diff --git a/README.md b/README.md index e68583021..b28f0c14f 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,9 @@ The following log sources are collected from the machines: - Attack Simulation Logs from Atomic Red Team and Caldera (```index = attack```) - Zeek Logs (```index = zeek```) - Snort Logs (```index = snort```) +- Cisco Secure Endpoint Logs (```index = cisco_secure_endpoint```) +- CrowdStrike Falcon Logs (```index = crowdstrike_falcon```) +- Carbon Black Logs (```index = carbon_black_cloud```) ## Running 🏃‍♀️ Attack Range supports different actions: @@ -196,3 +199,4 @@ We welcome feedback and contributions from the community! Please see our [contri * Eric McGinnis * [Micheal Haag](https://twitter.com/M_haggis) * Gowthamaraj Rajendran +* [Christopher Caldwell](https://github.com/cudgel) \ No newline at end of file diff --git a/configs/attack_range_default.yml b/configs/attack_range_default.yml index 319979129..ea7bf7714 100644 --- a/configs/attack_range_default.yml +++ b/configs/attack_range_default.yml @@ -17,7 +17,7 @@ general: # ip_whitelist = 0.0.0.0/0,35.153.82.195/32 crowdstrike_falcon: "0" - # Enable/Disable CrowdStrike Falcon by setting this to 1 or 0. + # Enable/Disable CrowdStrike Falcon log forwarding to Splunk by setting this to 1 or 0. crowdstrike_customer_ID: "" crowdstrike_logs_region: "" 
@@ -28,13 +28,19 @@ general: # See the chapter CrowdStrike Falcon in the docs page Attack Range Features. carbon_black_cloud: "0" - # Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0. + # Enable/Disable VMWare Carbon Black Cloud log forwarding to Splunkby setting this to 1 or 0. carbon_black_cloud_company_code: "" carbon_black_cloud_s3_bucket: "" # All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server. # See the chapter Carbon Black in the docs page Attack Range Features. + cisco_secure_endpoint: "0" + # Enable/Disable Cisco Secure Endpoint log forwarding to Splunk by setting this to 1 or 0. + cisco_secure_endpoint_api_id: "" + cisco_secure_endpoint_api_secret: "" + # All these fields are needed to automatically ingest Cisco Secure Endpoint logs into the Splunk Server. + install_contentctl: "0" # Install splunk/contentctl on linux servers @@ -114,10 +120,13 @@ splunk_server: - TA-aurora-0.2.0.tar.gz - TA-osquery.tar.gz - app-for-circleci_011.tgz + - cisco-secure-endpoint-formerly-amp-for-endpoints-cim-add-on_212.tgz + - cisco-secure-endpoint-formerly-amp-for-endpoints_300.tgz - palo-alto-networks-add-on-for-splunk_813.tgz - punchcard---custom-visualization_150.tgz - python-for-scientific-computing-(for-linux-64-bit)_421.tgz - snort-alert-for-splunk_111.tgz + - snort-3-json-alerts_105.tgz - splunk-add-on-for-amazon-web-services-(aws)_770.tgz - splunk-add-on-for-crowdstrike-fdr_200.tgz - splunk-add-on-for-github_300.tgz @@ -209,6 +218,12 @@ windows_servers_default: carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi" # Name of the Carbon Black Windows Agent stored in apps/ folder. + install_cisco_secure_endpoint: "0" + # Install Cisco Secure Endpoint by setting this to 1. + + cisco_secure_endpoint_windows_agent: "amp_Server.exe" + # Name of the Cisco Secure Endpoint Windows Agent stored in apps/ folder. + aurora_agent: "0" # Install Aurora Agent 
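Review bot: The new Carbon Black comment reads `Splunkby` (missing space); it should be `# Enable/Disable VMWare Carbon Black Cloud log forwarding to Splunk by setting this to 1 or 0.`, and the identical typo is repeated in the docs/source/Attack_Range_Config.md hunk of this commit. The closing comment of the new Cisco block (`# All these fields are needed to automatically ingest Cisco Secure Endpoint logs into the Splunk Server.`) would be more useful if, like the CrowdStrike and Carbon Black blocks just above it, it also pointed at the matching chapter in Attack Range Features that this commit adds.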
diff --git a/docs/source/Attack_Range_Config.md b/docs/source/Attack_Range_Config.md index e3db567bb..ab53dc75f 100644 --- a/docs/source/Attack_Range_Config.md +++ b/docs/source/Attack_Range_Config.md @@ -25,9 +25,8 @@ general: # ip_whitelist = 0.0.0.0/0,35.153.82.195/32 crowdstrike_falcon: "0" - # Enable/Disable CrowdStrike Falcon by setting this to 1 or 0. + # Enable/Disable CrowdStrike Falcon log forwarding to Splunk by setting this to 1 or 0. - crowdstrike_agent_name: "WindowsSensor.exe" crowdstrike_customer_ID: "" crowdstrike_logs_region: "" crowdstrike_logs_access_key_id: "" @@ -37,14 +36,19 @@ general: # See the chapter CrowdStrike Falcon in the docs page Attack Range Features. carbon_black_cloud: "0" - # Enable/Disable VMWare Carbon Black Cloud by setting this to 1 or 0. + # Enable/Disable VMWare Carbon Black Cloud log forwarding to Splunkby setting this to 1 or 0. - carbon_black_cloud_agent_name: "installer_vista_win7_win8-64-3.8.0.627.msi" carbon_black_cloud_company_code: "" carbon_black_cloud_s3_bucket: "" # All these fields are needed to automatically deploy a Carbon Black Agent and ingest Carbon Black logs into the Splunk Server. # See the chapter Carbon Black in the docs page Attack Range Features. + cisco_secure_endpoint: "0" + # Enable/Disable Cisco Secure Endpoint log forwarding to Splunk by setting this to 1 or 0. + cisco_secure_endpoint_api_id: "" + cisco_secure_endpoint_api_secret: "" + # All these fields are needed to automatically ingest Cisco Secure Endpoint logs into the Splunk Server. + install_contentctl: "0" # Install splunk/contentctl on linux servers 
@@ -121,33 +125,39 @@ splunk_server: # Url to download Splunk Universal Forwarder Windows. splunk_apps: - - splunk-add-on-for-microsoft-windows_880.tgz - - splunk-timeline-custom-visualization_162.tgz - - status-indicator-custom-visualization_150.tgz - - splunk-sankey-diagram-custom-visualization_160.tgz - - punchcard-custom-visualization_150.tgz - - splunk_attack_range_reporting-1.0.9.tar.gz - - splunk-common-information-model-cim_532.tgz - - DA-ESS-ContentUpdate-latest.tar.gz - - python-for-scientific-computing-for-linux-64-bit_420.tgz - - splunk-machine-learning-toolkit_541.tgz - - splunk-security-essentials_380.tgz - - splunk-add-on-for-sysmon_400.tgz - - splunk-add-on-for-sysmon-for-linux_100.tgz - - splunk-add-on-for-amazon-web-services-aws_760.tgz - - splunk-add-on-for-microsoft-office-365_451.tgz - - splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz - - splunk-add-on-for-unix-and-linux_910.tgz - - ta-for-zeek_108.tgz - - splunk-add-on-for-nginx_322.tgz - - phantom-app-for-splunk_4035.tgz - - TA-osquery.tar.gz - - splunk-add-on-for-microsoft-cloud-services_530.tgz - - splunk-add-on-for-crowdstrike-fdr_150.tgz - - vmware-carbon-black-cloud_115.tgz - - splunk-add-on-for-carbon-black_210.tgz - TA-aurora-0.2.0.tar.gz + - TA-osquery.tar.gz + - app-for-circleci_011.tgz + - cisco-secure-endpoint-formerly-amp-for-endpoints-cim-add-on_212.tgz + - cisco-secure-endpoint-formerly-amp-for-endpoints_300.tgz + - palo-alto-networks-add-on-for-splunk_813.tgz + - punchcard---custom-visualization_150.tgz + - python-for-scientific-computing-(for-linux-64-bit)_421.tgz - snort-alert-for-splunk_111.tgz + - snort-3-json-alerts_105.tgz + - splunk-add-on-for-amazon-web-services-(aws)_770.tgz + - splunk-add-on-for-crowdstrike-fdr_200.tgz + - splunk-add-on-for-github_300.tgz + - splunk-add-on-for-google-workspace_281.tgz + - splunk-add-on-for-microsoft-cloud-services_532.tgz + - splunk-add-on-for-microsoft-office-365_451.tgz + - splunk-add-on-for-microsoft-windows_890.tgz + - 
splunk-add-on-for-nginx_322.tgz + - splunk-add-on-for-okta-identity-cloud_221.tgz + - splunk-add-on-for-sysmon-for-linux_100.tgz + - splunk-add-on-for-sysmon_401.tgz + - splunk-add-on-for-unix-and-linux_920.tgz + - splunk-app-for-stream_813.tgz + - splunk-common-information-model-(cim)_532.tgz + - splunk-es-content-update_4391.tgz + - splunk-machine-learning-toolkit_542.tgz + - splunk-sankey-diagram---custom-visualization_160.tgz + - splunk-security-essentials_380.tgz + - splunk-timeline---custom-visualization_162.tgz + - splunk_attack_range_reporting-1.0.9.tar.gz + - status-indicator---custom-visualization_150.tgz + - ta-for-zeek_108.tgz + - vmware-carbon-black-cloud_210.tgz # List of Splunk Apps to install on the Splunk Server byo_splunk: "0" @@ -166,8 +176,10 @@ phantom_server: phantom_server: "0" # Enable/Disable Phantom Server - phantom_app: "splunk_soar-unpriv-6.2.1.305-7c40b403-el7-x86_64.tgz" - # name of the Splunk SOAR package located in apps folder + phantom_app: "splunk_soar-unpriv-6.2.2.134-8f694086-el8-x86_64.tgz" + # name of the Splunk SOAR package located in apps folder. + # aws: Make sure you use the RHEL 8 version which contains ....el8... in the file name + # azure, local: Make sure you use the RHEL 7 version which contains ....el7... in the file name phantom_byo: "0" # Enable/Disable Bring your own Phantom @@ -184,6 +196,7 @@ windows_servers_default: windows_image: "windows-server-2019" # Name of the image of the Windows Server. + # allowd values: windows-server-2016, windows-server-2019, windows-server-2022 create_domain: "0" # Create Domain will turn this Windows Server into a Domain Controller. Enable by setting this to 1. 
@@ -201,6 +214,24 @@ windows_servers_default: # Install Bad Blood by setting this to 1 or 0. # More information in chapter Bad Blood under Attack Range Features. + install_crowdstrike: "0" + # Install CrowdStrike Falcon by setting this to 1. + + crowdstrike_windows_agent: "WindowsSensor.exe" + # Name of the CrowdStrike Windows Agent stored in apps/ folder. + + install_carbon_black: "0" + # Install Carbon Black Cloud by setting this to 1. + + carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi" + # Name of the Carbon Black Windows Agent stored in apps/ folder. + + install_cisco_secure_endpoint: "0" + # Install Cisco Secure Endpoint by setting this to 1. + + cisco_secure_endpoint_windows_agent: "amp_Server.exe" + # Name of the Cisco Secure Endpoint Windows Agent stored in apps/ folder. + aurora_agent: "0" # Install Aurora Agent @@ -214,6 +245,13 @@ linux_servers_default: sysmon_config: "SysMonLinux-CatchAll.xml" # Specify a Sysmon config located under configs/ . + install_crowdstrike: "0" + # Install CrowdStrike Falcon by setting this to 1. + + crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb" + # Name of the CrowdStrike Windows Agent stored in apps/ folder. + + kali_server: kali_server: "0" # Enable Kali Server by setting this to 1. diff --git a/docs/source/Attack_Range_Features.md b/docs/source/Attack_Range_Features.md index 0eb06bf5b..9b93a8efe 100644 --- a/docs/source/Attack_Range_Features.md +++ b/docs/source/Attack_Range_Features.md 
@@ -1,5 +1,23 @@ # Attack Range Features +## Cisco Secure Endpoint +A Cisco Secure Endpoint agent can be automatically installed on the Windows server in Attack Range. It is required that the agent is downloaded into the apps folder before running the build command. The logs can ingested automatically to the Splunk server when you enable the Cisco Secure Endpoint log forwarding. You can use the following attack_range.yml configuration: +````yml +general: + attack_range_password: "ChangeMe123!" + cloud_provider: "aws" + key_name: "ar" + cisco_secure_endpoint: "1" # forward cisco secure endpoint logs to splunk + cisco_secure_endpoint_api_id: "" + cisco_secure_endpoint_api_secret: "" +windows_servers: + - hostname: ar-win + install_cisco_secure_endpoint: "1" + cisco_secure_endpoint_windows_agent: "amp_Server.exe" +```` +You need to update all the fields with your values. + + ## CrowdStrike Falcon A CrowdStrike Falcon agent can be automatically installed on the Windows Servers in Attack Range. It is required that the agent is downloaded into the apps folder before running the build command. The logs can ingested automatically to the Splunk server when you have the CrowdStrike Falcon Data Replicator (FDR) entitlement. You can use the following `attack_range.yml` configuration: ````yml @@ -7,8 +25,7 @@ general: attack_range_password: "ChangeMe123!" cloud_provider: "aws" key_name: "ar" - crowdstrike_falcon: "1" - crowdstrike_agent_name: "WindowsSensor.exe" + crowdstrike_falcon: "1" # forward crowdstrike logs to splunk crowdstrike_customer_ID: "" crowdstrike_logs_region: "" crowdstrike_logs_access_key_id: "" @@ -16,7 +33,8 @@ general: crowdstrike_logs_sqs_url: "" windows_servers: - hostname: ar-win - image: windows-2016-v3-0-0 + install_crowdstrike: "1" + crowdstrike_linux_agent: "falcon-sensor_7.18.0-17106_amd64.deb" ```` You need to update all the fields with your values. 
@@ -29,13 +47,13 @@ general: attack_range_password: "ChangeMe123!" cloud_provider: "aws" key_name: "ar" - carbon_black_cloud: "1" - carbon_black_cloud_agent_name: "installer_vista_win7_win8-64-3.8.0.627.msi" + carbon_black_cloud: "1" # forward carbon black logs to splunk carbon_black_cloud_company_code: "" carbon_black_cloud_s3_bucket: "" windows_servers: - hostname: ar-win - image: windows-2016-v3-0-0 + install_carbon_black: "1" + carbon_black_windows_agent: "installer_vista_win7_win8-64-4.0.1.1428.msi" ```` You need to update all the fields with your values. diff --git a/scripts/helpers/attack_range_apps.py b/scripts/helpers/attack_range_apps.py index 7c26edd5e..dd6bbb260 100644 --- a/scripts/helpers/attack_range_apps.py +++ b/scripts/helpers/attack_range_apps.py @@ -48,8 +48,16 @@ "url": "https://splunkbase.splunk.com/app/5488", }, { - "name": "VMware Carbon Black Cloud", - "url": "https://splunkbase.splunk.com/app/5332", + "name": "Cisco Secure Endpoint App", + "url": "https://splunkbase.splunk.com/app/3670", + }, + { + "name": "Cisco Secure Endpoint CIM Add-On", + "url": "https://splunkbase.splunk.com/app/3686", + }, + { + "name": "Snort 3 JSON Alerts", + "url": "https://splunkbase.splunk.com/app/4633", }, ] diff --git a/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml b/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml new file mode 100644 index 000000000..135af0b11 --- /dev/null +++ b/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/config.yml 
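Review bot: The hunk removes the `VMware Carbon Black Cloud` entry (Splunkbase app 5332) instead of adding the Cisco and Snort entries next to it, yet `vmware-carbon-black-cloud_210.tgz` is still listed under `splunk_apps` in the docs/source/Attack_Range_Config.md hunk of this commit (and presumably in the default config), so the helper no longer knows where to fetch that app. If dropping it is intentional the commit description should say so; otherwise restore the entry, `{"name": "VMware Carbon Black Cloud", "url": "https://splunkbase.splunk.com/app/5332"},`. The enclosing list starts outside the hunk.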
@@ -0,0 +1,137 @@
+---
+
+- name: Get cval from Splunk login page
+  uri:
+    url: http://localhost:8000/en-US/account/login
+    method: GET
+    return_content: yes
+    validate_certs: no
+  register: login_response
+
+- name: Extract cval from response
+  ansible.builtin.set_fact:
+    cval: "{{ login_response.cookies_string | regex_search('cval=([0-9]+)', '\\1') | first }}"
+
+- name: Login to Splunk using cval
+  uri:
+    url: http://localhost:8000/en-US/account/login
+    method: POST
+    headers:
+      Cookie: "cval={{ cval }}"
+    body_format: form-urlencoded
+    body:
+      username: admin
+      password: "{{ general.attack_range_password }}"
+      cval: "{{ cval }}"
+    validate_certs: no
+    status_code: [200, 201, 302] # Accept these status codes as success
+  register: login_result
+
+- name: Extract CSRF token and session ID
+  set_fact:
+    splunkweb_csrf_token_8000: "{{ login_result.set_cookie | regex_search('splunkweb_csrf_token_8000=([^;]+)', '\\1') | first }}"
+    splunkd_8000: "{{ login_result.set_cookie | regex_search('splunkd_8000=([^;]+)', '\\1') | first }}"
+
+- name: Get Splunk session key
+  uri:
+    url: https://localhost:8089/services/auth/login
+    method: POST
+    body_format: form-urlencoded
+    body:
+      username: admin
+      password: "{{ general.attack_range_password }}"
+      output_mode: json
+    validate_certs: no
+    return_content: yes
+  register: auth_response
+
+- name: Extract and store session key
+  set_fact:
+    splunk_session_key: "{{ auth_response.json.sessionKey }}"
+
+- name: Save API key
+  uri:
+    url: http://localhost:8000/en-GB/custom/amp4e_events_input/amp_streams_api_controller/save_api_key
+    method: POST
+    headers:
+      Authorization: "Splunk {{ splunk_session_key }}"
+      Cookie: "splunkd_8000={{ splunkd_8000 }}; splunkweb_csrf_token_8000={{ splunkweb_csrf_token_8000 }}"
+      Content-Type: "application/x-www-form-urlencoded"
+      X-Requested-With: "XMLHttpRequest"
+      X-Splunk-Form-Key: "{{ splunkweb_csrf_token_8000 }}"
+    body_format: form-urlencoded
+    body:
+      api_id: "{{ general.cisco_secure_endpoint_api_id }}"
+      api_key: "{{ general.cisco_secure_endpoint_api_secret }}"
+    validate_certs: no
+    status_code: [200, 201, 202, 204]
+  register: save_api_key_result
+
+- name: Save Inputs Configuration
+  uri:
+    url: http://localhost:8000/en-US/splunkd/__raw/servicesNS/nobody/amp4e_events_input/configs/conf-inputs/amp4e_events_input
+    method: POST
+    headers:
+      Authorization: "Splunk {{ splunk_session_key }}"
+      Cookie: "splunkd_8000={{ splunkd_8000 }}; splunkweb_csrf_token_8000={{ splunkweb_csrf_token_8000 }}"
+      Content-Type: "application/x-www-form-urlencoded"
+      X-Requested-With: "XMLHttpRequest"
+      X-Splunk-Form-Key: "{{ splunkweb_csrf_token_8000 }}"
+    body_format: form-urlencoded
+    body:
+      output_mode: "json"
+      rcvbuf: 1572864
+      disabled: "false"
+      eai_acl: ""
+      eai_app_name: "search"
+      eai_user_name: "admin"
+      host: "$decideOnStartup"
+      index: "cisco_secure_endpoint"
+      interval: 0
+      python_version: "python3"
+      start_by_shell: 0
+      api_id: "{{ general.cisco_secure_endpoint_api_id }}"
+      api_host: "api.amp.cisco.com"
+      api_key: ""
+    validate_certs: no
+    status_code: [200, 201, 202, 204]
+  register: save_inputs_configuration_response
+
+- name: Generate stream name
+  set_fact:
+    stream_name: "cisco_secure_endpoint_input_{{ 999999 | random }}"
+
+- name: Save Streams Configuration
+  uri:
+    url: http://localhost:8000/en-US/custom/amp4e_events_input/amp_streams_api_controller/save_stream
+    method: POST
+    headers:
+      Authorization: "Splunk {{ splunk_session_key }}"
+      Cookie: "splunkd_8000={{ splunkd_8000 }}; splunkweb_csrf_token_8000={{ splunkweb_csrf_token_8000 }}"
+      Content-Type: "application/x-www-form-urlencoded"
+      X-Requested-With: "XMLHttpRequest"
+      X-Splunk-Form-Key: "{{ splunkweb_csrf_token_8000 }}"
+    body_format: form-urlencoded
+    body:
+      name: "{{ stream_name }}"
+      index: "cisco_secure_endpoint"
+      stream_name: "{{ stream_name }}"
+      groups_names: ""
+      event_types_names: ""
+      groups: ""
+      event_types: ""
+      api_host: "api.amp.cisco.com"
+      api_id: "{{ general.cisco_secure_endpoint_api_id }}"
+      api_key: "{{ general.cisco_secure_endpoint_api_secret }}"
+    validate_certs: no
+    status_code: [200, 201, 202, 204]
+  register: save_streams_configuration_response
+
+- name: Copy new inputs.conf configuration
+  template:
+    src: inputs.conf.j2
+    dest: /opt/splunk/etc/apps/amp4e_events_input/local/inputs.conf
+
+- name: restart splunk
+  service: name=splunk state=restarted
+  become: yes
\ No newline at end of file
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/main.yml b/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/main.yml
new file mode 100644
index 000000000..a81a6adcd
--- /dev/null
+++ b/terraform/ansible/roles/cisco_secure_endpoint_logs/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- include: config.yml
+  when: general.cisco_secure_endpoint == "1"
\ No newline at end of file
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2 b/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2
new file mode 100644
index 000000000..eb43a315a
--- /dev/null
+++ b/terraform/ansible/roles/cisco_secure_endpoint_logs/templates/inputs.conf.j2
@@ -0,0 +1,15 @@
+[amp4e_events_input]
+api_host = api.amp.cisco.com
+api_id = {{ general.cisco_secure_endpoint_api_id }}
+disabled = false
+eai_app_name = search
+eai_user_name = admin
+python_version = python3
+rcvbuf = 1572864
+start_by_shell = 0
+
+[amp4e_events_input://{{ stream_name }}]
+api_host = api.amp.cisco.com
+api_id = {{ general.cisco_secure_endpoint_api_id }}
+index = cisco_secure_endpoint
+stream_name = {{ stream_name }}
\ No newline at end of file
diff --git a/terraform/ansible/roles/cisco_secure_endpoint_win/tasks/cisco_secure_endpoint.yml b/terraform/ansible/roles/cisco_secure_endpoint_win/tasks/cisco_secure_endpoint.yml
new file mode 100644
index 000000000..e98c5ca62
--- /dev/null
+++ b/terraform/ansible/roles/cisco_secure_endpoint_win/tasks/cisco_secure_endpoint.yml
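Review bot: The tasks `Login to Splunk using cval`, `Get Splunk session key`, `Save API key` and `Save Streams Configuration` send `general.attack_range_password` and `general.cisco_secure_endpoint_api_secret` in their request bodies, and the `set_fact` tasks derive `splunk_session_key` and the session cookies from the registered results; none of them carry `no_log: true`, so in a verbose run the credentials and session tokens can end up in the Ansible output. Add `no_log: true` to each of those tasks (the `set_fact` ones included). The `return_content: yes` / `validate_certs: no` values should be written `true`/`false` (yamllint `truthy`), and `validate_certs` only has an effect on the one `https://localhost:8089` call. The closing `restart splunk` task uses the `service` module in key=value form while this same commit replaces exactly that form with `shell: '/opt/splunk/bin/splunk restart'` in change_splunk_password.yml; the two roles should restart Splunk the same way.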
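Review bot: `- include: config.yml` uses the legacy `include` action, which is deprecated and has been dropped from current ansible-core releases, while the sibling role cisco_secure_endpoint_win/tasks/main.yml in this same commit uses `include_tasks`. Change it to `- include_tasks: config.yml` so both roles load their task files the same way and the role keeps working on newer Ansible.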
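Review bot: `eai_app_name = search` and `eai_user_name = admin` in the `[amp4e_events_input]` stanza look like REST response metadata (the `eai:*` attributes Splunk returns) rather than inputs.conf settings, and the same values are posted as body fields in the `Save Inputs Configuration` task; unless the add-on documents them as real settings they should be dropped from the template. The template also rewrites a file that the preceding REST calls already configured, so a leading `# Rendered over the REST-created config so the stream stanza carries the generated stream_name` style comment would tell the next maintainer why the file is overwritten (adjust to the actual reason).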
@@ -0,0 +1,17 @@ +--- + +- name: Copy cisco secure endpoint agent + win_copy: + src: "../../apps/{{ windows_servers.cisco_secure_endpoint_windows_agent }}" + dest: C:\temp\amp_Server.exe + +- name: Install Cisco AMP + win_package: + path: C:\temp\amp_Server.exe + arguments: "/S" + state: present + +- name: Remove Cisco AMP installer + win_file: + path: C:\temp\amp_Server.exe + state: absent \ No newline at end of file diff --git a/terraform/ansible/roles/cisco_secure_endpoint_win/tasks/main.yml b/terraform/ansible/roles/cisco_secure_endpoint_win/tasks/main.yml new file mode 100644 index 000000000..e4a8c8f55 --- /dev/null +++ b/terraform/ansible/roles/cisco_secure_endpoint_win/tasks/main.yml @@ -0,0 +1,4 @@ +--- + +- include_tasks: cisco_secure_endpoint.yml + when: windows_servers.install_cisco_secure_endpoint == "1" \ No newline at end of file diff --git a/terraform/ansible/roles/snort/files/inputs.conf b/terraform/ansible/roles/snort/files/inputs.conf index 8c8b87d50..884d7a8df 100644 --- a/terraform/ansible/roles/snort/files/inputs.conf +++ b/terraform/ansible/roles/snort/files/inputs.conf @@ -1,8 +1,8 @@ [default] host = snort -[monitor:///var/log/snort/alert_fast.txt] +[monitor:///var/log/snort/alert_json.txt] _TCP_ROUTING = * index = snort -sourcetype = snort_alert_fast +sourcetype = snort3:alert:json diff --git a/terraform/ansible/roles/snort/files/snort.lua b/terraform/ansible/roles/snort/files/snort.lua index 2f63ba0c8..f4c4eb701 100644 --- a/terraform/ansible/roles/snort/files/snort.lua +++ b/terraform/ansible/roles/snort/files/snort.lua @@ -99,8 +99,8 @@ appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' -app_detector_dir = '/usr/local/lib', -log_stats = true, + app_detector_dir = '/usr/local/lib', + log_stats = true, } --[[ 
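Review bot: `win_package` is given an `.exe` installer with `state: present` but no `product_id`, `creates_path` or `creates_service`, so as far as I can tell the module has no way to know the agent is already installed and will re-run `amp_Server.exe /S` (and report changed) on every play, after re-copying the installer that the last task deleted. Add a `creates_path` for the installed connector binary, e.g. `creates_path: "<path to the installed Cisco Secure Endpoint binary>"` (placeholder), or the installer's `product_id`. The copy step hard-codes `dest: C:\temp\amp_Server.exe` regardless of `cisco_secure_endpoint_windows_agent`; that is fine functionally, but a comment such as `# installer is staged under a fixed name so the install/remove steps need not track the configured file name` would make the intent explicit.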
@@ -185,12 +185,13 @@ classifications = default_classifications ips = { -- use this to enable decoder and inspector alerts -enable_builtin_rules = true, -include = RULE_PATH .. "/local.rules", -include = RULE_PATH .. "/snort3-community-rules/snort3-community.rules", + enable_builtin_rules = true, + -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) + include = RULE_PATH .. "/local.rules", + include = RULE_PATH .. "/snort3-community-rules/snort3-community.rules", variables = default_variables } @@ -253,10 +254,6 @@ rate_filter = -- you can enable with defaults from the command line with -A -- uncomment below to set non-default configs --alert_csv = { } -alert_fast = {file = true, -packet = false, -limit = 10, -} --alert_fast = { } --alert_full = { } --alert_sfsocket = { } 
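Review bot: The `ips` table now carries the key `include` twice (`include = RULE_PATH .. "/local.rules",` followed by `include = RULE_PATH .. "/snort3-community-rules/snort3-community.rules",`); in a Lua table constructor only one value survives for a duplicated key, so one of the two rule files (in practice `local.rules`) is silently never loaded. Snort 3's `ips.include` takes a single file; load the second set through the `rules` string instead, e.g. `rules = 'include ' .. RULE_PATH .. '/snort3-community-rules/snort3-community.rules',`, or have local.rules include the community rules itself. The `ips` table closes inside the hunk, so the fix is local to it.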
@@ -279,4 +276,94 @@ limit = 10, if ( tweaks ~= nil ) then include(tweaks .. '.lua') -end \ No newline at end of file +end + +--------------------------------------------------------------------------- +-- 9. custom configurations +--------------------------------------------------------------------------- + +-- replace alert_fast with alert_json for logging +--- alert_json will provide much more useful information +alert_json = +{ + -- enables all informational fields + fields = 'action class b64_data client_bytes client_pkts dir dst_addr dst_ap dst_port ' .. + 'eth_dst eth_len eth_src eth_type flowstart_time geneve_vni gid icmp_code icmp_id ' .. + 'icmp_seq icmp_type iface ip_id ip_len msg mpls pkt_gen pkt_len pkt_num priority ' .. + 'proto rev rule seconds server_bytes server_pkts service sgt sid src_addr src_ap ' .. + 'src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win timestamp tos ttl udp_len vlan', + + file = true, + limit = 10, +} + +-- this detects ARP attacks and anomalies +--- disabled by default in all of our base policies +arp_spoof = nil + +detection = +{ + -- increases limits pcre backtracking + pcre_match_limit = 3500, + -- increases limits for pcre stack consumption + pcre_match_limit_recursion = 3500, +} + +-- increases logs +event_queue = +{ + log = 15, + max_queue = 15, +} + +-- checks for end of encryption +ftp_server.check_encrypted = true + +-- decompress pdf files in response bodies +http_inspect.decompress_pdf = true +-- decompress swf files in response bodies +http_inspect.decompress_swf = true +-- decompress zip files in response bodies +http_inspect.decompress_zip = true +-- normalizes %uNNNN and %UNNNN encodings +http_inspect.percent_u = true +-- normalize javascript in response bodies +http_inspect.normalize_javascript = true + +-- decompress pdf files in MIME attachments +imap.decompress_pdf = true +-- decompress swf files in MIME attachments +imap.decompress_swf = true +-- decompress zip files in MIME attachments 
+imap.decompress_zip = true + +-- disable latency enforcements +latency = nil + +-- decompress pdf files in MIME attachments +pop.decompress_pdf = true +-- decompress swf files in MIME attachments +pop.decompress_swf = true +-- decompress zip files in MIME attachments +pop.decompress_zip = true + +-- disable port scan module +port_scan = nil + +-- enable detection on TCP payload before reassembly +search_engine.detect_raw_tcp = true + +-- decompress pdf files in MIME attachments +smtp.decompress_pdf = true +-- decompress swf files in MIME attachments +smtp.decompress_swf = true +-- decompress zip files in MIME attachments +smtp.decompress_zip = true + +-- enables builtin detection that will alert if fragment length is < 100 bytes +stream_ip.min_frag_length = 100 + +-- check for end of encryption +telnet.check_encrypted = true +-- eliminate escape sequences +telnet.normalize = true diff --git a/terraform/ansible/roles/splunk_server/files/indexes.conf b/terraform/ansible/roles/splunk_server/files/indexes.conf index 811697437..05cc06c5a 100644 --- a/terraform/ansible/roles/splunk_server/files/indexes.conf +++ b/terraform/ansible/roles/splunk_server/files/indexes.conf @@ -245,4 +245,10 @@ frozenTimePeriodInSecs = 604800 homePath = volume:primary/snortdb/db coldPath = volume:primary/snortdb/colddb thawedPath = $SPLUNK_DB/snortdb/thaweddb +frozenTimePeriodInSecs = 604800 + +[cisco_secure_endpoint] +homePath = volume:primary/cisco_secure_endpointdb/db +coldPath = volume:primary/cisco_secure_endpointdb/colddb +thawedPath = $SPLUNK_DB/cisco_secure_endpointdb/thaweddb frozenTimePeriodInSecs = 604800 \ No newline at end of file diff --git a/terraform/ansible/roles/splunk_server_post/handlers/main.yml b/terraform/ansible/roles/splunk_server_post/handlers/main.yml deleted file mode 100644 index 7e97b88f3..000000000 --- a/terraform/ansible/roles/splunk_server_post/handlers/main.yml +++ /dev/null 
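Review bot: The `alert_json.fields` list includes `b64_data`, so every alert ships the base64-encoded raw packet payload into the `snort` index; that inflates Splunk ingest and puts whatever cleartext protocols carry (including credentials) into the index, so either drop `b64_data` or add a comment stating that full-payload capture is wanted for this lab. `port_scan = nil` and `arp_spoof = nil` switch off detectors that the attack simulations run in this range would otherwise exercise, and the copied comment `--- disabled by default in all of our base policies` reads like upstream Snort documentation rather than the reason this range disables them; replace it with the actual rationale (e.g. noise or performance) so the reduced coverage is a documented decision. Whether this hunk ends the file is not visible here.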
@@ -1,3 +0,0 @@ -- name: restart splunk - service: name=splunk state=restarted - become: yes diff --git a/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml b/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml index e8ebe7f15..7426a1bf5 100644 --- a/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml +++ b/terraform/ansible/roles/splunk_server_post/tasks/change_splunk_password.yml @@ -5,5 +5,23 @@ become: yes - name: restart splunk - service: name=splunk state=restarted - become: yes \ No newline at end of file + shell: '/opt/splunk/bin/splunk restart' + become: yes + +# - name: Stop Splunk service +# systemd: +# name: splunk +# state: stopped +# become: yes + +# - name: Start Splunk service +# systemd: +# name: splunk +# state: started +# become: yes + +# - name: Wait for Splunk to be ready +# wait_for: +# port: 8000 +# timeout: 300 +# become: yes \ No newline at end of file diff --git a/terraform/ansible/splunk_server.yml b/terraform/ansible/splunk_server.yml index 9e936c7b9..88acd7390 100644 --- a/terraform/ansible/splunk_server.yml +++ b/terraform/ansible/splunk_server.yml @@ -16,3 +16,4 @@ - carbon_black_cloud_logs - crowdstrike_falcon_logging - guacamole + - cisco_secure_endpoint_logs diff --git a/terraform/ansible/windows.yml b/terraform/ansible/windows.yml index 039b5cdc4..1652c2a22 100644 --- a/terraform/ansible/windows.yml +++ b/terraform/ansible/windows.yml @@ -21,4 +21,5 @@ - windows_aurora_agent - windows_install_attack_simulation - crowdstrike_falcon_agent_win - - carbon_black_cloud_agent_win \ No newline at end of file + - carbon_black_cloud_agent_win + - cisco_secure_endpoint_win \ No newline at end of file
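Review bot: The replacement restart task uses `shell:` for a fixed command with no shell features; `command: /opt/splunk/bin/splunk restart` (or staying with the `service` module) is the idiomatic choice and avoids needless shell interpretation. The block of commented-out `systemd`/`wait_for` tasks below it is dead code that will drift: either delete it or, if the stop/start/wait sequence is the intended replacement, enable it and drop the `shell` task. Note that this commit deletes the role's `handlers/main.yml` restart handler while the new cisco_secure_endpoint_logs role still restarts Splunk with `service: name=splunk state=restarted`, so there are now two different restart mechanisms in the same playbook run.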