Merge pull request #527 from Security-Onion-Solutions/2.4/dev

2.4.70
Security-Onion-Solutions · May 29, 2024 · 09557cf · 09557cf
2 parents 9e439b9 + a4c0d9c
commit 09557cf
Show file tree

Hide file tree

Showing 80 changed files with 11,430 additions and 3,495 deletions.
diff --git a/.github/.gitleaks.toml b/.github/.gitleaks.toml
diff --git a/.github/workflows/leaktest.yml b/.github/workflows/leaktest.yml
@@ -13,3 +13,5 @@ jobs:
 
     - name: Gitleaks
       uses: gitleaks/[email protected]
+      with:
+        config-path: .github/.gitleaks.toml
diff --git a/Dockerfile b/Dockerfile
@@ -4,14 +4,14 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-FROM ghcr.io/security-onion-solutions/golang:1.21.5-alpine as builder
+FROM ghcr.io/security-onion-solutions/golang:1.22-alpine as builder
 ARG VERSION=0.0.0
 RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv python3-dev openssl-dev linux-headers
 COPY . /build
 WORKDIR /build
 RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
 	git clone --no-single-branch --depth 50 https://github.com/Security-Onion-Solutions/securityonion-docs.git . && \
-	git checkout --force origin/$(echo $VERSION | cut -d'.' -f1,2) && \
+	git checkout --force origin/dev && \
 	git clean -d -f -f && \
 	sed -i "s|'display_github': True|'display_github': False|g" conf.py && \
 	python3 -mvirtualenv /tmp/virtualenv && \
@@ -22,9 +22,14 @@ RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
 RUN npm install jest jest-environment-jsdom --global
 RUN ./build.sh "$VERSION"
 
-RUN pip3 install sigma-cli pysigma-backend-elasticsearch pysigma-pipeline-windows yara-python --break-system-packages
+RUN pip3 install sigma-cli pysigma-backend-elasticsearch pysigma-pipeline-windows --break-system-packages
 RUN sed -i 's/#!\/usr\/bin\/python3/#!\/usr\/bin\/env python/g' /usr/bin/sigma
 
+# Build specific version of yara-python - needs to be pinned to Strelka's version.
+FROM ghcr.io/security-onion-solutions/python:3-slim as stage_2
+RUN apt-get update && apt-get install -y gcc python3-dev libssl-dev
+RUN pip3 install yara-python==4.3.1
+
 FROM ghcr.io/security-onion-solutions/python:3-slim
 
 ARG UID=939
@@ -34,7 +39,7 @@ ARG ELASTIC_VERSION=0.0.0
 ARG WAZUH_VERSION=0.0.0
 
 RUN apt update -y
-RUN apt install -y bash tzdata ca-certificates wget curl tcpdump unzip
+RUN apt install -y bash tzdata ca-certificates wget curl tcpdump unzip git
 RUN update-ca-certificates
 RUN addgroup --gid "$GID" socore
 RUN adduser --disabled-password --uid "$UID" --ingroup socore --gecos '' socore
@@ -51,6 +56,8 @@ COPY --from=builder /build/sensoroni.json .
 COPY --from=builder /build/gitdocs/_build/html ./html/docs
 COPY --from=builder /usr/lib/python3.11/site-packages /usr/local/lib/python3.9/site-packages
 COPY --from=builder /usr/bin/sigma /usr/bin/sigma
+COPY --from=stage_2 /usr/local/lib/python3.9/site-packages/yara_python-4.3.1.dist-info /usr/local/lib/python3.9/site-packages/
+COPY --from=stage_2 /usr/local/lib/python3.9/site-packages/yara.cpython-39-x86_64-linux-gnu.so /usr/local/lib/python3.9/site-packages/
 RUN find html/js -name "*test*.js" -delete
 RUN chmod u+x scripts/*
 RUN chown 939:939 scripts/*

diff --git a/Dockerfile.kratos b/Dockerfile.kratos
@@ -4,7 +4,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-FROM ghcr.io/security-onion-solutions/golang:1.21 AS builder
+FROM ghcr.io/security-onion-solutions/golang:1.22 AS builder
 
 ARG OWNER=ory
 ARG VERSION=v1.1.0
@@ -30,7 +30,7 @@ ENV CGO_CPPFLAGS -DSQLITE_DEFAULT_FILE_PERMISSIONS=0600
 
 RUN go mod download
 RUN go build -tags sqlite -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${VERSION}' -X 'github.com/ory/kratos/driver/config.Date=$(date -I)' -X 'github.com/ory/kratos/driver/config.Commit=$(git rev-parse --short HEAD)'"
- 
+
 
