
Setup: lowercase hostname when creating sensornames #988 and rename VRT to Talos #1000 #24

Merged
merged 2 commits into from
Nov 14, 2016
55 changes: 29 additions & 26 deletions bin/sosetup
Expand Up @@ -26,7 +26,8 @@
#########################################
DEBUG="0"
# Window title
HOSTNAME=`hostname`
HOST_ORIG=`hostname`
HOSTNAME=${HOST_ORIG,,}
IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
TITLE="Security Onion Setup ($HOSTNAME)"
# File locations
Expand All @@ -35,7 +36,7 @@ LOG=`mktemp /tmp/sosetup.log.XXXXXXXXXX`
PP_CONF="/etc/nsm/pulledpork/pulledpork.conf"
# URLs
ET_URL="rules.emergingthreats.net"
VRT_URL="www.snort.org"
TALOS_URL="www.snort.org"
# Provide sensible defaults for Quick Setup
SGUIL_SERVER_NAME="securityonion"
IDS_ENGINE="snort"
Expand Down Expand Up @@ -208,7 +209,7 @@ as it gives you more control over the details of your system\n\
and allows you to build a distributed sensor network. You choose:\n\
- Sguil server, Sguil sensor, or both\n\
- which IDS engine to use (Snort or Suricata)\n\
- which IDS ruleset(s) to use (Emerging Threats, Snort VRT, or both)\n\
- which IDS ruleset(s) to use (Emerging Threats, Snort Subscriber (Talos), or both)\n\
- how many processes to run for Snort/Suricata/Bro"
SETUP=""
SETUP=`zenity --list --radiolist \
Expand Down Expand Up @@ -546,8 +547,8 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then
IDS_RULESET=`zenity --width=600 --height=300 --list --radiolist --column="1" --column="Ruleset" --column="Ruleset" --column="Oinkcode required?" --hide-header --hide-column="2" --text="$TEXT" --title="$TITLE" \
TRUE "ETOPEN" "Emerging Threats Open" "no oinkcode required" \
FALSE "ETPRO" "Emerging Threats PRO" "requires ETPRO oinkcode" \
FALSE "VRTET" "Snort VRT ruleset and Emerging Threats NoGPL ruleset" "requires Snort VRT oinkcode" \
FALSE "VRT" "Snort VRT ruleset only and set a VRT policy" "requires Snort VRT oinkcode" `
FALSE "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset" "requires Snort Subscriber oinkcode" \
FALSE "TALOS" "Snort Subscriber (Talos) ruleset only and set a Snort Subscriber policy" "requires Snort Subscriber oinkcode" `

case $IDS_RULESET in
ETOPEN)
Expand All @@ -561,24 +562,24 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then
[ $DEBUG -eq 1 ] && echo "DEBUG: Entered ETPRO oinkcode $OINKCODE"
IDS_RULESET_ACTION="- Download ETPRO ruleset using oinkcode $OINKCODE.\n"
;;
VRT)
[ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort VRT ruleset only and setting a VRT policy."
TEXT="Please enter your Snort VRT oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
TALOS)
[ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy."
TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
OINKCODE=`zenity --title "$TITLE" --entry --text="$TEXT"`
[ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort VRT oinkcode $OINKCODE"
VRT_POLICY=`zenity --list --radiolist --hide-header --column="1" --column="2" --text="Please choose a VRT policy." --title "$TITLE" \
[ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE"
TALOS_POLICY=`zenity --list --radiolist --hide-header --column="1" --column="2" --text="Please choose a Snort Subscriber (Talos) policy." --title "$TITLE" \
FALSE "connectivity" \
FALSE "balanced" \
FALSE "security" `
[ $DEBUG -eq 1 ] && echo "DEBUG: Selected Snort VRT policy $VRT_POLICY"
IDS_RULESET_ACTION="- Download the Snort VRT ruleset using oinkcode $OINKCODE.\n- Set VRT policy to $VRT_POLICY.\n"
[ $DEBUG -eq 1 ] && echo "DEBUG: Selected Snort Subscriber (Talos) policy $TALOS_POLICY"
IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Set Snort Subscriber (Talos) policy to $TALOS_POLICY.\n"
;;
VRTET)
[ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort VRT and Emerging Threats NoGPL ruleset."
TEXT="Please enter your Snort VRT oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
TALOSET)
[ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) and Emerging Threats NoGPL ruleset."
TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
OINKCODE=`zenity --entry --title "$TITLE" --text="$TEXT"`
[ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort VRT oinkcode $OINKCODE"
IDS_RULESET_ACTION="- Download the Snort VRT ruleset using oinkcode $OINKCODE.\n- Download the Emerging Threats NoGPL ruleset.\n"
[ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE"
IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Download the Emerging Threats NoGPL ruleset.\n"
;;
*)
[ $? = 1 ] && [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." && exit 1
Expand Down Expand Up @@ -1169,6 +1170,7 @@ pkill autossh
# Make sure MySQL is running so that we can fully delete the NSM databases
[ $SERVER -eq 1 ] && service mysql start >> $LOG 2>&1
# Uncomment any disabled sensors so that we can fully delete them
sed -i "s|^#$HOST_ORIG-|$HOST_ORIG-|g" $SENSORTAB
sed -i "s|^#$HOSTNAME-|$HOSTNAME-|g" $SENSORTAB
# Delete all nsm configuration and data
/usr/sbin/nsm_all_del_quick >> $LOG 2>&1
Expand Down Expand Up @@ -1259,7 +1261,8 @@ if [ $SENSOR -eq 1 ]; then
echo "20"
echo "# Please wait while creating Sguil sensor(s)..." | tee -a $LOG
BY2PORT=8000
HOSTNAME=`hostname`
HOST_ORIG=`hostname`
HOSTNAME=${HOST_ORIG,,}

# Configure SSH Key authentication to server if necessary
if [ "$SERVERNAME" != "localhost" ]; then
Expand Down Expand Up @@ -1628,29 +1631,29 @@ if [ "$SERVERNAME" = "localhost" ]; then
# Test Internet access
curl -s $ET_URL >/dev/null 2>&1 && INTERNET="UP"
;;
VRT)
echo "Configuring for Snort VRT ruleset only and setting a VRT policy." >> $LOG 2>&1
TALOS)
echo "Configuring for Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy." >> $LOG 2>&1
# Disable ET.
sed -i 's\rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open\#rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open\g' $PP_CONF >> $LOG 2>&1
# Enable Snort.
sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
# Enable Snort Community ruleset.
sed -i "s\#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community\rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
# Set VRT Policy.
sed -i "s|# ips_policy=security|ips_policy=$VRT_POLICY|g" $PP_CONF >> $LOG 2>&1
# Set Snort Subscriber (Talos) Policy.
sed -i "s|# ips_policy=security|ips_policy=$TALOS_POLICY|g" $PP_CONF >> $LOG 2>&1
# Test Internet access
curl -s $VRT_URL >/dev/null 2>&1 && INTERNET="UP"
curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
;;
VRTET)
echo "Configuring for Snort VRT and Emerging Threats NoGPL rulesets" >> $LOG 2>&1
TALOSET)
echo "Configuring for Snort Subscriber (Talos) and Emerging Threats NoGPL rulesets" >> $LOG 2>&1
# Enable Snort.
sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
# Enable Snort Community ruleset.
sed -i "s\#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community\rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
# Change open to open-nogpl
sed -i 's\rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open\rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl\g' $PP_CONF >> $LOG 2>&1
# Test Internet access
curl -s $ET_URL >/dev/null 2>&1 && curl -s $VRT_URL >/dev/null 2>&1 && INTERNET="UP"
curl -s $ET_URL >/dev/null 2>&1 && curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
;;
esac

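Review bot: The new `HOSTNAME=${HOST_ORIG,,}` assignment in the first hunk (repeated in the Sguil sensor hunk and in bin/sosetup-network) is a bash 4 case-conversion expansion; the shebang is outside this view, and under `#!/bin/sh` or an older bash it is a syntax error rather than a lowercased name, so a portable form such as `HOSTNAME=$(printf '%s' "$HOST_ORIG" | tr '[:upper:]' '[:lower:]')` would be safer. In the sensortab hunk, `sed -i "s|^#$HOST_ORIG-|$HOST_ORIG-|g" $SENSORTAB` interpolates the hostname into the sed pattern unescaped, so a dot in a fully-qualified hostname matches any character and a hostname containing `|` would break the expression; the effect here is limited to which sensor lines get uncommented, but `"$SENSORTAB"` should be quoted and the assumption recorded. The two sed lines are identical when the hostname is already lowercase, which is harmless but not obvious; a comment such as `# Uncomment sensors under both the original-case and lowercased hostname, since older installs used the original case` would explain why both are kept.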
3 changes: 2 additions & 1 deletion bin/sosetup-network
Expand Up @@ -24,7 +24,8 @@
DEBUG="0"
LOGDIR=/var/log/nsm
LOG=$LOGDIR/sosetup-network.log
HOSTNAME=`hostname`
HOST_ORIG=`hostname`
HOSTNAME=${HOST_ORIG,,}
TITLE="Security Onion Setup ($HOSTNAME)"

function ASK_FOR_NETWORK_CONFIG() {