securityonion-nsmnow-admin-scripts.git;a=summary 10 | 11 | Package: securityonion-nsmnow-admin-scripts 12 | Architecture: all 13 | Depends: ${misc:Depends} 14 | Description: This package installs the NSMnow Administration Scripts. 15 | These scripts manage the NSM processes. 
16 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | Format: http://dep.debian.net/deps/dep5 2 | Upstream-Name: securityonion-nsmnow-admin-scripts 3 | Source: 4 | 5 | Files: * 6 | Copyright: 7 | 8 | License: 9 | 10 | 11 | . 12 | 13 | 14 | # If you want to use GPL v2 or later for the /debian/* files use 15 | # the following clauses, or change it to suit. Delete these two lines 16 | Files: debian/* 17 | Copyright: 2012 Doug Burks 18 | License: GPL-2+ 19 | This package is free software; you can redistribute it and/or modify 20 | it under the terms of the GNU General Public License as published by 21 | the Free Software Foundation; either version 2 of the License, or 22 | (at your option) any later version. 23 | . 24 | This package is distributed in the hope that it will be useful, 25 | but WITHOUT ANY WARRANTY; without even the implied warranty of 26 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 27 | GNU General Public License for more details. 28 | . 29 | You should have received a copy of the GNU General Public License 30 | along with this program. If not, see 31 | . 32 | On Debian systems, the complete text of the GNU General 33 | Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". 34 | 35 | # Please also look if there are files or directories which have a 36 | # different copyright/license attached and list them here. 
37 | -------------------------------------------------------------------------------- /debian/docs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-nsmnow-admin-scripts/a0f434eaf93c7be08e63a21d0bb3d3929696c689/debian/docs -------------------------------------------------------------------------------- /debian/install: -------------------------------------------------------------------------------- 1 | etc/* etc 2 | usr/* usr 3 | -------------------------------------------------------------------------------- /debian/patches/Issue-#859:-NSM:-mkdir--p-varrunnsm-before-trying-to-chown: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion130) trusty; urgency=medium 9 | . 10 | * Issue #859: NSM: mkdir -p /var/run/nsm/ before trying to chown 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_ps-restart 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_ps-restart 28 | 
@@ -171,8 +171,11 @@ do 29 | [ "$?" -ne 0 ] && exit 1 30 | fi 31 | 32 | - # Create /var/log/sguild/ if it doesn't already exist 33 | - mkdir -p /var/log/sguild/ 34 | + # Create directories if they doesn't already exist 35 | + mkdir -p /var/log/sguild/ 36 | + mkdir -p $PROCESS_LOG_DIR 37 | + mkdir -p $PROCESS_PID_DIR 38 | + mkdir -p $SERVER_LOG_DIR 39 | 40 | # Set permissions 41 | chown -R $SERVER_USER:$SERVER_GROUP /var/log/sguild/ 42 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_ps-start 43 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_ps-start 44 | 
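Review bot: The three new `mkdir -p $PROCESS_LOG_DIR` / `$PROCESS_PID_DIR` / `$SERVER_LOG_DIR` lines pass the variables unquoted and unchecked, so an unset variable becomes `mkdir -p` with no operand (which fails but, with no `set -e` visible, lets the script carry on to the chown) and a value containing whitespace is word-split. A single guarded call covers all three: `mkdir -p "$PROCESS_LOG_DIR" "$PROCESS_PID_DIR" "$SERVER_LOG_DIR" || exit 1`. The new comment should read `# Create directories if they don't already exist`. Only /var/log/sguild/ is chowned inside the hunk; if the chown of $PROCESS_PID_DIR that the issue title refers to sits beyond it, the other new directories are otherwise left owned by whoever runs the script. The same applies to the nsm_server_ps-start hunk below, and the enclosing loop body continues outside both hunks.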
@@ -157,8 +157,11 @@ do 45 | [ "$?" -ne 0 ] && exit 1 46 | fi 47 | 48 | - # Create /var/log/sguild/ if it doesn't already exist 49 | + # Create directories if they doesn't already exist 50 | mkdir -p /var/log/sguild/ 51 | + mkdir -p $PROCESS_LOG_DIR 52 | + mkdir -p $PROCESS_PID_DIR 53 | + mkdir -p $SERVER_LOG_DIR 54 | 55 | # Set permissions 56 | chown -R $SERVER_USER:$SERVER_GROUP /var/log/sguild/ 57 | -------------------------------------------------------------------------------- /debian/patches/Issue-1030:-NSM:-remove-chown-from-usrsbinso-bro-cron: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion144) trusty; urgency=medium 9 | . 10 | * Issue 1030: NSM: remove chown from /usr/sbin/so-bro-cron 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-bro-cron 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-bro-cron 28 | 
@@ -15,8 +15,11 @@ fi 29 | 30 | if [ "$BRO_ENABLED" == "yes" ]; then 31 | 32 | - # set ownership of Bro directories to Bro user 33 | - chown -R $BRO_USER:$BRO_GROUP /nsm/bro >/dev/null 2>&1 34 | + # Set ownership of Bro directories to Bro user. 35 | + # Large sensors with lots of Bro logs can take longer than 5 minutes to chown. 36 | + # This can result in the cron jobs piling up. 37 | + # Commenting this out for now. 38 | + #chown -R $BRO_USER:$BRO_GROUP /nsm/bro >/dev/null 2>&1 39 | 40 | # Run "broctl cron" as Bro user 41 | su $BRO_USER -c '/opt/bro/bin/broctl cron' 42 | -------------------------------------------------------------------------------- /debian/patches/Issue-1033:-NSM:-only-allow-one-instance-of-nsm_sensor_clean-at-a-time: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion146) trusty; urgency=medium 9 | . 10 | * Issue 1033: NSM: only allow one instance of nsm_sensor_clean at a time 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_clean 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_clean 28 | 
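Review bot: With the recursive chown commented out, nothing left in this job repairs ownership under /nsm/bro, so a file created root-owned there (for instance by a manual root invocation) stays that way and the following `su $BRO_USER -c '/opt/bro/bin/broctl cron'` may then fail on it; if that is acceptable, the comment should say where ownership is now expected to be set instead. The pile-up the comment describes is prevented more directly by refusing to overlap, e.g. `flock -n /var/lock/<lockfile> su $BRO_USER -c '/opt/bro/bin/broctl cron'`, which also protects against a long-running `broctl cron` itself. The enclosing `if [ "$BRO_ENABLED" == "yes" ]` block continues outside the hunk.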
@@ -117,6 +117,14 @@ then 29 | exit 1; 30 | fi 31 | 32 | +# check to see if we're already running 33 | +for pid in $(pidof -x nsm_sensor_clean); do 34 | + if [ $pid != $$ ]; then 35 | + echo "[$(date)] : nsm_sensor_clean : Process is already running with PID $pid" 36 | + exit 1 37 | + fi 38 | +done 39 | + 40 | # 41 | # COLLECT INPUT 42 | # 43 | -------------------------------------------------------------------------------- /debian/patches/Issue-453:-etccron.dsensor-newday-should-restart-autossh-tunnel: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion68) precise; urgency=low 9 | . 10 | * Issue 453: /etc/cron.d/sensor-newday should restart autossh tunnel 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/sensor-newday 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/sensor-newday 28 | @@ -1,6 +1,6 @@ 29 | # /etc/cron.d/sensor-newday 30 | # 31 | -# crontab entry to restart the sensor processes ensuring rotation of logs. 32 | +# crontab entry to restart sensor processes 33 | 34 | SHELL=/bin/sh 35 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 36 | 
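Review bot: The added pidof loop is a check-then-act guard, so two instances started at the same moment (the /etc/cron.d/sensor-clean entry on this page runs the script every minute) can each see the other and both exit, and `pidof -x nsm_sensor_clean` also matches any unrelated process with that name. A kernel lock is atomic and avoids both problems: `exec 9>/var/lock/<lockfile>` followed by `flock -n 9 || { echo "[$(date)] : nsm_sensor_clean : Process is already running"; exit 1; }`. If the loop is kept, quote the comparison as `[ "$pid" != "$$" ]` so an empty pidof result cannot produce a syntax error in the test.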
@@ -8,6 +8,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbi 37 | 00 0 * * * root /usr/sbin/nsm_sensor_ps-daily-restart 38 | 01 0 * * * root /etc/init.d/syslog-ng restart >/dev/null 2>&1 39 | 10 0 * * * root /etc/init.d/syslog-ng restart >/dev/null 2>&1 40 | +01 5 * * * root /usr/bin/pkill -USR1 autossh >/dev/null 2>&1 41 | 00 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-sancp-agent >/dev/null 42 | 01 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-http-agent >/dev/null 43 | 02 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-ossec-agent >/dev/null 44 | -------------------------------------------------------------------------------- /debian/patches/Issue-671:-NSM:-etccron.dsensor-clean-needs-2>&1: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion103) precise; urgency=low 9 | . 10 | * Issue 671: NSM: /etc/cron.d/sensor-clean needs 2>&1 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/sensor-clean 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/sensor-clean 28 | 
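Review bot: The new `01 5 * * * root /usr/bin/pkill -USR1 autossh` line signals every process named autossh on the host, not only the sensor's tunnel, so any unrelated autossh session is restarted too; if the tunnel runs under a known account, `pkill -USR1 -u <tunnel-user> autossh` narrows it, or signal the PID autossh writes when AUTOSSH_PIDFILE is set. A one-line comment above the entry, `# SIGUSR1 makes autossh drop and re-establish its ssh session`, would explain the choice of signal to the next reader. The other hunk in this file only rewords the header comment.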
@@ -5,4 +5,4 @@ 29 | SHELL=/bin/sh 30 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 31 | 32 | -* * * * * root /usr/sbin/nsm_sensor_clean -y >> /var/log/nsm/sensor-clean.log 33 | +* * * * * root /usr/sbin/nsm_sensor_clean -y >> /var/log/nsm/sensor-clean.log 2>&1 34 | -------------------------------------------------------------------------------- /debian/patches/Issue-751:-change-watchdog-run-time-to-avoid-race-condition: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion120) precise; urgency=low 9 | . 10 | * Issue 751: change watchdog run time to avoid race condition 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/nsm-watchdog 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/nsm-watchdog 28 | 
@@ -5,4 +5,4 @@ 29 | SHELL=/bin/sh 30 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 31 | 32 | -*/5 * * * * root ( date ; /usr/sbin/nsm_server_ps-restart --if-stale ; /usr/sbin/nsm_sensor_ps-restart --if-stale) >> /var/log/nsm/watchdog.log 33 | +4,9,14,19,24,29,34,39,44,49,54,59 * * * * root ( date ; /usr/sbin/nsm_server_ps-restart --if-stale ; /usr/sbin/nsm_sensor_ps-restart --if-stale) >> /var/log/nsm/watchdog.log 34 | -------------------------------------------------------------------------------- /debian/patches/Issue-799:-NSM:-add-stderr-redirect-to-stdout-on-adduser: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion122) precise; urgency=low 9 | . 10 | * Issue 799: NSM: add stderr redirect to stdout on adduser 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 28 | 
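Review bot: The twelve-value minute list `4,9,14,...,59` is the same schedule as `4-59/5 * * * *` under the Vixie/cronie step syntax, which is easier to read and to change later. Whatever form is kept, the reason for the four-minute offset exists only in the changelog line ("avoid race condition"), so a comment in the file, `# run off the */5 boundary so the --if-stale checks do not coincide with <job it raced with — confirm>`, should record which job it avoids.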
@@ -347,7 +347,7 @@ if [ "$OSSEC_AGENT_ENABLED" == "yes" ] & 29 | fi 30 | 31 | # Add OSSEC_AGENT_USER to ossec group 32 | - adduser $OSSEC_AGENT_USER ossec >/dev/null 33 | + adduser $OSSEC_AGENT_USER ossec 2>&1 >/dev/null 34 | 35 | $ACTION "/usr/bin/ossec_agent.tcl" "-o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p $OSSEC_AGENT_LEVEL -c $OSSEC_AGENT_CONF" "$PROCESS_PID_DIR/ossec_agent.pid" "$PROCESS_LOG_DIR/ossec_agent.log" "ossec_agent (sguil)" "$OSSEC_AGENT_USER" 36 | 37 | -------------------------------------------------------------------------------- /debian/patches/Issue-924:-NSM:-set-DEBUG-1-in-etcsguildsguild.conf: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion133) trusty; urgency=medium 9 | . 10 | * Issue 924: NSM: set DEBUG 1 in /etc/sguild/sguild.conf 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_add 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_add 28 | 
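Review bot: `adduser $OSSEC_AGENT_USER ossec 2>&1 >/dev/null` does not send stderr to /dev/null: redirections apply left to right, so stderr is first tied to the original stdout and only then is stdout discarded, which matches the patch title literally but leaves adduser's diagnostics visible. If the intent is to silence both streams the order must be `adduser $OSSEC_AGENT_USER ossec >/dev/null 2>&1`; if showing errors while hiding normal output is deliberate, a comment saying so would stop the next maintainer "fixing" it. Quoting `"$OSSEC_AGENT_USER"` would also keep an empty value from collapsing adduser's argument list. The enclosing `if [ "$OSSEC_AGENT_ENABLED" == "yes" ]` block continues outside the hunk.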
@@ -327,7 +327,7 @@ cat >/etc/nsm/$SERVER_NAME/sguild.conf < 29 | set SGUILD_LIB_PATH "${SERVER_LIB_DIR}" 30 | 31 | # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty. 32 | -set DEBUG 2 33 | +set DEBUG 1 34 | 35 | # Run sguild in daemon mode. 1=on 0=off 36 | # This overrides above and will set DEBUG off. 37 | -------------------------------------------------------------------------------- /debian/patches/NSM:-Squert-object_mappings-table-has-wrong-permissions-#866: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion131) trusty; urgency=medium 9 | . 10 | * NSM: Squert object_mappings table has wrong permissions #866 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/lib/nsmnow/lib-nsm-server-utils 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/lib/nsmnow/lib-nsm-server-utils 28 | 
@@ -606,6 +606,7 @@ EOF_SGUIL_DB 29 | mysql -N -B --user=root -e "GRANT INSERT,UPDATE,DELETE ON securityonion_db.filters TO 'readonly'@'localhost';" 30 | mysql -N -B --user=root -e "GRANT DELETE on securityonion_db.history to 'readonly'@'localhost';" 31 | mysql -N -B --user=root -e "GRANT UPDATE on securityonion_db.user_info TO 'readonly'@'localhost';" 32 | + mysql -N -B --user=root -e "GRANT INSERT,UPDATE ON securityonion_db.object_mappings TO 'readonly'@'localhost';" 33 | 34 | # Allow pivoting from Squert to ELSA 35 | bash /var/www/so/squert/.scripts/securityonion_create_elsa_link.sh 36 | 
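Review bot: The grant on the added line is repeated verbatim in the second hunk (`@@ -859,6 +860,7 @@`), so any future change to this privilege set has to be made in two places; consider moving the whole run of `GRANT ... TO 'readonly'@'localhost'` statements into one shell function called from both sites. With this addition the account named `readonly` holds INSERT/UPDATE/DELETE rights on four tables, which will mislead whoever audits MySQL privileges next; a comment above the grants such as `# 'readonly' is Squert's DB account; it needs write access to filters, history, user_info and object_mappings for the web UI` would at least record why. The enclosing function begins before the hunk.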
@@ -859,6 +860,7 @@ EOF_SGUIL_DB 37 | mysql -N -B --user=root -e "GRANT INSERT,UPDATE,DELETE ON securityonion_db.filters TO 'readonly'@'localhost';" 38 | mysql -N -B --user=root -e "GRANT DELETE on securityonion_db.history to 'readonly'@'localhost';" 39 | mysql -N -B --user=root -e "GRANT UPDATE on securityonion_db.user_info TO 'readonly'@'localhost';" 40 | + mysql -N -B --user=root -e "GRANT INSERT,UPDATE ON securityonion_db.object_mappings TO 'readonly'@'localhost';" 41 | 42 | # Allow pivoting from Squert to ELSA 43 | bash /var/www/so/squert/.scripts/securityonion_create_elsa_link.sh 44 | -------------------------------------------------------------------------------- /debian/patches/NSM:-create-usrsbinbroctl-#1043: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion150) trusty; urgency=medium 9 | . 10 | * NSM: create /usr/sbin/broctl #1043 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- /dev/null 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/broctl 28 | 
@@ -0,0 +1,17 @@ 29 | +#!/bin/bash 30 | + 31 | +SO_CONF="/etc/nsm/securityonion.conf" 32 | + 33 | +# Add new Bro entries to SO_CONF if necessary 34 | +if ! grep BRO_USER $SO_CONF >/dev/null; then 35 | + echo >> $SO_CONF 36 | + echo "# BRO_USER specifies the user account used to start Bro." >> $SO_CONF 37 | + echo "BRO_USER=sguil" >> $SO_CONF 38 | + echo "BRO_GROUP=sguil" >> $SO_CONF 39 | +fi 40 | + 41 | +# load in user config 42 | +. $SO_CONF 43 | + 44 | +# Run "broctl" as Bro user and pass along arguments 45 | +su $BRO_USER -c "/opt/bro/bin/broctl $@" 46 | -------------------------------------------------------------------------------- /debian/patches/NSM:-increase-timeout-in-etcsystemdsystemsecurityonion.service-Security-Onion-Solutionssecurity-onion#1708: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion224) xenial; urgency=medium 9 | . 10 | * NSM: increase timeout in /etc/systemd/system/securityonion.service Security-Onion-Solutions/security-onion#1708 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
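Review bot: `su $BRO_USER -c "/opt/bro/bin/broctl $@"` flattens the caller's arguments into one command string that the target user's shell re-parses, so an argument containing spaces, quotes or glob characters is split or expanded a second time before broctl sees it (and `$@` inside double quotes should be `$*` if a flat string is really intended). Handing the arguments over as positional parameters avoids the re-parse: `su "$BRO_USER" -c '/opt/bro/bin/broctl "$@"' -- broctl "$@"`, assuming the installed su forwards trailing arguments to the shell as util-linux su does. `$SO_CONF` and `$BRO_USER` should also be double-quoted, and the `grep BRO_USER $SO_CONF` guard matches a comment that merely mentions BRO_USER just as well as an assignment, so `grep -q '^BRO_USER=' "$SO_CONF"` is the tighter test.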
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/systemd/system/securityonion.service 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/systemd/system/securityonion.service 28 | 
@@ -7,7 +7,7 @@ Wants=network-online.target 29 | Type=forking 30 | ExecStart=/usr/sbin/so-boot 31 | Restart=on-abort 32 | -TimeoutStartSec=300 33 | +TimeoutStartSec=600 34 | 35 | [Install] 36 | WantedBy=multi-user.target 37 | -------------------------------------------------------------------------------- /debian/patches/NSM:-nsm_server_user-add-should-check-to-see-if-user-account-exists-and-prompt-user-Security-Onion-Solutionssecurity-onion#1505: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion203) xenial; urgency=medium 9 | . 10 | * NSM: nsm_server_user-add should check to see if user account exists and prompt user Security-Onion-Solutions/security-onion#1505 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_user-add 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_user-add 28 | 
@@ -160,6 +160,14 @@ then 29 | USER_NAME=${PROMPT_RET} 30 | fi 31 | 32 | +# Verify user account does not already exist 33 | +USER_EXISTS=$(mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from user_info where username = "'$USER_NAME'";' ; echo "$?") 34 | +if [ "$USER_EXISTS" != 0 ] 35 | +then 36 | + echo_msg 0 "User account already exists! To re-enable the account or update the password, please run so-user-passwd." 37 | + exit 38 | +fi 39 | + 40 | # collect user pass 41 | if [ -z "${USER_PASS}" ] 42 | then 43 | -------------------------------------------------------------------------------- /debian/patches/NSM:-nsm_server_user-add-should-require-usernames-to-be-alphanumeric-Security-Onion-Solutionssecurity-onion#1627: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion205) xenial; urgency=medium 9 | . 10 | * NSM: nsm_server_user-add should require usernames to be alphanumeric Security-Onion-Solutions/security-onion#1627 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
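Review bot: `USER_EXISTS` folds the query's row output and mysql's exit status into one string, so a connection or authentication failure (non-zero status, no rows) is reported to the operator as "User account already exists!" rather than as a database error. The exit status should be checked on its own and the row count compared separately, as sketched below. The username is also spliced straight into the SQL text; the follow-up patch #1627 on this page narrows it to alphanumerics, but quoting it as `'"$USER_NAME"'` rather than `'$USER_NAME'` is still preferable so the shell does not word-split it first.
```shell
# Verify user account does not already exist; abort loudly if the DB cannot be queried
USER_COUNT=$(mysql --defaults-file=/etc/mysql/debian.cnf -N -Dsecurityonion_db -e 'select count(*) from user_info where username = "'"$USER_NAME"'";') || {
  echo_msg 0 "Unable to query user_info; aborting."
  exit 1
}
if [ "$USER_COUNT" != 0 ]
then
  echo_msg 0 "User account already exists! To re-enable the account or update the password, please run so-user-passwd."
  exit
fi
# … unchanged: collect user pass …
```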
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_user-add 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_user-add 28 | 
@@ -160,6 +160,19 @@ then 29 | USER_NAME=${PROMPT_RET} 30 | fi 31 | 32 | +# verify user name is not empty 33 | +if [ x$USER_NAME = "x" ] ; then 34 | + echo_msg 0 "Invalid username!" 35 | + exit 36 | +fi 37 | + 38 | +# verify user name is alphanumeric 39 | +COMPRESSED="$(echo $USER_NAME | sed -e 's/[^[:alnum:]]//g')" 40 | +if [ "$COMPRESSED" != "$USER_NAME" ]; then 41 | + echo_msg 0 "Invalid username! Please use alphanumeric characters only." 42 | + exit 43 | +fi 44 | + 45 | # Verify user account does not already exist 46 | USER_EXISTS=$(mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from user_info where username = "'$USER_NAME'";' ; echo "$?") 47 | if [ "$USER_EXISTS" != 0 ] 48 | -------------------------------------------------------------------------------- /debian/patches/NSM:-redirect-iostreams-to-logfile-during-ossec-agent-restart-#1005: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion143) trusty; urgency=medium 9 | . 10 | * NSM: redirect iostreams to logfile during ossec-agent restart #1005 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
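Review bot: `[ x$USER_NAME = "x" ]` leaves `$USER_NAME` unquoted, so a name containing whitespace gives `[` extra operands and a syntax error instead of the intended "Invalid username!" message; `echo $USER_NAME | sed ...` has the same problem, since the unquoted value is word-split and glob-expanded before sed sees it. Use `if [ -z "$USER_NAME" ]; then` for the empty test and `COMPRESSED="$(printf '%s' "$USER_NAME" | sed -e 's/[^[:alnum:]]//g')"` for the filter. Note that `[[:alnum:]]` is locale-dependent, so under a UTF-8 locale non-ASCII letters pass; if ASCII-only is the intent, `case "$USER_NAME" in *[!A-Za-z0-9]*) echo_msg 0 "Invalid username! Please use alphanumeric characters only."; exit;; esac` is locale-independent.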
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/lib/nsmnow/lib-nsm-common-utils 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/lib/nsmnow/lib-nsm-common-utils 28 | 
@@ -955,10 +955,10 @@ process_start() 29 | if [ "$#" -eq "6" ]; then 30 | 31 | # Create home dir if it doesn't already exist 32 | - mkdir -p /home/$USER 33 | + mkdir -p /home/$USER >>$LOG_FILE 2>&1 34 | 35 | # Set permissions 36 | - chown -R $USER /home/$USER 37 | + chown -R $USER /home/$USER >>$LOG_FILE 2>&1 38 | 39 | # Exec as user in user's home directory 40 | eval exec su - $USER -- "$APP $APP_OPTIONS" >>$LOG_FILE 2>&1 & 41 | -------------------------------------------------------------------------------- /debian/patches/NSM:-replace-pcap-ls-with-find-Security-Onion-Solutionssecurity-onion#1654: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion208) xenial; urgency=medium 9 | . 10 | * NSM: replace pcap ls with find Security-Onion-Solutions/security-onion#1654 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/lib/nsmnow/lib-nsm-sensor-utils 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/lib/nsmnow/lib-nsm-sensor-utils 28 | 
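Review bot: The added redirects only hide the outcome of `mkdir -p` and `chown -R`; if creating the home directory fails, the `su - $USER` on the last line of the hunk still runs and fails with a less obvious message in the same log. `chown -R $USER /home/$USER` also re-owns the entire existing home tree on every process start, which is more than a "set permissions" step needs and is surprising when the directory pre-existed with content owned by another account. Creating the directory with its owner in one step, and only when absent, avoids both: `[ -d "/home/$USER" ] || install -d -o "$USER" "/home/$USER" >>$LOG_FILE 2>&1`. process_start begins before the hunk.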
@@ -375,7 +375,7 @@ sensor_cleandisk() 29 | CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) 30 | done 31 | # if we're out of pcaps to delete, then increment variable 32 | - if [ `ls $SENSOR/dailylogs/$TODAY/snort.log.* | wc -l` -le 1 ]; then 33 | + if [ `find $SENSOR/dailylogs/$TODAY/ -type f -name 'snort.log.*' | wc -l` -le 1 ]; then 34 | echo_msg 1 "${RED}no old pcaps available to clean up in $SENSOR/dailylogs/" 35 | let SENSORS_WITH_NO_PCAPS_TO_DELETE++ 36 | fi 37 | -------------------------------------------------------------------------------- /debian/patches/NSM:-wait-for-network-online-on-boot-#1362: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion179) xenial; urgency=medium 9 | . 10 | * NSM: wait for network-online on boot #1362 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/systemd/system/securityonion.service 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/systemd/system/securityonion.service 28 | 
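Review bot: `find ... -type f -name 'snort.log.*'` descends into subdirectories, whereas the `ls` it replaces counted only entries directly under `$SENSOR/dailylogs/$TODAY/`, so the count changes meaning if anything nested ever appears there. Adding `-maxdepth 1` keeps the original semantics: `find $SENSOR/dailylogs/$TODAY/ -maxdepth 1 -type f -name 'snort.log.*' | wc -l`. When the directory does not exist, find prints an error and the count is 0, which the `-le 1` test already treats as "no pcaps"; redirecting find's stderr with `2>/dev/null` would keep that noise out of the clean-up log if it is unwanted. sensor_cleandisk continues outside the hunk.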
@@ -1,6 +1,7 @@ 29 | [Unit] 30 | Description=Security Onion Service 31 | -After=network.target 32 | +After=network-online.target 33 | +Wants=network-online.target 34 | 35 | [Service] 36 | Type=forking 37 | -------------------------------------------------------------------------------- /debian/patches/add-"sleep-1"-to-bro-start: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion79) precise; urgency=low 9 | . 10 | * add "sleep 1" to bro start 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start 28 | 
@@ -345,6 +345,7 @@ if [ "$BRO_ENABLED" == "yes" ] && [ -z " 29 | # Update /etc/nsm/sensortab.bro 30 | echo -e "#fields\tinterface\tsensorname" > /etc/nsm/sensortab.bro 31 | grep -v "^#" /etc/nsm/sensortab | while read SENSORNAME FIELD2 FIELD3 INTERFACE; do echo -e "$INTERFACE\t$SENSORNAME" >> /etc/nsm/sensortab.bro; done 32 | + sleep 1 33 | 34 | # Update Bro config 35 | /opt/bro/bin/broctl install 36 | -------------------------------------------------------------------------------- /debian/patches/add-PCAP_OPTIONS-to-netsniff-ng-command-line-to-allow-Quick-Setup-to-specify--c: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion35) precise; urgency=low 9 | . 10 | * add PCAP_OPTIONS to netsniff-ng command line to allow Quick Setup to specify -c 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start 28 | 
@@ -367,7 +367,7 @@ do 29 | else 30 | BPF_OPTION="" 31 | fi 32 | - [ -z "$SKIP_PCAP" ] && process_start "netsniff-ng" "-i $SENSOR_INTERFACE_SHORT -o $SENSOR_LOG_DIR/dailylogs/$TODAY -s --prefix snort.log. --interval 150MiB $BPF_OPTION" "$PROCESS_PID_DIR/$SENSOR/netsniff-ng.pid" "$PROCESS_LOG_DIR/$SENSOR/netsniff-ng.log" "netsniff-ng (full packet data)" 33 | + [ -z "$SKIP_PCAP" ] && process_start "netsniff-ng" "-i $SENSOR_INTERFACE_SHORT -o $SENSOR_LOG_DIR/dailylogs/$TODAY -s --prefix snort.log. --interval 150MiB $PCAP_OPTIONS $BPF_OPTION" "$PROCESS_PID_DIR/$SENSOR/netsniff-ng.pid" "$PROCESS_LOG_DIR/$SENSOR/netsniff-ng.log" "netsniff-ng (full packet data)" 34 | 35 | # start pcap_agent 36 | [ -z "$SKIP_PCAP_AGENT" ] && process_start "pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" 37 | -------------------------------------------------------------------------------- /debian/patches/add-daily-cronjob-to-restart-sancp_agent: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion46) precise; urgency=low 9 | . 10 | * add daily cronjob to restart sancp_agent 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/sensor-newday 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/sensor-newday 28 | 
@@ -8,3 +8,4 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbi 29 | 00 0 * * * root /usr/sbin/nsm_sensor_ps-daily-restart 30 | 01 0 * * * root /etc/init.d/syslog-ng reload 31 | 10 0 * * * root /etc/init.d/syslog-ng reload 32 | +00 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-sancp-agent >/dev/null 33 | -------------------------------------------------------------------------------- /debian/patches/add-more-error-checking-to-so-bro-cron: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion195) xenial; urgency=medium 9 | . 10 | * improve so-bro-cron 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-bro-cron 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-bro-cron 28 | 
@@ -17,26 +17,35 @@ 29 | 30 | . /usr/sbin/so-nsm-common 31 | 32 | -if ! [ -f /opt/bro/etc/node.cfg ]; then 33 | - exit 1 34 | -fi 35 | - 36 | SO_CONF="/etc/nsm/securityonion.conf" 37 | 38 | # Add new Bro entries to SO_CONF if necessary 39 | -if ! grep BRO_USER $SO_CONF >/dev/null; then 40 | - echo >> $SO_CONF 41 | - echo "# BRO_USER specifies the user account used to start Bro." >> $SO_CONF 42 | - echo "BRO_USER=sguil" >> $SO_CONF 43 | - echo "BRO_GROUP=sguil" >> $SO_CONF 44 | +if ! grep BRO_USER ${SO_CONF} >/dev/null; then 45 | + echo >> ${SO_CONF} 46 | + echo "# BRO_USER specifies the user account used to start Bro." >> ${SO_CONF} 47 | + echo "BRO_USER=sguil" >> ${SO_CONF} 48 | + echo "BRO_GROUP=sguil" >> ${SO_CONF} 49 | fi 50 | 51 | # load in user config 52 | -. $SO_CONF 53 | +. ${SO_CONF} 54 | + 55 | +# check for errors and exit if necessary 56 | +if ! [ "${BRO_ENABLED}" == "yes" ]; then 57 | + exit 0 58 | +fi 59 | + 60 | +if ! getent passwd ${BRO_USER} >/dev/null 2>&1; then 61 | + exit 0 62 | +fi 63 | + 64 | +if ! [ -f /opt/bro/etc/node.cfg ]; then 65 | + exit 0 66 | +fi 67 | 68 | -if ! [ "$BRO_ENABLED" == "yes" ]; then 69 | +if ! [ -x /opt/bro/bin/broctl ]; then 70 | exit 0 71 | fi 72 | 73 | # Run "broctl cron" as Bro user 74 | -su $BRO_USER -c '/opt/bro/bin/broctl cron' 75 | +su ${BRO_USER} -c '/opt/bro/bin/broctl cron' 76 | -------------------------------------------------------------------------------- /debian/patches/add-systemd-script: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion168) xenial; urgency=medium 9 | . 
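Review bot: Every precondition in the new block exits 0 silently, so a missing `/opt/bro/etc/node.cfg`, an unknown `${BRO_USER}` or a non-executable broctl now looks to cron exactly like a successful run, and the old non-zero exit for the missing node.cfg is gone. The `BRO_ENABLED != yes` case is legitimately quiet, but the other three are misconfigurations worth one line on stderr before exiting, e.g. `echo "so-bro-cron: /opt/bro/etc/node.cfg not found" >&2; exit 1`, so that cron mail or the journal records them. Since `${SO_CONF}` is sourced as root, the script's behaviour also depends on that file being writable only by root; that is pre-existing and may be guaranteed by packaging elsewhere.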
10 | * add systemd script 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- /dev/null 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/systemd/system/securityonion.service 28 | 
@@ -0,0 +1,11 @@ 29 | +[Unit] 30 | +Description=Security Onion Service 31 | +After=network.target 32 | + 33 | +[Service] 34 | +Type=forking 35 | +ExecStart=/usr/sbin/so-start 36 | +Restart=on-abort 37 | + 38 | +[Install] 39 | +WantedBy=multi-user.target 40 | -------------------------------------------------------------------------------- /debian/patches/additional-safety-check-for-postinst: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion71) precise; urgency=low 9 | . 10 | * additional safety check for postinst 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_configure_sshd 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_configure_sshd 28 | 
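Review bot: The unit declares `Type=forking` without `PIDFile=`, so systemd has to guess which of so-start's children is the main process; that guess is what drives `Restart=on-abort` and the reported active/failed state, and it may settle on the wrong daemon, or none, if so-start spawns several and exits. If so-start is a one-shot launcher, `Type=oneshot` with `RemainAfterExit=yes` describes it more accurately; if one supervised daemon is meant, point `PIDFile=` at it. A one-line comment in the unit stating which of these so-start is would help the next reader.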
@@ -17,8 +17,11 @@ ClientAliveInterval 60 29 | ClientAliveCountMax 3 30 | EOF 31 | 32 | - # Reload ssh daemon 33 | - echo " * Reloading ssh daemon" 34 | - service ssh reload 35 | + # Check to see if sshd is running 36 | + if pgrep -lf /usr/sbin/sshd >/dev/null 2>&1; then 37 | + # If sshd is running, then reload config 38 | + echo " * Reloading ssh daemon" 39 | + service ssh reload 40 | + fi 41 | fi 42 | fi 43 | -------------------------------------------------------------------------------- /debian/patches/allow-user-to-set-CRIT_DISK_USAGE-in-etcnsmsecurityonion.conf: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion49) precise; urgency=low 9 | . 10 | * allow user to set CRIT_DISK_USAGE in /etc/nsm/securityonion.conf 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_clean 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_clean 28 | 
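Review bot: `pgrep -lf /usr/sbin/sshd` matches the string anywhere in any process's full command line, so an editor or shell that happens to have that path among its arguments makes the test pass and triggers a reload that then fails when sshd is not actually running; `-l` is also pointless when the output is discarded. Matching the process name exactly is more reliable: `if pgrep -x sshd >/dev/null 2>&1; then`. The enclosing `if` blocks begin outside the hunk.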
@@ -159,7 +159,20 @@ fi 29 | date 30 | echo_msg 0 "Cleaning sensors" 31 | 32 | +# You can override these defaults by setting these variables in /etc/nsm/securityonion.conf 33 | +WARN_DISK_USAGE=80 34 | +CRIT_DISK_USAGE=90 35 | +CONF="/etc/nsm/securityonion.conf" 36 | + 37 | +if [ -f $CONF ]; then 38 | + # Source $CONF, overriding defaults 39 | + . $CONF 40 | + # If $CONF doesn't have these variables, add them 41 | + grep WARN_DISK_USAGE $CONF || echo "WARN_DISK_USAGE=80" >> $CONF 42 | + grep CRIT_DISK_USAGE $CONF || echo "CRIT_DISK_USAGE=90" >> $CONF 43 | +fi 44 | + 45 | # clean the files as appropriate 46 | -sensor_cleandisk $SENSOR_LOG_DIR $SENSOR_UTC 47 | +sensor_cleandisk $SENSOR_LOG_DIR $SENSOR_UTC $WARN_DISK_USAGE $CRIT_DISK_USAGE 48 | 49 | exit 0 50 | -------------------------------------------------------------------------------- /debian/patches/barnyard2.conf-needs-to-output-to-local-syslog-for-ELSA: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion22) precise; urgency=low 9 | . 10 | * barnyard2.conf needs to output to local syslog for ELSA 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
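Review bot: `grep WARN_DISK_USAGE $CONF || echo ...` leaves grep's match on stdout, so every run that finds the setting prints `WARN_DISK_USAGE=...` into whatever log the cron job writes; it also matches a comment that merely mentions the name, in which case the default is never appended. Use a quiet, anchored test: `grep -q '^WARN_DISK_USAGE=' "$CONF" || echo "WARN_DISK_USAGE=80" >> "$CONF"` (and likewise for CRIT_DISK_USAGE). Because `$CONF` is sourced before the grep, the first run uses the built-in defaults and then persists them, which is fine but worth stating in the comment above the block.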
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_add 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_add 28 | 
@@ -566,6 +566,7 @@ config interface: $SENSOR_INTERFACE 29 | input unified2 30 | output sguil: sensor_name=$SENSOR_NAME agent_port=$SENSOR_BARNYARD2_PORT 31 | output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 32 | +output alert_syslog: LOG_LOCAL6 LOG_ALERT 33 | EOF_BARNYARD2 34 | 35 | # with all files created, enforce certain permissions 36 | -------------------------------------------------------------------------------- /debian/patches/bro-node-cfg-path: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion4) precise; urgency=low 9 | . 10 | * updated bro cron job 11 | * fix bro node.cfg path 12 | Author: Doug Burks 13 | 14 | --- 15 | The information above should follow the Patch Tagging Guidelines, please 16 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 17 | are templates for supplementary fields that you might want to add: 18 | 19 | Origin: , 20 | Bug: 21 | Bug-Debian: http://bugs.debian.org/ 22 | Bug-Ubuntu: https://launchpad.net/bugs/ 23 | Forwarded: 24 | Reviewed-By: 25 | Last-Update: 26 | 27 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start 28 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start 29 | 
@@ -397,7 +397,7 @@ do 30 | # If Bro is monitoring a single interface, it will be http.log 31 | # If Bro is monitoring multiple interfaces, the http.log will be per-interface: 32 | # http_eth0.log, http_eth1.log, etc. 33 | - if grep "^type=standalone$" /usr/etc/node.cfg > /dev/null 34 | + if grep "^type=standalone$" /opt/bro/etc/node.cfg > /dev/null 35 | then 36 | BRO_HTTP_LOG=/nsm/bro/logs/current/http.log 37 | else 38 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 39 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 40 | 
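Review bot: The corrected `grep "^type=standalone$" /opt/bro/etc/node.cfg > /dev/null` still has no handling for a missing or unreadable node.cfg: grep writes an error to stderr and returns non-zero, so the else branch silently assumes per-interface http logs and, further down this script, `http_agent.tcl` is pointed at a `$BRO_HTTP_LOG` that may not exist. Use `grep -q` and make the failure explicit, e.g. `if grep -q "^type=standalone$" /opt/bro/etc/node.cfg 2>/dev/null; then`, preceded by a readability check on the file that reports through the package's error helper, or at least a comment stating that a missing file is treated as a cluster configuration. The same test is duplicated in nsm_sensor_ps-restart with a different old path, which is how the two drifted apart; a shared helper in lib-nsm-sensor-utils would prevent a repeat. The enclosing `do` loop begins and ends outside the hunk.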
@@ -406,7 +406,7 @@ do 41 | # If Bro is monitoring a single interface, it will be http.log 42 | # If Bro is monitoring multiple interfaces, the http.log will be per-interface: 43 | # http_eth0.log, http_eth1.log, etc. 44 | - if grep "^type=standalone$" /etc/bro/node.cfg > /dev/null 45 | + if grep "^type=standalone$" /opt/bro/etc/node.cfg > /dev/null 46 | then 47 | BRO_HTTP_LOG=/nsm/bro/logs/current/http.log 48 | else 49 | -------------------------------------------------------------------------------- /debian/patches/change-sphinx-port-from-3307-to-9306: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion8) precise; urgency=low 9 | . 10 | * change sphinx port from 3307 to 9306 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
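Review bot: The path fix leaves `grep "^type=standalone$" /opt/bro/etc/node.cfg > /dev/null` evaluated inside the per-sensor `do` loop although node.cfg is a single host-wide file, and a missing file drops into the else branch with an error on stderr rather than being reported. Hoist the check above the loop, use `grep -q "^type=standalone$" /opt/bro/etc/node.cfg 2>/dev/null` so nothing leaks to stderr, and add a one-line comment saying that an absent node.cfg is treated as a multi-interface (cluster) layout if that is the intended fallback. This is the second copy of the same test in the package (nsm_sensor_ps-start has the other), so a shared helper would keep the two paths from diverging again. The loop containing this hunk starts and ends outside it.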
@@ -42,7 +42,7 @@ script 29 | fi 30 | fi 31 | done 32 | - REVERSE_TUNNEL="-R $MYSQL_PORT:localhost:50000 -R $SPHINX_PORT:localhost:3307" 33 | + REVERSE_TUNNEL="-R $MYSQL_PORT:localhost:50000 -R $SPHINX_PORT:localhost:9306" 34 | elif [ $ELSA = "NO" ]; then 35 | # We are not using ELSA so there's no need for a reverse ssl tunnel 36 | REVERSE_TUNNEL="" 37 | -------------------------------------------------------------------------------- /debian/patches/check-disk-usage-threshold-before-stopping-netsniff-ng: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion90) precise; urgency=low 9 | . 10 | * check disk usage threshold before stopping netsniff-ng 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/lib/nsmnow/lib-nsm-sensor-utils 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/lib/nsmnow/lib-nsm-sensor-utils 28 | 
@@ -436,10 +436,14 @@ sensor_cleandisk() 29 | 30 | done 31 | 32 | - # if we're out of pcaps to delete for all sensors interfaces, then stop writing pcaps 33 | - if [ "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -ne 0 -a "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -eq "$NUMBER_OF_SENSORS" ]; then 34 | - echo_msg 1 "${RED}stopping pcap!" 35 | - /usr/sbin/nsm_sensor_ps-stop --only-pcap > /dev/null 2>&1 36 | + # check if we're still above disk usage threshold 37 | + CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %) 38 | + if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then 39 | + # if we're out of pcaps to delete for all sensor interfaces, then stop writing pcaps 40 | + if [ "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -ne 0 -a "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -eq "$NUMBER_OF_SENSORS" ]; then 41 | + echo_msg 1 "${RED}stopping pcap!" 42 | + /usr/sbin/nsm_sensor_ps-stop --only-pcap > /dev/null 2>&1 43 | + fi 44 | fi 45 | 46 | if [ "$REMOVED" == "yes" ] 47 | -------------------------------------------------------------------------------- /debian/patches/check-for-snorby-output-before-trying-to-disable: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion128) trusty; urgency=medium 9 | . 10 | * check for snorby output before trying to disable 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
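Review bot: `CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)` yields an empty string whenever `df` fails (unset or unquoted `$SENSOR_DIR`, an unmounted path), and `[ "" -gt "$CRIT_DISK_USAGE" ]` then prints an integer-expression error and evaluates false, so the new guard turns a df failure into "never stop writing pcaps" even when every sensor is out of pcaps to delete — the opposite of the previous behaviour. Quote the path and validate the number before comparing, for example `CUR_USAGE=$(df -P "$SENSOR_DIR" | awk 'NR==2 { sub(/%/, "", $5); print $5 }')` followed by `case "$CUR_USAGE" in ''|*[!0-9]*) echo_msg 1 "${RED}cannot read disk usage for $SENSOR_DIR"; CUR_USAGE=100 ;; esac`, so an unreadable value fails toward stopping pcap rather than filling the disk; whether failing closed is the right policy for your deployment deserves a comment either way. `CRIT_DISK_USAGE` is compared without validation too, and it is defined outside this hunk. The `sensor_cleandisk()` function starts outside the hunk.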
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
@@ -58,8 +58,10 @@ script 29 | /usr/bin/autossh -M 0 -f -q -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -i "$KEY" -L 3306:127.0.0.1:3306 $REVERSE_TUNNEL $SSH_USERNAME@$SERVERNAME 30 | fi 31 | 32 | - # Snorby has been removed, so we need to disable the snorby output in all barnyard2.conf files 33 | - sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf 34 | + # Snorby has been removed, so if any barnyard2.conf files have the snorby output enabled, we should disable it 35 | + if grep "^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1" /etc/nsm/*/barnyard2*.conf >/dev/null 2>&1; then 36 | + sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf 37 | + fi 38 | 39 | # Both SLAVES and MASTERS need to start NSM services 40 | service nsm start 41 | -------------------------------------------------------------------------------- /debian/patches/check_usergroup-sensor_user-sensor_group: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion5) precise; urgency=low 9 | . 10 | * nsm_sensor_add needs check_usergroup 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
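Review bot: The snorby output pattern is now spelled out twice, once as a grep regex and once as a sed address, so the two can drift and the guard would stop matching while the sed keeps running (or vice versa); the unescaped dots in `127.0.0.1` also make both patterns slightly looser than the literal line they target. Hold the line in one variable and reuse it, e.g. `SNORBY_OUTPUT='output database: alert, mysql, user=root dbname=snorby host=127.0.0.1'`, `if grep -qs "^$SNORBY_OUTPUT" /etc/nsm/*/barnyard2*.conf; then`, `sed -i "s|^$SNORBY_OUTPUT|#$SNORBY_OUTPUT|" /etc/nsm/*/barnyard2*.conf`. `grep -qs` also replaces the `>/dev/null 2>&1` and stays quiet when the glob matches nothing. Note the sed still rewrites every barnyard2 config under /etc/nsm as root on each start, so an admin who deliberately re-enabled that output will have it commented out again; a comment saying this is intentional would help. The upstart `script` stanza begins outside the hunk.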
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_add 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_add 28 | 
@@ -804,10 +804,10 @@ default pcap=pass 29 | EOF_SANCP 30 | 31 | # with all files created, enforce certain permissions 32 | -check_usergroup "${SERVER_USER}" "${SERVER_GROUP}" 33 | +check_usergroup "${SENSOR_USER}" "${SENSOR_GROUP}" 34 | if [ "$?" -ne "0" ] 35 | then 36 | - echo_error_msg 1 "OOPS: The system user:group \"${SERVER_USER}:${SERVER_GROUP}\" does not exist!" 37 | + echo_error_msg 1 "OOPS: The system user:group \"${SENSOR_USER}:${SENSOR_GROUP}\" does not exist!" 38 | exit 1 39 | else 40 | chown -R $SENSOR_USER:$SENSOR_GROUP "/nsm/sensor_data/$SENSOR_NAME" "/etc/nsm/$SENSOR_NAME" 41 | -------------------------------------------------------------------------------- /debian/patches/clean-up-more-zeek-warnings: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion211) xenial; urgency=medium 9 | . 10 | * clean up more zeek warnings 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 28 | 
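Review bot: `chown -R $SENSOR_USER:$SENSOR_GROUP "/nsm/sensor_data/$SENSOR_NAME" "/etc/nsm/$SENSOR_NAME"` runs as root with a recursive chown whose targets are built from `$SENSOR_NAME`; the fix validates that the user and group exist, but nothing in this hunk rejects a sensor name containing `/` or `..`, which would re-own a tree outside /nsm/sensor_data and /etc/nsm. If nsm_sensor_add does not already validate the name earlier (outside this hunk), add a guard before the chown such as `case "$SENSOR_NAME" in ''|*/*|*..*) echo_error_msg 1 "OOPS: invalid sensor name \"$SENSOR_NAME\""; exit 1 ;; esac`, and quote the owner argument as `"$SENSOR_USER:$SENSOR_GROUP"` so an empty variable fails loudly rather than producing an odd chown invocation. The `if [ "$?" -ne "0" ]` after `check_usergroup` reads more naturally as `if ! check_usergroup "${SENSOR_USER}" "${SENSOR_GROUP}"; then`. The heredoc closed by `EOF_SANCP` at the top of the hunk begins outside it.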
@@ -403,7 +403,7 @@ if [ "$BRO_ENABLED" == "yes" ] && [ -z " 29 | fi 30 | 31 | # Stop Bro as root in case it was previously running as root 32 | - /opt/bro/bin/zeekctl stop 2>&1 | grep -v "warning: new .* version detected" 33 | + /opt/bro/bin/zeekctl stop 2>&1 | grep -v "warning: new .* version detected" | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'" | grep -v "^$" 34 | 35 | # set ownership of Bro directories 36 | chown -R $BRO_USER:$BRO_GROUP /nsm/bro/logs /nsm/bro/spool >/dev/null 2>&1 37 | -------------------------------------------------------------------------------- /debian/patches/clean-up-zeek-warnings: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion219) xenial; urgency=medium 9 | . 10 | * clean up zeek warnings 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-zeek-cron 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-zeek-cron 28 | 
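Review bot: Filtering `zeekctl stop` through a chain of `grep -v` discards its exit status, because the pipeline's status is that of the final `grep -v "^$"`, which itself returns 1 whenever every line was filtered out; the script therefore cannot distinguish a failed stop from a quiet successful one before it goes on to `chown -R` the log and spool directories and restart as `$BRO_USER`. If the script is bash (the `==` tests suggest so), keep the filter but recover the real status with `${PIPESTATUS[0]}` on the following line and report it, or enable `set -o pipefail` around this call. The filter strings are substring matches, so any future error message that happens to contain the same words will be hidden as well; a comment saying these are cosmetic ZeekControl deprecation warnings would make that trade-off visible. The enclosing `if [ "$BRO_ENABLED" == "yes" ]` block starts outside the hunk.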
@@ -48,4 +48,4 @@ if ! [ -x /opt/bro/bin/zeekctl ]; then 29 | fi 30 | 31 | # Run "zeekctl cron" as Bro user 32 | -su ${BRO_USER} -c '/opt/bro/bin/zeekctl cron' 33 | +su ${BRO_USER} -c '/opt/bro/bin/zeekctl cron 2>&1 | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'" ' 34 | -------------------------------------------------------------------------------- /debian/patches/comment-out-sensor_cleandisk-in-nsm_sensor_ps-start: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion64) precise; urgency=low 9 | . 10 | * comment out sensor_cleandisk in nsm_sensor_ps-start 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start 28 | 
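Review bot: The new `su ${BRO_USER} -c '...'` line is broken by quoting: the command string is single-quoted, and the inner `'import ZeekControl.plugin'` and `'import BroControl.plugin'` close and reopen that string, so su receives a command ending in an unterminated `grep -v "import` plus two leftover words as extra arguments. The shell that su spawns rejects the string with an unmatched-quote syntax error before executing anything, which means `zeekctl cron` no longer runs from this cron job at all. Keep the su command minimal and filter outside it, where double quotes are available: `su ${BRO_USER} -c '/opt/bro/bin/zeekctl cron' 2>&1 | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'"`. That is also how the broctl/zeekctl wrappers in this package apply the same filters. The script's preamble (the `-x /opt/bro/bin/zeekctl` check) is outside the hunk.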
@@ -548,7 +548,8 @@ do 29 | [ "$HTTP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_HTTP_AGENT" ] && process_start "http_agent.tcl" "-c /etc/nsm/$SENSOR/http_agent.conf -e /etc/nsm/$SENSOR/http_agent.exclude -f $BRO_HTTP_LOG" "$PROCESS_PID_DIR/$SENSOR/http_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/http_agent.log" "http_agent (sguil)" 30 | 31 | # clean disk/check crontab entry for daily restarts 32 | - sensor_cleandisk $SENSOR_LOG_DIR $SENSOR_UTC 33 | + # don't need to run sensor_cleandisk anymore, it's being run by a cron job every 5 minutes 34 | + # sensor_cleandisk $SENSOR_LOG_DIR $SENSOR_UTC 35 | sensor_stat_cronjob 36 | done 37 | 38 | -------------------------------------------------------------------------------- /debian/patches/daily-cronjobs-to-restart-all-Sguil-agents: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion47) precise; urgency=low 9 | . 10 | * add daily cronjobs to restart all Sguil agents 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/sensor-newday 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/sensor-newday 28 | 
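Review bot: Commenting out `sensor_cleandisk $SENSOR_LOG_DIR $SENSOR_UTC` instead of removing it leaves dead code, and the justification in the new comment (a cron job every 5 minutes) is not visible in this file, so a reader cannot confirm the cleanup still happens. If that cron entry is shipped by this package (presumably /etc/cron.d/sensor-clean), name its path in the comment, e.g. `# disk cleanup now runs every 5 minutes from the sensor-clean cron job; see /etc/cron.d/sensor-clean`, and delete the dead call. One consequence worth stating: a sensor started while the disk is already above `CRIT_DISK_USAGE` will now write pcaps for up to five minutes before the first cleanup, which the start-time call previously prevented. The `do` loop containing this hunk begins outside it.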
@@ -9,3 +9,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbi 29 | 01 0 * * * root /etc/init.d/syslog-ng reload 30 | 10 0 * * * root /etc/init.d/syslog-ng reload 31 | 00 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-sancp-agent >/dev/null 32 | +01 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-http-agent >/dev/null 33 | +02 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-ossec-agent >/dev/null 34 | +03 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-pads-agent >/dev/null 35 | +04 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-pcap-agent >/dev/null 36 | +05 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-snort-agent >/dev/null 37 | -------------------------------------------------------------------------------- /debian/patches/delete-snorby-pid-file-at-boot: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion62) precise; urgency=low 9 | . 10 | * delete snorby pid file at boot 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
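Review bot: The five new crontab lines redirect only stdout (`>/dev/null`), so any stderr from `nsm_sensor_ps-restart` is mailed by cron to root every day at noon; append `2>&1` to each, e.g. `01 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-http-agent >/dev/null 2>&1`. The entries are spaced one minute apart with nothing preventing overlap: if a restart takes longer than a minute (the sancp-agent restart at 12:00 is already in the series), two `nsm_sensor_ps-restart` invocations run concurrently against the same pid files, and nothing in this hunk shows a lock. Consider a single entry that restarts the agents sequentially, or a lock such as `flock -n /var/lock/nsm_sensor_ps-restart` in front of each command if flock is available on the target release. A comment stating why the Sguil agents need a daily restart would help the next maintainer.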
@@ -79,7 +79,7 @@ script 29 | XPLICO_ENABLED=`grep XPLICO_ENABLED $SO_CONF | cut -d\= -f2` 30 | 31 | [ "$XPLICO_ENABLED" = "yes" ] && /etc/init.d/xplico start 32 | - [ "$SNORBY_ENABLED" = "yes" ] && su www-data -c "cd /opt/snorby; bundle exec rake snorby:update RAILS_ENV=production" 33 | + [ "$SNORBY_ENABLED" = "yes" ] && rm -f /opt/snorby/tmp/pids/delayed_job.pid && su www-data -c "cd /opt/snorby; bundle exec rake snorby:update RAILS_ENV=production" 34 | fi 35 | 36 | end script 37 | -------------------------------------------------------------------------------- /debian/patches/disable-snorby-output-in-all-barnyard2.conf-files: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion127) trusty; urgency=medium 9 | . 10 | * disable snorby output in all barnyard2.conf files 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
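Review bot: `rm -f /opt/snorby/tmp/pids/delayed_job.pid` runs as root while the rake task after it is deliberately dropped to `www-data`; since `tmp/pids` is presumably www-data-writable (delayed_job runs as that user), the removal should run under the same unprivileged identity so its effect is bounded by www-data's permissions, e.g. `[ "$SNORBY_ENABLED" = "yes" ] && su www-data -c "rm -f /opt/snorby/tmp/pids/delayed_job.pid; cd /opt/snorby && bundle exec rake snorby:update RAILS_ENV=production"`. The unconditional delete also presumes delayed_job is not running whenever this upstart `script` executes; if the service can be restarted without a reboot, a live pid file would be discarded and a second worker started, so a comment stating the boot-only assumption (or a `kill -0` check on the pid before removing it) is worth adding. The pre-existing `cd /opt/snorby;` with `;` rather than `&&` lets rake run from the wrong directory if the cd fails, which the same line could fix. The `script` stanza starts outside the hunk.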
@@ -58,6 +58,9 @@ script 29 | /usr/bin/autossh -M 0 -f -q -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -i "$KEY" -L 3306:127.0.0.1:3306 $REVERSE_TUNNEL $SSH_USERNAME@$SERVERNAME 30 | fi 31 | 32 | + # Snorby has been removed, so we need to disable the snorby output in all barnyard2.conf files 33 | + sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf 34 | + 35 | # Both SLAVES and MASTERS need to start NSM services 36 | service nsm start 37 | 38 | -------------------------------------------------------------------------------- /debian/patches/do-not-sleep-for-60-seconds-when-starting-securityonion-during-Setup: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion40) precise; urgency=low 9 | . 10 | * don't sleep for 60 seconds if starting securityonion during Setup 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
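Review bot: The new `sed -i` matches the snorby output only when the line is byte-for-byte `output database: alert, mysql, user=root dbname=snorby host=127.0.0.1`; a sensor whose barnyard2.conf uses a different DB user, host or spacing keeps the output enabled and barnyard2 keeps failing against a database that no longer exists. Match on the distinguishing part instead, e.g. `sed -i 's|^\(output database: .*dbname=snorby.*\)$|#\1|' /etc/nsm/*/barnyard2*.conf`. The command also rewrites every file matching /etc/nsm/*/barnyard2*.conf as root on each start even when nothing needs changing; a `grep -qs` guard in front of it avoids touching configs unnecessarily. The upstart `script` stanza begins outside the hunk.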
@@ -13,10 +13,11 @@ script 29 | SSH_CONF="$SSH_DIR/securityonion_ssh.conf" 30 | if [ -f $SSH_CONF ] 31 | then 32 | - # Some folks are having problems with link negotiation taking too long 33 | - # and the tunnel failing to come up. 34 | + # Some folks are having problems with link negotiation taking too long and the tunnel failing to come up. 35 | # This is a quick and dirty fix until we come up with a better solution. 36 | - sleep 60 37 | + # If starting the securityonion services at boot-time, sleep for 60 seconds to allow link to negotiate. 38 | + # If running Setup, we don't need to pause as the link should have already been negotiated. 39 | + pgrep sosetup >/dev/null || sleep 60 40 | # Establish persistent SSH tunnel to MASTER. 41 | KEY="$SSH_DIR/securityonion" 42 | # Upstart uses sh instead of bash so we can't use "source" 43 | -------------------------------------------------------------------------------- /debian/patches/don't-sleep-for-10-seconds-if-starting-securityonion-during-Setup: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion42) precise; urgency=low 9 | . 10 | * don't sleep for 10 seconds if starting securityonion during Setup 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
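Review bot: `pgrep sosetup >/dev/null || sleep 60` skips the wait whenever any process whose name merely contains `sosetup` exists, since pgrep matches a regular expression against process names; use `pgrep -x sosetup` to require an exact match, and say in the comment that this is only a heuristic for "Setup is driving this start". The underlying problem — the link not being up when autossh starts — is still worked around with a fixed 60-second sleep on every boot; a short retry loop around the tunnel start, or an upstart start condition on the network being up if the target release supports it, would remove the race rather than delay it, though I cannot tell from this hunk what the current `start on` stanza contains. The `if [ -f $SSH_CONF ]` block starts outside the hunk.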
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
@@ -7,7 +7,9 @@ start on (net-device-up 29 | and runlevel [2345]) 30 | stop on runlevel [016] 31 | script 32 | - sleep 10 33 | + # If starting the securityonion services at boot-time, sleep for 10 seconds to allow time for MySQL to start. 34 | + # If running Setup, we don't need to pause as MySQL should have already started. 35 | + pgrep sosetup >/dev/null || sleep 10 36 | # If this is a SLAVE start SSH tunnel and start ELSA if required 37 | SSH_DIR="/root/.ssh" 38 | SSH_CONF="$SSH_DIR/securityonion_ssh.conf" 39 | -------------------------------------------------------------------------------- /debian/patches/ensure-non-threaded-tcl8.6-for-sguild: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion125) trusty; urgency=medium 9 | . 10 | * ensure non-threaded tcl8.6 for sguild 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_ps-start 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_ps-start 28 | 
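Review bot: `pgrep sosetup >/dev/null || sleep 10` is a fixed delay standing in for a dependency on MySQL; upstart can express that directly, e.g. `start on (started mysql and net-device-up IFACE!=lo and runlevel [2345])`, which would make both the sleep and the process-name probe unnecessary, assuming MySQL is upstart-managed on the target release. If the sleep stays, anchor the probe with `pgrep -x sosetup` so an unrelated process with `sosetup` in its name does not suppress the wait, and state in the comment that 10 seconds is a heuristic rather than a guarantee that MySQL is accepting connections. The `start on` stanza is only partly visible here and begins outside the hunk.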
@@ -173,6 +173,9 @@ do 29 | chmod -R g+w $ELSA_REG_LOG_DIR 30 | fi 31 | 32 | + # make sure that we're using non-threaded tcl8.6 33 | + update-alternatives --install /usr/bin/tclsh tclsh /usr/bin/tclsh8.6 1000 34 | + 35 | # Start sguild as $SERVER_USER 36 | process_start "/usr/bin/sguild" "-c $SERVER_CONF_DIR/sguild.conf -a $SERVER_CONF_DIR/autocat.conf -g $SERVER_CONF_DIR/sguild.queries -A $SERVER_CONF_DIR/sguild.access -C $SERVER_CONF_DIR/certs" "$PROCESS_PID_DIR/$SERVER/sguild.pid" "$PROCESS_LOG_DIR/$SERVER/sguild.log" "sguil server" "$SERVER_USER" 37 | 38 | -------------------------------------------------------------------------------- /debian/patches/filter-out-warnings-in-broctl-and-zeekctl: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion223) xenial; urgency=medium 9 | . 10 | * filter out warnings in broctl and zeekctl 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/broctl 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/broctl 28 | 
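Review bot: `update-alternatives --install /usr/bin/tclsh tclsh /usr/bin/tclsh8.6 1000` mutates the system-wide alternatives database from a service-start path, on every start of sguild, and at priority 1000 it overrides whatever the package-managed alternatives chose; this belongs in the package postinst (or a one-time setup step), not in `nsm_server_ps-start`. If it must stay here, guard it so a missing binary does not register a dangling link and keep it quiet on repeat runs, e.g. `[ -x /usr/bin/tclsh8.6 ] && update-alternatives --install /usr/bin/tclsh tclsh /usr/bin/tclsh8.6 1000 >/dev/null 2>&1`. The comment says "non-threaded tcl8.6", but selecting the tclsh8.6 alternative does not by itself establish how that binary was built; pointing the comment at where the non-threaded build comes from would make the claim checkable. The `do` loop containing this hunk starts outside it.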
@@ -37,4 +37,4 @@ fi 29 | . $SO_CONF 30 | 31 | # Run "zeekctl" as Bro user and pass along arguments 32 | -su $BRO_USER -c "/opt/bro/bin/zeekctl $@" 33 | +su $BRO_USER -c "/opt/bro/bin/zeekctl $@" 2>&1 | grep -v "warning: new .* version detected" | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'" | grep -v "^$" | grep -v "^Warning: Plugin 'af_packet' uses deprecated method 'broctl_config'; use 'zeekctl_config' instead$" 34 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/zeekctl 35 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/zeekctl 36 | 
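Review bot: Piping the wrapper's output through the `grep -v` chain loses zeekctl's exit status: the script now exits with the status of the last `grep -v`, which returns 1 when no output survives, so a caller checking `broctl status` sees failure on a quiet success and success on a noisy failure. If the wrapper is bash (its shebang is outside the hunk), follow the pipeline with `exit "${PIPESTATUS[0]}"`; if it must stay POSIX sh, run the su in a subshell that writes its status to a temporary file and exit with that. The pre-existing `-c "/opt/bro/bin/zeekctl $@"` also hands the user's arguments to a second shell for re-parsing, so arguments with spaces or metacharacters are split or interpreted; that is outside what this commit changes but worth a comment at minimum. The script's head (`. $SO_CONF` and above) is outside the hunk.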
@@ -37,4 +37,4 @@ fi 37 | . $SO_CONF 38 | 39 | # Run "zeekctl" as Bro user and pass along arguments 40 | -su $BRO_USER -c "/opt/bro/bin/zeekctl $@" 41 | +su $BRO_USER -c "/opt/bro/bin/zeekctl $@" 2>&1 | grep -v "warning: new .* version detected" | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'" | grep -v "^$" | grep -v "^Warning: Plugin 'af_packet' uses deprecated method 'broctl_config'; use 'zeekctl_config' instead$" 42 | -------------------------------------------------------------------------------- /debian/patches/fix-bug-when-restarting-suricata: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion28) precise; urgency=low 9 | . 10 | * fix bug when restarting suricata 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 28 | 
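Review bot: This `zeekctl` wrapper is line-for-line the same as the `broctl` wrapper patched alongside it, including the filter chain; maintaining two copies is how both needed the same edit, so make one a symlink to the other (or have broctl `exec "$(dirname "$0")/zeekctl" "$@"`) and keep the filters in one place. On the line itself, `su $BRO_USER` is unquoted and `BRO_USER` comes from the `$SO_CONF` sourced just above: if it is empty, `su -c "..."` runs zeekctl as root, so `su "${BRO_USER:?BRO_USER not set in $SO_CONF}"` would fail loudly instead. The exit status after the `grep -v` chain is that of the last grep, not of zeekctl, which the script should report explicitly. The script's head is outside the hunk.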
@@ -406,7 +406,7 @@ do 29 | # copy IDS_LB_PROCS from sensor.conf 30 | IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` 31 | sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml 32 | - [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" 33 | + [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" 34 | else 35 | # Restart $IDS_LB_PROCS instances of Snort using pfring load-balancing 36 | for i in `seq 1 $IDS_LB_PROCS`; do 37 | -------------------------------------------------------------------------------- /debian/patches/fix-curly-brace: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion192) xenial; urgency=medium 9 | . 10 | * fix curly brace 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
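Review bot: The new `$ACTION "suricata" "--user ..."` line executes whatever `ACTION` holds with no check that it is set; if it is empty, the shell runs `suricata` straight from `$PATH` with the pid-file, log-file and description strings passed as extra arguments, bypassing the process helper the variable is meant to select. `ACTION` is assigned outside this hunk, so this is inferred from the visible line only. A guard such as `: "${ACTION:?ACTION must name the process helper to run}"` ahead of the `[ -z "$SKIP_SNORT_ALERT" ] && ...` line turns that into an explicit failure. The enclosing `do` loop starts and ends outside the hunk.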
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-sensor-backup-config 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-sensor-backup-config 28 | 
@@ -34,7 +34,7 @@ mkdir -p ${SENSOR_CONFIG_BACKUP_DIR} 29 | 30 | # Create a backup for each sensor interface 31 | for i in $(cat /etc/nsm/sensortab | grep -v '#' | awk '{print $1}'); do 32 | - /usr/sbin/nsm_sensor_backup-config --force-yes --sensor-name=${i} --backup-file=${SENSOR_CONFIG_BACKUP_DIR}/${i}-sensor-backup-`date +\%Y-\%m-\%d`.tar.gz >> /var/log/nsm/{$i}-backup-config.log 2>&1 33 | + /usr/sbin/nsm_sensor_backup-config --force-yes --sensor-name=${i} --backup-file=${SENSOR_CONFIG_BACKUP_DIR}/${i}-sensor-backup-`date +\%Y-\%m-\%d`.tar.gz >> /var/log/nsm/${i}-backup-config.log 2>&1 34 | done 35 | 36 | # If old backups exist, delete them 37 | -------------------------------------------------------------------------------- /debian/patches/fix-etcinitsecurityonion.conf-when-running-on-sensor-only-with-no-elsa-and-no-mysql: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion29) precise; urgency=low 9 | . 10 | * fix /etc/init/securityonion.conf when running on sensor-only with no elsa and no mysql 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
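Review bot: The `for i in $(cat /etc/nsm/sensortab | grep -v '#' | awk '{print $1}')` loop that drives the corrected `${i}-backup-config.log` path filters every line containing a `#` anywhere, not just comment lines, whereas nsm_all_del_quick in this same series uses `grep -v "^#"`; a sensor entry with a trailing comment is silently left out of the backup. `for i in $(awk '!/^[[:space:]]*#/ && NF {print $1}' /etc/nsm/sensortab); do` keeps only non-blank, non-comment entries and drops the `cat`. The script's defaults block is outside the hunk.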
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
@@ -47,7 +47,7 @@ script 29 | # We are not using ELSA so there's no need for a reverse ssl tunnel 30 | REVERSE_TUNNEL="" 31 | # Also no need for mysql 32 | - service mysql stop 33 | + [ -f /etc/init/mysql.conf ] && service mysql stop 34 | fi 35 | # If the server isn't up, we want autossh to keep retrying so we set AUTOSSH_GATETIME to 0 36 | export AUTOSSH_GATETIME=0 37 | -------------------------------------------------------------------------------- /debian/patches/fix-nsm_server_user-disable: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion118) precise; urgency=low 9 | . 10 | * fix nsm_server_user-disable 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_user-disable 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_user-disable 28 | 
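Review bot: The added `[ -f /etc/init/mysql.conf ] && service mysql stop` guard covers the missing-job case, but `service mysql stop` is now the last command of an AND list; if that call fails (for instance MySQL is already stopped) and this `script` stanza runs under upstart's default `sh -e`, the whole securityonion job aborts before the `AUTOSSH_GATETIME` export on the following lines. `[ -f /etc/init/mysql.conf ] && service mysql stop || true` keeps the stop best-effort, which is what the "no need for mysql" comment implies. The `script` block starts and ends outside the hunk.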
@@ -162,12 +162,6 @@ prompt_user_yesno "Disable User" "The fo 29 | 30 | # disable 31 | echo_msg 0 "Disabling user: ${USER_NAME}" 32 | -/usr/bin/sguild -disableuser "${USER_NAME}" >/dev/null 2>&1 33 | -if [ "${?}" -ne 0 ] 34 | -then 35 | - echo_error_msg 1 "user could not be disabled!" 36 | -else 37 | - echo_msg 0 "${USER_NAME} successfully disabled." 38 | -fi 39 | +/usr/bin/sguild -disableuser "${USER_NAME}" 40 | 41 | exit 0 42 | -------------------------------------------------------------------------------- /debian/patches/fix-permissions-on-SERVER_LOG_DIR: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion108) precise; urgency=low 9 | . 10 | * fix permissions on SERVER_LOG_DIR 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_ps-restart 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_ps-restart 28 | 
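Review bot: Removing the status check after `/usr/bin/sguild -disableuser "${USER_NAME}"` means the script announces "Disabling user" and then unconditionally reaches `exit 0`, so a disable that fails — leaving the account active — is indistinguishable from success for an operator or any automation calling this command. If the intent was to let sguild's own output reach the terminal, keep that but retain the status: `/usr/bin/sguild -disableuser "${USER_NAME}" || { echo_error_msg 1 "user could not be disabled!"; exit 1; }`. The `prompt_user_yesno` confirmation ahead of this hunk is outside the visible lines.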
@@ -174,6 +174,7 @@ do 29 | # Set permissions 30 | chown -R $SERVER_USER:$SERVER_GROUP $PROCESS_LOG_DIR 31 | chown -R $SERVER_USER:$SERVER_GROUP $PROCESS_PID_DIR 32 | + chown -R $SERVER_USER:$SERVER_GROUP $SERVER_LOG_DIR 33 | chown -R $SERVER_USER:$SERVER_GROUP /var/log/sguild/ 34 | 35 | # restart sguil server 36 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_ps-start 37 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_ps-start 38 | 
@@ -160,6 +160,7 @@ do 39 | # Set permissions 40 | chown -R $SERVER_USER:$SERVER_GROUP $PROCESS_LOG_DIR 41 | chown -R $SERVER_USER:$SERVER_GROUP $PROCESS_PID_DIR 42 | + chown -R $SERVER_USER:$SERVER_GROUP $SERVER_LOG_DIR 43 | chown -R $SERVER_USER:$SERVER_GROUP /var/log/sguild/ 44 | 45 | # Start sguild as $SERVER_USER 46 | -------------------------------------------------------------------------------- /debian/patches/fix-so-*-config-backup: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion186) xenial; urgency=medium 9 | . 10 | * fix so-*-config-backup 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-sensor-config-backup 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-sensor-config-backup 28 | 
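Review bot: The added `chown -R $SERVER_USER:$SERVER_GROUP $SERVER_LOG_DIR` is unquoted and unchecked: if `SERVER_LOG_DIR` is unset or empty the command fails with a usage error on every start/restart, and any whitespace in the value splits it into several targets. `[ -n "$SERVER_LOG_DIR" ] && chown -R "$SERVER_USER:$SERVER_GROUP" "$SERVER_LOG_DIR"` covers both; the same line is added in the nsm_server_ps-restart hunk just above. Where `SERVER_LOG_DIR` is defined is outside these hunks, as is the enclosing `do` loop.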
@@ -38,6 +38,6 @@ for i in $(cat /etc/nsm/sensortab | grep 29 | done 30 | 31 | # If old backups exist, delete them 32 | -if [ -f ${SENSOR_CONFIG_BACKUP_DIR}/*sensor-backup*.tar.gz ]; then 33 | +if ls ${SENSOR_CONFIG_BACKUP_DIR}/*sensor-backup*.tar.gz >/dev/null 2>&1; then 34 | /usr/bin/find ${SENSOR_CONFIG_BACKUP_DIR}/*sensor-backup*.tar.gz -mtime +${SENSOR_CONFIG_BACKUPS} -exec rm -f {} \; 35 | fi 36 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-server-config-backup 37 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-server-config-backup 38 | 
@@ -36,6 +36,6 @@ mkdir -p ${SERVER_CONFIG_BACKUP_DIR} 39 | /usr/sbin/nsm_server_backup-config --force-yes --server-name=securityonion --backup-file=${SERVER_CONFIG_BACKUP_DIR}/securityonion-server-backup-`date +\%Y-\%m-\%d`.tar.gz >> /var/log/nsm/server-backup-config.log 2>&1 40 | 41 | # If old backups exist, delete them 42 | -if [ -f ${SERVER_CONFIG_BACKUP_DIR}/*server-backup*.tar.gz ]; then 43 | +if ls ${SERVER_CONFIG_BACKUP_DIR}/*server-backup*.tar.gz >/dev/null 2>&1; then 44 | /usr/bin/find ${SERVER_CONFIG_BACKUP_DIR}/*server-backup*.tar.gz -mtime +${SERVER_CONFIG_BACKUPS} -exec rm -f {} \; 45 | fi 46 | -------------------------------------------------------------------------------- /debian/patches/fix-so-nsm-watchdog: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion185) xenial; urgency=medium 9 | . 10 | * fix so-nsm-watchdog 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-nsm-watchdog 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-nsm-watchdog 28 | 
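Review bot: The new `if ls ${SERVER_CONFIG_BACKUP_DIR}/*server-backup*.tar.gz >/dev/null 2>&1; then` guard is only needed because `find` is handed the expanded glob as its starting points; letting `find` match names itself removes the guard, the unquoted glob and the per-file `rm -f` process: `/usr/bin/find "${SERVER_CONFIG_BACKUP_DIR}" -maxdepth 1 -name '*server-backup*.tar.gz' -mtime +"${SERVER_CONFIG_BACKUPS}" -delete`. The same pattern is in the so-sensor-config-backup hunk immediately above. The defaults these variables come from are outside the hunk.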
@@ -6,7 +6,7 @@ LOG="/var/log/nsm/watchdog.log" 29 | FILE="/etc/nsm/servertab" 30 | ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 31 | if [ ${ENABLED} -gt 0 ]; then 32 | - $OUTPUT=$(/usr/sbin/nsm_server_ps-restart --if-stale) 33 | + OUTPUT=$(/usr/sbin/nsm_server_ps-restart --if-stale) 34 | if [ "${OUTPUT}" != "" ]; then 35 | echo "$(date) ${OUTPUT}" >> ${LOG} 36 | fi 37 | 
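Review bot: The corrected `OUTPUT=$(/usr/sbin/nsm_server_ps-restart --if-stale)` captures only stdout, so anything the restart script writes to stderr never reaches `${LOG}`, and the `[ "${OUTPUT}" != "" ]` test treats a stderr-only failure as nothing worth logging. `OUTPUT=$(/usr/sbin/nsm_server_ps-restart --if-stale 2>&1)` records both streams with the timestamp. The `nsm_sensor_ps-restart` hunk that follows needs the same redirect.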
@@ -16,7 +16,7 @@ fi 38 | FILE="/etc/nsm/sensortab" 39 | ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 40 | if [ ${ENABLED} -gt 0 ]; then 41 | - $OUTPUT=$(/usr/sbin/nsm_sensor_ps-restart --if-stale) 42 | + OUTPUT=$(/usr/sbin/nsm_sensor_ps-restart --if-stale) 43 | if [ "${OUTPUT}" != "" ]; then 44 | echo "$(date) ${OUTPUT}" >> ${LOG} 45 | fi 46 | -------------------------------------------------------------------------------- /debian/patches/improve-so-*-config-backup: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion184) xenial; urgency=medium 9 | . 10 | * improve so-*-config-backup 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-sensor-config-backup 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-sensor-config-backup 28 | 
@@ -15,6 +15,13 @@ 29 | # You should have received a copy of the GNU General Public License 30 | # along with this program. If not, see . 31 | 32 | +# If there are no sensor interfaces enabled, then exit 33 | +FILE="/etc/nsm/sensortab" 34 | +ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 35 | +if [ ${ENABLED} -eq 0 ]; then 36 | + exit 1 37 | +fi 38 | + 39 | # Set defaults 40 | SENSOR_CONFIG_BACKUPS=10 41 | SENSOR_CONFIG_BACKUP_DIR="/etc/nsm/backup" 42 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-server-config-backup 43 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-server-config-backup 44 | 
@@ -15,6 +15,13 @@ 45 | # You should have received a copy of the GNU General Public License 46 | # along with this program. If not, see . 47 | 48 | +# If server not enabled, then exit 49 | +FILE="/etc/nsm/servertab" 50 | +ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 51 | +if [ ${ENABLED} -eq 0 ]; then 52 | + exit 1 53 | +fi 54 | + 55 | # Set defaults 56 | SERVER_CONFIG_BACKUPS=10 57 | SERVER_CONFIG_BACKUP_DIR="/etc/nsm/backup" 58 | -------------------------------------------------------------------------------- /debian/patches/improve-so-netsniff-ng-cron: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion183) xenial; urgency=medium 9 | . 10 | * improve so-netsniff-ng-cron 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-netsniff-ng-cron 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-netsniff-ng-cron 28 | 
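Review bot: The added `ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l)` counts every line without a `#`, including blank lines, and excludes entries that merely carry a trailing comment, so a servertab containing only an empty line passes the check and the backup proceeds with nothing enabled. `ENABLED=$(grep -v '^[[:space:]]*\(#\|$\)' "${FILE}" 2>/dev/null | wc -l)` counts only non-blank, non-comment lines while still yielding 0 when the file is missing. The sensortab check in the so-sensor-config-backup hunk above has the same shape, as do the existing checks in so-netsniff-ng-cron and so-nsm-watchdog on this page.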
@@ -1,19 +1,18 @@ 29 | #!/bin/bash 30 | 31 | -# Define initial variables 32 | SENSORTAB="/etc/nsm/sensortab" 33 | NUM_INTERFACES=$(grep -v "#" ${SENSORTAB} 2>/dev/null | wc -l) 34 | +# If there are no sensor interfaces enabled, then exit 35 | +if [ ${NUM_INTERFACES} -eq 0 ]; then 36 | + exit 1 37 | +fi 38 | + 39 | INTERFACES=$(grep -v '#' $SENSORTAB | awk '{print $1}') 40 | LOG="/var/log/nsm/netsniff-sync.log" 41 | NEED_TO_RESTART="no" 42 | OS_DATE=$(date +"%Y-%m-%d") 43 | OS_TIME=$(date +"%H%M") 44 | 45 | -# If there are no sensor interfaces enabled, then exit 46 | -if [ ${NUM_INTERFACES} -eq 0 ]; then 47 | - exit 1 48 | -fi 49 | - 50 | if [ $OS_TIME -eq 0000 ]; then 51 | echo "$(date) Time is 00:00, so skipping check for netsniff date since /etc/cron.d/sensor-newday should be restarting it anyway." >> $LOG 52 | exit 0 53 | -------------------------------------------------------------------------------- /debian/patches/improve-so-nsm-watchdog: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion182) xenial; urgency=medium 9 | . 10 | * improve so-nsm-watchdog 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
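Review bot: Moving the early exit ahead of `INTERFACES=` is fine, but `exit 1` for "no sensor interfaces enabled" makes a normal nothing-to-do condition look like a failure to cron and to anything checking the job's status; the newly added blocks in the improve-so-*-config-backup patch above use `exit 1` the same way. `exit 0` under the unchanged comment distinguishes an idle run from an actual error. The rest of the script is outside the hunk.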
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-nsm-watchdog 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-nsm-watchdog 28 | 
@@ -1,12 +1,23 @@ 29 | #!/bin/bash 30 | 31 | -# Define initial variables 32 | -SENSORTAB="/etc/nsm/sensortab" 33 | -NUM_INTERFACES=$(grep -v "#" ${SENSORTAB} 2>/dev/null | wc -l) 34 | +LOG="/var/log/nsm/watchdog.log" 35 | 36 | -# If there are no sensor interfaces enabled, then exit 37 | -if [ ${NUM_INTERFACES} -eq 0 ]; then 38 | - exit 1 39 | +# If server enabled, then check if stale 40 | +FILE="/etc/nsm/servertab" 41 | +ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 42 | +if [ ${ENABLED} -gt 0 ]; then 43 | + $OUTPUT=$(/usr/sbin/nsm_server_ps-restart --if-stale) 44 | + if [ "${OUTPUT}" != "" ]; then 45 | + echo "$(date) ${OUTPUT}" >> ${LOG} 46 | + fi 47 | fi 48 | 49 | -( date ; /usr/sbin/nsm_server_ps-restart --if-stale ; /usr/sbin/nsm_sensor_ps-restart --if-stale) >> /var/log/nsm/watchdog.log 50 | +# If there are sensor interfaces enabled, then check if stale 51 | +FILE="/etc/nsm/sensortab" 52 | +ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 53 | +if [ ${ENABLED} -gt 0 ]; then 54 | + $OUTPUT=$(/usr/sbin/nsm_sensor_ps-restart --if-stale) 55 | + if [ "${OUTPUT}" != "" ]; then 56 | + echo "$(date) ${OUTPUT}" >> ${LOG} 57 | + fi 58 | +fi 59 | -------------------------------------------------------------------------------- /debian/patches/increase-first-sleep-from-5-seconds-to-10-to-make-sure-Sguil-doesn't-start-until-MySQL-does: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion40ubuntu1) precise; urgency=low 9 | . 
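Review bot: Both added `$OUTPUT=$(/usr/sbin/nsm_server_ps-restart --if-stale)` lines carry a leading `$`, so with `OUTPUT` initially empty the shell expands them to a command named `=<restart output>`; the restart still runs, but its output is lost and `OUTPUT` is never assigned, so the `[ "${OUTPUT}" != "" ]` branch never writes to `${LOG}`. The fix-so-nsm-watchdog patch earlier on this page corrects both lines to `OUTPUT=$(...)`; folding that fix into this patch would avoid shipping a watchdog that logs nothing in between. The previous `( date ; ... ) >> /var/log/nsm/watchdog.log` form is removed here, so there is no longer any unconditional heartbeat line in the log.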
10 | * increase first sleep from 5 seconds to 10 to make sure Sguil doesn't start until MySQL does 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
@@ -7,7 +7,7 @@ start on (net-device-up 29 | and runlevel [2345]) 30 | stop on runlevel [016] 31 | script 32 | - sleep 5 33 | + sleep 10 34 | # If this is a SLAVE start SSH tunnel and start ELSA if required 35 | SSH_DIR="/root/.ssh" 36 | SSH_CONF="$SSH_DIR/securityonion_ssh.conf" 37 | -------------------------------------------------------------------------------- /debian/patches/increase-systemd-timeout-to-5-minutes: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion176) xenial; urgency=medium 9 | . 10 | * increase systemd timeout to 5 minutes 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/systemd/system/securityonion.service 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/systemd/system/securityonion.service 28 | 
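Review bot: Raising `sleep 5` to `sleep 10` only widens the window for MySQL to come up; it still races on a slow or loaded host and adds ten seconds to every boot, including the sensor-only case without MySQL that the fix-etcinitsecurityonion.conf patch above handles. A bounded readiness poll gated on the same job file waits only as long as needed: `if [ -f /etc/init/mysql.conf ]; then for n in $(seq 1 30); do mysqladmin ping >/dev/null 2>&1 && break; sleep 1; done; fi`. The `script` block continues outside the hunk.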
@@ -6,6 +6,7 @@ After=network.target 29 | Type=forking 30 | ExecStart=/usr/sbin/so-boot 31 | Restart=on-abort 32 | +TimeoutStartSec=300 33 | 34 | [Install] 35 | WantedBy=multi-user.target 36 | -------------------------------------------------------------------------------- /debian/patches/issue-649: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion93) precise; urgency=low 9 | . 10 | * Issue 649: nsm_all_del_quick: check for /etc/nsm/servertab and /etc/nsm/sensortab before trying to read 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_all_del_quick 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_all_del_quick 28 | 
@@ -4,16 +4,18 @@ 29 | service nsm stop 30 | 31 | # Delete all sensors 32 | -for INTERFACE in `cat "/etc/nsm/sensortab" | grep -v "^#" |cut -f1` 33 | -do 34 | - echo y | nsm_sensor_del --sensor-name="$INTERFACE" 35 | -done 36 | +if [ -f /etc/nsm/sensortab ]; then 37 | + for INTERFACE in `cat "/etc/nsm/sensortab" | grep -v "^#" |cut -f1`; do 38 | + echo y | nsm_sensor_del --sensor-name="$INTERFACE" 39 | + done 40 | +fi 41 | 42 | # Delete all servers (should only be one) 43 | -for SERVER in `cat "/etc/nsm/servertab" | grep -v "^#" |cut -f1` 44 | -do 45 | - echo y | nsm_server_del --server-name="$SERVER" 46 | -done 47 | +if [ -f /etc/nsm/sensortab ]; then 48 | + for SERVER in `cat "/etc/nsm/servertab" | grep -v "^#" |cut -f1`; do 49 | + echo y | nsm_server_del --server-name="$SERVER" 50 | + done 51 | +fi 52 | 53 | # Remove old Bro logs 54 | rm -rf /nsm/bro/logs/* 55 | -------------------------------------------------------------------------------- /debian/patches/merge-Wes's-pull-request-to-add-quotes-around-$FORCE_YES: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion138) trusty; urgency=medium 9 | . 10 | * merge Wes's pull request to add quotes around $FORCE_YES 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
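Review bot: The second added guard, `if [ -f /etc/nsm/sensortab ]; then` ahead of the servertab loop, tests the wrong file: with only servertab present the server is never deleted, and with only sensortab present the loop still `cat`s a missing servertab, which is the error this patch set out to avoid. It should read `if [ -f /etc/nsm/servertab ]; then`; the nsm_all_del_quick-fix-typo patch later on this page makes exactly that change, so the two patches could be squashed. The `service nsm stop` and `rm -rf /nsm/bro/logs/*` context lines are unchanged here.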
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_backup-config 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_backup-config 28 | @@ -167,7 +167,7 @@ fi 29 | 30 | # prompt to backup the configuration, ignore if --force-yes is used 31 | prompt_user_yesno "Backup Sensor Configuration" "All configurations for sensor \"$SENSOR_NAME\" will be backed up to:\n$BACKUP_FILE\n\nDo you want to continue?" "N" 32 | -if [ $FORCE_YES == "yes" ] 33 | +if [ "$FORCE_YES" == "yes" ] 34 | then 35 | PROMPT_RET=Y 36 | fi 37 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_backup-config 38 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_backup-config 39 | 
@@ -164,7 +164,7 @@ fi 40 | 41 | # prompt to backup the configuration, ignore if --force-yes is used 42 | prompt_user_yesno "Backup Server Configuration" "All configurations for server \"$SERVER_NAME\" will be backed up to:\n$BACKUP_FILE\n\nDo you want to continue?" "N" 43 | -if [ $FORCE_YES == "yes" ] 44 | +if [ "$FORCE_YES" == "yes" ] 45 | then 46 | PROMPT_RET=Y 47 | fi 48 | -------------------------------------------------------------------------------- /debian/patches/more-naming-fixes: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion188) xenial; urgency=medium 9 | . 10 | * more naming fixes 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/so-server-backup-config 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/so-server-backup-config 28 | 
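Review bot: The quoted `[ "$FORCE_YES" == "yes" ]` fixes the empty-variable syntax error, but `==` inside `[ ]` is a bash extension; if these scripts are ever run by `/bin/sh` (dash on Ubuntu) the test is rejected, and the shebang is not visible in this hunk. `[ "$FORCE_YES" = "yes" ]` is portable and equivalent. The nsm_sensor_backup-config hunk just above has the same comparison.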
@@ -1,6 +1,6 @@ 29 | -# /etc/cron.d/so-server-backup 30 | +# /etc/cron.d/so-server-backup-config 31 | # 32 | # crontab entry to backup server config 33 | SHELL=/bin/sh 34 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 35 | -0 1 * * * root /usr/sbin/so-server-backup 36 | +0 1 * * * root /usr/sbin/so-server-backup-config 37 | -------------------------------------------------------------------------------- /debian/patches/more-zeek-cleanup: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion220) xenial; urgency=medium 9 | . 10 | * more zeek cleanup 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-zeek-cron 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-zeek-cron 28 | 
@@ -48,4 +48,4 @@ if ! [ -x /opt/bro/bin/zeekctl ]; then 29 | fi 30 | 31 | # Run "zeekctl cron" as Bro user 32 | -su ${BRO_USER} -c '/opt/bro/bin/zeekctl cron 2>&1 | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'" ' 33 | +su ${BRO_USER} -c '/opt/bro/bin/zeekctl cron 2>&1 | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "import BroControl.plugin" | grep -v "^$" ' 34 | -------------------------------------------------------------------------------- /debian/patches/move-daily-restart-to-0:00-to-avoid-pcap-blackhole: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion34) precise; urgency=low 9 | . 10 | * move daily restart to 0:00 to avoid pcap blackhole 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/sensor-newday 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/sensor-newday 28 | 
@@ -5,4 +5,4 @@ 29 | SHELL=/bin/sh 30 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 31 | 32 | -01 0 * * * root /usr/sbin/nsm_sensor_ps-daily-restart 33 | +00 0 * * * root /usr/sbin/nsm_sensor_ps-daily-restart 34 | -------------------------------------------------------------------------------- /debian/patches/nsm_all_del_quick-fix-typo: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion96) precise; urgency=low 9 | . 10 | * nsm_all_del_quick fix typo 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_all_del_quick 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_all_del_quick 28 | 
@@ -14,7 +14,7 @@ if [ -f /etc/nsm/sensortab ]; then 29 | fi 30 | 31 | # Delete all servers (should only be one) 32 | -if [ -f /etc/nsm/sensortab ]; then 33 | +if [ -f /etc/nsm/servertab ]; then 34 | for SERVER in `cat "/etc/nsm/servertab" | grep -v "^#" |cut -f1`; do 35 | echo y | nsm_server_del --server-name="$SERVER" 36 | done 37 | -------------------------------------------------------------------------------- /debian/patches/nsm_all_del_quick-should-check-for-root-first: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion95) precise; urgency=low 9 | . 10 | * nsm_all_del_quick should check for root first 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_all_del_quick 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_all_del_quick 28 | 
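Review bot: `grep -v "^#"` in the servertab loop drops comment lines but not blank ones, so an empty line yields `--server-name=""` piped into `echo y | nsm_server_del`; how nsm_server_del treats an empty name is not on this page. Since the loop drives a destructive command non-interactively, filtering blanks is cheap: `for SERVER in $(grep -v '^#' /etc/nsm/servertab | grep -v '^[[:space:]]*$' | cut -f1); do`. The first `if [ -f /etc/nsm/sensortab ]` block ends inside the hunk but starts outside it.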
@@ -1,5 +1,8 @@ 29 | #!/bin/bash 30 | 31 | +# Check for root 32 | +[ "$(id -u)" -ne 0 ] && echo "This script must be run using sudo!" && exit 1 33 | + 34 | # First, stop all services 35 | service nsm stop 36 | 37 | -------------------------------------------------------------------------------- /debian/patches/nsm_sensor_add-needs-check_usergroup: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion4) precise; urgency=low 9 | . 10 | * updated bro cron job 11 | * fix bro node.cfg path 12 | Author: Doug Burks 13 | 14 | --- 15 | The information above should follow the Patch Tagging Guidelines, please 16 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 17 | are templates for supplementary fields that you might want to add: 18 | 19 | Origin: , 20 | Bug: 21 | Bug-Debian: http://bugs.debian.org/ 22 | Bug-Ubuntu: https://launchpad.net/bugs/ 23 | Forwarded: 24 | Reviewed-By: 25 | Last-Update: 26 | 27 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_add 28 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_add 29 | 
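Review bot: The new root check is an `&&` chain, so `exit 1` is only reached if the preceding echo succeeds, and the same check elsewhere in this series (the so-common body shown in the remove-old-files patch below) uses an `if ... fi` block. `if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!"; exit 1; fi` is the safer shape and keeps the two copies consistent.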
@@ -804,8 +804,14 @@ default pcap=pass 30 | EOF_SANCP 31 | 32 | # with all files created, enforce certain permissions 33 | -chown -R $SENSOR_USER:$SENSOR_GROUP "/nsm/sensor_data/$SENSOR_NAME" "/etc/nsm/$SENSOR_NAME" 34 | - 35 | +check_usergroup "${SERVER_USER}" "${SERVER_GROUP}" 36 | +if [ "$?" -ne "0" ] 37 | +then 38 | + echo_error_msg 1 "OOPS: The system user:group \"${SERVER_USER}:${SERVER_GROUP}\" does not exist!" 39 | + exit 1 40 | +else 41 | + chown -R $SENSOR_USER:$SENSOR_GROUP "/nsm/sensor_data/$SENSOR_NAME" "/etc/nsm/$SENSOR_NAME" 42 | +fi 43 | chmod 775 "/nsm/sensor_data/$SENSOR_NAME" "/nsm/sensor_data/$SENSOR_NAME/dailylogs" "/nsm/sensor_data/$SENSOR_NAME/portscans" "/nsm/sensor_data/$SENSOR_NAME/sancp" "/etc/nsm/$SENSOR_NAME" "/etc/nsm/$SENSOR_NAME/rules" 44 | 45 | # udpate sensortab 46 | -------------------------------------------------------------------------------- /debian/patches/nsm_sensor_backup-data-missing-leading-slash-in-directory-#931: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion134) trusty; urgency=medium 9 | . 10 | * nsm_sensor_backup-data missing leading slash in directory #931 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
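Review bot: The added check validates `${SERVER_USER}:${SERVER_GROUP}`, but the chown it guards applies `$SENSOR_USER:$SENSOR_GROUP`, so a missing sensor user or group is not caught and the error message names the wrong pair. Both the call and the message should use the sensor variables: `check_usergroup "${SENSOR_USER}" "${SENSOR_GROUP}"` and `echo_error_msg 1 "OOPS: The system user:group \"${SENSOR_USER}:${SENSOR_GROUP}\" does not exist!"`. Quoting the chown target, `chown -R "${SENSOR_USER}:${SENSOR_GROUP}" ...`, also stops an empty variable from collapsing to a bare `:` argument; the heredoc this hunk closes starts outside it.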
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_backup-data 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_backup-data 28 | 
@@ -201,7 +201,7 @@ then 29 | fi 30 | 31 | # create the tarball 32 | -tar -czf $BACKUP_FILE nsm/sensor_data/$SENSOR_NAME 33 | +tar -czf $BACKUP_FILE /nsm/sensor_data/$SENSOR_NAME 34 | if [ "$?" -ne 0 ] 35 | then 36 | echo_error_msg 1 "OOPS: Unable to create $BACKUP_FILE" 37 | -------------------------------------------------------------------------------- /debian/patches/nsm_sensor_clean:-redirect-grep-output-to-devnull: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion50) precise; urgency=low 9 | . 10 | * nsm_sensor_clean: redirect grep output to /dev/null 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_clean 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_clean 28 | 
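Review bot: The corrected tar line still leaves `$BACKUP_FILE` and `$SENSOR_NAME` unquoted, and if SENSOR_NAME is empty the archive silently captures all of /nsm/sensor_data instead of one sensor; whether SENSOR_NAME is validated earlier is outside the hunk. `tar -czf "$BACKUP_FILE" "/nsm/sensor_data/$SENSOR_NAME"` preceded by a `[ -n "$SENSOR_NAME" ]` check makes that case fail loudly. A comment next to the line, `# tar strips the leading / from member names, so restores extract relative to the cwd`, would also record the consequence of the character this patch adds.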
@@ -168,8 +168,8 @@ if [ -f $CONF ]; then 29 | # Source $CONF, overriding defaults 30 | . $CONF 31 | # If $CONF doesn't have these variables, add them 32 | - grep WARN_DISK_USAGE $CONF || echo "WARN_DISK_USAGE=80" >> $CONF 33 | - grep CRIT_DISK_USAGE $CONF || echo "CRIT_DISK_USAGE=90" >> $CONF 34 | + grep WARN_DISK_USAGE $CONF >/dev/null || echo "WARN_DISK_USAGE=80" >> $CONF 35 | + grep CRIT_DISK_USAGE $CONF >/dev/null || echo "CRIT_DISK_USAGE=90" >> $CONF 36 | fi 37 | 38 | # clean the files as appropriate 39 | -------------------------------------------------------------------------------- /debian/patches/nsm_server_user-list---only-show-enabled-users: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion136) trusty; urgency=medium 9 | . 10 | * nsm_server_user-list - only show enabled users 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_user-list 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_user-list 28 | 
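Review bot: `grep WARN_DISK_USAGE $CONF >/dev/null` matches the string anywhere on a line, so a commented-out `#WARN_DISK_USAGE=...` or a mention inside a comment counts as present and the default is never appended; the redirect this patch adds does not change that. `grep -q '^WARN_DISK_USAGE=' "$CONF" || echo "WARN_DISK_USAGE=80" >> "$CONF"` (and the same for CRIT_DISK_USAGE) both silences output idiomatically and anchors the match to an actual assignment. The enclosing `if [ -f $CONF ]` starts outside the hunk.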
@@ -49,7 +49,7 @@ else 29 | . /etc/nsm/${SERVER_NAME}/server.conf 30 | fi 31 | 32 | -mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select uid,username,email,last_login,tzoffset from user_info where username != "auto";' 33 | +mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select uid,username,email,last_login,tzoffset from user_info where username != "auto" and password != "LOCKED";' 34 | 35 | exit 0 36 | 37 | -------------------------------------------------------------------------------- /debian/patches/remove-"-m-112"-from-nsm_sensor_add: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion98) precise; urgency=low 9 | . 10 | * remove "-m 112" from nsm_sensor_add 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_add 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_add 28 | 
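Review bot: The added `and password != "LOCKED"` ties the listing to a literal sentinel stored in the password column; if disabled accounts are ever marked another way (the script that disables users is not on this page), they will still be listed as enabled. A comment above the query, `# Disabled accounts carry the literal LOCKED in the password column; keep in sync with the disable path`, records that coupling. The query authenticates with /etc/mysql/debian.cnf, so the script is root-only in practice; if there is no `id -u` check above (the top of the file is outside the hunk), adding one as other scripts in this series do would make that explicit.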
@@ -103,7 +103,7 @@ SENSOR_GROUP="sguil" 29 | SENSOR_LOG_DIR="/nsm/sensor_data" 30 | SENSOR_CONF_DIR="/etc/nsm" 31 | 32 | -SNORT_OPTIONS="-m 112" 33 | +SNORT_OPTIONS="" 34 | SANCP_OPTIONS="" 35 | BARNYARD2_OPTIONS="" 36 | PADS_OPTIONS="" 37 | -------------------------------------------------------------------------------- /debian/patches/remove-old-files: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion161) trusty; urgency=medium 9 | . 10 | * remove so-common since it already exists in securityonion-elastic package 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_all_del.bak 27 | +++ /dev/null 28 | 
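Review bot: Removing `-m 112` drops the umask Snort applied to the files it creates (unified2 output, perfmon stats), so their modes now come from the umask of whatever process starts Snort, which may be more permissive than before. The DEP-3 header gives no motivation, so a comment on the line, `# SNORT_OPTIONS: no -m umask; output file modes now follow the starting process's umask`, would record the intended outcome. If a specific mode is wanted, setting umask in the start script is the more explicit place for it.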
@@ -1,21 +0,0 @@ 29 | -#!/bin/bash 30 | - 31 | -echo "WARNING!" 32 | -echo "" 33 | -echo "Continuing will permanently delete all NSM sensors and the securityonion server!" 34 | -echo "" 35 | -echo "Press Ctrl-C to cancel." 36 | -echo "OR" 37 | -echo "Press Enter to continue." 38 | -read input 39 | - 40 | -service nsm stop 41 | - 42 | -for INTERFACE in `cat "/proc/net/dev" | egrep "eth[0-9]+" | awk '{print $1}' | cut -d\: -f1` 43 | -do 44 | - nsm_sensor_del --sensor-name="$INTERFACE" 45 | -done 46 | - 47 | -nsm_server_del --server-name="securityonion" 48 | - 49 | -rm -rf /var/*/nsm/* 50 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-common 51 | +++ /dev/null 52 | 
@@ -1,15 +0,0 @@ 53 | -#!/bin/bash 54 | - 55 | -# Check for prerequisites 56 | -if [ "$(id -u)" -ne 0 ]; then 57 | - echo "This script must be run using sudo!" 58 | - exit 1 59 | -fi 60 | - 61 | -# Define a banner to separate sections 62 | -banner="=========================================================================" 63 | - 64 | -header() { 65 | - echo 66 | - printf '%s\n' "$banner" "$*" "$banner" 67 | -} 68 | -------------------------------------------------------------------------------- /debian/patches/remove-service-nsm-reference: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion171) xenial; urgency=medium 9 | . 10 | * remove service nsm reference 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_all_del_quick 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_all_del_quick 28 | 
@@ -4,7 +4,7 @@ 29 | [ "$(id -u)" -ne 0 ] && echo "This script must be run using sudo!" && exit 1 30 | 31 | # First, stop all services 32 | -service nsm stop 33 | +/usr/sbin/so-stop 34 | 35 | # Delete all sensors 36 | if [ -f /etc/nsm/sensortab ]; then 37 | -------------------------------------------------------------------------------- /debian/patches/remove-so-common-since-it-already-exists-in-securityonion-elastic-package: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion161) trusty; urgency=medium 9 | . 10 | * remove so-common since it already exists in securityonion-elastic package 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-clear-backlog 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-clear-backlog 28 | 
@@ -1,15 +1,31 @@ 29 | #!/bin/bash 30 | -. /usr/sbin/so-common 31 | 32 | -. /etc/nsm/securityonion.conf 33 | +# Check for prerequisites 34 | +if [ "$(id -u)" -ne 0 ]; then 35 | + echo "This script must be run using sudo!" 36 | + exit 1 37 | +fi 38 | + 39 | +# Define a banner to separate sections 40 | +banner="=========================================================================" 41 | + 42 | +header() { 43 | + echo 44 | + printf '%s\n' "$banner" "$*" "$banner" 45 | +} 46 | 47 | -if [ -d /nsm/sensor_data ]; then 48 | - : 49 | -else 50 | +if ! [ -d /nsm/sensor_data ]; then 51 | echo "Not a sensor! Exiting..." 52 | exit 1; 53 | fi 54 | 55 | +CONF="/etc/nsm/securityonion.conf" 56 | +if ! [ -f $CONF ]; then 57 | + echo "$CONF not found! Exiting..." 58 | + exit 1; 59 | +fi 60 | +. $CONF 61 | + 62 | SKIP=0 63 | 64 | ######################################### 65 | -------------------------------------------------------------------------------- /debian/patches/replace-sguil:sguil-with-$SENSOR_USER:$SENSOR_GROUP: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion39) precise; urgency=low 9 | . 10 | * replace sguil:sguil with $SENSOR_USER:$SENSOR_GROUP 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
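Review bot: The new guard before `. $CONF` only checks that the file exists; it is then sourced as root (the script exits unless `id -u` is 0), so anyone who can write /etc/nsm/securityonion.conf can run commands with root privileges. A check that the file is root-owned and not writable by others (e.g. via `stat -c '%U %a' "$CONF"`) before sourcing, or at minimum a comment `# Sourced as root: this file must stay root-owned and not group/world-writable`, makes that assumption visible. The inlined root check, banner and `header()` are the so-common body deleted in the remove-old-files patch above, so the two copies can now drift; a comment noting their origin would help the next maintainer.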
Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start 28 | @@ -438,7 +438,7 @@ do 29 | PERFMON=$SENSOR_LOG_DIR/snort-$i.stats 30 | UNI_DIR=$SENSOR_LOG_DIR/snort-$i 31 | mkdir -p $UNI_DIR 32 | - chown sguil:sguil $UNI_DIR 33 | + chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR 34 | [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" 35 | done 36 | fi 37 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 38 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 39 | 
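Review bot: `chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR` replaces the hard-coded sguil:sguil but leaves both variables unquoted and unchecked; if either is empty the argument degrades to `:group`, `user:` or a bare `:`, and the directory ends up owned differently from the Snort process started on the next line with `-u $SENSOR_USER -g $SENSOR_GROUP`. Quoting, `chown "$SENSOR_USER:$SENSOR_GROUP" "$UNI_DIR"`, plus a single `check_usergroup "$SENSOR_USER" "$SENSOR_GROUP"` before the loop (whose `do` starts outside the hunk) would catch that. The identical line appears in the nsm_sensor_ps-restart hunk that follows.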
@@ -444,7 +444,7 @@ do 40 | PERFMON=$SENSOR_LOG_DIR/snort-$i.stats 41 | UNI_DIR=$SENSOR_LOG_DIR/snort-$i 42 | mkdir -p $UNI_DIR 43 | - chown sguil:sguil $UNI_DIR 44 | + chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR 45 | [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" 46 | done 47 | fi 48 | -------------------------------------------------------------------------------- /debian/patches/restart-sshd: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion75) precise; urgency=low 9 | . 10 | * restart sshd 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_configure_sshd 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_configure_sshd 28 | 
@@ -25,9 +25,9 @@ restart_sshd () 29 | { 30 | # Check to see if sshd is running 31 | if pgrep -lf /usr/sbin/sshd >/dev/null 2>&1; then 32 | - # If sshd is running, then reload config 33 | - echo " * Reloading ssh daemon" 34 | - service ssh reload 35 | + # If sshd is running, then restart it 36 | + echo " * Restarting ssh daemon" 37 | + service ssh restart 38 | fi 39 | } 40 | 41 | 
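Review bot: Changing restart_sshd from `service ssh reload` to `service ssh restart` means a broken sshd_config now leaves sshd down, whereas a failed reload left the running daemon serving. Validating first, `/usr/sbin/sshd -t || { echo " * sshd_config failed validation, not restarting"; return 1; }`, makes the sed edit in the ClientAliveInterval hunk below safe to run over a remote session. The `pgrep -lf /usr/sbin/sshd` test also matches any process whose command line merely contains that path; `pgrep -x sshd` is the tighter check.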
@@ -46,6 +46,7 @@ fi 42 | 43 | # if sshd_config has the old ClientAliveInterval setting, update it and restart sshd 44 | if grep "ClientAliveInterval 60" $SSHD_CONFIG >/dev/null 2>&1; then 45 | + echo " * Updating ClientAlive settings in $SSHD_CONFIG" 46 | sed -i 's|ClientAliveInterval 60|ClientAliveInterval 30|g' $SSHD_CONFIG 47 | restart_sshd 48 | fi 49 | -------------------------------------------------------------------------------- /debian/patches/run-bro-cron-job-as-root: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion17) precise; urgency=low 9 | . 10 | * run Bro cron job as root 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/bro 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/bro 28 | 
@@ -5,4 +5,4 @@ 29 | SHELL=/bin/sh 30 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 31 | 32 | -0-59/5 * * * * sguil /opt/bro/bin/broctl cron 33 | +0-59/5 * * * * root /opt/bro/bin/broctl cron 34 | -------------------------------------------------------------------------------- /debian/patches/sguild-add-user-and-sguild-changepasswd-are-now-in-usrsbin: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion153) trusty; urgency=medium 9 | . 10 | * sguild-add-user and sguild-changepasswd are now in /usr/sbin/ 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_user-add 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_user-add 28 | 
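Review bot: Moving the five-minute `broctl cron` job from sguil to root raises its privilege, and neither the crontab nor the DEP-3 header says what needs root. A comment on the line, `# runs as root because: <reason>`, would let a maintainer return it to an unprivileged account once that need is gone; the so-zeek-cron hunk earlier on this page already runs the equivalent `zeekctl cron` under `su ${BRO_USER}`, which suggests the root requirement was later dropped.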
@@ -183,7 +183,7 @@ prompt_user_yesno "Add User to Server" " 29 | echo_msg 0 "Adding user: ${USER_NAME}" 30 | 31 | # add client user details 32 | -/usr/bin/sguild-add-user "${USER_NAME}" "${USER_PASS}" >/dev/null 2>&1 33 | +/usr/sbin/sguild-add-user "${USER_NAME}" "${USER_PASS}" >/dev/null 2>&1 34 | if [ "${?}" -ne 0 ] 35 | then 36 | echo_error_msg 1 "user could not be added!" 37 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_server_user-passwd 38 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_server_user-passwd 39 | 
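Review bot: The corrected path still passes `${USER_PASS}` to sguild-add-user as a command-line argument, where any local user can read it from the process list for as long as the command runs; the same applies to sguild-changepasswd in the nsm_server_user-passwd hunk that follows. If sguild-add-user can take the password on stdin (its interface is not on this page), `printf '%s\n' "${USER_PASS}" | /usr/sbin/sguild-add-user "${USER_NAME}" >/dev/null 2>&1` keeps it out of argv. The surrounding prompt_user_yesno block starts outside the hunk.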
@@ -183,7 +183,7 @@ prompt_user_yesno "Change User Password" 40 | echo_msg 0 "Changing password for: ${USER_NAME} => ${SERVER_NAME}" 41 | 42 | # add client user details 43 | -/usr/bin/sguild-changepasswd "${USER_NAME}" "${USER_PASS}" >/dev/null 2>&1 44 | +/usr/sbin/sguild-changepasswd "${USER_NAME}" "${USER_PASS}" >/dev/null 2>&1 45 | if [ "${?}" -ne 0 ] 46 | then 47 | echo_error_msg 1 "password could not be changed!" 48 | -------------------------------------------------------------------------------- /debian/patches/sleep-for-60-seconds-before-trying-to-ssh-to-server: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion38) precise; urgency=low 9 | . 10 | * sleep for 60 seconds before trying to start ssh tunnel to master 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/init/securityonion.conf 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/init/securityonion.conf 28 | 
@@ -13,6 +13,10 @@ script 29 | SSH_CONF="$SSH_DIR/securityonion_ssh.conf" 30 | if [ -f $SSH_CONF ] 31 | then 32 | + # Some folks are having problems with link negotiation taking too long 33 | + # and the tunnel failing to come up. 34 | + # This is a quick and dirty fix until we come up with a better solution. 35 | + sleep 60 36 | # Establish persistent SSH tunnel to MASTER. 37 | KEY="$SSH_DIR/securityonion" 38 | # Upstart uses sh instead of bash so we can't use "source" 39 | -------------------------------------------------------------------------------- /debian/patches/so-snorby-wipe---add-sudo-to-example-shred-command: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion97) precise; urgency=low 9 | . 10 | * so-snorby-wipe - add sudo to example shred command 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-snorby-wipe 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-snorby-wipe 28 | 
@@ -72,5 +72,5 @@ echo "================================== 29 | echo "Snorby database backup can be found at $BACKUP." 30 | echo "If you're able to login to Snorby and everything works properly," 31 | echo "then you'll probably want to shred this file:" 32 | -echo "shred -u $BACKUP" 33 | +echo "sudo shred -u $BACKUP" 34 | echo "====================================================================" 35 | -------------------------------------------------------------------------------- /debian/patches/so-user-add:-improper-confirmation-of-password-should-throw-an-error-#1271: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion177) xenial; urgency=medium 9 | . 10 | * so-user-add: improper confirmation of password should throw an error #1271 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/lib/nsmnow/lib-nsm-common-utils 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/lib/nsmnow/lib-nsm-common-utils 28 | 
@@ -764,6 +764,8 @@ prompt_user_password() 29 | PROMPT_RET=$ANS 30 | elif [ -z "${PROMPT_RET}" ] 31 | then 32 | + echo 33 | + echo "Provided answers do not match!" 34 | return 1 35 | fi 36 | ;; 37 | -------------------------------------------------------------------------------- /debian/patches/standardize-error-message-in-nsm_sensor_clean: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion148) trusty; urgency=medium 9 | . 10 | * standardize error message in nsm_sensor_clean 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_clean 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_clean 28 | 
@@ -120,7 +120,7 @@ fi 29 | # check to see if we're already running 30 | for pid in $(pidof -x nsm_sensor_clean); do 31 | if [ $pid != $$ ]; then 32 | - echo "[$(date)] : nsm_sensor_clean : Process is already running with PID $pid" 33 | + echo_error_msg 0 "Process is already running with PID $pid" 34 | exit 1 35 | fi 36 | done 37 | -------------------------------------------------------------------------------- /debian/patches/strip-comments-from-bpf.conf-for-PRADS: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion24) precise; urgency=low 9 | . 10 | * strip comments from bpf.conf for PRADS 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start 28 | 
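Review bot: The single-instance guard that the changed message belongs to is still racy: this script is launched every minute by /etc/cron.d/sensor-clean, and two copies started close together can each see the other's PID and both exit, or both pass the `pidof -x` scan before either is visible, so the check does not actually guarantee exclusivity. A kernel lock is atomic and released automatically when the process dies: `exec 9>/var/lock/nsm_sensor_clean.lock` followed by `flock -n 9 || { echo_error_msg 0 "Process is already running"; exit 1; }`. The `$pid != $$` comparison is also unquoted; harmless because pidof prints integers, but `"$pid"` costs nothing.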
@@ -444,7 +444,7 @@ do 29 | # start prads 30 | # If the user supplies a BPF, use theirs; otherwise, exclude IPv6 31 | if [ -s /etc/nsm/$SENSOR/bpf-prads.conf ]; then 32 | - BPF=`cat /etc/nsm/$SENSOR/bpf-prads.conf` 33 | + BPF=`grep -v "^#" /etc/nsm/$SENSOR/bpf-prads.conf` 34 | else 35 | # By default, we need to exclude IPv6 traffic from prads since Sguil doesn't grok it (yet) 36 | BPF="ip or (vlan and ip)" 37 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 38 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 39 | 
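Review bot: The `-s` test still looks at the raw file, so a bpf-prads.conf that contains only comment lines passes the guard and leaves BPF empty instead of falling through to the IPv6-excluding default on the else branch. Move the test onto the stripped result: `if BPF=$(grep -v "^#" /etc/nsm/$SENSOR/bpf-prads.conf 2>/dev/null) && [ -n "$BPF" ]; then` and drop the assignment inside the branch. Note that `grep -v "^#"` removes only whole-line comments and keeps a multi-line filter joined by newlines; whether PRADS accepts that depends on the quoting at the call site, which is outside this hunk.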
@@ -444,7 +444,7 @@ do 40 | # restart prads 41 | # If the user supplies a BPF, use theirs; otherwise, exclude IPv6 42 | if [ -s /etc/nsm/$SENSOR/bpf-prads.conf ]; then 43 | - BPF=`cat /etc/nsm/$SENSOR/bpf-prads.conf` 44 | + BPF=`grep -v "^#" /etc/nsm/$SENSOR/bpf-prads.conf` 45 | else 46 | # By default, we need to exclude IPv6 traffic from prads since Sguil doesn't grok it (yet) 47 | BPF="ip or (vlan and ip)" 48 | -------------------------------------------------------------------------------- /debian/patches/update-comment: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion216) xenial; urgency=medium 9 | . 10 | * update comment 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 28 | 
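Review bot: Same gap as in nsm_sensor_ps-start: `[ -s ... ]` is evaluated on the unfiltered file, so a config holding nothing but comments yields an empty BPF rather than the `ip or (vlan and ip)` default, and PRADS is then started with an empty filter. Test the filtered content instead, e.g. `if BPF=$(grep -v "^#" /etc/nsm/$SENSOR/bpf-prads.conf 2>/dev/null) && [ -n "$BPF" ]; then`, and remove the redundant assignment in the branch body. The surrounding loop iteration continues past the end of this hunk.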
@@ -413,7 +413,7 @@ if [ "$BRO_ENABLED" == "yes" ] && [ -z " 29 | setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/zeek 30 | setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/capstats 31 | 32 | - # update Dir settings if Bro 2.4 was a fresh installation 33 | + # move SpoolDir and LogDir to /nsm 34 | sed -i 's|SpoolDir = /opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/zeekctl.cfg 35 | sed -i 's|LogDir = /opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/zeekctl.cfg 36 | 37 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start 38 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start 39 | 
@@ -408,7 +408,7 @@ if [ "$BRO_ENABLED" == "yes" ] && [ -z " 40 | setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/zeek 41 | setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/capstats 42 | 43 | - # update Dir settings if Bro 2.4 was a fresh installation 44 | + # move SpoolDir and LogDir to /nsm 45 | sed -i 's|SpoolDir = /opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/zeekctl.cfg 46 | sed -i 's|LogDir = /opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/zeekctl.cfg 47 | 48 | -------------------------------------------------------------------------------- /debian/patches/update-copyright: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion214) xenial; urgency=medium 9 | . 10 | * update copyright 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_clean 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_clean 28 | 
@@ -1,6 +1,7 @@ 29 | #!/bin/bash 30 | # 31 | -# Copyright (C) 2011-2018 Doug Burks and Security Onion Solutions, LLC 32 | +# Copyright (C) 2011,2012,2013,2014 Doug Burks 33 | +# Copyright (C) 2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 34 | # 35 | # This program is free software; you can redistribute it and/or modify 36 | # it under the terms of the GNU General Public License Version 2 as 37 | -------------------------------------------------------------------------------- /debian/patches/update-copyright-date-in-nsm_sensor_clean: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion149) trusty; urgency=medium 9 | . 10 | * update copyright date in nsm_sensor_clean 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_clean 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_clean 28 | 
@@ -1,6 +1,6 @@ 29 | #!/bin/bash 30 | # 31 | -# Copyright (C) 2011 Doug Burks and Security Onion 32 | +# Copyright (C) 2011-2016 Doug Burks and Security Onion 33 | # 34 | # This program is free software; you can redistribute it and/or modify 35 | # it under the terms of the GNU General Public License Version 2 as 36 | @@ -18,13 +18,6 @@ 37 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 38 | # 39 | 40 | -# Version: 41 | -# 20111229 42 | - 43 | -# Changelog: 44 | -# 20111214 - Initial version 45 | -# 20111229 - Add date to output 46 | - 47 | # 48 | # INCLUDES 49 | # 50 | -------------------------------------------------------------------------------- /debian/patches/update-so-zeek-cron-to-avoid-running-on-boxes-with-no-sensors: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion222) xenial; urgency=medium 9 | . 10 | * update so-zeek-cron to avoid running on boxes with no sensors 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: https://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/so-zeek-cron 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/so-zeek-cron 28 | 
@@ -47,5 +47,9 @@ if ! [ -x /opt/bro/bin/zeekctl ]; then 29 | exit 0 30 | fi 31 | 32 | +if ! grep -qv "^#" /etc/nsm/sensortab; then 33 | + exit 0 34 | +fi 35 | + 36 | # Run "zeekctl cron" as Bro user 37 | su ${BRO_USER} -c '/opt/bro/bin/zeekctl cron 2>&1 | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "import BroControl.plugin" | grep -v "^$" ' 38 | -------------------------------------------------------------------------------- /debian/patches/update-systemd-script: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion169) xenial; urgency=medium 9 | . 10 | * update systemd script 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/systemd/system/securityonion.service 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/systemd/system/securityonion.service 28 | 
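Review bot: `grep -qv "^#"` counts any line that does not begin with `#` as a sensor, so a sensortab holding only comments and blank lines still reaches the `su ${BRO_USER} -c` line, and if the file is missing grep writes an error into so-zeek-cron.log before the script exits. Tighten the guard to `if ! grep -qvE '^[[:space:]]*(#|$)' /etc/nsm/sensortab 2>/dev/null; then`, which matches how blank and comment lines are usually ignored in these tab files. BRO_USER is loaded before this hunk, so I can't see whether it is validated before being passed to su.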
@@ -4,7 +4,7 @@ After=network.target 29 | 30 | [Service] 31 | Type=forking 32 | -ExecStart=/usr/sbin/so-start 33 | +ExecStart=/usr/sbin/so-boot 34 | Restart=on-abort 35 | 36 | [Install] 37 | -------------------------------------------------------------------------------- /debian/patches/updated-bro-cron-job: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion4) precise; urgency=low 9 | . 10 | * updated bro cron job 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/etc/cron.d/bro 27 | +++ securityonion-nsmnow-admin-scripts-20120724/etc/cron.d/bro 28 | 
@@ -5,4 +5,4 @@ 29 | SHELL=/bin/sh 30 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 31 | 32 | -0-59/5 * * * * root /usr/bin/broctl cron 33 | +0-59/5 * * * * root /opt/bro/bin/broctl cron 34 | -------------------------------------------------------------------------------- /debian/patches/when-configuring-Squert,-run-securityonion_update.sh-as-well: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion165) trusty; urgency=medium 9 | . 10 | * when configuring Squert, run securityonion_update.sh as well 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/lib/nsmnow/lib-nsm-server-utils 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/lib/nsmnow/lib-nsm-server-utils 28 | 
@@ -608,6 +608,9 @@ EOF_SGUIL_DB 29 | mysql -N -B --user=root -e "GRANT UPDATE on securityonion_db.user_info TO 'readonly'@'localhost';" 30 | mysql -N -B --user=root -e "GRANT INSERT,UPDATE ON securityonion_db.object_mappings TO 'readonly'@'localhost';" 31 | 32 | + # Additional perms in securityonion_update.sql 33 | + bash /var/www/so/squert/.scripts/securityonion_update.sh 34 | + 35 | # Allow pivoting from Squert to ELSA 36 | bash /var/www/so/squert/.scripts/securityonion_create_elsa_link.sh 37 | 38 | -------------------------------------------------------------------------------- /debian/patches/wipe-stats.log-if-doing-a-full-restart-of-Suricata,-but-not-if-we're-just-doing-the-watchdog-check-for-stale-processes: -------------------------------------------------------------------------------- 1 | Description: 2 | TODO: Put a short summary on the line above and replace this paragraph 3 | with a longer explanation of this change. Complete the meta-information 4 | with other relevant fields (see below for details). To make it easier, the 5 | information below has been extracted from the changelog. Adjust it or drop 6 | it. 7 | . 8 | securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion140) trusty; urgency=medium 9 | . 10 | * wipe stats.log if doing a full restart of Suricata, but not if we're just doing the watchdog check for stale processes 11 | Author: Doug Burks 12 | 13 | --- 14 | The information above should follow the Patch Tagging Guidelines, please 15 | checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here 16 | are templates for supplementary fields that you might want to add: 17 | 18 | Origin: , 19 | Bug: 20 | Bug-Debian: http://bugs.debian.org/ 21 | Bug-Ubuntu: https://launchpad.net/bugs/ 22 | Forwarded: 23 | Reviewed-By: 24 | Last-Update: 25 | 26 | --- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart 27 | +++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart 28 | 
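Review bot: The comment names `securityonion_update.sql` but the command runs `securityonion_update.sh`, and the script is executed unconditionally with the privileges of this configure step, with no existence check and no exit-status check. Because the file lives under the web document root, confirm that /var/www/so/squert/.scripts is root-owned and not writable by the web-server account; if it is writable, this line turns a web-root write into code execution as the caller. At minimum guard it, `if [ -f /var/www/so/squert/.scripts/securityonion_update.sh ]; then bash /var/www/so/squert/.scripts/securityonion_update.sh; fi`, and make the comment match the filename. The function this sits in begins before the hunk.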
@@ -523,8 +523,8 @@ do 29 | # copy IDS_LB_PROCS from sensor.conf 30 | IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` 31 | sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml 32 | - # wipe stats.log 33 | - rm -f /nsm/sensor_data/$SENSOR/stats.log 34 | + # wipe stats.log if doing a full restart of Suricata, but not if we're just doing the watchdog check for stale processes 35 | + [ "$ACTION" == "process_restart" ] && rm -f /nsm/sensor_data/$SENSOR/stats.log 36 | # start Suricata 37 | [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" 38 | else 39 | -------------------------------------------------------------------------------- /debian/postinst: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | case "$1" in 6 | configure) 7 | 8 | # Configure sshd to check status of ssh connections 9 | if [ -f /usr/sbin/nsm_server_configure_sshd ]; then 10 | chmod +x /usr/sbin/nsm_server_configure_sshd 11 | /usr/sbin/nsm_server_configure_sshd || echo "Error running nsm_server_configure_sshd." 12 | fi 13 | 14 | # Avoid checking for new versions of Ubuntu 15 | FILE="/etc/update-manager/release-upgrades" 16 | [ -f $FILE ] && sed -i 's|^Prompt=.*$|Prompt=never|g' $FILE || echo "Unable to access $FILE." 17 | FILE="/var/lib/update-notifier/release-upgrade-available" 18 | [ -f $FILE ] && rm -f $FILE 19 | 20 | # Make scripts executable 21 | chmod +x /usr/sbin/so-zeek-cron /usr/sbin/broctl /usr/sbin/so-clear-backlog /usr/sbin/so-sensor-backup-config /usr/sbin/so-server-backup-config /usr/sbin/so-nsm-watchdog /usr/sbin/so-nsm-common || echo "Error making scripts executable." 
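Review bot: The wipe targets /nsm/sensor_data/$SENSOR/stats.log while Suricata is started two lines later with `-l $SENSOR_LOG_DIR` as `--user $SENSOR_USER`; if those paths differ the wrong file is removed, and even when they match an `rm` forces Suricata to recreate the file, so its ownership then depends on when Suricata drops privileges. Truncating an existing file keeps its owner and mode: `[ "$ACTION" == "process_restart" ] && [ -f "$SENSOR_LOG_DIR/stats.log" ] && : > "$SENSOR_LOG_DIR/stats.log"`. Separately, `grep IDS_LB_PROCS` on sensor.conf is unanchored, so a commented-out `#IDS_LB_PROCS=` line would also be picked up and spliced into suricata.yaml; `grep "^IDS_LB_PROCS="` is safer. The enclosing loop body continues outside this hunk.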
22 | 23 | # create log directory so cron scripts don't complain 24 | DIR="/var/log/nsm" 25 | [ -d $DIR ] || mkdir -p $DIR 26 | 27 | # update Squert database permissions if necessary 28 | if [ -d /var/lib/mysql/securityonion_db ] ; then 29 | mysql --defaults-file=/etc/mysql/debian.cnf -N -B -e "GRANT INSERT,UPDATE ON securityonion_db.object_mappings TO 'readonly'@'localhost';" || echo "Error updating permissions on Squert object_mappings." 30 | fi 31 | 32 | # clean up old cron jobs if they exist 33 | for FILE in /etc/cron.d/sensor-backup-config /etc/cron.d/server-backup-config /etc/cron.d/bro; do 34 | if [ -f $FILE ]; then 35 | echo "Removing old cron job ${FILE}" 36 | rm ${FILE} || echo "Error removing ${FILE}" 37 | fi 38 | done 39 | 40 | ;; 41 | 42 | abort-upgrade|abort-remove|abort-deconfigure) 43 | ;; 44 | 45 | 46 | *) 47 | echo "postinst called with unknown argument \`$1'" >&2 48 | exit 1 49 | ;; 50 | esac 51 | 52 | # dh_installdeb will replace this with shell code automatically 53 | # generated by other debhelper scripts. 54 | 55 | #DEBHELPER# 56 | 57 | exit 0 58 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | # -*- makefile -*- 3 | # Sample debian/rules that uses debhelper. 4 | # This file was originally written by Joey Hess and Craig Small. 5 | # As a special exception, when this file is copied by dh-make into a 6 | # dh-make output file, you may use that output file without restriction. 7 | # This special exception was added by Craig Small in version 0.37 of dh-make. 8 | 9 | # Uncomment this to turn on verbose mode. 
10 | #export DH_VERBOSE=1 11 | 12 | %: 13 | dh $@ 14 | -------------------------------------------------------------------------------- /debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /etc/cron.d/netsniff-sync: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/netsniff-sync 2 | # 3 | # crontab entry to ensure netsniff-ng is recording with the correct date 4 | 5 | SHELL=/bin/sh 6 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 7 | 8 | * * * * * root /usr/sbin/so-netsniff-ng-cron > /dev/null 2>&1 9 | -------------------------------------------------------------------------------- /etc/cron.d/nsm-watchdog: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/nsm-watchdog 2 | # 3 | # crontab entry to restart processes if they fail 4 | 5 | SHELL=/bin/sh 6 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 7 | 8 | 4,9,14,19,24,29,34,39,44,49,54,59 * * * * root /usr/sbin/so-nsm-watchdog >> /var/log/nsm/watchdog.log 2>&1 9 | -------------------------------------------------------------------------------- /etc/cron.d/sensor-clean: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/sensor-clean 2 | # 3 | # crontab entry to keep disk from filling up 4 | 5 | SHELL=/bin/sh 6 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 7 | 8 | * * * * * root /usr/sbin/nsm_sensor_clean -y >> /var/log/nsm/sensor-clean.log 2>&1 9 | -------------------------------------------------------------------------------- /etc/cron.d/sensor-newday: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/sensor-newday 2 | # 3 | # crontab entry to restart sensor processes 4 | 5 | SHELL=/bin/sh 6 | 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 7 | 8 | 00 0 * * * root /usr/sbin/nsm_sensor_ps-daily-restart 9 | 01 0 * * * root /etc/init.d/syslog-ng restart >/dev/null 2>&1 10 | 10 0 * * * root /etc/init.d/syslog-ng restart >/dev/null 2>&1 11 | 00 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-sancp-agent >/dev/null 12 | 01 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-http-agent >/dev/null 13 | 02 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-ossec-agent >/dev/null 14 | 03 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-pads-agent >/dev/null 15 | 04 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-pcap-agent >/dev/null 16 | 05 12 * * * root /usr/sbin/nsm_sensor_ps-restart --only-snort-agent >/dev/null 17 | -------------------------------------------------------------------------------- /etc/cron.d/so-sensor-backup-config: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/so-sensor-backup-config 2 | # 3 | # crontab entry to backup sensor config 4 | SHELL=/bin/bash 5 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 6 | 0 1 * * * root /usr/sbin/so-sensor-backup-config >> /var/log/nsm/so-sensor-backup-config.log 2>&1 7 | -------------------------------------------------------------------------------- /etc/cron.d/so-server-backup-config: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/so-server-backup-config 2 | # 3 | # crontab entry to backup server config 4 | SHELL=/bin/sh 5 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 6 | 0 1 * * * root /usr/sbin/so-server-backup-config >> /var/log/nsm/so-server-backup-config.log 2>&1 7 | -------------------------------------------------------------------------------- /etc/cron.d/zeek: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/zeek 2 | # 3 | # crontab entry to monitor Zeek processes 4 | 5 
| SHELL=/bin/sh 6 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 7 | 8 | 0-59/5 * * * * root /usr/sbin/so-zeek-cron >> /var/log/nsm/so-zeek-cron.log 2>&1 9 | -------------------------------------------------------------------------------- /etc/nsm/administration.conf: -------------------------------------------------------------------------------- 1 | NSM_LIB_DIR="/usr/lib/nsmnow" 2 | NSM_GENERAL_LIB_DIR="/usr/lib" 3 | NSM_GENERAL_BIN_DIR="/usr/bin" 4 | NSM_GENERAL_SBIN_DIR="/usr/sbin" 5 | NSM_GENERAL_ETC_DIR="/etc" 6 | NSM_GENERAL_INIT_DIR="/etc/init.d" 7 | NSM_GENERAL_CRON_DIR="/etc/cron.d" 8 | SNORT_LIB_DIR="/usr/lib" 9 | -------------------------------------------------------------------------------- /etc/nsm/templates/init/securityonion.conf: -------------------------------------------------------------------------------- 1 | # 2 | #/etc/init/securityonion.conf 3 | # 4 | description "Security Onion" 5 | start on (net-device-up 6 | and remote-filesystems 7 | and runlevel [2345]) 8 | stop on runlevel [016] 9 | script 10 | # Some folks are having problems with link negotiation taking too long and the tunnel failing to come up. 11 | # This is a quick and dirty fix until we come up with a better solution. 12 | # If starting the securityonion services at boot-time, sleep for 60 seconds to allow link to negotiate. 13 | # If running Setup, we don't need to pause as the link should have already been negotiated. 
14 | pgrep sosetup >/dev/null || sleep 60 15 | 16 | # If this is a sensor, start autossh tunnel 17 | /usr/sbin/so-autossh-start 18 | 19 | # Snorby has been removed, so if any barnyard2.conf files have the snorby output enabled, we should disable it 20 | if grep "^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1" /etc/nsm/*/barnyard2*.conf >/dev/null 2>&1; then 21 | sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf 22 | fi 23 | 24 | # Start services 25 | /usr/sbin/so-start 26 | 27 | end script 28 | -------------------------------------------------------------------------------- /etc/sysctl.d/10-securityonion.conf: -------------------------------------------------------------------------------- 1 | net.core.rmem_default = 16777216 2 | net.core.wmem_default = 16777216 3 | net.core.rmem_max = 16777216 4 | net.core.wmem_max = 16777216 5 | net.ipv4.tcp_rmem = 1048576 4194304 16777216 6 | net.ipv4.tcp_wmem = 1048576 4194304 16777216 7 | net.core.netdev_max_backlog = 250000 8 | net.core.bpf_jit_enable = 1 9 | net.core.optmem_max = 16777216 10 | -------------------------------------------------------------------------------- /etc/systemd/system/securityonion.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Security Onion Service 3 | After=network-online.target 4 | Wants=network-online.target 5 | 6 | [Service] 7 | Type=forking 8 | ExecStart=/usr/sbin/so-boot 9 | Restart=on-abort 10 | TimeoutStartSec=600 11 | 12 | [Install] 13 | WantedBy=multi-user.target 14 | -------------------------------------------------------------------------------- /usr/sbin/broctl: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 4 | # 5 | # This 
program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | # Ensure we're running as root 19 | if [ "$(id -u)" != 0 ]; then 20 | echo "ERROR: This script must run as root. Hint..." 1>&2 21 | echo " sudo $0 $@" 1>&2 22 | exit 1 23 | fi 24 | 25 | # /etc/nsm/securityonion.conf defines the limited user that we use for starting zeekctl 26 | SO_CONF="/etc/nsm/securityonion.conf" 27 | 28 | # Add new Bro entries to SO_CONF if necessary 29 | if ! grep BRO_USER $SO_CONF >/dev/null; then 30 | echo >> $SO_CONF 31 | echo "# BRO_USER specifies the user account used to start Bro." >> $SO_CONF 32 | echo "BRO_USER=sguil" >> $SO_CONF 33 | echo "BRO_GROUP=sguil" >> $SO_CONF 34 | fi 35 | 36 | # load in user config 37 | . $SO_CONF 38 | 39 | # Run "zeekctl" as Bro user and pass along arguments if necessary 40 | if [ $# -eq 0 ]; then 41 | 42 | # No arguments were passed, so just run zeekctl interactively 43 | su $BRO_USER -c "/opt/bro/bin/zeekctl" 44 | 45 | else 46 | 47 | # Arguments were passed, so pass those arguments to zeekctl and try to clean up the output 48 | su $BRO_USER -c "/opt/bro/bin/zeekctl $@" 2>&1 | grep -v "warning: new .* version detected" | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. 
Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'" | grep -v "^$" | grep -v "^Warning: Plugin 'af_packet' uses deprecated method 'broctl_config'; use 'zeekctl_config' instead$" 49 | 50 | fi 51 | -------------------------------------------------------------------------------- /usr/sbin/nsm_all_del: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "WARNING!" 4 | echo "" 5 | echo "Continuing will permanently delete all NSM configuration and data!" 6 | echo "" 7 | echo "Press Ctrl-C to cancel." 8 | echo "OR" 9 | echo "Press Enter to continue." 10 | read input 11 | 12 | /usr/sbin/nsm_all_del_quick 13 | -------------------------------------------------------------------------------- /usr/sbin/nsm_all_del_quick: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Check for root 4 | [ "$(id -u)" -ne 0 ] && echo "This script must be run using sudo!" && exit 1 5 | 6 | # First, stop all services 7 | /usr/sbin/so-stop 8 | 9 | # Delete all sensors 10 | if [ -f /etc/nsm/sensortab ]; then 11 | for INTERFACE in `cat "/etc/nsm/sensortab" | grep -v "^#" |cut -f1`; do 12 | echo y | nsm_sensor_del --sensor-name="$INTERFACE" 13 | done 14 | fi 15 | 16 | # Delete all servers (should only be one) 17 | if [ -f /etc/nsm/servertab ]; then 18 | for SERVER in `cat "/etc/nsm/servertab" | grep -v "^#" |cut -f1`; do 19 | echo y | nsm_server_del --server-name="$SERVER" 20 | done 21 | fi 22 | 23 | # Remove old Bro logs 24 | rm -rf /nsm/bro/logs/* 25 | 26 | # Remove old Bro extracted files 27 | rm -rf /nsm/bro/extracted/* 28 | 29 | # Remove old log files 30 | rm -rf /var/*/nsm/* 31 | -------------------------------------------------------------------------------- /usr/sbin/nsm_sensor_ps-daily-restart: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 
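Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

. /usr/sbin/so-nsm-common

# Define initial variables
SENSORTAB="/etc/nsm/sensortab"
NUM_INTERFACES=$(grep -v "#" ${SENSORTAB} 2>/dev/null | wc -l)

# If there are no sensor interfaces enabled, then exit
if [ ${NUM_INTERFACES} -eq 0 ]; then
	exit 1
fi

sleep 1

date >> /var/log/nsm/sensor-newday-argus.log
/usr/sbin/nsm --sensor --restart --only-argus >> /var/log/nsm/sensor-newday-argus.log

date >> /var/log/nsm/sensor-newday-http-agent.log
/usr/sbin/nsm --sensor --restart --only-http-agent >> /var/log/nsm/sensor-newday-http-agent.log

sleep 1

date >> /var/log/nsm/sensor-newday-pcap.log
/usr/sbin/nsm --sensor --restart --only-pcap >> /var/log/nsm/sensor-newday-pcap.log
--------------------------------------------------------------------------------
/usr/sbin/nsm_server_configure_sshd:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
# Purpose: make sure sshd_config carries the ClientAlive settings the
# autossh tunnels depend on, inserting them (once) and restarting sshd
# only when the resulting config passes sshd's own syntax check.

############
# Variables
############
SSHD_CONFIG="/etc/ssh/sshd_config"

############
# Functions
############

# has_active_directive NAME
# Returns 0 if NAME is present as an *active* (uncommented) directive in
# sshd_config.  The check is anchored to the start of the line on purpose:
# a bare `grep "ClientAliveInterval "` also matches commented-out lines such
# as the "#ClientAliveInterval 0" default that stock sshd_config files ship
# with, which made update_sshd believe the directive was already set and
# skip inserting it -- leaving the marker comment in place but no setting.
has_active_directive ()
{
	grep -Eq "^[[:space:]]*$1[[:space:]]" "$SSHD_CONFIG"
}

# Write custom settings to sshd_config
update_sshd ()
{
	echo " * Adding ClientAlive settings to $SSHD_CONFIG"
	# We're dealing with global settings which need to be higher in the file
	# than Match settings. So let's insert each of the needed lines at line
	# 1 in reverse order.
	sed -i '1i# End of Security Onion ClientAlive\n' "$SSHD_CONFIG"
	if ! has_active_directive "ClientAliveCountMax"; then
		sed -i '1iClientAliveCountMax 3' "$SSHD_CONFIG"
	fi
	if ! has_active_directive "ClientAliveInterval"; then
		sed -i '1iClientAliveInterval 30' "$SSHD_CONFIG"
	fi
	sed -i '1i# Security Onion Autossh' "$SSHD_CONFIG"
}

# If we make changes to sshd_config later, we'll need to restart sshd
restart_sshd ()
{
	# Never restart on a config that sshd itself rejects: a bad edit followed
	# by a restart would cut off remote administration of this host.
	# `sshd -t` only tests the config and exits non-zero on error.  If the
	# binary is not at the expected path, skip the test (pgrep below will not
	# match either, so nothing is restarted).
	if [ -x /usr/sbin/sshd ] && ! /usr/sbin/sshd -t; then
		echo " * ERROR: /usr/sbin/sshd -t rejected $SSHD_CONFIG; NOT restarting ssh daemon" >&2
		return 1
	fi
	# Check to see if sshd is running
	if pgrep -lf /usr/sbin/sshd >/dev/null 2>&1; then
		# If sshd is running, then restart it
		echo " * Restarting ssh daemon"
		service ssh restart
	fi
}

############
# Code
############

# Verify sshd_config exists (nothing to do on a host without sshd; exit quietly)
[ -f "$SSHD_CONFIG" ] || exit

if ! grep "Security Onion Autossh" "$SSHD_CONFIG" >/dev/null 2>&1; then
	# sshd_config doesn't contain our ClientAlive settings: insert them and restart sshd
	update_sshd
	restart_sshd
elif ! has_active_directive "ClientAliveInterval" || ! has_active_directive "ClientAliveCountMax"; then
	# Marker present but a directive missing: an earlier run matched a
	# commented-out default and skipped the insert.  Add only what is missing
	# (no second marker) and restart.
	echo " * Repairing ClientAlive settings in $SSHD_CONFIG"
	has_active_directive "ClientAliveCountMax" || sed -i '1iClientAliveCountMax 3' "$SSHD_CONFIG"
	has_active_directive "ClientAliveInterval" || sed -i '1iClientAliveInterval 30' "$SSHD_CONFIG"
	restart_sshd
fi

# if sshd_config has the old ClientAliveInterval setting as an active
# directive, update it and restart sshd (commented occurrences are left alone)
if grep -Eq "^[[:space:]]*ClientAliveInterval 60" "$SSHD_CONFIG"; then
	echo " * Updating ClientAlive settings in $SSHD_CONFIG"
	sed -i 's|^\([[:space:]]*\)ClientAliveInterval 60|\1ClientAliveInterval 30|' "$SSHD_CONFIG"
	restart_sshd
fi

--------------------------------------------------------------------------------
/usr/sbin/nsm_server_user-list:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright (C) 2008-2009 SecurixLive
# Modified by Doug Burks for Security Onion
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#

#
# INCLUDES
#
INC="/etc/nsm/administration.conf"
. $INC

. $NSM_LIB_DIR/lib-console-utils
. $NSM_LIB_DIR/lib-nsm-common-utils
. $NSM_LIB_DIR/lib-nsm-server-utils

# ensure we are root user before continuing any further
is_root
if [ "${?}" -ne 0 ]
then
	echo_error_msg 0 "OOPS: Must be root to run this script!"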
37 | exit 1; 38 | fi 39 | 40 | SERVER_NAME="securityonion" 41 | 42 | # check that the server DOES exist via its config 43 | if [ ! -f "/etc/nsm/${SERVER_NAME}/server.conf" ] 44 | then 45 | echo_error_msg 0 "OOPS: The server \"${SERVER_NAME}\" does not exist!" 46 | exit 1 47 | else 48 | # load existing variables for the server 49 | . /etc/nsm/${SERVER_NAME}/server.conf 50 | fi 51 | 52 | mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select uid,username,email,last_login,tzoffset from user_info where username != "auto" and password != "LOCKED";' 53 | 54 | exit 0 55 | 56 | -------------------------------------------------------------------------------- /usr/sbin/so-netsniff-ng-cron: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | . 
/usr/sbin/so-nsm-common 19 | 20 | SENSORTAB="/etc/nsm/sensortab" 21 | NUM_INTERFACES=$(grep -v "#" ${SENSORTAB} 2>/dev/null | wc -l) 22 | # If there are no sensor interfaces enabled, then exit 23 | if [ ${NUM_INTERFACES} -eq 0 ]; then 24 | exit 1 25 | fi 26 | 27 | INTERFACES=$(grep -v '#' $SENSORTAB | awk '{print $1}') 28 | LOG="/var/log/nsm/netsniff-sync.log" 29 | NEED_TO_RESTART="no" 30 | OS_DATE=$(date +"%Y-%m-%d") 31 | OS_TIME=$(date +"%H%M") 32 | 33 | if [ $OS_TIME -eq 0000 ]; then 34 | echo "$(date) Time is 00:00, so skipping check for netsniff date since /etc/cron.d/sensor-newday should be restarting it anyway." >> $LOG 35 | exit 0 36 | fi 37 | 38 | # Check all enabled sniffing interfaces 39 | for i in $INTERFACES; do 40 | # Check to see if pcap has been enabled on that interface 41 | if grep -q 'PCAP_ENABLED="yes"' /etc/nsm/$i/sensor.conf; then 42 | # Check to see if netsniff-ng is running on that interface 43 | if pgrep -af netsniff-ng.*/nsm/sensor_data/$i > /dev/null 2>&1; then 44 | NETSNIFF_DATE=$(pgrep -af netsniff-ng.*/nsm/sensor_data/$i | cut -d'/' -f6) 45 | # Check to see if netsniff's date matches current OS date 46 | if [ "$NETSNIFF_DATE" != "$OS_DATE" ]; then 47 | NEED_TO_RESTART="yes" 48 | fi 49 | fi 50 | fi 51 | done 52 | 53 | # Due to Issue 1118, if we try to restart pcap on a single interface, it will also restart Bro: 54 | # https://github.com/Security-Onion-Solutions/security-onion/issues/1118 55 | # To avoid this, we'll just restart all pcap instances. 56 | # This is probably a good idea anyway since, in most cases, if one netsniff instance is recording to the wrong date, then all of them are. 57 | if [ "$NEED_TO_RESTART" == "yes" ]; then 58 | echo "$(date) netsniff-ng date mismatch detected. Restarting all netsniff-ng instances." 
>> $LOG 59 | nsm_sensor_ps-restart --only-pcap >> $LOG 2>&1 60 | fi 61 | -------------------------------------------------------------------------------- /usr/sbin/so-nsm-common: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | # Check for prerequisites 19 | if [ "$(id -u)" -ne 0 ]; then 20 | echo "This script must be run using sudo!" 21 | exit 1 22 | fi 23 | -------------------------------------------------------------------------------- /usr/sbin/so-nsm-watchdog: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 
14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | . /usr/sbin/so-nsm-common 19 | 20 | # If logrotate script doesn't already exist, create it 21 | FILE="/etc/logrotate.d/so-nsm-watchdog" 22 | if ! [ -f ${FILE} ]; then 23 | cat << EOF > ${FILE} 24 | /var/log/nsm/watchdog.log { 25 | daily 26 | rotate 7 27 | copytruncate 28 | compress 29 | missingok 30 | notifempty 31 | } 32 | EOF 33 | fi 34 | 35 | # If server enabled, then check if stale 36 | FILE="/etc/nsm/servertab" 37 | ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 38 | if [ ${ENABLED} -gt 0 ]; then 39 | OUTPUT=$(/usr/sbin/nsm_server_ps-restart --if-stale) 40 | if [ "${OUTPUT}" != "" ]; then 41 | date 42 | echo "${OUTPUT}" 43 | fi 44 | fi 45 | 46 | # If there are sensor interfaces enabled, then check if stale 47 | FILE="/etc/nsm/sensortab" 48 | ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 49 | if [ ${ENABLED} -gt 0 ]; then 50 | OUTPUT=$(/usr/sbin/nsm_sensor_ps-restart --if-stale) 51 | if [ "${OUTPUT}" != "" ]; then 52 | date 53 | echo "${OUTPUT}" 54 | fi 55 | fi 56 | -------------------------------------------------------------------------------- /usr/sbin/so-sensor-backup-config: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 
14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | . /usr/sbin/so-nsm-common 19 | 20 | # If there are no sensor interfaces enabled, then exit 21 | FILE="/etc/nsm/sensortab" 22 | ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 23 | if [ ${ENABLED} -eq 0 ]; then 24 | exit 1 25 | fi 26 | 27 | # If logrotate script doesn't already exist, create it 28 | FILE="/etc/logrotate.d/so-sensor-backup-config" 29 | if ! [ -f ${FILE} ]; then 30 | cat << EOF > ${FILE} 31 | /var/log/nsm/so-sensor-backup-config.log { 32 | weekly 33 | rotate 4 34 | copytruncate 35 | compress 36 | missingok 37 | notifempty 38 | } 39 | EOF 40 | fi 41 | 42 | # Set defaults 43 | SENSOR_CONFIG_BACKUPS=10 44 | SENSOR_CONFIG_BACKUP_DIR="/etc/nsm/backup" 45 | 46 | # User can override defaults in securityonion.conf 47 | . /etc/nsm/securityonion.conf 48 | 49 | # Make sure the backup directory exists 50 | mkdir -p ${SENSOR_CONFIG_BACKUP_DIR} 51 | 52 | # Create a backup for each sensor interface 53 | for SENSOR in $(cat /etc/nsm/sensortab | grep -v '#' | awk '{print $1}'); do 54 | /usr/sbin/nsm_sensor_backup-config --force-yes --sensor-name=${SENSOR} --backup-file=${SENSOR_CONFIG_BACKUP_DIR}/${SENSOR}-sensor-backup-`date +\%Y-\%m-\%d`.tar.gz 55 | done 56 | 57 | # If old backups exist, delete them 58 | if ls ${SENSOR_CONFIG_BACKUP_DIR}/*sensor-backup*.tar.gz >/dev/null 2>&1; then 59 | /usr/bin/find ${SENSOR_CONFIG_BACKUP_DIR}/*sensor-backup*.tar.gz -mtime +${SENSOR_CONFIG_BACKUPS} -exec rm -f {} \; 60 | fi 61 | -------------------------------------------------------------------------------- /usr/sbin/so-server-backup-config: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General 
Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | . /usr/sbin/so-nsm-common 19 | 20 | # If server not enabled, then exit 21 | FILE="/etc/nsm/servertab" 22 | ENABLED=$(grep -v "#" ${FILE} 2>/dev/null | wc -l) 23 | if [ ${ENABLED} -eq 0 ]; then 24 | exit 1 25 | fi 26 | 27 | # If logrotate script doesn't already exist, create it 28 | FILE="/etc/logrotate.d/so-server-backup-config" 29 | if ! [ -f ${FILE} ]; then 30 | cat << EOF > ${FILE} 31 | /var/log/nsm/so-server-backup-config.log { 32 | weekly 33 | rotate 4 34 | copytruncate 35 | compress 36 | missingok 37 | notifempty 38 | } 39 | EOF 40 | fi 41 | 42 | # Set defaults 43 | SERVER_CONFIG_BACKUPS=10 44 | SERVER_CONFIG_BACKUP_DIR="/etc/nsm/backup" 45 | 46 | # User can override defaults in securityonion.conf 47 | . 
/etc/nsm/securityonion.conf 48 | 49 | # Make sure the backup directory exists 50 | mkdir -p ${SERVER_CONFIG_BACKUP_DIR} 51 | 52 | # Create a backup of the server config 53 | /usr/sbin/nsm_server_backup-config --force-yes --server-name=securityonion --backup-file=${SERVER_CONFIG_BACKUP_DIR}/securityonion-server-backup-`date +\%Y-\%m-\%d`.tar.gz 54 | 55 | # If old backups exist, delete them 56 | if ls ${SERVER_CONFIG_BACKUP_DIR}/*server-backup*.tar.gz >/dev/null 2>&1; then 57 | /usr/bin/find ${SERVER_CONFIG_BACKUP_DIR}/*server-backup*.tar.gz -mtime +${SERVER_CONFIG_BACKUPS} -exec rm -f {} \; 58 | fi 59 | -------------------------------------------------------------------------------- /usr/sbin/so-zeek-cron: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | . /usr/sbin/so-nsm-common 19 | 20 | SO_CONF="/etc/nsm/securityonion.conf" 21 | 22 | # Add new Bro entries to SO_CONF if necessary 23 | if ! grep BRO_USER ${SO_CONF} >/dev/null; then 24 | echo >> ${SO_CONF} 25 | echo "# BRO_USER specifies the user account used to start Bro." >> ${SO_CONF} 26 | echo "BRO_USER=sguil" >> ${SO_CONF} 27 | echo "BRO_GROUP=sguil" >> ${SO_CONF} 28 | fi 29 | 30 | # load in user config 31 | . 
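${SO_CONF}

# check for errors and exit if necessary
if ! [ "${BRO_ENABLED}" == "yes" ]; then
	exit 0
fi

if ! getent passwd ${BRO_USER} >/dev/null 2>&1; then
	exit 0
fi

if ! [ -f /opt/bro/etc/node.cfg ]; then
	exit 0
fi

if ! [ -x /opt/bro/bin/zeekctl ]; then
	exit 0
fi

if ! grep -qv "^#" /etc/nsm/sensortab; then
	exit 0
fi

# Run "zeekctl cron" as Bro user
su ${BRO_USER} -c '/opt/bro/bin/zeekctl cron 2>&1 | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "import BroControl.plugin" | grep -v "^$" '
--------------------------------------------------------------------------------
/usr/sbin/zeekctl:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
# Purpose: root-only wrapper that runs /opt/bro/bin/zeekctl as the
# unprivileged $BRO_USER, forwarding any arguments and filtering known
# noise from zeekctl's output.

# Ensure we're running as root
if [ "$(id -u)" != 0 ]; then
	echo "ERROR: This script must run as root. Hint..." 1>&2
	echo " sudo $0 $@" 1>&2
	exit 1
fi

# /etc/nsm/securityonion.conf defines the limited user that we use for starting zeekctl
SO_CONF="/etc/nsm/securityonion.conf"

# Add new Bro entries to SO_CONF if necessary
if ! grep BRO_USER $SO_CONF >/dev/null; then
	echo >> $SO_CONF
	echo "# BRO_USER specifies the user account used to start Bro." >> $SO_CONF
	echo "BRO_USER=sguil" >> $SO_CONF
	echo "BRO_GROUP=sguil" >> $SO_CONF
fi

# load in user config
. $SO_CONF

# Run "zeekctl" as Bro user and pass along arguments if necessary
if [ $# -eq 0 ]; then

	# No arguments were passed, so just run zeekctl interactively
	su "$BRO_USER" -c "/opt/bro/bin/zeekctl"

else

	# Arguments were passed, so pass those arguments to zeekctl and try to clean up the output.
	#
	# The arguments end up inside a string that $BRO_USER's login shell re-parses,
	# so each one is quoted first.  With a bare "$@" in the -c string an argument
	# containing whitespace or shell metacharacters (quotes, ';', '$(...)') would
	# be split or interpreted by that shell instead of reaching zeekctl intact.
	# printf %q produces bash-style quoting: plain words and backslash-escaped
	# spaces are understood by any POSIX sh, but $'...' forms (control characters)
	# assume $BRO_USER's login shell is bash -- TODO confirm for the sguil account.
	ZEEKCTL_ARGS=$(printf '%q ' "$@")
	# NOTE: the exit status of this pipeline is that of the final grep, not of
	# zeekctl (behaviour kept as-is); callers must not rely on $? for zeekctl's result.
	su "$BRO_USER" -c "/opt/bro/bin/zeekctl $ZEEKCTL_ARGS" 2>&1 | grep -v "warning: new .* version detected" | grep -v "Warning: ZeekControl plugin uses legacy BroControl API. Use" | grep -v "'import ZeekControl.plugin' instead of 'import BroControl.plugin'" | grep -v "^$" | grep -v "^Warning: Plugin 'af_packet' uses deprecated method 'broctl_config'; use 'zeekctl_config' instead$"

fi
--------------------------------------------------------------------------------
/usr/share/nsmnow/templates/server/sguil/config/autocat.conf:
--------------------------------------------------------------------------------
# $Id: autocat.conf,v 1.9 2005/02/10 19:51:37 bamm Exp $ #
#
# This file is read by sguild on start up. Its contents
# are used to create filters for the auto categorization
# function.
#
# Format:
#
# ||||||||||||||||
#
# - is the time the filter will be removed in
# YYYY-MM-DD TT:TT:TT format. Use 'none' if you wish to make
# the rule permanent.
#
# - Sensor name is the name of the sensor to filter on. Can be 'any'
#
# - The value of 'any' can be used for any of the ip, port, and sig msg fields.
#
# - proto can be 'any' or the int value for the proto (6 == TCP, 17 == UDP, 1 == ICMP)
#
# - The is the value for that category in the DB.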
22 | # Cat I - VII == 11 - 17 : NA == 1 23 | # 24 | # - The src_ip and dest_ip can be networks in CIDR notation (eg: 10.0.0.0/24) 25 | # 26 | # - sig msg can use TCL regexp format. To make a sig msg a regexp begin the rule with %%REGEXP%% 27 | # Do not use / / syntax. Matching is case sensitive unless 28 | # the string is preceded by a (?i). Use ^ to match the beginning of the line and $ for the end. 29 | # Examples: 30 | # - '%%REGEXP%%Testing' would match '123Testing123' but not '123testing123' 31 | # - '%%REGEXP%%(?i)testing' would match both '123Testing123' and '123testing123' 32 | # - '%%REGEXP%%^Testing' would match 'Testing' but not '123Testing' and not 'testing' 33 | # - '%%REGEXP%%(?i)^testing would match 'Testing' and 'testing' but not '123testing' 34 | # - if you don't use %%REGEXP%% the string you type in the sig must EXACTLY match the rule. 35 | # 36 | # Examples: 37 | # 38 | # Mark all portscans to port 135 as Category VI (Reconn/Probes/Scans) 39 | # none||ANY||ANY||ANY||ANY||135||6||spp_portscan: Portscan Detected||16 40 | # 41 | # Mark 'ICMP Destination Unreachable (Undefined Code!)' as NA (no 42 | # further action required) until Halloween from 192.168.8.4 on sensor bozo. 43 | # 2003-10-31||bozo||192.168.8.4||any||any||any||any||ICMP Destination Unreachable (Undefined Code!)||1 44 | # 45 | # Mark any rule that begins SNMP as CAT III 46 | # none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SNMP||13 47 | # 48 | # 49 | none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^URL||1 50 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/server/sguil/config/sguild.access: -------------------------------------------------------------------------------- 1 | #$Id: sguild.access,v 1.3 2004/04/21 18:44:27 bamm Exp $ 2 | ######################################################################### 3 | # # 4 | # This file is used by sguild for access control. 
It is read upon init #
# or when sguild receives a HUP signal. #
# #
# By default, sguild will look first for /etc/sguild/sguild.access, #
# then ./sguild.access unless the -A /path/to/sguild.access switch #
# is used. #
# #
#########################################################################
#
###############################################
# Add your sensor IPs here.
# If you don't want to limit access, then use the
# keyword 'ANY'.
#
# NOTE: this template defaults to 'sensor ANY', which accepts sensor
# connections from any source IP. For a production deployment, replace
# it with one 'sensor <ip>' line per sensor so that only known sensors
# can connect to sguild.
#
# Examples:
# sensor 192.168.8.254
###############################################
sensor ANY
#
###############################################
# Add your clients here.
# If you don't want to limit access, then use the
# keyword ANY.
#
# NOTE: 'client ANY' likewise accepts client connections from any source
# IP. Restrict this to the hosts your analysts connect from (and
# 127.0.0.1 if clients run on the server itself).
#
# Examples:
# client 192.168.8.1
# client 127.0.0.1
###############################################
client ANY
--------------------------------------------------------------------------------
/usr/share/nsmnow/templates/server/sguil/config/sguild.queries:
--------------------------------------------------------------------------------
# $Id: sguild.queries,v 1.8 2007/05/25 16:33:13 bamm Exp $ #

# This file contains the standard GLOBAL queries.
# format is:
# ||||||
Last Modified||Return the events modified in the last 30 mins||WHERE event.last_modified > DATE_SUB(NOW(), INTERVAL 30 MINUTE)||event
DNS Overflow||Looks for TCP DNS sessions with large source bytes. 
Since DNS requests generally have low byte counts, this could be a buffer overflow||WHERE sessions.start_time > DATE_SUB(NOW(), INTERVAL 1 DAY) AND sessions.dst_port=53 AND sessions.src_bytes > 1000||sessions 8 | Auto Cats||Select event auto updated in the last 10 mins||WHERE user_info.uid=event.last_uid AND user_info.username='auto' AND event.last_modified > DATE_SUB(NOW(), INTERVAL 10 MINUTE)||event 9 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/server/sguil/config/sguild.users: -------------------------------------------------------------------------------- 1 | # $Id: sguild.users,v 1.7 2003/11/19 18:18:14 bamm Exp $ # 2 | # 3 | # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING 4 | # 5 | # This file is automatically generated. Please do not edit it by hand. 6 | # Doing so could corrupt the file and make it unreadable. 7 | # 8 | # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING 9 | # 10 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/snort/rules/experimental.rules: -------------------------------------------------------------------------------- 1 | # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. 2 | # All rights reserved. 3 | # $Id: experimental.rules,v 1.78 2004/07/23 20:15:44 bmc Exp $ 4 | # --------------- 5 | # EXPERIMENTAL RULES 6 | # --------------- 7 | # These signatures are experimental, new and may trigger way too often. 8 | # 9 | # Be forwarned, this is our testing ground. We put new signatures here for 10 | # testing before incorporating them into the default signature set. This is 11 | # for bleeding edge stuff only. 
12 | # 13 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/snort/rules/info.rules: -------------------------------------------------------------------------------- 1 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:9;) 2 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;) 3 | # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. 4 | # All rights reserved. 5 | # $Id: info.rules,v 1.27.2.2 2004/11/30 02:39:03 bmc Exp $ 6 | #----------- 7 | # INFO RULES 8 | #----------- 9 | 10 | alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;) 11 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;) 12 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:policy-violation; sid:490; rev:7;) 13 | alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;) 14 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:9;) 15 | alert 
tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;) 16 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;) 17 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; nocase; distance:0; content:"|01 00 01 00|"; distance:3; within:4; content:"|2C|"; distance:0; content:"|01 00 01 00|"; distance:4; within:4; classtype:misc-activity; sid:2925; rev:2;) 18 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/snort/rules/local.rules: -------------------------------------------------------------------------------- 1 | # $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $ 2 | # ---------------- 3 | # LOCAL RULES 4 | # ---------------- 5 | # This file intentionally does not come with signatures. Put your local 6 | # additions here. 7 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/snort/rules/mysql.rules: -------------------------------------------------------------------------------- 1 | # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. 2 | # All rights reserved. 3 | # $Id: mysql.rules,v 1.10.2.1 2005/03/01 18:57:08 bmc Exp $ 4 | #---------- 5 | # MYSQL RULES 6 | #---------- 7 | # 8 | # These signatures detect unusual and potentially malicious mysql traffic. 9 | # 10 | # These signatures are not enabled by default as they may generate false 11 | # positive alarms on networks that do mysql development. 
12 | # 13 | 14 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;) 15 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;) 16 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; distance:3; within:1; content:"root|00|"; nocase; distance:5; within:5; classtype:protocol-command-decode; sid:3456; rev:1;) 17 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/snort/rules/other-ids.rules: -------------------------------------------------------------------------------- 1 | # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. 2 | # All rights reserved. 3 | # $Id: other-ids.rules,v 1.10 2004/07/23 20:15:44 bmc Exp $ 4 | # --------------- 5 | # OTHER-IDS RULES 6 | # --------------- 7 | # These signatures look for uses of other IDSs. 8 | # 9 | # These signatures serve two purposes. 10 | # 1) If you are "IDS GUY" for a company, and someone else sets up an IDS 11 | # without letting you know, thats bad. 12 | # 2) If you are "pen-tester", this is a good way to find out what IDS 13 | # systems your target is using after you have gained access to their 14 | # network. 
15 | # 16 | 17 | 18 | alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;) 19 | alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;) 20 | 21 | # To limit false positives, limit to the default port of 975 22 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;) 23 | -------------------------------------------------------------------------------- /usr/share/nsmnow/templates/snort/rules/pop2.rules: -------------------------------------------------------------------------------- 1 | # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. 2 | # All rights reserved. 
# $Id: pop2.rules,v 1.11.2.1 2004/10/13 20:25:57 bmc Exp $
#--------------
# POP2 RULES
#--------------

# FOLD followed by 256 non-newline bytes (the pop-2d FOLD overflow, CVE-1999-0920).
# isdataat:256,relative guarantees enough payload exists before the pcre runs.
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;)
# FOLD whose argument starts with "/" -- an absolute path rather than a folder name.
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;)
# Byte patterns from a published x86 Linux exploit for the same overflow.
# NOTE(review): sid 285 has no nocase, so only the uppercase "/BIN/SH" string
# used by that exploit is matched; a re-encoded payload will not fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;)
--------------------------------------------------------------------------------
/usr/share/nsmnow/templates/snort/rules/tftp.rules:
--------------------------------------------------------------------------------
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: tftp.rules,v 1.19 2004/07/23 20:15:44 bmc Exp $
#-----------
# TFTP RULES
#-----------
#
# These signatures are based on TFTP traffic. These include malicious files
# that are distributed via TFTP.
#
# Sids 518 (Put) and 1444 (Get) below match any generic TFTP write or read
# request, which is generally frowned upon on most networks but may be used
# in some environments -- expect noise from them where TFTP is legitimate.
#
# The overflow and filename rules use "any any -> any 69", so they fire in
# either direction and regardless of $HOME_NET; the directory/Put/Get/NULL
# rules are restricted to $EXTERNAL_NET -> $HOME_NET.

# Opcode 1 (RRQ) followed by at least 100 bytes with no NUL, i.e. a filename of 100+ bytes.
alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;)
# Same check for opcode 2 (WRQ).
alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;)
# Named-file fetches.  The name is searched from offset 2 with no depth, so it
# matches anywhere in the request (filename or mode field), case-insensitively.
alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
# ".." anywhere after the opcode (traversal attempt); "/" as the first filename byte (absolute path).
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
# Any WRQ / RRQ at all (see note at top).
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
# Opcode 0 is not a valid TFTP opcode.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
--------------------------------------------------------------------------------
/usr/share/nsmnow/templates/snort/rules/virus.rules:
--------------------------------------------------------------------------------
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: virus.rules,v 1.28 2004/07/23 20:15:44 bmc Exp $
#------------
# VIRUS RULES
#------------
#
# We don't care about virus rules anymore. BUT, you people won't stop asking
# us for virus rules. So... here ya go.
#
# There is now one rule that looks for any of the following attachment types:
#
# ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
# eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
# nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
# vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
# xlt, xlw
#
# NOTE(review): coverage is limited to what the rule literally inspects --
# outbound SMTP on port 25 only (mail submitted on other ports, or inside
# TLS, is not seen), a plain "filename=" parameter after a
# Content-Disposition header (the RFC 2231 "filename*=" form does not match
# the pcre), and the extension must be followed by a quote, newline or
# whitespace.  Archives and renamed files are not detected.

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:8;)
--------------------------------------------------------------------------------
/usr/share/nsmnow/templates/snort/rules/x11.rules:
--------------------------------------------------------------------------------
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: x11.rules,v 1.19 2004/07/23 20:15:44 bmc Exp $
#----------
# X11 RULES
#----------
#
# NOTE(review): both rules watch TCP 6000 only, which is display :0;
# additional displays listen on 6001+ and are not covered as written.

# External client presenting MIT-MAGIC-COOKIE-1 authentication to an internal
# X server.  flow:established carries no direction, and nothing checks the
# server's answer, so this fires whether or not the cookie is accepted.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
# Connection-setup request: "l" (little-endian byte order) then what looks
# like protocol major version 11 (|0B 00|) and zeroed minor/auth-length
# fields -- i.e. an unauthenticated xopen; verify against the X11 setup format.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
--------------------------------------------------------------------------------