 FROM ghcr.io/security-onion-solutions/ubuntu:23.04
 

diff --git a/config/clientparameters.go b/config/clientparameters.go
@@ -22,9 +22,8 @@ type ClientParameters struct {
 	CaseParams          CaseParameters      `json:"case"`
 	DashboardsParams    HuntingParameters   `json:"dashboards"`
 	JobParams           HuntingParameters   `json:"job"`
-	DetectionsParams    HuntingParameters   `json:"detections"`
+	DetectionsParams    DetectionParameters `json:"detections"`
 	DetectionParams     DetectionParameters `json:"detection"`
-	PlaybooksParams     HuntingParameters   `json:"playbooks"`
 	DocsUrl             string              `json:"docsUrl"`
 	CheatsheetUrl       string              `json:"cheatsheetUrl"`
 	ReleaseNotesUrl     string              `json:"releaseNotesUrl"`

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/security-onion-solutions/securityonion-soc
 
-go 1.21
+go 1.22
 
 require (
 	github.com/apex/log v1.9.0
@@ -13,14 +13,15 @@ require (
 	github.com/kennygrant/sanitize v1.2.4
 	github.com/stretchr/testify v1.8.4
 	github.com/tidwall/gjson v1.17.0
-	golang.org/x/crypto v0.17.0
-	golang.org/x/net v0.19.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/crypto v0.21.0
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/go-git/go-git/v5 v5.11.0
+	github.com/hashicorp/go-multierror v1.1.1
 	github.com/pierrec/lz4/v4 v4.1.21
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
@@ -41,11 +42,11 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/oapi-codegen/runtime v1.0.0 // indirect
-	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect

diff --git a/go.sum b/go.sum
@@ -64,6 +64,10 @@ github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
 github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
 github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/influxdata/influxdb-client-go/v2 v2.13.0 h1:ioBbLmR5NMbAjP4UVA5r9b5xGjpABD7j65pI8kFphDM=
 github.com/influxdata/influxdb-client-go/v2 v2.13.0/go.mod h1:k+spCbt9hcvqvUiz0sr5D8LolXHqAAOfPw9v/RIRHl4=
@@ -98,8 +102,6 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
-github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
-github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
@@ -157,8 +159,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@@ -176,8 +178,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -200,15 +202,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

diff --git a/html/css/app.css b/html/css/app.css
@@ -534,17 +534,6 @@ td {
   margin-top: 20px;
 }
 
-.summary-backdrop {
-  background-color: rgb(53, 53, 53);
-  border-radius: 4px;
-}
-
-.summary-backdrop > div {
-  background-color: #2a2a2a;
-  border-radius: 4px;
-  padding: 16px;
-}
-
 .header {
   font-size: 1.3em;
   font-weight: bold;
@@ -555,7 +544,6 @@ td {
 }
 
 .extracted-content {
-  background-color: #404040;
   border-radius: 4px;
   padding: 8px;
 }
@@ -565,32 +553,15 @@ td {
   word-break: break-word;
 }
 
-.detect-reference {
-  font-size: small;
-  display: table;
-  margin-top: 12px;
-  margin-left: 12px;
-}
-
-.detect-reference > div {
-  display: table-row;
-}
-
-.detect-reference > div > div {
-  display: table-cell;
-  padding: 0 4px;
-}
-
-.detect-reference .key {
-  font-weight: bold;
-  text-align: right;
-}
-
 .ops-header {
   font-weight: bold;
   margin-top: 16px;
 }
 
+.ops-value::after {
+  content: "\00a0";
+}
+
 .ops-value > .v-input--selection-controls {
   margin-top: 0 !important;
   padding-top: 0 !important;
@@ -610,12 +581,6 @@ td {
   text-transform: capitalize;
 }
 
-.sigma-dialog-body {
-  background-color: #404040;
-  margin: 12px;
-  padding: 12px;
-}
-
 #convert-button-container {
   display: flex;
   flex-direction: row;
@@ -630,4 +595,37 @@ td {
 #actionTuneDetection-disabled {
   color: gray;
   cursor: pointer;
+}
+
+.override-help {
+  vertical-align: -webkit-baseline-middle;
+  margin-right: 8px;
+}
+
+.manual-sync {
+  margin: 6px;
+  display: flex;
+}
+
+.manual-sync div:first-child {
+  flex-grow: 1;
+  margin-right: 8px;
+}
+
+.manual-sync-buttons {
+  display: flex;
+  flex-direction: column;
+}
+
+.manual-sync-buttons button:first-child {
+  margin-bottom: 6px;
+}
+
+.manual-sync-buttons button {
+  width: 100%;
+}
+
+#override-filter-edit-buttons {
+  display: flex;
+  justify-content: end;
 }